Objective
Introduce Address Resolution Protocol (ARP) and the arp -a workstation command. Explore the arp command help feature using the -? option.
Background / Preparation
ARP is used as a tool for confirming that a computer is successfully resolving network Layer 3 addresses to Media Access Control (MAC) Layer 2 addresses. The TCP/IP network protocol relies on IP addresses like 192.168.14.211 to identify individual devices and to assist in routing data packets between networks. While the IP address is essential to move data from one LAN to another, it cannot deliver the data within the destination LAN by itself. Local network protocols, like Ethernet or Token Ring, use the MAC, or Layer 2, address to identify local devices and deliver all data. A computer MAC address has been seen in prior labs. This is an example of a MAC address:

00-02-A5-9A-63-5C

A MAC address is a 48-bit address displayed in hexadecimal (HEX) format as six sets of two HEX characters separated by dashes. In this format each hex symbol represents 4 bits. With some devices, the 12 hex characters may be displayed as three sets of four characters separated by periods or colons (0002.A59A.635C).

ARP maintains a table in the computer of IP and MAC address combinations. In other words, it keeps track of which MAC address is associated with an IP address. If ARP does not know the MAC address of a local device, it issues a broadcast containing the IP address. This broadcast asks for the MAC address that corresponds to the IP address. If the IP address is active on the LAN, the device holding it sends a reply from which ARP extracts the MAC address. ARP then adds the address combination to the local ARP table of the requesting computer. Note that ARP requests and replies carry no authentication: the requesting computer accepts whatever reply arrives, which is why the type column of the ARP table (static or dynamic) and any unexpected change in the MAC address shown for the default gateway are worth checking.

MAC addresses, and therefore ARP, are only used within the LAN. When a computer prepares a packet for transmission, it checks the destination IP address to see if it is part of the local network. It does this by checking whether the network portion of the IP address is the same as the local network. If it is, the ARP process is consulted to get the MAC address of the destination device using the IP address. The MAC address is then applied to the data packet and used for delivery. If the destination IP address is not local, the computer will need the MAC address of the default gateway. The default gateway is the router interface that the local network is connected to in order to provide connectivity with other networks. The gateway MAC address is used because the packet will be delivered there and the router will then forward it to the network it is intended for.

If the computer does not exchange any packets with an IP address for a few minutes, it drops the MAC/IP entry from the ARP table, assuming the device is no longer active. Later attempts to access that IP address will cause ARP to do another broadcast and update the table.
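The request/reply exchange described above, written out as an added example that is not part of the Cisco lab: it builds the 42-byte Ethernet II + ARP frames exactly as Wireshark would decode them, answers a request the way the owner of the IP address does, and records the learned pair in a table the way arp -a displays it. The requesting host's MAC and the addresses 10.36.13.22 and 10.36.13.1 come from this lab; the gateway MAC 00-0C-29-11-22-33 is an assumption made for the example.

```python
import ipaddress
import struct

# Constants from RFC 826 / Ethernet II framing
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"


def mac_to_bytes(mac):
    """Accept 00-02-A5-9A-63-5C, 00:02:a5:9a:63:5c or 0002.A59A.635C."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying a 28-byte ARP packet (42 bytes total)."""
    # A request is broadcast because the target MAC is exactly what is unknown;
    # a reply is unicast straight back to the requester.
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth_hdr = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth_hdr + arp


def parse_arp(frame):
    """Decode the fields Wireshark shows under 'Address Resolution Protocol'."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    body = frame[22:42]
    return {
        "eth_dst": mac_to_str(eth_dst),
        "eth_src": mac_to_str(eth_src),
        "opcode": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(opcode, opcode),
        "sender_mac": mac_to_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_to_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def who_has(requester_mac, requester_ip, wanted_ip):
    """The broadcast the text describes: 'who has wanted_ip? tell requester_ip'."""
    return build_arp(ARP_REQUEST, requester_mac, requester_ip, ZERO_MAC, wanted_ip)


def answer(request_frame, my_mac, my_ip):
    """What the owner of my_ip sends back; None if the request is not for us."""
    req = parse_arp(request_frame)
    if req["opcode"] != "request" or req["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def learn(arp_table, reply_frame):
    """Add the sender's IP/MAC pair to the table as a dynamic entry, as arp -a shows it.

    Nothing in the protocol proves a reply is genuine, so a static entry
    (set by the administrator) is never overwritten by a received reply.
    """
    rep = parse_arp(reply_frame)
    if rep["opcode"] != "reply":
        return arp_table
    existing = arp_table.get(rep["sender_ip"])
    if existing and existing[1] == "static":
        return arp_table
    arp_table[rep["sender_ip"]] = (rep["sender_mac"], "dynamic")
    return arp_table


if __name__ == "__main__":
    # Constructed exchange: host 10.36.13.22 (MAC from the lab text) asks for the
    # gateway 10.36.13.1; the gateway MAC is an assumption for the example.
    request = who_has("00-02-A5-9A-63-5C", "10.36.13.22", "10.36.13.1")
    reply = answer(request, "00-0C-29-11-22-33", "10.36.13.1")
    print(parse_arp(request))
    print(parse_arp(reply))
    print(learn({}, reply))
```

Running the script prints the decoded request (broadcast destination, all-zero target MAC), the unicast reply, and a one-entry table marked dynamic; the same field names appear in Wireshark's ARP decode when you capture the arp -a exercise below.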
All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
b. Try pinging a couple of local addresses and a website URL. Then re-run the command. The figure below shows a possible result of the arp -a command. The MAC address for the website will not be listed, because it is not local; instead the ping to it causes the default gateway to be listed. In the example below 10.36.13.1 is the default gateway while 10.36.13.92 and 10.36.13.101 are other network computers. Notice that for each IP address there is a physical address, or MAC, and a type, indicating how the address was learned (dynamic entries were learned from ARP replies; static entries were configured manually).

c. From the figure below, it might be logically concluded that the network is 10.36.13.0 and the host computers are represented by 22, 1, 92, and 101.
d. What MAC address was used in delivering each of the pings to the URLs? ____________________________ Why? _____________________________________
Step 3 Use the ARP help feature
Try the command arp -? to see the help feature and look over the options. The purpose of this step is not so much the ARP command options but to demonstrate using the ? to access help, if available. Help is not always implemented uniformly. Some commands use /? instead of -?.
Background
Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. Before June 2006, Wireshark was known as Ethereal. A packet sniffer (also known as a network analyzer or protocol analyzer) is computer software that can intercept and log data traffic passing over a data network. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications. Wireshark is programmed to recognize the structure of different network protocols. This enables it to display the encapsulation and individual fields of a PDU and interpret their meaning. It is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. For information and to download the program go to - http://www.Wireshark.org
Scenario
To capture PDUs the computer on which Wireshark is installed must have a working connection to the network and Wireshark must be running before any data can be captured.
To start data capture it is first necessary to go to the Capture menu and select the Options choice. The Options dialog provides a range of settings and filters which determines which and how much data traffic is captured.
First, it is necessary to ensure that Wireshark is set to monitor the correct interface. From the Interface drop down list, select the network adapter in use. Typically, for a computer this will be the connected Ethernet Adapter. Then other Options can be set. Among those available in Capture Options, the two highlighted below are worth examination.
Setting Wireshark to capture packets in promiscuous mode

If this feature is NOT checked, only PDUs destined for this computer will be captured. If this feature is checked, all PDUs destined for this computer AND all those detected by the computer NIC on the same network segment (i.e., those that "pass by" the NIC but are not destined for the computer) are captured.

Note: The capturing of these other PDUs depends on the intermediary device connecting the end device computers on this network. A hub repeats every frame to every port, so promiscuous mode sees all traffic on the segment; a switch generally forwards a unicast frame only to the port that owns the destination MAC, so only broadcasts, multicasts and frames addressed to this computer are seen. As you use different intermediary devices (hubs, switches, routers) throughout these courses, you will experience the different Wireshark results.

Setting Wireshark for network name resolution

This option allows you to control whether or not Wireshark translates network addresses found in PDUs into names. Although this is a useful feature, the name resolution process may add extra PDUs (DNS lookups) to your captured data, perhaps distorting the analysis.

There are also a number of other capture filtering and process settings available. Clicking on the Start button starts the data capture process and a message box displays the progress of this process.
As data PDUs are captured, the types and number are indicated in the message box.
The examples above show the capture of a ping process and then accessing a web page. When the Stop button is clicked, the capture process is terminated and the main screen is displayed. This main display window of Wireshark has three panes.
The PDU (or Packet) List Pane at the top of the diagram displays a summary of each packet captured. By clicking on packets in this pane, you control what is displayed in the other two panes.

The PDU (or Packet) Details Pane in the middle of the diagram displays the packet selected in the Packet List Pane in more detail.

The PDU (or Packet) Bytes Pane at the bottom of the diagram displays the actual data (in hexadecimal form representing the actual binary) from the packet selected in the Packet List Pane, and highlights the field selected in the Packet Details Pane.

Each line in the Packet List corresponds to one PDU or packet of the captured data. If you select a line in this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes. The example above shows the PDUs captured when the ping utility was used and http://www.Wireshark.org was accessed. Packet number 1 is selected in this pane.

The Packet Details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. This pane shows the protocols and protocol fields of the selected packet. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.

The Packet Bytes pane shows the data of the current packet (selected in the "Packet List" pane) in what is known as "hexdump" style. In this lab, this pane will not be examined in detail. However, when a more in-depth analysis is required this displayed information is useful for examining the binary values and content of PDUs.
The information captured for the data PDUs can be saved in a file. This file can then be opened in Wireshark for analysis some time in the future without the need to re-capture the same data traffic again. The information displayed when a capture file is opened is the same as the original capture. When closing a data capture screen or exiting Wireshark you are prompted to save the captured PDUs.
Clicking on Continue without Saving closes the file or exits Wireshark without saving the displayed captured data.
Look at the packets listed above; we are interested in packet numbers 6, 7, 8, 9, 11, 12, 14 and 15. Locate the equivalent packets on the packet list on your computer.
If you performed Step 1A above, match the messages displayed in the command line window when the ping was issued with the six packets captured by Wireshark. From the Wireshark Packet List answer the following:

What protocol is used by ping? ______________________________
What is the full protocol name? ______________________________
What are the names of the two ping messages? ______________________________
_____________________________________________________________________
Are the listed source and destination IP addresses what you expected? Yes / No
Why? ___________________________________
Step 3: Select (highlight) the first echo request packet on the list with the mouse. The Packet Detail pane will now display something similar to:
Click on each of the four "+" to expand the information. The packet Detail Pane will now be similar to:
As you can see, the details for each section and protocol can be expanded further. Spend some time scrolling through this information. At this stage of the course, you may not fully understand the information displayed but make a note of the information you do recognize.

Locate the two different types of "Source" and "Destination". Why are there two types?
__________________________________________________________________
What protocols are in the Ethernet frame?
____________________________________________________________

As you select a line in the Packet Details pane all or part of the information in the Packet Bytes pane also becomes highlighted. For example, if the second line (+ Ethernet II) is highlighted in the Details pane the Bytes pane now highlights the corresponding values.
This shows the particular binary values that represent that information in the PDU. At this stage of the course, it is not necessary to understand this information in detail.
Step 4: Go to the File menu and select Close. Click on Continue without Saving when this message box appears.
When successfully logged in, enter get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe and press the enter key <ENTER>. This will start downloading the file from the ftp server. The output will look similar to:

C:\Documents and Settings\ccna1>ftp eagle-server.example.com
Connected to eagle-server.example.com.
220 Welcome to the eagle-server FTP service.
User (eagle-server.example.com:(none)): anonymous
331 Please specify the password.
Password:<ENTER>
230 Login successful.
ftp> get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe (6967072 bytes).
226 File send OK.
ftp: 6967072 bytes received in 0.59Seconds 11729.08Kbytes/sec.

When the file download is complete enter quit

ftp> quit
221 Goodbye.
C:\Documents and Settings\ccna1>

When the file has successfully downloaded, stop the PDU capture in Wireshark.
Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed. Locate and note those PDUs associated with the file download. These will be the PDUs from the Layer 4 protocol TCP and the Layer 7 protocol FTP. Identify the three groups of PDUs associated with the file transfer. If you performed the step above, match the packets with the messages and prompts in the FTP command line window.

The first group is associated with the "connection" phase and logging into the server. List examples of messages exchanged in this phase.
___________________________________________________________________
Locate and list examples of messages exchanged in the second phase, that is the actual download request and the data transfer.
__________________________________________________________________
___________________________________________________________________
The third group of PDUs relate to logging out and "breaking the connection". List examples of messages exchanged during this process.
__________________________________________________________________
___________________________________________________________________
Locate recurring TCP exchanges throughout the FTP process. What feature of TCP does this indicate? ___________________________________________________________________ ___________________________________________________________________
Step 3: Examine Packet Details. Select (highlight) a packet on the list associated with the first phase of the FTP process. View the packet details in the Details pane.
What are the protocols encapsulated in the frame?
___________________________________________________________________
Highlight the packets containing the user name and password. Examine the highlighted portion in the Packet Bytes pane. What does this say about the security of this FTP login process?
___________________________________________________________________
Highlight a packet associated with the second phase. From any pane, locate the packet containing the file name.
The filename is: ______________________________
Highlight a packet containing the actual file content - note the plain text visible in the Bytes pane.
Highlight and examine, in the Details and Bytes panes, some packets exchanged in the third phase of the file download. What features distinguish the content of these packets?
___________________________________________________________________
When finished, close the Wireshark file and continue without saving.
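To make the three-pane view and the "protocols encapsulated in the frame" question concrete, and to show what the Bytes pane reveals about the FTP login, here is an added example that is not part of the Cisco lab: a small libpcap writer/reader (the file format Wireshark saves) and a dissector that walks Ethernet II, IPv4, ICMP or TCP and the FTP control channel, returning one entry per layer in the same order the Details pane lists them. The last function does what a reviewer of such a capture would do: pull USER and PASS out of the cleartext control channel. The sample frames are constructed here, not captured; the workstation MAC and address 10.36.13.22 come from this lab, while the gateway MAC 00-0C-29-11-22-33, the server address 192.168.254.254 and the password "secret123" are assumptions (the lab itself used an empty password, which would still travel in the clear).

```python
import ipaddress
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def write_pcap(frames):
    """Serialise Ethernet frames as a classic libpcap file (the format Wireshark saves)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # per-record header: timestamp (sec, usec), captured length, original length
        out += struct.pack("<IIII", 1_190_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Return the list of captured frames from a little-endian libpcap byte string."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    if struct.unpack("<I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    pos, frames = 24, []
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        frames.append(data[pos:pos + incl_len])
        pos += incl_len
    return frames


def checksum(data):
    """Internet checksum (RFC 1071) used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def dissect(frame):
    """Walk Ethernet II -> IPv4 -> ICMP/TCP -> FTP, one dict per layer, as the Details pane does."""
    layers = []
    etype = struct.unpack("!H", frame[12:14])[0]
    layers.append({"layer": "Ethernet II", "src": mac(frame[6:12]), "dst": mac(frame[0:6]), "type": etype})
    if etype != 0x0800:
        return layers
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    layers.append({"layer": "IPv4",
                   "src": str(ipaddress.IPv4Address(frame[26:30])),
                   "dst": str(ipaddress.IPv4Address(frame[30:34])),
                   "proto": proto,
                   "checksum_ok": checksum(frame[14:14 + ihl]) == 0})
    payload = frame[14 + ihl:14 + total_len]
    if proto == 1:
        names = {8: "Echo (ping) request", 0: "Echo (ping) reply"}
        layers.append({"layer": "ICMP", "info": names.get(payload[0], f"type {payload[0]}")})
    elif proto == 6:
        sport, dport = struct.unpack("!HH", payload[0:4])
        data = payload[(payload[12] >> 4) * 4:]
        layers.append({"layer": "TCP", "sport": sport, "dport": dport, "payload": data})
        if 21 in (sport, dport) and data:
            # the FTP control channel is plain ASCII: exactly what the Bytes pane shows
            layers.append({"layer": "FTP", "line": data.decode("ascii", "replace").rstrip("\r\n")})
    return layers


def find_cleartext_ftp_logins(frames):
    """The check a practitioner runs on such a capture: pull USER/PASS lines out of it."""
    creds = {}
    for frame in frames:
        for layer in dissect(frame):
            if layer["layer"] == "FTP":
                cmd, _, arg = layer["line"].partition(" ")
                if cmd == "USER":
                    creds["user"] = arg
                elif cmd == "PASS":
                    creds["password"] = arg
    return creds


# --- constructed sample traffic (not a real capture) ---------------------------
def eth(dst, src, etype, payload):
    return bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", "")) + struct.pack("!H", etype) + payload


def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 128, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def icmp_echo(icmp_type, seq):
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq) + b"abcdefghijklmnopqrstuvwabcdefghi"
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def tcp(sport, dport, data):
    # TCP checksum left at zero: dissect() does not verify it (simplification)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


PC_MAC, GW_MAC = "00-02-A5-9A-63-5C", "00-0C-29-11-22-33"   # gateway MAC is assumed
PC_IP, SERVER_IP = "10.36.13.22", "192.168.254.254"          # server address is assumed
SAMPLE_FRAMES = [
    eth(GW_MAC, PC_MAC, 0x0800, ipv4(PC_IP, SERVER_IP, 1, icmp_echo(8, 1))),
    eth(PC_MAC, GW_MAC, 0x0800, ipv4(SERVER_IP, PC_IP, 1, icmp_echo(0, 1))),
    eth(GW_MAC, PC_MAC, 0x0800, ipv4(PC_IP, SERVER_IP, 6, tcp(1042, 21, b"USER anonymous\r\n"))),
    eth(PC_MAC, GW_MAC, 0x0800, ipv4(SERVER_IP, PC_IP, 6, tcp(21, 1042, b"331 Please specify the password.\r\n"))),
    eth(GW_MAC, PC_MAC, 0x0800, ipv4(PC_IP, SERVER_IP, 6, tcp(1042, 21, b"PASS secret123\r\n"))),
]

if __name__ == "__main__":
    for frame in read_pcap(write_pcap(SAMPLE_FRAMES)):
        print([layer["layer"] for layer in dissect(frame)])
    print(find_cleartext_ftp_logins(SAMPLE_FRAMES))
```

The two "Source"/"Destination" pairs the earlier question asks about are the Ethernet II entry (the PC and gateway MACs, which change at every router hop) and the IPv4 entry (the end-to-end addresses). Note that the ICMP frames never carry the remote server's MAC, only the gateway's, which is the same observation the arp -a exercise makes.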
Note the similarity between this message exchange and the FTP exchange.

Step 3: In the Packet List pane, highlight an HTTP packet that has the notation "(text/html)" in the Info column. In the Packet Detail pane click on the "+" next to "Line-based text data: html". When this information expands what is displayed?
___________________________________________________________________
Examine the highlighted portion of the Bytes pane. This shows the HTML data carried by the packet.

When finished close the Wireshark file and continue without saving.
Task 4: Reflection
Consider the encapsulation information pertaining to captured network data Wireshark can provide. Relate this to the OSI and TCP/IP layer models. It is important that you can recognize and link both the protocols represented and the protocol layer and encapsulation types of the models with the information provided by Wireshark.
Task 5: Challenge
Discuss how you could use a protocol analyzer such as Wireshark to:
(1) Identify data traffic on a network that is requested by users.
(2) Troubleshoot the failure of a webpage to download successfully to a browser on a computer.
Task 6: Cleanup
Unless instructed otherwise by your instructor, exit Wireshark and properly shutdown the computer.