Protocol Analysis: Capturing Packets

Similar documents
Protocol Analysis: Capturing Packets

BSc Year 2 Data Communications Lab - Using Wireshark to View Network Traffic. Topology. Objectives. Background / Scenario

Lab Using Wireshark to Examine Ethernet Frames

Lab Using Wireshark to Examine Ethernet Frames

Lab - Using Wireshark to Examine a UDP DNS Capture

Experiment 2: Wireshark as a Network Protocol Analyzer

Objectives: (1) To learn to capture and analyze packets using wireshark. (2) To learn how protocols and layering are represented in packets.

Lab - Using Wireshark to Examine a UDP DNS Capture

Lab 4: Network Packet Capture and Analysis using Wireshark

DKT 224/3 LAB 2 NETWORK PROTOCOL ANALYZER DATA COMMUNICATION & NETWORK SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK

9. Wireshark I: Protocol Stack and Ethernet

COMP2330 Data Communications and Networking

Lab Exercise Protocol Layers

UNI CS 3470 Networking Project 5: Using Wireshark to Analyze Packet Traces 12

Project points. CSE422 Computer Networking Spring 2018

University of Maryland Baltimore County Department of Information Systems Spring 2015

Wireshark Lab: Getting Started v6.0

CE3005: Computer Networks Laboratory 3 SNIFFING AND ANALYSING NETWORK PACKETS

Genie Snoop lab. Laboration in data communication GenieLab Department of Information Technology, Uppsala University

Lab Capturing and Analyzing Network Traffic

The following virtual machines are required for completion of this lab: Exercise I: Mapping a Network Topology Using

King Fahd University of Petroleum & Minerals. Data Traffic Capture and Protocols Analysis using Sniffer Tool

A Simple Network Analyzer Decoding TCP, UDP, DNS and DHCP headers

Lab - Using Wireshark to Examine TCP and UDP Captures

New York University Computer Science Department Courant Institute of Mathematical Sciences

Protocol Layers & Wireshark TDTS11:COMPUTER NETWORKS AND INTERNET PROTOCOLS

Chapter 2. Switch Concepts and Configuration. Part II

TCP/IP Networking Basics

Networking interview questions

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Wireshark Lab: Getting Started

TCP/IP Transport Layer Protocols, TCP and UDP

CCNA Semester 1 labs. Part 2 of 2 Labs for chapters 8 11

Computer Networks A Simple Network Analyzer PART A undergraduates and graduates PART B graduate students only

Wireshark Lab: Getting Started v7.0

Use of the TCP/IP Protocols and the OSI Model in Packet Tracer

Wireshark Lab: Getting Started v6.0

ECE 358 Project 3 Encapsulation and Network Utilities

Wireshark Lab: Getting Started

Wireshark intro. Introduction. Packet sniffer

The trace file is here:

Wireshark Lab: Getting Started v6.0 Supplement to Computer Networking: A Top-Down Approach, 6th ed., J.F. Kurose and K.W. Ross

Hands-On Ethical Hacking and Network Defense

Ethereal Lab: Getting Started

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

CS 356 Lab #1: Basic LAN Setup & Packet capture/analysis using Ethereal

A Simplified Example of TCP/IP Communication Chuck Cusack

Wireshark Lab: Getting Started

Lab Exercise UDP. Objective. Requirements. Step 1: Capture a Trace

IP Network Troubleshooting Part 3. Wayne M. Pecena, CPBE, CBNE Texas A&M University Educational Broadcast Services - KAMU

Computer Networks/DV2 Lab

WL5041 Router User Manual

ICS 351: Networking Protocols

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Introduction to OSI model and Network Analyzer :- Introduction to Wireshark

COMS3200/7201 Computer Networks 1 (Version 1.0)

Wireshark HTTP. Introduction. The Basic HTTP GET/response interaction

Lab Assignment for Chapter 1

To see the details of TCP (Transmission Control Protocol). TCP is the main transport layer protocol used in the Internet.

