Computer Networks CS 280 Project 4 Understanding Protocols Fall, 2003 Project 4 1 TABLE OF CONTENTS Project Overview Report Format Environment and Tools Understanding Windump Understanding Ethereal Understanding ARP Understanding Netstat Understanding ipconfig Capturing Network Traffic Project 4 2 Project Overview The purpose of this Project is to become familiar with a number of tools that can be used for probing what’s happening at the Transport, Network, and Link Level of your machine. This consists of trying various commands to understand the configuration of your machine. It also includes using tools to watch and understand packets traveling across the network. Have fun. Schedule: November 13 - Project Kickoff December 4 - Project turned in December 4 - Lab exam on this material Project 4 3 Report Format Throughput this project, you will be asked to answer questions and document your results. Each section should answer the questions specified. Each section should contain the output from the tool (windump or ethereal) Rules about this output: 1. The output should demonstrate what the questions are asking for. 2. This output may vary in size – try to give me enough output to satisfy this demonstration, but not so much that it goes on and on – the right strategy is to specify an output that’s relatively large, and then edit out the portions before and after the points of interest. 3. Do NOT edit out the data in the range that you’re demonstrating. 4. Highlight/Emphasize/what you want me to see in your outputs – don’t assume that I know where to look (in addition, your highlights let me see that you know where to look yourself.) Please hand me a PAPER copy on or before the due date. Project 4 4 Environment and Tools Some of the simple tools you will use include ARP Netstat Ipconfig ping ftp telnet ssh You can read about these for your system as described later. There are two sniffing tools you will use. Windump is available from http://windump.polito.it Install it on your machine. A manual describing its behavior is at: http://babbage.clarku.edu/~jbreecher/docs/ethereal_user_guide.pdf Ethereal can be downloaded from http://www.ethereal.com/ Install it on your machine. A manual describing its behavior is at: http://babbage.clarku.edu/~jbreecher/docs/WinDump_Manual.htm There are two major thing you’ll want to understand about these sniffing tools: • How to use filters – how to capture only the information of interest to you. • How to read the outputs. Project 4 5 Environment and Tools It’s assumed in these commands that you are running on a Windows machine. You may well have a LINUX installation and everything we’re doing here will work just fine. The arguments used on the various commands will be different for Windows and Linux; even though the lab has been written with Windows in mind, it should be easy to run on your LINUX machine. This lab is NOT doable on the machines in the lab. This is because Windump and Ethereal both require special privileges. The tools allow you to snoop what is happening on the network and as such you are denied from using them in the lab. Project 4 6 Environment and Tools Throughout this lab we refer to a number of IP addresses and host names. Here’s an explanation of those addresses you’ll be needing. Your own address: The address of your host machine. Local Network Address: The address of a machine on your local network, such that no travel through a router is required. You’ll find this machine by watching Ethereal and determining the local traffic. Remote Network Address: The IP address of a host NOT on your local network. Using this from your room, yahoo.com would be a good example. A Non-Existent Address: An IP address that you can’t get to. Using this address, non of the ARP or Naming Services give successful results. An address like 10.0.1.xx meets this need. Note that the destination e-net address ff:ff:ff:ff:ff:ff is a broadcast. All nodes on your local network will accept this address. Used by ARP. Black.clarku.edu is a good telnet target. Project 4 7 Understanding Windump Exercise 1. Simple windump capture of ping Use windump to observe the network traffic that is generated by issuing ping commands. 1. Start windump so that it monitors all packets that contain the IP address of the target PC, by typing windump –n host <local-network-address> >win.out 2. Open a new window and execute ping –c 1 10.0.1.12 3. Observe the output of windump. Save the output to a file. Note: you may need to use the –l option of windump. Note: It may be necessary to hit Ctrl-c to terminate the windump session. Lab Report: Include the saved output in your lab report. Explain the meaning of each field in the captured data. Project 4 8 Understanding Windump Exercise 2. Another Simple windump capture of ping 1. On your PC, start capturing packets using the windump -n command. 