Computer Networks
CS 280
Project 4
Understanding Protocols
Fall, 2003
Project 4
1
TABLE OF CONTENTS
Project Overview
Report Format
Environment and Tools
Understanding Windump
Understanding Ethereal
Understanding ARP
Understanding Netstat
Understanding ipconfig
Capturing Network Traffic
Project 4
2
Project Overview
The purpose of this Project is to become familiar with a number of tools that can be
used for probing what’s happening at the Transport, Network, and Link Level of your
machine.
This consists of trying various commands to understand the configuration of your
machine. It also includes using tools to watch and understand packets traveling
across the network.
Have fun.
Schedule:
November 13 - Project Kickoff
December 4 - Project turned in
December 4 - Lab exam on this material
Project 4
3
Report Format
Throughput this project, you will be asked to answer questions and document your
results.
Each section should answer the questions specified.
Each section should contain the output from the tool (windump or ethereal)
Rules about this output:
1.
The output should demonstrate what the questions are asking for.
2.
This output may vary in size – try to give me enough output to satisfy this
demonstration, but not so much that it goes on and on – the right strategy is to
specify an output that’s relatively large, and then edit out the portions before
and after the points of interest.
3.
Do NOT edit out the data in the range that you’re demonstrating.
4.
Highlight/Emphasize/what you want me to see in your outputs – don’t assume
that I know where to look (in addition, your highlights let me see that you know
where to look yourself.)
Please hand me a PAPER copy on or before the due date.
Project 4
4
Environment and Tools
Some of the simple tools you will use include
ARP Netstat Ipconfig ping ftp telnet ssh
You can read about these for your system as described later.
There are two sniffing tools you will use.
Windump is available from http://windump.polito.it
Install it on your machine.
A manual describing its behavior is at:
http://babbage.clarku.edu/~jbreecher/docs/ethereal_user_guide.pdf
Ethereal can be downloaded from
http://www.ethereal.com/
Install it on your machine.
A manual describing its behavior is at:
http://babbage.clarku.edu/~jbreecher/docs/WinDump_Manual.htm
There are two major thing you’ll want to understand about these sniffing tools:
• How to use filters – how to capture only the information of interest to you.
• How to read the outputs.
Project 4
5
Environment and Tools
It’s assumed in these commands that you are running on a Windows machine. You
may well have a LINUX installation and everything we’re doing here will work just
fine.
The arguments used on the various commands will be different for Windows and
Linux; even though the lab has been written with Windows in mind, it should be easy
to run on your LINUX machine.
This lab is NOT doable on the machines in the lab. This is because Windump and
Ethereal both require special privileges. The tools allow you to snoop what is
happening on the network and as such you are denied from using them in the lab.
Project 4
6
Environment and Tools
Throughout this lab we refer to a number of IP addresses and host names. Here’s an
explanation of those addresses you’ll be needing.
Your own address: The address of your host machine.
Local Network Address: The address of a machine on your local network, such that
no travel through a router is required. You’ll find this machine by watching
Ethereal and determining the local traffic.
Remote Network Address: The IP address of a host NOT on your local network.
Using this from your room, yahoo.com would be a good example.
A Non-Existent Address: An IP address that you can’t get to. Using this address,
non of the ARP or Naming Services give successful results. An address like
10.0.1.xx meets this need.
Note that the destination e-net address ff:ff:ff:ff:ff:ff is a broadcast. All nodes on
your local network will accept this address. Used by ARP.
Black.clarku.edu is a good telnet target.
Project 4
7
Understanding Windump
Exercise 1. Simple windump capture of ping
Use windump to observe the network traffic that is generated by issuing ping commands.
1. Start windump so that it monitors all packets that contain the IP address of the target PC,
by typing
windump –n host <local-network-address> >win.out
2. Open a new window and execute
ping –c 1 10.0.1.12
3. Observe the output of windump. Save the output to a file.
Note: you may need to use the –l option of windump.
Note: It may be necessary to hit Ctrl-c to terminate the windump session.
Lab Report:
Include the saved output in your lab report. Explain the meaning of each field in the
captured data.
Project 4
8
Understanding Windump
Exercise 2. Another Simple windump capture of ping
1. On your PC, start capturing packets using the windump -n command.
2. Issue a ping to the non-existing IP address 10.0.1.xx:
ping –c 1 10.0.1.xx
3. Issue a ping to the broadcast address 10.0.1.255 using the command:
ping –c 2 –b 10.0.1.255
4. Save the outputs of ping and windump to a file.
Lab Report
Include the saved output in your lab report and interpret the results.