CCNA 1 Final Exam Answers UPDATE 2012 eg.1

Update your network settings

Web Mechanisms. Draft: 2/23/13 6:54 PM 2013 Christopher Vickery

Lab: 2. Wireshark Getting Started

Networking Notes. Common Internet Speeds. Online Speed Test myspeed.visualware.com

Wireless-G Router User s Guide

Clientless SSL VPN Remote Users

Wireshark Lab: HTTP SOLUTION

VERSION Lab 3: Link Layer

The Cisco HCM-F Administrative Interface

Review of Important Networking Concepts

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 8 Networking Essentials

Clientless SSL VPN End User Set-up

APSCN VPN Settings for Windows 7 2. APSCN VPN Settings for Windows XP 8. APSCN VPN Settings for MAC OS 15

Interconnecting Networks with TCP/IP. 2000, Cisco Systems, Inc. 8-1

Wireshark Lab: Getting Started v7.0

Setting up PuTTY. Version Updated for 2015 Fall (with corrections)

Setting up PuTTY. Software* Downoad PuTTY. Download PuTTY Download the putty.zip file. It contains several programs for SSH, SFTP, and SCP.

Setting up PuTTY. CTEC1767 Data Communications & Networking CTEC1863 Operating Systems CTEC1906 Internet Computing

TRANSMISSION CONTROL PROTOCOL. ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016

E&CE 358: Tutorial 1. Instructor: Sherman (Xuemin) Shen TA: Miao Wang

Department Of Computer Science

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Getting Started. 1 Earlier versions of these labs used the Ethereal packet analyzer. In May 2006, the developer of Ethereal

CIT 380: Securing Computer Systems. Network Security Concepts

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Appserv Internal Desktop Access Mac OS Device with Safari Browser. Enter your Appserv username and password to sign in to the Website

4. Web-based Switch Configuration

Exploring TCP and UDP based on Kurose and Ross (Computer Networking: A Top-Down Approach) May 15, 2018

COMP 2000 W 2012 Lab no. 3 Page 1 of 11

Tools Needed: - PC with Wireshark installed ( - An Ethernet hub or a managed switch with Port mirroring capability

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Agility2018-TCPdump Documentation

Lab Assignment 3 for ECE374

Packet Tracer - Investigating the TCP/IP and OSI Models in Action (Instructor Version Optional Packet Tracer)

Wireshark Lab: Ethernet and ARP v6.01

Using Citrix to access QFIS and other applications

Goals - to become acquainted with Wireshark, and make some simple packet captures and observations

Lab Exercise UDP & TCP

Overview of Ethernet Networking

Transcription:

Protocol Analysis: Capturing Packets This project is intended to be done on the EiLab Network, but if you want to try to VPN into the EiLab Network on your own PC from your home or workplace, follow these first instructions. Some locations at UH are filtering outbound VPN and it doesn t it work well on the Wireless Bauer network. Nor will you be able to do this on a PC that you do not have administrative rights on because it requires the installation of software. Create an RTF file for capturing info on your EiLab Virtual desktop and cut and paste your answers there (questions are in red see below). You will then email your answers to me at jake@uh.edu. You should be able to log into your U of H email from your Virtual Desktop. (CURRENTLY THIS IS NOT WORKING RELIABLY SO SKIP THIS SECTION AND DO THIS ASSIGNMENT IN THE EiLAB ) VPN Into the EiLAB network (or skip to the next section if you are IN the EiLab) 1. If you do not already have the Citrix Receiver installed on your PC, Go to receiver.citrix.com. Download and install the receiver. Reboot your computer. 2. If you already have set up and used VPN then skip down to the next section after you connect successfully. 3. On a Windows 7 PC (google how to do this if you have a MAC), go to the Network and Sharing Center (google how to do this if necessary).. Choose Set up a new connection or network 5. Choose Connect to a workplace and click Next 6. Choose No, create a new connection and click Next 7. Click on Use my internet connection(vpn). Internet address: 192.13.19.5 9. Destination Name: UH-EiLab 10. Click Next 11. Type your user name and password: User Name: mis77user1, mis77user2,, Password: VMJus3r! Domain: eilab Optionally check Remember Password if you are on your own PC 12. Click Connect 13. Once Connected, open a Browser and go to http://ipchicken.com to make sure your IP is 192.13.19.5 1. Open a Dos Command window and try to ping xen.eilab.bauer.uh.edu 15. If it works, continue to the next section. If not, type ipconfig /flushdns and then repeat the ping step.. If it still does not work, you will need to manually change your DNS servers to 192..1.31 and... If you do not know how to do this, google it. Connect to your assigned Virtual Machine Environment 1. If you have installed the Citrix receiver this may also work from Chrome, Safari and Firefox. 2. Open Internet Explorer and go to http://xen.eilab.bauer.uh.edu 3. If you are prompted to install a plug-in, follow the on-screen instructions.. Log in with your assigned user name, password and domain name User Name: mis77user1, mis77user2, etc Password: VMJus3r! Domain: eilab.bauer.uh.edu If a new browser window does not automatically appear with your Virtual Machine, click on the screen icon to run the launch.ica file. If a bar appears at the bottom asking you to open or save launch.ica, choose Open. You should now be connected to and viewing your assigned Windows XP 6 bit virtual machine. If a popup appears about sharing your local files, you can choose read/write. Objectives This will introduce you to packet sniffing, a method by which we can capture packets being sent between computers as they communicate. As a network administrator you can use this method to help evaluate the performance of your network by identifying bottlenecks and Written by Michael A. Chilton, Ph.D., Associate Professor of MIS at Kansas State University

