Introduction to Networking & Network Management
Engineering Science Department
Wireshark_1 Experiment
Your Name: / Your Station: / Your Computer:
Your Partners: / Date:

A.  Objectives

1.  Learn what protocol analysis means

2.  Learn how to use Wireshark

3.  Monitor traffic at specific port & capture specific data (such as ping traffic) on an interface

4.  Analyze the packet & its content

B.  Configuration & Network Setup

Configure Ethernet port eth2 with the IP address you are given & attach the Wireshark application to the receiving computer’s interface to capture data. Use the command “sudo -i” to log in to a root shell with the password provided by the instructor (“sudo -l” only lists the commands you are allowed to run; it does not log you in as root).

C.  Procedure

1.  Do steps 1-11 on your own. You may do steps 12 to the end with your partner, since you need to ping each other’s computer. Each student must submit her/his own report on this lab. Note that you can save the Wireshark capture in your Ubuntu Documents folder with a file name starting with your name.

2.  Consider the wiring diagram of your Work Area as shown in Figure 1. We want to send IP packets to a computer continuously & capture the traffic at its interface. Assume the Wireshark application is installed on all computers in Salazar 2009A to capture data at any of their interfaces (e.g., PC D at its eth2 in Fig. 1). If installed, you can see the Wireshark icon on the Ubuntu screen, or go to the Dash & search for it to see the icon.

Figure 1. Wiring diagram of Work Area 1 & data capture at a computer interface by Wireshark. Disregard “FTP Server” in the figure at the PC D port.

3.  Boot the computer & keep pressing the Up Arrow key so that the display stops at the list of OSs (e.g., Ubuntu, Windows 7, …) for you to choose from. Scroll up or down to highlight UBUNTU (NOT Ubuntu Backup) & hit Enter for the Ubuntu OS to complete the boot. You may need to enter the password that the instructor provides to get to the Ubuntu desktop.

4.  Open a Terminal page & check (e.g., with “ifconfig eth2” or “ip addr show eth2”) that the eth2 interface is “up” & that its IP address is 192.168.1.x as you set it in basic_lab. “x” is the computer number za, zb, zc or zd, read as a hexadecimal number & converted to decimal, where z is the Work Area number.

E.g. for Work Area 1, use

1a=1*16 + 10 = 26

1b=1*16 + 11 = 27

1c=1*16 + 12 = 28

1d=1*16 + 13 = 29

5.  Now, to generate traffic at eth2 of your computer, ping the eth2 address of your own computer continuously with a payload pattern of FF. For each ping packet, an echo request, the destination sends back an echo reply packet. Both request & reply packets are ICMP messages encapsulated in IP packets.

What is the ping command you use?

6.  To invoke Wireshark as a protocol analyzer to capture or monitor the traffic at an interface, with options such as the number of packets to capture, a capture filter, etc., you need capture privileges. (Running the whole Wireshark GUI as root is discouraged by its developers: the usual Ubuntu setup instead grants capture privileges to the dumpcap helper via “sudo dpkg-reconfigure wireshark-common”, after which members of the wireshark group, added with “sudo usermod -aG wireshark $USER” followed by a fresh login, can capture as a normal user.) In this lab you may use root authority either:

a)  at a Terminal page by the command “sudo wireshark -i eth2 -c 6”, or

b)  by clicking the Wireshark icon on the left side of the Ubuntu screen. Then “Start a capture with detailed options” & use the following “Capture Options”:

Interface, select “eth2”.

Capture Filter, leave blank (or use “icmp” since only ping commands are being exchanged at eth2).

Stop Capture, after “6” packets.

In either case a) or case b), the Wireshark capture options screen opens as soon as you start.

7.  Then click “Start” & you will soon see Wireshark capturing the ping packets. You can go to the site below to see some Wireshark screenshots.

https://www.wireshark.org/docs/wsug_html_chunked/ChUseCaptureMenuSection.html#ChUseWiresharkCaptureMenu

8.  In the command “sudo wireshark -i eth2 -c 6”:

Question / Answer
What is sudo for?
What does option “-i” do?
What does option “-c” do?

9.  Now look at the Wireshark panels on the screen to get a high-level understanding of the panels, & fill in the answers:

Question / Answer
Which was your computer (A, B, C, D) with Wireshark?
List the packets in the top panel.
What is the structure of the packets in the middle panel?
Select an Echo Request ping packet & see the content of the corresponding frame in the middle panel & copy the content in the right column.
Explain briefly what it is showing & if it makes sense.
Select an Echo Request ping packet & see the content of the corresponding frame in the bottom panel & copy the hexadecimal content in the right column.
Explain briefly what it is showing & whether it can be helpful.

10.  To stop the pinging at your computer, go to the Terminal page & press Control-C; ping then prints its summary statistics. (Control-Z only suspends ping as a stopped job; it does not terminate it.)

11.  To learn what Ethernet & IEEE 802.3 frames look like, so that you can analyze frame contents, google “image of IEEE 802.3 frame”. Pick one that shows both the Ethernet & the IEEE 802.3 frame & fill in the following table. Note that the Preamble & Start of Frame Delimiter are removed by the NIC before the frame reaches the driver, & on most systems the FCS is removed too, so Wireshark shows a frame starting at the destination MAC address (a minimum-size 64-octet frame appears as 60 octets in the capture).

Fields of frame / # of Octets in Ethernet Frame / # of Octets in IEEE 802.3 Frame
Preamble
Start of Frame
Destination MAC address
Source MAC address
Ethernet Type (Ethernet II) or Length (IEEE 802.3)
Data
Frame Check Sequence (FCS) / Cyclic Redundancy Code (CRC)

12.  From here on you can work in a group of two in your Work Area. First, connect your computer with your partner’s computer by two Ethernet cables at the patch panel & the Alcatel-Lucent OmniSwitch OS6860 or OS6450, as in basic_lab. Power on the switch & make sure the two computers can reach each other with the ping command.

13.  To generate some traffic at the eth2 port of your computer, let your partner ping your computer continuously (NO count parameter) with the hexadecimal content 10FF (as in step 5). Now set up Wireshark with an “icmp” capture filter to capture six ping packets & start. First, look at the Wireshark panels on the screen at a high level & fill in the answers:

Question / Answer
Which was your computer (A, B, C, D) with Wireshark?
Which computer (A, B, C, D) was sending you ping?
List the packets in the top panel.
What is the structure of the packets in the middle panel?
Select an echo request ping packet & see the content of the corresponding frame in the bottom panel & copy the hexadecimal content in the right column for your analysis.

14.  Next, you want to compare the various fields of the IP & ICMP ping packet (each encapsulated in an Ethernet frame) as shown in the Wireshark panels with the addresses & content of the ping your partner sent you from the Ubuntu Terminal, & verify that they are correct. From the Wireshark panels identify each of the following fields & write the number of bytes for each field & its content in the table below. Running “ifconfig eth2” (or “ip addr show eth2”) in a Terminal on each computer gives the addresses to compare against.

Question / # of Bytes / Content
The eth2 address field at the source in the frame.
Is this address the same as the eth2 address of the source computer?
The eth2 address field at the destination in the frame.
Is this address the same as the eth2 address of the destination computer?
The ip address field of the source computer.
Is this address the same as the ip address of the source computer?
The ip address field at the destination computer.
Is this address the same as the ip address of the destination computer?
The content field of the icmp packet.
From the content field identify in detail the type of message, code, checksum, identifier, sequence # & payload data. For icmp/ping format:
https://en.wikipedia.org/wiki/ping_(networking_utility)
Do these fields look okay to you? Explain.

15.  Now switch roles with your partner & repeat the previous step with 6 pings with hexadecimal content ABCDEF & answer the same questions. Note that Wireshark must be started first & the pings sent afterwards from the source to be able to capture the six ping packets.

Question / # of Bytes / Content
The eth2 address field at the source in the frame.
Is this address the same as the eth2 address of the source computer?
The eth2 address field at the destination in the frame.
Is this address the same as the eth2 address of the destination computer?
The ip address field of the source computer.
Is this address the same as the ip address of the source computer?
The ip address field at the destination computer.
Is this address the same as the ip address of the destination computer?
The content field of the icmp packet.
From the content field identify the type of message, code, checksum, identifier, sequence number & payload data.
Do these fields look okay to you? Explain.
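As an added example (not part of this lab handout), the following Python script does by hand what the Wireshark middle & bottom panels show for the frame table of step 11 & the address/ICMP tables of the two steps above: it splits a frame into the Ethernet II (or IEEE 802.3) header, the IPv4 header & the ICMP echo message, recovers type, code, checksum, identifier, sequence number & payload, & verifies both checksums the way the receiver does. The frame it decodes is constructed in the script, not captured; the MAC addresses, the IP identification value & the zeroed 8-byte timestamp at the start of the payload are assumptions, while the addresses 192.168.1.26 & 192.168.1.29 are the Work Area 1 values from step 4.

```python
"""Decode a captured Ethernet frame down to its ICMP Echo fields and verify both
Internet checksums. Added example, not part of the lab; the sample frame below is
constructed here, not captured."""
import struct

ETH_HDR_LEN = 14          # dst MAC(6) + src MAC(6) + Type/Length(2); no preamble/SFD/FCS in a capture
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's-complement sum of 16-bit words.
    Over a block that already contains a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fmt_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_echo_request(src_mac, dst_mac, src_ip, dst_ip, ident, seq, payload, ttl=64, ip_id=0x1234):
    """Assemble Ethernet II / IPv4 / ICMP Echo Request with valid checksums (sample input only)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0x4000, ttl, IPPROTO_ICMP, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
               + struct.pack("!H", ETHERTYPE_IPV4))
    return eth_hdr + ip_hdr + icmp


def decode_frame(frame: bytes) -> dict:
    """Return the per-layer fields of the lab tables; stops at the first layer it cannot interpret."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, type_or_len = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    out = {"dst_mac": fmt_mac(dst_mac), "src_mac": fmt_mac(src_mac), "type_or_length": type_or_len}
    if type_or_len <= 1500:
        # IEEE 802.3: the field is a payload length and an LLC header (DSAP, SSAP, control) follows
        out["link"] = "IEEE 802.3"
        if len(frame) >= ETH_HDR_LEN + 3:
            dsap, ssap, ctrl = frame[ETH_HDR_LEN:ETH_HDR_LEN + 3]
            out["llc"] = {"dsap": dsap, "ssap": ssap, "control": ctrl}
        return out
    out["link"] = "Ethernet II"              # values >= 0x0600 are EtherTypes
    if type_or_len != ETHERTYPE_IPV4:
        return out
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    out["ip"] = {"src": fmt_ip(ip[12:16]), "dst": fmt_ip(ip[16:20]), "ttl": ip[8], "protocol": ip[9],
                 "total_length": total_len, "checksum": struct.unpack("!H", ip[10:12])[0],
                 "checksum_ok": inet_checksum(ip[:ihl]) == 0}
    if ip[9] != IPPROTO_ICMP or total_len - ihl < 8:
        return out
    icmp = ip[ihl:total_len]                 # slice to Total Length so Ethernet padding is excluded
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    out["icmp"] = {"type": typ, "code": code, "checksum": csum, "identifier": ident, "sequence": seq,
                   "payload": icmp[8:], "checksum_ok": inet_checksum(icmp) == 0,
                   "kind": {ICMP_ECHO_REQUEST: "Echo Request", ICMP_ECHO_REPLY: "Echo Reply"}.get(typ, "other")}
    return out


# Constructed sample: PC A (192.168.1.26) pinging PC D (192.168.1.29) with "-p ff".
# iputils ping puts an 8-byte timestamp first and fills the rest with the pattern;
# the timestamp is zeroed here and the MAC addresses are made up.
SAMPLE_PAYLOAD = bytes(8) + b"\xff" * 48
SAMPLE_FRAME = build_echo_request("00:11:22:33:44:aa", "00:11:22:33:44:dd",
                                  "192.168.1.26", "192.168.1.29", 0x1A2B, 1, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    info = decode_frame(SAMPLE_FRAME)
    print(info["link"], info["src_mac"], "->", info["dst_mac"])
    print(info["ip"]["src"], "->", info["ip"]["dst"], "IP checksum ok:", info["ip"]["checksum_ok"])
    print(info["icmp"]["kind"], "id=%#x seq=%d checksum ok: %s"
          % (info["icmp"]["identifier"], info["icmp"]["sequence"], info["icmp"]["checksum_ok"]))
    print("payload:", info["icmp"]["payload"].hex())
```

To use it on a real packet, select the echo request in Wireshark, copy the bottom panel as a hex stream (right-click, Copy, “...as a Hex Stream”) & pass bytes.fromhex() of it to decode_frame; the 14-byte Ethernet header Wireshark shows is where the parser starts, because the preamble, SFD & usually the FCS never reach the capture. A payload that does not read back as the pattern you gave ping, or a checksum that fails, is the kind of discrepancy the “Do these fields look okay?” question is asking about.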

D.  Report

1.  Type all your responses to the questions in the tables above including your observations & comments neatly. It will be better to delete the paragraphs that you do not need for your report.

2.  Make sure to power off all the devices, remove the cables & return them to the cabinet, & clean up your station.

3.  Submit your report by the due date.

AMK 10/11/2015