2. Issue a ping to the non-existing IP address 10.0.1.xx: ping –c 1 10.0.1.xx 3. Issue a ping to the broadcast address 10.0.1.255 using the command: ping –c 2 –b 10.0.1.255 4. Save the outputs of ping and windump to a file. Lab Report Include the saved output in your lab report and interpret the results. How many of the nodes on your network responded to the broadcast ping? Project 4 9 Understanding ethereal Ethereal is a network protocol analyzer with a graphical user interface. Using ethereal, you can interactively capture and examine network traffic, view summaries and get detailed information for each packet. In Section 3 of the Introduction we provide more details on the use of ethereal. Running ethereal This exercise walks you through the steps of capturing and saving network traffic with ethereal. 1. Starting ethereal: On your PC, start ethereal by typing ethereal This displays the ethereal main window on your desktop as shown in the figure on the next slide 2. Selecting the capture options: Use the instructions in the next text slide to set the options of ethereal in preparation for capturing traffic. Use the same options in other labs, whenever ethereal is started. Project 4 10 Understanding ethereal Project 4 11 Understanding ethereal Selecting capture preferences in ethereal: 1. From the main window, select "Capture:Start ". 2. This displays the following “Capture Preferences” window: • Select "Capture packets in promiscuous mode". • Select "Update list of packets in real time". • Select "Automatic scrolling in live capture". • Unselect “Enable MAC name resolution”. • Unselect "Enable network name resolution". • Unselect “Enable transport name resolution”. 3. Starting the traffic capture: Start the packet capture by clicking “OK” in the “Capture Preferences” window. 4. Generating traffic: In a separate window on your PC, execute a ping command to a target. ping –c <local network address> Observe the output in the ethereal main window. Click and highlight a captured packet in the ethereal window, and view the headers of the captured traffic. Project 4 12 Understanding ethereal 5. Stopping the traffic capture: Click "Stop" in the window "Ethernet Capture". 6. Saving captured traffic: Save the results of the captured traffic as a plain text file. This is done by selecting “Print” in the “File” menu. When a “Print” window pops up, select the options and set a filename. Selecting print options in the “Print” window for saving captured traffic to plain text files: o Select the format "Plain Text". o Select the “File” checkbox and type the filename in the field next to the “File” button. o Select “Print summary” if you want to save only some high level information on each packet. Print summary is usually sufficient. o Select “Print detail” and "Expand all levels" if you want to save all details of all packets at all levels. o Click the “OK” button to complete the save operation. The next slide shows you the kind of information that can be captured. Project 4 13 Understanding ethereal Overview of Packet Info Click on one of these lines or fields and watch the packet being highlighted below. Details about header of Packet highlighted. Info about packet and Its contents. Project 4 14 Understanding ethereal Printing Data To A File: The way to get ascii data out of ethereal is to follow these steps: file print select format = plain text, print to = file specify the file name Choose either “print summary” or “print detail” Exercise 3. Simple ethereal capture of ping You actually did this a few slides back as a part of explaining Ethereal. Here you’re simply asked to record the data and make some comparisons. Lab Report: Include the file with the captured data in your lab report. Save the details of the captured traffic, using the “Print detail” option in the Print window . Describe the differences between the files saved by Windump (in Exercise 1) and by Ethereal (in this part). Project 4 15 Understanding ARP This part of the lab explores the operation of the Address Resolution Protocol (ARP) which resolves a MAC address for a given IP address. Yo will want to read about ARP in your text to get an overview of this section. The lab exercises use the command arp, for displaying and manipulating the contents of the ARP cache. The ARP cache is a table that holds entries of the form <IP address, MAC address>. The most common uses of the arp command are as follows: arp –a Displays the content of the ARP cache. arp –d IPAddress or arp –d * Deletes the entry with IP address IPAddress, or all addresses. arp –s IPaddress MAC_Address Adds a static entry to the ARP cache which is never overwritten by network events. The MAC address is entered as a 6 hexadecimal bytes separated by colons. Example: arp –s 00:02:2D:0D:68:C1 Project 4 16 Understanding ARP Time-outs in the ARP cache: The entries in an ARP cache have a limited lifetime. Entries are deleted unless they are refreshed. The typical lifetime of