IS333: ifconfig and wireshark

IS 333 Lab 2: Monitoring Network Protocol Behavior

*** = write down and submit answers to these questions/problems. I recommend you use a google doc to record your answers.

Purpose

This lab has you

investigate the interface information stored on a Linux box and Windows box, and,
gets you started with the network monitoring program wireshark.

0. Pair up

For the pair of you, boot one machine into the Xubuntu operating system from the flash drive. Boot another machine into Windoze.

1. Getting Started

(The following is done on the Xubuntu (Linux) machine.)
Login as mradmin, password bluestone
Open a terminal window: Accessories -> Terminal Emulator.
(In fact, I recommend you find Terminal Emulator and then drag it onto the desktop or launchbar, so you can more easily run it in the future.)
Make sure your computer is only plugged in to the white ethernet cable. If it is also connected to the orange network, remove that ethernet cable.

2. Hardware and IP Addresses

Back to the Terminal window, type
ip addr
These computers have multiple ethernet NICs. Figure out which interface is being used by the computer.
*** For the one interface being used, copy the output from ip addr to your document that you are going to submit for this lab. Then, in that document, write notes explaining as much as you can about what you see there. You will probably have to use google to learn more about what you are looking at. I recommend you google for "ip addr output".

3. Repeat, in Windoze

Boot the computer next to you into Windoze. Make sure the machine is on the orange network. Log in using your campus-wide Windoze login / password.
Go to: Start Menu --> Control Panel --> View network status and tasks --> Local area connection --> Properties --> Internet Protocol Version 4 --> Properties.
*** Write down in your lab report all the information in that dialog box. ***
Click Obtain an IP address automatically.
Click Obtain DNS server address automatically.
Click all the OK/Apply buttons to get out of all the dialog boxes.
Remove the orange cable and plug in the white cable into the same ethernet port.
From the start menu, search for and run cmd.exe.
Type ipconfig and see if you have an IP address on the 192.168.33 network. If you do not, type ipconfig /release, then ipconfig /renew.

4. Examining Network Traffic

In this step, you will capture the network activity the ping program generates between your computer and the computer you are pinging. (The program ping sends out an ICMP Echo Request to a given IP address.) Note that allowing users to capture network activity is a security risk; only the superuser is permitted to do so.

On the Linux box: To capture network traffic, we will use a tool called a network analyzer or packet sniffer named wireshark. To see if wireshark is installed or not, try to start the network analyzer by typing in the Terminal window

 sudo wireshark

(sudo is a command that takes another command. It runs the 2nd command as if it were being run by the "superuser"/"root".)

If wireshark is not installed, try this:

 sudo apt-get install wireshark

Answer Y and watch it install. Remember this apt-get install command -- you'll use it again.

(apt-get is a command that goes out to the network to a repository and finds programs/libraries to install on a computer.)

5. Capturing Network Packets

Once wireshark is installed on your system, run it by doing in a terminal window ("shell")

 sudo wireshark &

(Two little dialog boxes will pop up warning you of various errors and/or that this is dangerous. Click "Don't show this message again." and close the windows.)

When wireshark is up and running, arrange your screen so that you can see the wireshark window and another terminal window at the same time.

From the Capture -> Options menu of the wireshark window, set the configuration so that the following options are enabled:

capture eth1 (or eth4, eth2, etc.) -- whichever interface has an IP address on it.
capture packets in promiscuous mode
update list of packets in real time
automatic scrolling in live capture
Resolve transport-layer name
Use external network name resolver

Click Start.

Watch a few packets go past. Wait until you see a packet go by of a type you recognize (ARP, or ICMP, or DNS, or something else we've talked about in class). Stop the capture, and click on the packet you want to inspect in depth. Arrange the window so that you can see all 3 panels in wireshark -- including the binary dump of a packet at the bottom.

Click on a few fields at various layers of the packet -- IEEE 802.3 Ethernet layer, Logical-Link Control layer, etc. Notice how the other panels update to show you where the information is encoded in the packet. Answer these questions:

In the Ethernet header for the packet, find the Source and Destination addresses and write the info in your lab report document. ***
In layer 3 (IP or ARP, etc.), record important information that we've talked about in class: source address, dest address, length, type, etc. ***
In the layer above that (if it exists), record some important and interesting information (remember our mantra: Be Curious!). ***
List at least 5 of the different protocols you see in this capture (in the Protocol column). ***

6. Capture ping packets

Start a new live capture (you don't need to store the previous capture.) One the Windoze machine, in a cmd window, run ping against the interface on the Linux box. E.g., ping 192.168.33.221 . You should see some activity in the wireshark window. Stop capturing packets by pushing the Stop button. Looking at the display, make sure you can locate all the ping packets that were just generated. Note: the ping command sends ICMP packets.

How do you know which ones are from your Windows computer? ***
How much time passes between each ping request? ***
How much time passes between a ping request and the response that is sent/captured.

7. Filter Traffic

This time, you'll monitor the network traffic associated with ping, by filtering out all other packets. In wireshark, do these steps:

Click Expression...
Choose ICMP in the list
Click OK
Click Apply (next to the Expression... button)

Start capturing packets again (this will clear the wireshark window). Now ping the IP address as above. (Use the up-arrow key to find the ping command in the window (every time you run a command, it is recorded in a history file. So you can rerun previous commands by using up-arrow to find them.)

You should see only the ping packets being shown.

Next, click the Clear button, to clear the filter.

8. A challenge

How do you create a filter that will show only packets from your ethernet card with a broadcast Ethernet destination address? ***

9. Inspect Something Else

Clear all your filters in wireshark. Start a capture.

Go to your web browser and load the www.calvin.edu page. Stop your capture.

Approximate how many packets from the HTTP server did it take to get your web page. (Apply a filter and then look at the bottom of the window to see a count of packets.) ***
What source IP addresses send most of the data? ***

10. Clean up

Remove wireshark from your flash drive installation by doing this:

sudo apt-get purge wireshark

Unplug the white ethernet cables and plug in the orange ones. Remove the USB flash drive and reboot the machine.

Turn in

Turn in the answers to the questions marked *** by submitting the file via Moodle.

Grading Rubric:

20 points total:

5 points: All questions are answered

5 points: Depth of information from ifconfig investigation

10 points: Correct answers for wireshark tasks.