What is the size range of the packets captured?

Reference no: EM132732536

ITECH1102 Networking and Security - Federation University

Lab sheet 4 : Introduction to Wireshark.

Major goals of this lab sheet:
• Gain familiarity with Wireshark
• Capture and interpret network data
• Locate additional Wireshark resources

Discussion:
Wireshark is an industry standard protocol analyser. The function of a protocol analyser is to capture network traffic and display it in a readable format. Wireshark can also filter traffic: a capture filter limits what is recorded to the traffic of interest (e.g. only broadcast traffic from other machines), and a display filter limits what is shown from a capture that has already been taken. Hence by an appropriate choice of filters a user can perform detailed analysis of the traffic on a network. In the coming weeks we will use Wireshark to capture and examine network traffic to help us better understand the basics of networking and how particular network protocols function.

Wireshark is an open source product and as such can be downloaded from the Internet and installed free of charge. It runs on Windows, Mac OS X, Linux and Unix platforms. It is arguably the most widely used networking and security tool available. Version 2.0.2 is installed on our Linux Lite virtual image and the main campuses have Wireshark installed on the Windows host machines.
Students (particularly online students) should consider downloading and installing Wireshark on their host machine. This will allow traffic captures on multiple machines as required.

Launching Wireshark:
Wireshark can be launched from the Windows Start menu or Menu > Internet on Linux. (See the opening screen below).

From the opening screen we can see all interfaces on the machine, and to the right of each interface a small activity graph indicates whether traffic is currently being seen on it.

We can also enter a capture filter on this screen to restrict the capture to specific traffic types.

The opening screen also shows the Main Menu at the top of the screen. These are the menu selections we will use frequently for capturing and analysing network traffic.

For us the main Menu items are:
• File (For saving and opening traffic capture files)
• Capture (Used to start and stop network captures and choose network interfaces)
• Statistics (Used to summarise information about captured traffic)

The icons below the menu bar provide shortcuts for starting capture sessions, stopping a capture session, saving and opening capture files, searching for particular packets and other functions.

The Filter area allows display filters to be chosen from the standard filters provided by Wireshark or the entry of new filters. Display filters allow us to limit the amount of traffic displayed by Wireshark. Unlike a capture filter, a display filter does not discard anything: the full capture is still kept and can be shown again by clearing the filter.

Capturing network traffic:
Open Wireshark on Linux Lite and from the Wireshark menu select Capture > Options.

The left hand side of the screen shows available network interfaces. Select the one labelled enp0s3. From here we can enter a capture filter (optional) then select Start to start capturing network traffic.

To stop the traffic capture click on the red Stop button in the Wireshark toolbar (or select Capture > Stop).

Captured traffic should resemble the screen capture below. Notice the three distinct panes: the Packet List pane at the top, the Decode pane in the middle and the Packet Dump pane at the bottom (Wireshark's own names for the last two are Packet Details and Packet Bytes). Each is explained below.

Packet List - Shows brief details about all the packets that have been captured. Notice the Time column which records the time when the packet was captured. Currently, with no filter this list will grow rapidly!

Packet Decode - For the currently selected packet in the packet list this pane shows the decoded contents of that packet. Wireshark understands what is taking place within many common network protocols and, provided this packet contains a protocol that Wireshark understands, this pane will contain a "human readable" interpretation of the data in the packet. You can click on different sections of the decode and the corresponding region in the Packet Dump pane will be highlighted in blue.

Packet Dump - In this pane the raw data bytes of the current packet can be viewed. Maximise the window and note that there are two parallel views of the data. On the left hand side the bytes are shown as hexadecimal numbers (each hexadecimal digit represents 4 binary bits, so one byte is 2 hexadecimal digits). On the right hand side the same bytes are shown as characters. Bytes that do not represent a printable character are shown as a full stop instead. Sixteen bytes are normally displayed per row, and the offset of the first byte in each row is given (in hexadecimal) at the far left.

Wireshark exercises

(i) Capture some network traffic

If you have not already done so run Wireshark.

1. From the main menu select Capture then Options (this item was called Interfaces in older Wireshark 1.x versions)
2. Choose the interface that is connected to the Network.
3. Click Start to begin the capture.

• If you are not capturing traffic you may have selected an interface that is not connected to the network.
• If you are on a low traffic network you can generate network traffic by running any network enabled program, Firefox for instance. The number of packets generated from basic web sites will be significant.

Wait for about 20 seconds then click the Stop button to stop the capture.

Confirmation that we are dealing with a packet switched network.

In Topic 2 we described the differences between circuit switched and packet switched networks.
Starting with Packet # 1 in the Packet List pane determine the size of the packet.
• The Frame summary at the top of the packet decode lists the size.
• You could also confirm the size by counting the raw bytes in the packet dump pane at the bottom of the screen.

Now look at the sizes of more packets in the capture. The sizes are likely to vary considerably.

Although quite obvious, you have just confirmed that what Wireshark shows us is tens, hundreds or thousands of separate packets of data, confirming that we are working with packet switched network traffic.

(ii) Saving captured traffic

From the file menu select Save As and save the captured traffic to your desktop. What is the size of the saved file? .............................
What extension does Wireshark use to save such traffic? .............................

Saved files can be loaded into Wireshark from the File Menu for subsequent analysis.

(iii) Analysis of captured traffic

At the top of the packet list pane are 7 headings that give us a brief description of each packet in the packet list.

On busy networks the number of packets in the packet list can grow very quickly.

The Time column shows, by default, the number of seconds since the start of the capture, with microsecond (millionth of a second) resolution. To see the time between consecutive packets instead, choose View > Time Display Format > Seconds Since Previous Displayed Packet, or simply subtract adjacent values. Take a look at this column and determine the number of millionths of a second between any two packets. Try to find a few packets that were sent within a very short time of one another.

(iv) Sorting traffic

The Protocol column is extremely important as it allows us to focus on specific traffic for close observation.

Click on the Protocol column to sort traffic according to its type.

You will probably see TCP traffic, UDP traffic and hopefully numerous other types of traffic.

(v) Ethernet (MAC addresses)

Arrange the three panes so that the packet list pane (top pane) only shows 3 or 4 packets. This will give you room to display most of (or all of) the packet dump (raw data) pane at the bottom of the screen.

In the Packet Decode pane (middle pane) click on the word Frame. You should see the entire packet dump pane display in blue to indicate the entire transmission constitutes a frame.

Now try clicking on word Ethernet II. You should see the first 14 bytes highlighted in the packet dump pane. This indicates the Ethernet II data constitutes the first 14 bytes of the frame.

Now try clicking the solid triangle next to Ethernet II to expand it. From here you should be able to determine where in the frame the Ethernet destination address (MAC address) is located, where the Ethernet source address is located and where the Ethernet Type field is located.

How many bytes are used to store the Ethernet Source or destination address? ..............

How many binary bits are required to store the Ethernet destination address? ...............

(vi) Observing captured traffic

1. There is a Wireshark traffic capture (named RandomTraffic-1.pcapng) included in the topic 4 files stored on Moodle.

2. Download it to Linux Lite so we can inspect it in the context of the material we have covered so far in lectures.

This file was captured from the Mt Helen networking lab using no capture filter.
The traffic captured is simply background traffic typical of moderately sized networks.

Protocol column

The protocol column tells us the network protocol in this packet.

1. How many different types of protocol have been captured?
2. What is the size range of the packets captured?
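The following Python script is an added example (it is not part of the lab sheet or the course materials) that reads a capture file and answers the two questions above, together with the inter-packet timing question from exercise (iii): how many protocols appear, the size range of the frames, and the gap in microseconds between consecutive packets. It reads only the classic libpcap format, so when saving from Wireshark 2.x (which writes pcapng by default) choose the "Wireshark/tcpdump/... - pcap" type in File > Save As. The capture embedded at the bottom is constructed for the example with made-up addresses; it is not RandomTraffic-1.pcapng.

```python
"""Read a classic libpcap (.pcap) capture and report protocol count, size range and
inter-packet gaps. Added example; the embedded capture is constructed, not real traffic."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # as read with "<I": little-endian file, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic seen when the file is big-endian
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}


def read_pcap(data: bytes):
    """Yield (timestamp_in_microseconds, frame_bytes) for every record in the file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (nanosecond pcap or pcapng?)")
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != 1:
        raise ValueError(f"expected LINKTYPE_ETHERNET (1), got {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec * 1_000_000 + ts_usec, data[off:off + incl_len]
        off += incl_len


def protocol_of(frame: bytes) -> str:
    """Coarse version of Wireshark's Protocol column: the innermost protocol we recognise."""
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len <= 1500:                       # IEEE 802.3 length field, LLC follows
        return "STP" if frame[14] == 0x42 else "LLC"
    name = ETHERTYPES.get(type_or_len, f"0x{type_or_len:04x}")
    if name == "IPv4":
        proto = frame[14 + 9]                      # Protocol byte of the IPv4 header
        return IP_PROTOS.get(proto, f"IP proto {proto}")
    return name


def summarize(data: bytes) -> dict:
    """Answer the lab questions: packet count, protocol list, size range, gaps between packets."""
    records = list(read_pcap(data))
    lengths = [len(frame) for _, frame in records]
    times = [ts for ts, _ in records]
    deltas_us = [b - a for a, b in zip(times, times[1:])]   # exact integer microseconds
    return {
        "packets": len(records),
        "protocols": sorted({protocol_of(frame) for _, frame in records}),
        "size_range": (min(lengths), max(lengths)),
        "deltas_us": deltas_us,
        "min_delta_us": min(deltas_us) if deltas_us else None,
    }


# --- constructed capture (made-up MACs/IPs, zero payloads, zero checksums) -------------
MAC_A, MAC_B = bytes.fromhex("080027aabbcc"), bytes.fromhex("080027ddeeff")


def eth_ipv4(proto: int, payload_len: int) -> bytes:
    """Ethernet II + minimal 20-byte IPv4 header + zero payload of the given length."""
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20 + payload_len) + b"\x00\x00\x40\x00"
          + bytes([64, proto]) + b"\x00\x00" + bytes([10, 0, 0, 5]) + bytes([10, 0, 0, 9]))
    return MAC_A + MAC_B + b"\x08\x00" + ip + bytes(payload_len)


def pcap_file(records) -> bytes:
    """Serialise [(timestamp_us, frame), ...] as a little-endian classic pcap."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(f), len(f)) + f
                    for ts, f in records)
    return header + body


T0 = 1_600_000_000_000_000  # arbitrary start time, microseconds since 1970
STP = (bytes.fromhex("0180c2000000") + MAC_A + struct.pack("!H", 38)
       + b"\x42\x42\x03" + bytes(35)).ljust(60, b"\x00")        # 802.3/LLC BPDU, padded
SAMPLE_PCAP = pcap_file([
    (T0,         eth_ipv4(6, 32)),                               # 66-byte TCP
    (T0 + 13,    eth_ipv4(6, 32)),                               # 13 us later
    (T0 + 250,   eth_ipv4(17, 300)),                             # 334-byte UDP
    (T0 + 1_000, eth_ipv4(89, 60)),                              # 94-byte OSPF
    (T0 + 2_500, MAC_B + MAC_A + b"\x08\x06" + bytes(46)),       # 60-byte ARP
    (T0 + 4_000, STP),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

On a real file the same three answers come straight out of tshark, which reads pcapng as well: `tshark -r RandomTraffic-1.pcapng -T fields -e frame.len -e frame.time_delta -e _ws.col.Protocol` prints one line per packet, and `capinfos` reports the size range and packet count for the whole file.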

Encapsulation

In this exercise we want to find the Protocols used at each layer of the Internet Model and the size of the associated layer header.

This information can be found by selecting a packet in the packet list pane then inspecting the packet in the decode pane.

For example packet 1 (a TCP packet) is 66 bytes in length. The first 14 bytes are the Ethernet header, the next 20 bytes are the IP header and the last 32 bytes are the TCP header (the 20-byte base TCP header plus 12 bytes of TCP options; the Data Offset field in the decode gives the actual header length).

The second packet is an OSPF packet. It is 94 bytes in length.
It has an Ethernet header (14 bytes) and an IP header (again 20 bytes) followed by the OSPF information.

OSPF is a Network layer routing protocol that is carried directly inside IP (it is IP protocol number 89) rather than over TCP or UDP, so there is no Transport layer header in the frame.

Have a look on the Internet to determine a little more information about the role of OSPF in computer networking.
Have a look at the encapsulation of the STP protocol.

Try to determine the encapsulation from the network traffic. (Hint - if you cannot see a Network layer protocol header or a Transport layer protocol header then the interaction is taking place at the Data Link layer.)

Confirm this by looking on the Internet for information about the particular protocol in question.

Also have a look at the two bytes that follow the source address in the STP frame. In an Ethernet II frame (all the TCP packets) this is the Type field, with a value of 0x0600 or more; in the STP frame Wireshark decodes it as IEEE 802.3 framing, where the same two bytes hold a length (1500 or less) and a Logical-Link Control (LLC) header follows. Note how different this is from all the TCP packets.
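As an added example covering exercise (v) and this Encapsulation section (it is not code from the lab sheet), the Python script below walks a frame from the Ethernet header inwards and reports the header size at each layer, the same numbers you read off the decode pane: 14 for Ethernet, the IHL field for IP, the Data Offset field for TCP, and the remainder for a protocol such as OSPF that sits directly on IP. It also recognises IEEE 802.3/LLC framing, which is what an STP frame uses instead of an Ethernet II Type field. The three frames at the bottom are constructed to the sizes the sheet quotes (66-byte TCP, 94-byte OSPF, and a padded STP BPDU); the MAC and IP addresses are made up and checksums are left at zero because nothing here verifies them.

```python
"""Walk an Ethernet frame layer by layer and report the header size at each layer.
Added example; the sample frames are constructed, not captured traffic."""
import ipaddress
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}


def mac_str(raw: bytes) -> str:
    """Format 6 raw bytes the way Wireshark shows a MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def eth_addresses(frame: bytes) -> tuple:
    """Destination and source MAC: bytes 0-5 and 6-11 of every frame."""
    return mac_str(frame[0:6]), mac_str(frame[6:12])


def decode_frame(frame: bytes) -> list:
    """Return [(layer, byte_count), ...] outermost first; the counts add up to len(frame)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    layers = []
    if type_or_len <= 1500:
        # IEEE 802.3 framing: the 2-byte field is a length, not a type, and an LLC
        # header follows. STP BPDUs are sent this way (DSAP/SSAP both 0x42).
        layers.append(("IEEE 802.3", 14))
        dsap, ssap = frame[14], frame[15]
        layers.append(("LLC", 3))
        layers.append(("STP" if dsap == ssap == 0x42 else "Data", type_or_len - 3))
        pad = len(frame) - 14 - type_or_len
        if pad > 0:
            layers.append(("Padding", pad))   # short frames are padded to 60 bytes on the wire
        return layers

    layers.append(("Ethernet II", 14))
    name = ETHERTYPES.get(type_or_len, f"EtherType 0x{type_or_len:04x}")
    if name != "IPv4":
        layers.append((name, len(frame) - 14))   # no deeper decode for ARP/IPv6/unknown
        return layers

    ihl = (frame[14] & 0x0F) * 4                  # IHL field is in 32-bit words
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[14 + 9]
    layers.append(("IPv4", ihl))
    off = 14 + ihl
    end = min(len(frame), 14 + total_len)          # anything past total_len is Ethernet padding
    pname = IP_PROTOS.get(proto, f"IP protocol {proto}")
    if pname == "TCP":
        data_offset = (frame[off + 12] >> 4) * 4   # 20 bytes plus any options
        layers.append(("TCP", data_offset))
        off += data_offset
    elif pname == "UDP":
        layers.append(("UDP", 8))
        off += 8
    else:
        # ICMP, OSPF, ...: carried directly in IP, so there is no Transport layer header.
        layers.append((pname, end - off))
        off = end
    if end - off > 0:
        layers.append(("Data", end - off))
    if len(frame) - end > 0:
        layers.append(("Padding", len(frame) - end))
    return layers


def summarize(frame: bytes) -> str:
    """E.g. 'Ethernet II(14) > IPv4(20) > TCP(32) = 66 bytes'."""
    return " > ".join(f"{n}({s})" for n, s in decode_frame(frame)) + f" = {len(frame)} bytes"


# --- constructed sample frames (made-up addresses, zero checksums) ----------------------
def ipv4(proto: int, payload: bytes, src: str, dst: str) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

ETH = bytes.fromhex("080027aabbcc") + bytes.fromhex("080027ddeeff")   # dst, src

# 66 bytes: 14 + 20 + 32 (20-byte TCP header plus NOP, NOP, Timestamps options = 12 bytes)
tcp = (struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 8 << 4, 0x10, 65535, 0, 0)
       + b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 2000))
TCP_FRAME = ETH + struct.pack("!H", 0x0800) + ipv4(6, tcp, "10.0.0.5", "10.0.0.9")

# 94 bytes: 14 + 20 + 60 (OSPF Hello: 24-byte OSPF header, 20-byte Hello body, 4 neighbours)
ospf = (struct.pack("!BBH4s4sHH8s", 2, 1, 60, b"\x0a\x00\x00\x01", b"\0\0\0\0", 0, 0, b"\0" * 8)
        + struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0x02, 1, 40, b"\x0a\x00\x00\x01", b"\0\0\0\0")
        + b"".join(bytes([10, 0, 0, n]) for n in range(2, 6)))
OSPF_FRAME = ETH + struct.pack("!H", 0x0800) + ipv4(89, ospf, "10.0.0.1", "224.0.0.5")

# STP: 802.3 length field + LLC (42 42 03) + 35-byte Configuration BPDU, padded to 60 bytes
bpdu = struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0, b"\x80\x00" + ETH[6:12], 0,
                   b"\x80\x00" + ETH[6:12], 0x8001, 0, 20 << 8, 2 << 8, 15 << 8)
llc = b"\x42\x42\x03" + bpdu
STP_FRAME = (bytes.fromhex("0180c2000000") + ETH[6:12] + struct.pack("!H", len(llc)) + llc).ljust(60, b"\0")

if __name__ == "__main__":
    for f in (TCP_FRAME, OSPF_FRAME, STP_FRAME):
        print(eth_addresses(f), summarize(f))
```

Compare summarize() with the Frame, Ethernet, IP and TCP lines of the decode pane for a real packet: the IHL and Data Offset fields are what make the 20 and 32 byte figures in the sheet true for that packet rather than constants, and the Padding entry is why many small frames in a capture show as exactly 60 bytes.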

(vii) Confirmation that Ethernet only requires source and destination MAC addresses to communicate.

Ethernet is only concerned with local communications that is communications between two network interface cards on a common network.
An important point concerning local Ethernet communication is that communications between the two machines only requires the source and destination MAC addresses for communications to take place.

To demonstrate this fact we have developed a program that can run on Linux Lite that creates an Ethernet packet containing the MAC address of your machine (the source) and a destination machine. (You enter the destination machine's MAC address by hand).

The Type field of this particular Ethernet frame is one of the reserved Ethernet types. This was chosen so that Wireshark does not have issues decoding the frame content. It will simply interpret any information beyond the 14 bytes of the Ethernet header as Data.

Machine 1: Any machine that can run Wireshark

You will need to determine the MAC address of this machine so the packet can be formatted correctly on machine 2.

Machine 2: Linux Lite

This machine will be used to format the Ethernet frame and send it.

1. Open Firefox.
2. Enter the URL phoebe.ballarat.edu.au/ITECH1102/
3. Click on the file SendEthernet.tar.gz
4. Save the file to the Home directory of user1 ( /home/user1/ )
5. Double click the file SendEthernet.tar.gz file then extract it to user1's home directory.
6. Open a terminal screen
7. Type ls (ls is the list command and should show the contents of your home directory; you should see the file run.sh).
8. Then type sudo ./run.sh and enter the user1 password when prompted. Root privileges are needed because Linux only lets a privileged process hand a raw Ethernet frame to an interface; as with any script you run with sudo, it is good practice to read it first (e.g. with cat run.sh).
9. You should see an interface similar to the one on the next page.
10. Make sure you have Wireshark running on the receiving machine and if you like on the Linux Lite machine.
11. Send the packet
12. Stop each instance of Wireshark from capturing more packets.

Note - The program Interface creates a Wireshark Display filter that can filter out all other traffic from a large capture.

If you like you could copy and paste the display filter on your Linux Lite machine to only display the packet that was sent, or you could use it on the other machine to display the packet that was received. By inspecting the packet we should be able to see the two MAC addresses of the destination and source, the type field (0xffff) and the data that you entered into the GUI interface.

The understanding you need to take away from this is that Ethernet only requires the source and destination MAC addresses to communicate with another machine.
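To make the same point in code, here is an added Python example (it is not the SendEthernet program from the lab and says nothing about how that program works) that builds exactly such a frame: destination MAC, source MAC, the reserved Type 0xFFFF and then whatever data you like, with no IP or TCP header at all. The optional send_frame function hands the frame straight to an interface through a Linux raw socket, which needs root just as run.sh does. The MAC addresses and interface name are made up; the display filter string uses real Wireshark field names.

```python
"""Build, inspect and optionally send a bare Ethernet II frame: two MAC addresses, a type
field and data. Added example, not the lab's SendEthernet program. MACs below are made up."""
import socket
import struct

ETHERTYPE_RESERVED = 0xFFFF   # reserved type: Wireshark shows everything after byte 14 as Data
MIN_FRAME = 60                # minimum Ethernet frame length, not counting the 4-byte FCS
MAX_PAYLOAD = 1500


def parse_mac(text: str) -> bytes:
    """'08:00:27:aa:bb:cc' (or with '-') -> 6 raw bytes."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac: str, src_mac: str, data: bytes, ethertype: int = ETHERTYPE_RESERVED) -> bytes:
    """Ethernet II header (dst 6, src 6, type 2) followed by the data; nothing else is needed.

    The frame is padded to 60 bytes in software so the capture on the sending machine shows
    the same bytes as the one on the receiving machine: a NIC pads short frames on the wire,
    after the sender's Wireshark has already recorded them."""
    if len(data) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte Ethernet maximum")
    frame = parse_mac(dst_mac) + parse_mac(src_mac) + struct.pack("!H", ethertype) + data
    return frame.ljust(MIN_FRAME, b"\x00")


def split_frame(frame: bytes) -> dict:
    """What Wireshark would show for this frame: the three header fields and the Data."""
    return {
        "dst": mac_str(frame[0:6]),
        "src": mac_str(frame[6:12]),
        "type": struct.unpack("!H", frame[12:14])[0],
        "data": frame[14:].rstrip(b"\x00"),   # strip the padding added by build_frame
    }


def display_filter(src_mac: str, dst_mac: str, ethertype: int = ETHERTYPE_RESERVED) -> str:
    """Wireshark display filter that isolates this one frame in a busy capture."""
    return (f"eth.src == {mac_str(parse_mac(src_mac))} && "
            f"eth.dst == {mac_str(parse_mac(dst_mac))} && eth.type == 0x{ethertype:04x}")


def send_frame(interface: str, frame: bytes) -> int:
    """Linux only; needs root (CAP_NET_RAW). Returns the number of bytes handed to the NIC."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((interface, 0))
        return s.send(frame)


if __name__ == "__main__":
    import sys
    dst, src = "08:00:27:aa:bb:cc", "08:00:27:dd:ee:ff"   # made up: receiver, then sender
    frame = build_frame(dst, src, b"hello from user1")
    print(split_frame(frame))
    print("display filter:", display_filter(src, dst))
    if len(sys.argv) > 1:                                 # e.g. sudo python3 send.py enp0s3
        print("sent", send_frame(sys.argv[1], frame), "bytes")
```

Run it with an interface name as root on the Linux Lite machine while Wireshark captures on both machines, then paste the printed display filter into each Wireshark; on both sides the frame decodes as Ethernet II followed by Data, with no Network or Transport layer at all, which is the whole point of exercise (vii).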

(viii) Wireshark online resources

Laura Chappell is extremely active in the area of Network Analysis using Wireshark and has a strong web presence. She even runs a web site called Chappell University.

Laura makes available a large number of free online videos both on YouTube and other sites. The site www.lcuportal2.com/ makes available many free Wireshark Videos from Wireshark Basics to quite advanced Wireshark features.

Open your Browser to www.lcuportal2.com/

On the left hand side of the screen you should see links to:
• Free Wireshark Basics
• Public Course Handouts

Starting with the Free Wireshark Basics link, observe the first few videos. Note: Laura Chappell's Wireshark videos can also be found on YouTube.

It will be advantageous to look at numerous other Videos made available on this site so that you become more familiar with Wireshark. Some video topics may help you to better understand some later Lab exercises.

Attachment:- Introduction to Wireshark.rar