slower performing servers or sections of your network. You can also use it to check the security of your network. As a graphic demonstration of this, you will configure an FTP server and observe the login packet interchange. You will see that each communication may consist of several packets that are exchanged between the two computers and you will see the potential for security leaks and how to gauge potential abuse of the network by users. Overview& Prerequisites You will first install a program called Wireshark. You should have already installed this by now. This is an open source application freely available on the Internet that allows you to capture packets as they appear at the network adaptor card. This means that you will be able to see all header information on the packet from each of the OSI layers. (Normally these headers are stripped off so that the only portion remaining is the data payload.) You will use the software to view complete packets and locate each layer s header, from the physical layer to the application layer. Doing so will help you to better understand network traffic and identify things that are out of order. Using this program you will: 1) Analyze simple protocols and learn about the software interface and the information it contains; 2) Observe, analyze and reconstruct specific packet interchanges between a computer and a server; and 3) Monitor the login process to an FTP server. This will include searching for the login information in the Wireshark output. For the first two parts of this lab, you will need a single computer with an Internet connection. For the last part, you will need two computers, one of which should have an active FTP server loaded on it.instructions are provided in part 3 for setting up an FTP server on one computer and connecting to it from a second computer using an FTP client. Procedure To obtain the software that you will use for this lab, go to www.wireshark.org and download it to your workstation. Once downloaded, you can install the software and accept all defaults. The program includes a helper program called WinPCap (which you must install and load at boot up), which will install after Wireshark is installed. Install the bit or 6 bit version depending on your Operating System. If you don t know how to check, google for instructions. Part 1: Analyzing simple protocols After you have installed Wireshark, start the program. Depending on the version you have and whether or not you have multiple network connections, \the initial screen will resemble figure 1. Click on Interface List. Choose Local Area Connection click Start. 2

Figure 1: Wireshark Packet Capture Options Below the menu, the capture window is divided into three distinct areas. The top is a listing of all packets received the packet list pane; the middle provides the details of a packet selected in the packet list pane and is called the packet details pane; and the bottom, called the packet pane, shows the hexadecimal details of the selected packet and will highlight its (selected) fields. You can resize the 3 frames by moving your mouse to the separation line between each frame, clicking and moving it up or down. Figure 2 illustrates this and shows some captured packets. Packet List Packet Details Packet Bytes Figure 2: Wireshark You can see in figure 2 that packets were captured and the first is selected in the packet list pane. In the packet details pane, you can see the Ethernet frame header, the IP header, the UDP header and finally the data payload, which indicates that this is asimple Network Management Protocol (SNMP) packet. The packet byte pane shows the hexadecimaland ASCII equivalentof 3

