Purpose: This assignment gives you experience with the network analysis tool "ethereal". You will also use a physical layer that sends your Ethernet packets directly on the Ethernet in the lab. "ethereal" will allow you to monitor and analyze network packets on the LAN in the CS 460 lab (2244 TMCB). By capturing data and examining packets you will become more familiar with TCP/IP, and how layered protocols are represented within packets.
THIS LAB REQUIRES APPROX 2 HOURS TO COMPLETE, AND THERE ARE limited machines IN THE CS 460 LAB!! DON'T WAIT UNTIL THE LAST DAY!!! Please do this lab on your own. DO NOT WORK IN GROUPS!! You can ask the TA or other students for help, but you should do the work yourself. You will need to have your textbook handy to answer question 5a. Due to the interactive nature of this lab, the exercises are scattered throughout the text. Please e-mail your answers in the body of the email (not as an attachment) to the TA by the due date to cs460ta
II. Setup for this Lab
This lab requires simultaneous access to multiple PCs: one for running ethereal, and another for generating network traffic.
III. Determining important hardware addresses
The hardware addresses on our LAN are 6-byte Ethernet addresses. You will want to know 4 hardware addresses on the LAN: the address of the PC you will be using to generate network traffic (cs460-7, for example), the PC on which you are running the analyzer ("ethereal"), and a target machine for you to telnet to (cs460-3, for example).
Note: If you get a "command not found" message when attempting to use the "ping", "arp" and "traceroute" commands, then they are not in your command search path. You can get around this by using the full pathnames ("/usr/sbin/ping or /sbin/arp or /usr/sbin/traceroute or /sbin/route") on the command line.
EXERCISES:
1. Telnet to cs460-1.cs.byu.edu using "cs460" as user and the pw is "ezA4U". Use the "ping <hostname>" command to contact cs460-9.cs.byu.edu. Ping will cause your local host to create an entry in the arp cache for each of these hosts. Using the "arp -a" command, find the IP and Hardware addresses of "cs460-9" .
Write the addresses in the spaces provided below:
cs460-9.cs.byu.edu IP address: _______________________ Hw address: ___:___:___:___:___:___
2. Use the "/sbin/ifconfig" command on cs460-8 (ssh to cs460-8, then type /sbin/ifconfig there). The "ifconfig" command will display the ethernet hardware address and the IP (inet) address for each of your ethernet interfaces. Write the addresses in the spaces provided:
cs460-8.cs.byu.edu eth0 IP address: _______________________ Hw address: ___:___:___:___:___:___
cs460-8.cs.byu.edu eth1 IP address: _______________________ Hw address: ___:___:___:___:___:___
cs460-8.cs.byu.edu eth2 IP address: _______________________ Hw address: ___:___:___:___:___:___
3. Use "/sbin/route" to determine which ethernet card is used for the default route _________________.
IV. Capturing and Viewing packets
Open up a terminal window on your local machine. Start up "/usr/bin/ethereal".
When "ethereal" is started up it will have three empty panes. Go to the "capture" dropdown menu and select "Start". A window will pop up in which you can select "eth0", "eth1" or "eth2". Select "eth0", select "OK" and let the capture run until there are about 100 packets captured. If the packet capture process is too slow, type "ls -R ~/" to generate some Network File System (NFS) traffic.
EXERCISES:
4. Select the "+" sign in front of each of the protocol layers to get more detail about each protocol header.
a) View the captured broadcast packet data. Select the "Source" column to sort the packets by the source address. What is the most common source address?
b) What protocols (ncp, sap, tcp, icmp, arp, udp, etc...) do you see? (HINT: select the "Protocol" column to sort by protocol)
c) Which protocol is most common in your captured packets?
d) Select a packet in the top frame that is labeled as a TCP packet. Determine the following values for this packet:
Ethernet destination address: ___:___:___:___:___:___
IP source address: ___.___.___.___
IP TTL ________
TCP source port ___________
e) Select the "header length" field of the IP header. This should cause a byte in the raw data pane to be highlighted. What value does this byte have and what does it mean?
______________________________________________________________________________________________
VI. Protocols supported on our LAN
Our LAN uses the Ethernet_II link protocol to transmit IP (TCP/IP) packets. In addition to the link protocol, packets can also contain information from higher layers. Some of the higher layer protocols are listed below:
Some of the TCP/IP protocols: ip, Internet Protocol; icmp, Internet Control Message Protocol; udp, User Datagram Protocol; tcp, Transmission Control Protocol; arp, Address Resolution Protocol; rip, Routing Information Protocol.
The LAN in the CS 460 lab supports Ethernet_II, IEEE 802.3 and IEEE 802.2 link protocols. The IEEE 802.2 and 802.3 framings vary slightly and can be run concurrently on the same LAN without confusion, because every valid value of the "length" field in the 802.3 protocol is less than every valid value of the "type" field in the Ethernet protocol. (The 802.3 "length" field and the Ethernet "type" field are located at the same packet offset, and thus can be used to distinguish between the two protocols.) The Ethernet_II protocol is also sufficiently different that it can be separated from the other protocols.
EXERCISES:
5. Set up "ethereal" to capture data on eth0. Before you start the capture, type "telnet cs460-1" in another xterm window but don't hit the enter key. DON'T type cs460-1.cs.byu.edu; type just cs460-1. Now, right after you start the capture, hit the enter key and log in using cs460 as the userid and "ezA4U" as the passwd. After you have finished entering the passwd, stop the capture. You will probably want to filter out some of the traffic that is not directed to your machine. If you are running on cs460-4, go to "Analyze"/"Filters", enter an arbitrary filter name such as "foo" and the filter string "ip.addr==192.168.15.244" (where 192.168.15.244 is the address of cs460-4). This will filter out anything that is not associated with your machine. A rich set of filters is described in the manual page for ethereal.
5a. Click on the destination column and then the protocol column. Scroll down until you come to the section for the TELNET protocol. Try clicking on some of the protocol header and individual fields in the decode (middle) window and watch the corresponding hexadecimal data in the bottom window get highlighted. Then click on some data bytes in the bottom window and watch the middle window to see which protocol element the bytes represent. Compare what you see to the diagrams in the text representing IP packets (p. 252) and TCP packets (p 377). The offsets (in Hex) are listed at the left of the bottom window. What is the offset (in Hex) of the first byte of the IP header (hint: click on one of the protocol header lines in the middle window to highlight the IP data in the bottom window)(The offset is the number of bytes from the start of the frame)? ________
5b. The first byte of the IP data field is actually the TCP header! What is the offset (in hex) of this byte? _________
5c. What is the relative order of the different protocols within the packet? Rank them 1 to 3, with 1 being located closest to the front of the packet and 3 being located at the end of the packet.
____ TCP ____ Ethernet ____ IP
5d. Believe it or not, you have captured enough data (if you look at the right tcp packets) to reveal the cs460 unix password! That is why data analyzers like LANalyzer aren't usually allowed on broadcast networks like the ethernet. Don't ever use the LANalyzer to intercept anyone else's password; besides being unethical, if you are caught you could get kicked out of BYU! Look at some of the first packets you captured that arrived from TELNET. Look at the last TELNET packet you have recorded. One of the packets containing a data field will have the words "login:" inside it. Shortly thereafter, the packets sent from your local machine to destination cs460-1 will have the password (ezA4U) you typed in contained in the data field of the Telnet part of the packet. There will be one character for each TELNET packet. Why is security a problem with broadcast networks?
VII. Traceroute
Traceroute is a program that allows you to see the routers between your machine and a remote host. IP packets have a time-to-live field which gets decremented as the packet passes through intermediate nodes on the way to its final destination. If the time-to-live count ever gets decremented to 0, the packet is discarded and an ICMP error message is returned to the sending host. Traceroute uses this feature to find the path between your machine and a destination host by sending UDP packets with abnormally small time-to-live counts and then taking notice of the IP address of the host generating the ICMP error message. Traceroute first sends a packet with ttl=1, then sends one with ttl=2, ... until finally the destination is reached. In the meantime, the router at each hop along the way will have sent back an ICMP error message. There are other details, but that is basically how traceroute works. Remember that traceroute is located in the /usr/sbin directory.
EXERCISES:
6a. Prepare to execute the traceroute command from your local machine (the syntax is "traceroute <host name>"). Select a host close to BYU, such as "www.utah.edu". Before actually issuing the traceroute command, start capturing packets again (same as exercise 5). When the traceroute program terminates, click on "Stop" to stop capturing data. What host did you query and how many hops (including the final hop to the destination) were required?
host: __________________ # hops: _______
6b. View the captured packet data. Select one of the ICMP packets containing "Time-to-live exceeded" in the description field (Don't pick one of the first three). What is the IP address of the router that sent the error message? (Hint: Look in the first ======Internet Protocol===== section of the middle window.) What is the corresponding hop number shown in the traceroute results on your Linux screen?
IP address: ___________________ hop #: _______
The data portion of a "Time Exceeded" packet includes a copy of the "original packet's" IP header. In other words, it includes a copy of the IP header from the packet that caused the router to send the "time Exceeded" reply. (In this case, the "original packet" is the one sent by your PC when you issued the "traceroute" command.)
The IP header of the original packet you sent is contained in the Internet Control Message Protocol "Data" field. Refer to page 252 in the text for a description of the IP header. You will notice that the Time to Live (TTL) field immediately precedes the Protocol field. The protocol field specifies the next higher level protocol (UDP, which is 17 decimal = 11 hex). You can look for the 11 hex in the next byte to verify that you have the correct offset for the TTL field.
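As an added illustration (this is not code from the lab or from ethereal), the following Python decoder walks one frame the way ethereal's panes do: it tells Ethernet II from IEEE 802.3 by the type/length value described in section VI, records the absolute offsets of the IP and TCP headers asked for in 5a/5b and the header-length byte from 4e, and for an ICMP Time Exceeded message locates the quoted original header's TTL byte and the 11 hex protocol byte that follows it. The two sample frames, their MAC and IP addresses and the zero checksums are constructed for this example, not captured.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MIN = 0x0600  # smallest Ethernet II "type"; every valid 802.3 "length" (at most 1500) is below it

def link_header(frame):
    """Classify the 14-byte link header by bytes 12-13: a type (Ethernet II) or a length (IEEE 802.3)."""
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    kind = "Ethernet II" if type_or_len >= ETHERTYPE_MIN else "IEEE 802.3"
    return {"kind": kind, "dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "type_or_len": type_or_len, "payload_off": 14}

def ipv4_header(buf, off):
    """Decode an IPv4 header at absolute offset `off` (the same offsets ethereal prints in its hex pane)."""
    ihl = (buf[off] & 0x0F) * 4  # first byte: high nibble = version, low nibble = header length in 32-bit words
    return {"off": off, "version": buf[off] >> 4, "ihl": ihl, "ttl_off": off + 8, "ttl": buf[off + 8],
            "proto_off": off + 9, "proto": buf[off + 9], "payload_off": off + ihl,
            "src": ".".join(map(str, buf[off + 12:off + 16])), "dst": ".".join(map(str, buf[off + 16:off + 20]))}

def parse_frame(frame):
    """Return link, IP and TCP/ICMP views of one captured frame, each with its absolute header offset."""
    link = link_header(frame)
    out = {"link": link}
    if link["kind"] != "Ethernet II" or link["type_or_len"] != ETHERTYPE_IPV4:
        return out  # 802.3/802.2 framing or non-IP traffic is not decoded further here
    ip = ipv4_header(frame, link["payload_off"])
    out["ip"] = ip
    p = ip["payload_off"]
    if ip["proto"] == 6:  # TCP: source and destination ports are the first four bytes of the segment
        out["tcp"] = {"off": p, "sport": struct.unpack("!H", frame[p:p + 2])[0],
                      "dport": struct.unpack("!H", frame[p + 2:p + 4])[0]}
    elif ip["proto"] == 1 and frame[p] == 11:  # ICMP Time Exceeded: the offending IP header follows the 8-byte ICMP header
        out["icmp"] = {"type": frame[p], "code": frame[p + 1], "inner_ip": ipv4_header(frame, p + 8)}
    return out
# Constructed sample frames (not a real capture): MAC/IP addresses are made up and checksums are left at zero.
def _eth(dst, src, ethertype, payload):
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", ethertype) + payload
def _ipv4(src, dst, ttl, proto, payload):
    addr = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0, addr(src), addr(dst)) + payload
# A telnet keystroke: TCP segment from port 1027 to port 23 carrying one character, as in exercise 5d.
TELNET_FRAME = _eth("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4,
                    _ipv4("192.168.15.244", "192.168.15.241", 64, 6,
                          struct.pack("!HHIIBBHHH", 1027, 23, 1000, 2000, 5 << 4, 0x18, 5840, 0, 0) + b"e"))
# ICMP Time Exceeded from a router, quoting the header of a traceroute UDP probe whose TTL had reached 1.
TIME_EXCEEDED_FRAME = _eth("66:77:88:99:aa:bb", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                           _ipv4("10.0.0.1", "192.168.15.244", 255, 1,
                                 struct.pack("!BBHI", 11, 0, 0, 0)
                                 + _ipv4("192.168.15.244", "192.0.2.10", 1, 17, struct.pack("!HHHH", 33434, 33435, 8, 0))))
```

For the telnet frame the decoder reports the IP header at offset 0x0E and the TCP header at 0x22; for the Time Exceeded frame the quoted original header sits at 0x2A, with its TTL byte at 0x32 and the 11 hex protocol byte at 0x33.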
6c. Look at the "Time Exceeded" reply packet. What is the value shown for the original packet's "Time to Live" field? What is the offset (in the "Time Exceeded" reply packet) of the original packet's "Time to Live" field?
Time-to-live value: _____
offset (in hex): _____
6d. Look at the "udp" packet sent prior to the "Time Exceeded" packet (click on the "No." column to sort the entries by arrival, and then page down until you find the ICMP packet that you selected before). Look at the IP section of this packet. What is the value shown for this packet's "Time to Live" field? Why do the values differ?
Time-to-live value: _____
VIII. NFS and FTP
EXERCISES
7. Set up "ethereal" to capture packets in the same way as the setup for Exercise 6. Start capturing data. Type "ls -R /usr/local" on your local machine. Stop capturing and move to the decode window. What protocol does ls use to transfer files between the file server where "/usr/local" is mounted and your local machine?
8. Are files in your home directory stored on the local machine or on the file server?
9. Set up "ethereal" to capture TCP/IP packets in the same way as exercise 6. Start the capture. Run "ftp cs460-1" (DON'T type cs460-1.cs.byu.edu, but cs460-1) and login with "cs460" userid, and "ezA4U" as the passwd. Type the following commands to ftp (lcd /tmp) (cd /boot) (get vmlinuz /dev/null) (quit). Stop the capture and decode the data (sort on the protocol column and look for FTP).
How secure is your password when using FTP? _____________
What is the approximate packet size for TCP packets: _____
What is the average number of packets between Acks (window size): _____