Introduction§

In this assignment, you will use Wireshark [WP], a packet sniffer, to capture and interpret frames transmitted on an Ethernet. Wireshark is an excellent open-source tool, with a highly usable interface and a wide range of capabilities. If you ever want to figure out what's happening on your network, Wireshark is probably the first tool you should pull out.

Because there can be security issues with a packet sniffer, sniff only what you are asked to sniff. If you would like to sniff other traffic, then PRIOR to sniffing, talk to me and get permission from all network users and administrators.

As a packet sniffer, Wireshark captures packets as they are being sent/received from/by your computer. Wireshark will store and/or display the contents of various protocol fields in the captured messages. Wireshark is passive in that it observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, the packet sniffer receives copies of the packets, so the packets still make their way to the intended recipient.

A packet sniffer has two parts: a packet capture library and a packet analyzer. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Almost all Unix-based packet sniffers use libpcap. Capturing all link-layer frames gives you all messages that are sent or received by all protocols and applications executing in your computer. The packet analyzer helps you interpret the data collected by the packet capture library. It displays the contents of all fields within a protocol message. Thus, the packet analyzer must understand the structure of all messages exchanged by protocols.

Acknowledgments§

This assignment is adapted from "Lab: Wireshark: Ethernet" by Mike Erlinger at Harvey Mudd College. It also incorporates elements of exercises 1.1 - 1.2 in Computer Networking: Internet Protocols in Action by Jeanna Matthews (Wiley, 2005).

Goals§

Assignment§

Part A: Getting started with Wireshark§

  1. Wireshark has been installed on the computers in CNS E201. It is available under the Applications directory. It will present an error message when starting, but this will not affect its operation. To fix the cause of the error message, follow these instructions from the related bug report:

    "It seems that the directory where these are stored is actually /usr/share/snmp/mibs/, not the default path that the program is searching. Open the Name Resolution section under preferences and add the above directory to SMI (MIB and PIB) paths."

    Alternatively, you may download and install Wireshark on your own computer.

  2. Download and open some sample capture files from the Wireshark wiki.

  3. Explore the user interface. Wireshark has five major components:

    Command menus : Standard pull-down menus located at the top of the window. File, Capture, and Statistics are of particular interest.

    Status bar : Near the top of the screen, includes a text input area. Allows you to apply packet filters, so that only selected packets are displayed (e.g., those belonging to a particular protocol or from a particular sender).

    Packet list : Displays a one-line summary for each packet captured, including a packet number assigned by Wireshark.

    Packet details : Provides details about the packet selected in the trace pane.

    Packet bytes : Shows the entire contents of the captured frame, in both ASCII and hexidecimal.

  4. Experiment with creating filters. This trace (from the Wireshark wiki) contains an HTTP transfer. Try these two different ways to exclude packets that are not related to HTTP:

    • Include only packets where "protocol is HTTP".
    • Include only packets where the TCP source port is 80 or the TCP destination port is 80.

    How do the packets you see differ? Form a hypothesis as to why there is a difference.

  5. Close the trace file.

Part B: Capturing a filtered trace§

Sniffing is not allowed on the IWU network, so we will use Emulab in order to capture packets from a live network.

  1. Create an Emulab experiment with a single node and no links. Make sure you give it the default Linux operating system. This will set up a machine for you to use network sniffing software in an environment that allows its use.
  2. Log in to your node via SSH. You are going to run an older version of the Wireshark software from back when it was called Ethereal. The command-line version (without a GUI) is called tethereal. Execute the following commands to capture a trace that includes fetching our favorite website in the world: www.uni-ulm.de
    cd /tmp
    sudo tethereal -q -w 330lab2_trace &
    wget http://www.uni-ulm.de/
    fg
    [CTRL-c]
    

Explanation§

  1. Now your trace is saved in the file you created. To copy it to your IWU home directory, run the following command (the : is important)
    scp 330lab2_trace [your username]@sun.iwu.edu:
    • scp is another very handy program. I use it daily. man scp if you're curious.
  2. You can now open the trace in Wireshark on the computers in CSN E201, or you can copy it to your own computer and open it in Wireshark there if you've installed it.
  3. Don't forget to terminate your Emulab experiment when you're finished with it.

Part C: LAN ecology§

Using the trace you just captured, answer the following questions.

