Laboratory Seven – Sniffer
This laboratory shows you how to capture data on the LAN or over the Internet. It involves the data link layer (layer 2), the IP layer (layer 3) and the application layer (layer 7).
Objectives:
1) To capture data at the data link layer, the Internet Protocol (IP) layer and the Transmission Control Protocol (TCP) layer
2) To analyse the data, protocol, IP addresses and contents, with and without encryption (you should try the encrypted case at home).
Tool: Ethereal
Ethereal is a free network protocol analyzer for Unix and Windows. It lets you examine data from a live network or from a capture file on disk. You can interactively browse the captured data, view a summary and drill down into the details of each packet. Ethereal has several powerful features, including a rich display-filter language and the ability to view the reconstructed stream of a TCP session.
Procedure:
Download the file from
http://personal.cityu.edu.hk/~dcykcho/dco20203/ethereal-setup-0.10.9.exe and install it into your PC.
(At home: you can go to http://www.ethereal.com, click Binary Packages under Download to get the latest version, and select Windows Installers (95/98/ME..XP).)
You should also download WinPcap_3.0.exe, the packet-capture driver Ethereal needs on Windows, from
http://winpcap.polito.it/install/default.htm or from my web site
http://personal.cityu.edu.hk/~dcykcho/dco20203/WinPcap_3_0.exe
Run the downloaded installer on your workstation. The following is the first screen you will see. Note that the software was first released in 1998.
You can choose any components you like; I suggest installing Ethereal only, as follows.
It will then extract the files and install them step by step as follows:
Now start it from your Start menu.
This time when you open it, it will show the following screen.
Now just enable MAC name resolution.
Leave the other capture options untouched, start the capture and access my web site.
You will find that the screen displays the following. Note that your screen will differ from mine: I captured at home over a dial-up (switched) line, whereas you are using the LAN to access this web site.
Up to here: one mark ______
Procedure:
Data analysis
Now open the web page http://personal.cityu.edu.hk/~dcykcho/dco20203/lab7.htm
Start the capture and reload the above page so that you capture it.
Then, from the packet list, write down the following:
Source:______
Destination:______
Protocol:______
Info:______
Click Frame 1 and write down the information (choose a frame whose source is a numeric IP address such as 10.0.87.3):
arrival time:
packet length:
Now click the Ethernet (IEEE 802.3 / Ethernet II) line and write down
destination address: ______ (48-bit, i.e. 6-byte, MAC address)
source address: ______
type: ______ (which layer-3 protocol; IP is 0x0800)
Now click Internet Protocol:
write down source address: ______ destination address: ______
version: ______ header length (IP): ______
Now click User Datagram Protocol
Write down: src port: ______ dst port: ______
Source port: domain (______) Destination port: ______
Length: ______ (bytes)
Click Domain Name System (this part is optional, as you may or may not capture a DNS packet, e.g. if the name is already cached)
Write down the queries (you have to expand them): ______
Answer: ______ class ______, address ______ (IP)
Now click the frame with the HTTP protocol. HTTP is sent in cleartext, so you can check the contents and find that they are exactly the source of lab7.htm.
Now show the capture summary and write down the following:
How many packets you have captured: ______
Write down the interface: ______
One mark ______
If you still have time, find a secure server and see whether you can display the data. No need to write anything down. A secure server's URL starts with https://…… (you may have to import or accept the server's certificate in your browser). HTTPS is HTTP carried over SSL/TLS, so the page contents are encrypted and the sniffer shows only the handshake and ciphertext, not the HTML.
Appendix
Explanation on how to interpret the data
Physical (MAC) address: 44:45:53:54:00:00 (six bytes, shown as hex pairs separated by colons)
IP address: 144.214.2.32 (four bytes, shown in decimal separated by dots)
In the hex pane this address appears as 90 d6 02 20: 90 (hex) = 144 (decimal), d6 = 214, 02 = 2, 20 = 32.
The next four bytes, 90 d6 dd 1f, are the destination address: 144.214.221.31.
Port numbers (two bytes each): source port 00 35 (53 decimal, the DNS port), destination port 04 b6 (1206 decimal).
Contents of the TCP/UDP payload
You can capture e-mail traffic in the same way.
26/02/2005