CST8182 - Networking Fundamentals
Observing Network Processes
Objectives
• To observe and understand the basics behind network transmission
• To view and analyze network traffic using supplied tools
Equipment:
Lab PC
Printout of the lab (optional)
Tools from Lab share to install for the lab
(Bear in mind that these are demo versions and not all of the capabilities are enabled)
Lab Outcome:
A good working understanding of normal network transmission processes
Lab Deliverables
• Completed copy of Lab , with answers, submitted by the end of the lab period.
Procedure:
N.B.: Follow these procedures carefully. If at any time you are unsure or are having problems, consult your lab
instructor to ensure that you are not inadvertently damaging the equipment settings. Don’t be afraid or
embarrassed to have the lab instructor verify your work before going on to another step.
Each application has a different way of approaching the network information and packet filtering/captures.
Because of this, it is important that you try several different tools and understand what each can or
cannot do.
Remember: You learn more by asking questions than by protecting your ego!
Section A - Gathering information about the system
At this stage of the game, you should be comfortable with modifying and identifying the current network settings for your
computer. Documenting them will also allow you to verify that things are set up the way you expect them to be.
So, let’s document the information:
HostName _______________________________________
DNS Server(s) _______________________________________
Node Type _______________________________________
NetBIOS Scope ID _______________________________________
IP Routing Enabled _______________________________________
WINS Proxy Enabled _______________________________________
NetBIOS Resolution Uses DNS _______________________________________
Adapter _______________________________________
Adapter Address (MAC) _______________________________________
Adapter IP _______________________________________
Subnet Mask _______________________________________
Gateway _______________________________________
DHCP Server(s) _______________________________________
Primary WINS Server _______________________________________
Secondary WINS Server _______________________________________
Lease Obtained _______________________________________
Lease Expires _______________________________________
Once you’ve accomplished this, verify that you can connect to the Internet properly. Each one of these steps should work without any
problems IF you are configured properly.
Open a DOS Window
Run the command “ping www.google.com” and observe what happens
Did you manage to verify that the site is up and running?
If so, indicate how many packets were sent and how many made it to their destination below:
Ping Statistics
Packets sent: _____ Received: _____ Lost: _____ (_____% loss)
Approximate Round Trip times:
Packets sent: _____ Received: _____ Lost: _____ (_____% loss)
Open a browser
Connect to online.blackboard.com
Did you manage to connect to the web site? [Y/N]
Switch back to the DOS Window
Run the command “ftp 10.50.254.245” and log in with username=rhftp, password=algoftp
Did you manage to connect to the FTP site?
List some of the content of the first directory on the FTP below:
_______________________________________________________________________________________
_______________________________________________________________________________________________________
_______________________________________________________________________________________
Assuming that everything above worked properly, you are ready to go on to the next part of the lab.
If, however, you had problems with ANY of these, stop and fix your system up until they work. Otherwise, you will not be able to
achieve the required results for the remainder of the lab.
Section B - Using TracePlus
Start by downloading the package from the teacher’s share.
Once you have it on your hard drive, install the package – use the default installation options for everything.
Once you’ve installed the package and verified that it works – i.e. start it up to see if it does – you’re ready to go on.
Once you’ve got TracePlus running, you will likely need to identify which network adapter you want to have the software
observing. To do this, click on the little green NIC icon at the top of the page and select the appropriate adapter.
Once you have everything set up, you should start to see some basic statistics on what’s happening on your network connection – i.e.
the quantity and type of traffic that your NIC card is currently seeing.
As this is a demo version of the software, you will be limited as to how much information you will see and for how long it will
observe the network. But, for our purposes, this will serve.
Give it a minute or so and then go ahead and answer the questions below based on what you see.
You may have to switch to the “Network Statistics” window by selecting it under the Window list to answer some of the questions.
Now, let’s add some traffic to the equation.
What kind of packet is the most common? ___________________________________
What is the most common packet size? ___________________________________
What percentage of the bandwidth is being used? ____________________________
What is the MAC address of the most common machine listed? ________________________
Open up the DOS window
Run the command “ping -n 100 www.google.com”
Go back to TracePlus
Click on the symbol at the top to start up another capture session
Let the session run for a minute or two and answer the questions again
What kind of packet is the most common? ___________________________________
What is the most common packet size? ___________________________________
What percentage of the bandwidth is being used? ____________________________
What is the MAC address of the most common machine listed? ________________________
Go back to the DOS window
Wait for the ping command to run out
Run the command “ftp 10.50.254.248” and log in using username=rhftp, password=algoftp
Go back to TracePlus
Click on the symbol at the top to start up another capture session
Let the session run for a minute or two and answer the questions again
What kind of packet is the most common? ___________________________________
What is the most common packet size? ___________________________________
What percentage of the bandwidth is being used? ____________________________
What is the MAC address of the most common machine listed? ________________________
Based on what you know of the software’s capabilities, try to understand what you have seen here before going on. Go ahead and
play with some of the other features in the software.
Section C - Using Sniff’Em
Start by downloading the package from the teacher’s share.
Once you have it on your hard drive, install the package – use the default installation options for everything.
Once you’ve installed the package and verified that it works – i.e. start it up to see if it does – you’re ready to go on.
Once you are in Sniff’Em and you have correctly identified your interface (may have detected it already, since there is only one), you
are ready to have it observe what’s going on with network communications.
To start the packet capture, click on the green arrow at the top of the screen. Give it a
minute or two and go ahead and answer the questions below.
What kind of protocol is the most common? _______________________________
Is your IP always the source IP for the packets? _______________________________
List some fields you can see in the packet window (top right): ________________________________
Select one of the packets in the packet capture window (top right), and click on it.
Information about the packet content will become available in the Packet Decoding window (top left). Select a
packet and extract the information below from it.
N.B.: Not all packets will contain all of the information below.
MAC Destination
MAC Source
Code Type
IPv4 header version
IPv4 header length
Type of service
Total Length
Identification
Time to Live
Protocol
Header Checksum
IP Source
IP Destination
Port Source
Port Destination
Sequencing Number
Look at the packet content (Data) and see if you can identify the application that generated the packet simply by observing
the small segment of data you are presented.
Now, let’s add some traffic to the equation again.
Open up the DOS window (it should be open already)
Run the command “ping -n 100 www.google.com”
Go back to Sniff’Em
Let the session run for a minute or so.
Did running the PING command increase or decrease the amount of traffic visible? ______________________
What kinds of packets did the PING command send out? _____________________________________________
What kinds of packets did the PING command receive back?_________________________
How do you know for sure which packet is the PING and which is the response? ___________________________
Go back to the DOS window
Wait for the ping command to run out
Run the command “ftp 10.50.254.245” and log in using username=rhftp, password=algoftp
Go back to Sniff’Em
Let the session run for a minute or two and answer the questions again
Did running the FTP command increase or decrease the amount of traffic visible? _____________
What kinds of packets did the FTP command send out?
________________________________
What kinds of packets did the FTP command receive back?
________________________________
How do you know for sure which packet is the FTP send and which is the response?
___________
Based on what you know of the software’s capabilities, try to understand what you have seen here before going on. Go ahead and
play with some of the other features in the software.
Section D - Using LinkFerret
Start by downloading the package from the teacher’s share.
Once you have it on your hard drive, install the package – use the default installation options for everything. Once you’ve installed the
package and verified that it works – i.e. start it up to see if it does – you’re ready to go on.
Once you are in LinkFerret and you have correctly identified your interface (may have detected it already, since there is only one),
you are ready to have it observe what’s going on with network communications.
To start the packet capture, click on the red net icon at the top of the screen. Give it a second or two and go ahead and answer the
questions below.
What kind of protocol is the most common? __________________________
What kind of function is the most common? ___________________________
Is your IP always the source IP for the packets? ______________________
List some destinations you see along the way: ______________________
Select one of the packets in the packet capture window (top), and click on it.
Information about the packet content will become available in the Packet Decoding window (middle & bottom).
Click on the Pause button (blue icon at the top).
Select a packet and extract the information below from it.
N.B.: Not all packets will contain all of the information listed below.
Interface Number
Frame Number
Frame Size
Bytes Captured
Frame Media Type
Destination Hex Address
Vendor Name
Source Hex Address
Vendor Name
Ether Type
Frame Length
Destination SAP
Source SAP
Frame Type
Authority
Look at the packet content (Data) and see if you can identify the application that generated the packet simply by observing
the small segment of data you are presented.
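The following is an added example, not part of the lab and not code from Sniff’Em or LinkFerret: it decodes the fields both worksheets ask for from a raw Ethernet II / IPv4 frame (MAC addresses, EtherType, IP header fields, ports, sequence number) and tells a PING apart from its response by the ICMP type field (8 = echo request, 0 = echo reply) and the matching identifier/sequence pair. The MAC and IP addresses are constructed, and the sample frames are built inline rather than captured, so it runs offline.

```python
import socket
import struct

# Added example, not lab code: decodes the fields the worksheets list from a raw frame.
def checksum(data):
    """RFC 1071 ones-complement sum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def decode_frame(raw):
    """Ethernet II -> IPv4 -> ICMP/TCP header fields, as a sniffer's decoder shows them."""
    f = {"mac_dst": raw[0:6].hex(":"), "mac_src": raw[6:12].hex(":"),
         "ethertype": struct.unpack("!H", raw[12:14])[0]}
    if f["ethertype"] != 0x0800:          # e.g. ARP (0x0806): no IPv4 header to decode
        return f
    ip = raw[14:]
    vihl, tos, tot_len, ident, _, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    hlen = (vihl & 0x0F) * 4              # IHL counts 32-bit words
    f.update(ip_version=vihl >> 4, ip_header_length=hlen, tos=tos, total_length=tot_len,
             identification=ident, ttl=ttl, protocol=proto, header_checksum=csum,
             checksum_ok=checksum(ip[:hlen]) == 0,   # an intact header sums to zero
             ip_src=socket.inet_ntoa(ip[12:16]), ip_dst=socket.inet_ntoa(ip[16:20]))
    payload = ip[hlen:tot_len]
    if proto == 1:                        # ICMP: type 8 is the ping, type 0 its answer
        t, _, _, echo_id, echo_seq = struct.unpack("!BBHHH", payload[:8])
        f.update(icmp_type=t, echo_id=echo_id, echo_seq=echo_seq,
                 kind={8: "echo request (ping)", 0: "echo reply"}.get(t, "other icmp"))
    elif proto == 6:                      # TCP, e.g. the FTP control session on port 21
        f["port_src"], f["port_dst"], f["seq_num"] = struct.unpack("!HHI", payload[:8])
    return f

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload, ident=0x1234, ttl=128):
    """Constructed test frame: Ethernet II + 20-byte IPv4 header (no options) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto,
                      0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + payload

def build_echo(icmp_type, echo_id, echo_seq, data=b"abcdefghijklmnopqrstuvwabcdefghi"):
    """ICMP echo message; the default data is the 32-byte pattern Windows ping sends."""
    msg = struct.pack("!BBHHH", icmp_type, 0, 0, echo_id, echo_seq) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

PC_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # made up
PING = build_frame(PC_MAC, GW_MAC, "10.50.1.20", "192.0.2.10", 1, build_echo(8, 0x0100, 7))
FTP_SYN = build_frame(PC_MAC, GW_MAC, "10.50.1.20", "10.50.254.245", 6,
                      struct.pack("!HHIIBBHHH", 49152, 21, 0xDEADBEEF, 0, 0x50, 0x02, 8192, 0, 0))
```

A reply to PING is the frame with the MACs and IPs swapped, ICMP type 0 and the same identifier/sequence values; the `checksum_ok` flag is the same test a sniffer runs to flag a damaged header.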
Now, let’s add some traffic to the equation again.
Open up the DOS window (it should be open already)
Run the command “ping -n 100 www.google.com”
Go back to Sniff’Em
Let the session run for a minute or so.
Did running the PING command increase or decrease the amount of traffic visible?
What kinds of packets did the PING command send out?
What kinds of packets did the PING command receive back?
How do you know for sure which packet is the PING and which is the response?
Go back to the DOS window
Wait for the ping command to run out
Run the command “ftp 10.50.254.245” and log in using username=rhftp, password=algoftp
Go back to Sniff’Em
Let the session run for a minute or two and answer the questions again
Did running the FTP command increase or decrease the amount of traffic visible?
What kinds of packets did the FTP command send out?
What kinds of packets did the FTP command receive back?
How do you know for sure which packet is the FTP and which is the response?
Based on what you know of the software’s capabilities, try to understand what you have seen here before going on. Go ahead and
play with some of the other features in the software.
Section E – Using Neo Trace
Start by downloading the package from the teacher’s share.
Once you have it on your hard drive, install the package – use the default installation options for everything.
Once you’ve installed the package and verified that it works – i.e. start it up to see if it does – you’re ready to go on.
Once you are in NeoTrace, you will find a completely different interface.
That’s because the software has a slightly different angle for viewing the network – it tries to resolve and display geographical
location information associated with a site you are trying to traceroute to.
In essence, NeoTrace traces your connection from your PC to wherever you indicate you want to go, whether it is an IP or a
machine/DNS name. It then displays each one of the “hops” it takes to get to the destination, including (if available and possible)
geographical and DNS information on the “hops” along the way.
Play with NeoTrace and examine the results for known sites you use on a regular basis. You might be surprised at the path your
packets take to get from Point A to Point B :)
Section F – Other utilities
The utilities you’ve used in the lab are only a small cross-section of the software and utilities, freeware/shareware or purchased,
that are available on the market.
You should take the time to research more of these kinds of utilities and get used to having an arsenal of tools for network
troubleshooting that will help you in your day-to-day work.