Student Name ____________________________ GB# ________

NETW240 Week 7 Lab: Wireshark Protocol Analyzer

Launching Your Lab

The status of your lab is displayed at the top of the left navigation column.

Click the Start Lab Now button. A progress bar displays while the lab is being initialized. During this time you can view items under the Content area of the left navigation bar. When Initialization is complete, the status changes to In Progress. The clock starts and a lab diagram displays in the main content area.

Click on the diagram that appears and your virtual lab experience will begin.

If your connection isn't working, verify connectivity by clicking Verify Connection in the Tools section on the left navigation bar.

Assignment Learn about running Wireshark in the Fedora Linux environment.

Story You will install and configure Wireshark on the Vlab Linux PC. You will capture ARP, DHCP, and HTTP packets and analyze them.

Virtual Machine Login Information: Username: vlab  Password: password

Diagram

Fedora_Wireshark_Lab.doc 1 Revision Date: 1111


Task 1: Installing Wireshark on Fedora Linux

After logging in to the Fedora Linux PC as the vlab user (password: password), open a Terminal session and switch to the superuser with su root, again using the password password.

Use the ifconfig command to verify your IP address and subnet mask, and make a note of the interface name (eth0 through eth3). Use the route command (route -n prints numeric addresses) to determine the default gateway: it is the Gateway entry on the line whose Destination is 0.0.0.0 and whose Flags include G. Record this information in the table below. Your interface and IP address may differ from those shown, but the active address should be in a 10.254.*.* /24 network.
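An added example (not part of the lab and not the tools' own code) that fills the Task 1 table from ifconfig and route -n output and checks the address against the expected 10.254.*.* /24 network. The interface name, MAC address and IP addresses in the two sample outputs are constructed for illustration; on the lab PC you would paste the real command output in their place:

```python
import ipaddress
import re

# Constructed sample output in the net-tools format used on the lab's Fedora
# image. The interface name, MAC and addresses are made up for illustration.
IFCONFIG_OUTPUT = """\
eth2      Link encap:Ethernet  HWaddr 00:0C:29:3A:4B:5C
          inet addr:10.254.1.10  Bcast:10.254.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.254.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         10.254.1.1      0.0.0.0         UG    0      0        0 eth2
"""

LAB_RANGE = ipaddress.ip_network("10.254.0.0/16")   # the lab's 10.254.*.* space


def parse_ifconfig(text):
    """Map each interface that has an IPv4 address to (address, netmask)."""
    addresses = {}
    iface = None
    for line in text.splitlines():
        if line and not line[0].isspace():      # a new interface block starts flush left
            iface = line.split()[0]
            continue
        m = re.search(r"inet addr:(\S+).*?Mask:(\S+)", line)
        if m and iface:
            addresses[iface] = (m.group(1), m.group(2))
    return addresses


def parse_default_gateway(text):
    """Return (gateway, interface) from the route whose destination is 0.0.0.0."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "0.0.0.0" and "G" in f[3]:
            return f[1], f[7]
    return None


def in_lab_network(address, netmask):
    """The lab expects the active address to sit in a /24 inside 10.254.0.0/16."""
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    return net.prefixlen == 24 and net.subnet_of(LAB_RANGE)


def lab_table(ifconfig_text, route_text):
    """Fill the Task 1 table from the two command outputs and sanity-check it."""
    route = parse_default_gateway(route_text)
    if route is None:
        raise ValueError("no default route: check the DHCP lease on the interface")
    gateway, iface = route
    address, netmask = parse_ifconfig(ifconfig_text)[iface]
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    if ipaddress.ip_address(gateway) not in net:
        raise ValueError(f"gateway {gateway} is not on {net}")
    return {
        "interface": iface,
        "ip_address": address,
        "subnet_mask": netmask,
        "default_gateway": gateway,
        "in_lab_network": in_lab_network(address, netmask),
    }


if __name__ == "__main__":
    for key, value in lab_table(IFCONFIG_OUTPUT, ROUTE_OUTPUT).items():
        print(f"{key:16} {value}")
```

Parsing the outputs rather than copying them by hand also lets the script confirm that the gateway lies on the interface's own subnet; a gateway outside that subnet, or no 0.0.0.0 route at all, is the symptom to chase (usually a missing DHCP lease) before starting a capture.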

Interface ________  IP Address ________________  Subnet Mask ________________  Default Gateway ________________

All data collected will need to be transferred to the Lab Report document.



From the terminal, as root, install the Wireshark protocol analyzer with the command yum -y install 'wireshark*'. The -y switch answers yes to all installation prompts. The wildcard pulls in both the Wireshark program and the package that provides its GNOME front end, so the application can be run from the X Window GUI; quote the wildcard so the shell does not expand it against file names in the current directory before yum sees it. An abbreviated installation log is shown below.

Task 2: Starting Packet Capture and Generating Traffic

Open Wireshark from Applications -> Internet -> Wireshark Network Analyzer. Before it opens, you will be prompted for the root password. Enter password and click OK.



Click on the Capture menu and select Interfaces. Select the interface with the 10.254.*.* IP address and click the Start button. Wireshark should now be collecting packets.

Return to the terminal window and generate ARP and DHCP packets by releasing and renewing the DHCP lease on the active interface: execute dhclient -r eth2 followed by dhclient eth2. If your active interface is not eth2, substitute the interface name you recorded in Task 1. The renewal produces the DISCOVER, OFFER, REQUEST and ACK exchange, and the client then resolves the default gateway's MAC address with ARP.

We also need to generate some HTTP traffic. Open a website such as www.yahoo.com or www.cisco.com in the Firefox browser, quickly click on three or four links, then close Firefox. Use a plain http:// address: a site that redirects you to HTTPS produces only TLS records in the capture, and Wireshark cannot show the HTTP GET requests carried inside them.

Stop the capture of packets by clicking the Stop Capture toolbar button.



Task 3: Changing the View Settings for Wireshark

Click on the Protocol column header to sort the packets by protocol type.

Click the View menu and uncheck the box labeled Packet Bytes.

The last configuration setting we need to make is to resize the columns so that all of them fit on one screen.

Click on the View menu and select Resize All Columns.

Task 4: Analyzing ARP Request and Reply Packets

Select an ARP frame whose Info column reads Who has ##.##.##.##? Tell ..., where ##.##.##.## is the default gateway address recorded in Task 1. Make the Wireshark application window full screen if it isn't already.

In the View menu, uncheck Packet List so that the packet details fill the entire Wireshark View window. That way, we can see more of the frame data.



From the information in your captured frame, answer the following question: What is the MAC (physical) address of the host requesting the MAC address of the default gateway (router)?

_____________________________

In the View menu, check the Packet List check box and select an ARP reply that contains the label ##.##.##.## is at xx:xx:xx:xx:xx:xx, where ##.##.##.## is the default gateway IP address.

Return to the View menu and uncheck the Packet List check box.

From the information in your captured frame, answer the following question:

What is the MAC (physical) address of the default gateway (router), as given in the ARP reply?

_____________________________
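The two frames examined in Task 4, as an added example (not from the lab): it builds an ARP request and reply for constructed addresses (host 10.254.1.10 at 00:0c:29:3a:4b:5c, gateway 10.254.1.1 at 00:1b:2c:3d:4e:5f, all assumed), dissects them the way Wireshark does, and reads the two answers from the Sender MAC address field of each packet:

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

# Constructed addresses for the sample frames (not from the lab).
HOST_MAC = bytes.fromhex("000c293a4b5c")
HOST_IP = bytes([10, 254, 1, 10])
GATEWAY_MAC = bytes.fromhex("001b2c3d4e5f")
GATEWAY_IP = bytes([10, 254, 1, 1])


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet II frame carrying an ARP packet for Ethernet/IPv4 (hlen 6, plen 4)."""
    eth = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + sender_ip + target_mac + target_ip)
    return (eth + arp).ljust(60, b"\x00")   # pad to the 60-byte Ethernet minimum, as on the wire


def parse_arp_frame(frame):
    """Dissect one frame and build the same Info text Wireshark shows for it."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    body = frame[22:22 + 2 * (hlen + plen)]   # trailing padding is ignored
    sha, spa, tha, tpa = body[:6], body[6:10], body[10:16], body[16:20]
    if opcode == ARP_REQUEST:
        info = f"Who has {ip_str(tpa)}? Tell {ip_str(spa)}"
    elif opcode == ARP_REPLY:
        info = f"{ip_str(spa)} is at {mac_str(sha)}"
    else:
        info = f"ARP opcode {opcode}"
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "opcode": opcode,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa), "info": info}


def gateway_arp_answers(frames, gateway_ip):
    """Task 4 answers, plus a check that only one MAC claims the gateway address."""
    answers = {"requesting_host_mac": "N/A"}
    claimed = set()
    for frame in frames:
        p = parse_arp_frame(frame)
        if p["opcode"] == ARP_REQUEST and p["target_ip"] == gateway_ip:
            answers["requesting_host_mac"] = p["sender_mac"]   # from the request's sender MAC
        elif p["opcode"] == ARP_REPLY and p["sender_ip"] == gateway_ip:
            claimed.add(p["sender_mac"])                       # from the reply's sender MAC
    answers["gateway_macs"] = sorted(claimed)
    # ARP replies are unauthenticated: two different MACs answering for the
    # gateway within one capture is the classic sign of ARP spoofing.
    answers["conflicting_replies"] = len(claimed) > 1
    return answers


SAMPLE_REQUEST = build_arp_frame(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GATEWAY_IP, BROADCAST_MAC)
SAMPLE_REPLY = build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, HOST_MAC)

if __name__ == "__main__":
    for frame in (SAMPLE_REQUEST, SAMPLE_REPLY):
        print(parse_arp_frame(frame)["info"])
    print(gateway_arp_answers([SAMPLE_REQUEST, SAMPLE_REPLY], "10.254.1.1"))
```

In Wireshark the same two strings appear in the Info column, and the display filter arp.opcode == 2 isolates the replies. The conflicting_replies check is the one a practitioner adds: nothing in ARP authenticates a reply, so the host (and this script) believes whichever answer arrives, and a second MAC claiming the gateway address is worth investigating before trusting the rest of the capture.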


Capture the Wireshark ARP Request Packet details from the Element-K desktop and paste this image into the text box provided in your Lab Report document.

Capture the Wireshark ARP Reply Packet details from the Element-K desktop and paste this image into the text box provided in your Lab Report document.


Task 5: Analyzing DHCP Acknowledgement Packets

In the View menu, check the Packet List checkbox. Select a DHCP ACK. Return to the View menu and uncheck the Packet List checkbox. The DHCP ACK packet shown below is an example. Your packet information may be different.

Note: A DHCP client sends a DHCP DISCOVER broadcast frame to the local network to request configuration information from a DHCP server. The DHCP server responds to the DISCOVER with a DHCP OFFER. The client accepts the offer with a DHCP REQUEST, and lastly the server sends a DHCP ACK (acknowledgement). The ACK carries all of the configuration the client will use: it provides the client with an IP address (the "Your (client) IP address" field), a subnet mask, and the IP address of the DHCP server (the Server Identifier option). Additional options may include the default gateway (Router) address, DNS server addresses, the domain name of the network, and the lease time.

Expand the details of the DHCP ACK frame as shown above and provide the following information from the frame details. If the information is not specified in the packet, write N/A.

DHCP Client UDP Port # ___________ DHCP Server UDP Port # _________

Client IP Address: ____________________________

Server IP Address: ____________________________

Router IP Address: ____________________________ DNS Server IP Address: ____________________________

DHCP Lease Time ____________________________
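A constructed DHCP ACK, as an added example (not the lab's packet): the BOOTP header, magic cookie and option list are built from scratch for an assumed server 10.254.1.2, client 10.254.1.10 and router 10.254.1.1, then parsed to fill in every blank in the Task 5 table, writing N/A for any option the server did not send:

```python
import struct

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# RFC 2132 option codes used below
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 1, 3, 6, 15
OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_udp(src_port, dst_port, payload):
    # UDP checksum left at zero (permitted for IPv4); this sample never hits the wire.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_dhcp_reply(xid, yiaddr, siaddr, chaddr, options):
    """BOOTREPLY (op=2): fixed 236-byte BOOTP header, magic cookie, TLV options, end."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4, yiaddr, siaddr, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    tlvs = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + tlvs + bytes([OPT_END])


def parse_options(data):
    """Walk the option area: code 0 is a one-byte pad, 255 ends the list."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == OPT_END:
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_dhcp_datagram(datagram):
    """Extract the Task 5 fields from a UDP datagram carrying a DHCP reply."""
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    msg = datagram[8:udp_len]
    op, hlen = msg[0], msg[2]
    yiaddr, chaddr = msg[16:20], msg[28:28 + hlen]
    if msg[236:240] != DHCP_MAGIC:
        raise ValueError("no DHCP magic cookie: plain BOOTP or truncated packet")
    opts = parse_options(msg[240:])

    def one_ip(code):
        return ip_str(opts[code][:4]) if code in opts else "N/A"

    def ip_list(code):
        if code not in opts:
            return "N/A"
        raw = opts[code]
        return ", ".join(ip_str(raw[i:i + 4]) for i in range(0, len(raw), 4))

    is_reply = op == 2   # server -> client, so the UDP source is the server port (67)
    return {
        "message_type": MESSAGE_TYPES.get(opts[OPT_MESSAGE_TYPE][0], "unknown")
                        if OPT_MESSAGE_TYPE in opts else "N/A",
        "server_port": src_port if is_reply else dst_port,
        "client_port": dst_port if is_reply else src_port,
        "client_mac": mac_str(chaddr),
        "client_ip": ip_str(yiaddr),             # "Your (client) IP address" in Wireshark
        "server_ip": one_ip(OPT_SERVER_ID),      # option 54; siaddr is next-server, often unset
        "subnet_mask": one_ip(OPT_SUBNET_MASK),
        "router": one_ip(OPT_ROUTER),
        "dns": ip_list(OPT_DNS),
        "domain_name": opts[OPT_DOMAIN].decode("ascii", "replace") if OPT_DOMAIN in opts else "N/A",
        "lease_time": struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else "N/A",
    }


# Constructed DHCP ACK from a server at 10.254.1.2 to the client 00:0c:29:3a:4b:5c.
SAMPLE_ACK = build_udp(DHCP_SERVER_PORT, DHCP_CLIENT_PORT, build_dhcp_reply(
    xid=0x3903F326,
    yiaddr=bytes([10, 254, 1, 10]),
    siaddr=bytes([10, 254, 1, 2]),
    chaddr=bytes.fromhex("000c293a4b5c"),
    options=[
        (OPT_MESSAGE_TYPE, bytes([5])),
        (OPT_SERVER_ID, bytes([10, 254, 1, 2])),
        (OPT_LEASE_TIME, struct.pack("!I", 86400)),
        (OPT_SUBNET_MASK, bytes([255, 255, 255, 0])),
        (OPT_ROUTER, bytes([10, 254, 1, 1])),
        (OPT_DNS, bytes([10, 254, 1, 2, 10, 254, 1, 3])),
        (OPT_DOMAIN, b"vlab.local"),
    ]))

if __name__ == "__main__":
    for key, value in parse_dhcp_datagram(SAMPLE_ACK).items():
        print(f"{key:13} {value}")
```

In Wireshark releases before 3.0 the display filter for this traffic is bootp; from 3.0 on it is dhcp, and udp.port == 67 works in both. Two fields are easy to confuse when filling the table: the client address is the "Your (client) IP address" field (yiaddr), and the server address is option 54 (Server Identifier), not the "Next server IP address" field, which many servers leave at 0.0.0.0.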

All collected data must be transferred to the Lab Report document.



Task 6: Analyzing HTTP Packets

In the View menu, check the Packet List checkbox. Select an HTTP packet that has the word GET in the Info column. Return to the View menu and uncheck the Packet List checkbox. An HTTP packet is shown below as an example. Your packet information may be different.

What is the MAC address of the default gateway? ___________________

What field in the IP header determines the transport layer protocol that will handle the contents of the packet? ___________________

What is the window size indicated for the segment? ___________________

What is the sequence number for the segment? ___________________

What is the acknowledgement number for the segment? ___________________

What field in the TCP header of your frame contains a well-known port number that maps to an application layer protocol that will handle the segment's data stream? ___________________
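The outbound HTTP GET frame from Task 6, as an added example (not from the lab): it builds an Ethernet/IPv4/TCP frame with correct IP and TCP checksums for assumed addresses (host 10.254.1.10 behind a gateway at 00:1b:2c:3d:4e:5f, web server 192.0.2.80 in the documentation address range) and then reads back the fields the six questions ask about:

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6            # value of the IP header's Protocol field for TCP
HTTP_PORT = 80             # well-known destination port that maps to HTTP
TCP_PSH_ACK = 0x18
LAB_NETWORK = ipaddress.ip_network("10.254.1.0/24")   # assumed local subnet

# Constructed addresses for the sample frame (not from the lab).
HOST_MAC = bytes.fromhex("000c293a4b5c")
GATEWAY_MAC = bytes.fromhex("001b2c3d4e5f")
HOST_IP = bytes([10, 254, 1, 10])
WEB_SERVER_IP = bytes([192, 0, 2, 80])      # documentation range, off the local subnet


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_http_get_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, seq, ack, window, request):
    """Ethernet II / IPv4 / TCP frame carrying an HTTP request, with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", src_port, HTTP_PORT, seq, ack, 5 << 4,
                      TCP_PSH_ACK, window, 0, 0) + request
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp_csum = (~ones_complement_sum(pseudo + tcp)) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, src_ip, dst_ip)
    ip_csum = (~ones_complement_sum(ip)) & 0xFFFF
    ip = ip[:10] + struct.pack("!H", ip_csum) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def parse_http_frame(frame, local_network=LAB_NETWORK):
    """Pull out the fields the Task 6 questions ask for."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_length = struct.unpack("!H", ip[2:4])[0]
    if ones_complement_sum(ip[:ihl]) != 0xFFFF:
        raise ValueError("bad IPv4 header checksum")
    protocol = ip[9]                       # Protocol field: selects the transport layer
    if protocol != IPPROTO_TCP:
        raise ValueError(f"IP protocol {protocol} is not TCP")
    tcp = ip[ihl:total_length]
    src_port, dst_port, seq, ack, offset, flags, window, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    payload = tcp[(offset >> 4) * 4:]
    dst_ip = ipaddress.ip_address(ip[16:20])
    return {
        "eth_src": mac_str(eth_src),
        "eth_dst": mac_str(eth_dst),
        # An off-subnet destination means the frame was handed to the default
        # gateway, so the Ethernet destination is the gateway's MAC address.
        "gateway_mac": mac_str(eth_dst) if dst_ip not in local_network else "N/A",
        "ip_protocol": protocol,
        "ip_dst": str(dst_ip),
        "src_port": src_port,
        "dst_port": dst_port,              # well-known port identifying the application protocol
        "seq": seq,                        # raw value; Wireshark shows a relative number by default
        "ack": ack,
        "window": window,
        "flags": flags,
        "request_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
    }


SAMPLE_GET = build_http_get_frame(
    HOST_MAC, GATEWAY_MAC, HOST_IP, WEB_SERVER_IP, src_port=43210,
    seq=0x1F2E3D4C, ack=0x0A0B0C0D, window=5840,
    request=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for key, value in parse_http_frame(SAMPLE_GET).items():
        print(f"{key:14} {value}")
```

Two things to keep in mind when comparing this with the Wireshark window: the gateway's MAC is the frame's destination only because the server is off the local subnet, and Wireshark displays relative sequence and acknowledgement numbers (counting from 0 at the handshake) unless you turn off Edit > Preferences > Protocols > TCP > Relative sequence numbers; the raw values returned here are what is actually on the wire. The display filter http.request.method == "GET" picks out the frames this task wants.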


Capture the Wireshark DHCP ACK Packet details from the Element-K desktop and paste this image into the text box provided in your Lab Report document.

Capture the Wireshark HTTP Packet details from the Element-K desktop and paste this image into the text box provided in your Lab Report document.


Remember to transfer all data collected and answered questions to your Lab Report document.
