CIS 320 Etherpeek Lab

Name: ______Section #: ______Date: ______

CIS 320 – EtherPeek Lab

(Revised 11/12/2003)

This is a take home lab that must be done individually. In order for you to complete this lab, you must either use a lab computer that already has WildPackets’ EtherPeek and Visualware’s VisualRoute installed, or you can download and install the software on your home computer.

Purpose: This lab will give you experience with using network diagnosis tools and give you a better understanding of how networks operate in the real world. It will help expand and reinforce your knowledge of addressing schemes, protocols, encapsulation, and routing.

Procedure: It is preferable that you complete this lab on your home computer because the software will only be on a limited number of computers in the lab and you will be restricted to the hours of operation for that particular lab.

Part 1A – Installing Software:

When you finish downloading the following programs, you can click the “Open” button on the Download dialogue box to install the software. If you are working in HHS 2037, you will need to install the programs in the C:\Temp folder.

1. You can download VisualRoute v8.0a at:

http://www.visualware.com/personal/download/index.html

You can download the EtherPeek demo at:

http://www.wildpackets.com/products/demo_link_new/88814

(Select “HTTP Download”)

2. When you finish downloading both the VisualRoute and EtherPeek software, run the files and install them with the default settings. During the EtherPeek install you might get a screen titled “Select Adapter.” If you do, select your NIC.

Part 1B – Preparation

1. You must first take note of your computer’s MAC and IP address. Click the “Start” button, click “Run…” and then type cmd in the command line and click the “OK” command button. You should now be in a command prompt window. Type ipconfig /all and press Enter. In the data that displays in the command prompt window, you should see lines that say Physical Address and IP Address. Record both.

IP Address: ______MAC Address: ______

2. Important: Sections of this lab will require you to take screenshots when you are running WildPackets’ EtherPeek and Visualware’s VisualRoute trial programs. You can take a screenshot of the display on your monitor by pressing the PrintScrn button on your keyboard and then paste it into Microsoft Word or Paint by pressing Ctrl+V. It is recommended you use Word because images are easier to manage in Word and you can easily integrate them into the final deliverable for this lab.

Part 2 – Packet Routing and Network Statistics:

1. Start the VisualRoute program. Your screen should look similar to Figure 1.

Figure 1

2. Enter “www.jmu.edu” in the “Address” box and hit “Enter”. The program will start generating a real-time (traceroute) report for your computer to www.jmu.edu. The report records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer. It also calculates and displays the amount of time each hop took. After the report is finished, you should notice a crosshair appear on the map. The crosshair represents the geographical location of the “Address” you specified, in this case it is the location of James Madison University. Left-click the near the crosshair to zoom in on the map so you can get a more detailed view of the location, do this until the map displays the name of the state (Virginia in this case). Is this about where James Madison University would be located on a regular map?

3. Below the map you will notice a table with the columns: Hop, %Loss, IP Address, Node Name, Location, Tzone, ms, Graph, and Network. Hop number 0 in the table represents the starting location of your IP packets destined for www.jmu.edu. This is your local computer’s IP address. Compare it with the IP address you recorded from Part 1b, to make sure it matches. Each subsequent hop after 0 and before the final destination address represents routers your IP packets travel through to get closer to reaching its final destination. Write down the number of Hops it took for you to reach www.jmu.edu.

It took ______hops to reach www.jmu.edu.

4. %Loss means the percentage of IP packets that got dropped while in transit at that particular hop. For example, if you send ten packets to destination x and only 9 arrive, then the percent packet loss would be 10%. The most common cause for packet loss is usually caused by propagation effects, equipment malfunctions, and overloaded routers (most common). Write down the %loss (blank means 0% loss) for the final destination/hop, which should be www.jmu.edu.

Percent of packets lost: ______%

5. The last field that we will be concerned with in VisualRoute is ms. This is the amount of time (in milliseconds) that it takes for your IP packets to reach each hop (latency) and the final destination. Write down the total time it takes to reach www.jmu.edu.

It took ______milliseconds to reach www.jmu.edu.

6. The next step is to do a traceroute to www.yahoo.com. To do this, enter “www.yahoo.com” in the “Address” window and hit Enter. The program will start generating a real-time report from your computer to Yahoo! Once it finishes, you will have to zoom out on the map by right-clicking anywhere on the map so you can see the complete geographical path that your IP packets travel to reach Yahoo’s website. Alternatively, to reset the map, you may click “View” on the menu bar, then click “Reset map.” The geographical path is represented by the blue line that your IP packets take to reach the “Address” you specify. The geographical location of the destination you are trying to reach is represented by a blue square at the end of the blue line. The blue line is a rough estimate and is not an exact representation.

7. If you look in the table you can see different “Node Names” at each hop, these are host names assigned to the routers. If a router cannot directly deliver an IP packet to its final destination then it will send the packet to a router who can get it closer to the final destination. This is what is happening between each hop until the packet can be directly delivered by a router that is on the same physical network as the destination machine.

8. Write down the number of hops, the %loss, ms, and the geographical location for www.yahoo.com Click on www.yahoo.com under “Node Name” to get the registered “post office address.” This will do a whois on the domain yahoo.com). Compare these values with the values you obtained from the www.jmu.edu report (traceroute). Do you notice any difference in %Loss, ms, geographical path, and number of hops?

