Observing an Ethernet with Wireshark

Due date

Check the course schedule for the due date.

Introduction

In this assignment, you will use Wireshark, a packet sniffer, to capture and interpret frames transmitted on an Ethernet. 

Because there can be security issues with a packet sniffer, sniff only what you are asked to sniff. If you would like to sniff other traffic, then PRIOR to sniffing, talk to me and get permission from all network users and administrators.

As a packet sniffer, Wireshark captures packets as they are being sent/received from/by your computer. Wireshark will store and/or display the contents of various protocol fields in the captured messages. Wireshark is passive in that it observes messages being sent and received by
applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, the packet sniffer receives copies of the packets, so the packets still make their way to the intended recipient.

A packet sniffer has two parts: a packet capture library and a packet analyzer. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Almost all Unix-based packet sniffers use libpcap. Capturing all link-layer frames gives you all messages that are sent or received by all protocols and applications executing in your computer.  The packet analyzer helps you interpret the data collected by the packet capture library. It displays the contents of all fields within a protocol message. Thus, the packet analyzer must understand the structure of all messages exchanged by protocols.

Acknowledgments

Goals

• To better understand the Ethernet protocol by observing it in action.
• To appreciate the "ecology" of a local area network.
• To learn to use a packet sniffer.

Logistics

You may work individually or in pairs. You have one week to complete this assignment.

Preparation

There is no additional preparation required beyond reading the introduction to the assignment. If you like, you can read more about Wireshark at its web site, http://www.wireshark.org.

Assignment

Part A: Getting started with Wireshark

1. You should have all been given permission to run Wireshark with administrative privileges on the MathLAN. Verify that you can do so. To run Wireshark, open a terminal, type "sudo wireshark", and enter your password when it is requested.

2. Open the file /home/davisjan/364-web/labs/tcp-trace.cap so that you have some data to look at. Once you're in the Open dialog, hit Ctrl-L to type the filename. If you can't open it from here, you can download it from the web.

3. Explore the user interface. Wireshark has five major components:

Command menus

Standard pull-down menus located at the top of the window. File, Capture, and Statistics are of particular interest.

Status bar

Near the top of the screen, includes a text input area. Allows you to apply packet filters, so that only selected packets are displayed (e.g., those belonging to a particular protocol or from a particular sender).

Packet list

Displays a one-line summary for each packet captured, including a packet number assigned by Wireshark.

Packet details

Provides details about the packet selected in the trace pane.

Packet bytes

Shows the entire contents of the captured frame, in both ASCII and hexidecimal.

4. Experiment with creating filters. This trace includes an HTTP transfer. Try these two different ways to exclude packets that are not related to HTTP:

   • Include only packets where "protocol is HTTP".
   • Include only packets where the TCP source port is 80 or the TCP destination port is 80.

   How do the packets you see differ? Form a hypothesis as to why there is a difference.

5. Close the trace file.

Part B: Capturing a filtered trace

1. When you run sudo, you become logged in as root; that means you can't write to your own home directory unless it is writeable by root. Open a terminal and create a new directory immediately under your home directory in which to save your work. Then use chmod 777 to make the new directory world-writeable, -readable, and -executable.

2. In the Capture menu, choose Options. 

3. Observe the option to Capture in promiscuous mode. In promiscuous mode, the trace will include all packets seen, regardless of whether they are addressed to or from your machine.  Since the MathLAN is a switched network, it does not matter whether this is checked.

4. Click Start to begin a capture. 

5. Open a web browser and fetch a web page from a nearby server such as www.cs.grinnell.edu.

6. Stop the packet capture. Save this trace to the directory you created in step B.1 so you can examine it again later if you are interrupted before you complete the assignment.

Part C: LAN ecology

Using the trace you just captured, answer the following questions. 

1. How much time elapsed during the trace? How many packets were captured? What was the average packet size? (Hint: Look under the Statistics menu.)

2. What protocols appear in the trace? Give the full name of the protocol along with the acronym. (Hint: Try sorting the packet list by protocol.)

3. Make an educated guess about what some or all of the protocols might be.  Don't spend too much time on this.

4. What is your machine's IP address, and what is the IP address of the web server? (Hint: Look at the IP header for the HTTP request or response.) What other IP addresses appear in the trace?

5. Some packets are displayed in black with red text. Why? (Hint: Read the commentary in Wireshark, then do a Google search for unfamiliar terms.)

