
Lab 2


TCN2141 Computers Networks Lab 2- 2022

TCN2141 Computer Networks


Lab 2 (6 marks)

Important instruction: Print the lab sheet and submit it, with all solutions derived from the
lab experiment, to the tutors.

Lab 2
Part A: Understanding ARP (Address Resolution Protocol)

Note: Work in pairs with your neighbor. The bold characters are what you need to type.

2.1 Go to the command prompt and type

C:\> ipconfig /all

to get the IP address and MAC address of your PC. Write them down here:

IP address: _______________________
MAC address: ___________________________

2.2 Get the IP address of your neighbor by asking him/her.

2.3 Type

C:\> arp -a

and check if your neighbor's IP address is in the ARP entry.

2.4 Ping your neighbor's IP, e.g.

C:\> ping 10.100.10.2

After a successful ping, type

C:\> arp -a

and check if your neighbor's IP address is in the ARP entry.
Write down your friend's IP and MAC address.

IP address: _______________________ MAC address: ___________________________

2.5 Clear the ARP entry

Syntax: arp -d <IP_address>
E.g. C:\> arp -d 10.102.10.254

Part B: Using Wireshark™ to View Protocol Data Units

Learning Objectives

• Be able to explain the purpose of a protocol analyzer (Wireshark).
• Be able to perform basic PDU capture using Wireshark.
• Be able to perform basic PDU analysis on straightforward network data traffic.
• Experiment with Wireshark features and options such as PDU capture and display
filtering.

Background

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network
troubleshooting, analysis, software and protocol development, and education. Before June
2006, Wireshark was known as Ethereal.

A packet sniffer (also known as a network analyzer or protocol analyzer) is computer
software that can intercept and log data traffic passing over a data network. As data
streams travel back and forth over the network, the sniffer "captures" each protocol data
unit (PDU) and can decode and analyze its content according to the appropriate RFC or
other specifications.
Wireshark is programmed to recognize the structure of different network protocols. This
enables it to display the encapsulation and individual fields of a PDU and interpret their
meaning.
It is a useful tool for anyone working with networks and can be used with most labs in the
CCNA courses for data analysis and troubleshooting.
For information and to download the program go to - http://www.Wireshark.org

Scenario

To capture PDUs the computer on which Wireshark is installed must have a working
connection to the network and Wireshark must be running before any data can be captured.

When Wireshark is launched, the screen below is displayed.

To start data capture it is first necessary to go to the Capture menu and select the Options
choice.
The Options dialog provides a range of settings and filters which determine which and how
much data traffic is captured.

First, it is necessary to ensure that Wireshark is set to monitor the correct interface. From
the Interface drop down list, select the network adapter in use. Typically, for a computer
this will be the connected Ethernet Adapter.

Then other Options can be set. Among those available in Capture Options, the two
highlighted below are worth examination.

Setting Wireshark to capture packets in promiscuous mode

If this feature is NOT checked, only PDUs destined for this computer will be captured.

If this feature is checked, all PDUs destined for this computer AND all those detected by the
computer NIC on the same network segment (i.e., those that "pass by" the NIC but are not
destined for the computer) are captured.
Note: The capturing of these other PDUs depends on the intermediary device connecting
the end device computers on this network. As you use different intermediary devices (hubs,
switches, routers) throughout these courses, you will experience the different Wireshark
results.

Setting Wireshark for network name resolution

This option allows you to control whether or not Wireshark translates network addresses
found in PDUs into names. Although this is a useful feature, the name resolution process
may add extra PDUs to your captured data perhaps distorting the analysis.

There are also a number of other capture filtering and process settings available.

Clicking on the Start button starts the data capture process and a message box displays the
progress of this process.

As data PDUs are captured, the types and number are indicated in the message box.

The examples above show the capture of a ping process and then accessing a web page.

When the Stop button is clicked, the capture process is terminated and the main screen is
displayed.

This main display window of Wireshark has three panes.



Packet List Pane

Packet Details Pane

Packets Bytes Pane

The PDU (or Packet) List Pane at the top of the diagram displays a summary of each packet
captured. By clicking on packets in this pane, you control what is displayed in the other two
panes.

The PDU (or Packet) Details Pane in the middle of the diagram displays the packet selected
in the Packet List Pane in more detail.

The PDU (or Packet) Bytes Pane at the bottom of the diagram displays the actual data (in
hexadecimal form representing the actual binary) from the packet selected in the Packet List
Pane, and highlights the field selected in the Packet Details Pane.

Each line in the Packet List corresponds to one PDU or packet of the captured data. If you
select a line in this pane, more details will be displayed in the "Packet Details" and "Packet
Bytes" panes. The example above shows the PDUs captured when the ping utility was used
and http://www.Wireshark.org was accessed. Packet number 1 is selected in this pane.

The Packet Details pane shows the current packet (selected in the "Packet List" pane) in a
more detailed form. This pane shows the protocols and protocol fields of the selected
packet. The protocols and fields of the packet are displayed using a tree, which can be
expanded and collapsed.

The Packet Bytes pane shows the data of the current packet (selected in the "Packet List"
pane) in what is known as "hexdump" style. In this lab, this pane will not be examined in
detail. However, when a more in-depth analysis is required this displayed information is
useful for examining the binary values and content of PDUs.

The information captured for the data PDUs can be saved in a file. This file can then be
opened in Wireshark for analysis sometime in the future without the need to re-capture the
same data traffic again. The information displayed when a capture file is opened is the same
as the original capture.

When closing a data capture screen or exiting Wireshark you are prompted to save the
captured PDUs.

Clicking on Continue without Saving closes the file or exits Wireshark without saving the
displayed captured data.

Task 1: Ping PDU Capture

Step 1: After ensuring that the standard lab topology and configuration is correct, launch
Wireshark on a computer in a lab pod.
Set the Capture Options as described above in the overview and start the capture process.

From the command line of the computer, ping the IP address of another network-connected
and powered-on end device in the lab topology. In this case, ping the www.google.com
server (example) using the command ping ###.###.###.###.

After receiving the successful replies to the ping in the command line window, stop the
packet capture.

Step 2: Examine the Packet List pane.

The Packet List pane on Wireshark should now look something like this:

Look at the packets listed above; we are interested in packet numbers 6, 7, 8, 9, 11, 12, 14
and 15.

Locate the equivalent packets on the packet list on your computer.

If you performed Step 1A above, match the messages displayed in the command line window
when the ping was issued with the six packets captured by Wireshark.

From the Wireshark Packet List answer the following:

What protocol is used by ping? ________ _____________________

What is the full protocol name? _________

What are the names of the two ping messages? ______________


____________________________________

Are the listed source and destination IP addresses what you expected? Yes / No

Why? ___________________________________

Answers may vary- Yes, the source address is my computer and the destination is the Eagle
server

Step 3: Select (highlight) the first echo request packet on the list with the mouse.

The Packet Detail pane will now display something similar to:

Click on each of the four "+" to expand the information.

The packet Detail Pane will now be similar to:



As you can see, the details for each section and protocol can be expanded further. Spend
some time scrolling through this information. At this stage of the course, you may not fully
understand the information displayed but make a note of the information you do
recognize.

Locate the two different types of "Source" and "Destination". Why are there two types?

__________________________________________________________________

What protocols are in the Ethernet frame?

______________________________________

As you select a line in the Packets Detail pane all or part of the information in the Packet
Bytes pane also becomes highlighted.

For example, if the second line (+ Ethernet II) is highlighted in the Details pane the Bytes
pane now highlights the corresponding values.

This shows the particular binary values that represent that information in the PDU. At this
stage of the course, it is not necessary to understand this information in detail.
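
Added example (not part of the original lab sheet): a Python dissection of a constructed ping frame that reports, for each protocol line of the Details pane, the byte range the Bytes pane would highlight and the source/destination fields at that layer. The MAC addresses, the sender IP 10.100.10.1 and the IP ID are made-up sample values; the function names are this example's own.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(map(str, b))

def build_sample_frame() -> bytes:
    """Constructed echo request 10.100.10.1 -> 10.100.10.2 (not a real capture)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwabcdefghi"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                      bytes([10, 100, 10, 1]), bytes([10, 100, 10, 2]))
    iph = iph[:10] + struct.pack("!H", inet_checksum(iph)) + iph[12:]
    eth = bytes.fromhex("02000000000b02000000000a") + struct.pack("!H", 0x0800)
    return eth + iph + icmp          # Ethernet order on the wire: dst MAC, src MAC, type

def dissect(frame: bytes) -> list:
    """One (layer, offset, length, fields) entry per protocol, like the Details pane."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = [("Ethernet II", 0, 14, {"src": mac(src), "dst": mac(dst)})]
    ihl = (frame[14] & 0x0F) * 4 if len(frame) > 14 else 0
    if ethertype != 0x0800 or ihl < 20 or len(frame) < 14 + ihl:
        return layers                # not IPv4, or the IPv4 header is cut short
    iph = frame[14:14 + ihl]
    total_len = struct.unpack("!H", iph[2:4])[0]
    layers.append(("IPv4", 14, ihl, {"src": ip(iph[12:16]), "dst": ip(iph[16:20]),
                                     "checksum_ok": inet_checksum(iph) == 0}))
    icmp = frame[14 + ihl:14 + total_len]
    if iph[9] != 1 or len(icmp) < 8:
        return layers                # IP protocol field is not 1 (ICMP)
    kind = {8: "Echo (ping) request", 0: "Echo (ping) reply"}.get(icmp[0], f"type {icmp[0]}")
    layers.append(("ICMP", 14 + ihl, len(icmp), {"type": kind,
                                                "checksum_ok": inet_checksum(icmp) == 0}))
    return layers

if __name__ == "__main__":
    for name, off, length, fields in dissect(build_sample_frame()):
        print(f"{name:12} bytes {off}-{off + length - 1}: {fields}")
```

A header whose checksum verifies sums to zero under `inet_checksum`, which is why the parser compares the result with 0 instead of recomputing the stored field.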

Step 4: Go to the File menu and select Close.


Click on Continue without Saving when this message box appears.

Task 2: HTTP PDU Capture

Step 1: Start packet capture.


Assuming Wireshark is still running from the previous steps, start packet capture by clicking
on the Start option on the Capture menu of Wireshark.

Note: Capture Options do not have to be set if continuing from previous steps of this lab.

Launch a web browser on the computer that is running Wireshark.


Enter the URL of the Celcom server, www.celcom.com.my, or enter the IP address
203.82.70.248. When the webpage has fully downloaded, stop the Wireshark packet
capture. Or from CMD: start /max chrome.exe http://www.celcom.com.my

Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs
listed.
Locate and identify the TCP and HTTP packets associated with the webpage download.

Note the similarity between this message exchange and the FTP exchange.

Step 3: In the Packet List pane, highlight an HTTP packet that has the notation
"(text/html)" in the Info column.
In the Packet Detail pane click on the "+" next to "Line-based text data: html"
When this information expands what is displayed?
_____HTML code for the web page__________________________

Examine the highlighted portion of the Byte Panel.


This shows the HTML data carried by the packet.

When finished, close the Wireshark file and continue without saving.

Task 3: Investigate ARP and DNS packets as well

Step 1: What is the purpose of ARP?

Step 2: Describe the ARP message structure during the request and reply process.

Step 3: What is the purpose of DNS?

Step 4: Describe what the DNS message structure looks like during the request and reply process.

Solution: output may vary: Refer ARP and DNS function
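
Added example (not part of the original lab sheet): Python code that builds and parses a constructed ARP request and reply, exposing the fields of the ARP message and how the reply fills the table that `arp -a` displayed in Part A. The MAC addresses and the PC's IP 10.100.10.1 are made-up sample values, and `update_cache` is a simplified stand-in for the host's real ARP cache logic.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP
OPCODES = {1: "request", 2: "reply"}

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(map(str, b))

def build_arp(eth_dst, opcode, sha, spa, tha, tpa) -> bytes:
    """Constructed Ethernet II frame (EtherType 0x0806) carrying one ARP message."""
    eth = bytes.fromhex(eth_dst) + bytes.fromhex(sha) + struct.pack("!H", 0x0806)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                             bytes.fromhex(sha), bytes(spa), bytes.fromhex(tha), bytes(tpa))

def parse_arp(frame: bytes) -> dict:
    """Decode the 14-byte Ethernet header and the 28-byte ARP body (padding is ignored)."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    msg = {"eth_dst": mac(eth_dst), "eth_src": mac(eth_src), "opcode": OPCODES.get(op, str(op)),
           "sender_mac": mac(sha), "sender_ip": ip(spa),
           "target_mac": mac(tha), "target_ip": ip(tpa)}
    if op == 1:      # request: broadcast, target MAC still unknown (all zeros)
        msg["info"] = f"Who has {msg['target_ip']}? Tell {msg['sender_ip']}"
    elif op == 2:    # reply: unicast back to the requester
        msg["info"] = f"{msg['sender_ip']} is at {msg['sender_mac']}"
    else:
        msg["info"] = f"opcode {op}"
    return msg

def update_cache(cache: dict, msg: dict, my_ip: str) -> None:
    """Learn the sender's IP -> MAC mapping when the message is addressed to us (simplified)."""
    if msg["target_ip"] == my_ip:
        cache[msg["sender_ip"]] = msg["sender_mac"]

PC, NEIGHBOR = "02000000000a", "02000000000b"      # constructed MAC addresses
REQUEST = build_arp("ffffffffffff", 1, PC, [10, 100, 10, 1], "000000000000", [10, 100, 10, 2])
REPLY = build_arp(PC, 2, NEIGHBOR, [10, 100, 10, 2], PC, [10, 100, 10, 1])

if __name__ == "__main__":
    for f in (REQUEST, REPLY):
        print(parse_arp(f)["info"])
```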

Task 4: Reflection

Consider the encapsulation information pertaining to captured network data Wireshark can
provide. Relate this to the OSI and TCP/IP layer models. It is important that you can
recognize and link both the protocols represented and the protocol layer and encapsulation
types of the models with the information provided by Wireshark.

Task 5: Challenge

Discuss how you could use a protocol analyzer such as Wireshark to:

(1) Troubleshoot the failure of a webpage to download successfully to a browser on a
computer, and
(2) Identify data traffic on a network that is requested by users.

Answers could vary- Wireshark could show when request for a web page failed due to
incorrect URL. User traffic could be monitored to identify errors in source or destination.

Task 6: Cleanup
Unless instructed otherwise by your instructor, exit Wireshark and properly shut down the
computer.
