
Infrastructure Defense Lab 1: WireShark

Instructions
This lab is written for a Windows system; some commands will need to be changed for other operating systems. This lab assumes a wired network connection. Questions to be answered are indicated by a numbered blank. Write your answer in the matching blank on the answer sheet supplied as the last page of this document. The lab should take a well-prepared student approximately 60 minutes to complete.

Introduction to Wireshark
Wireshark, previously known as Ethereal, is a full-function network analyzer that is available for free download at www.wireshark.org. In this lab, you will use Wireshark to capture and analyze several types of traffic in order to become familiar with its usage and capabilities.

Starting Wireshark
If necessary, download and install the appropriate version of Wireshark from www.wireshark.org. Start Wireshark by double clicking on the icon. If the icon is not present on the desktop, go to Start->All Programs->Security Applications->Wireshark. The first screen provides a list of the network interfaces on your system as well as links to useful information.


However, for this lab, you will use the Capture->Interfaces dialog. Open it by clicking Capture on the menu bar and then Interfaces from the drop-down menu.

You may have multiple network interfaces on your system and may need to observe the Packets count to identify the active one (the HP Netserver 10/100TX PCI LAN Adapter in the illustration). When you have identified the active interface, click on the Start button next to it. Note that the Capture drop-down menu also includes options for stopping and restarting a capture.

ARP
Wireshark will now start capturing frames and displaying them. Wait a few moments for some frames to be captured and watch for at least one ARP frame. The first protocol you will examine is ARP, the Address Resolution Protocol. In the display filter box, type arp (display filter names are lower case) and click the Apply button to display only ARP frames. ARP is used on Ethernet local area networks to resolve IP addresses to the MAC (media access control) addresses used on the local LAN segment. Select one of the "Who has" frames by clicking on it and then click the + sign next to Address Resolution Protocol in the packet details pane.


1. What is the Sender MAC address in your capture? This is the node that is trying to send IP traffic and needs to find out the MAC address of the destination. In the illustration, the workstation is trying to send traffic to the default gateway (you can determine the default gateway on your network with ipconfig on Windows or ip route on Linux). Note that in the request the target MAC address is all zeroes, and the frame is sent to the Ethernet broadcast address, so every host on the segment sees it.

Click on the ARP reply frame ("a.b.c.d is at xx:xx:xx:xx:xx:xx"; it should be within the next few frames).

2. What is the Target MAC Address in your capture?

Click Clear next to the display filter to remove the ARP filter. Download the file arp-storm.pcap (a Wireshark sample capture) from the course website and open it in Wireshark. A denial of service attack is mounted by generating sufficient spurious traffic to interfere with legitimate traffic. Keep in mind that ARP has no authentication: any host can send requests or replies claiming any address, which is what makes both spoofing and flooding possible.

3. Do you see any indications that this traffic may have been generated by an automated tool rather than being normal network traffic? Look at the timing between frames, the sender address(es), and whether the target IP addresses follow a pattern.

4. Recalling that a flooding attack attempts to fill the switch port address tables with spurious MAC addresses, do you see evidence that this traffic was part of a flooding attack?
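As an added example (not part of the original lab), the following Python script builds constructed ARP frames and applies the checks behind questions 3 and 4: one sender sweeping consecutive target addresses with almost no replies points to a tool, and a large number of distinct sender MACs points to CAM-table flooding. The frame contents and the thresholds in classify() are assumptions chosen for the constructed data, not values taken from arp-storm.pcap.

```python
"""Constructed ARP traffic and the checks a reviewer of an ARP storm would make.
The frames are built here; they are not taken from the real arp-storm.pcap."""
import struct

ETH = struct.Struct("!6s6sH")              # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")      # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac2b(s): return bytes.fromhex(s.replace(":", ""))
def b2mac(b): return ":".join(f"{x:02x}" for x in b)
def ip2b(s): return bytes(int(x) for x in s.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame; requests go to broadcast with an all-zero target MAC."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    return (ETH.pack(mac2b(dst), mac2b(sender_mac), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op, mac2b(sender_mac), ip2b(sender_ip),
                       mac2b(target_mac), ip2b(target_ip)))

def parse_arp(frame):
    """Return the ARP fields Wireshark shows in the details pane, or None for non-ARP."""
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"op": op, "sender_mac": b2mac(sha), "sender_ip": b2ip(spa),
            "target_mac": b2mac(tha), "target_ip": b2ip(tpa)}

def analyse(frames):
    """Aggregate the indicators questions 3 and 4 ask about."""
    recs = [r for r in map(parse_arp, frames) if r]
    reqs = [r for r in recs if r["op"] == ARP_REQUEST]
    reps = [r for r in recs if r["op"] == ARP_REPLY]
    last_octets = [int(r["target_ip"].rsplit(".", 1)[1]) for r in reqs]
    return {
        "requests": len(reqs),
        "replies": len(reps),
        "distinct_senders": len({r["sender_mac"] for r in reqs}),
        # a host asking for .1, .2, .3 ... in order is a tool, not a user clicking around
        "sequential_targets": len(last_octets) > 2
                              and all(b - a == 1 for a, b in zip(last_octets, last_octets[1:])),
        "reply_ratio": len(reps) / len(reqs) if reqs else 0.0,
    }

def classify(stats, flood_threshold=50):
    """Heuristic labels; the thresholds are assumptions chosen for the constructed data."""
    if stats["distinct_senders"] >= flood_threshold:
        return "flooding"      # many forged sender MACs aimed at the switch address table
    if stats["requests"] >= 10 and stats["sequential_targets"] and stats["reply_ratio"] < 0.2:
        return "storm"         # one host sweeping a whole range, almost nobody answers
    return "normal"

# constructed sample sets (hypothetical addresses)
STORM_FRAMES = [build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.200", ZERO_MAC, f"10.0.0.{i}")
                for i in range(1, 21)]
STORM_FRAMES.append(build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.200"))
FLOOD_FRAMES = [build_arp(ARP_REQUEST, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}",
                          f"10.0.{i >> 8}.{i & 0xff}", ZERO_MAC, "10.0.0.1") for i in range(200)]
NORMAL_FRAMES = [
    build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.200", ZERO_MAC, "10.0.0.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.200"),
    build_arp(ARP_REQUEST, "00:11:22:33:44:66", "10.0.0.201", ZERO_MAC, "10.0.0.5"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:05", "10.0.0.5", "00:11:22:33:44:66", "10.0.0.201"),
]
```

Run classify(analyse(FRAMES)) on each set: the storm set is one sender asking for 20 consecutive addresses with a single reply, the flood set is 200 requests from 200 different sender MACs, and the normal set is two request/reply pairs. On a real capture the same counts come from the Statistics menu (Endpoints for distinct MACs, Conversations for the request/reply pairing).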

DNS
DNS (the Domain Name System) is used to resolve friendly names such as www.microsoft.com to an IP address. Start a new capture (click on the Continue without saving button in the pop-up dialog). In the filter box, type dns and click on Apply. Open a command (or terminal) window and type the command nslookup. This should generate two DNS packets in Wireshark, a query and its response.


When nslookup starts up, it attempts a reverse lookup on the DNS server's IP address (a PTR query for the address's in-addr.arpa name). Notice that the query supplies an IP address and the response supplies a friendly name; this is why it is called a reverse lookup.

5. What is the IP address of the DNS server for your system, and what is the friendly name of the DNS server?

A forward lookup determines the IP address corresponding to a friendly name. In the command window where nslookup is running, type www.microsoft.com.

Expand the Answers portion of the reply from your DNS server. The reply may contain CNAME records that alias the name to another name before the A records appear; count the A records.

6. How many servers does the name www.microsoft.com map to?

This illustrates a common technique used by high-traffic websites where multiple physical servers host the same content. The DNS server rotates the order of the addresses between replies (a DNS client normally uses the first address in the returned list), so successive clients are spread across the servers. This is sometimes called round-robin DNS. Clear the DNS filter.

Examining an Echo Request


Open a command window and perform an ipconfig command. Make a note of the default gateway address. In the command window, type ping ipaddress, where ipaddress is the address of the default gateway. You can use icmp as a display filter to display only the ICMP packets.

Expand the ICMP tree by clicking on the + sign next to it.

7. How long is the data portion of the ping request? (The default payload length differs between Windows and Linux ping, so your answer depends on the operating system.)

8. Examining the bytes pane, what is the data used in the ping request?
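Added example, not from the lab handout: a Python echo request builder and dissector showing the fields behind questions 7 and 8 and the RFC 1071 checksum that Wireshark validates for each ICMP packet. The 32-byte alphabet payload is the Windows ping default; the identifier and sequence values are arbitrary, and the corrupt() helper is only there to show the checksum catching a damaged packet.

```python
"""Build and check an ICMP echo request the way a ping client does.
Added example for this lab, not part of the original handout."""
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
ICMP_HDR = struct.Struct("!BBHHH")                  # type, code, checksum, identifier, sequence
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes: the Windows ping default

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:                                # odd length: pad with a zero byte
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                               # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes = WINDOWS_PING_PAYLOAD) -> bytes:
    """ICMP header + data; the checksum covers both and is computed with the field zeroed."""
    header = ICMP_HDR.pack(ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return ICMP_HDR.pack(ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def build_echo_reply(request: bytes) -> bytes:
    """A host answers by echoing identifier, sequence and data back with type 0."""
    _t, _c, _s, ident, seq = ICMP_HDR.unpack_from(request, 0)
    data = request[ICMP_HDR.size:]
    header = ICMP_HDR.pack(ICMP_ECHO_REPLY, 0, 0, ident, seq)
    return ICMP_HDR.pack(ICMP_ECHO_REPLY, 0, internet_checksum(header + data), ident, seq) + data

def dissect_echo(packet: bytes) -> dict:
    """Fields Wireshark shows under the ICMP tree; checksum_ok mirrors its checksum status."""
    typ, code, csum, ident, seq = ICMP_HDR.unpack_from(packet, 0)
    data = packet[ICMP_HDR.size:]
    return {
        "type": typ, "code": code, "checksum": csum, "id": ident, "seq": seq,
        "data_len": len(data), "data": data,
        # a correct packet (checksum field included) sums to 0xFFFF, so the complement is 0
        "checksum_ok": internet_checksum(packet) == 0,
    }

def corrupt(packet: bytes, offset: int = ICMP_HDR.size) -> bytes:
    """Flip one bit of the payload to show the checksum catching the damage (demo helper)."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)
```

dissect_echo(build_echo_request(1, 1)) reports type 8, a 32-byte data portion holding the alphabet pattern, and a valid checksum; pass a 56-byte payload instead to see what a Linux ping looks like in the same fields. A single flipped bit in the data is enough for checksum_ok to go False, which is the same check behind Wireshark's "Checksum Status" line.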

Examining a HTTP Request


In this example, we're going to walk through connecting to a web site (www.microsoft.com). This will involve some protocols we will cover later in the course (DNS, for example). Open a web browser window. Start a new capture in Wireshark. In the address bar of the browser, type the URL www.microsoft.com and press Return. Capture 20 or so packets and click on Stop.


The first task that must be accomplished is to determine the IP address associated with the name www.microsoft.com; this is done with a query using the DNS (Domain Name System) protocol. Select the DNS Standard Query frame in the top pane and expand the DNS and Queries subtrees in the packet details pane.

9. What protocol does DNS use? 10. What is the destination port for a DNS query?


11. What is the source port used for the query?

12. What is the type of query being performed?

13. Select the first TCP frame in the main Wireshark window (the one with the SYN flag set) and display it in a new window. This is the first frame of the TCP three-way handshake (SYN, SYN/ACK, ACK), which is how a TCP connection is opened. During the handshake, the sender and receiver negotiate some important parameters of their communication. Open the Options subtree and determine the maximum segment size your computer is prepared to receive from Microsoft.com.

14. Open the second TCP frame (the SYN/ACK from the server) and locate the Window size field in the TCP header. What is the window size that Microsoft.com will use in communicating with your computer? This is the maximum amount of data that can be in transit between Microsoft.com and your computer without an acknowledgement. (The window field is 16 bits wide; if the Options subtree of the SYN/ACK includes a Window scale option, the effective window is the field value shifted left by that scale factor.)

15. Select the first frame using the HTTP protocol (a GET). Expand the HTTP protocol subtree. What language will your browser accept from Microsoft.com? (This is the Accept-Language header. If your browser started with or was redirected to HTTPS, the request is inside TLS and no HTTP GET will be visible; type http:// explicitly, or pick a site that still serves plain HTTP.)

This lab has introduced you to some of the basic capabilities of Wireshark. For more information, explore some of the sample captures available from the Wireshark.org main page.
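Added example, not part of the lab: a Python dissector for the packets behind question 6 (the Answers section of a DNS reply) and questions 9 to 14 (the DNS query's transport and the TCP SYN and SYN/ACK parameters). All packets are constructed here with RFC 5737 test addresses, the www.microsoft.com answers are made up, and the IPv4, UDP and TCP checksums are left at zero because the code does not verify them.

```python
"""Dissect constructed IPv4 packets the way Wireshark's DNS and TCP trees do.
Added example for this lab, not part of the handout; all packets are built below."""
import struct

def ip2b(s): return bytes(int(x) for x in s.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def parse_ipv4(pkt):
    vihl, _tos, total_len, _id, _ff, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = (vihl & 0x0F) * 4                        # header length in bytes
    return {"src": b2ip(pkt[12:16]), "dst": b2ip(pkt[16:20]), "proto": proto,
            "payload": pkt[ihl:total_len]}

def read_name(msg, off):
    """Return (name, next_offset); follows RFC 1035 compression pointers."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                       # 2-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_dns(msg):
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, a_records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))            # qtype 1 is an A (address) query
    for _ in range(an):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:              # only A records are collected; CNAMEs are skipped
            a_records.append(b2ip(rdata))
    return {"is_response": bool(flags & 0x8000), "questions": questions, "a_records": a_records}

def parse_tcp(seg):
    sport, dport, _seq, _ack, offflags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off, flags, opts, off = (offflags >> 12) * 4, offflags & 0x1FF, {}, 20
    while off < data_off:                          # options are TLVs after the 20-byte header
        kind = seg[off]
        if kind == 0:                              # End of Option List
            break
        if kind == 1:                              # NOP has no length byte
            off += 1
            continue
        length = seg[off + 1]
        if kind == 2:                              # Maximum Segment Size
            opts["mss"] = struct.unpack("!H", seg[off + 2:off + 4])[0]
        elif kind == 3:                            # Window scale shift count
            opts["wscale"] = seg[off + 2]
        off += length
    return {"sport": sport, "dport": dport, "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
            "window": window, "options": opts}

def dissect(pkt):
    """Summary line: transport protocol, ports, and the DNS or TCP details the lab asks for."""
    ip = parse_ipv4(pkt)
    out = {"src": ip["src"], "dst": ip["dst"]}
    if ip["proto"] == 17:                          # UDP
        sport, dport, length, _csum = struct.unpack("!HHHH", ip["payload"][:8])
        out.update(proto="UDP", sport=sport, dport=dport)
        if 53 in (sport, dport):
            out["dns"] = parse_dns(ip["payload"][8:length])
    elif ip["proto"] == 6:                         # TCP
        out.update(proto="TCP", tcp=parse_tcp(ip["payload"]))
    return out

# ---- constructed packets (not captured traffic; checksums left at zero) ----
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                       ip2b(src), ip2b(dst)) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

QNAME = b"\x03www\x09microsoft\x03com\x00"
QUESTION = QNAME + struct.pack("!HH", 1, 1)       # type A, class IN
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
DNS_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0) + QUESTION + b"".join(
    b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ip2b(a)   # \xc0\x0c points back at QNAME
    for a in ("203.0.113.10", "203.0.113.11", "203.0.113.12"))  # made-up answers
QUERY_PKT = ipv4(17, "192.0.2.50", "192.0.2.1", udp(51515, 53, DNS_QUERY))
RESPONSE_PKT = ipv4(17, "192.0.2.1", "192.0.2.50", udp(53, 51515, DNS_RESPONSE))
# SYN: data offset 6 (24 bytes) because of the 4-byte MSS option 02 04 05 b4 (1460)
SYN_PKT = ipv4(6, "192.0.2.50", "203.0.113.10",
               struct.pack("!HHIIHHHH", 51516, 80, 1000, 0, (6 << 12) | 0x002, 65535, 0, 0) + b"\x02\x04\x05\xb4")
SYNACK_PKT = ipv4(6, "203.0.113.10", "192.0.2.50",
                  struct.pack("!HHIIHHHH", 80, 51516, 5000, 1001, (5 << 12) | 0x012, 8192, 0, 0))
```

dissect(QUERY_PKT) reports UDP, destination port 53, an ephemeral source port and a type 1 (A) question, which are the answers to questions 9 to 12 for this constructed packet; dissect(RESPONSE_PKT)["dns"]["a_records"] lists the three addresses in the order the server returned them (question 6); dissect(SYN_PKT)["tcp"]["options"]["mss"] is the client's MSS (question 13) and dissect(SYNACK_PKT)["tcp"]["window"] is the server's window (question 14). Note that parse_dns deliberately counts only A records, so a reply that starts with a CNAME still yields the number of servers.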



Name: _____________________________ Date: _______________

1. _____________________________________________________________________
2. _____________________________________________________________________
3. _____________________________________________________________________
4. _____________________________________________________________________
5. _____________________________________________________________________
6. _____________________________________________________________________
7. _____________________________________________________________________
8. _____________________________________________________________________
9. _____________________________________________________________________
10. _____________________________________________________________________
11. _____________________________________________________________________
12. _____________________________________________________________________
13. _____________________________________________________________________
14. _____________________________________________________________________
15. _____________________________________________________________________
