Intro Wireshark Lab
1. Review Linux man pages for arp at www.linuxmanpages.com (in both Sections 7 and 8), the ARP RFC (RFC
826) at www.ietf.org, and Section 3.4 of the IBM Red Book.
Pre-Lab 2 Questions:
1. Write the syntax for a wireshark command with a capture filter so that all IP datagrams with a source or
destination IP address equal to 10.0.1.12 are recorded.
2. Write the syntax for a wireshark display filter that shows IP datagrams with a destination IP address equal to
10.0.1.50 and frame sizes greater than 400 bytes.
3. Write the syntax for a wireshark display filter that shows packets containing ICMP messages with a source
or destination IP address equal to 10.0.1.12 and with frame numbers between 15 and 30.
4. Write the syntax for a wireshark display filter that shows packets containing TCP segments with a source or
destination IP address equal to 10.0.1.12 and using port 23.
5. Write a capture filter for question 4.
LAB TWO: Wireshark
LAB 2
The purpose of this lab is to acquaint yourself with wireshark in Linux and the ways in which packet reading and
capturing can be useful. As you saw in Lab 1, tcpdump has functionality very similar to that of wireshark,
albeit with fewer features. Although we will not explicitly talk about tcpdump from here forward, keep in mind
that there are some tasks that are better suited to it than wireshark, such as monitoring traffic on a remote server,
a circumstance in which using a graphical user interface (and therefore wireshark) may not be possible.
NOTE: Remember to reboot the PCs and to save all of your files in /root/labdata and your floppy/usb drive.
SAVE ALL FILES IN /root/labdata/<user> (where your <user> is your cats/email ID). All files you create should
be saved to your USB or floppy drive.
SUGGESTION - unless a specific name is requested, use the following name format for the files you save:
[Exercise]-[Part]-[Question]-PC-<command>. For example 5-A-4-PC1-tcpdump. This will help ensure you can find
the data needed for the lab report.
Network Setup FOR LAB 2
Connect the PCs according to the diagram below to a single switch (same as in Lab 1). Note: do not use port 24 on
the switches, as it has been configured to behave differently from the other ports; you will find out about this in
later labs.
1.1 Topology for Lab 2
The table below contains the IP address for each of the Linux PCs; these should be preconfigured:
PC IP address of eth0
PC1 10.0.1.11/24
PC2 10.0.1.12/24
PC3 10.0.1.13/24
PC4 10.0.1.14/24
Exercise 1: Wireshark, Ping, and Telnet
In this exercise you will familiarize yourself with the display and capture filters in wireshark and how they can
be used to assist you in further exercises.
PART A: Using Capture Filters in Wireshark
In this section you will review the traffic capture capabilities of wireshark.
A.1: Start wireshark on PC1 and set the same capture preferences as shown in the figure (using the
Capture:Options... menu item). These should be used for all experiments.
A.2: Setting a capture filter: In the Filter box set a filter so that all packets that contain the IP address of PC2
are recorded.
Hint: The required filter expression is the answer to question 2 in the pre-lab.
A.3: Start the capture by clicking OK in the Capture Options window.
A.4: In another terminal window on PC1, issue a ping to PC2 with two packets:
PC1% ping -c 2 10.0.1.12
A.5: Stop the capture process, but DO NOT close wireshark.
Save Data:
A.6: Save the results of the capture with both the detail and summary options.
PART B: Using Display Filters in Wireshark
This section will familiarize you with display filters, which can be extremely useful for seeing a specific set
of data within the captured set.
B.1: To set a display filter use the Filter bar at the top of the window as shown below. Click the Clear
button next to the bar to clear any existing filter. Click the Filter button for help constructing a display
filter.
Now enter a display filter that shows all IP datagrams with a destination IP address of 10.0.1.12.
To activate the display filter hit Enter or click Apply.
Save Data:
B.4: Save the displayed data using the print summary option with the Displayed option selected.
You'll notice if you open the file that the only packets saved were the ones filtered by the display
filter.
Save Data:
B.5: Repeat the exercise making a display filter that lists only IP datagrams with a source IP address of 10.0.1.12.
PART C: Complex Display Filters
Here we will dive into more complex display filters that will require the use of AND (& or &&) and OR (||) to
filter data with multiple conditions.
C.1: On PC1, use wireshark and start traffic capture using the settings from Part A, but with no capture filter.
C.2: Simultaneously, in two windows on PC1, run the following two commands to ping PC2 with 5 packets and
start a telnet session to PC2 from PC1. For the telnet session login as root then logout with the command exit.
PC1% ping -c 5 10.0.1.12
PC1% telnet 10.0.1.12
C.3: Stop the traffic capture, do not close.
Save Data:
For each of the following steps, save all data as Print Summary after applying the specified display filter.
C.4: Display only packets that contain ICMP messages with the IP address of PC2 as either the destination or source
address. HINT: Question 4 in the Pre-Lab will help.
C.5: Display packets that contain TCP traffic with the IP address of PC2 either as the source or destination. Hint:
Question 5 will help.
C.6: Display packets that in addition to the constraints in C.5 use source port number 23.
Exercise 2: Address Resolution Protocol (ARP)
This exercise will help you become familiar with ARP which resolves a MAC address for a given IP address.
Common Uses of ARP
arp -a
Displays the contents of the ARP cache
arp -d IPAddress
Deletes the entry with the IP address specified
arp -s IPAddress MACAddress
Adds a static entry to the ARP cache that is never overwritten by network events.
PART A: Experimenting with ARP
A.1: On PC1 view the ARP cache with the command arp -a and delete all entries with the -d option.
A.2: Start wireshark on PC1 with a capture filter set to the IP address of PC2.
A.3: Issue a ping command from PC1 to PC2:
PC1% ping -c 2 10.0.1.12
A.4: View the ARP cache again; note that ARP cache entries are deleted fairly quickly (about 2 minutes).
SAVE DATA:
A.5: Save the wireshark data using both the detail and summary options.
PART B: ARP requests for a non-existing address
Here we will see what happens when an ARP request is issued for an IP address that does not exist on the network.
B.1: On PC1, start wireshark with a capture filter set to capture packets that contain the IP address of PC1.
SAVE DATA:
B.2: Try to establish a telnet session from PC1 to 10.0.1.10 (Note: this address does not exist on the network).
Save the output (this will require redirecting stderr using the >& redirection).
PC1% telnet 10.0.1.10
SAVE DATA:
B.3: After telnet fails, stop capture and observe the time interval and the frequency with which PC1 transmits ARP
requests. Save the wireshark data using both the detail and summary options.
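The following is an added example, not part of the lab handout or of wireshark itself. It builds the ARP request and reply that the ping in Part A provokes, byte for byte as they appear on the wire, and decodes them again, so you can compare the fields with what wireshark shows in the detail view: the destination MAC of a request, the Ethernet Type field, and the fact that ARP is carried directly in the Ethernet frame rather than inside an IP datagram. The IP addresses are PC1 and PC2 from the topology table; the MAC addresses are constructed sample values.

```python
# Added example, not part of the lab handout: build an ARP request/reply as it
# appears on the wire and decode it again, to show the fields wireshark
# displays for Exercise 2. IP addresses are PC1/PC2 from the topology table;
# the MAC addresses are constructed sample values, not real hardware.
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800   # Ethernet Type field value for IP datagrams
ETHERTYPE_ARP = 0x0806    # Ethernet Type field value for ARP packets
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
UNKNOWN_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826).

    ARP sits directly in the Ethernet frame (Type 0x0806); there is no IP
    header, because the sender does not yet know the MAC address it would
    need to deliver an IP datagram. A request goes to the broadcast MAC with
    the target hardware address left as zeros; a reply is unicast back.
    """
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth_header = (mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac)
                  + struct.pack("!H", ETHERTYPE_ARP))
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_header = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    arp_body = (mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
                + mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)
    return eth_header + arp_header + arp_body


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, when the Type field is ARP, the ARP fields."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": bytes_to_mac(frame[0:6]),
            "src_mac": bytes_to_mac(frame[6:12]),
            "ethertype": ethertype}
    if ethertype != ETHERTYPE_ARP:
        return info                      # e.g. 0x0800: an IP datagram follows
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    offsets = [0, hlen, hlen + plen, 2 * hlen + plen, 2 * hlen + 2 * plen]
    sha, spa, tha, tpa = (body[offsets[i]:offsets[i + 1]] for i in range(4))
    info.update({
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(op, op),
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": bytes_to_mac(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    })
    return info


# Constructed exchange: PC1 asks "who has 10.0.1.12?", PC2 answers.
PC1_MAC, PC2_MAC = "02:00:00:00:00:11", "02:00:00:00:00:12"
ARP_EXCHANGE = [
    build_arp_frame(ARP_REQUEST, PC1_MAC, "10.0.1.11", UNKNOWN_MAC, "10.0.1.12"),
    build_arp_frame(ARP_REPLY, PC2_MAC, "10.0.1.12", PC1_MAC, "10.0.1.11"),
]

if __name__ == "__main__":
    for frame in ARP_EXCHANGE:
        print(f"{len(frame)} bytes:", parse_frame(frame))
```

The frames built here are 42 bytes (14 bytes of Ethernet header plus 28 bytes of ARP); on the wire the sender pads them to the 60-byte Ethernet minimum, so the length column in a capture is normally larger than what this script reports.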
Exercise 3: FTP and Telnet Experiments
A major problem with FTP and Telnet is that their passwords are sent across a network as plain text, without any
encryption.
PART A: Snooping Passwords from FTP sessions
The goal is to capture traffic from an FTP session and find the password.
A.1: On PC1 start wireshark and set the capture filters to capture traffic between PC1 and PC2. The filter for this
is:
host 10.0.1.11 and host 10.0.1.12
A.2: Start an FTP server on PC2 using the command vsftpd, and on PC1 start an FTP session to PC2:
PC1% ftp 10.0.1.12
A.3: Log in as root and then logout using the FTP quit command.
A.4: Stop the capture.
A.5: To inspect the data payloads of a sequence of FTP packets in wireshark select a packet that contains a TCP
segment in the main window. Now click Follow TCP Stream in the Analyze menu. This creates a new window that
displays only the payload of the selected TCP connection.
SAVE DATA:
A.6: Using the Print Detail option save the packets that contain the login name and password. Hint: Use a
wireshark display filter (with the frame.number value), or Edit:Mark Frame menu item with Marked
packets only to show the desired packets.
PART B: Snooping for telnet passwords
SAVE DATA:
B.1: Repeat the previous exercise using telnet instead of ftp. On PC1 connect to PC2 using telnet and save the
output of the wireshark session using the detail option.
B.2: Identify the packets transmitted for each character typed. You should see 3 packets for each character.
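The following is an added example, not part of the lab handout or of wireshark. It does by hand what Follow TCP Stream (Part A, step A.5) does for you: it sorts the segments of one direction of a connection by sequence number, drops retransmitted bytes, and concatenates the payloads. On the reassembled FTP control channel it then reports which cleartext authentication commands were present, the check a network monitor would use to alert on plaintext logins without writing the credential itself into an alert log. The same routine reassembles the one-byte-per-keystroke telnet segments from Part B. All segments are constructed sample data with placeholder credentials, not a real capture.

```python
# Added example, not part of the lab handout: reassemble the payload of one
# direction of a TCP connection from its segments (what wireshark's Follow
# TCP Stream does) and flag cleartext authentication commands on the FTP
# control channel. All segments are constructed sample data with placeholder
# credentials, not a real capture.
from dataclasses import dataclass

FTP_AUTH_COMMANDS = ("USER", "PASS")


@dataclass
class Segment:
    src: str        # "ip:port" of the sender
    dst: str        # "ip:port" of the receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, src, dst):
    """Concatenate the payloads flowing from src to dst in sequence order.

    Bytes already seen (a retransmission starting before the next expected
    sequence number) are dropped. A hole in the sequence space raises,
    because a stream with silently missing bytes would mislead the reader.
    """
    one_way = sorted((s for s in segments if s.src == src and s.dst == dst),
                     key=lambda s: s.seq)
    data = bytearray()
    expected = None
    for seg in one_way:
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seg.seq}")
        overlap = expected - seg.seq        # > 0 means (partial) retransmission
        fresh = seg.payload[overlap:]
        data += fresh
        expected += len(fresh)
    return bytes(data)


def find_cleartext_auth(client_stream):
    """Return the FTP authentication commands present in a client->server
    stream, without their arguments: enough to alert on a cleartext login,
    not enough to copy the credential into the alert."""
    found = []
    for line in client_stream.decode("ascii", errors="replace").split("\r\n"):
        command = line.split(" ", 1)[0].upper()
        if command in FTP_AUTH_COMMANDS:
            found.append(command)
    return found


# Constructed FTP control connection PC1 -> PC2 (port 21). The list is
# deliberately out of order and contains one retransmitted segment.
FTP_CLIENT, FTP_SERVER = "10.0.1.11:34567", "10.0.1.12:21"
SAMPLE_FTP = [
    Segment(FTP_SERVER, FTP_CLIENT, 5000, b"220 (vsFTPd)\r\n"),
    Segment(FTP_CLIENT, FTP_SERVER, 1011, b"PASS example-password\r\n"),
    Segment(FTP_CLIENT, FTP_SERVER, 1000, b"USER root\r\n"),
    Segment(FTP_CLIENT, FTP_SERVER, 1000, b"USER root\r\n"),   # retransmission
    Segment(FTP_SERVER, FTP_CLIENT, 5014, b"331 Please specify the password.\r\n"),
    Segment(FTP_CLIENT, FTP_SERVER, 1034, b"QUIT\r\n"),
]

# Constructed telnet login PC1 -> PC2 (port 23): one segment per keystroke,
# each echoed back by the server in the opposite direction.
TELNET_CLIENT, TELNET_SERVER = "10.0.1.11:40001", "10.0.1.12:23"
SAMPLE_TELNET = []
for i, ch in enumerate(b"root\r\n"):
    SAMPLE_TELNET.append(Segment(TELNET_CLIENT, TELNET_SERVER, 2000 + i, bytes([ch])))
    SAMPLE_TELNET.append(Segment(TELNET_SERVER, TELNET_CLIENT, 7000 + i, bytes([ch])))

if __name__ == "__main__":
    ftp_stream = reassemble(SAMPLE_FTP, FTP_CLIENT, FTP_SERVER)
    print(ftp_stream.decode())
    print("cleartext auth commands:", find_cleartext_auth(ftp_stream))
    print("telnet keystrokes:", reassemble(SAMPLE_TELNET, TELNET_CLIENT, TELNET_SERVER))
```

Reassembling only the client-to-server direction is what turns the three packets per typed character in Part B (the keystroke, the server's echo, and the acknowledgement) back into the single line the user typed.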
REMEMBER TO COPY SAVED FILES TO YOUR USB DRIVE OR FLOPPY!
Lab Report
Exercise 1 Questions:
1.1 Include the summary data saved from Part A in your lab report.
1.2 Include the summary data saved from both pieces of Part B in your lab report.
1.3 Include the data saved from each of the display filters from Part C.
Exercise 2 Questions:
Use your saved data to answer the following questions:
2.1 In Part A, what is the destination MAC address of an ARP Request packet? Include a captured packet to support
your answer.
2.2 In Part A, what are the different values of the Type field in the Ethernet headers that you observe?
2.3 Using the captured data from Part A, explain the process that ARP goes through to acquire a MAC address for
PC2 (10.0.1.12).
2.4 In Part B, using the saved output, describe the time interval between each ARP Request issued by PC1 and the
ARP retransmission policy. Include data to support your claim.
2.5 Why are ARP Request packets not encapsulated like IP packets? Explain.
Exercise 3 Questions:
3.1 From Part A: Using the saved output, identify the port numbers of the FTP client and FTP server. Include the
relevant lines from the packets.
3.2 From Part A: Identify the login name and password, shown in plain text in the payload of the packets captured.
Include the relevant FTP/IP headers in the lab report.
3.3 From Part B: Does Telnet have the same security flaws as FTP? Support your answer by showing the relevant
headers from the data you captured.
3.4 Looking at the captured data explain why three packets are sent in a telnet session for each character typed.
Attach a sample of your output.