Introduction§

In this assignment, you will use Wireshark [WP], a packet sniffer and protocol analyzer, to capture and interpret frames transmitted on an ethernet link. Wireshark is an excellent open-source tool, with a highly usable interface and a wide range of capabilities. If you ever want to figure out what's happening on your network, Wireshark is probably the first tool you should pull out.

Because there can be security issues with a packet sniffer, sniff only what you are asked to sniff. If you would like to sniff other traffic, then PRIOR to sniffing, talk to me and get permission from all network users and administrators.

As a packet sniffer, Wireshark captures packets as they are being sent/received from/by your computer. Wireshark will store and/or display the contents of various protocol fields, as well as the payload, in the captured messages. This makes it an excellent tool for studying network protocols.

Wireshark is passive in that it observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, the packet sniffer receives copies of the packets, so the packets still make their way to the intended recipient.

A packet sniffer has two parts: a packet capture library and a packet analyzer. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Almost all Unix-based packet sniffers use libpcap. Capturing all link-layer frames gives you all messages that are sent or received by all protocols and applications executing in your computer. The packet analyzer helps you interpret the data collected by the packet capture library. It displays the contents of all fields within a protocol message. Thus, the packet analyzer must understand the structure of all messages exchanged by protocols.

Acknowledgments§

This assignment is adapted from "Lab: Wireshark: Ethernet" by Mike Erlinger at Harvey Mudd College. It also incorporates elements of exercises 1.1 - 1.2 in Computer Networking: Internet Protocols in Action by Jeanna Matthews (Wiley, 2005).

Goals§

Assignment§

Part A: Getting started with Wireshark§

  1. Wireshark has been installed on the computers in CNS E201 [... but it doesn't currently work on those machines... working on it!]. It is available under the Applications directory.

    Alternatively, you may download and install Wireshark on your own computer.

  2. Download and open some sample capture files from the Wireshark wiki.

  3. Explore the user interface. Wireshark has five major components:

    Command menus : Standard pull-down menus located at the top of the window. File, Capture, and Statistics are of particular interest.

    Status bar : Near the top of the screen, includes a text input area. Allows you to apply packet filters, so that only selected packets are displayed (e.g., those belonging to a particular protocol or from a particular sender).

    Packet list : Displays a one-line summary for each packet captured, including a packet number assigned by Wireshark.

    Packet details : Provides details about the packet selected in the trace pane.

    Packet bytes : Shows the entire contents of the captured frame, in both ASCII and hexidecimal.

  4. Experiment with creating filters. This trace (from the Wireshark wiki) contains an HTTP transfer. Try these two different ways to exclude packets that are not related to HTTP:

    • Include only packets where "protocol is HTTP".
    • Include only packets where the TCP source port is 80 or the TCP destination port is 80.

    How do the packets you see differ? Form a hypothesis as to why there is a difference.

  5. Close the trace file.

Part B: Capturing a filtered trace§

Sniffing is not allowed on the IWU network, so we will use Emulab in order to capture packets from a live network.

  1. Create an Emulab experiment with a single node and no links. Running this in Emulab gives you a way to run network sniffing software in an environment that allows its use. Make sure you give it the default Linux operating system. Be sure to set the operating system on the node to FEDORA10-STD, because the default OS given to the node may or may not work.
  2. Log in to your node via SSH. Wireshark isn't installed by default, so we need to install it. We'll use yum, package-management software on certain Linux systems that makes installing and removing programs very easy. To install Wireshark, run:
    sudo yum install wireshark
    
    The sudo program lets you run programs as the Super User, or root, if you have the right permissions. For more information (sort of), see this xkcd comic.
  3. You are going to run the command-line version of Wireshark (without a GUI), called tshark ("t" for "terminal," I believe). Execute the following commands to capture a trace that includes fetching our favorite website in the world: www.ucd.ie
    cd /tmp
    sudo tshark -q -w 330lab3_trace &
    wget http://www.ucd.ie/
    fg
    [CTRL-c]
    

Explanation§

  1. Now your trace is saved in the file you created. To copy it to your IWU home directory, run the following commands (the : is important for scp, remember!)
    sudo chmod a+r 330lab3_trace
    scp 330lab3_trace [your username]@sun.iwu.edu:
    
    • We have to run chmod as root to grant your regular (non-root) user access to the file. Otherwise, it is owned by root and no other user, including you when you're not root, can read it. Giving chmod the a+r argument means "give everyone read permissions."
    • scp, which we've seen before, is another very handy program. I use it daily. man scp if you're curious.
  2. You can now open the trace in Wireshark on the computers in CSN E201 or on your own machine; it will be in your home directory [no, we don't get network home directories in E201 any more...]. You can copy it to any computer, including your own, from sun.iwu.edu using scp.
  3. Don't forget to terminate your Emulab experiment when you're finished with it.

Part C: LAN ecology§

Using the trace you just captured, answer the following questions.