6. List any questions that you have about the traffic you see.

Part D: Ethernet

Using the trace you just captured, answer the following questions. To limit the number of packets shown, apply the filter "protocol is HTTP".

1. What is the Ethernet address of your computer?

2. What is the destination address in the Ethernet frame for the HTTP request? Whose address is this, the web server or a router? Why do you think so? How might you find out for sure?

3. Give the hexadecimal value for the two-byte frame type field in the Ethernet frame. What does this field indicate?

4. For each bit that is on (1) in the Flag field, explain what that bit means.

5. Which struct would you use in dealing with an Ethernet header? Why?

   /* Version 1 */
   struct ethhdr {
    unsigned int h_dest[ETH_ALEN]; /* destination eth addr */
    unsigned int h_source[ETH_ALEN]; /* source eth addr */
    unsigned int h_proto; /*packet type ID field */
   }
   
   /* Version 2 */
   struct ethhdr {
    unsigned char h_dest[ETH_ALEN]; /* destination eth addr */
    unsigned char h_source[ETH_ALEN]; /* source eth addr */
    unsigned short h_proto; /*packet type ID field */
   }
   
   /* Version 3 */
   struct ethhdr {
    unsigned short h_dest[ETH_ALEN]; /* destination eth addr */
    unsigned long h_source[ETH_ALEN]; /* source eth addr */
    unsigned int h_proto; /*packet type ID field */
   }

6. Fill in the correct values for XX in the following defines.

   /* IEEE 802.3 Ethernet maginc constants. The frame sizes omit the preamble
    and FCS/CRC (frame check sequence). */
   
   #define ETH_ALEN XX /* Octets in one ethernet addr */
   #define ETH_HLEN XX /* Total octets in ethernet header */
   #define ETH_ZLEN XX /* Min. octets in frame sans FCS */
   #define ETH_DATA_LEN XXX /* Max. octets in payload */
   #define ETH_FRAME_LEN XXX /* Max. octets in frame sans FCS */

Part E: Ecology of another network

Obtain a trace of another network via one of the following two options.

Option 1: Your own network

1. Identify a network other than the MathLAN that you have access to, and obtain permission from network users to capture packets. This does not need to be Ethernet, but could instead be wireless, or even just a computer connected to a cable modem. I suggest a network in a campus house (not a dorm or academic building), or, better yet, an off-campus house or apartment. This is so you can easily identify all the network users and obtain their permission. 

2. Install Wireshark on your own computer. 

3. In your lab notebook, record the location and type of the network.

4. As in part B, start a trace. Uncheck the Capture in promiscuous mode option so that you only capture packets to or from your machine!

5. Capture at least 2 minutes and no more than 10 minutes. During this time, fetch a web page. If you like, do some more things to generate network traffic; record what you did. 

6. End the capture and save the trace file.

Option 2: A canned trace

1. Open /home/davisjan/364-web/labs/tcp-trace.cap (or your locally saved copy). This trace was taken by me, at my home, on a machine connected to an Ethernet. I fetched a web page during the trace, and some other things were going on as well.

Using this new trace, address questions 1 - 3 (and 5 if you like) from part C. How do the protocols seen on this other network compare to those you saw on the MathLAN? Can you make any inferences about the network configuration or hosts?

Assessment

To earn a B, complete parts A - D and answer the discussion questions. 

To earn an A, complete parts A - E and answer the discussion questions.

Advice

Wireshark includes built-in help that is very informative, but difficult to search. The web site appears to have the same information in a format that is easier to read and search.

If you are not seeing what you expect to see, ask for help! 

Lab Notebook

Tell me where I can find your trace files.

Include your answers to A.4, part C, part D, and part E (if you are doing part E), along with the discussion questions.

Discussion Questions

1. Many system administrators do not allow users to run packet sniffers on shared networks. Why do you think this is? How could this policy be enforced? Investigate the policies for networks that you regularly use.

2. What traffic might you expect to find on a "quiet network," that is, one in which no user is deliberately using a network application such as a web browser? Consider both useful background activity and potentially malicious activity.

3. Read about Snort, an excellent open source network intrusion detection system. You can use Snort to monitor your local network for suspicious traffic patterns. Snort users write rules that specify what suspicious traffic is using the same type of information captured by Wireshark (source and destination IP address, protocol, etc.) From what you have learned in this exercise, briefly discuss how Snort might work and suggest some traffic patterns that might indicate malicious activity.

4. How much time did you spend on this lab?

Janet Davis (davisjan@cs.grinnell.edu)