ITE James Madison University Wireshark Monitor Simple Protocols Lab Report
Wireshark monitor TCP/IP traffic

Protocol Analysis: Capturing Packets

Assignment: Wireshark monitor TCPIP traffic.pdf

Objectives

This lab will introduce you to “packet sniffing,” a method by which we can capture packets being sent between computers as they communicate. As a network administrator you can use this method to help evaluate the performance of your network by identifying bottlenecks and slower performing servers or sections of your network. You can also use it to check the security of your network.

Overview & Prerequisites

You will first install a program called Wireshark. This is an open source application freely available on the Internet that allows you to capture packets as they appear at the network adaptor card. This means that you will be able to see all header information on the packet from each of the OSI layers. (Normally these headers are stripped off so that the only portion remaining is the data payload.) You will use the software to view complete packets and locate each layer’s header, from the physical layer to the application layer. Doing so will help you to better understand network traffic and identify things that are “out of order.” Using this program you will:

- Analyze simple protocols and learn about the software interface and the information it contains;
- Observe, analyze and reconstruct specific packet interchanges between a computer and a server.

For this lab, you will need a single computer with an Internet connection. (An optional FTP part is given for those who want to try it.)

Directions

To obtain the software that you will use for this lab, go to www.wireshark.org and download it to your workstation. Once downloaded, you can install the software and accept all defaults. The program includes a helper program called WinPcap, which will install after Wireshark is installed.

Part 1: Analyzing simple protocols

After you have installed Wireshark, start the program. The initial screen will resemble Figure 1.
Notice that your local interface is listed (if you have multiple interfaces, you may see more than one entry; the names may vary). You can click the interface and press “Start” to begin packet capture. (Your interface may be different, depending upon Wireshark version.)

Figure 1: Wireshark Packet Capture Options (callouts: Network Interface, Start button)

Below the menu, the capture window is divided into three distinct areas. The top is a listing of all packets received, called the packet list pane; the middle provides the details of a packet selected in the packet list pane and is called the packet details pane; and the bottom, called the packet bytes pane, shows the hexadecimal details of the selected packet and will highlight its (selected) fields. Figure 2 illustrates this and shows some captured packets.

Figure 2: Wireshark (callouts: Packet List, Packet Details, Packet Bytes)

You can see in Figure 2 that multiple packets were captured and the first packet is selected in the packet list pane. In the packet details pane, you can see the Ethernet frame header, the IP header, the UDP header and finally the data payload, which indicates that this is a Bootstrap Protocol packet. The packet bytes pane shows the hexadecimal and ASCII equivalent of each packet at the bottom of the window. Selecting a field in the packet details pane will highlight the hex and ASCII portions of the packet in the packet bytes pane. Make a snapshot of this screen and post it in your Word document. (#1)

Go ahead and start a capture session and after receiving a few packets, stop the packet capture (from the Wireshark menu, select the “Capture” menu item, and choose the “Stop” command from the drop-down menu).

Find a TCP packet in the packet list pane and select it. In the packet details pane, click on the “+” next to the word “Frame.” When this part of the packet opens, you will see some summary information that Wireshark logs about every packet that it captures.
Now open each subsequent section of the packet beginning with “Ethernet II.” You should be able to find the portions of each packet corresponding to Figures 3a through 3c within the packet details section (though the sizes of each section may not always be apparent without closer examination).

Figure 3a: An Ethernet II Frame Layout
Figure 3b: The IP Header Layout
Figure 3c: The TCP Header Layout

Figure 3a includes 20 bytes that are processed in the hardware and will not be seen in the packet details pane. These are the preamble (7 bytes), the Start of Frame (1 byte), the Frame Check Sequence (FCS, 4 bytes), and the final Flag (8 bytes). Make a snapshot of this screen and post it to your Word document. (#2)

Part 2: Finding specific packet sequences

For this part you need a workstation that is connected to the Internet and one that receives its IP address from a DHCP server. (Normally you have this if you are connected to a service provider such as Comcast or Verizon.) You should have Wireshark installed on your workstation from Part 1. In Step 1 you will observe the packets required to make and break a connection.

Step 1: Observing a TCP connection

Ensure that your capture options are set as before and begin another capture session. After the capture session has begun, open a web browser on your workstation, allow the web page to finish loading, and then stop the packet capture session.

Look for the first three TCP packets in the packet list pane. TCP packets have a green background color (depending on your settings) and are easily recognized. These three packets should be listed as [SYN], [SYN, ACK] and [ACK]. This 3-packet interchange builds a connection between two computers. You should notice that the destination port for the [SYN] packet is 80, indicating a web request. The second two packets should provide you with a sequence/acknowledgement analysis. Make a snapshot of this screen and post it to your Word document.
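The following is an added worked example, not part of the original lab and not Wireshark's own code, that does in Python what you just did by hand in the packet details pane: it decodes the Ethernet II, IPv4 and TCP headers of Figures 3a to 3c from raw bytes, verifies the IPv4 header checksum, and labels a [SYN], [SYN, ACK], [ACK] exchange as in Step 1 while checking that the sequence and acknowledgement numbers line up the way Wireshark's sequence/acknowledgement analysis expects. The frames, MAC and IP addresses, ports and sequence numbers are all constructed for the example.

```python
"""Decode the Ethernet II, IPv4 and TCP headers of a captured frame (the layout
of Figures 3a-3c) and label a three-way handshake the way Wireshark's Info
column does ([SYN], [SYN, ACK], [ACK]).

Added example for this lab, not code from the assignment or from Wireshark.
The three frames are constructed by hand so the script runs offline; the MAC
and IP addresses, ports and sequence numbers are made up.
"""
import socket
import struct

# Wireshark's Info column lists set flags in this order, e.g. "[SYN, ACK]".
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Split one frame into the fields Wireshark shows in the packet details
    pane. Only Ethernet II + IPv4 (no options) + TCP (no options) is handled;
    anything else raises ValueError rather than guessing."""
    if len(frame) < 54:
        raise ValueError("frame too short for Ethernet/IPv4/TCP headers")
    # Ethernet II: 6-byte destination, 6-byte source, 2-byte EtherType. The
    # preamble, start-of-frame and FCS handled in hardware are not captured.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("EtherType 0x%04x is not IPv4" % ethertype)
    ip = frame[14:34]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _ip_csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip)
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 with a 20-byte header is handled")
    if checksum(ip) != 0:
        raise ValueError("IPv4 header checksum does not verify")
    if proto != 6:
        raise ValueError("IP protocol %d is not TCP" % proto)
    (sport, dport, seq, ack, off_flags, window,
     _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", frame[34:54])
    if off_flags >> 12 != 5:
        raise ValueError("TCP options are not handled in this example")
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
            "ttl": ttl, "total_len": total_len, "src_port": sport, "dst_port": dport,
            "seq": seq, "ack": ack, "flags": off_flags & 0x01FF, "window": window}


def flag_label(flags: int) -> str:
    """Info-column style label such as "[SYN, ACK]"."""
    return "[" + ", ".join(name for bit, name in TCP_FLAGS if flags & bit) + "]"


def check_handshake(frames) -> tuple:
    """Label three frames and confirm they form SYN / SYN-ACK / ACK between the
    same two endpoints with consistent sequence/acknowledgement numbers."""
    p = [parse_frame(f) for f in frames]
    labels = [flag_label(x["flags"]) for x in p]
    ok = (labels == ["[SYN]", "[SYN, ACK]", "[ACK]"]
          and (p[1]["src_ip"], p[1]["src_port"]) == (p[0]["dst_ip"], p[0]["dst_port"])
          and (p[2]["src_ip"], p[2]["src_port"]) == (p[0]["src_ip"], p[0]["src_port"])
          and p[1]["ack"] == p[0]["seq"] + 1      # server acknowledges client ISN
          and p[2]["seq"] == p[0]["seq"] + 1      # the SYN consumed one sequence number
          and p[2]["ack"] == p[1]["seq"] + 1)     # client acknowledges server ISN
    return labels, ok


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """Assemble a constructed Ethernet/IPv4/TCP frame with no payload. The TCP
    checksum is left at zero because this example does not validate it."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac), bytes.fromhex(src_mac), 0x0800)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]   # fill in the header checksum
    return eth + ip + tcp


# Constructed capture: a web request from 192.168.1.10 to port 80 on 203.0.113.5.
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_frame("001122334455", "66778899aabb", "192.168.1.10", "203.0.113.5", 51514, 80, CLIENT_ISN, 0, 0x002),
    build_frame("66778899aabb", "001122334455", "203.0.113.5", "192.168.1.10", 80, 51514, SERVER_ISN, CLIENT_ISN + 1, 0x012),
    build_frame("001122334455", "66778899aabb", "192.168.1.10", "203.0.113.5", 51514, 80, CLIENT_ISN + 1, SERVER_ISN + 1, 0x010),
]

if __name__ == "__main__":
    for frame in HANDSHAKE:
        p = parse_frame(frame)
        print(f'{p["src_ip"]}:{p["src_port"]} -> {p["dst_ip"]}:{p["dst_port"]} '
              f'{flag_label(p["flags"])} seq={p["seq"]} ack={p["ack"]}')
    print("valid three-way handshake:", check_handshake(HANDSHAKE)[1])
```

The byte offsets used here (14 for the Ethernet II header, 20 each for IPv4 and TCP) are the same ones you can confirm by selecting each header in the packet details pane and watching which bytes light up in the packet bytes pane.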
(#3)

Step 2: Observing a DNS request/response

Ensure that your capture options are set as before and begin a fresh Wireshark capture session. You can discard the previous session or save it to a file.

Open a Command Prompt window. Next, to release the existing IP address, enter the ipconfig /release command at the command prompt. See Figure 4. (Note: if your computer has IPv6 configured, you will see the configured IPv6 address; you can release these using the ipconfig /release6 command.)

Figure 4: Releasing a DHCP IP Address Lease

As soon as you see that your IP address was released (shown as empty or 0.0.0.0, depending on your system), enter the ipconfig /renew command at the command prompt. See Figure 5.

Figure 5: Renewing a DHCP IP Address Lease

Wait until the renewal process has completed (you receive an IP address). Then, stop the packet capture in Wireshark. Next, click on the column in the Packet List pane marked “Protocol.” This will sort the entries in order of protocol.

Locate the DHCP packets and select the first one. (There should be 5.) The first of these packets is from your computer to the DHCP server telling it to release the lease on your IP address. The next 4 packets renew that lease. Note that the source address on the “DHCP Discover” and “DHCP Request” packets is 0.0.0.0. This indicates that your computer does not actually use its new IP address until the interchange has completed. Also note that the destination address in each of the 4 packets is a broadcast address[1]. It should be obvious to you why the first two packets are broadcast, but what about the last two? Can you explain this? Answer the questions in your Word document right after you post a snapshot of the DHCP packet screen. (#4)

Step 3: Following an HTTP stream

Let’s have a closer look at a request/response interchange that requests a web site. Follow these steps to obtain a fresh set of packets:

- Ensure that your capture options are set as before and begin another capture session.
You can discard the previous session or save it to a file.
- Open Internet Explorer on your workstation (it could be another browser if you so choose, except Edge), return to Wireshark and begin a packet capture session.
- Type in a URL and after the page loads, return to Wireshark and stop the packet capture.
- Find the packet with comments in the “Info” column saying “GET / HTTP/1.1” and select it. Right click this packet and click “Follow TCP stream” from the popup menu. See Figure 6.

Figure 6: Follow TCP Stream

A new window will open with the details of the HTTP exchange. The request and acknowledgements from your workstation are in red, and the responses are in blue and should resemble Figure 7. Make a snapshot of the screen and post it in your Word document. (#5)

Figure 7: Raw TCP Stream Data

At the bottom of this window are some options for saving this file for later reference. Click the “Close” button to return to the main window and you will notice that only the TCP and HTTP packets have been retained, since a filter was created based on your action of following the TCP stream. Now select File > Export > Objects > HTTP. See Figure 8. In the resulting window, find the Hostname you visited (second column; in our case, it was www.java.com; yours can be different) and the content-type corresponding to text/html. Then, click the “Save As” button. Save the file (with a “.html” extension) on your desktop.

Figure 8: Exporting TCP Stream (HTTP)

Minimize all windows, find the file you just saved on the desktop and open it with a web browser. If the web page contains a number of secondary files, such as image, CSS, or Flash files (as many web sites do), what you see won’t be very impressive; however, Figure 9 shows http://www.java.com on the left side, while its TCP stream produces the page shown on the right side of the figure. Although you can’t see the graphics in the rendered file, you can easily determine its main theme. Post this page into your Word document.
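As an added example of what “Follow TCP stream” and File > Export > Objects > HTTP do underneath (this is not part of the original lab and not Wireshark's code), the Python below reorders constructed TCP segments by sequence number, drops a retransmitted copy, splits the conversation into the client (red) and server (blue) halves, and then extracts the text/html object together with the Host name the request carried. The addresses, payloads and sequence numbers are made up, and the segments are deliberately listed out of order so that the reassembly step has real work to do.

```python
"""Rebuild an HTTP conversation from its TCP segments and pull out the
text/html object, mirroring what "Follow TCP Stream" and
File > Export > Objects > HTTP do in Step 3.

Added example for this lab, not code from the assignment or from Wireshark.
The segments are constructed inline (addresses, payloads and sequence numbers
are made up) and are deliberately listed out of order, with one
retransmission, so that the reordering step has real work to do.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str       # "ip:port" of the sender
    dst: str       # "ip:port" of the receiver
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segs) -> bytes:
    """Join one direction's payloads in sequence-number order, trimming bytes
    already seen (retransmissions) and refusing to paper over a missing segment."""
    data = bytearray()
    expected = None
    for seg in sorted(segs, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            raise ValueError(f"gap in stream: expected seq {expected}, got {seg.seq}")
        fresh = seg.payload[expected - seg.seq:]   # empty for a pure duplicate
        data += fresh
        expected += len(fresh)
    return bytes(data)


def follow_stream(segments):
    """Return (client_bytes, server_bytes), the red and blue halves of the
    Follow TCP Stream window. The client is taken to be whoever sent the
    first segment in capture order (the SYN's sender in a real capture)."""
    client = segments[0].src
    return (reassemble([s for s in segments if s.src == client]),
            reassemble([s for s in segments if s.src != client]))


def split_http_message(raw: bytes):
    """Split one HTTP/1.x message into (start line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def export_html(segments):
    """Like File > Export > Objects > HTTP for one conversation: return the
    hostname, content type and body of a text/html response, or None when the
    response is not HTML. Only Content-Length bodies are handled."""
    request, response = follow_stream(segments)
    request_line, req_headers, _ = split_http_message(request)
    status_line, resp_headers, body = split_http_message(response)
    if "chunked" in resp_headers.get("transfer-encoding", "").lower():
        raise ValueError("chunked transfer encoding is not handled in this example")
    length = int(resp_headers.get("content-length", len(body)))
    if len(body) < length:
        raise ValueError("response body is truncated; capture incomplete")
    ctype = resp_headers.get("content-type", "")
    if not ctype.lower().startswith("text/html"):
        return None
    return {"request": request_line, "hostname": req_headers.get("host", ""),
            "status": status_line, "content_type": ctype, "body": body[:length]}


# Constructed capture: a page request and a 200 response split over three
# segments, captured out of order and with the header segment retransmitted.
BODY = (b"<html><head><title>Lab page</title></head>"
        b"<body><h1>Hello from the lab</h1><p>No images here.</p></body></html>")
REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: lab-browser\r\n\r\n"
RESP_HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
             b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n")
CLIENT, SERVER = "192.168.1.10:51514", "203.0.113.5:80"
SERVER_ISN = 5001
CAPTURE = [
    Segment(CLIENT, SERVER, 1001, REQUEST),
    Segment(SERVER, CLIENT, SERVER_ISN + len(RESP_HEAD) + 40, BODY[40:]),  # arrived early
    Segment(SERVER, CLIENT, SERVER_ISN, RESP_HEAD),
    Segment(SERVER, CLIENT, SERVER_ISN + len(RESP_HEAD), BODY[:40]),
    Segment(SERVER, CLIENT, SERVER_ISN, RESP_HEAD),                        # retransmission
]

if __name__ == "__main__":
    obj = export_html(CAPTURE)
    print(obj["request"], "->", obj["status"], "from", obj["hostname"])
    print("%d bytes of %s ready to save with a .html extension" % (len(obj["body"]), obj["content_type"]))
```

Writing `obj["body"]` to a file with a “.html” extension gives you the same bare page you saved from the export window: the markup is intact, but any images or style sheets it references were separate HTTP objects and are not included.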
(#6)

Figure 9: Java.com (comparison)

OPTIONAL: Viewing an FTP transfer

(You should notice that the FTP login username and password are transferred in the clear; not good at all for security.)

We will now look at the file transfer between an FTP client and an FTP server. You will need a second computer on your network capable of providing file transfer services (an FTP server). The easiest way to set up an FTP server is to download the open source program FileZilla. It has both a server version that you can use to store files and a client version, which is used to access your server from another computer.

Step 1: Setting up the FTP Server

Download the FileZilla server from http://filezilla-project.org and install it on one computer. You can accept all the defaults for this demonstration, but you will need to create a user and assign a home directory to that user. Make sure you give the user a password but do not enable SSL. For this lab, we chose the username “johndoe” and a password “secret”. See Figure 10.

Note: Your firewall may need to be configured to allow connections to FileZilla Server.

Figure 10: Creating an FTP user in FileZilla

Download the FileZilla client from the same website as above and install it on a second computer. You can accept all the defaults including having the program start after installation.

Step 2: Monitor the FTP login exchange

To see the packet interchange between the two computers, perform the following:
- Open Wireshark on the client, ensure that your capture options are set as before and begin another capture session.
- Connect to the FTP server by typing in its IP address, user name and password in the text boxes at the top of the client software, then press “Quickconnect”.
This is shown in Figure 11.

Figure 11: Connecting to the FTP Server

- Stop the packet capture.
- Look for the FTP packets in the Protocol column (or apply a filter to show only FTP protocol packets). In the “Info” column they will say “Request: …” and “Response: …”. You should notice that the username and password are displayed for you in this column in clear text. This is shown in Figure 12.

If you have never seen a password revealed in a packet sniffer, it can be a real eye opener. Although we know that FTP servers are inherently not secure, this demonstration should make you think about the security of other types of logins. Try this: if you have a domain controller on your network, try logging on to it from a workstation and sniffing the packets as you do so. Are you able to find the password? (Hopefully not.) Now set up a database server for which the security setting is controlled by the operating system and do the same thing. If the security is not configured correctly, not only will you be able to find the login information (user name and password), but data will be passed in the clear also.

Figure 12: An FTP Login Sequence in Wireshark

Part 3: Write questions and answers to the following and post in your Word document.

Questions

1. Packet sniffing can be a controversial subject. Discuss any issues related to ethics that might arise when an organization monitors the electronic activity of its employees.
2. You looked at packets captured during a web page request. What might this be useful for?
3. Most computers are connected together with switches (rather than hubs). How does this affect the packet capturing process?
4. Discuss how sniffing packets from wireless networks might differ from wired networks. Use the Internet to search for wireless packet sniffers.
Where might someone go to sniff wireless packets and possibly obtain some “juicy” information?

Grading Rubric

Correct submission of Part 1    30 points
Correct submission of Part 2    30 points
Correct submission of Part 3    40 points
Total                          100 points

Grading

This assignment is worth 100 points.

[1] You may see a unicast (your IP address) target for the DHCP Offer / ACK from the DHCP server. This may happen if your DHCP Discover request has Option 50 set to a preferred IP address (e.g., your old IP address).
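Returning to the optional FTP section: the following added example (not part of the original lab, and not FileZilla's or Wireshark's code) shows what a defender can do with the observation that FTP sends USER and PASS in the clear. It walks a constructed control-channel exchange in the form Wireshark's Info column presents it (Request/Response lines), reports each exposed login with the password replaced by its length, and masks PASS lines so that a capture or screenshot can be shared without spreading the secret further. The addresses and the server's reply texts are made up; the user name and password are the lab's own sample values.

```python
"""Find FTP logins that crossed the wire in clear text, the exposure the
optional FTP section shows in Figure 12, and redact them before a capture
is shared.

Added example for this lab, not code from the assignment, from FileZilla or
from Wireshark. The control-channel lines below are constructed to match
the lab's sample user "johndoe" / password "secret"; the addresses and the
server's reply texts are made up.
"""
from dataclasses import dataclass


@dataclass
class FtpLine:
    src: str    # sender IP
    dst: str    # receiver IP
    line: str   # one control-channel line, CRLF removed


# Constructed capture of the control channel (what Wireshark's Info column
# shows as "Request: ..." and "Response: ..."): one failed login attempt,
# then the lab's login.
CLIENT, SERVER = "192.168.1.10", "192.168.1.20"
CAPTURE = [
    FtpLine(SERVER, CLIENT, "220 FTP server ready"),
    FtpLine(CLIENT, SERVER, "USER admin"),
    FtpLine(SERVER, CLIENT, "331 Password required for admin"),
    FtpLine(CLIENT, SERVER, "PASS guess"),
    FtpLine(SERVER, CLIENT, "530 Login incorrect"),
    FtpLine(CLIENT, SERVER, "USER johndoe"),
    FtpLine(SERVER, CLIENT, "331 Password required for johndoe"),
    FtpLine(CLIENT, SERVER, "PASS secret"),
    FtpLine(SERVER, CLIENT, "230 Logged on"),
    FtpLine(CLIENT, SERVER, "PWD"),
    FtpLine(SERVER, CLIENT, '257 "/" is current directory'),
]


def split_command(line: str):
    """FTP commands are a verb, a space and an argument; verbs are case-insensitive."""
    verb, _, arg = line.partition(" ")
    return verb.upper(), arg


def find_cleartext_logins(lines):
    """Pair each USER/PASS with the server's reply to the PASS and report the
    exposed login. The password itself is not copied into the finding, only
    its length, so the alert does not spread the secret further."""
    findings = []
    pending = {}   # client address -> login in progress
    for entry in lines:
        verb, arg = split_command(entry.line)
        if verb == "USER":
            pending[entry.src] = {"client": entry.src, "server": entry.dst,
                                  "user": arg, "password_len": None, "result": None}
        elif verb == "PASS" and entry.src in pending:
            pending[entry.src]["password_len"] = len(arg)
        elif verb[:3].isdigit() and entry.dst in pending:
            login = pending[entry.dst]
            if login["password_len"] is None:
                continue      # e.g. the 331 reply to USER; no PASS sent yet
            code = int(verb[:3])
            login["result"] = "accepted" if 200 <= code < 300 else "rejected"
            findings.append(pending.pop(entry.dst))
    return findings


def redact_line(line: str) -> str:
    """Mask the PASS argument so a capture or screenshot can be shared."""
    verb, arg = split_command(line)
    return "PASS " + "*" * len(arg) if verb == "PASS" else line


if __name__ == "__main__":
    for f in find_cleartext_logins(CAPTURE):
        print(f'{f["client"]} -> {f["server"]}: USER {f["user"]} with a '
              f'{f["password_len"]}-character password sent in clear text ({f["result"]})')
    for entry in CAPTURE:
        print("Request:" if entry.src == CLIENT else "Response:", redact_line(entry.line))
```

The same pairing logic is what a network monitor would run over port 21 traffic to inventory plaintext logins; the fix it points to is the one the lab's setup step skipped, enabling TLS on the server so the USER/PASS exchange is no longer readable from a capture.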