How many of the nodes on your network responded to the broadcast ping?
Project 4
9
Understanding ethereal
Ethereal is a network protocol analyzer with a graphical user interface. Using ethereal, you
can interactively capture and examine network traffic, view summaries and get detailed
information for each packet. In Section 3 of the Introduction we provide more details on the
use of ethereal.
Running ethereal
This exercise walks you through the steps of capturing and saving network traffic with
ethereal.
1. Starting ethereal: On your PC, start ethereal by typing ethereal
This displays the ethereal main window on your desktop as shown in the figure on the next
slide
2. Selecting the capture options: Use the instructions in the next text slide to set the
options of ethereal in preparation for capturing traffic. Use the same options in other labs,
whenever ethereal is started.
Project 4
10
Understanding ethereal
Project 4
11
Understanding ethereal
Selecting capture preferences in ethereal:
1. From the main window, select "Capture:Start ".
2. This displays the following “Capture Preferences” window:
• Select "Capture packets in promiscuous mode".
• Select "Update list of packets in real time".
• Select "Automatic scrolling in live capture".
• Unselect “Enable MAC name resolution”.
• Unselect "Enable network name resolution".
• Unselect “Enable transport name resolution”.
3. Starting the traffic capture: Start the packet capture by
clicking “OK” in the “Capture Preferences” window.
4. Generating traffic: In a separate window on your PC,
execute a ping command to a target.
ping –c <local network address>
Observe the output in the ethereal main window.
Click and highlight a captured packet in the ethereal window,
and view the headers of the captured traffic.
Project 4
12
Understanding ethereal
5. Stopping the traffic capture: Click "Stop" in the window "Ethernet Capture".
6. Saving captured traffic: Save the results of the captured traffic as a plain text file.
This is done by selecting “Print” in the “File” menu. When a “Print” window pops up, select the
options and set a filename.
Selecting print options in the “Print” window for saving captured traffic to plain text files:
o Select the format "Plain Text".
o Select the “File” checkbox and type the filename in the field next to the “File” button.
o Select “Print summary” if you want to save only some high level information on each packet. Print
summary is usually sufficient.
o Select “Print detail” and "Expand all levels" if you want to save all details of all packets at all levels.
o Click the “OK” button to complete the save operation.
The next slide shows you the kind of information that can be captured.
Project 4
13
Understanding ethereal
Overview of Packet Info
Click on one of these lines or fields and
watch the packet being highlighted below.
Details about header of
Packet highlighted.
Info about packet and
Its contents.
Project 4
14
Understanding ethereal
Printing Data To A File:
The way to get ascii data out of ethereal is to follow these steps:
file  print
select format = plain text,
print to = file
specify the file name
Choose either “print summary” or “print detail”
Exercise 3. Simple ethereal capture of ping
You actually did this a few slides back as a part of explaining Ethereal. Here you’re simply
asked to record the data and make some comparisons.
Lab Report:
Include the file with the captured data in your lab report. Save the details of the captured
traffic, using the “Print detail” option in the Print window . Describe the differences between
the files saved by Windump (in Exercise 1) and by Ethereal (in this part).
Project 4
15
Understanding ARP
This part of the lab explores the operation of the Address Resolution Protocol (ARP) which
resolves a MAC address for a given IP address. Yo will want to read about ARP in your text
to get an overview of this section. The lab exercises use the command arp, for displaying
and manipulating the contents of the ARP cache. The ARP cache is a table that holds
entries of the form <IP address, MAC address>. The most common uses of the arp
command are as follows:
arp –a
Displays the content of the ARP cache.
arp –d IPAddress or arp –d *
Deletes the entry with IP address IPAddress, or all addresses.
arp –s IPaddress MAC_Address
Adds a static entry to the ARP cache which is never overwritten by network events. The
MAC address is entered as a 6 hexadecimal bytes separated by colons.
Example: arp –s 00:02:2D:0D:68:C1
Project 4
16
Understanding ARP
Time-outs in the ARP cache:
The entries in an ARP cache have a limited lifetime. Entries are deleted unless
they are refreshed. The typical lifetime of an ARP entry is 2 minutes, but much
longer lifetimes (up to 20 minutes) have been observed. You will want to verify
when your system does remove ARP entries automatically after a certain amount
of time.
