
Wednesday, January 30, 2019

Lab 2.6.2: Using Wireshark

Lab 2.6.2: Using Wireshark to View Protocol Data Units

Learning Objectives
- Be able to explain the purpose of a protocol analyzer (Wireshark).
- Be able to perform basic PDU capture using Wireshark.
- Be able to perform basic PDU analysis on straightforward network data traffic.
- Experiment with Wireshark features and options such as PDU capture and display filtering.

Background
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. Before June 2006, Wireshark was known as Ethereal.
A packet sniffer (also known as a network analyzer or protocol analyzer) is computer software that can intercept and log data traffic passing over a data network. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.
Wireshark is programmed to recognize the structure of different network protocols. This enables it to display the encapsulation and individual fields of a PDU and interpret their meaning. It is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. For information and to download the program go to http://www.Wireshark.org

Scenario
To capture PDUs the computer on which Wireshark is installed must have a working connection to the network and Wireshark must be running before any data can be captured. When Wireshark is launched, the screen below is displayed.
[screenshot]
To start data capture it is first necessary to go to the Capture menu and select the Options choice. The Options dialog provides a range of settings and filters which determines which and how much data traffic is captured.
[screenshot]
First, it is essential to ensure that Wireshark is set to monitor the correct interface. From the Interface drop down list, select the network adapter in use. Typically, for a computer this will be the connected Ethernet Adapter.
Then other Options can be set. Among those available in Capture Options, the two highlighted below are worth examination.
[screenshot]
Setting Wireshark to capture packets in promiscuous mode
If this feature is NOT checked, only PDUs destined for this computer will be captured. If this feature is checked, all PDUs destined for this computer AND all those detected by the computer NIC on the same network segment (i.e., those that "pass by" the NIC but are not destined for the computer) are captured.
Note: The capturing of these other PDUs depends on the intermediary device connecting the end device computers on this network. As you use different intermediary devices (hubs, switches, routers) throughout these courses, you will experience the different Wireshark results.
Setting Wireshark for network name resolution
This option allows you to control whether or not Wireshark translates network addresses found in PDUs into names. Although this is a useful feature, the name resolution process may add extra PDUs to your captured data, perhaps distorting the analysis.
There are also a number of other capture filtering and process settings available.
Clicking on the Start button starts the data capture process and a message box displays the progress of this process.
[screenshot]
As data PDUs are captured, the types and number are indicated in the message box.
[screenshot]
The examples above show the capture of a ping process and then accessing a web page.
When the Stop button is clicked, the capture process is terminated and the main screen is displayed. This main display window of Wireshark has three panes.
[screenshot]
The PDU (or Packet) List Pane at the top of the diagram displays a summary of each packet captured.
By clicking on packets in this pane, you control what is displayed in the other two panes.
The PDU (or Packet) Details Pane in the middle of the diagram displays the packet selected in the Packet List Pane in more detail.
The PDU (or Packet) Bytes Pane at the bottom of the diagram displays the actual data (in hexadecimal form representing the actual binary) from the packet selected in the Packet List Pane, and highlights the field selected in the Packet Details Pane.
Each line in the Packet List corresponds to one PDU or packet of the captured data. If you select a line in this pane, more details will be displayed in the Packet Details and Packet Bytes panes. The example above shows the PDUs captured when the ping utility was used and http://www.Wireshark.org was accessed. Packet number 1 is selected in this pane.
The Packet Details pane shows the current packet (selected in the Packet List pane) in a more detailed form. This pane shows the protocols and protocol fields of the selected packet. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.
The Packet Bytes pane shows the data of the current packet (selected in the Packet List pane) in what is known as "hexdump" style. In this lab, this pane will not be examined in detail. However, when a more in-depth analysis is required this displayed information is useful for examining the binary values and content of PDUs.
The information captured for the data PDUs can be saved in a file. This file can then be opened in Wireshark for analysis some time in the future without the need to re-capture the same data traffic again. The information displayed when a capture file is opened is the same as the original capture.
When closing a data capture screen or exiting Wireshark you are prompted to save the captured PDUs.
[screenshot]
Clicking on Continue without Saving closes the file or exits Wireshark without saving the displayed captured data.

Task 1: Ping PDU Capture
Step 1: After ensuring that the standard lab topology and configuration is correct, launch Wireshark on a computer in a lab pod.
Set the Capture Options as described above in the overview and start the capture process.
From the command line of the computer, ping the IP address of another network connected and powered on end device in the lab topology. In this case, ping the Eagle Server using the command ping 192.168.254.254.
After receiving the successful replies to the ping in the command line window, stop the packet capture.
Step 2: Examine the Packet List pane.
The Packet List pane on Wireshark should now look something like this:
[screenshot]
Look at the packets listed above; we are interested in packet numbers 6, 7, 8, 9, 11, 12, 14 and 15.
Locate the equivalent packets on the packet list on your computer.
If you performed Step 1A above, match the messages displayed in the command line window when the ping was issued with the six packets captured by Wireshark.
From the Wireshark Packet List answer the following:
What protocol is used by ping? icmp
What is the full protocol name? _____________________________
What are the names of the two ping messages? echo ping request, echo ping reply
Are the listed source and destination IP addresses what you expected? Yes / No
Why? no. first time using wireshark. Results are amazing
Step 3: Select (highlight) the first echo request packet on the list with the mouse.
The Packet Detail pane will now display something similar to:
[screenshot]
Click on each of the four "+" to expand the information.
The Packet Detail Pane will now be similar to:
[screenshot]
As you can see, the details for each section and protocol can be expanded further.
Spend some time scrolling through this information. At this stage of the course, you may not fully understand the information displayed but make a note of the information you do recognize.
Locate the two different types of "Source" and "Destination". Why are there two types? __________________________________________________________________
What protocols are in the Ethernet frame? ____________________________________________________________
As you select a line in the Packets Detail pane all or part of the information in the Packet Bytes pane also becomes highlighted.
For example, if the second line (+ Ethernet II) is highlighted in the Details pane the Bytes pane now highlights the corresponding values.
[screenshot]
This shows the particular binary values that represent that information in the PDU. At this stage of the course, it is not necessary to understand this information in detail.
Step 4: Go to the File menu and select Close.
Click on Continue without Saving when this message box appears.
[screenshot]

Task 2: FTP PDU Capture
Step 1: Start packet capture.
Assuming Wireshark is still running from the previous steps, start packet capture by clicking on the Start option on the Capture menu of Wireshark.
At the command line on your computer running Wireshark, enter ftp 192.168.254.254
When the connection is established, enter anonymous as the user without a password.
Userid: anonymous    Password: (leave blank)
You may alternatively use login with userid cisco and with password cisco.
When successfully logged in enter get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe and press the enter key. This will start downloading the file from the ftp server. The output will look similar to:
C:\Documents and Settings\ccna1>ftp eagle-server.example.com
Connected to eagle-server.example.com.
220 Welcome to the eagle-server FTP service.
User (eagle-server.example.com:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe (6967072 bytes).
226 File send OK.
ftp: 6967072 bytes received in 0.59Seconds 11729.08Kbytes/sec.
When the file download is complete enter quit
ftp> quit
221 Goodbye.
C:\Documents and Settings\ccna1>
When the file has successfully downloaded, stop the PDU capture in Wireshark.
Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed.
Locate and note those PDUs associated with the file download. These will be the PDUs from the Layer 4 protocol TCP and the Layer 7 protocol FTP. Identify the three groups of PDUs associated with the file transfer. If you performed the step above, match the packets with the messages and prompts in the FTP command line window.
The first group is associated with the "connection" phase and logging into the server. List examples of messages exchanged in this phase. ___________________________________________________________________
Locate and list examples of messages exchanged in the second phase, that is, the actual download request and the data transfer. ___________________________________________________________________
The third group of PDUs relate to logging out and "breaking the connection". List examples of messages exchanged during this process. ___________________________________________________________________
Locate recurring TCP exchanges throughout the FTP process. What feature of TCP does this indicate? ___________________________________________________________________
Step 3: Examine Packet Details.
Select (highlight) a packet on the list associated with the first phase of the FTP process. View the packet details in the Details pane.
What are the protocols encapsulated in the frame? ___________________________________________________________________
Highlight the packets containing the user name and password.
Examine the highlighted portion in the Packet Byte pane.
What does this say about the security of this FTP login process? ___________________________________________________________________
Highlight a packet associated with the second phase. From any pane, locate the packet containing the file name.
The filename is: ______________________________
Highlight a packet containing the actual file content; note the plain text visible in the Byte pane.
Highlight and examine, in the Details and Byte panes, some packets exchanged in the third phase of the file download.
What features distinguish the content of these packets? ___________________________________________________________________
When finished, close the Wireshark file and continue without saving.

Task 3: HTTP PDU Capture
Step 1: Start packet capture.
Assuming Wireshark is still running from the previous steps, start packet capture by clicking on the Start option on the Capture menu of Wireshark.
Note: Capture Options do not have to be set if continuing from previous steps of this lab.
Launch a web browser on the computer that is running Wireshark.
Enter the URL of the Eagle Server of example.com or enter the IP address 192.168.254.254. When the webpage has fully downloaded, stop the Wireshark packet capture.
Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed.
Locate and identify the TCP and HTTP packets associated with the webpage download.
Note the similarity between this message exchange and the FTP exchange.
Step 3: In the Packet List pane, highlight an HTTP packet that has the notation "(text/html)" in the Info column.
In the Packet Detail pane click on the "+" next to Line-based text data: html
When this information expands what is displayed? ___________________________________________________________________
Examine the highlighted portion of the Byte Panel. This shows the HTML data carried by the packet.
When finished close the Wireshark file and continue without saving.

Task 4: Reflection
Consider the encapsulation information pertaining to captured network data Wireshark can provide. Relate this to the OSI and TCP/IP layer models. It is important that you can recognize and relate both the protocols represented and the protocol layer and encapsulation types of the models with the information provided by Wireshark.

Task 5: Challenge
Discuss how you could use a protocol analyzer such as Wireshark to: (1) Troubleshoot the failure of a webpage to download successfully to a browser on a computer; and (2) Identify data traffic on a network that is requested by users.
_____________________________________________________________________________
_____________________________________________________________________________

Task 6: Cleanup
Unless instructed otherwise by your instructor, exit Wireshark and properly shut down the computer.
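As an added illustration (not part of the Cisco lab or its answer key), the following Python walks the same encapsulation that the Packet Details pane exposes in Task 1 and Task 2: Ethernet II, then IPv4, then either ICMP (the two ping messages) or TCP carrying the FTP control channel. It builds two constructed frames (the host address 192.168.254.1 and both MAC addresses are made up; only the Eagle Server address comes from the lab) and flags what the lab's "security of this FTP login" question is getting at: USER and PASS travel in cleartext and are readable straight out of the Bytes pane.

```python
import struct

# Wireshark's Info-column names for the ICMP types seen during a ping
ICMP_TYPES = {8: "Echo (ping) request", 0: "Echo (ping) reply"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Assemble a constructed Ethernet II + IPv4 (20-byte header, checksum 0) + transport frame."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    eth_hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth_hdr + ip_hdr + l4

def decode_pdu(frame):
    """Walk the encapsulation shown in the Packet Details pane: Ethernet II -> IPv4 -> ICMP or TCP -> FTP."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    pdu = {"eth": {"src": mac_str(src_mac), "dst": mac_str(dst_mac)}}    # Layer 2 source/destination
    if ethertype != 0x0800:                                              # only IPv4 is handled here
        return pdu
    ihl = (frame[14] & 0x0F) * 4                                         # IP header length in bytes
    proto = frame[23]
    pdu["ip"] = {"src": ip_str(frame[26:30]), "dst": ip_str(frame[30:34])}  # Layer 3 source/destination
    l4 = frame[14 + ihl:]
    if proto == 1:                                                       # ICMP: name the ping message
        pdu["icmp"] = ICMP_TYPES.get(l4[0], f"type {l4[0]}")
    elif proto == 6:                                                     # TCP: header, then payload
        sport, dport, _seq, _ack, off = struct.unpack("!HHIIB", l4[:13])
        data = l4[(off >> 4) * 4:]
        pdu["tcp"] = {"sport": sport, "dport": dport}
        if dport == 21 and data[:5] in (b"USER ", b"PASS "):             # FTP control channel: credentials in clear
            pdu["ftp_cleartext"] = data.decode("ascii", "replace").strip()
    return pdu

# Constructed sample frames; hypothetical host 192.168.254.1 talking to the lab's Eagle Server
HOST_MAC, SERVER_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
PING_REQUEST = build_frame(HOST_MAC, SERVER_MAC, "192.168.254.1", "192.168.254.254", 1,
                           struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh")
FTP_PASS = build_frame(HOST_MAC, SERVER_MAC, "192.168.254.1", "192.168.254.254", 6,
                       struct.pack("!HHIIBBHHH", 1052, 21, 1, 1, 0x50, 0x18, 8192, 0, 0) + b"PASS cisco\r\n")

if __name__ == "__main__":
    for frame in (PING_REQUEST, FTP_PASS):
        print(decode_pdu(frame))
```

The two address pairs in each decoded dictionary (MAC under "eth", IP under "ip") are the "two types of Source and Destination" Step 3 of Task 1 asks about.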
