Lab 2

In this lab we will be introduced to the virtual networks we will use for the next 3 labs. We will also be introduced to the tcpdump and wireshark tools used for analyzing network traffic.

Virtual machines and networks

For this and the following two labs we will be using data collected from virtual machines and networks.

Here is a combined physical and logical diagram for the networks.
Network diagram in JPG format
Network diagram in PDF format

About Wireshark

When you open a .pcap file with Wireshark you will see 3 main display areas. You can adjust the size of each area with the mouse. The top area shows each packet/frame in the pcap file on a separate line. Each line has the sequence number, time stamp, source, destination, protocol and other information. When you click on a packet/frame in the top area, more details are shown in the middle and bottom display areas. The middle display area shows a breakdown of the frame/packet at each layer of the protocol stack. The top line gives details about the frame as captured. The second line is Layer 2 (MAC/Ethernet) information. The third line is Layer 3 (Network/IP) information. You can click on the + signs to see even more details about each "layer". The bottom display area of Wireshark is a hexadecimal dump of the entire packet/frame. As you click on details in the middle display area, the corresponding bytes in the frame are highlighted.

To save details of a packet/frame or set of packets you will use the Edit->Mark menu and the File->Export Packet Dissections menu option of Wireshark. First select the frame you wish to "mark". Then use the Edit->Mark menu option (or the 'ctrl-m' keyboard shortcut) to mark the frame. Repeat for all frames you wish to print details on. Then go to the File->Export Packet Dissections menu and choose "As Plain Text". For packet range choose "Marked Packets". For packet format make sure "packet details" is checked and "all expanded" is selected.

The command

	man wireshark

on the JCCL linux workstation or the web page

	http://www.wireshark.org/docs

will give you much more information about the capabilities of the Wireshark program. There are also man pages available for the 'scp' and 'tcpdump' commands.

Wireshark is available on the JCCL linux and windows workstations. You can also download it and run it on your home machines.


Lab 2 procedures

The interfaces of the machines in this lab are:

Interface (machine and name)    Ethernet Address        IPv4 Address

monitor eth0                    52:54:00:88:8A:01       64.64.64.108/24
monitor eth1                    52:54:00:E9:55:CA       10.100.1.254/24
monitor eth2                    52:54:00:49:E1:21       10.100.2.254/24

Win10 (ws1) ethernet            52:54:00:A4:43:29       10.100.1.5/24
Linux (ws2) eth0                52:54:00:A5:73:04       10.100.2.5/24

The command ping 10.100.2.5 was run in a command window on the Windows workstation (ws1). This caused 4 ICMP echo request packets to be sent from ws1 to the linux workstation (ws2). Each of these caused an ICMP echo reply to be sent from ws2 to ws1. A tcpdump process captured all packets seen on the monitor eth1 interface, and that data is the pcap you will download.
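To make the three-pane breakdown described above concrete for the ping in this capture, here is a small Python dissector (example code written for this page, not part of the lab materials). For one frame it produces the per-layer lines Wireshark shows in its middle pane together with the byte ranges its bottom pane would highlight. The sample frame is constructed from the addresses in the table; that ws1 addresses the ping to monitor eth1's MAC (its gateway to 10.100.2.0/24) is an assumption, not something read from lab2.pcap.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def dissect(frame):
    """(layer, first_byte, end_byte, summary) per layer: Wireshark's middle pane
    plus the byte range its bottom pane would highlight for each line."""
    layers = [("Frame", 0, len(frame), f"{len(frame)} bytes on wire")]
    dst, src = frame[:6], frame[6:12]
    tl = struct.unpack("!H", frame[12:14])[0]
    kind = "Type" if tl >= 0x0600 else "Length"  # >= 0x0600: EtherType, else 802.3 length
    # All-ones is broadcast; otherwise the I/G bit (low bit of the first octet)
    # separates group (multicast) addresses from individual (unicast) ones.
    addr_kind = "broadcast" if dst == b"\xff" * 6 else "multicast" if dst[0] & 1 else "unicast"
    layers.append(("Ethernet", 0, 14,
                   f"{mac(src)} -> {mac(dst)} ({addr_kind}), {kind}=0x{tl:04x}"))
    if kind == "Type" and tl == 0x0800:  # IPv4 follows the 14-byte Ethernet header
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        layers.append(("IPv4", 14, 14 + ihl,
                       f"{ipv4(frame[26:30])} -> {ipv4(frame[30:34])}, proto={proto}"))
        if proto == 1:  # ICMP
            icmp_type, code = frame[14 + ihl], frame[15 + ihl]
            name = {8: "Echo request", 0: "Echo reply"}.get(icmp_type, "other")
            layers.append(("ICMP", 14 + ihl, len(frame),
                           f"type={icmp_type} ({name}) code={code}"))
    return layers

def build_echo_request():
    """Constructed sample: ws1's ping to ws2 as it would look on the 10.100.1.0/24
    segment; assumes ws1 addresses it to monitor eth1, its gateway to 10.100.2.0/24.
    Checksums stay zero because the dissector does not verify them."""
    dst = bytes.fromhex("525400E955CA")  # monitor eth1 (assumed gateway)
    src = bytes.fromhex("525400A44329")  # ws1
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 128, 1, 0,
                     bytes([10, 100, 1, 5]), bytes([10, 100, 2, 5]))
    return dst + src + b"\x08\x00" + ip + icmp

if __name__ == "__main__":
    for layer, start, end, summary in dissect(build_echo_request()):
        print(f"{layer:8} bytes {start:3}-{end - 1:3}: {summary}")
```

The same dissect() function also labels a frame whose bytes 12-13 hold an 802.3 length rather than an EtherType, and a group or broadcast destination, which is the distinction the questions below ask you to reason about.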

You will download this pcap file: lab2.pcap

You will open this pcap file in Wireshark.

Questions to answer in the Lab report

Question 1 (2 points)

Identify a frame with a destination broadcast address in the lab2.pcap file. What is the source ethernet address of this packet?

Question 2 (2 points)

Identify a frame with a destination broadcast address in the lab2.pcap file. Use the table above to identify the interface that transmitted this packet that was captured.

Question 3 (2 points)

In the frame following the frame from question 2, what were the source and destination ethernet addresses?

Question 4 (3 points)

Identify a frame with a destination broadcast address in the lab2.pcap file. What is the ethernet TYPE or LENGTH code? How do you know it is a TYPE or a LENGTH? Yes, Wireshark will tell you, but how does Wireshark know? What is the implication of it being a type or a length?

Question 5 (4 points)

Identify a frame with a source IP address of 10.100.2.5 in the lab2.pcap file. What are the source and destination Ethernet addresses of this frame? Which system and interface (from the table above) sent this frame when it was captured? Was this system/interface the same as the system/interface that made the ping reply (Linux eth0)?

Question 6 (3 points)

Identify a frame with a destination ethernet address of 01:80:c2:00:00:00. (The top frame summary might identify this as "Spanning Tree for Bridges".) What type of destination address is this? How do you know what type it is?

Question 7 (3 points)

Identify a frame with a destination ethernet address of 01:80:c2:00:00:00. What is the ethernet TYPE or LENGTH code? How do you know it is a TYPE or a LENGTH? Yes, Wireshark will tell you, but how does Wireshark know? What is the implication of it being a type or a length?

Question 8 (2 points)

Include in your report the ASCII export ("all expanded") output of the frame from Question 1.

Question 9 (2 points)

Include in your report the ASCII export ("all expanded") output of the frame from Question 5.

Question 10 (2 points)

Include in your report the ASCII export ("all expanded") output of the frame from Question 6.