ITECH1102 Networking and Security - Federation University
Week 5 lab sheet: The Network (Internet) layer.
Major goals of this lab sheet:
• Investigate the Linux file system and basic Linux commands
• Observe IP settings on Windows and Linux
• Use Wireshark to capture and analyse ARP (Data Link Protocol)
• Use Wireshark to capture and analyse network layer protocols
Part 1 - Investigate the Linux file system and basic Linux commands
Discussion:
Most students will be familiar with the structure of the Windows file system and the way it identifies file system devices using drive letters.
For instance:
C: typically represents the main hard drive that contains the operating system.
D: is often used for the DVD drive (if one exists)
E: for removable media like USB sticks or hard drives
In Linux, a totally different file system structure is used. Everything in the Linux file system sits below the root of the file system, which is represented by a forward slash ( / ).
Devices like extra hard drives, USB devices and network drives must be mounted into a directory somewhere beneath the root of the file system. This is usually all done for you during installation.
When referring to parts of the Linux file system, we usually give the entire path starting from /. For instance, the Documents directory of user1 is located at /home/user1/Documents/
The directory representing the first USB device on our Linux Lite system is at /mnt/vbox/
Task 1.
Draw a diagram of the Linux file system identifying the directories mentioned below:
• /bin/
• /home/
• /home/user2/Downloads/
• /etc/
• /etc/samba/
• /sbin/
• /mnt/
• /mnt/vbox/
Task 2
Determine from the Internet the primary function of each of the above Linux directories.
Task 3
Draw a hierarchical diagram of the above Linux directory structure. (not the entire Linux file system)
Task 4 - Navigating the Linux file system from the command line
Thunar allows us to navigate the Linux file system using a GUI. However, power Linux users spend much of their time working in Linux terminals with command-line commands and their associated arguments.
There are a few commands that allow us to move around the Linux file system and to determine our current location in it.
Command line commands
cd Change directory command
This command allows us to navigate to specific Linux directories. Example:
cd /home/user1/ takes us to user1's home directory
Example:
cd /home/user1/Pictures/ takes us to the Pictures directory of user1. The cd command can navigate to any directory in the Linux file system that you have permission to enter.
pwd Print Working Directory
This command shows us our current location in the Linux file system.
Exercise
Open a Linux terminal and using the cd and pwd commands navigate to all Linux directories mentioned in Task 1 above.
From the Pictures directory enter the command:
cd ..
Use the pwd command to determine what the cd .. command does in Linux.
Shortcut notations in Linux commands.
Linux file system paths are often quite long and so entering an entire path from the root of the file system can be tedious.
Shortcuts include:
. This represents the current directory as determined with the pwd command.
.. This represents the directory one level up in the Linux file system.
~ This represents the current user's home directory.
These shortcuts can be particularly useful in all sorts of commands. The Linux copy ( cp ) and move ( mv ) commands are good examples.
Example:
cp /home/user1/Pictures/MyPhoto.jpg ~
would copy the file MyPhoto.jpg to the current user's home directory.
Likewise:
cp ../file3 /home/user1/
would copy the file named file3 from the directory one level up (the parent of the current working directory) to the directory /home/user1/
Other Linux terminal commands:
whoami This command tells you who you are currently logged in as.
ls ls is the Linux list command. It is probably the most frequently used Linux command. It lists the contents of the current working directory, or if a file system path is added it lists the contents of that path.
Example:
cd /home/
ls
This will change directory to /home/ and then list its contents.
The ls command has two main command line arguments that tell us more about the files it contains.
ls -l is a long listing. (This displays extra information about each file/directory)
ls -a is a listing that includes hidden files (files whose names start with a period)
ls -la does both.
Exercise
From the command line navigate to the directory /etc/gufw/
Use the command ls -la to get a long listing of the files within /etc/gufw/
Use the Internet to try to determine what each column of an ls -la listing tells us about the associated files.
Note - we are not concerned with what the files of /etc/gufw/ do, we just want some idea of what the ls -la listing tells us about the associated files.
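Worked example (added for this version of the lab sheet, not part of the original; written in Python rather than as a shell one-liner so that each column can be picked apart): the script below parses ls -la lines into their columns, converts the permission string to its octal form and picks out the entries a security review would look at first, world-writable files and setuid/setgid executables. The listing inside the script is constructed for the example and is not the real content of /etc/gufw/.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output in the format of `ls -la`. The entries are invented
# for this example and are not the real contents of /etc/gufw/.
SAMPLE_LISTING = """\
total 24
drwxr-xr-x  2 root  root  4096 Mar  3 10:15 .
drwxr-xr-x 98 root  root  4096 Mar  3 10:14 ..
-rw-r--r--  1 root  root   342 Mar  3 10:15 gufw.cfg
-rwsr-xr-x  1 root  root  8192 Mar  3 10:15 helper
-rw-rw-rw-  1 user1 user1   12 Mar  3 10:15 .hidden_notes
lrwxrwxrwx  1 root  root     8 Mar  3 10:15 link -> gufw.cfg
"""

# Column layout of one ls -la line:
#   type+permissions  hard-link count  owner  group  size  modification time  name
LINE_RE = re.compile(
    r"^(?P<kind>[-dlcbps])(?P<mode>[rwxsStT-]{9})[.+@]?\s+"
    r"(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\S+\s+\d+\s+[\d:]+)\s+(?P<name>.+)$"
)


@dataclass
class Entry:
    kind: str          # '-' regular file, 'd' directory, 'l' symlink, 'c'/'b' device, ...
    mode: str          # the nine permission characters, e.g. rwxr-xr-x
    links: int         # hard-link count (for a directory: 2 + number of subdirectories)
    owner: str
    group: str
    size: int          # bytes (for a symlink: length of the target path)
    mtime: str
    name: str
    target: Optional[str] = None   # symlink target, if the entry is a link


def parse_listing(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("total "):   # "total N" is a block count, not an entry
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ls -la line: {line!r}")
        name, _, target = m["name"].partition(" -> ")
        entries.append(Entry(m["kind"], m["mode"], int(m["links"]), m["owner"],
                             m["group"], int(m["size"]), m["mtime"], name, target or None))
    return entries


def mode_to_octal(mode: str) -> str:
    """rwxr-xr-x -> '0755'; rwsr-xr-x -> '4755' (setuid); rwxrwxrwt -> '1777' (sticky)."""
    special, bits = 0, 0
    for i, ch in enumerate(mode):
        if ch in "rwxst":            # lowercase s/t mean the x bit is set as well
            bits |= 1 << (8 - i)
        if i == 2 and ch in "sS":
            special |= 4             # setuid
        elif i == 5 and ch in "sS":
            special |= 2             # setgid
        elif i == 8 and ch in "tT":
            special |= 1             # sticky
    return f"{special}{bits:03o}"


def is_world_writable(e: Entry) -> bool:
    return e.mode[7] == "w"


def is_setuid_or_setgid(e: Entry) -> bool:
    return e.mode[2] in "sS" or e.mode[5] in "sS"


def review(text: str) -> List[str]:
    """Names of entries worth a second look: world-writable, or setuid/setgid."""
    flagged = []
    for e in parse_listing(text):
        if e.kind == "l":            # a symlink's own mode is always rwxrwxrwx; not meaningful
            continue
        if is_world_writable(e) or is_setuid_or_setgid(e):
            flagged.append(e.name)
    return flagged


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print(f"{e.kind} {mode_to_octal(e.mode)} {e.owner}:{e.group} {e.size:>6} {e.name}")
    print("flagged:", review(SAMPLE_LISTING))
```

Reading the columns left to right: file type and permission bits (owner, group, other), hard-link count, owner, group, size in bytes, modification time, name. An s in an execute position means setuid or setgid; an uppercase S or T means the special bit is set without the matching execute bit, which is almost always a mistake.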
Part 2 - Observing IP settings on Windows and Linux
Windows ipconfig command
The Windows ipconfig command allows us to determine the current IP configuration of the Windows machine.
The basic form of the command only shows the following basic settings:
• IPv4 address
• Subnet Mask
• Default Gateway
• IPv6 address
By using the ipconfig /all option, we can obtain a wealth of other related IP information, including:
• Physical Address (MAC address)
• DHCP status (Enabled or disabled)
• DHCP Lease information (How long DHCP has allocated the IP setting to you)
• DHCP server's IP address
• DNS servers' IP addresses
These settings are all we require for solving most IP issues.
Linux ifconfig command
Like the ipconfig command in Windows, the Linux ifconfig command displays basic IP settings including:
• IPv4 address
• Subnet Mask
• HWaddr (MAC address)
• IPv6 address
To observe the gateway address, we use the route command.
Gateway address
The route command displays the Linux machine's routing table. The entry labelled default is the gateway address.
Plain route resolves addresses to names where it can, so the Gateway column of the default entry may show a name rather than an address; run route -n to list the actual IP address of the gateway (the default entry then shows Destination 0.0.0.0 with the G flag set).
Note - ifconfig, route and arp come from the net-tools package, which some current Linux distributions no longer install by default. The equivalent commands are ip addr (addresses), ip route (routing table, with the gateway shown as "default via ...") and ip neigh (ARP cache).
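Added example (not from the lab sheet): parsing the routing table printed by route -n and reproducing the kernel's longest-prefix match, which explains both why the default entry is the gateway and, in Part 3, why a ping to a remote address produces no ARP request for that address. The table text, addresses and interface name are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample output of `route -n` (numeric form). With plain `route`
# the Destination column would read "default" instead of 0.0.0.0 and the
# Gateway column may show a name. Addresses and interface are invented.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.56.1    0.0.0.0         UG    100    0        0 enp0s3
192.168.56.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3
"""

COLUMNS = ("dest", "gateway", "genmask", "flags", "metric", "ref", "use", "iface")


def parse_route_table(text: str) -> List[Dict[str, str]]:
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or fields[0] == "Destination":
            continue                     # skips the title line, the header and blanks
        row = dict(zip(COLUMNS, fields))
        if row["dest"] == "default":     # form printed by `route` without -n
            row["dest"] = "0.0.0.0"
        if row["gateway"] == "*":        # `route` prints * for "no gateway" (on-link)
            row["gateway"] = "0.0.0.0"
        rows.append(row)
    return rows


def default_gateway(rows: List[Dict[str, str]]) -> Optional[str]:
    """The default route matches everything (0.0.0.0 / 0.0.0.0) and carries the G flag."""
    for r in rows:
        if r["dest"] == "0.0.0.0" and r["genmask"] == "0.0.0.0" and "G" in r["flags"]:
            return r["gateway"]
    return None


def next_hop(rows: List[Dict[str, str]], destination: str) -> Optional[str]:
    """Longest-prefix match (lowest metric on a tie), as the kernel does it.
    Returns the gateway the packet is handed to, or None when the destination is
    on the local link and is therefore ARPed for directly."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for r in rows:
        net = ipaddress.IPv4Network((r["dest"], r["genmask"]), strict=False)
        key = (net.prefixlen, -int(r["metric"]))
        if dst in net and (best is None or key > best[0]):
            best = (key, r)
    if best is None:
        raise LookupError(f"no route to {destination}")
    route = best[1]
    return route["gateway"] if "G" in route["flags"] else None


if __name__ == "__main__":
    table = parse_route_table(ROUTE_N_OUTPUT)
    print("default gateway:", default_gateway(table))
    for ip in ("192.168.56.20", "8.8.8.8"):
        print(ip, "->", next_hop(table, ip) or "on-link")
```

A destination that matches only the 0.0.0.0/0 entry is sent to the gateway, so the only MAC address the sender needs is the gateway's; a destination inside 192.168.56.0/24 is delivered directly and triggers an ARP request for that host.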
Part 3 - Examining Protocols with Wireshark
Discussion
Wireshark is an industry-standard protocol analyser that allows us to capture and analyse network traffic. It is a fantastic learning tool because it enables us to closely examine the particular protocols discussed in lectures.
Wireshark is also used as a software diagnostic tool. It allows us to determine the interactions that occur between client and server applications and can enable difficult interactions to be traced and diagnosed.
Wireshark is also an important tool in forensic analysis in security circles. Traffic generated by viruses and bots on client computers can be examined to help determine the source and lead to mitigation of the security threats.
In this lab, we will examine some protocols discussed in lectures.
Exercise: Examine the format of an IP header.
Prior to examining an IP header, we must first of all capture one.
From the Linux Lite Menu select > Internet > Wireshark (This should run Wireshark)
If you double-click the name of an interface that is showing activity in its traffic graph, you will start capturing background network traffic on that interface. If no interfaces are listed, Wireshark lacks permission to capture; on Linux the usual fix is membership of the wireshark group rather than running Wireshark as root.
After capturing for 10 or 20 seconds, you should have captured a reasonable amount of traffic.
Try clicking on a packet in the Packet List pane (the one at the top). Look in the Packet Details (decode) pane below it, and you will see all the headers associated with the packet selected in the packet list pane.
Find a packet that has an IP header and click the expand/contract triangle on the Internet Protocol line in the Packet Details pane. This should show the details of this particular IP header. We will investigate various fields of this header by answering the following questions about it:
What is the IP version? ........................
How many bits are used to store the IP header length? ........................
What is the length of the IP header in this case? ........................
What does the first flag suggest about the packet? ........................
What is the value of the Time to Live field? ........................
What does this mean?
What is the value of the header checksum? .........................
What is the function of the header checksum field?
What is the IP address of the host that sent this packet?
Where can you find the hexadecimal value of the IP address in Wireshark?
What is the IP address of the destination host? ............................
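Added example (not part of the lab sheet): a Python parser for the IPv4 header that extracts every field the questions above ask about and verifies the header checksum the way Wireshark does. It also builds a header with a valid checksum so the parser can be exercised offline; the addresses used in the script's own main are constructed. KNOWN_HEADER is a 20-byte header that appears in many IPv4 checksum tutorials (its checksum is 0xb861) and serves as a known-good test vector.

```python
import ipaddress
import struct
from typing import Dict

IPV4_FIXED = "!BBHHHBBH4s4s"     # the 20-byte fixed part of the header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: 16-bit one's-complement sum of the header words,
    then complemented. To compute it, pass the header with the checksum field
    zeroed; to verify a received header, pass it as-is and expect 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, *, ttl: int = 64, protocol: int = 1,
                      total_length: int = 84, ident: int = 0x1C46,
                      dont_fragment: bool = True) -> bytes:
    """Builds a 20-byte IPv4 header (no options) with a correct checksum."""
    flags_frag = 0x4000 if dont_fragment else 0   # top 3 bits: reserved, DF, MF
    hdr = struct.pack(IPV4_FIXED, 0x45, 0, total_length, ident, flags_frag, ttl, protocol,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> Dict[str, object]:
    """Extracts the fields asked about in the lab questions, options included."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack(IPV4_FIXED, packet[:20])
    version = ver_ihl >> 4
    ihl = ver_ihl & 0x0F                     # 4 bits, counted in 32-bit words
    header_length = ihl * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if header_length < 20 or len(packet) < header_length:
        raise ValueError(f"bad IHL {ihl}")
    header = packet[:header_length]          # the checksum covers any options too
    flags = flags_frag >> 13
    return {
        "version": version,
        "ihl_bits": 4,
        "ihl_words": ihl,
        "header_length": header_length,
        "total_length": total_length,
        "identification": ident,
        "options": header[20:],
        "reserved_flag": bool(flags & 0b100),   # first flag: reserved, must be 0
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": protocol,
        "checksum": checksum,
        "checksum_ok": ipv4_checksum(header) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "src_hex": src.hex(),                    # what the bytes pane shows for the address
        "dst_hex": dst.hex(),
    }


# Tutorial example header: 192.168.0.1 -> 192.168.0.199, UDP, TTL 64, DF set.
KNOWN_HEADER = bytes.fromhex("4500007300004000" "4011b861" "c0a80001" "c0a800c7")


if __name__ == "__main__":
    # Constructed addresses for the example run.
    hdr = build_ipv4_header("192.168.56.101", "8.8.8.8")
    for k, v in parse_ipv4_header(hdr).items():
        print(f"{k:>16}: {v}")
```

Points the parser makes concrete: the header length is stored in 4 bits as a count of 32-bit words, so 5 means 20 bytes and anything above 5 means options are present; the first flag is reserved and must be zero; the checksum covers only the header (not the payload) and has to be recomputed at every router because the TTL changes; the source and destination addresses are the last eight bytes of the fixed header, which is where to look for them in the bytes pane.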
Exercise - Examine an ARP request and associated response
Discussion
ARP is a Data Link layer protocol, and as such you will not see an IP header in ARP Wireshark captures.
The role of ARP is to determine the MAC address of a machine with a specific IP address.
ARP does this by sending a broadcast to the network asking which machine has the IP address. It then waits for a response from the machine with the IP address in question.
Looking closely at the request packet is instructive: it has an all-zero MAC address (00:00:00:00:00:00) in the field associated with the target machine's MAC address, because that is the value the sender is trying to discover.
Exercise: Capture an ARP request with Wireshark on Linux Lite
The first thing we must do is to find a machine to contact. In the university labs, all you need do is determine the IP address of another lab machine (one that does not already have an entry in your machine's ARP cache).
To look at your ARP cache, enter the command (arp -n shows numeric addresses without attempting reverse DNS lookups):
arp
Run Wireshark > Capture > options
- Select the correct interface
- Enter the word arp in the capture filter box
- Click the Start button
To generate an arp request and reply:
- open a terminal
- ping the IP address of the machine identified above
You should see an ARP request and an ARP reply captured in Wireshark. Click the red stop button to stop the Wireshark capture.
Note - ARP is a Data Link protocol and so only works on your local network.
If you ping a remote IP address (e.g. that of google.com), you will not see ARP packets for that address: the traffic goes via the gateway, whose MAC address is normally already in the ARP cache (an ARP exchange for the gateway appears only if its cache entry has expired or been removed).
Note - If you need to remove an entry from the arp cache, use the command:
sudo arp -d <ip_address>
If you are having problems generating arp traffic, there is an arp capture on Moodle.
Once you have an arp request and reply, carefully examine them in Wireshark.
You should be able to see the request that is missing the MAC address of the target machine (see below).
The reply has the MAC address included.
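Added example (not from the lab sheet): building and parsing the ARP request and reply described above in Python, including the host-side rule that only the owner of the requested IP address answers. The MAC and IP addresses are constructed for the example and do not belong to any real lab machine.

```python
import ipaddress
import struct
from typing import Dict, Optional

ETH_HDR = "!6s6sH"                  # destination MAC, source MAC, EtherType
ARP_PKT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(oper: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP packet. A request is broadcast because the
    sender does not yet know the target's MAC; a reply is unicast to the requester."""
    eth_dst = BROADCAST_MAC if oper == ARP_REQUEST else target_mac
    eth = struct.pack(ETH_HDR, mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_PKT, 1, 0x0800, 6, 4, oper,
                      mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_to_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp                # 14 + 28 = 42 bytes; the NIC pads this to 60 on the wire


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack(ETH_HDR, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_PKT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src),
        "oper": "request" if oper == ARP_REQUEST else "reply" if oper == ARP_REPLY else oper,
        "sender_mac": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def answer_if_mine(frame: bytes, my_mac: str, my_ip: str) -> Optional[bytes]:
    """What the target host does: reply only to requests for its own IP address,
    sending its MAC back to the requester, whose addresses are taken from the request."""
    req = parse_arp_frame(frame)
    if req["oper"] != "request" or req["target_ip"] != my_ip:
        return None
    return build_arp_frame(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


if __name__ == "__main__":
    # Constructed addresses: one lab VM asking for another lab VM on the same subnet.
    request = build_arp_frame(ARP_REQUEST, "08:00:27:aa:bb:cc", "192.168.56.101",
                              ZERO_MAC, "192.168.56.102")
    reply = answer_if_mine(request, "08:00:27:dd:ee:ff", "192.168.56.102")
    print("request:", parse_arp_frame(request))
    print("reply:  ", parse_arp_frame(reply))
```

The request is what Wireshark summarises as "Who has 192.168.56.102? Tell 192.168.56.101": destination MAC ff:ff:ff:ff:ff:ff in the Ethernet header and 00:00:00:00:00:00 in the target MAC field. The capture filter arp matches on EtherType 0x0806. Note that nothing in the exchange authenticates the reply; any host on the segment can answer, which is what ARP spoofing exploits.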
Exercise - Examine DNS traffic
Discussion
DNS is the service on IP networks that translates names like www.apple.com to their associated IP addresses.
When you enter a URL into a browser, for instance, the host name in that URL has to be resolved to an IP address before the web site can be contacted.
If you ping a remote web site by name, the resolver will likewise do a DNS lookup and return the IP address in question.
In the next exercise, we will ping a remote web site to force DNS traffic. We will capture it with Wireshark and then investigate it.
Exercise: Capture DNS Traffic
Run Wireshark > Capture > options
- Select the correct interface
- Enter port 53 in the capture filter box (this matches both UDP and TCP on port 53; ordinary lookups use UDP)
- Click the Start button
To generate a DNS request and reply:
- open a terminal
- ping the web site www.apple.com
Now press the red stop button to stop the capture. Investigate the resulting traffic.
Note - on systems that use a local caching stub resolver (for example systemd-resolved listening on 127.0.0.53), the query from ping goes to the stub over the loopback interface and only the stub's forwarded query appears on the network interface; if the name is already cached there, no DNS packets reach the network at all. Capturing on the "any" interface, or flushing the resolver cache first, works around this.
Things to examine in the traffic:
• The sequence of headers in each packet.
From this, you should be able to identify the layer at which DNS works.
• What is the query asking?
• What is the response sending back?
• Associated fields in the Domain Name System ( response ) header.
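Added example (not from the lab sheet): a minimal DNS query builder and response parser in Python that handles the name compression pointers real responses use, plus the check a resolver applies to tie a response to its query. The response and its answer address (203.0.113.10, a documentation address) are constructed and are not what www.apple.com actually resolves to.

```python
import ipaddress
import struct
from typing import List, Tuple

DNS_HEADER = "!HHHHHH"       # id, flags, qdcount, ancount, nscount, arcount
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """www.apple.com -> 3www5apple3com0 (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Reads a name at offset, following RFC 1035 compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears at the original place)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # a pointer ends the name at the original spot
            hops += 1
            if hops > 16 or pointer >= offset:         # refuse loops and forward pointers
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    header = struct.pack(DNS_HEADER, txid, 0x0100, 1, 0, 0, 0)   # flags: QR=0, RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes, answers: List[Tuple[int, str]]) -> bytes:
    """Response to a single-question A query; answers = [(ttl, ipv4), ...].
    Each answer's owner name is a pointer to the question name at offset 12,
    which is how real servers write it."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack(DNS_HEADER, txid, 0x8180, 1, len(answers), 0, 0)   # QR=1, RD=1, RA=1
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
                   + ipaddress.IPv4Address(ip).packed for ttl, ip in answers)
    return header + query[12:] + rrs


def parse_dns(msg: bytes) -> dict:
    txid, flags, qd, an, _ns, _ar = struct.unpack(DNS_HEADER, msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def response_matches(query: bytes, response: bytes) -> bool:
    """All that ties a reply to a query inside the DNS message: the 16-bit
    transaction ID and the echoed question (the UDP source port is the other check)."""
    q, r = parse_dns(query), parse_dns(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    query = build_query(0x1234, "www.apple.com")
    response = build_response(query, [(300, "203.0.113.10")])   # constructed answer
    print(parse_dns(query))
    print(parse_dns(response), response_matches(query, response))
```

In the capture, the headers appear in the order Ethernet, IP, UDP (port 53), DNS: DNS is an application-layer protocol carried over UDP, and the parser above starts at the UDP payload. The answer's name shows up in Wireshark as the same text as the question because of the 0xC00C pointer; in the bytes pane it is only two bytes. Note how little authenticates a response: a 16-bit ID, the echoed question and the UDP source port, which is why resolvers must make both the ID and the port unpredictable.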