IS 333 Lab 2: Monitoring Network Protocol Behavior

*** = write down and submit answers to these questions/problems. I recommend you use a Google Doc to record your answers.


This lab has you do the following:

0. Pair up

1. Getting Started

2. Hardware and IP Addresses

3. Repeat, in Windoze

4. Examining Network Traffic

In this step, you will capture the network activity the ping program generates between your computer and the computer you are pinging. (The program ping sends out an ICMP Echo Request to a given IP address.) Note that allowing users to capture network activity is a security risk; only the superuser is permitted to do so.

On the Linux box: To capture network traffic, we will use a network analyzer (also called a packet sniffer) named wireshark. To see whether wireshark is installed, try to start it by typing in the Terminal window

 sudo wireshark 

(sudo is a command that takes another command. It runs the 2nd command as if it were being run by the "superuser"/"root".)

If wireshark is not installed, try this:

 sudo apt-get install wireshark 

Answer Y and watch it install. Remember this apt-get install command -- you'll use it again.

(apt-get is a command that goes out to the network to a repository and finds programs/libraries to install on a computer.)

5. Capturing Network Packets

Once wireshark is installed on your system, run it by typing, in a terminal window ("shell"),

 sudo wireshark & 

(The trailing & runs wireshark in the background, so the terminal prompt comes back and you can keep using that window.)

(Two little dialog boxes will pop up warning you of various errors and/or that this is dangerous. Click "Don't show this message again." and close the windows.)

When wireshark is up and running, arrange your screen so that you can see the wireshark window and another terminal window at the same time.

From the Capture -> Options menu of the wireshark window, set the configuration so that the following options are enabled:

Click Start.

Watch a few packets go past. Wait until you see a packet go by of a type you recognize (ARP, or ICMP, or DNS, or something else we've talked about in class). Stop the capture, and click on the packet you want to inspect in depth. Arrange the window so that you can see all 3 panels in wireshark -- including the binary dump of a packet at the bottom.

Click on a few fields at various layers of the packet -- IEEE 802.3 Ethernet layer, Logical-Link Control layer, etc. Notice how the other panels update to show you where the information is encoded in the packet. Answer these questions:

  1. In the Ethernet header for the packet, find the Source and Destination addresses and write the info in your lab report document. ***
  2. In layer 3 (IP or ARP, etc.), record important information that we've talked about in class: source address, dest address, length, type, etc. ***
  3. In the layer above that (if it exists), record some important and interesting information (remember our mantra: Be Curious!). ***
  4. List at least 5 of the different protocols you see in this capture (in the Protocol column). ***

6. Capture ping packets

Start a new live capture (you don't need to store the previous capture). On the Windoze machine, in a cmd window, run ping against the interface on the Linux box. E.g., ping . You should see some activity in the wireshark window. Stop capturing packets by pushing the Stop button. Looking at the display, make sure you can locate all the ping packets that were just generated. Note: the ping command sends ICMP packets.

  1. How do you know which ones are from your Windows computer? ***
  2. How much time passes between each ping request? ***
  3. How much time passes between a ping request and the response that is sent/captured?
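
As an added illustration (not part of the lab handout), the script below does by hand what steps 5 and 6 have you do by clicking in Wireshark: it pulls the Ethernet II, IPv4 and ICMP fields out of a raw frame by byte offset, picks out the frames from the Windows machine by source MAC, and answers the two timing questions by matching each Echo Reply to its Echo Request on the ICMP identifier/sequence pair. Every MAC address, IP address, timestamp and ICMP identifier is a constructed sample value, and the helper names (dissect, build_echo, display_filter, ping_timing) are this example's own.

```python
# Added example, not part of the lab handout: a minimal dissector for the
# three layers the lab has you click through in Wireshark (Ethernet II,
# IPv4, ICMP), run over constructed ping frames, plus the two timing
# questions. All MAC/IP addresses, timestamps and the ICMP identifier are
# made-up sample values.
import struct
from dataclasses import dataclass

WIN_MAC, LINUX_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed
WIN_IP, LINUX_IP = "192.168.1.10", "192.168.1.20"               # constructed


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class Frame:
    ts: float            # capture time in seconds (Wireshark's Time column)
    eth_src: str
    eth_dst: str
    eth_type: int        # 0x0800 = IPv4, 0x0806 = ARP
    ip_src: str = ""
    ip_dst: str = ""
    ip_len: int = 0      # IPv4 "Total Length" field
    ip_proto: int = 0    # 1 = ICMP
    icmp_type: int = -1  # 8 = Echo Request, 0 = Echo Reply, -1 = not ICMP
    icmp_id: int = 0
    icmp_seq: int = 0


def dissect(ts: float, raw: bytes) -> Frame:
    """Pull the fields the lab asks for out of a raw frame (the 'binary dump' panel)."""
    # Ethernet II header, frame bytes 0..13: dst MAC, src MAC, EtherType.
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    fr = Frame(ts, mac_str(src), mac_str(dst), etype)
    if etype != 0x0800:          # ARP and friends: stop after layer 2
        return fr
    # IPv4 header starts at byte 14: IHL in the low nibble of byte 14,
    # Total Length at 16..17, Protocol at 23, src at 26..29, dst at 30..33.
    ihl = (raw[14] & 0x0F) * 4
    fr.ip_len = struct.unpack("!H", raw[16:18])[0]
    fr.ip_proto = raw[23]
    fr.ip_src, fr.ip_dst = ip_str(raw[26:30]), ip_str(raw[30:34])
    if fr.ip_proto == 1:
        # ICMP echo header: type, code, checksum, identifier, sequence number.
        icmp = raw[14 + ihl:14 + ihl + 8]
        fr.icmp_type, _code, _csum, fr.icmp_id, fr.icmp_seq = struct.unpack("!BBHHH", icmp)
    return fr


def build_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq,
               payload=b"abcdefghijklmnopqrstuvwabcdefghi") -> bytes:
    """Construct an Ethernet/IPv4/ICMP echo frame (checksums left at 0; the
    32-byte payload mirrors what Windows ping sends by default)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 128, 1, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + icmp


def sample_capture():
    """Constructed capture: four Windows -> Linux echo requests, one per second,
    each answered 0.4 ms later, plus one ARP request up front."""
    arp = bytes.fromhex("ffffffffffff") + bytes.fromhex(WIN_MAC.replace(":", "")) + b"\x08\x06" + bytes(28)
    frames = [dissect(0.0, arp)]
    for seq in range(1, 5):
        t = float(seq)
        frames.append(dissect(t, build_echo(WIN_MAC, LINUX_MAC, WIN_IP, LINUX_IP, 8, 1, seq)))
        frames.append(dissect(t + 0.0004, build_echo(LINUX_MAC, WIN_MAC, LINUX_IP, WIN_IP, 0, 1, seq)))
    return frames


def display_filter(frames, **wanted):
    """Keep frames whose fields equal the given values, e.g. ip_proto=1 for ICMP only."""
    return [f for f in frames if all(getattr(f, k) == v for k, v in wanted.items())]


def ping_timing(frames):
    """Seconds between consecutive Echo Requests, and per-sequence round-trip
    time found by matching each reply to its request on (identifier, sequence)."""
    reqs = display_filter(frames, icmp_type=8)
    intervals = [round(b.ts - a.ts, 6) for a, b in zip(reqs, reqs[1:])]
    reply_ts = {(f.icmp_id, f.icmp_seq): f.ts for f in display_filter(frames, icmp_type=0)}
    rtt = {r.icmp_seq: round(reply_ts[(r.icmp_id, r.icmp_seq)] - r.ts, 6)
           for r in reqs if (r.icmp_id, r.icmp_seq) in reply_ts}
    return intervals, rtt


if __name__ == "__main__":
    cap = sample_capture()
    for f in cap:
        print(f)
    print("from Windows:", len(display_filter(cap, eth_src=WIN_MAC)))
    print("intervals, rtt:", ping_timing(cap))
```

Run it and compare the printed Frame fields with what Wireshark shows when you click the same fields in the middle panel; the byte offsets in the comments are where the bottom panel highlights them. Matching replies to requests on the identifier/sequence pair is the same thing Wireshark does when it labels a reply "reply in frame N".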

7. Filter Traffic

This time, you'll monitor the network traffic associated with ping, by filtering out all other packets. In wireshark, do these steps:

Start capturing packets again (this will clear the wireshark window). Now ping the IP address as above. (Use the up-arrow key to find the ping command in the window: every time you run a command, it is recorded in a history file, so you can rerun previous commands by using up-arrow to find them.)

You should see only the ping packets being shown.

Next, click the Clear button, to clear the filter.

8. A challenge

  1. How do you create a filter that will show only packets from your ethernet card with a broadcast Ethernet destination address? ***

9. Inspect Something Else

Clear all your filters in wireshark. Start a capture.

Go to your web browser and load the page. Stop your capture.

  1. Approximately how many packets from the HTTP server did it take to get your web page? (Apply a filter and then look at the bottom of the window to see a count of packets.) ***
  2. What source IP addresses send most of the data? ***
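
The same "apply a filter, then count" approach can be scripted over a packet list exported from Wireshark (File > Export Packet Dissections > As CSV). The example below is added here and is not part of the lab; the rows are constructed, with 203.0.113.5 standing in for the web server and 192.168.1.10 for the machine running the browser, and count_from and bytes_by_source are this example's own helper names.

```python
# Added example, not part of the lab handout: filter-and-count over a
# Wireshark packet list exported as CSV. The rows are constructed sample
# data; 203.0.113.5 plays the web server and 192.168.1.10 the browser.
import csv
import io
from collections import Counter

SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.10","203.0.113.5","TCP","74","49152 > 80 [SYN]"
"2","0.021000","203.0.113.5","192.168.1.10","TCP","74","80 > 49152 [SYN, ACK]"
"3","0.021100","192.168.1.10","203.0.113.5","TCP","66","49152 > 80 [ACK]"
"4","0.021300","192.168.1.10","203.0.113.5","HTTP","412","GET / HTTP/1.1"
"5","0.043000","203.0.113.5","192.168.1.10","TCP","1514","80 > 49152 [ACK]"
"6","0.043200","203.0.113.5","192.168.1.10","TCP","1514","80 > 49152 [ACK]"
"7","0.043400","203.0.113.5","192.168.1.10","HTTP","980","HTTP/1.1 200 OK"
"8","0.043600","192.168.1.10","203.0.113.5","TCP","66","49152 > 80 [ACK]"
"9","0.050000","192.168.1.10","192.168.1.1","DNS","78","Standard query"
"""


def load_rows(text):
    """Parse the exported packet list into one dict per packet."""
    return list(csv.DictReader(io.StringIO(text)))


def count_from(rows, source, protocols=("TCP", "HTTP")):
    """Equivalent of applying a filter for one source IP (TCP/HTTP only) and
    reading the packet count from Wireshark's status bar."""
    return sum(1 for r in rows if r["Source"] == source and r["Protocol"] in protocols)


def bytes_by_source(rows):
    """Total frame bytes per source IP, largest first: answers 'who sent most of the data'."""
    totals = Counter()
    for r in rows:
        totals[r["Source"]] += int(r["Length"])
    return totals.most_common()


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("packets from server:", count_from(rows, "203.0.113.5"))
    print("bytes by source:", bytes_by_source(rows))
```

On a real export, replace SAMPLE_CSV with the file contents; the two frames of 1514 bytes are the full-size segments a server sends when it streams a page body, which is why the server dominates the byte count even though the browser sends nearly as many packets.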

10. Clean up

Remove wireshark from your flash drive installation by doing this:

sudo apt-get purge wireshark

Unplug the white ethernet cables and plug in the orange ones. Remove the USB flash drive and reboot the machine.


Turn in

Turn in the answers to the questions marked *** by submitting the file via Moodle.

Grading Rubric:

20 points total:

5 points: All questions are answered

5 points: Depth of information from ifconfig investigation

10 points: Correct answers for wireshark tasks.