an ARP entry is 2 minutes, but much longer lifetimes (up to 20 minutes) have been observed. You will want to verify when your system does remove ARP entries automatically after a certain amount of time. Refreshing the ARP cache: You will observe that occasionally, a host sends out ARP requests to interfaces that are already in the ARP cache. Example: Suppose that a host with IP address <local address> has an ARP cache entry: <local address> is-at <00:02:83:39:2C:42> Then, this host occasionally sends an unicast ARP Request to MAC address 00:02:83:39:2C:42 of the form Who has < local address>? Tell <my Address> to verify that the IP address <local address> is still present before deleting the entry from the ARP cache. Project 4 17 Understanding ARP Exercise 4. Arp requests to an real address not in cache. 1. Start ethereal on your PC with a capture filter set to the IP address of the target PC. 2. On your PC, view the ARP cache with arp –a and delete all entries with the “arp –d *” option. 3. Issue a ping command from your PC to the target PC: ping –c 2 <existing target ip address> Observe the ARP packets in the ethereal window. Explore the MAC addresses in the Ethernet headers of the captured packets. Direct your attention to the following fields: • The destination MAC address of the ARP Request packets. • The Type field in the Ethernet headers of ARP packets and ICMP messages. 4. View the ARP cache again with the command arp -a. Note that ARP cache entries get refreshed/deleted fairly quickly (~2 minutes). 5. Save the results of ethereal to a text file, using the “Print detail” option. Lab Report: Use the saved data to answer the following questions: • What is the destination MAC address of an ARP Request packet? What does this mean? • What are the different values of the Type field in the Ethernet headers that you observed? • Use the captured data to discuss the process in which ARP acquires the MAC address for IP address <existing target ip address>. Project 4 18 Understanding ARP Exercise 5. ARP requests for a non-real address Observe what happens when an ARP Request is issued for an IP address that does not exist. 1. On your PC, start ethereal with a capture filter set to capture packets that contain the IP address of your PC: ethereal –f ‘host <your ip address>’ 2. Establish a Telnet session from your PC to 10.0.1.10 (Note that this address does not exist on this network) telnet 10.0.1.10 Observe the time interval and the frequency with which your PC transmits ARP Request packets. Repeat the experiment a number of times to discover the pattern. 3. Save the captured output. Lab Report • Using the saved output, describe the time interval between each ARP Request packet issued by your PC. Describe the method used by ARP to determine the time between retransmissions of an unsuccessful ARP Request. Include relevant data to support your answer. • Why are ARP Request packets not transmitted (i.e. not encapsulated) as IP packets? Explain your answer. Project 4 19 Understanding Netstat The command netstat displays information on the network configuration and activity of a system, including network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The following exercise explores how to use the netstat command to extract different types of information about the network configuration of a host. Netstat has slightly different switches on Linux/Windows/Macs. For Windows, useful switches are -a, -e, -n, -r, -s. Read and understand these usages. Exercise 6. On your PC, try the different variations of the netstat command listed above and save the output to a file. 1. Display information on the network interfaces by typing ???? 2. Display the content of the IP routing table by typing ???? 3. Display information on TCP and UDP ports that are currently in use by typing ???? 4. Display the statistics of various networking protocols by typing ???? Project 4 20 Understanding Netstat Lab Report Attach the saved output to your report. Using the saved output, answer the following questions. a. What are the network interfaces of your PC? b. How many IP datagrams, ICMP messages, UDP datagrams, and TCP segments has your machine transmitted and received since it was last rebooted? c. Show your machine’s routing table. What do the columns in this table mean. Explain, based on this table, how your machine determines routing behavior. d. Explain the role of interface lo, the loopback interface. e. In the port table produced by “netstat –a”, pick one of the connections and explain it completely. What local program is using the port? What do “listening” and “established” mean? Project 4 21 Understanding ipconfig (Note, this is called ifconfig in the non-Windows world) USAGE: ipconfig [/? | /all | /release [adapter] | /renew [adapter] | /flushdns | /registerdns Play | /showclassid adapter Options /? /all /release /renew /flushdns /registerdns /displaydns /showclassid with these – see what they do. Some may force a reboot. Display this help message. Display full configuration information. Release the IP address for the specified adapter. Renew the IP address for the specified adapter. Purges the DNS Resolver cache. Refreshes all DHCP leases and re-registers DNS names Display the contents of the DNS Resolver Cache. Displays all the dhcp class IDs allowed for adapter. Project 4 22 Understanding ipconfig Exercise 7. Understanding How DNS Works There are several steps in this test. They are designed to show you how DNS behaves. 