Lab 9 - Capture and Inspect protocols
School: Algonquin College | Course: 8182 | Subject: Industrial Engineering | Date: Feb 20, 2024 | 11 pages | Uploaded by JusticeScience13313
CST8182 - Lab 9: Layer 2, 3, 4 and 7 protocols
CST8182 – Networking Fundamentals Page 1/11
2022-11-17

What you will do:
Capture, inspect, and understand various PDUs.

Things that you will need to know or learn:
1. Topology of the existing lab infrastructure (i.e. how is everything hooked up? Done in lab.)
2. How the TCP 3-way handshake works and the operation of key fields & flags in the TCP header, i.e. sequence number, acknowledgement number, flags
3. Layer 4 port numbers for the layer 7 applications
4. How to use Wireshark to capture & filter network traffic (skill exercised during lab time)
5. How to identify key fields in a Wireshark capture: IP addresses, port numbers, transport layer header values, and application layer header and data fields (skill exercised by lab)

What you need to submit and when:
This lab must be done individually. You can ask your classmates for help if you want to, but be sure YOU understand in the end.
1. Complete the in-lab part of the exercise (see below) before the end of the lab period.
2. Complete the Lab 9 questions on Brightspace before the due date.
3. The mark for this lab will come entirely from the Lab 9 questions on Brightspace. (You can only get full marks if you were also present and actively participating in the lab.)

Required Equipment:
• USB memory stick to save results. You will need the results.

Notes:
• There will be questions based on your understanding of this material on your final exam.
• The marks associated with this lab are small. The marks associated with the mid-term exam are large.
• It is your responsibility to use your lab time to explore and learn.
• Make sure you can answer the questions in the lab because you actually understand the concepts. ASK QUESTIONS.
• The Lab PC firewall should be off for this lab. (The TFTP file won’t download with it on.)
Topology Diagram

This is the Internal network topology or layout. Although it may appear that the two routers serve no real purpose, they are included to provide multiple hops between client & server and allow a greater variety of configuration. Your computer is represented by one of the hosts at the bottom of the topology drawing. The other hosts represent the other computers in the lab. You should become very familiar with this topology so that you don't need to constantly flip back to it. Transcribe the IP addresses from the table below onto the diagram, with an IP address next to each device.

Addressing Table
Device        Interface       IP Address        Subnet Mask       Default Gateway
R1-ISP        S0/0/0          10.10.10.6        255.255.255.252   N/A
              Fa0/0           192.168.254.253   255.255.255.0     N/A
R2-Central    S0/0/0          10.10.10.5        255.255.255.252   N/A
              Fa0/0           172.16.255.254    255.255.0.0       N/A
Eagle Server  network         192.168.254.254   255.255.255.0     192.168.254.253
              test i/f        172.31.254.254    255.255.255.0     N/A
host          Realtek         172.16.254.XXX    255.255.0.0       172.16.255.254
              test interface  172.31.254.254
Protocols that you will be exploring in this lab:
ARP: Address Resolution Protocol = A Layer 2 protocol that is used to find an unknown MAC address when the IP address is known.
TCP: Transmission Control Protocol = Connection oriented “reliable” layer 4 protocol with flow control and ordered data reconstruction.
UDP: User Datagram Protocol = Connectionless “unreliable” layer 4 protocol with NO flow control or data reconstruction.
DNS: Domain Name System = A Layer 7 protocol that is used to resolve host names to IP addresses. Example: www.google.com = 173.194.43.82
FTP: File Transfer Protocol = A Layer 7 protocol used for interactive file transfer between systems.
TFTP: Trivial File Transfer Protocol = Layer 7 protocol used for connectionless transfer of files between systems.
HTTP: Hypertext Transfer Protocol = Layer 7 protocol that transfers the files that make up the web pages of the World Wide Web.
DHCP: Dynamic Host Configuration Protocol = A layer 7 protocol used to automatically assign an IP address, subnet mask, default gateway, and DNS server addresses to a host.

Task 0: Viewing DNS entries
1. Connect your PC to the Eagle-Server network.
2. Make sure your PC is set to receive all layer 3 addressing from a DHCP server.
3. Release and renew your IP address. Verify your IP is in the correct network.
4. Open a command prompt and clear your DNS entries by typing: ipconfig /flushdns
   You are doing this to force your PC to make a DNS query.
5. Type ipconfig /displaydns to show your DNS entries. As you just flushed the DNS entries, there should be none. (There may be a couple of persistent entries.)
6. Ping eagle-server (by the host name, not by IP address): ping eagle-server.example.com
7. Type ipconfig /displaydns to show your DNS entries again. As you just used ICMP to test your connection to the eagle-server using the host name rather than the IP address, you should now see a DNS entry for the eagle-server. Look for “A (Host) Record”.
READ ALL OF THE INSTRUCTIONS FOR EACH TASK BEFORE STARTING THE TASK

This lab is divided into two sections. 1st you will get the required Wireshark captures. Once you have them all, you will then go back and examine the captures. You are doing this so you can explore the captures on your own laptop if you run out of time.

PART I – Capture the required traffic

Task 1: Capture ARP and DNS Operations using Wireshark
1. Create a batch file that will flush your DNS cache and then ping the Eagle-Server by its hostname. Suggested batch file (the notes in parentheses describe each line and are not part of the file):
   arp -d                          (clears ARP cache)
   ipconfig /flushdns              (clears DNS cache)
   arp -a                          (views that the ARP cache is clear)
   ipconfig /displaydns            (views that the DNS cache is clear)
   ping eagle-server.example.com   (pings eagle server by name)
   arp -a                          (views new ARP cache entry)
   ipconfig /displaydns            (views new DNS cache entry)
   pause                           (READ THE OUTPUT)
2. Start a new Wireshark capture.
3. With the Wireshark capture running, run your batch file.
4. Stop the Wireshark capture and save your captured data as: Lab9-1 ARP and DNS.pcapng
   You will need to find your capture files later. (You should save directly to your USB key/drive.)
5. Take a moment to look over the output that resulted from running the batch file. Make sure there were no errors. Does the output make sense?
6. Open your capture file and filter to show only ARP and DNS traffic (arp || dns).
   6.1. Can you see your ARP request and the corresponding reply?
   6.2. Can you see your DNS query and the corresponding reply?
   If you see the above information, close your capture and continue. Otherwise, repeat the task. Ask for help if you need to.
Task 2: Capture TFTP traffic using Wireshark
1. Still using the Eagle Server network, start another (new) Wireshark capture.
2. AFTER starting a new Wireshark capture, use TFTP to download a file (no spelling mistakes allowed!). NOTE that no account or password is required for TFTP. It is very insecure!
3. From a command prompt, type the following (carefully!!!): tftp eagle-server.example.com get s1-central
4. Once the transfer is complete, stop the Wireshark capture and save your capture data as Lab9-2 TFTP.pcapng.
5. Filter your capture for TFTP (tftp).
   5.1. You should see a total of 15 TFTP packets.
   If you see the tftp packets, close your capture and continue. Otherwise, repeat the task. Ask for help if you need to.
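The packet count in step 5.1 and the TFTP questions in Part II (block size, overhead, how the client recognises the last block) all come down to how a TFTP transfer is framed. The following Python script is an added example, not part of the lab handout: it builds a constructed TFTP DATA frame (made-up MAC addresses and a made-up host address standing in for 172.16.254.XXX; the server address is the Eagle Server's from the addressing table), decodes it layer by layer the way Wireshark's detail pane does, and works out blocks, per-block overhead and the end-of-transfer rule from RFC 1350.

```python
"""Added example (not part of the lab handout): decode a constructed TFTP DATA
frame layer by layer, the way Wireshark's detail pane does, and account for the
bytes behind the TFTP questions in Part II (block size, overhead, final block)."""
import socket
import struct

ETH_HDR, IP_HDR, UDP_HDR, TFTP_HDR = 14, 20, 8, 4   # header sizes in bytes
TFTP_BLOCK = 512                                     # default TFTP block size (RFC 1350)
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
ETH_SAMPLE = bytes.fromhex("aabbcc000002" "aabbcc000001" "0800")  # constructed dst MAC, src MAC, IPv4

def build_tftp_data_frame(block, payload, sport=40000, dport=50000,
                          src_ip="192.168.254.254", dst_ip="172.16.254.10"):
    """Constructed sample frame: Ethernet II + IPv4 + UDP + TFTP DATA, server to host.
    The host address stands in for 172.16.254.XXX; IP/UDP checksums are left at 0.
    Only the RRQ goes to port 69; DATA comes from a server-chosen transfer ID (TID)."""
    tftp = struct.pack("!HH", 3, block) + payload            # opcode 3 = DATA, block number
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(tftp), 0) + tftp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp  # proto 17 = UDP
    return ETH_SAMPLE + ip

def decode_frame(frame):
    """Peel off Ethernet, IPv4, UDP and TFTP headers and return the fields the
    lab asks you to read from the capture."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    if ip[9] != 17:
        raise ValueError("not UDP: TFTP never runs over TCP")
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    tftp = udp[UDP_HDR:ulen]
    opcode, block = struct.unpack("!HH", tftp[:TFTP_HDR])
    data = tftp[TFTP_HDR:]
    return {
        "dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": sport, "dst_port": dport,
        "opcode": OPCODES.get(opcode, opcode), "block": block,
        "data_len": len(data), "frame_len": len(frame),   # Wireshark's "Frame length" (no FCS)
        "overhead": len(frame) - len(data),               # Ethernet + IP + UDP + TFTP headers
        "last_block": opcode == 3 and len(data) < TFTP_BLOCK,
    }

def transfer_summary(file_size):
    """Blocks and TFTP packets needed to read a file: a DATA block shorter than 512
    bytes ends the transfer, so an exact multiple of 512 needs one extra, empty block."""
    blocks = file_size // TFTP_BLOCK + 1
    return {"blocks": blocks, "last_block_bytes": file_size % TFTP_BLOCK,
            "packets": 1 + 2 * blocks}               # RRQ + one DATA and one ACK per block
```

A full 512-byte block decodes to a 558-byte frame, so 46 bytes of every block are headers; compare that with the frame lengths in your own capture.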
Task 3: Capture HTTP traffic
1. Start another (new) Wireshark capture. DO NOT open the web page before starting the capture. Not even to test it. DO NOT use Microsoft Edge.
2. AFTER starting a new Wireshark capture, use the Chrome web browser to connect to http://eagle-server.example.com
3. Navigate to a second web page by entering the following URL: http://eagle-server.example.com/page2.html
4. Close the web browser, then stop the Wireshark capture. Save your capture data as Lab9-3 HTTP.pcapng.
5. Open your saved capture.
   5.1. Filter to show the captured http traffic. If your capture was successful, you should see:
   IF you don’t see this, clear your browser’s cache (history) and repeat the steps. Be sure to start the capture before you load the web page.
   5.2. If you see the http packets above, close your capture and continue. Otherwise, repeat the task. Ask for help if you need to. Remember, you need to clear the browser’s cache before you try again. Otherwise the webpage will be cached on your PC and you will not capture the required http traffic.

Task 4: Capture a DHCP exchange
1. Still using the Eagle Server network, start another (new) Wireshark capture.
2. With your Wireshark capture running, release and renew your IP Address. (2 commands) Do this with a batch file as well. Your capture will be cleaner.
3. Stop the Wireshark capture. Save your capture data as Lab9-4 DHCP.pcapng.
4. Filter for “dhcp” and examine what was captured. You should see (at least) a DHCP Discover, Offer, Request and Acknowledgement.
5. If you see the DHCP packets, close your capture and continue. Otherwise, repeat the task. Ask for help if you need to.

Task 5: Capture FTP communication
1. Still using the Eagle Server network, start another (new) Wireshark capture.
2. After starting your Wireshark capture, use WINDOWS EXPLORER (not a web browser) to connect to ftp://eagle-server.example.com (example below)
3. Within Windows Explorer, click on the directories until the URL includes: pub/eagle_labs/eagle1/chapter9
4. Save the following file by dragging it to your desktop: mac-address-table.pcapng (You do not need to keep this file afterwards. It is the capture you want.)
5. Stop the Wireshark capture. Save your capture as Lab9-5 FTP.pcapng.
   5.1. Filter for TCP (tcp).
   5.2. You should see some TCP, FTP, and FTP-DATA packets like the left column below.
   5.3. If you see the TCP, FTP and FTP-DATA packets, close your capture and continue. Otherwise, repeat the task. Ask for help if you need to.

You will need your capture files for the Lab9 questions on Brightspace. Make sure you have your own copies when you leave the lab.
[ ] Lab9-1 ARP and DNS.pcapng
[ ] Lab9-2 TFTP.pcapng
[ ] Lab9-3 HTTP.pcapng
[ ] Lab9-4 DHCP.pcapng
[ ] Lab9-5 FTP.pcapng
PART II – Inspect the captured traffic

Inspect your captured ARP & DNS traffic
1. Open your ARP and DNS capture file and filter to show only ARP and DNS traffic.
• Why did pinging the Eagle Server allow you to capture both ARP and DNS packets?
• Identify your ARP REQUEST and ARP REPLY
• Identify the DNS QUERY
  o Identify the source port: _______
  o Identify the destination port: ______
  o Does the layer 7 DNS protocol use TCP or UDP at layer 4? ______
• Identify the DNS RESPONSE
  o Identify the source port: ______
  o Identify the destination port: ______
• How was the source port chosen on the client? (It’s in the textbook – page 14.4.1)
• How was the destination port chosen on the server? (It’s in the textbook – page 14.4.3)
• What is the name of the DNS server that responded? (Expand the DNS response and read it.)

Inspect your captured TFTP traffic
1. Open your TFTP capture. Filter to show only tftp traffic.
2. Look at the layer 4 and layer 7 information.
• Which transport layer protocol was used for tftp?
  o Were there any acknowledgements at this layer?
• What were the source and destination ports? Why these ports?
• How many “blocks” of data were transferred?
• How did the client know when it had received the final block of data?
• How much data was in each block? (Except the last one. It’s not the same as the others.)
• How many bytes in total did it take to transfer each block? (Except the last one.)
• How much overhead did it take to transfer each block? (Total bytes minus the data.)
• Which application layer protocol was used?
  o Were there any acknowledgements at this layer?

Inspect your captured HTTP traffic
1. Open your HTTP capture file and filter for the layer 7 protocol, http.
• Which layer 4 protocol is used for http?
2. Change your filter so you see both http and the correct layer 4 traffic.
• Identify the 3 packets used for the 3-way handshake.
  o Can you find the flags that are set for each stage of the process?
  o Which flags are set for each stage?
• Can you find the packet where you requested the 1st web page? (GET /)
  o What were the source and destination ports?
  o Can you explain why these ports were used?
• Can you find the acknowledgement for that packet?
  o What were the source and destination ports?
  o Was the acknowledgment sent by the layer 4 or the layer 7 protocol?
• Can you find the packet where you requested the 2nd web page? (GET /page2.html)
• What were the source and destination ports?
  o Did the client use the same source port as it did for the 1st web page?
  o Is this the same layer 4 session, or a different one?
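The handshake and port questions above rest on a handful of TCP header fields. The following Python script is an added example, not part of the lab handout: it builds constructed 20-byte TCP headers (made-up client port 50000 and made-up sequence numbers; port 80 is HTTP's well-known port), decodes the flags the way Wireshark labels them, checks the SYN / SYN-ACK / ACK sequence and acknowledgement arithmetic, and tells whether two segments belong to the same layer 4 session.

```python
"""Added example (not part of the lab handout): decode the TCP header fields the
HTTP questions ask about (ports, sequence/acknowledgement numbers, flags), check a
constructed three-way handshake, and tell whether two segments share one session."""
import struct

TCP_HDR = 20                                   # header length without options
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
MASK32 = 0xFFFFFFFF                            # sequence numbers wrap at 2^32

def build_tcp_header(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header (no options, checksum left 0); flags is a set
    of names such as {"SYN", "ACK"}."""
    off_flags = (TCP_HDR // 4) << 12 | sum(FLAG_BITS[f] for f in flags)  # data offset + flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)

def decode_tcp(segment):
    """Return the header fields as Wireshark's TCP detail pane labels them."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:TCP_HDR])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": win,
            "hdr_len": (off_flags >> 12) * 4,
            "flags": {name for name, bit in FLAG_BITS.items() if off_flags & bit}}

def same_connection(a, b):
    """Two segments belong to the same layer 4 session (for one IP pair) when the
    port pair matches in either direction."""
    p, q = (a["src_port"], a["dst_port"]), (b["src_port"], b["dst_port"])
    return p == q or p == q[::-1]

def classify_handshake(segments):
    """Return ["SYN", "SYN-ACK", "ACK"] if the three decoded segments form a valid
    handshake: right flags at each stage, replies flow back on the same port pair,
    and each side acknowledges the other's SYN with its initial sequence number + 1.
    Otherwise return None."""
    if len(segments) != 3:
        return None
    syn, synack, ack = segments
    ok = (syn["flags"] == {"SYN"}
          and synack["flags"] == {"SYN", "ACK"}
          and (synack["src_port"], synack["dst_port"]) == (syn["dst_port"], syn["src_port"])
          and synack["ack"] == (syn["seq"] + 1) & MASK32
          and ack["flags"] == {"ACK"}
          and (ack["src_port"], ack["dst_port"]) == (syn["src_port"], syn["dst_port"])
          and ack["seq"] == (syn["seq"] + 1) & MASK32
          and ack["ack"] == (synack["seq"] + 1) & MASK32)
    return ["SYN", "SYN-ACK", "ACK"] if ok else None
```

In a real capture the client's ephemeral port and the server's port 80 stay the same for every segment of one session, which is what same_connection checks; the GET for page2.html either reuses that port pair or shows up on a fresh connection with a new client port.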
Inspect your captured DHCP traffic
1. Open your DHCP capture file and filter for dhcp.
• What is the source layer 2 address in the DHCP discover packet?
• What is the destination layer 2 address in the DHCP discover packet?
  o What type of address is this? (Unicast / Multicast / Broadcast?)
  o Why did your PC use that destination layer 2 address in the request? (Think… Does your PC know the address of the DHCP server?)
• What is the source layer 3 address in the DHCP discover packet?
  o Why did your PC use that as the source layer 3 address in the request?
• What is the destination layer 3 address in the DHCP discover packet?
  o What type of address is this? (Unicast / Multicast / Broadcast?)
  o Why did your PC use that as the destination layer 3 address in the request?
• Can you find the IP address that the server offered you in the DHCP offer packet?

When you get an IP address from a DHCP server, you get it for a certain amount of time. This is called a lease. Essentially, you borrow your IP address for a certain amount of time before you have to renew it. If the lease expires before you renew it, you could lose that IP address to another PC…
• How long is the lease that your PC was offered?
• How long will your PC wait until it renews the lease?
• Does it wait until the lease expires to renew?
• What other information is being offered in the lease? (explore)

Inspect your captured FTP traffic
1. Open your FTP capture file.
2. FTP is different than many other protocols. It uses one port to control the session, and another port to actually transfer data.
3. Filter your captured data to show the FTP transactions (filter is “ftp”) and examine what you see. Look at the “info” column. You should see FTP control information, lots of requests and responses.
• What were the layer 4 source and destination ports?
• Can you find the packets where the username was requested and then sent?
• Can you find the packet where the client requested the SIZE of the file that you downloaded? (What was the name of the file?)
  o How about the response to that request? How many bytes is the file?
  Easier way to find it:
    Click the “Edit” menu
    Click “Find Packet”
    Click the “String” radio button
    Type the file name in the filter box (or try the word “SIZE”)
    Under “Search In” click the “Packet List” radio button
    Click “Find”
4. Filter your capture to see the actual data transfers. (Filter is “ftp-data”.) Examine what you see.
• What were the source and destination layer 4 ports that were used to transfer the data? (Notice that they were different than the ones used for the control information.)
5. Which layer 4 protocol does ftp use? Filter for that protocol and examine what you see.
• Do you see the ftp control packets? (You should.)
• Do you see the ftp-data packets? (You should.)
• Do you see acknowledgements at layer 4? (You should.)
• Why do you see all of the ftp, ftp-data, and acknowledgements when you filter for the layer 4 protocol???
• Most of the packets that transported the file were the same size – all but the last one.
• Does that make sense to you? (It should.)
Checkpoint: There are no checkpoints for this lab. You got the in-lab portion of the mark for being here and doing the work. It was your responsibility to take the time to explore, ask questions and learn.

You will need your capture files for the Lab9 questions on Brightspace. Make sure you have your own copies when you leave the lab.
[ ] Lab9-1 ARP and DNS.pcapng
[ ] Lab9-2 TFTP.pcapng
[ ] Lab9-3 HTTP.pcapng
[ ] Lab9-4 DHCP.pcapng
[ ] Lab9-5 FTP.pcapng
If you have at least 30 minutes left in the lab class, you should start the lab 9 questions on Brightspace now. Once you begin, you will have 24 hours to complete the questions.