CMIT 265 Name:_____________________________

Download from the local web server the wireshark...exe and install it. Start Wireshark/Ethereal.

Wireshark/Ethereal is a network protocol analyzer. To capture frames: Capture | Interfaces | Capture button of the active NIC. Click Stop to stop the capturing.

The top pane is a list of the frames: captured frame number, time since start of capture, source and destination addresses, "top-level" protocol, and brief description. The rows are sortable by these columns (sort by No. to get the original order back). The middle pane is the selected frame: each encapsulation's fields are displayed. The bottom pane is a hex and ASCII display of the frame. Highlighted is what is currently selected in the middle pane.

Start capturing. Download a file from the web so your system gets some traffic. Then stop the capture.

How many frames were captured:____________
How much time did the capture last:__________
What are the different protocols listed in the Protocol column: _______________________________________________

Download etherealDump1 from the class web site. This is a saved capture taken on 192.168.1.120 in the 192.168.1.0/24 network. It's in tcpdump format, a binary format used by Wireshark/Ethereal. We'll use it for this exercise so that we are all on the same page. Open it in Wireshark/Ethereal.

Frame 20 is an ARP request.
What is the size of the frame:___________
Source MAC address:_______________________
What manufacturer, based on the OUI (Wireshark's built-in database):___________
Source IP address:_______________________
What is this source IP address in hexadecimal:_____________
Destination MAC address:_______________________
What IP address does it want to know the MAC address of:_________

Frame 21 is the ARP response to the previous ARP request.
Source MAC address:_____________
What manufacturer, based on the OUI:___________
Source IP address:_____________
Destination MAC address:_______________
Destination IP address:_______________

Frame 22 is what kind of packet:___________
Size of this frame:_____
What is the Time to Live value:________
What is the ICMP Type and Code:__________
How much and what is the "data" that is sent:__________________________

Frame 23 is the Echo Reply.
What is the ICMP Type and Code:__________
Is the Data the same or different:_______

Frame 8 is what top-level protocol:_____
Being sent to what IP:_______________
The Type____ and Code____

Frame 40 is a DNS query being sent to a DNS server.
Size of this frame:_______
What transport layer protocol is used:_______
What is the source port:_______
What is the destination port:______
What name is being queried for translation to its IP address: _________________

Frame 41 is the response from the DNS server. There are several aliases reported, but the ultimate IP address to use is in the Answers section as the first type A address:______________

Frame 42 is a ping of the address. Where is the response:____never gets one?_____

Frame 74 is the start of a tracert to www.microsoft.com.
Size of this frame:______
Its Time to Live:________
How much and what is the data sent:_______________

Frame 75 is the TTL Exceeded ICMP packet from the first hop, the default gateway.
What is its ICMP Type and Code:________
Notice that inside its ICMP it contains the IP and ICMP parts of the packet whose TTL expired. This is how ICMP error messages are used to help the original sender know what failed.

Find the last TTL Exceeded packet in this series.
What is the TTL remaining in this packet:_______
What was the starting TTL of the ping request that got sent to it:________

Frames 157-204 are the downloading of a web page.
The web server's IP address:_______________
157, 158 and 159 are the 3-way handshake between the two TCP peers that establishes the connection. Notice it's [SYN], [SYN, ACK], [ACK].

Frame 160 is the client's HTTP GET Request for a web page.
What ephemeral port is the client using:_______ (this low number confuses Wireshark into thinking it is a well-known port, hence the name pt2-discover).
What HTTP Request Method is the client using:_____
What is the Request URI:________________
What is the Request Version:_______

Frame 161 is the Acknowledgement from the server.

Frame 162 is the contents of the web page from the server.
What is the size of this frame:_______
The Response Code:__________
What kind/model of web server on what OS:________________
The Content-Length of this web page:_______
The Content-Type of this web page:_______
The first line of the text data:___________________

The web page has five inline images, each of which is a separate request and download. That's what the following frames are about. Frame 163 is the request for the ip_packet.gif file. It's 4193 bytes, so it has to be segmented to fit in Ethernet frames. Frames 164, 166 and 170 are the bulk of it (binary image data).

Frames 201-204 are the teardown of the connection: the [FIN, ACK], [ACK], [FIN, ACK], [ACK].

Close your web browser and any other networking applications. Start capturing. In CMD, telnet to the Linux server at 192.168.100.xxx. Issue the date command. Logoff. Stop capturing.

The TelnetData frames contain the data between your host and the Linux server.
Paste two lines that the server sent you:
__________________________________
__________________________________
Paste some of the data contents you sent to the server:
_ _ _ _
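The field breakdown Wireshark's middle pane shows for frame 20 (ARP request) and frame 75 (ICMP Time Exceeded quoting the expired packet), as an added example that is not part of the worksheet or of etherealDump1: a small stdlib-only dissector run over two frames constructed here (the MAC addresses, the 198.51.100.10 destination and the gateway address are made-up sample values).

```python
# Added example, not code from the worksheet: a minimal dissector for the two frame
# types the exercise inspects. Sample frames are constructed here, not taken from etherealDump1.
import struct

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(p):
    op = struct.unpack("!H", p[6:8])[0]             # 1 = request, 2 = reply
    smac, sip, tip = p[8:14], p[14:18], p[24:28]
    return {"op": op, "sender_mac": mac(smac), "oui": smac[:3].hex(),
            "sender_ip": ip(sip), "sender_ip_hex": sip.hex(), "target_ip": ip(tip)}

def parse_icmp(p):
    out = {"type": p[0], "code": p[1]}
    if out["type"] in (0, 8):                        # echo: payload follows the 8-byte header
        out["data"] = p[8:]
    elif out["type"] == 11:                          # Time Exceeded quotes the expired packet:
        inner = p[8:]                                # its IP header plus first 8 bytes of ICMP
        ihl = (inner[0] & 0x0F) * 4
        out["inner_ttl"], out["inner_dst"] = inner[8], ip(inner[16:20])
        out["inner_icmp_type"] = inner[ihl]          # 8 = the echo request that expired
    return out

def parse_ipv4(p):
    ihl = (p[0] & 0x0F) * 4
    out = {"src": ip(p[12:16]), "dst": ip(p[16:20]), "ttl": p[8]}
    if p[9] == 1:                                    # IP protocol 1 = ICMP
        out["icmp"] = parse_icmp(p[ihl:])
    return out

def dissect(frame):
    etype = struct.unpack("!H", frame[12:14])[0]
    out = {"len": len(frame), "dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12])}
    if etype == 0x0806:
        out["arp"] = parse_arp(frame[14:])
    elif etype == 0x0800:
        out["ip"] = parse_ipv4(frame[14:])
    return out

# Constructed: broadcast ARP "who has 192.168.1.1? tell 192.168.1.120" (42 bytes).
ARP_REQ = bytes.fromhex("ffffffffffff 000c29aabbcc 0806 0001080006040001"
                        "000c29aabbcc c0a80178 000000000000 c0a80101")
# Constructed: gateway 192.168.1.1 sends Time Exceeded (type 11) to the host, quoting
# the host's TTL=1 echo request to 198.51.100.10 (placeholder destination).
TTL_EXCEEDED = bytes.fromhex("000c29aabbcc 001122334455 0800 4500 0038 0000 0000 40 01 0000 c0a80101 c0a80178"
                             "0b00 0000 00000000 4500 003c 0000 0000 01 01 0000 c0a80178 c633640a"
                             "0800 0000 0001 0001")
for f in (ARP_REQ, TTL_EXCEEDED):                    # the fields the middle pane would list
    print(dissect(f))
```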