Enterprise Network Systems
Laboratory Work - Examination of network traffic between client and server using a 'sniffer'
Assessment Value 2.5%

Introduction
Method
Writeup of the lab


Introduction

The object of today's laboratory work is to use Wireshark to analyse data traffic on a network. Wireshark is a software package that allows the user to see the contents of data packets entering and leaving a PC. You will concentrate on setting up display filters to show certain types of traffic from a premade display (capture) file.

This work will be assessed informally during the lab period and formally at the end of the first term.


Method

For the lab today, make sure that you note the results down as you get them and also that you keep electronic copies (screenshots) of the results from Wireshark. You may need to save these results using pbrush. If you save your results in jpg format, they will take up less disk space.

    1. Your PC should have a copy of Wireshark already installed. You may also complete this lab using your own PC or laptop, and you may download a copy of Wireshark from the engweb.info server.
    2. If you are conducting this lab on your own hardware, follow the on-screen instructions to install Wireshark.
    3. In the Network lab you will not be able to carry out a live capture of data so you should download the display file for this lab.
    4. How many packets of data are present in the display file?
    5. Examine the different sources and destinations involved using Wireshark. What is the IP address of the PC that made the display file?
    6. Which is the most common destination that the host PC has contacted?
    7. How many different protocols are visible? Hint: sort the display file by the Protocol column.
    8. Write a short description of the purpose for each of the protocols that are in the display.
    9. Note that the traffic is mainly from one PC to a number of different destinations, plus broadcasts.
    10. What impact does connection to a switch have on your network sniffing with regard to the other computers on the LAN?
    11. Read the Wireshark help page on display filters.
    12. What type of traffic is most common on the network?
    13. Devise a filter to only display this traffic.
    14. Now put the word 'NOT' in front of your filter and apply it in Wireshark.
    15. What traffic has been displayed?
    16. Devise a filter to only display packets that contain ICMP messages and save the responses.
    17. Devise a filter to only display ARP requests on the network and save the responses.
    18. Devise a filter to only display DNS messages and save the responses.
    19. Devise a filter that displays only data that has the DNS server as its destination and prove this by running your filter.
    20. Devise a filter that will display both HTTP and DNS traffic on the network - try to test this if possible.
    21. Create one filter of your own that will either block or allow a certain type of traffic to be displayed - explain the purpose of the filter.
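Steps 12 to 21 all come down to the same idea: a display filter is an expression that Wireshark evaluates against the dissected fields of every packet, keeping the packets where it is true. The following is an added example written for this handout, not part of the lab or of Wireshark itself. It builds a small constructed "display file" of eight frames (ARP, ICMP, DNS over UDP, HTTP over TCP; all MAC and IP addresses are made up, the 203.0.113.x address is from the RFC 5737 documentation range), dissects them by hand, and evaluates a subset of Wireshark's filter syntax against them: bare protocol names, `field == value` comparisons on ip.src, ip.dst, arp.opcode and the port fields, and NOT / AND / OR with parentheses. Like Wireshark's default dissection it decides "dns" and "http" by port number, which is an assumption rather than a deep inspection of the payload.

```python
"""Wireshark-style display filters evaluated over constructed frames.

Added example, not from the lab handout: ARP, ICMP, DNS/UDP and HTTP/TCP frames are
built as raw bytes, dissected into the fields Wireshark would show, and matched against
a subset of display-filter syntax (bare protocol names, `field == value`, and
not / and / or with parentheses).  Every address below is made up.
"""
import re
import struct

HOST, DNS_SERVER, WEB_SERVER = "192.168.1.10", "192.168.1.1", "203.0.113.5"   # constructed addresses
HOST_MAC, GW_MAC, BCAST = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "ff:ff:ff:ff:ff:ff"

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ipv4(s): return bytes(int(o) for o in s.split("."))
def eth(dst, src, ethertype, payload): return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
def udp(sport, dport, payload): return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ip_pkt(src, dst, proto, payload):   # 20-byte IPv4 header without options, TTL 64, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, ipv4(src), ipv4(dst)) + payload

def tcp(sport, dport, payload):         # minimal 20-byte TCP header, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def arp(opcode, sender_ip, target_ip):  # opcode 1 = request ("who has"), 2 = reply ("is at")
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + mac(HOST_MAC) + ipv4(sender_ip)
            + mac("00:00:00:00:00:00") + ipv4(target_ip))

DNS_HDR = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # constructed DNS header standing in for a query
CAPTURE = [   # constructed "display file": one PC talking to its DNS server and one web server
    eth(BCAST, HOST_MAC, 0x0806, arp(1, HOST, DNS_SERVER)),                                    # 0 ARP request
    eth(HOST_MAC, GW_MAC, 0x0806, arp(2, DNS_SERVER, HOST)),                                   # 1 ARP reply
    eth(GW_MAC, HOST_MAC, 0x0800, ip_pkt(HOST, DNS_SERVER, 17, udp(51000, 53, DNS_HDR))),       # 2 DNS query
    eth(HOST_MAC, GW_MAC, 0x0800, ip_pkt(DNS_SERVER, HOST, 17, udp(53, 51000, DNS_HDR))),       # 3 DNS reply
    eth(GW_MAC, HOST_MAC, 0x0800, ip_pkt(HOST, WEB_SERVER, 1, b"\x08\x00" + b"\x00" * 6)),     # 4 ICMP echo request
    eth(HOST_MAC, GW_MAC, 0x0800, ip_pkt(WEB_SERVER, HOST, 1, b"\x00\x00" + b"\x00" * 6)),     # 5 ICMP echo reply
    eth(GW_MAC, HOST_MAC, 0x0800, ip_pkt(HOST, WEB_SERVER, 6, tcp(52000, 80, b"GET / HTTP/1.1\r\n\r\n"))),   # 6 HTTP
    eth(HOST_MAC, GW_MAC, 0x0800, ip_pkt(WEB_SERVER, HOST, 6, tcp(80, 52000, b"HTTP/1.1 200 OK\r\n\r\n"))),  # 7 HTTP
]

def decode(frame):
    """Dissect one frame into the fields a filter may name (keys follow Wireshark's field names)."""
    f, body = {"eth": True}, frame[14:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        f["arp"], f["arp.opcode"] = True, struct.unpack("!H", body[6:8])[0]
    elif ethertype == 0x0800:
        f["ip"] = True
        f["ip.src"], f["ip.dst"] = (".".join(str(b) for b in body[i:i + 4]) for i in (12, 16))
        l4, proto = body[(body[0] & 0x0F) * 4:], body[9]
        if proto == 1:
            f["icmp"], f["icmp.type"] = True, l4[0]
        elif proto in (6, 17):
            name = "tcp" if proto == 6 else "udp"
            sport, dport = struct.unpack("!HH", l4[:4])
            f[name], f[name + ".srcport"], f[name + ".dstport"] = True, sport, dport
            if name == "udp" and 53 in (sport, dport): f["dns"] = True    # port-based, like Wireshark's default
            if name == "tcp" and 80 in (sport, dport): f["http"] = True
    return f

TOKEN = re.compile(r"\(|\)|==|[A-Za-z_][\w.]*|\d[\d.]*")

def matches(expr, fields):
    """Evaluate a display-filter expression (subset) against one decoded frame; precedence: not > and > or."""
    toks, pos = TOKEN.findall(expr), 0
    def peek(): return toks[pos].lower() if pos < len(toks) else None
    def take(): nonlocal pos; pos += 1; return toks[pos - 1]
    def parse_or():
        v = parse_and()
        while peek() == "or": take(); v = parse_and() or v
        return v
    def parse_and():
        v = parse_not()
        while peek() == "and": take(); v = parse_not() and v
        return v
    def parse_not():
        if peek() == "not": take(); return not parse_not()
        return parse_atom()
    def parse_atom():
        t = take()
        if t == "(":
            v = parse_or()
            if take() != ")": raise ValueError("missing ')' in filter")
            return v
        if peek() == "==":                                 # field comparison
            take(); rhs = take()
            return t in fields and str(fields[t]) == rhs   # a frame without the field never matches
        return bool(fields.get(t.lower()))                 # bare protocol name: "is this protocol present?"
    result = parse_or()
    if pos != len(toks): raise ValueError("unexpected token " + toks[pos])
    return result

def apply_filter(expr, frames=CAPTURE):
    """Frame numbers (0-based) the filter keeps, i.e. what Wireshark's packet list would still show."""
    return [i for i, fr in enumerate(frames) if matches(expr, decode(fr))]

def protocols(frames=CAPTURE):
    """Top-level protocol per frame, as the Protocol column shows; len(set(...)) counts the distinct ones."""
    order = ("dns", "http", "icmp", "arp", "udp", "tcp", "ip", "eth")
    return [next(p for p in order if decode(fr).get(p)).upper() for fr in frames]
```

On this constructed capture `apply_filter("dns")` keeps frames 2 and 3, `apply_filter("ip.dst == 192.168.1.1")` keeps only the query to the DNS server, `apply_filter("http or dns")` keeps 2, 3, 6 and 7, and putting NOT in front (`"not (http or dns)"`) inverts that to the ARP and ICMP frames, which is exactly the effect steps 13 to 15 ask you to observe. The same expressions, typed into Wireshark's filter bar, select the corresponding packets of the real display file; the one thing to keep in mind is that a comparison such as `ip.dst == ...` is simply false for an ARP frame, because that frame has no IP header at all.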

Part 2 - Detective Work
Download the detective.pcap file and try to work out what is happening.
Write a brief account of the transactions that are taking place.


Write up this lab, following the instructions given below, in your own words. This means NO CUT & PASTE.


Writeup of the lab

You are expected to write an account of the work that you carried out in the lab. Show CLEARLY the display filters that you have created and include printouts to show the effect of these filters.

Make sure that it is easy to find the answers to the questions above.

Printouts of Wireshark are allowed in your work and you may word-process this lab, but you WILL LOSE ALL MARKS if you are found to have used 'cut & paste' of text to complete this work, i.e. do not plagiarise other websites etc.

This laboratory is worth 2.5% of the marks for this half of the course.

Keep a record of this work in your log book. Show it to your lab demonstrator before you leave. You will need to submit this work for marking.


© MMClements  Last updated : 07/11/2011 13:39

Using Ping

Ping is a useful network utility to test the connection at the network layer between two computers. It is generally run from the command prompt.

An example is shown below. You will need to click Start, then Run, type cmd into the text field and click OK.

Type ping, then follow this with a URL or IP address.


You will see the replies from the chosen host showing the number of bytes transferred, the time taken for the transfer of data and the Time to Live (TTL) field.

The usage is as follows:

C:\Documents and Settings\ab123\Desktop>ping

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet (IPv4-only).
    -i TTL         Time To Live.
    -v TOS         Type Of Service (IPv4-only).
    -r count       Record route for count hops (IPv4-only).
    -s count       Timestamp for count hops (IPv4-only).
    -j host-list   Loose source route along host-list (IPv4-only).
    -k host-list   Strict source route along host-list (IPv4-only).
    -w timeout     Timeout in milliseconds to wait for each reply.
    -R             Trace round-trip path (IPv6-only).
    -S srcaddr     Source address to use (IPv6-only).
    -4             Force using IPv4.
    -6             Force using IPv6.
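The "bytes", "time" and "TTL" values that ping prints all come straight from the ICMP echo reply and the IP header around it, which is also what the ICMP filter in the Wireshark part of this lab shows you. The following is an added example, not part of the handout and not the ping program's own code: it builds the echo request ping sends (type 8, with the RFC 792 ones'-complement checksum and the identifier/sequence pair that lets a reply be matched to its request), constructs the reply a far host would return, and parses that reply the way ping reports it. The addresses, the 118 TTL and the 32-byte payload are constructed values (32 bytes is what Windows ping sends by default); nothing is sent on the network.

```python
"""ICMP echo (ping) request and reply at the byte level.

Added example, not part of the handout: build the echo request, compute the
checksum, construct the reply a remote host would send back, and parse it into
the "bytes=... TTL=..." values ping prints.  Addresses and TTL are made up.
"""
import struct

SRC, DST = "192.168.1.10", "203.0.113.5"             # constructed: our PC and a documentation-range host
WIN_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"    # 32 bytes, the default data size Windows ping sends

def icmp_checksum(data):
    """RFC 1071 checksum: ones'-complement of the ones'-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident, seq, payload=WIN_PAYLOAD):
    """Type 8, code 0; identifier and sequence number let the sender match replies to requests."""
    csum = icmp_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def simulated_reply(request, ttl=118):
    """Constructed IPv4 packet carrying the echo reply (type 0) for `request`; the TTL is made up."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    csum = icmp_checksum(struct.pack("!BBHHH", 0, 0, 0, ident, seq) + request[8:])
    icmp = struct.pack("!BBHHH", 0, 0, csum, ident, seq) + request[8:]   # reply echoes the data back
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                         bytes(int(o) for o in DST.split(".")), bytes(int(o) for o in SRC.split(".")))
    return ip_hdr + icmp

def parse_echo_reply(packet, ident, seq):
    """Return (data_bytes, ttl) if `packet` is an intact echo reply matching ident/seq, else None."""
    ihl, ttl, proto = (packet[0] & 0x0F) * 4, packet[8], packet[9]
    icmp = packet[ihl:]
    if proto != 1 or icmp_checksum(icmp) != 0:        # not ICMP, or the checksum no longer verifies
        return None
    typ, code, _, rid, rseq = struct.unpack("!BBHHH", icmp[:8])
    if typ != 0 or code != 0 or (rid, rseq) != (ident, seq):
        return None                                   # some other ICMP message, or not a reply to us
    return len(icmp) - 8, ttl                         # ping's "bytes=" is the data length, "TTL=" the IP TTL

if __name__ == "__main__":
    req = build_echo_request(ident=1, seq=1)
    print("Reply from %s: bytes=%d TTL=%d" % ((DST,) + parse_echo_reply(simulated_reply(req), 1, 1)))
```

Running the block prints a line in the same shape as ping's output for the constructed reply. A reply whose bytes were damaged in transit fails the checksum test, and a reply carrying a different identifier or sequence number is ignored, which is how ping avoids counting a late or unrelated echo reply as an answer to the current request; the TTL you see has been decremented once by every router the reply crossed, so comparing it with the common initial values (64, 128, 255) gives a rough hop count.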