Networks -- CS 125


CS 125 Lab - Observing a Network at the TOP with Wireshark


Due date: Check the course for the due date.

Introduction

In this assignment, you will use Wireshark, a packet sniffer, to capture and interpret frames transmitted on an Ethernet. 

Because there can be security issues with a packet sniffer, sniff only what you are asked to sniff. If you would like to sniff other traffic, then PRIOR to sniffing, talk to me and I will get permission from the appropriate network users and administrators.

As a packet sniffer, Wireshark captures packets as they are being sent/received from/by your computer. Wireshark will store and/or display the contents of various protocol fields in the captured messages. Wireshark is passive in that it observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, the packet sniffer receives copies of the packets, so the packets still make their way to the intended recipient.

A packet sniffer has two parts: a packet capture library and a packet analyzer. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Almost all Unix-based packet sniffers use libpcap. Capturing all link-layer frames gives you all messages that are sent or received by all protocols and applications executing in your computer.  The packet analyzer helps you interpret the data collected by the packet capture library. It displays the contents of all fields within a protocol message. Thus, the packet analyzer must understand the structure of all messages exchanged by protocols.

Running Wireshark

There are at least two places where you can run Wireshark: Hoare and the CS Labs. On Hoare there are two Ethernet ports (use ifconfig to see what each one is connected to), so when using Wireshark on Hoare be sure to think about which interface you want to measure. If you run Wireshark in the CS Labs, you will be watching only your own switch port, which may or may not be what you want. In the CS Labs, capture on 'en0'.

Acknowledgments

This assignment is taken from the Wireshark labs that accompany Kurose & Ross (K&R), Computer Networking: A Top-Down Approach, 7th Edition.

Goals

Logistics

You are to work in your pairs.

Preparation

There is no additional preparation required beyond reading the introduction to the assignment. If you like, you can read more about Wireshark at its web site, http://www.wireshark.org

Assignment

Part A: Getting started with Wireshark

  1. You should all have been given permission to run Wireshark with administrative privileges on the CS network; opening an interface for capture requires root (or membership in the capture group), which is why that permission was needed. Verify that you can do so. To run Wireshark, open a terminal and type wireshark, or ssh with X forwarding (ssh -X) into a machine that has Wireshark installed.

  2. Explore the user interface. Wireshark's main window has five major components: the command menus, the packet-list pane, the packet-details pane, the packet-bytes pane, and the display-filter field.

  3. Experiment with creating display filters. Try these two different ways of excluding packets that are not related to a particular protocol:

    • e.g., include only packets where "protocol is HTTP" (display filter: http).
    • e.g., include only packets where the TCP source port is 80 or the TCP destination port is 80 (display filter: tcp.port == 80).

    How do the sets of packets you see differ? Form a hypothesis as to why there is a difference.

  4. Close the trace file.
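The difference between the two filters in step 3 comes down to what each one inspects. The following added example (written for this page; it is not code from the lab handout, from K&R, or from Wireshark) decodes Ethernet II / IPv4 / TCP frames and applies two look-alikes of the filters "http" and "tcp.port == 80" to a constructed trace. Wireshark's real "http" filter is its HTTP dissector; the is_http() heuristic here is an assumption standing in for it, and the addresses, ports and frames are made up rather than captured.

```python
"""Added example (not part of the lab handout or of Wireshark): a tiny
Ethernet II / IPv4 / TCP decoder plus two look-alikes of the display filters
"http" and "tcp.port == 80", run over constructed frames. Wireshark's real
"http" filter is its HTTP dissector; is_http() below is a stand-in heuristic
(an assumption), and the frames are built here, not captured."""
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes

SYN, PSH, ACK = 0x02, 0x08, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def parse_frame(frame: bytes) -> Optional[Packet]:
    """Decode Ethernet II -> IPv4 -> TCP; anything else (ARP, UDP, ...) is None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                # IPv4 header length in bytes
    if ip[9] != 6:                                          # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4                        # TCP header length in bytes
    return Packet(src, dst, sport, dport, tcp[13], tcp[data_offset:])

def is_http(p: Packet) -> bool:
    """Stand-in for the 'http' filter: only packets that carry an HTTP message."""
    return p.payload.startswith(HTTP_METHODS) or p.payload.startswith(b"HTTP/1.")

def is_port80(p: Packet) -> bool:
    """'tcp.port == 80': decided by the port numbers alone, payload or not."""
    return p.sport == 80 or p.dport == 80

def build_frame(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Construct an Ethernet II / IPv4 / TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

CLIENT, SERVER = "10.0.0.5", "93.184.216.34"   # made-up endpoints
TRACE = [  # constructed frames, not a real capture
    build_frame(CLIENT, SERVER, 54321, 80, SYN),                       # 1 handshake
    build_frame(SERVER, CLIENT, 80, 54321, SYN | ACK),                 # 2
    build_frame(CLIENT, SERVER, 54321, 80, ACK),                       # 3
    build_frame(CLIENT, SERVER, 54321, 80, PSH | ACK,
                b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),       # 4 request
    build_frame(SERVER, CLIENT, 80, 54321, PSH | ACK,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),      # 5 response
    build_frame(CLIENT, SERVER, 54322, 8080, PSH | ACK,
                b"GET /admin HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # 6 HTTP, not on 80
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                         # 7 ARP: not IPv4
]

def apply_filter(frames, pred):
    """Return the 1-based frame numbers that decode to TCP and satisfy pred."""
    return [i for i, f in enumerate(frames, 1)
            if (p := parse_frame(f)) is not None and pred(p)]

if __name__ == "__main__":
    print("http         ->", apply_filter(TRACE, is_http))    # [4, 5, 6]
    print("tcp.port==80 ->", apply_filter(TRACE, is_port80))  # [1, 2, 3, 4, 5]
```

The port filter keeps the handshake frames (1 to 3), which carry no HTTP at all, and misses HTTP spoken on port 8080 (frame 6); the protocol filter does the opposite. The same asymmetry matters when you hunt for traffic that deliberately uses a non-standard port.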

Part B: Capturing a filtered trace

  1. When you run Wireshark you can create a lot of data. Store your captures in /tmp, where the data will be cleaned up and will not count against your quota. Capture files can contain other people's traffic, so make anything you save readable only by you (chmod 600) and delete it when the lab is done.

  2. In the Capture menu, choose Options.

  3. Observe the option to capture in promiscuous mode. Without it, the network card only passes up frames addressed to its own MAC address plus broadcast and multicast frames; in promiscuous mode, the trace includes every frame the card receives, regardless of whether it is addressed to your machine. Since the CS network is switched, the switch only forwards to your port frames that are addressed to you, are broadcast or multicast, or are flooded because the destination is unknown, so it usually does not matter whether this is checked.

  4. Click Start to begin a capture. 

NOTE:

There are two DNS labs, and I am sure that some of their questions overlap. ONLY ANSWER EACH QUESTION ONCE. There is a long history behind many of these labs.

Part C: What you are to do

Discussion Questions

  1. Many system administrators do not allow users to run packet sniffers on shared networks. Why do you think this is? How could this policy be enforced? Investigate the policies for networks that you regularly use.
  2. What traffic might you expect to find on a "quiet network," that is, one in which no user is deliberately using a network application such as a web browser? Consider both useful background activity and potentially malicious activity.

  3. Read about Snort, an excellent open source network intrusion detection system. You can use Snort to monitor your local network for suspicious traffic patterns. Snort users write rules that specify what suspicious traffic looks like, using the same kind of information Wireshark captures (source and destination IP address, protocol, ports, payload contents, etc.). From what you have learned in this exercise, briefly discuss how Snort might work and suggest some traffic patterns that might indicate malicious activity.

  4. Tell me what could be worded better in the above directions.
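To make question 3 concrete, here is an added example (written for this page; it is not code from the lab, from Snort, or from any Snort rule set) that matches a small subset of Snort's rule syntax, the header plus the msg, content and sid options, against constructed packet records, and adds one cross-packet check for port scanning. The rules, addresses, payloads and the Pkt record type are all made up for illustration; a real Snort engine does far more (stream reassembly, protocol decoding, thresholds), but it works from the same fields you saw in Wireshark.

```python
"""Added example, not from the lab, from Snort, or from its rule set: a
miniature matcher for a subset of Snort's rule syntax (header plus msg,
content and sid options), plus a cross-packet port-scan check, run over
constructed packet records. Rules, addresses and payloads are made up for
illustration; a real Snort rule set and engine do far more."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Pkt:           # the fields a sniffer hands to a detector
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

# Snort rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$")

def _parse_opts(text: str) -> Dict[str, str]:
    """'msg:"x"; content:"y"; sid:1;' -> {'msg': 'x', ...} (no ';' inside values)."""
    opts = {}
    for item in text.split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def _content_bytes(spec: str) -> bytes:
    """Snort content syntax: literal text with |hh hh| hex runs between pipes."""
    return b"".join(bytes.fromhex(part) if i % 2 else part.encode()
                    for i, part in enumerate(spec.split("|")))

def parse_rule(text: str) -> dict:
    m = HEADER_RE.match(text)
    if m is None:
        raise ValueError(f"unsupported rule: {text}")
    rule = m.groupdict()
    rule["opts"] = _parse_opts(rule["opts"])
    return rule

def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def match(rule: dict, p: Pkt) -> bool:
    """Header fields first (the cheap checks), then the payload content."""
    if rule["proto"] != "ip" and rule["proto"] != p.proto:
        return False
    if not (_addr_ok(rule["src"], p.src) and _port_ok(rule["sport"], p.sport)):
        return False
    if not (_addr_ok(rule["dst"], p.dst) and _port_ok(rule["dport"], p.dport)):
        return False
    content = rule["opts"].get("content")
    return content is None or _content_bytes(content) in p.payload

def run_rules(rules, pkts) -> List[Tuple[int, str]]:
    """Return (1-based packet number, msg) for every rule that fires."""
    return [(i, r["opts"].get("msg", "")) for i, p in enumerate(pkts, 1)
            for r in rules if match(r, p)]

def scan_sources(pkts, min_ports: int = 4) -> List[Tuple[str, str, int]]:
    """(src, dst, distinct TCP ports) pairs touching at least min_ports ports:
    each packet alone looks innocent, the pattern across packets does not."""
    seen: Dict[Tuple[str, str], set] = {}
    for p in pkts:
        if p.proto == "tcp":
            seen.setdefault((p.src, p.dst), set()).add(p.dport)
    return sorted((s, d, len(ports)) for (s, d), ports in seen.items()
                  if len(ports) >= min_ports)

RULES = [parse_rule(r) for r in [  # constructed rules in Snort's syntax
    'alert tcp any any -> 10.0.0.0/8 23 (msg:"telnet to a lab host"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"directory traversal in HTTP request"; content:"../"; sid:1000002;)',
    'alert udp 10.0.0.0/8 any -> any 53 (msg:"DNS lookup of a blocklisted name"; content:"|03|bad|07|example|00|"; sid:1000003;)',
]]

TRACE = [  # constructed packet records, not a capture
    Pkt("tcp", "10.0.0.5", 40000, "93.184.216.34", 80, b"GET /index.html HTTP/1.1\r\n"),
    Pkt("tcp", "10.0.0.5", 40001, "93.184.216.34", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Pkt("tcp", "192.0.2.9", 51000, "10.0.0.7", 23, b""),
    Pkt("udp", "10.0.0.5", 50123, "10.0.0.1", 53,
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03bad\x07example\x00\x00\x01\x00\x01"),
    Pkt("tcp", "192.0.2.9", 51001, "10.0.0.7", 22, b""),
    Pkt("tcp", "192.0.2.9", 51002, "10.0.0.7", 25, b""),
    Pkt("tcp", "192.0.2.9", 51003, "10.0.0.7", 445, b""),
]

if __name__ == "__main__":
    for n, msg in run_rules(RULES, TRACE):
        print(f"packet {n}: {msg}")
    print("possible port scans:", scan_sources(TRACE))
```

The first three rules fire on single packets (a telnet connection into the lab subnet, a "../" in an HTTP request, a DNS query for a blocklisted name written in DNS's length-prefixed label form), which is the kind of check a display filter could also express. The scan detector is different: no one packet from 192.0.2.9 is suspicious, but four distinct ports on one host in a short trace is, and that requires keeping state across packets, which is where an IDS goes beyond a sniffer.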

Mike Erlinger

Last Modified Tuesday, 09-Oct-2018 13:34:14 PDT