CNET124 Lab 4 Packet Sniffing

Download as pdf or txt
Download as pdf or txt
You are on page 1of 8

School of Engineering Technology and Applied Science (SETAS) Information and Communication Technology (ICET)

CNET124 Network Technologies

Lab #4: Packet Sniffing

Version 1 February 2012

Introduction One part of being a network administrator is to gain a familiarity with the quantity and types of traffic found on the various network segments. By understanding what is normal one can easily spot abnormal traffic types or patterns. Once detected, the sources of these abnormalities can be investigated and where possible, any necessary remedial actions necessary to maintain the integrity and performance of the network can be taken. Many different tools exist to facilitate the analysis of network traffic types and patterns. Some of these tools offer advanced automated capabilities and others are very simplistic in their approach. Wireshark is an open source solution that allows the collection and profiling of network traffic to assist in the management and troubleshooting of production networks. Lab Overview The purpose of this lab is to introduce the filtering capabilities of Wireshark and to use a packet sniffing tool (Wireshark) to examine the quantity and type of traffic found on an Ethernet hub and switch based network. In this lab the learner will: Use the filter feature of Wireshark Capture traffic from a hub and switch based network Compare the traffic volume and types between a hub an switch based network Locate and examine an ARP exchange from a live network. Pre-lab Preparation Before attempting this lab review the material covered in labs #1 and #3 . Also review the OSI model and answer the following questions. 1. Outline the ARP process with emphasis on the communication types (unicast, multicast or broadcast) of all packets involved in the information exchange. 2. Differentiate between a collision domain and a broadcast domain. What types of network devices bound each? 3. On an Ethernet network composed of a single 24 port hub, how many collision domains and how many broadcast domains exist? 4. On an Ethernet network composed of a single 24 port switch in its default configuration, how many collision and how many broadcast domains exist?

Lab Procedure
Note: Be certain to save all captures to be able to answer the questions presented in Part E of this lab the and also for future study. Part A: Introduction to Filters On a network with large volumes of traffic it becomes difficult to isolate the packets of specific interest. Wireshark provides the capability to filter traffic either during or after data capture. The data filtering capabilities provided by Wireshark are great and this portion of the lab only introduces this capability. Filters will be revisited in a future lab lab. 1. Connect your PC to a network and capture about 100 packets.

2. Select an ARP request packet and expand all fields until you can see the frame type. Highlight type the frame type field.

3. Select Analyze | Apply as Filter | Selected from the menu bar. This should change the display to show only frame types corresponding to the one selected. Notice at the top of the capture window there is now a filter type displayed. This same filter can be created using the menu that will appear if you right-click on the desired filter field. click

4. Now that you have a filter created you can use this filter to filter traffic during capture so that only the desired packets are displayed. Wireshark will keep track of any filters you have recently created and these may be selected from the drop down list in the filter menu. Make sure that a d drop-down valid filter is selected (the filter expression field will be green) and then start a new capture. If prompted, select Continue without Saving. Only packets that match the applied filter should be ch captured.

Experiment with Wireshark filtering capabilities until you are comfortable with applying simple filters to analyze previously captured files and to filter during capture. In future labs we will build more complex filters to analyze for specific traffic. To demonstrate you ability to apply filters create a series of screen captures that show unfiltered and filtered traffic that matches a filter other than the ARP used in this exercise.

Part B: Two Computer Peer-to-Peer Network 1. Using the crossover cable you constructed in lab #1 connect two PCs together. (a) Is the link light on the PC NIC on? What does this tell you? 2. Set the IP addressing information on both PCs so that they are both on the same subnet. (a) What three pieces of information would you normally have to supply to do this? What is the purpose of each? (b) For this particular lab experiment only two pieces of information is required. Explain why only two pieces are needed versus three in a typical IP network? 3. Ping from each machine to the other. If this does not work check your connections and addressing information. Troubleshoot as necessary. You must be able to ping between the two machines before proceeding further. (a) What protocol does ping use? (b) If a ping is successful which layers of the OSI model are working? 4. Set up a shared directory on one of the PCs and place a large file into this directory. This will be PC_A. On the other PC map a drive to the shared directory. This will be PC_B. 5. Start Wireshark on PC_A. Collect approximately 100 packets from the network. (a) How long did it take you to capture 100 packets? (b) What type(s) of traffic did you capture? (c) Approximately what percentage of the total captured traffic did each type account for?

6. Start a new capture and while capturing traffic copy the file from step 4 above from the shared directory to a local directory on PC_B. (a) What type(s) of traffic did you capture? (b) Approximately what percentage of the total captured traffic did each type account for?

Part C: Hub Based Network 1. Connect your PC to the common classroom hub using the cable you constructed I lab #1. (a) What type of cable did you use? Why? 2. Set the addressing information on your PC as indicated by your instructor. It is important that all PCs connected to the common hub are on the same network. Ping between machines to ensure that all are able to connect to each other. Note the number of PCs connected to the hub as this information will be required for part D. 3. Once multiple machines are connected to the hub start a capture and collect approximately 100 packets. (a) How long did it take you to capture 100 packets? (b) What type(s) of traffic did you capture? (c) Approximately what percentage of the total captured traffic did each type account for?

Part D: Switch Based Network 4. Connect your PC to the common classroom switch using the cable you constructed I lab #1. (b) What type of cable did you use? Why? 5. Set the addressing information on your PC as indicated by your instructor. It is important that all PCs connected to the common switch are on the same network. Ping between machines to ensure that all are able to connect to each other. Make sure to have the same number of machines connected to the hub in part C as you had connected to the switch in part D.

6. Once multiple machines are connected to the switch start a capture and collect approximately 100 packets. (d) How long did it take you to capture 100 packets? (e) What type(s) of traffic did you capture? (f) Approximately what percentage of the total captured traffic did each type account for?

Part E: Questions Use the data collected in parts B, C and D to answer the following questions. 1. Was there any difference in the types of traffic observed on the three different networks? 2. Was there any difference in the proportion of each type of traffic observed on the three different networks? 3. Was there any difference in the volume of traffic captured per unit time between the hub based and the switch based network? How can you explain this difference? 4. Locate an ARP request for a machine other than your own in the captures from both the switched and the hubbed network. Can you see the ARP reply to the request in both captures? Why or why not?

You might also like