Lab 12 CN

Namal University Mianwali

Department of Computer Science

Lab Manual
Course CSC-251L- Computer Networks - Lab
Instructor Muzamil Ahmed
Session / Semester 2022-2026 (5th)

Lecture # 12
Name Zunaira Akbar
Reg # NUM-BSCS-2022-34

Lab Tasks

Task 1: Capturing Network Traffic CLO-1, CLO-2, CLO-3

1. Objective: Capture real-time network traffic on your system.


2. Steps:
o Open Wireshark and select an active network interface (e.g., Ethernet or Wi-Fi).
o Start capturing packets.
o Open a web browser and visit a website, send a ping command, or download a small
file to generate traffic.
o Stop the capture after 30–60 seconds.

3. Observations:
o Record the total number of packets captured.

A total of 1,034 packets were captured during the network analysis.

o Identify the most frequently used protocol in the capture.

The most frequently used protocol in the capture is ARP (Address Resolution Protocol), which is
evident from the numerous ARP requests and replies present in the packet list. ARP packets are used
for mapping IP addresses to MAC addresses within the local network.

o Describe any unusual activity or spikes in network traffic.

The captured network traffic reveals numerous repeated ARP requests for the same IP addresses,
particularly 172.16.17.121 and 172.16.14.161. This may indicate ARP spoofing, where an attacker
sends misleading ARP messages in order to intercept network traffic, or network congestion caused by
devices repeatedly trying to resolve the same addresses without success. Additionally, noticeable
spikes in DHCP requests towards the end of the capture suggest that devices are attempting to connect
to the network and obtain IP addresses from the DHCP server. While this behaviour can be normal,
frequent spikes may warrant further investigation into the DHCP server's configuration or the overall
stability of the network.
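The two ARP patterns described above (repeated unanswered requests for one address, and one address answered by more than one MAC) can be checked mechanically once the ARP columns are exported from Wireshark. The script below is an added example, not part of the lab or of Wireshark; its input is a constructed list of records in the shape of Wireshark's ARP summary columns, and every MAC address in it is made up.

```python
from collections import Counter, defaultdict

# Constructed sample in the shape of Wireshark's ARP columns:
# (sender MAC, opcode, sender IP, target IP). The two repeatedly queried
# addresses are the ones noted in the capture; every MAC here is made up.
SAMPLE_ARP = [
    ("aa:bb:cc:00:00:01", "request", "172.16.0.3",    "172.16.17.121"),
    ("aa:bb:cc:00:00:01", "request", "172.16.0.3",    "172.16.14.161"),
    ("aa:bb:cc:00:00:01", "request", "172.16.0.3",    "172.16.17.121"),
    ("aa:bb:cc:00:00:01", "request", "172.16.0.3",    "172.16.14.161"),
    ("aa:bb:cc:00:00:01", "request", "172.16.0.3",    "172.16.17.121"),
    ("aa:bb:cc:00:00:02", "reply",   "172.16.15.202", "172.16.0.3"),
    ("aa:bb:cc:00:00:09", "reply",   "172.16.15.202", "172.16.0.3"),
    ("aa:bb:cc:00:00:03", "request", "172.16.15.202", "172.16.0.3"),
    ("aa:bb:cc:00:00:04", "reply",   "172.16.0.3",    "172.16.15.202"),
]


def unanswered_requests(records, min_repeats=2):
    """Target IPs asked for at least min_repeats times that never sent a reply.

    Repeated, unanswered requests are the congestion / unreachable-host
    pattern described in the observation above."""
    asked = Counter()
    answered = set()
    for _mac, opcode, sender_ip, target_ip in records:
        if opcode == "request":
            asked[target_ip] += 1
        elif opcode == "reply":
            answered.add(sender_ip)
    return {ip: n for ip, n in asked.items()
            if n >= min_repeats and ip not in answered}


def conflicting_macs(records):
    """IPs claimed by more than one MAC in ARP replies.

    A single IP answered by two different hardware addresses is the classic
    indicator of ARP spoofing (or a genuine duplicate-address misconfiguration)."""
    claims = defaultdict(set)
    for mac, opcode, sender_ip, _target_ip in records:
        if opcode == "reply":
            claims[sender_ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def arp_report(records):
    """Combine both checks into one dictionary suitable for a lab write-up."""
    return {
        "unanswered": unanswered_requests(records),
        "conflicts": conflicting_macs(records),
    }


if __name__ == "__main__":
    for section, findings in arp_report(SAMPLE_ARP).items():
        print(section)
        for ip, detail in findings.items():
            print("  %-16s %s" % (ip, detail))
```

On the constructed sample, the two addresses from the capture show up as unanswered, and 172.16.15.202 is flagged because two different MACs answered for it. A real duplicate-address conflict produces the same signal as spoofing, so the MAC conflict is a prompt to look at the switch port or DHCP logs, not proof of an attack.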

Task 2: Analysing DNS Traffic CLO-1, CLO-2, CLO-3

1. Objective: Capture and analyse DNS traffic to understand the process of domain name
resolution.
2. Steps:
o Open Wireshark and start capturing on your active network interface.
o Open a browser and visit three different websites (e.g., example.com, bbc.com,
github.com).
o Stop the capture.
o Apply the filter dns in Wireshark to isolate DNS packets.

3. Observations:
o Identify the DNS query type (e.g., A, AAAA, or CNAME records).

The captured DNS queries primarily consist of A (Address) records, which map domain names to
their corresponding IPv4 addresses. There are also CNAME (Canonical Name) records present,
which provide aliases for domain names, and SOA (Start of Authority) records, which contain
administrative information about the domain.

o Note the IP addresses resolved for each domain.

For the domain dns.google, the resolved IP addresses are 8.8.8.8 and 8.8.4.4.

For assets.msn.com, the resolved IP addresses are 23.55.44.112 and 23.55.44.104, with CNAMEs
pointing to assets.msn.com.edgekey.net and e28578.d.akamaiedge.net.

The domain wpad.microsoft.com returned a "No such name" response, indicating that it does not
exist in the DNS records.

For crt.sectigo.com, the resolved IP addresses are 104.18.38.233 and 172.64.149.23, with a CNAME
pointing to crt.comodoca.com.cdn.cloudflare.net.

o Check for retransmitted DNS queries, if any.

There are instances of retransmitted DNS queries, particularly for the domain assets.msn.com. The
same query is sent multiple times, likely due to the initial response being delayed or not received.

o Compare the behaviour of cached and non-cached DNS responses.

The behaviour of cached responses can be inferred from the presence of multiple queries for the same
domain. For example, the queries for dns.google and assets.msn.com show that the client is
attempting to resolve these domains multiple times, which may indicate that the responses are not
being cached effectively.

In contrast, when a DNS response is received, it often includes multiple A records or CNAMEs,
suggesting that the DNS server is providing cached information to reduce lookup times for frequently
accessed domains.
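The query types and the retransmissions noted above are both visible in the DNS wire format: the 16-bit transaction ID and flags in the header, and the QTYPE in the question section. The following is an added example (not code from the lab) that builds minimal DNS messages, decodes the header and question, and flags a query that is repeated before any response carrying the same ID arrives. The capture it runs on is constructed in code; the domain names are two of those listed above and the transaction IDs are arbitrary.

```python
import struct

QTYPES = {1: "A", 5: "CNAME", 6: "SOA", 28: "AAAA"}


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, ending in 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype, response=False):
    """Minimal DNS message: 12-byte header plus one question.

    Flags are 0x0100 (standard query, recursion desired); a response sets
    the QR bit (0x8000) and, for this illustration, carries the same question
    section only."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_name(data, offset):
    """Decode labels starting at offset; follows a compression pointer (0xC0xx) if present."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_question(data):
    """Return txid, whether this is a response, and the first question's name and type."""
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    name, offset = parse_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {"id": txid, "response": bool(flags & 0x8000),
            "name": name, "qtype": QTYPES.get(qtype, "TYPE%d" % qtype)}


def find_retransmissions(packets):
    """Queries repeated (same id, name, type) before any response with that key arrived."""
    pending = set()
    repeated = []
    for pkt in packets:
        q = parse_question(pkt)
        key = (q["id"], q["name"], q["qtype"])
        if q["response"]:
            pending.discard(key)
        elif key in pending:
            repeated.append(q["name"])
        else:
            pending.add(key)
    return repeated


# Constructed capture: two of the domains from the observations; the
# assets.msn.com query is sent twice before its answer arrives.
SAMPLE_DNS = [
    build_query(0x1a2b, "assets.msn.com", 1),
    build_query(0x1a2b, "assets.msn.com", 1),
    build_query(0x1a2b, "assets.msn.com", 1, response=True),
    build_query(0x3c4d, "dns.google", 28),
    build_query(0x3c4d, "dns.google", 28, response=True),
]

if __name__ == "__main__":
    for pkt in SAMPLE_DNS:
        print(parse_question(pkt))
    print("retransmitted:", find_retransmissions(SAMPLE_DNS))
```

Wireshark's own "Retransmission" annotation uses the same idea, matching on transaction ID and question. Note that a resolver may legitimately reuse a name with a fresh ID after a timeout, so only an identical ID counts as a retransmission here.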

Task 3: ICMP Traffic Analysis CLO-1, CLO-2, CLO-3

1. Objective: Capture and analyse ICMP traffic to understand the role of ping in network
troubleshooting.
2. Steps:
o Start Wireshark on your network interface.
o Open a command prompt or terminal and execute the ping command for three
different IP addresses (e.g., your gateway, a DNS server, and a public website).

o Stop the capture.
o Apply the filter icmp in Wireshark.

3. Observations:
o Record the packet structure of ICMP Echo Request and Echo Reply messages.

ICMP Echo Requests:

Type: 8 (Echo Request)

Code: 0

Checksum: A value used for error-checking.

Identifier: A unique identifier for the request (e.g., 0x0001).

Sequence Number: A number that helps match requests with replies (e.g., seq=1/256).

TTL (Time to Live): Indicates the maximum number of hops the packet can take (e.g., ttl=128).

ICMP Echo Reply:

Type: 0 (Echo Reply)

Code: 0

Checksum: Same as the request for validation.

Identifier: Matches the request identifier.

Sequence Number: Matches the request sequence number.

TTL: Indicates the number of hops remaining (e.g., ttl=254).

o Observe the response times for each destination.

172.16.0.3 (Local Gateway):
Response times: 4ms (minimum), 6ms (maximum), average: 4ms.

8.8.8.8 (Google Public DNS):
Response times: 40ms (consistent for all replies).

www.google.com (142.250.181.68):
Response times: 43ms (minimum), 45ms (maximum), average: 44ms.

o Note any dropped packets or unusual latency.

Dropped Packets:

There was 0% packet loss for all destinations, indicating that every sent packet received a reply.

Unusual Latency:
The response times for the local gateway (4-6ms) are very low, indicating a quick response. The
public DNS (40ms) and Google website (43-45ms) responses are higher but still reasonable for
external requests. No significant latency issues were observed.

o Reflect on how ICMP helps in network diagnostics.

ICMP (Internet Control Message Protocol) is an essential tool for network diagnostics, primarily
using the ping command. It enables users to check connectivity by sending Echo Requests and
receiving Echo Replies, which confirms whether a device is reachable. Additionally, it measures
response times, providing insights into the speed and performance of the network connection. If
packets are lost or response times are high, it can indicate potential issues such as network congestion,
misconfigurations, or connectivity problems. Overall, ICMP assists in troubleshooting by helping to
identify where issues may exist, whether within the local network or with external connections.
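The Echo Request / Echo Reply structure recorded above (type, code, checksum, identifier, sequence number) is small enough to build and decode by hand, which also shows how ping derives its loss and round-trip figures. The script below is an added example, not part of the lab: it computes the RFC 1071 checksum, matches replies to requests by identifier and sequence number, and treats a reply that fails the checksum as if it never arrived. The capture it analyses is constructed in code, with made-up timestamps in milliseconds.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b"abcdefghijklmnop"):
    """Type, code 0, checksum, identifier, sequence, then the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt):
    """Decode the 8-byte ICMP header; checksum_ok is True when the whole message sums to zero."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(pkt) == 0}


def ping_stats(capture):
    """capture: list of (timestamp_ms, icmp_bytes), as a ping run would appear in Wireshark.

    Replies are matched to requests by (identifier, sequence); a request with
    no valid reply counts as lost, which is how ping reports packet loss."""
    outstanding = {}
    rtts = []
    for ts, pkt in capture:
        p = parse_echo(pkt)
        if not p["checksum_ok"]:
            continue  # corrupted packet: ignore it rather than trust its fields
        key = (p["id"], p["seq"])
        if p["type"] == ECHO_REQUEST:
            outstanding[key] = ts
        elif p["type"] == ECHO_REPLY and key in outstanding:
            rtts.append(ts - outstanding.pop(key))
    lost = len(outstanding)
    sent = lost + len(rtts)
    return {
        "sent": sent, "lost": lost,
        "loss_pct": round(100.0 * lost / sent, 1) if sent else 0.0,
        "min": min(rtts) if rtts else None,
        "max": max(rtts) if rtts else None,
        "avg": sum(rtts) / len(rtts) if rtts else None,
    }


def _corrupt(pkt):
    """Flip the last payload byte so the checksum no longer verifies."""
    damaged = bytearray(pkt)
    damaged[-1] ^= 0xFF
    return bytes(damaged)


# Constructed capture: three requests with identifier 0x0001;
# seq 1 and 2 are answered, seq 3's reply arrives corrupted.
SAMPLE_PING = [
    (0,    build_echo(ECHO_REQUEST, 0x0001, 1)),
    (4,    build_echo(ECHO_REPLY,   0x0001, 1)),
    (1000, build_echo(ECHO_REQUEST, 0x0001, 2)),
    (1006, build_echo(ECHO_REPLY,   0x0001, 2)),
    (2000, build_echo(ECHO_REQUEST, 0x0001, 3)),
    (2005, _corrupt(build_echo(ECHO_REPLY, 0x0001, 3))),
]

if __name__ == "__main__":
    print(ping_stats(SAMPLE_PING))
```

Verifying a received message by checksumming it whole (header, checksum field and payload) and expecting zero is the same trick the kernel uses; a reply's checksum differs from the request's because the type byte differs, even though the identifier, sequence and payload are echoed back unchanged.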

Task 4: Analysing FTP Traffic CLO-1, CLO-2, CLO-3

1. Objective: Observe the behaviour of FTP (File Transfer Protocol) traffic in a controlled
environment.
2. Steps:
o Start Wireshark on your local network interface.
o Use an FTP client (e.g., FileZilla) to connect to a public FTP server (e.g.,
ftp.dlptest.com).
o Log in using the credentials provided by the server, download a file, and upload a
file.

o Stop the capture.
o Use the filter ftp in Wireshark.

3. Observations:
o Identify the FTP control and data channel traffic.

Connection Establishment:

Response: 220 Welcome to the DLP Test FTP Server

Request: OPTS UTF8 ON

Response: 200 Always in UTF8 mode.

Login Commands:

Request: USER dlpuser

Response: 331 Please specify the password.

Request: PASS rNrKYTX9g7z3RgJRmxWuGHbeu

Response: 230 Login successful.

Data Channel Traffic:

The data channel is used for transferring files. This traffic can be identified by commands
like RETR (retrieve) and STOR (store).

Request: RETR upload.txt (indicating a request to download the file)

Response: 150 Opening BINARY mode data connection for upload.txt (102400 bytes).

Response: 226 Transfer complete. (indicating the successful transfer of the file)

Request: STOR upload.txt (indicating a request to upload the file)

Response: 150 Ok to send data.

o Observe login credentials and file transfers (note that FTP traffic is unencrypted).

Login Credentials:

Request: USER dlpuser

Request: PASS rNrKYTX9g7z3RgJRmxWuGHbeu

This highlights the lack of encryption in FTP, making it vulnerable to interception.

File Transfers:

For the download of upload.txt, you see:

Response: 150 Opening BINARY mode data connection for upload.txt (102400 bytes).

Response: 226 Transfer complete.

For the upload of upload.txt, you see:

Response: 150 Ok to send data.

Response: 226 Transfer complete.

The sizes of the files being transferred (e.g., 102400 bytes) are also noted.

o Reflect on the security risks of using FTP versus secure alternatives like SFTP or
FTPS.

FTP transmits data, including login credentials, in plain text, making it vulnerable to
eavesdropping and man-in-the-middle attacks, where attackers can intercept and read
the transmitted data. Without encryption, sensitive information can be easily captured
by malicious actors on the same network or through compromised routers, posing
significant security risks.
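Because the FTP control channel is plain text, the same exposure the task demonstrates in Wireshark can be turned into a detection: anything that sees the traffic can pull the USER/PASS pair out. The script below is an added example, not part of the lab, that walks a control-channel transcript, records each plaintext login attempt (with the password length only, never the value) and pairs RETR/STOR commands with their 150/226 responses. The transcript is constructed from the response codes recorded above; the password in it is a made-up placeholder, not the server's real credential.

```python
import re

# Constructed FTP control-channel transcript modelled on the capture above.
# "C:" is client -> server, "S:" is server -> client. The password is a placeholder.
SAMPLE_FTP = """\
S: 220 Welcome to the DLP Test FTP Server
C: OPTS UTF8 ON
S: 200 Always in UTF8 mode.
C: USER dlpuser
S: 331 Please specify the password.
C: PASS example-password
S: 230 Login successful.
C: RETR upload.txt
S: 150 Opening BINARY mode data connection for upload.txt (102400 bytes).
S: 226 Transfer complete.
C: STOR upload.txt
S: 150 Ok to send data.
S: 226 Transfer complete.
"""

SIZE_RE = re.compile(r"\((\d+) bytes\)")


def analyze_ftp(transcript):
    """Return plaintext credential sightings (password redacted) and the file transfers seen."""
    findings = {"plaintext_credentials": [], "transfers": []}
    user = None
    pending = None  # the RETR/STOR still waiting for its 226 (or error) response
    for line in transcript.splitlines():
        direction, _, text = line.partition(": ")
        if direction == "C":
            cmd, _, arg = text.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
            elif cmd == "PASS":
                # Record that a password crossed the wire, but never store it.
                findings["plaintext_credentials"].append(
                    {"user": user, "password": "<redacted, %d chars>" % len(arg)})
            elif cmd in ("RETR", "STOR"):
                pending = {"command": cmd, "file": arg, "bytes": None, "status": None}
                findings["transfers"].append(pending)
        elif direction == "S" and pending is not None:
            code = text[:3]
            if code == "150":
                m = SIZE_RE.search(text)
                if m:
                    pending["bytes"] = int(m.group(1))
            elif code == "226":
                pending["status"] = "complete"
                pending = None
            elif code[:1] in "45":  # 4xx transient / 5xx permanent failure
                pending["status"] = "failed " + code
                pending = None
    return findings


if __name__ == "__main__":
    result = analyze_ftp(SAMPLE_FTP)
    for cred in result["plaintext_credentials"]:
        print("plaintext login:", cred)
    for xfer in result["transfers"]:
        print("transfer:", xfer)
```

The same parser produces nothing on an FTPS session (the control channel is TLS after AUTH TLS) or on SFTP (SSH), which is exactly the difference the reflection above is pointing at: with the secure alternatives an observer on the path sees neither the credential nor the file names.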

Task 5: DHCP Traffic Analysis CLO-1, CLO-2, CLO-3

1. Objective: Capture and analyse DHCP (Dynamic Host Configuration Protocol) traffic during
an IP address lease.
2. Steps:
o Open Wireshark and start capturing on your local network.
o Disconnect and reconnect to your network to initiate a DHCP process.
o Stop the capture.
o Apply the filter dhcp in Wireshark.

3. Observations:
o Identify the DHCP Discover, Offer, Request, and Acknowledge packets.

DHCP Discover:

The first packet in your capture is a DHCP Request from 0.0.0.0 to 255.255.255.255:

This packet indicates that the client is looking for a DHCP server to obtain an IP address.

DHCP Offer:

The second packet is a DHCP Acknowledge from 172.16.0.3 to 172.16.15.202:

This packet indicates that the DHCP server (with IP 172.16.0.3) is acknowledging the request and
offering an IP address to the client.

DHCP Request:

The DHCP Request packet is indicated by the first packet you provided, which is the client's request
for an IP address.

DHCP Acknowledge:

The packet with the DHCP ACK indicates that the server has confirmed the assignment of the IP
address to the client.

DHCP NAK:

The packets with DHCP NAK indicate that the DHCP server is denying the request for an IP address:

This suggests that the server is unable to fulfill the request for the specified transaction IDs.

o Record the IP address assigned to your device and the lease duration.

The assigned IP address is indicated by the DHCP ACK packet from 172.16.0.3, which confirms that
the server has allocated an IP address to the client; however, the specific address is not explicitly
mentioned in the provided packets. Typically, the assigned IP address can be found in the details of
the DHCP Offer or ACK packet. Additionally, the lease duration, which specifies how long the IP
address is valid, is usually included in the DHCP Offer or ACK packet as well. If this information is
not visible in the provided data, it can be checked in the full details of the DHCP ACK packet within
Wireshark.

o Reflect on the role of DHCP in automating IP configuration.

DHCP automates the assignment of IP addresses to devices on a network, removing the need for
manual configuration. When a device connects, it sends a DHCP Discover packet to find a DHCP
server, which responds with an Offer. The device then requests the offered IP address, and the server
acknowledges this request, completing the lease process. This automation simplifies network
management, minimizes the risk of IP address conflicts, and allows devices to join the network
seamlessly. Additionally, DHCP supports dynamic IP address allocation, making it especially
beneficial in environments where devices frequently connect and disconnect.
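The Discover / Offer / Request / Acknowledge exchange described above, together with the two fields the task asks for (the assigned address in yiaddr and the lease time in option 51), can be pulled out of the raw DHCP messages directly. The script below is an added example, not part of the lab: it builds minimal BOOTP/DHCP messages, decodes the header and options, groups messages by transaction ID and reports whether each client completed the four-step sequence. The sample exchange is constructed in code; it reuses the server and client addresses from the observations, while the lease duration and transaction IDs are made up.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
EXPECTED = ["DISCOVER", "OFFER", "REQUEST", "ACK"]


def _ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0", lease=None, server_id=None):
    """Minimal DHCP message: 236-byte BOOTP header, magic cookie, options, end marker."""
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, _ip_bytes(yiaddr), b"\0" * 4, b"\0" * 4)
    header += b"\0" * (236 - len(header))  # chaddr, sname and file left zeroed
    opts = bytes([53, 1, msg_type])  # option 53: DHCP message type
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)  # option 51: lease time
    if server_id is not None:
        opts += bytes([54, 4]) + _ip_bytes(server_id)  # option 54: server identifier
    return header + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(pkt):
    """Decode xid, yiaddr and the options a lab report needs (type, lease, server)."""
    _op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:  # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": xid,
        "type": MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN"),
        "yiaddr": yiaddr,
        "lease": struct.unpack("!I", options[51])[0] if 51 in options else None,
        "server": ".".join(str(b) for b in options[54]) if 54 in options else None,
    }


def lease_summary(packets):
    """Group by transaction ID, check the DORA order and report what each client ended up with."""
    by_xid = {}
    for pkt in packets:
        p = parse_dhcp(pkt)
        by_xid.setdefault(p["xid"], []).append(p)
    summary = {}
    for xid, msgs in by_xid.items():
        types = [m["type"] for m in msgs]
        final = msgs[-1]
        acked = final["type"] == "ACK"
        summary[xid] = {
            "sequence": types,
            "complete": types == EXPECTED,
            "assigned": final["yiaddr"] if acked else None,
            "lease_seconds": final["lease"] if acked else None,
            "server": final["server"],
        }
    return summary


# Constructed exchange: one full DORA lease from 172.16.0.3, and a second
# client whose REQUEST is refused with a NAK.
SAMPLE_DHCP = [
    build_dhcp(1, 0xAABB, 1),
    build_dhcp(2, 0xAABB, 2, "172.16.15.202", lease=86400, server_id="172.16.0.3"),
    build_dhcp(1, 0xAABB, 3),
    build_dhcp(2, 0xAABB, 5, "172.16.15.202", lease=86400, server_id="172.16.0.3"),
    build_dhcp(1, 0xCCDD, 3),
    build_dhcp(2, 0xCCDD, 6, server_id="172.16.0.3"),
]

if __name__ == "__main__":
    for xid, info in lease_summary(SAMPLE_DHCP).items():
        print(hex(xid), info)
```

Grouping on the transaction ID is what lets Wireshark line up the four messages of one lease; a REQUEST followed by NAK, as in the second transaction, matches the refused requests noted above and leaves the client without an address.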

Conclusion:
From this lab, we explored various aspects of network traffic analysis, focusing on DNS, ICMP, FTP,
and DHCP protocols. Using tools like Wireshark, we gained valuable insights into the operation and
packet structures of these protocols, as well as the risks associated with unencrypted traffic. We
emphasized the significance of automation in network management, particularly through DHCP,
which streamlines IP address allocation. Overall, the analyses conducted highlight the essential role of
network protocols in facilitating efficient and secure communication in contemporary networks.