each packet at the bottom of the window. Selecting a field in the packet details pane will highlight the hex and ASCII portions of the packet in the packet byte pane. Go ahead and start a capture session and after receiving a few packets, stop the packet capture (Click Capture Stop in the top menu.) Find a TCP packet in the packet list pane and select it. In the packet details pane, click on the + next to the word Frame. When this part of the packet opens, you will see some summary information that Wireshark logs about every packet that it captures. Now open each subsequent section of the packet beginning with Ethernet II. You should be able to find the portions of each packet as shown in figures 3a through 3c within the packet details section. Preamble 7 Start of Frame 1 byte Destination Address 6 Source Address 6 Type Date FCS Flag 2 6-1500 Figure 3a: An Ethernet II Frame Layout Version Number Header Length Service Field Total Length ID Flags 3 Fragment Offset 13 Time to Live Next Protocol Header Checksum Source IP Address Destination IP Address Data Variable Figure 3b: The IP Header Layout Source Port Destinatio n Port Sequence Number ACK Number Header Length Flags Window Size Header Checksum Urgent Pointer Figure 3c: The TCP Header Layout Options (Optional) Figure 3a includes 20 that are processed in the hardware and will not be seen in the packet details pane. These are the preamble (7 ), the Start of Frame (1 byte), the Frame Check Sequence (FCS, ), and the final Flag ( ). Part 2: Finding specific packet sequences For this part you need a workstation that is connected to the Internet and one that receives its IP address from a DHCP server. You should have Wireshark installed on your workstation from part 1. In step 1 you will observe the packets required to make and break a connection. Data Variable Step 1 Observing a TCP connection 1) Ensure that your capture options are set as before and begin another capture session. 2) Open a web browser on your workstation, allow the web page to finish loading, and then stop the packet capture session. 3) Filter out everything but the web traffic by entering this into the Filter line and clicking Apply: tcp.port eq 0 ) Look at the first three TCP packets in the packet list pane. TCP packets have a green background color (depending on your settings) and are easily recognized. These three packets should be listed as [SYN], [SYN, ACK] and [ACK]. This 3-packet interchange builds a connection between two computers. You should notice that the destination port for the [SYN] packet is 0, indicating a web request. The second two packets should provide you with a sequence/acknowledgement analysis. Step 2 Observing a DNS request/response

1) Ensure that your capture options are set as before and begin another capture session. You can discard the previous session or save it to a file. 2) Apply a filter to just look at DNS. Type dns in the filter box and click apply. 3) In a web browser, go to a random website you have never been to such as adjecta.com. ) Observc the first few DNS entries and note how a Standard query is made to your DNS server IP (192..1.31 is the primary DNS server on the EiLab Network) for an A (address) record of the domain you entered. 5) Note that if your browser already knows what the ip address is (cached), it will NOT have any output. If you don t get output, choose another domain name. 6) If a name is found, the next DNS line should contain a response with an IP address. 7) Go to another random website and observe the behavior again. ) Go back to the first website you visited. This time you will probably not see any output from Wireshark because the DNS information is now cached. 9) In some cases it will retrieve it again anyway, because some websites tell your browswer NOT to cache data. Try visiting a website with constantly changing content, such as cnn.com. You should see DNS queries in your Wireshark output every time you reload the web page. ASSIGNMENT DELIVERABLE # 1: Find at least 3 websites that allow caching and find at least 3 websites that tell your browser NOT to cache and list them. This should be saved to a pcap file see below. Step 3: Following an HTTP stream Let s have a closer look at a request/response interchange that requests a web site. Follow these steps to obtain a fresh set of packets: 1) Ensure that your capture options are set as before and begin another capture session. You can discard the previous session or save it to a file. 2) Open Internet Explorer on your workstation, return to Wireshark and begin a packet capture session. 3) Type in a URL and after the page loads, return to Wireshark and stop the packet capture. ) In the filter box, type http and click apply, to filter out extra traffic. 5) Find the packet with comments in the Info column are GET / HTTP/1.1 and select it. Right click this packet and click Follow TCP stream from the popup menu. 6) A new window will open with the details of the http interchange. The request and acknowledgements from your workstation are in red, and the responses are in blue and should resemble figure 5. 5