1. Ping a named location ping cs.clarku.edu puts the name in your dns cache 2. Start ethereal and capture data: Note packets when name is in 3. Ping a named location ping cs.clarku.edu local cache. 4. Flush the dns cache ipconfig /flushdns Note packets when name is NOT 5. Ping that location again ping cs.clarku.edu in local cache. Lab Report Attach the saved output to your report. Using the saved output, answer the following question. a) What sequence of packets are required when the network layer must go to the DNS to resolve a name? b) How does your machine know what IP address should be used to ask for that name? Project 4 23 Capturing Network Traffic Exercise 8. Snoop Passwords from an FTP session Capture traffic from an FTP session between two hosts. 1. Find a site that accepts ftp. (I found many via google.) 2. On your PC, run the ethereal command with capture filters set to capture traffic between your PC and the target PC. 3. On your PC, initiate a FTP session to the target PC by typing ftp <target site> 4. Log on to the site – many accept username = anonymous, password = your e-mail 5. Inspect the payload (data) in the packets that are sent between your PC and the target PC. FTP sessions use TCP connections for data transfer. In ethereal, there is a simple method to view the payload sent in a TCP connection. Simply select a packet that contains a TCP segment in the main window of ethereal, and then click on "Follow TCP Stream" in the "Tools" menu of the ethereal window. This will create a new window that displays only the payload of the selected TCP connection. 6. Save the details of the packets, i.e., select “Print details” in the “”Print” window of ethereal, which transmit the login name and password. As a hint, you can set the display filter in ethereal to show only the desired packet(s). Lab Report: • Using the saved output, identify the port numbers of the FTP client and the FTP server. • Identify the login name and the password, shown in plain text in the payload of the packets that you captured. Project 4 24 Capturing Network Traffic Exercise 9. Snoop a Telnet session – Part 1 1. 2. 3. Repeat the above exercise with the telnet command instead of ftp. On your PC, establish a Telnet session to a target PC, and save the ethereal output of packets used to transmit the login name and password. Once you are logged in, type a few characters. Observe that for each key you type, there are three packets transmitted. Determine why this occurs. Save the ethereal output to a text file (using the “Print Summary” option). Lab Report: a) Does Telnet have the same security flaws as FTP? Support your answer using the saved output. b) Attach the saved output to your report. Justify why three packets are sent in a telnet session for each character typed on the terminal. Project 4 25 Capturing Network Traffic Exercise 10. Snoop a Telnet session – Part 2 Again using telnet, 1. Run ethereal on your PC, and start to capture traffic. 2. Telnet to port 80 on www.clarku.edu 3. Generate the sequence of commands required to get the clark website to download its home page. 4. Save the ethereal output to a text file (using the “Print Summary” option). Lab Report: Attach the saved output to your report. a) Show the ethereal output that demonstrates that your telnet is sending the required data to the webserver. b) Describe the packets that are sent by the Clark webserver back to your telnet. You don’t need to show the details of the packets, but describe the number and type of packets are sent. How many packets are text, how many pictures, etc. Project 4 26 Capturing Network Traffic Exercise 11. Snoop a ssh session SSH is supposedly secure. In this section you will determine if it is. 1. Run ethereal on your PC, and start to capture traffic. 2. ssh to Babbage and log on. 3. Perform several simple commands that will produce packets traveling back and forth between Babbage and your PC. 4. Save the ethereal output to a text file (using the “Print Summary” option). Lab Report: Attach the saved output to your report. a) Describe what you see with respect to username/password encryption. Explain the sequence of packets that accomplish this login. b) Describe what you see with respect to data transfer. c) Given enough data and knowing the data being sent, could you crack this encryption? Project 4 27