cnet124 lab 4 packet sniffing
School of Engineering Technology and Applied Science (SETAS)
Information and Communication Technology (ICET)
CNET124
Network Technologies
Lab #4: Packet Sniffing
Version 1 – February 2012
Introduction
One part of being a network administrator is gaining familiarity with the quantity and types of
traffic found on the various network segments. By understanding what is ‘normal’, one can
easily spot ‘abnormal’ traffic types or patterns. Once detected, the sources of these
abnormalities can be investigated and, where possible, the remedial actions needed to maintain
the integrity and performance of the network can be taken.
Many different tools exist to facilitate the analysis of network traffic types and patterns. Some
of these tools offer advanced automated capabilities and others are very simplistic in their
approach. Wireshark is an open source solution that allows the collection and profiling of
network traffic to assist in the management and troubleshooting of production networks.
Lab Overview
The purpose of this lab is to introduce the filtering capabilities of Wireshark and to use a packet
sniffing tool (Wireshark) to examine the quantity and type of traffic found on an Ethernet hub
and switch based network.
In this lab the learner will:
• Use the filter feature of Wireshark
• Capture traffic from a hub and switch based network
• Compare the traffic volume and types between a hub and a switch based network
• Locate and examine an ARP exchange from a live network.
Pre-lab Preparation
Before attempting this lab review the material covered in labs #1 and #3. Also review the OSI
model and answer the following questions.
1. Outline the ARP process with emphasis on the communication types (unicast, multicast
or broadcast) of all packets involved in the information exchange.
2. Differentiate between a collision domain and a broadcast domain. What types of
network devices bound each?
3. On an Ethernet network composed of a single 24 port hub, how many collision domains
and how many broadcast domains exist?
4. On an Ethernet network composed of a single 24 port switch in its default
configuration, how many collision and how many broadcast domains exist?
Lab Procedure
Note: Be certain to save all captures to be able to answer the questions presented in Part E of this lab
and also for future study.
Part A: Introduction to Filters
On a network with large volumes of traffic it becomes difficult to isolate the packets of specific interest.
Wireshark provides the capability to filter traffic either during or after data capture. The data filtering
capabilities provided by Wireshark are great and this portion of the lab only introduces this capability.
Filters will be revisited in a future lab.
1. Connect your PC to a network and capture about 100 packets.
2. Select an ARP request packet and expand all fields until you can see the frame type field. Highlight
the frame type.
3. Select Analyze | Apply as Filter | Selected from the menu bar. This should change the display
to show only frame types corresponding to the one selected. Notice at the top of the capture
window there is now a filter type displayed. This same filter can be created using the menu that
will appear if you right-click on the desired filter field.
4. Now that you have a filter created you can use this filter to filter traffic during capture so that
only the desired packets are displayed. Wireshark will keep track of any filters you have recently
created and these may be selected from the drop-down list in the filter menu. Make sure that a
valid filter is selected (the filter expression field will be green) and then start a new capture. If
prompted, select ‘Continue without Saving’. Only packets that match the applied filter should be
displayed. Note that this is a display filter: every frame on the wire is still captured and written to
the capture file. To restrict what is actually recorded, use a capture filter (Capture | Options), which
is written in BPF syntax (for example, arp) rather than in the display-filter syntax used above
(for example, eth.type == 0x0806).
Experiment with Wireshark filtering capabilities until you are comfortable with applying simple filters to
analyze previously captured files and to filter during capture. In future labs we will build more complex
filters to analyze for specific traffic. To demonstrate your ability to apply filters, create a series of screen
captures that show unfiltered and filtered traffic matching a filter other than the ARP filter used in this
exercise.
Part B: Two Computer Peer-to-Peer Network
1. Using the crossover cable you constructed in lab #1 connect two PCs together.
(a) Is the link light on the PC NIC on? What does this tell you?
2. Set the IP addressing information on both PCs so that they are both on the same subnet.
(a) What three pieces of information would you normally have to supply to do this?
What is the purpose of each?
(b) For this particular lab experiment only two pieces of information are required. Explain
why only two pieces are needed here versus three in a typical IP network.
3. Ping from each machine to the other. If this does not work check your connections and
addressing information. Troubleshoot as necessary. You must be able to ping between the two
machines before proceeding further.
(a) What protocol does ping use?
(b) If a ping is successful which layers of the OSI model are working?
4. Set up a shared directory on one of the PCs and place a large file into this directory. This will be
PC_A. On the other PC map a drive to the shared directory. This will be PC_B.
5. Start Wireshark on PC_A. Collect approximately 100 packets from the network.
(a) How long did it take you to capture 100 packets?
(b) What type(s) of traffic did you capture?
(c) Approximately what percentage of the total captured traffic did each type account
for?
6. Start a new capture and while capturing traffic copy the file from step 4 above from the shared
directory to a local directory on PC_B.
(a) What type(s) of traffic did you capture?
(b) Approximately what percentage of the total captured traffic did each type account
for?
Part C: Hub Based Network
1. Connect your PC to the common classroom hub using the cable you constructed in lab #1.
(a) What type of cable did you use? Why?
2. Set the addressing information on your PC as indicated by your instructor. It is important that
all PCs connected to the common hub are on the same network. Ping between machines to
ensure that all are able to connect to each other. Note the number of PCs connected to the hub
as this information will be required for part D.
3. Once multiple machines are connected to the hub start a capture and collect approximately 100
packets.
(a) How long did it take you to capture 100 packets?
(b) What type(s) of traffic did you capture?
(c) Approximately what percentage of the total captured traffic did each type account
for?
Part D: Switch Based Network
1. Connect your PC to the common classroom switch using the cable you constructed in lab #1.
(a) What type of cable did you use? Why?
2. Set the addressing information on your PC as indicated by your instructor. It is important that
all PCs connected to the common switch are on the same network. Ping between machines to
ensure that all are able to connect to each other. Make sure to have the same number of
machines connected to the switch in part D as you had connected to the hub in part C.
3. Once multiple machines are connected to the switch start a capture and collect approximately
100 packets.
(a) How long did it take you to capture 100 packets?
(b) What type(s) of traffic did you capture?
(c) Approximately what percentage of the total captured traffic did each type account
for?
Part E: Questions
Use the data collected in parts B, C and D to answer the following questions.
1. Was there any difference in the types of traffic observed on the three different networks?
2. Was there any difference in the proportion of each type of traffic observed on the three
different networks?
3. Was there any difference in the volume of traffic captured per unit time between the hub based
and the switch based network? How can you explain this difference?
4. Locate an ARP request for a machine other than your own in the captures from both the
switched and the hubbed network. Can you see the ARP reply to the request in both captures?
Why or why not?
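The following Python script is an added example and is not part of the lab handout; it does in code what the lab has you do by eye in Wireshark. It builds a small constructed pcap of seven frames between three hosts on one subnet (A, the sniffing PC, at 10.0.0.1; B at 10.0.0.2; C at 10.0.0.3; every MAC address, IP address and frame in it is made up for the example), parses it with only the standard library, classifies each frame the way the Part B, C and D questions group traffic (the code equivalent of the Part A display filters eth.type == 0x0806 and arp.opcode == 1), and then derives what the same sniffer would have seen on a switch instead of a hub, under the simplified model that a switch forwards a unicast frame only to the port that owns its destination MAC while a hub repeats every frame to every port. The ARP request whose reply is present in the hub view but missing from the switch view is the situation Part E question 4 asks about.

```python
"""Added example (not from the CNET124 lab handout): hub vs. switch visibility of a
constructed capture, using only the standard library. All addresses are made up."""
import struct
from collections import Counter

# Header values the lab has the learner expand in Wireshark.
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800          # eth.type
ARP_REQUEST, ARP_REPLY = 1, 2               # arp.opcode
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}  # ip.proto

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(o) for o in s.split("."))

def eth(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def arp(op, sha, spa, tha, tpa):
    # hardware type 1 (Ethernet), protocol type IPv4, hlen 6, plen 4, then the four addresses
    return struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def ipv4(proto, src, dst, payload=b""):
    # 20-byte header, no options; checksum left zero since read_pcap/classify never verify it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip(src), ip(dst)) + payload

def pcap(frames):
    """Serialise frames as a classic pcap file: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield raw Ethernet frames from classic pcap bytes (either byte order)."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl

def classify(frame):
    """Label a frame the way the lab's 'type of traffic' questions group it."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_ARP:
        op, = struct.unpack_from("!H", frame, 14 + 6)        # arp.opcode
        return "ARP request" if op == ARP_REQUEST else "ARP reply"
    if ethertype == ETH_IPV4:
        proto = frame[14 + 9]                                # ip.proto
        return IP_PROTO.get(proto, "IPv4 proto %d" % proto)
    return "EtherType 0x%04x" % ethertype

def traffic_mix(frames):
    """Percentage of the capture accounted for by each traffic type (Parts B-D, question c)."""
    counts = Counter(classify(f) for f in frames)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}

def visible_on_switch(frames, our_mac):
    """What a sniffer on one switch port sees: frames with the group bit set (broadcast or
    multicast) plus unicast frames to or from its own NIC. A hub would show all of them."""
    me = mac(our_mac)
    return [f for f in frames if f[0] & 1 or me in (f[:6], f[6:12])]

def arp_requests_without_reply(frames):
    """For each ARP request (arp.opcode == 1) look for the unicast reply answering it and
    return the target IPs whose reply never appears in this capture (Part E, question 4)."""
    requests, replies = [], set()
    for f in frames:
        kind = classify(f)
        if kind.startswith("ARP"):
            spa, tpa = f[28:32], f[38:42]                    # sender / target protocol address
            if kind == "ARP request":
                requests.append((spa, tpa))
            else:
                replies.add((tpa, spa))                      # reply is addressed back to the requester
    return [".".join(map(str, tpa)) for spa, tpa in requests if (spa, tpa) not in replies]

# Constructed capture as a hub would show it. A is the sniffing PC.
A, B, C = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
HUB_CAPTURE = pcap([
    eth(BCAST, B, ETH_ARP, arp(ARP_REQUEST, B, "10.0.0.2", ZERO, "10.0.0.3")),  # B asks for C
    eth(B, C, ETH_ARP, arp(ARP_REPLY, C, "10.0.0.3", B, "10.0.0.2")),           # C answers B (unicast)
    eth(C, B, ETH_IPV4, ipv4(1, "10.0.0.2", "10.0.0.3")),                       # B pings C
    eth(BCAST, A, ETH_ARP, arp(ARP_REQUEST, A, "10.0.0.1", ZERO, "10.0.0.2")),  # A asks for B
    eth(A, B, ETH_ARP, arp(ARP_REPLY, B, "10.0.0.2", A, "10.0.0.1")),           # B answers A
    eth(B, A, ETH_IPV4, ipv4(1, "10.0.0.1", "10.0.0.2")),                       # A pings B
    eth(B, C, ETH_IPV4, ipv4(17, "10.0.0.3", "10.0.0.2")),                      # C -> B UDP
])

def analyse(capture, our_mac=A):
    """Traffic mix and unanswered ARP requests as seen on a hub and on a switch."""
    hub = list(read_pcap(capture))
    sw = visible_on_switch(hub, our_mac)
    return {"hub": (traffic_mix(hub), arp_requests_without_reply(hub)),
            "switch": (traffic_mix(sw), arp_requests_without_reply(sw))}

if __name__ == "__main__":
    for net, (mix, missing) in analyse(HUB_CAPTURE).items():
        print(net, mix, "ARP requests whose reply is not visible:", missing)
```

Run as a script it prints both views: on the hub all seven frames and every ARP reply are visible, while on the switch only the two broadcast requests and A's own traffic remain, so B's request for 10.0.0.3 has no visible reply. read_pcap() accepts the bytes of any capture saved in the classic pcap format (Wireshark's default is pcapng, so choose pcap when saving), which lets the same functions be pointed at the captures saved during the lab.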