Refreshing the ARP cache:
You will observe that occasionally, a host sends out ARP requests to interfaces that are
already in the ARP cache.
Example: Suppose that a host with IP address <local address> has an ARP cache entry:
<local address> is-at <00:02:83:39:2C:42>
Then, this host occasionally sends an unicast ARP Request to MAC address
00:02:83:39:2C:42 of the form
Who has < local address>? Tell <my Address>
to verify that the IP address <local address> is still present before deleting the entry from
the ARP cache.
Project 4
17
Understanding ARP
Exercise 4. Arp requests to an real address not in cache.
1. Start ethereal on your PC with a capture filter set to the IP address of the target PC.
2. On your PC, view the ARP cache with arp –a and delete all entries with the “arp –d *”
option.
3. Issue a ping command from your PC to the target PC:
ping –c 2 <existing target ip address>
Observe the ARP packets in the ethereal window. Explore the MAC addresses in the
Ethernet headers of the captured packets. Direct your attention to the following fields:
• The destination MAC address of the ARP Request packets.
• The Type field in the Ethernet headers of ARP packets and ICMP messages.
4. View the ARP cache again with the command arp -a. Note that ARP cache entries get
refreshed/deleted fairly quickly (~2 minutes).
5. Save the results of ethereal to a text file, using the “Print detail” option.
Lab Report:
Use the saved data to answer the following questions:
• What is the destination MAC address of an ARP Request packet? What does this mean?
• What are the different values of the Type field in the Ethernet headers that you observed?
• Use the captured data to discuss the process in which ARP acquires the MAC address for
IP address <existing target ip address>.
Project 4
18
Understanding ARP
Exercise 5. ARP requests for a non-real address
Observe what happens when an ARP Request is issued for an IP address that does not
exist.
1. On your PC, start ethereal with a capture filter set to capture packets that contain the IP
address of your PC:
ethereal –f ‘host <your ip address>’
2. Establish a Telnet session from your PC to 10.0.1.10 (Note that this address does not
exist on this network)
telnet 10.0.1.10
Observe the time interval and the frequency with which your PC transmits ARP Request
packets. Repeat the experiment a number of times to discover the pattern.
3. Save the captured output.
Lab Report
• Using the saved output, describe the time interval between each ARP Request packet
issued by your PC. Describe the method used by ARP to determine the time between
retransmissions of an unsuccessful ARP Request. Include relevant data to support your
answer.
• Why are ARP Request packets not transmitted (i.e. not encapsulated) as IP packets?
Explain your answer.
Project 4
19
Understanding Netstat
The command netstat displays information on the network configuration and activity of a
system, including network connections, routing tables, interface statistics, masquerade
connections, and multicast memberships. The following exercise explores how to use the
netstat command to extract different types of information about the network
configuration of a host.
Netstat has slightly different switches on Linux/Windows/Macs. For Windows, useful
switches are -a, -e, -n, -r, -s. Read and understand these usages.
Exercise 6.
On your PC, try the different variations of the netstat command listed above and save the
output to a file.
1. Display information on the network interfaces by typing ????
2. Display the content of the IP routing table by typing ????
3. Display information on TCP and UDP ports that are currently in use by typing ????
4. Display the statistics of various networking protocols by typing ????
Project 4
20
Understanding Netstat
Lab Report
Attach the saved output to your report. Using the saved output, answer the following
questions.
a.
What are the network interfaces of your PC?
b.
How many IP datagrams, ICMP messages, UDP datagrams, and TCP segments has
your machine transmitted and received since it was last rebooted?
c.
Show your machine’s routing table. What do the columns in this table mean.
Explain, based on this table, how your machine determines routing behavior.
d.
Explain the role of interface lo, the loopback interface.
e.
In the port table produced by “netstat –a”, pick one of the connections and explain it
completely. What local program is using the port? What do “listening” and
“established” mean?
Project 4
21
Understanding ipconfig
(Note, this is called ifconfig in the non-Windows world)
USAGE:
ipconfig [/? | /all | /release [adapter] | /renew [adapter]
| /flushdns | /registerdns
Play
| /showclassid adapter
Options
/?
/all
/release
/renew
/flushdns
/registerdns
/displaydns
/showclassid
with these – see what
they do.
Some may force a reboot.
