
Lab Project: Analyzing Ethernet using Wireshark Packet Analyzer and DOS Commands

Developed by: Dr. Natarajan Meghanathan

In this project, you will analyze the local Ethernet and the Internet with the Wireshark packet analyzer (formerly named Ethereal) and DOS commands. For better analysis, I recommend going to the Computer Networks Lab (AT&T Lab) to work on the project. The Wireshark analyzer is available for free at www.wireshark.org/

You will learn and analyze the following three protocols in this section of the project:
(1) Domain Name Service - DNS
(2) Dynamic Host Configuration Protocol - DHCP
(3) Hyper Text Transfer Protocol - HTTP

DHCP

The main motivation behind DHCP is to enable individual computers in an IP network to obtain their configuration information (predominantly the IP address, but also the subnet mask, default gateway and DNS server addresses) from a server called the DHCP server. The DHCP server has no information about an individual computer until that computer requests its configuration. Using DHCP, a machine can be assigned a dynamic IP address each time it boots up.

GETTING STARTED WITH WIRESHARK

1) When you start Wireshark, the following GUI will appear:

2) To start capturing packets, pull down the Capture Menu and click Options. It will display a GUI similar to this.

3) Make sure you are using the correct network interface card, i.e., the one connected to the network (Ethernet) whose packets you want to capture. Then click Start.

4) The packet capture begins and a window like this will appear.

5) After doing the required tasks as mentioned in the project question, stop packet capturing by pressing the Stop button in the packet capture screen. The main Wireshark window with some packet information will appear (sample shown below). The window will have three parts, as illustrated in the figure:

Listing of captured packets

Details of selected packet

Packet content in Hexadecimal/ASCII

Questions Pertaining to HTTP Protocol

1) Start up the Wireshark packet analyzer.
2) Enter the following URL into your Internet Explorer browser: http://www.jsums.edu/cms/reu/2010/html/photos2010.html
3) After the web page is loaded, stop Wireshark.
4) You will get the main window with packet information similar to this:

5) Type http in the Filter field of the above screen. You will now see only the packets pertaining to the HTTP protocol. (This is a display filter: it hides the other packets from the list but they remain in the capture, so clearing the field brings them back.)

6) Select each packet in the top section of the window, and click on the + in the packet details section to expand the headers of each layer (Ethernet, IP, TCP, HTTP):

Find the IP address of your machine using the ipconfig DOS command.

In the filter field on the packet screen, enter ip.addr == YOUR_IP_ADDRESS && http, where YOUR_IP_ADDRESS is the IP address of your machine. Note that the comparison uses two = symbols. After analyzing each packet in the trace, answer the following questions (include screenshots for each of your answers):

1) Is your browser using HTTP version 1.0 or 1.1?
2) What are the accepted languages of your browser?
3) What is the IP address of the HTTP server your machine is trying to contact?
4) When was the html file you are trying to retrieve last modified at the server?
5) What is the HTTP response code returned by the server?
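The following is an added example, not part of the original lab handout: it shows where in the HTTP messages the answers to questions 1, 2, 4 and 5 live, by parsing a request/response pair the way the packet details pane does. The request and response are constructed to resemble what Wireshark shows under Follow TCP Stream for the lab URL; the dates, server banner and the IP address 192.168.1.50 used in the filter are made up. Question 3 is deliberately not answered from HTTP, because the server address is in the IP header, not in the HTTP message.

```python
# Added example for the HTTP questions above; not part of the original
# lab handout. REQUEST/RESPONSE are CONSTRUCTED, not a real capture.

REQUEST = (
    b"GET /cms/reu/2010/html/photos2010.html HTTP/1.1\r\n"
    b"Host: www.jsums.edu\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 05 Jul 2010 14:02:11 GMT\r\n"
    b"Server: Apache\r\n"
    b"Last-Modified: Fri, 25 Jun 2010 18:31:07 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"<html><body>REU</body></html>"
)


def display_filter(my_ip: str, proto: str = "http") -> str:
    """Build the Wireshark display filter used in the lab. Note the double
    '==': a single '=' is not a comparison operator in the filter language."""
    return f"ip.addr == {my_ip} && {proto}"


def parse_message(raw: bytes):
    """Split one HTTP/1.x message into (start line, headers, body).

    Header names are case-insensitive, so they are stored lower-cased; the
    value keeps its original text. Only the first value of a repeated header
    is kept, which is enough for this exercise."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return lines[0], headers, body


def answer_http_questions(request: bytes, response: bytes) -> dict:
    """Pull the items asked for in questions 1, 2, 4 and 5 out of the two
    messages. Question 3 (the server's IP address) is not inside HTTP at all:
    read it from the IP header (ip.dst of the request) in the packet details."""
    req_line, req_hdr, _ = parse_message(request)
    status_line, resp_hdr, body = parse_message(response)
    _method, _target, req_version = req_line.split(" ", 2)
    _resp_version, status_code, _reason = status_line.split(" ", 2)
    declared = int(resp_hdr.get("content-length", -1))
    return {
        "request_version": req_version,                      # Q1
        "accept_language": req_hdr.get("accept-language"),   # Q2
        "last_modified": resp_hdr.get("last-modified"),      # Q4
        "status_code": int(status_code),                     # Q5
        # sanity check: did the whole body arrive in this stream?
        "body_complete": len(body) == declared,
    }
```

In a real capture the response may be split over several TCP segments; Wireshark reassembles them, and the body_complete check above is the same comparison of Content-Length against the bytes actually received.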

DNS

Domain Name Service is used to resolve hostnames into IP addresses. Normally, we remember only the names of machines, like ccaix.jsums.edu, not their IP addresses. But if your machine wants to contact another machine on the Internet, it needs to know the IP address of that machine. The software that translates computer names into the equivalent IP addresses is called DNS software (the resolver on the client side, the name server on the server side), and the database that stores this translation information is called the DNS database. The DNS database is distributed across the Internet in multiple name servers. A client contacts a name server, which may contact other name servers until the name gets resolved.

1) Start Wireshark. Make sure the filter field in the packet screen is empty.
2) Load the webpage www.rediff.com
3) Stop Wireshark.

Find the IP address of your machine using the ipconfig DOS command. In the filter field on the packet screen, enter ip.addr == YOUR_IP_ADDRESS && dns, where YOUR_IP_ADDRESS is the IP address of your machine. Note that the comparison uses two = symbols. Use dns here rather than the http filter of the previous section; the http filter would hide the DNS query and response packets that the questions below ask about. You will get a screen similar to the sample shown below:
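The following is an added example, not part of the original lab handout: it constructs one DNS response datagram (UDP header plus DNS message) answering a query for www.rediff.com and decodes it field by field, the way the packet details pane does. It shows the server-side port 53, the transaction ID, the question, and how the answer count and each answer record are read, including the name compression pointers that Wireshark resolves silently. The two A records (203.0.113.10 and 203.0.113.11, from the TEST-NET-3 documentation range), the client port 51123 and the transaction ID are made up.

```python
# Added example for the DNS section; not part of the original lab handout.
# The response below is CONSTRUCTED; the addresses are documentation-range.
import struct


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, ending with 0."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"


def build_sample_response() -> bytes:
    # header: id, flags (QR=1 response, RD, RA), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.rediff.com") + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for ip in ("203.0.113.10", "203.0.113.11"):
        # 0xC00C = compression pointer to the name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        answers += bytes(int(o) for o in ip.split("."))
    dns = header + question + answers
    # UDP header: source port 53 (the server), destination = client's ephemeral port
    return struct.pack("!HHHH", 53, 51123, 8 + len(dns), 0) + dns


def parse_udp(datagram: bytes) -> dict:
    sport, dport, length, _checksum = struct.unpack_from("!HHHH", datagram, 0)
    return {"src_port": sport, "dst_port": dport, "payload": datagram[8:length]}


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4). Returns the name
    and the offset just past it in the original position. The hop limit
    guards against pointer loops, which a malicious response could contain."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns(msg: bytes) -> dict:
    ident, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        # type 1 = A record: four octets of IPv4 address; anything else shown raw
        data = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}
```

Ordinary lookups like this one travel over UDP because a single datagram each way is enough; DNS falls back to TCP (same port 53) only when a response is too large for UDP or for zone transfers. The transaction ID and the client's ephemeral source port are what tie a response to its query, which is also why a resolver must check both before accepting an answer.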

Answer the following questions (include screenshots for each of your answers):

1) Locate the DNS query and response messages. Are they sent over UDP or TCP?
2) What is the destination port for the DNS query message? What is the source port of the DNS response message?
3) To what IP address is the DNS query message sent? Use ipconfig /all to determine the IP address of your local DNS server (plain ipconfig does not list it). Are these two IP addresses the same?
4) Examine the DNS response message. How many answers are provided? What does each of these answers contain?
5) This webpage contains images. Before retrieving each image, does your host issue new DNS queries? Why do you think it behaves like that?

DHCP

1) Make sure the filter field in the packet screen is initially empty.
2) Start Wireshark.
3) Open the Windows command prompt.
4) Type ipconfig /release and press Enter.
5) Type ipconfig /renew and press Enter.
6) Stop Wireshark.

Answer the following questions by analyzing the packet screen (include screenshots for each of your answers):

1) What is the IP address and Ethernet address of the DHCP server that offers the IP address to your machine?
2) Are DHCP messages sent over UDP or TCP? Why?
3) What are the port numbers used by the DHCP server and by your machine?
4) What is the IP address and Ethernet address of your machine at the end of the process?
5) What are the four messages exchanged between the DHCP server and your client, and in what order?
6) What is the subnet mask of the network in which your machine is located?
7) What is the renewal time value set by the DHCP server for the IP address assigned to your machine?
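The following is an added example, not part of the original lab handout: it constructs the four-message lease exchange that ipconfig /release followed by ipconfig /renew produces (DISCOVER, OFFER, REQUEST, ACK) as UDP datagrams and decodes the fields the questions above ask for: ports, the message type, the assigned address, the client's hardware address, the server identifier, the subnet mask and the renewal time. The network 192.168.1.0/24, the client MAC 00:1a:2b:3c:4d:5e, the transaction ID and the lease values are made up.

```python
# Added example for the DHCP section; not part of the original lab handout.
# All addresses, the MAC and the transaction ID are CONSTRUCTED.
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                 # RFC 2131 magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"       # the 236-byte fixed part of a DHCP message


def build_dhcp(op: int, xid: int, yiaddr: str, chaddr: bytes, options) -> bytes:
    # op 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server); htype 1 / hlen 6 = Ethernet
    fixed = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options) + b"\xff"
    return fixed + MAGIC + opts


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def sample_exchange() -> list:
    """The four datagrams of one lease, in capture order (constructed).
    Client port 68 -> server port 67; the client has no IP address yet, so
    it must broadcast, which is why DHCP runs over UDP and not TCP."""
    xid, mac = 0x3903F326, bytes.fromhex("001a2b3c4d5e")
    server, offered = IPv4Address("192.168.1.1").packed, "192.168.1.50"
    lease_opts = [(54, server),                                  # server identifier
                  (1, IPv4Address("255.255.255.0").packed),      # subnet mask
                  (51, struct.pack("!I", 86400)),                # lease time (s)
                  (58, struct.pack("!I", 43200))]                # renewal (T1) time (s)
    return [
        udp(68, 67, build_dhcp(1, xid, "0.0.0.0", mac, [(53, b"\x01")])),
        udp(67, 68, build_dhcp(2, xid, offered, mac, [(53, b"\x02")] + lease_opts)),
        udp(68, 67, build_dhcp(1, xid, "0.0.0.0", mac,
                               [(53, b"\x03"), (50, IPv4Address(offered).packed), (54, server)])),
        udp(67, 68, build_dhcp(2, xid, offered, mac, [(53, b"\x05")] + lease_opts)),
    ]


def parse_dhcp(msg: bytes) -> dict:
    fields = struct.unpack_from(FIXED, msg, 0)
    hlen, xid, yiaddr, chaddr = fields[2], fields[4], fields[8], fields[11]
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, 240
    while i < len(msg) and msg[i] != 255:        # 255 = end option
        if msg[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option %d" % msg[i])   # malformed packet guard
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    ip = lambda b: str(IPv4Address(b)) if b else None
    return {
        "type": MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN"),
        "xid": xid,
        "yiaddr": ip(yiaddr),                     # address offered / assigned
        "client_mac": chaddr[:hlen].hex(":"),
        # the server's IP is option 54; its Ethernet address is the frame's source MAC
        "server_id": ip(options.get(54)),
        "subnet_mask": ip(options.get(1)),
        "lease_time": struct.unpack("!I", options[51])[0] if 51 in options else None,
        "renewal_time": struct.unpack("!I", options[58])[0] if 58 in options else None,
    }


def exchange_summary(datagrams) -> list:
    """(source port, destination port, message type) for each datagram."""
    out = []
    for d in datagrams:
        sport, dport, _length, _checksum = struct.unpack_from("!HHHH", d, 0)
        out.append((sport, dport, parse_dhcp(d[8:])["type"]))
    return out
```

Both server addresses the questions ask for come from different layers: the server's IP address is carried inside DHCP as option 54, while its Ethernet address is only in the source field of the Ethernet frame that carried the OFFER and ACK, so expand the Ethernet II header of those packets to read it.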

DOS Commands and Utilities


The DOS commands we will be studying are: ping, tracert, arp, ipconfig, nslookup, route, netstat and finger. To get an idea of the commands, refer to the documentation (Help Module) included after the questions. Submission: In addition to presenting the results, show how you tried to answer each of the questions by capturing the DOS screen using the PrintScreen key on your keyboard and then pasting it into the Paint application on your PC. Save the picture as a jpeg file and present the picture in your submission report.

1. Submit a hardcopy of your report in class.
2. Compress your report into a zip file and send it to me by email.

Questions (5 Points Each):

1. Use an efficient algorithm and any one of the above command tools to find the maximum data size that can be handled by the physical network to which your computer is attached.
2. Use the ping command to determine how long it takes for a request packet with a data size of 50 bytes to reach a website operated from India: www.sify.com. Then send another request packet with a data size of 1200 bytes to the same website and observe the delay this time. Compare the delays you observed in the two cases. Are they significantly different? If so, why? If not, why is there no significant difference?
3. Find the number of hops and the corresponding delay it takes to reach www.abc.com and www.eduaustralia.co.kr. What is the percentage increase in the number of hops and in the delay to reach the site in Korea compared to reaching www.abc.com, a website in California? If you observe that the increase in the delay is not proportional to the increase in the number of hops, comment on why.

4. Find the domain name of the machine with IP address 192.251.58.37.
5. Find the number of unicast Ethernet frames sent and received by each of the network interfaces of your PC.
6. What is the physical address of the Ethernet adapter of the PC on which you are working?
7. Find whether port number 4123 is part of an active connection.
8. What is the IP address and physical address of the default router to which your machine forwards a packet for which it has no other next-hop forwarding router information in its local routing table?
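The following is an added example, not part of the original lab handout: it shows the "efficient algorithm" behind question 1 as working code. Sending a ping with the Don't Fragment bit set and a payload larger than the link allows is rejected, so the largest accepted payload can be found by binary search rather than by trying sizes one at a time; adding the 8-byte ICMP header and the 20-byte IPv4 header turns that payload into the link MTU. Assumptions: the command line is Windows ping (-f sets Don't Fragment, -l sets the payload size, -n the count) and a reply line contains "TTL="; the default gateway 192.168.1.1 is made up and should be replaced with the one from ipconfig. The part the test runs uses a simulated probe standing in for an ordinary Ethernet link.

```python
# Added example for question 1 above; not part of the original lab handout.
# windows_ping_probe needs a real network and is not run by the test.
import subprocess

ICMP_HEADER, IPV4_HEADER = 8, 20   # bytes that sit on top of the ping payload


def windows_ping_probe(host: str, size: int) -> bool:
    """True if one Don't-Fragment ping of `size` payload bytes is answered.
    On Windows an oversized probe prints 'Packet needs to be fragmented but
    DF set.' and no 'TTL=' reply line (assumes an English-language ping)."""
    result = subprocess.run(["ping", "-f", "-n", "1", "-l", str(size), host],
                            capture_output=True, text=True)
    return "TTL=" in result.stdout


def find_max_payload(probe, lo: int = 0, hi: int = 65500) -> int:
    """Largest size for which probe(size) is True, assuming probe is monotone
    (True below the limit, False above). Invariant: lo passes, hi fails; each
    step halves the range, so about 16 probes cover 0..65500 instead of
    thousands of single-step attempts."""
    if probe(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def link_mtu(max_payload: int) -> int:
    """Turn the largest unfragmented ping payload into the link MTU."""
    return max_payload + ICMP_HEADER + IPV4_HEADER


def simulated_ethernet_probe(size: int) -> bool:
    """Stand-in for windows_ping_probe on a standard 1500-byte Ethernet link:
    1500 - 20 (IP) - 8 (ICMP) = 1472 payload bytes is the largest that fits."""
    return size <= 1472


def probe_count(probe):
    """Wrap a probe so the number of pings the search sends can be checked."""
    calls = [0]

    def counted(size):
        calls[0] += 1
        return probe(size)
    return counted, calls


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumed gateway
    best = find_max_payload(lambda s: windows_ping_probe(host, s))
    print("largest unfragmented payload:", best, "=> MTU", link_mtu(best))
```

Ping the default gateway, not a remote site, to measure the physical network you are attached to; a remote target reports the smallest MTU anywhere on the path instead. Do not carry the Windows flags over to Linux: there `ping -f` means flood ping, and the equivalent probe is `ping -M do -s <size> -c 1 <host>`.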

Help Module on DOS Network Tools and Commands

To go to the DOS prompt, click Start -> Run, type cmd and press Enter. Type cd\ in the DOS window; it will take you to the root directory, commonly C:\. To get an idea of the commands, we will now see the primary use of each of them.

Ping: Used to check the availability of systems by using ICMP Echo Request / Echo Reply messages. ping -l <size> sets the data size and ping -f sets the Don't Fragment bit.

Tracert: The tracert command (the Windows name for traceroute) is used to find the sequence of hops (i.e., the names and addresses of the intermediate routers) and the round-trip delay to each of them, from the source to a remote destination host.

Route: The route command is used to display and modify the entries in the local routing table.

Finger: The finger command is used to display information about the users logged in on a specific host, provided that host runs a finger service.

Arp: The arp command is used to display and modify the address resolution cache, which stores the mapping between the IP addresses of systems and their resolved physical (Ethernet) addresses. arp -a displays the current cache.

Ipconfig: The ipconfig command is used to display the current TCP/IP network configuration. Also try ipconfig /all to display the full configuration information, including the physical address, the DHCP server and the DNS servers.

Netstat: When used without parameters, netstat displays active TCP connections. Use the netstat -e option to learn the Ethernet interface statistics (frames and bytes sent and received). netstat -a lists the active TCP connections and also the ports on which the computer is listening for incoming TCP/UDP messages. netstat -n shows the numerical values of the IP addresses and ports used for active TCP connections instead of resolving them to names. netstat -s -p <protocol> shows the statistics for a specific protocol; the valid values for <protocol> with -s include tcp, udp, ip and icmp.

nslookup: The nslookup command is used to query DNS name servers (forward lookups from a name to an address, and reverse lookups from an address to a name) and to study the DNS infrastructure.