Figure 5: Raw TCP Stream Data 7) At the bottom of this window are some options for saving this file for later reference. Click the Close button to return to the main window and you will notice that only the TCP and HTTP packets have been retained, since a filter was created based on your action of following the TCP stream. Now select File Export Objects HTTP. In the resulting window, find the hostname corresponding to the site that contains text/html and click the Save As button. Save the file (with an html extension) on your desktop. You should also email me this file. You can save it to your local PC by going to My Computer under the Virtual Desktop session and you should see your local drives mapped there as Network Drives. Or you can log into your U of H web email from your Virtual Desktop session. ) Minimize all windows and find the file you just saved and open it with a web browser. If the web site is primarily javascript (as many web sites are), what you see won t be very impressive; however, figure 6 shows http://www.java.com on the left side, while its TCP stream produces the page shown on the right side of the figure. Although you can t see the graphics in the rendered file, you can easily determine its main theme. Figure 6: Java.com ASSIGNMENT DELIVERABLE # 1 (continued): Save the output from your websearch to find 3 sites that do NOT cache their main pages along with the above capture. Go to Wireshark, click, File, Save As, then name it websites ) to your Virtual Desktop. You will email me this with your answers. 6

Part 3: Viewing an FTP transfer We will now look at the file transfer between an FTP client and an FTP server. You will need a second computer on your network capable of providing file transfer services (an FTP server). We already have an FTP server running at ip 192..1.215 with the user, mis77 and password secret. You will need an FTP client program like Filezilla or WinSCP. Step 1: Setting up the FTP program If you have not already done so, download and install WinSCP from http://winscp.net. Download the Installation Package and run it. Run WinSCP and set up a connection. Change the protocol from SFTP to FTP with no encryption. For the host name, enter 192..1.215. Enter mis77 for the user and secret for the password, then click Save as and save it along with the password so you don t have to type it in again. Step 2: Monitor the FTP login exchange To see the packet interchange between the two computers, perform the following: 1) Open Wireshark on the client, ensure that your capture options are set as before. Clear any previous filter by clicking on Clear and begin another capture session. 2) Switch back to the WinSCP FTP program and click Login to establish a connection. 3) If the login was successful, go back to Wireshark and stop the packet capture. Look for the FTP packets in the Protocol column. You can filter out the other packets by typing ftp in the filter box and clicking Apply. In the Info column it will say Request: and Response: You should notice that the username and password are displayed for you in this column in clear text. This is shown in figure. If you have never seen a password revealed in a packet sniffer, it can be a real eye opener. Although we know that FTP servers are inherently not secure, this demonstration should make you think about the security of other types of logins. Try this: Start a new capture and clear the filter. Go back to WinSCP and click on Session and New Session, and click on add a new site. This time, choose SFTP for the protocol, 192..1.215 for the host, make sure the port is 22 (secure ssh port), user name and password is the same. Save it as mis77@192..1.215 (secure) and click Login. First you will note that it asks you to trust this site, click yes. It is sharing an SSL encryption key. Now go back to the Wireshark and stop the capture. You can try filtering for ftp but you will not see any new ftp packets. That is because you were using SSH protocol, specifically SSHv2. Enter a filter for ip.dst == 192..1.215 to just see packets going to the ftp server. Are you able to find the password? Instead what do you see? ASSIGNMENT DELIVERABLE # 2: Save the packet capture (Click File and save as and save it to your desktop or one of your locally mapped drives) and email it to me with your answers along with a description of what appears to be going on and the difference between ftp and sftp. 7

Figure : An FTP Login Sequence in Wireshark ASSIGNMENT DELIVERABLE # 3: Answer these short essay questions in the email you are sending me with the other deliverables. 1. Packet sniffing can be a controversial subject. Discuss any issues related to ethics that might arise when an organization monitors the electronic activity of its employees, i.e. what sort of issues might arise by sniffing employees web browsing activity? 2. You looked at packets captured during a web page request. What might this be useful for? 3. Most computers are connected together with switches (rather than hubs). How does this affect the packet capturing process? (hint, can you see traffic from your fellow students?). Discuss how sniffing packets from wireless networks might differ from wired networks. Hint, use google to answer this. Search for wireless packet sniffers and name a couple. Where would be a good place to test out a wireless packet sniffer? END OF LAB ASSIGNMENT THANK YOU ALL!!! Jake

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback