Networks -- CS 125
CS 125 Lab - Observing a Network at the TOP with Wireshark
Due date: Check the course for the due date.
In this assignment, you will use Wireshark, a packet sniffer, to capture and interpret frames transmitted on an Ethernet.
Because there can be security issues with a packet sniffer, sniff only what you are asked to sniff. If you would like to sniff other traffic, then PRIOR to sniffing, talk to me and I will get permission from the appropriate network users and administrators.
As a packet sniffer, Wireshark captures packets as they are being sent/received from/by your computer. Wireshark will store and/or display the contents of various protocol fields in the captured messages. Wireshark is passive in that it observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, the packet sniffer receives copies of the packets, so the packets still make their way to the intended recipient.
A packet sniffer has two parts: a packet capture library and a packet analyzer. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Almost all Unix-based packet sniffers use libpcap. Capturing all link-layer frames gives you all messages that are sent or received by all protocols and applications executing in your computer. The packet analyzer helps you interpret the data collected by the packet capture library. It displays the contents of all fields within a protocol message. Thus, the packet analyzer must understand the structure of all messages exchanged by protocols.
You are to work in pairs.
There is no additional preparation required beyond reading the introduction to the assignment. If you like, you can read more about Wireshark at its web site, http://www.wireshark.org.
You should all have been given permission to run Wireshark with administrative privileges on the cs network. Verify that you can do so. To run Wireshark, open a terminal and type wireshark, or use ssh with X forwarding to a machine running Wireshark.
Explore the user interface. Wireshark has five major components, as mentioned above.
Experiment with creating filters. Try these two different ways to exclude packets that are not related to a particular protocol:
How do the packets you see differ? Form a hypothesis as to why there is a difference.
When you run Wireshark, you can create a lot of data. Store your captures in /tmp, where the data will go away and not cause a problem with your quota.
In the Capture menu, choose Options.
Observe the option to Capture in promiscuous mode. In promiscuous mode, the trace will include all packets seen, regardless of whether they are addressed to or from your machine. Since the cs network is a switched network, it usually does not matter whether this is checked.
Click Start to begin a capture.
What traffic might you expect to find on a "quiet network," that is, one in which no user is deliberately using a network application such as a web browser? Consider both useful background activity and potentially malicious activity.
Read about Snort, an excellent open source network intrusion detection system. You can use Snort to monitor your local network for suspicious traffic patterns. Snort users write rules that specify what counts as suspicious traffic, using the same kind of information Wireshark captures (source and destination IP address, protocol, etc.). From what you have learned in this exercise, briefly discuss how Snort might work and suggest some traffic patterns that might indicate malicious activity.
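As an added example (not part of the lab handout and not Wireshark's or Snort's own code), the following Python shows what the packet analyzer described in the introduction has to do: decode a raw Ethernet frame layer by layer (Ethernet, IPv4, TCP/UDP ports) and then compare the recovered fields against a Snort-style rule header. The frame bytes and the single rule are constructed for illustration; the checksums are left as zero because nothing here validates them.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + TCP header, no payload.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"           # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    "4500" "0028" "0001" "0000" "40" "06" "0000"   # ver/IHL, TOS, total len 40, id, flags, TTL 64, proto 6 (TCP), cksum
    "c0a80102" "c0a80164"                          # src 192.168.1.2, dst 192.168.1.100
    "c350" "0017" "00000000" "00000000"            # sport 50000, dport 23, seq, ack
    "5002" "ffff" "0000" "0000"                    # data offset 5 + SYN, window, cksum, urgent
)

@dataclass
class Decoded:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def decode_frame(frame: bytes) -> Decoded:
    """Walk the headers the way an analyzer does: each layer tells you how to read the next."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ipv4 = frame[14:]
    ihl = (ipv4[0] & 0x0F) * 4          # header length in bytes (options may extend it)
    proto = ipv4[9]
    sport = dport = None
    if proto in (6, 17):                # TCP and UDP both start with 16-bit source/dest ports
        sport, dport = struct.unpack("!HH", ipv4[ihl:ihl + 4])
    return Decoded(mac(dst), mac(src), ethertype, ip(ipv4[12:16]), ip(ipv4[16:20]), proto, sport, dport)

# A Snort-style rule reduced to its header: protocol, destination network, destination port.
RULES = [{"msg": "cleartext telnet to internal host", "proto": 6, "dst_net": "192.168.1.", "dst_port": 23}]

def match_rules(d: Decoded, rules=RULES) -> List[str]:
    return [r["msg"] for r in rules
            if d.protocol == r["proto"] and d.dst_ip.startswith(r["dst_net"]) and d.dst_port == r["dst_port"]]
```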