For Yahoo.com:

%Loss: _____

Milliseconds (ms): ______

Geographic location: ______

______

______

______

9. Now generate a new report (traceroute) for a website that interests you besides www.jmu.edu or www.yahoo.com. After the report finishes, take a screenshot of the map showing the entire geographical path that your IP packets take to reach the website (use the mouse buttons to zoom in/out). Save this screenshot in a file and print it out. Now click the “Snap text” button () in the upper right hand corner of the screen. Print this traceroute report out. You will have to turn this and the screenshot in.

Part 3 – EtherPeek

1. Start the EtherPeek Demo and select “OK” when the demo information appears. Once you start the program you might get a screen titled “Select Adapter.” If you do, select the NIC card that’s in your computer. Close the “Start Page” window once you are in the EtherPeek Demo program.

2. Read this entire step before taking any action. Once you’re in the program, select “Start Capture” under “Capture” in the menu bar (or press Ctrl+Y). Click “OK” through the “Capture Options” window. Before you start recording packets, open up your web browser (Internet Explorer or Netscape). Now arrange the desktop so you can easily task switch between EtherPeek and your web browser window (Hint: You can press Alt+Tab to switch between applications or you can tile the windows horizontally.) You should enter the website that you used for Part 2 step 9 into your web browser. Next, click “Start Capture” (Figure 2) and quickly switch back to your web browser and click “Refresh”. This will start capturing all the network messages that are seen by your NIC.

Figure 2:

3. After a few seconds (30 at most) a window will pop up saying that the capture has been stopped. Just click “OK.” You should now see several items populated in the capture window. If you are successful in capturing messages from the webpage, you will see your IP address (or computer.jmu.edu) and the HTTP protocol associated with different Packet numbers (You may have to scroll down to find these). If you can’t find these messages then you need restart the EtherPeek program and make sure you click “Refresh” right after you start the capture process.

4. Click on the “Protocol” tab. This screen displays protocol information of the capture and their percentage with regards to other protocols. You can right-click on a protocol and then select “Protocol Info…” to get a description of the protocol.

5. Click on the “Packets” tab. Now select “Find Pattern” from the “Edit” menu and make sure “Find in:” is set to “Decoded Text”. Now enter “Hyper Text Transfer Protocol” in the “Find what:” field and click “Find Next”. Keep clicking “Find Next” until you find a “Packet” that has your IP address (or computer.jmu.edu) in either the “Source” or “Destination” fields with a “Size” greater than 300 and open it up by double clicking on it. You should now have a window (Figure 3) that displays information about a packet that was from your webpage access.

Figure 3

7) The bottom part of the window shows the packet in Hex on the left and with the corresponding ASCII translation (when possible) on the right. The top half of the window shows the “decoded” information. EtherPeek interprets the packet by trying to identify the protocols that are used by the packet, breaking it up into the corresponding fields, and decoding each field. Click on any of the red words on the top, and the corresponding part of the packet will be highlighted below in Hex and in ASCII to the right.

8) Click on “Destination” and then “Source” under “Ethernet Header” and write down the two MAC address’s, specifying which one belongs to your NIC.

Source MAC Address: ______(Your Nic? Yes ___ No ___ )

Destination MAC Address: ______(Your Nic? Yes ___ No ___ )

9) Now find the “IP Header – Internet Protocol Datagram” section and locate the “Source” and “Destination” IP Addresses. This is the “Internet” Layer, the same layer that Internet routers operate at. Click on both of these and take notice of their hex equivalent. Take a screen capture making sure to include the Hex part of the “Source” and “Destination” IP addresses. Print this screen capture out and circle the Hex representation of the Source and Destination IP Addresses inside the packet. Label them “Source” and “Destination”.

10) The “IP Header” is where routers extract the source and destination IP addresses from in order to determine where to send that packet (next hop). Routers use the netID portion of an IP address and match it to a value in their routing tables, to determine where packets should be sent to (next hop) for that netID. However, routers can base decisions on subnet masks when you have multiple networks inside one Class A, B, or C network address and even hostID’s (rarely used).

11) Answer the questions at the end of this document, and close the EtherPeek program.

Questions: (Complete these questions and hand them in for credit. Don’t forget to use a word processor!)

1.  Did the geographical path given by VisualRoute seem accurate? Why? Did you come across any situations where the program wasn’t able to provide a geographical path on the map?

2.  How does the VisualRoute report for www.jmu.edu differ from the report for www.yahoo.com? List three differences that you observed.

3.  Briefly describe what happened when you generated a report in VisualRoute. List the values that you found for Step 8 of the Lab. Describe the statistics generated by VisualRoute and explain what the statistics tell you. At a minimum, you should discuss %Loss, ms, and the number of hops.

4.  How do routers determine the next hop of an IP packet once they receive it?

5.  For the sake of simplicity, imagine that all Internet users in New York City connect to Router 1, all D.C. users connect to Router 2, and all L.A. users connect to Router 3 to access the Internet. Router 1 has connections to Router 2 and 3 and Router 2 has connections to Router 1 and 3. If a person located in New York is sending a file to a person in Washington D.C. over the Internet, is it possible some of the IP packets will travel from New York to Los Angeles to Washington D.C. instead of directly from New York to D.C.? Please explain why or why not? What factors might influence this decision?