  1. How much time elapsed during the trace? How many packets were captured? What was the average packet size? (Hint: Look under the Statistics menu.)
  2. What protocols appear in the trace? Give the full name of the protocol along with the acronym. (Hint: Try sorting the packet list by protocol.)
  3. Make an educated guess about what some or all of the protocols might be. Don't spend too much time on this.
  4. What is your Emulab node's IP address, and what is the IP address of the web server? (Hint: Look at the IP header for the HTTP request or response.) What other IP addresses appear in the trace?
  5. Some packets are displayed in black with red text. Why? (Hint: Read the commentary in Wireshark, then do a Google search for unfamiliar terms.)
  6. List any questions that you have about the traffic you see.

Part D: Ethernet§

Using the trace you just captured, answer the following questions. To limit the number of packets shown, apply the filter "protocol is HTTP".

  1. What is the Ethernet address of your Emulab node?

  2. What is the destination address in the Ethernet frame for the HTTP request? Whose address is this, the web server or a router? Why do you think so? How might you find out for sure?

  3. Give the hexadecimal value for the two-byte frame type field in the Ethernet frame. What does this field indicate?

  4. For each bit that is on (1) in the Flag field, explain what that bit means. (Skip this part - it's related to things we'll cover later. Feel free to poke at the Flag field if you like, but don't worry about it.)

  5. Which struct would you use in dealing with an Ethernet header? Why?

    /* Version 1 */
    struct ethhdr {
     unsigned int h_dest[ETH_ALEN]; /* destination eth addr */
     unsigned int h_source[ETH_ALEN]; /* source eth addr */
     unsigned int h_proto; /*packet type ID field */
    }
    
    /* Version 2 */
    struct ethhdr {
     unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
     unsigned char h_source[ETH_ALEN]; /* source eth addr */
     unsigned short h_proto; /*packet type ID field */
    }
    
    /* Version 3 */
    struct ethhdr {
     unsigned short h_dest[ETH_ALEN]; /* destination eth addr */
     unsigned long h_source[ETH_ALEN]; /* source eth addr */
     unsigned int h_proto; /*packet type ID field */
    }
    
  6. Fill in the correct values for XX in the following defines.

    /* IEEE 802.3 Ethernet magic constants. The frame sizes omit the preamble
     and FCS/CRC (frame check sequence). */
    
    #define ETH_ALEN XX /* Octets in one ethernet addr */
    #define ETH_HLEN XX /* Total octets in ethernet header */
    #define ETH_ZLEN XX /* Min. octets in frame sans FCS */
    #define ETH_DATA_LEN XXX /* Max. octets in payload */
    #define ETH_FRAME_LEN XXX /* Max. octets in frame sans FCS */
    

Part E: Ecology of another network§

Obtain a trace of another network via one of the two options below.

Using this new trace, address questions 1-3 from part C. How do the protocols seen on this other network compare to those you saw on the Emulab network? Can you make any inferences about the network configuration or hosts?

Option 1: Your own network§

  1. Identify a network other than Emulab's that you have access to, and obtain permission from network users to capture packets. This does not need to be Ethernet, but could instead be wireless, or even just a computer connected to a cable modem. I suggest a network in an off-campus house or apartment. This will let you easily identify all of the network users and obtain their permission.
  2. Install Wireshark on your own computer.
  3. In your lab report, record the location and type of the network.
  4. As in part B, start a trace. Uncheck the Capture in promiscuous mode option so that you only capture packets to or from your machine!
  5. Capture at least 2 minutes and no more than 10 minutes. During this time, fetch a web page. If you like, do some more things to generate network traffic; record what you did.
  6. End the capture and save the trace file.

Option 2: A canned trace§

  1. Download this sample capture file (only available from within IWU's network).

    This trace was taken by me, at my home, on a machine connected to a small local network. I fetched a web page during the trace, and some other things were going on as well.

Lab Report§

Upload your network capture files from part B and part E (if you made your own for part E) separately from the lab report. The assignment will let you upload multiple files.

Include your answers to A.4, part C, part D, part E, and the discussion questions.

Discussion Questions§

  1. The Emulab network is connected via Ethernet. Is it connected via hubs or switches? How can you tell?
  2. Many system administrators do not allow users to run packet sniffers on shared networks. Why do you think this is? How could this policy be enforced?
  3. What traffic might you expect to find on a "quiet network," that is, one in which no user is deliberately using a network application such as a web browser? Consider both useful background activity and potentially malicious activity.
  4. Extra credit (2 points) : What internet radio station's website did I have open when I captured the trace I supplied for Part E?
  5. Extra credit (a ton of money and/or a job with the NSA) : What is the password I used in the SSH session in the trace I supplied for Part E?
  6. What did you find most surprising or interesting about this assignment?
  7. How long did you spend on this assignment? What problems, if any, did you run into?