Display this help message.
Display full configuration information.
Release the IP address for the specified adapter.
Renew the IP address for the specified adapter.
Purges the DNS Resolver cache.
Refreshes all DHCP leases and re-registers DNS names
Display the contents of the DNS Resolver Cache.
Displays all the dhcp class IDs allowed for adapter.
Project 4
22
Understanding ipconfig
Exercise 7. Understanding How DNS Works
There are several steps in this test. They are designed to show you how DNS behaves.
1. Ping a named location ping cs.clarku.edu  puts the name in your dns cache
2. Start ethereal and capture data:
Note packets when name is in
3. Ping a named location ping cs.clarku.edu
local cache.
4. Flush the dns cache
ipconfig /flushdns
Note packets when name is NOT
5. Ping that location again ping cs.clarku.edu
in local cache.
Lab Report
Attach the saved output to your report. Using the saved output, answer the following question.
a)
What sequence of packets are required when the network layer must go to the DNS to
resolve a name?
b)
How does your machine know what IP address should be used to ask for that name?
Project 4
23
Capturing Network Traffic
Exercise 8. Snoop Passwords from an FTP session
Capture traffic from an FTP session between two hosts.
1.
Find a site that accepts ftp. (I found many via google.)
2.
On your PC, run the ethereal command with capture filters set to capture traffic
between your PC and the target PC.
3.
On your PC, initiate a FTP session to the target PC by typing ftp <target site>
4.
Log on to the site – many accept username = anonymous, password = your e-mail
5.
Inspect the payload (data) in the packets that are sent between your PC and the target
PC. FTP sessions use TCP connections for data transfer.
In ethereal, there is a
simple method to view the payload sent in a TCP connection. Simply select a packet
that contains a TCP segment in the main window of ethereal, and then click on "Follow
TCP Stream" in the "Tools" menu of the ethereal window. This will create a new window
that displays only the payload of the selected TCP connection.
6.
Save the details of the packets, i.e., select “Print details” in the “”Print” window of
ethereal, which transmit the login name and password. As a hint, you can set the
display filter in ethereal to show only the desired packet(s).
Lab Report:
• Using the saved output, identify the port numbers of the FTP client and the FTP server.
• Identify the login name and the password, shown in plain text in the payload of the packets
that you captured.
Project 4
24
Capturing Network Traffic
Exercise 9. Snoop a Telnet session – Part 1
1.
2.
3.
Repeat the above exercise with the telnet command instead of ftp. On your PC,
establish a Telnet session to a target PC, and save the ethereal output of packets used
to transmit the login name and password.
Once you are logged in, type a few characters. Observe that for each key you type,
there are three packets transmitted. Determine why this occurs.
Save the ethereal output to a text file (using the “Print Summary” option).
Lab Report:
a)
Does Telnet have the same security flaws as FTP? Support your answer using the
saved output.
b)
Attach the saved output to your report. Justify why three packets are sent in a telnet
session for each character typed on the terminal.
Project 4
25
Capturing Network Traffic
Exercise 10. Snoop a Telnet session – Part 2
Again using telnet,
1.
Run ethereal on your PC, and start to capture traffic.
2.
Telnet to port 80 on www.clarku.edu
3.
Generate the sequence of commands required to get the clark website to download its
home page.
4.
Save the ethereal output to a text file (using the “Print Summary” option).
Lab Report:
Attach the saved output to your report.
a)
Show the ethereal output that demonstrates that your telnet is sending the required
data to the webserver.
b)
Describe the packets that are sent by the Clark webserver back to your telnet. You
don’t need to show the details of the packets, but describe the number and type of
packets are sent. How many packets are text, how many pictures, etc.
Project 4
26
Capturing Network Traffic
Exercise 11. Snoop a ssh session
SSH is supposedly secure. In this section you will determine if it is.
1.
Run ethereal on your PC, and start to capture traffic.
2.
ssh to Babbage and log on.
3.
Perform several simple commands that will produce packets traveling back and forth
between Babbage and your PC.
4.
Save the ethereal output to a text file (using the “Print Summary” option).
Lab Report:
Attach the saved output to your report.
a)
Describe what you see with respect to username/password encryption. Explain the
sequence of packets that accomplish this login.
b)
Describe what you see with respect to data transfer.
c)
Given enough data and knowing the data being sent, could you crack this encryption?
Project 4
27