  1. How much time elapsed during the trace? How many packets were captured? What was the average packet size? (Hint: Look under the Statistics menu.)
  2. What protocols appear in the trace? Give the full name of the protocol along with the acronym. (Hint: Try sorting the packet list by protocol.)
  3. Make an educated guess about what some or all of the protocols might be. Don't spend too much time on this.
  4. What is your Emulab node's IP address, and what is the IP address of the web server? (Hint: Look at the IP header for the HTTP request or response.) What other IP addresses appear in the trace?
  5. Some packets are displayed in black with red text. Why? (Hint: Read the commentary in Wireshark, then do a Google search for unfamiliar terms.)
  6. List any questions that you have about the traffic you see.

Part D: Ethernet§

Using the trace you just captured, answer the following questions. To limit the number of packets shown, apply the filter "protocol is HTTP".

  1. What is the ethernet address of your Emulab node?

  2. What is the destination address in the ethernet frame for the HTTP request? Whose address is this, the web server or a router? Why do you think so? How might you find out for sure?

  3. Give the hexadecimal value for the two-byte frame type field in the ethernet frame. What does this field indicate?

  4. For each bit that is on (1) in the Flag field, explain what that bit means. (Skip this part - it's related to things we'll cover later. Feel free to poke at the Flag field if you like, but don't worry about it.)

  5. Imagine you're writing C/C++ code for dealing with an ethernet header. Which of the following structs would you use? Why?

    [See here for standard sizes for the types used in these structs, if you're not familiar. This is basically all about the sizes of the different fields.]

    /* Version 1 */
    struct ethhdr {
     unsigned int h_dest[ETH_ALEN]; /* destination eth addr */
     unsigned int h_source[ETH_ALEN]; /* source eth addr */
     unsigned int h_proto; /*packet type ID field */
    }
    
    /* Version 2 */
    struct ethhdr {
     unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
     unsigned char h_source[ETH_ALEN]; /* source eth addr */
     unsigned short h_proto; /*packet type ID field */
    }
    
    /* Version 3 */
    struct ethhdr {
     unsigned short h_dest[ETH_ALEN]; /* destination eth addr */
     unsigned long h_source[ETH_ALEN]; /* source eth addr */
     unsigned int h_proto; /*packet type ID field */
    }
    
  6. Fill in the correct values for XX in the following defines, which could be used, again, in C/C++ code for dealing with ethernet frames.

    /* IEEE 802.3 Ethernet magic constants. The frame sizes omit the preamble
     and FCS/CRC (frame check sequence). */
    
    #define ETH_ALEN XX /* Octets in one ethernet addr */
    #define ETH_HLEN XX /* Total octets in ethernet header */
    #define ETH_ZLEN XX /* Min. octets in frame sans FCS */
    #define ETH_DATA_LEN XX /* Max. octets in payload */
    #define ETH_FRAME_LEN XX /* Max. octets in frame sans FCS */
    

Part E: Ecology of another network§

Obtain a trace of another network via one of the two options below.

Using this new trace, address questions 1-3 from part C. How do the protocols seen on this other network compare to those you saw on the Emulab network? Can you make any inferences about the network configuration or hosts?

Option 1: Your own network§

  1. Identify a network other than Emulab's that you have access to, and obtain permission from network users to capture packets. This does not need to be ethernet, but could instead be wireless, or even just a computer connected to a cable modem. I suggest a network in an off-campus house or apartment. This will let you easily identify all of the network users and obtain their permission.
  2. Install Wireshark on your own computer.
  3. In your lab report, record the location and type of the network.
  4. As in part B, start a trace. Uncheck the Capture in promiscuous mode option so that you only capture packets to or from your machine!
  5. Capture at least 2 minutes and no more than 10 minutes. During this time, fetch a web page. If you like, do some more things to generate network traffic; record what you did.
  6. End the capture and save the trace file.

Option 2: A canned trace§

  1. Download this sample capture file (only available from within IWU's network).

    This trace was taken by me, at my home, on a machine connected to a small local network. I fetched a web page during the trace, and some other things were going on as well.

Lab Report§

Upload your network capture files from part B and part E (if you made your own for part E) separately from the lab report. The assignment will let you upload multiple files.

Include your answers to A.4, part C, part D, part E, and the discussion questions.

Discussion Questions§

  1. The Emulab network is connected via ethernet. Is it connected via hubs or switches? How can you tell?
  2. Many system administrators do not allow users to run packet sniffers on shared networks. Why do you think this is? How could this policy be enforced?
  3. What traffic might you expect to find on a "quiet network," that is, one in which no user is deliberately using a network application such as a web browser? Consider both useful background activity and potentially malicious activity.
  4. Extra credit (1 point) : What internet radio station's website did I have open when I captured the trace I supplied for Part E?
  5. Extra credit (a ton of money and/or a job with the NSA) : What is the password I used in the SSH session in the trace I supplied for Part E?
  6. What did you find most surprising or interesting about this assignment?
  7. How long did you spend on this assignment? What problems, if any, did you run into?