The following projects were taken from the text Guide to TCP/IP (0-619-03530-7) and were revised slightly so they would work with EtherPeek 4.5. The version of EtherPeek included on the CD in the back of this text (version 4.1) will time out in 2002. The revised projects below will enable you to use your current text with EtherPeek 4.5. This version does not time out and does not require a serial number.
If a project is not listed below, it may be followed as is, from the text.
Please note the following global changes that apply to all chapters:
- Once you install the packet files from the CD, you will retrieve these files going forward, from a folder called 18654-2\Ch#, on your hard disk. For example, the phrase in your current text, “Open the Trace Files folder on the CD” should be replaced with, “Open the 18654-2\Ch# folder on your hard disk”.
- The “adapter selection” window is now referred to as the “Select Adapter” window.
- The “Capture Buffer Options” window is now referred to as the “Capture Options” window.
Differences between the EtherPeek figures in the book and the EtherPeek 4.5 for Windows demo software are:
Figures in Book / EtherPeek 4.5 for Windows demo software on the CD
Prev and Next buttons (lower-right corner of window) / Decode Prev and Decode Next (arrow buttons located above the packet window); lower-right corner contains information about the local NIC
Lower-left corner of window is blank / Lower-left corner of window displays the text “For Help, press F1.”
Title bar displays packet file name / Title bar displays “EtherPeek Demo” before the packet file name
Decode window does not include leading zeroes (00) before the numbers to the left of the colon / Decode window includes two leading zeroes (00) before the numbers to the left of the colon
Chapter One Revised Hands-on Projects
Project 1-1
The following Hands-on Projects assume that you are working in a Windows 2000 environment.
To manually install the EtherPeek for Windows demo software:
Before installing the software, ensure that you meet all the system requirements as listed in the Installation.txt file contained in the \Analyzers\Ether directory on the CD that accompanies this book.
1. Insert the CD-ROM included with this book in your CD-ROM drive.
2. Double-click the My Computer icon.
3. Double-click the CD-ROM drive icon.
4. Double-click the Ether folder icon.
5. Double-click the epwdemo.exe file.
6. After the WinZip Self-Extractor window appears, click Setup. The InstallShield Wizard runs.
7. Click Next on the Welcome screen.
8. In the Installation Notes screen, read the pre-installation notes and click Next.
9. The User Information screen appears. Enter your name and company name, and then click Next.
10. The Choose Destination Location screen appears. Click Next to accept the default application destination (C:\Program Files\WildPackets\EtherPeek Demo).
11. If a previous version of the EtherPeek for Windows demo was installed, an uninstall window appears. Click Yes to uninstall any previous versions of the EtherPeek for Windows demo, and then click OK when you are notified that the Uninstall process was successfully completed.
12. In the Start Copying Files screen, click Back if you need to change any settings. If not, click Next.
13. In the Setup Complete screen, you are prompted to view the readme.txt file or start the EtherPeek demo. Clear both check boxes, and click Finish. The EtherPeek for Windows demo software is installed.
Project 1-4
This project assumes you followed the steps in Hands-on Project 1-3, and the EtherPeek for Windows demo program is open.
To explore basic packets and statistics:
1. The Capture window now displays the basic information about the packets you captured. Click the down scroll arrow to view the entire list of packets (if they scroll out of view). Click and drag the Capture window handles so you can view more packets, if desired.
2. Click the Nodes tab at the bottom of the Capture window to view the list of devices for which the EtherPeek analyzer captured packets. Do you recognize your IP addresses? Do you see any broadcast addresses?
3. Click the Protocols tab at the bottom of the Capture window to view the protocols identified by EtherPeek.
4. Click the Conversations tab at the bottom of the Capture window to view the conversations identified by EtherPeek. Highlight the lines that contain the value Ethernet Broadcast in the Net Node 2 column. View the associated values in the Net Node 1 field to identify the MAC addresses of the workstations that sent those broadcast packets to the network.
5. Click the Size tab at the bottom of the Capture window to view the packet size distribution of the packets in the trace buffer. Packet sizes are listed in bytes. Which packet size is most common in your trace buffer?
6. Click the Summary tab at the bottom of the Capture window to view the summary of information about the trace buffer contents. Scroll through the summary to identify the type of communications seen in the trace buffer.
7. Click the History tab at the bottom of the Capture window to view the Utilization graph created by EtherPeek for the time you captured data.
8. Click the Log tab at the bottom of the Capture window to view the EtherPeek Capture Log.
9. Close the Capture window by clicking the Close button in the upper-right corner. You’ll focus on the Filter tab in the next project.
Chapter Two Hands-on Projects
Project 2-1
In this project, you define a range of network and host addresses that can be used on a subnetted Class B network. The network number assigned to you is 191.15.0.0. You define a network addressing system that supports 24 networks by subnetting the given address. This project uses the IP Subnet Calculator on the CD that accompanies this book.
To manually install the IP Subnet Calculator:
1. Insert the CD that accompanies this book in your CD-ROM drive.
2. Open Windows Explorer, double-click the CD-ROM icon, scroll down to the Subnet folder, double-click it to open it, and then double-click the IPCALC.EXE file.
3. Click the WinZip Setup button.
4. Click Next in the Welcome! screen.
5. Click the I Agree button in the WildPackets IP Subnet Calculator 3.2.1 Installation window.
6. Click Next to accept the default installation path (unless your instructor gives you an alternate path).
7. Click Next to install the program.
8. Click Next after viewing the installation readme text.
9. Click Finish to complete the installation.
To use the IP Subnet Calculator:
1. Open the IP Subnet Calculator (click Start, point to Programs, and then click WildPackets IP Subnet Calculator).
2. Enter the address 191.15.0.0 in the IP Address field.
3. Click the Subnet Info tab.
4. Click the down arrow next to the Max Subnets field.
5. Your network must support 24 subnets. Choose the number 30 from the drop-down list. Note the Subnet Mask field automatically changes to identify the network mask required to support 30 subnets.
6. Click the Subnets/Hosts tab to view the list of possible subnetworks and the host ID range.
7. When you are finished with this project, close the IP Subnet Calculator program.
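The following is an added worked example, not part of the textbook or the WildPackets calculator: it computes in Python what the Subnet Info and Subnets/Hosts tabs report for 191.15.0.0 when 24 subnets are required, using the classic rule (all-zeros and all-ones subnet IDs excluded) under which 5 borrowed bits give the 30 subnets chosen in Step 5.

```python
"""Added example (not from the textbook or the WildPackets calculator): reproduce
the Subnet Info and Subnets/Hosts results for 191.15.0.0 with 24 required subnets."""
import ipaddress

def classful_prefix(address: str) -> int:
    """Default prefix length implied by the first octet (classful A/B/C rules)."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8     # Class A
    if first < 192:
        return 16    # Class B, e.g. 191.15.0.0
    if first < 224:
        return 24    # Class C
    raise ValueError("not a Class A, B or C address")

def subnet_bits_for(required_subnets: int) -> int:
    """Smallest number of borrowed bits that yields enough usable subnets.
    Classic (RFC 950) subnetting, like the calculator's Max Subnets list,
    discards the all-zeros and all-ones subnet IDs: n bits give 2**n - 2."""
    bits = 2
    while (2 ** bits) - 2 < required_subnets:
        bits += 1
    return bits

def subnet_plan(network: str, required_subnets: int) -> dict:
    """Return mask, subnet count, hosts per subnet and (subnet, first, last) rows."""
    base = classful_prefix(network)
    bits = subnet_bits_for(required_subnets)
    parent = ipaddress.ip_network(f"{network}/{base}")
    subnets = list(parent.subnets(new_prefix=base + bits))
    usable = subnets[1:-1]  # drop the all-zeros and all-ones subnets
    rows = [
        (str(s.network_address), str(s.network_address + 1), str(s.broadcast_address - 1))
        for s in usable
    ]
    return {
        "max_subnets": len(usable),
        "subnet_mask": str(usable[0].netmask),
        "prefix_length": base + bits,
        "hosts_per_subnet": usable[0].num_addresses - 2,
        "rows": rows,
    }

if __name__ == "__main__":
    plan = subnet_plan("191.15.0.0", 24)
    print(plan["subnet_mask"], plan["max_subnets"], plan["hosts_per_subnet"])
    for subnet, first, last in plan["rows"][:3]:
        print(subnet, first, last)
```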
Project 2-2
You will need a computer with Internet access and a Web browser to complete this project.
To visit the Ralph Becker “IP Address Subnetting Tutorial” Web site:
1. Open your Web browser (click Start, point to Programs, and click Internet Explorer; or see your instructor if you use a different browser).
2. Enter the following URL in the Address text box:
3. Step through the tutorial, which provides more information and additional examples of IP subnetting.
4. Close the Web browser, unless you plan to proceed immediately to the next project.
Project 2-3
You will need a computer with Internet access and a Web browser to complete this project. You will access the 3Com Web site to look for information about IP addressing. Feel free to spend some time browsing this Web site after you complete the steps.
To find IP addressing information at the 3Com Web site:
Access and read the 3Com white paper “Understanding IP Addressing” to further cement the information covered in this chapter of the book.
1. Open your Web browser (click Start, point to Programs, and click Internet Explorer; or see your instructor if you use a different browser).
2. Enter the following URL in the Address text box:
3. Click the country link of your choice.
4. Type Understanding IP Addressing in the Search field, and then click the Search button.
5. Click the 3Com Press Box Technical Papers hyperlink. The Technical Papers list appears.
6. Scroll down the list to locate the document titled “Understanding IP Addressing: Everything You Ever Wanted To Know,” dated April 26, 1996, by Chuck Semeria. Click the hyperlink Understanding IP Addressing to access this document and read the article.
7. Close the Web browser, unless you plan to proceed immediately to the next project.
Chapter Three Hands-on Projects
Project 3-3
To open a saved trace file and examine an ARP packet decode:
You must copy the trace files from the CD that accompanies this book to your hard disk for use in the Hands-on Projects. To do so, insert the CD into your CD-ROM drive. In Windows Explorer, open the zip file in the Trace folder and save the contents to your hard disk. A folder named Course Technology\18654-2 is created that contains folders and trace files.
1. Click Start, point to Programs, and then click WildPackets EtherPeek Demo to start the analyzer program.
2. Click OK to close the EtherPeek demo information window.
3. Click File, Open.
4. Insert the CD that accompanies this book into your CD-ROM drive. Open the 18654-2\Ch3 folder on your hard disk.
5. Select the trace file arp.pkt. Click Open. The packet summary window appears and displays the seven packets in this trace file.
6. Double-click the first packet in the trace file to open the packet decode window. Carefully examine this ARP packet. Answer the following questions about Packet #1 in this trace:
a. What is the IP address of the source that sent this packet?
b. What IP address is this IP host trying to resolve?
c. What is the purpose of this packet?
7. Close the decode window of Packet #1. Leave the EtherPeek demo program open, and proceed immediately to Hands-on Project 3-4.
Project 3-4
To filter out all ARP traffic in the trace file:
1. Follow Hands-on Project 3-3 to open the arp.pkt trace file (if not already open).
2. This trace file includes some ARP, ICMP, and NetBIOS traffic. To highlight only the ARP packets (requests and replies), click the Protocols tab at the bottom of the trace file window. The Protocols window appears. If the window cannot display all the protocol entries, click the down scroll arrow until you can see the ARP protocol and the Req and Rsp rows.
3. Right-click the ARP row to open the protocols menu, as shown in Figure 3-24.
4. Click Select Related Packets, and then click By Protocol in the resulting shortcut menu. EtherPeek displays the Selection Results window and indicates the number of packets that are related to the ARP selection, as shown in Figure 3-25.
5. Click Hide Unselected. You should now have a trace summary window that displays only three ARP packets—Packets #1, #4, and #5. What is the purpose of Packets #4 and #5?
6. If the capture stopped notification dialog box appears, click OK. Close the trace summary window, and proceed immediately to Hands-on Project 3-5.
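As an added example (not from the textbook; the frames are constructed, not taken from arp.pkt), the Python below decodes the fields the ARP decode window shows in Projects 3-3 and 3-4 (sender and target addresses, operation, broadcast destination) and states what each packet is for, so the Request/Reply distinction behind the questions in both projects can be checked against bytes.

```python
"""Added example (not from the textbook): decode the fields EtherPeek shows for an ARP
packet. The frames below are constructed for illustration, not taken from arp.pkt."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_arp_frame(opcode: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes, eth_dst: bytes) -> bytes:
    """Ethernet II header followed by the 28-byte Ethernet/IPv4 ARP body (RFC 826)."""
    eth = struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa)
    return eth + arp

def decode_arp_frame(frame: bytes) -> dict:
    """Return the values a decode window lists for an ARP packet, plus its purpose."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04X})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    if opcode == ARP_REQUEST:
        operation = "Request"
        purpose = f"{ip_str(spa)} asks who holds {ip_str(tpa)}"
    elif opcode == ARP_REPLY:
        operation = "Reply"
        purpose = f"{ip_str(spa)} answers {ip_str(tpa)}: my MAC is {mac_str(sha)}"
    else:
        operation, purpose = f"opcode {opcode}", "unknown"
    return {"is_broadcast": dst == BROADCAST_MAC, "eth_src": mac_str(src),
            "operation": operation, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa), "purpose": purpose}

# Constructed sample exchange (locally administered MACs, RFC 5737 test addresses):
# 192.0.2.5 broadcasts a request for 192.0.2.1, which replies directly to the requester.
HOST_A, HOST_B = bytes.fromhex("020000000005"), bytes.fromhex("020000000001")
SAMPLE_REQUEST = build_arp_frame(ARP_REQUEST, HOST_A, bytes([192, 0, 2, 5]),
                                 bytes(6), bytes([192, 0, 2, 1]), BROADCAST_MAC)
SAMPLE_REPLY = build_arp_frame(ARP_REPLY, HOST_B, bytes([192, 0, 2, 1]),
                               HOST_A, bytes([192, 0, 2, 5]), HOST_A)
```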
Chapter Four Hands-on Projects
Project 4-4
To interpret the difference between two ICMP Echo packets:
1. Start the EtherPeek demo according to the instructions in Project 4-1.
2. Click File, Open, and select the trace file ping.pkt contained in the 18654-2\Ch4 folder on your hard disk.
3. Double-click Packet #1. This is an ICMP Echo Request packet. Review the ICMP portion of the packet. Answer the following questions about this packet:
a. What is the ICMP Identifier number in Packet #1?
b. What is the ICMP Sequence Number in Packet #1?
c. What is the ICMP Checksum value of Packet #1?
4. Click the Decode Next button to view Packet #2 and answer the following questions.
a. What is the ICMP Identifier number in Packet #2?
b. What is the ICMP Sequence Number in Packet #3?
c. What is the ICMP Checksum value of Packet #4?
5. The Identifier and Sequence Numbers are the same in both packets. Why is the ICMP Checksum value different in each packet?
6. Close the EtherPeek demo program, unless you proceed immediately to the next project. In that case, skip Step 1 in Hands-on Project 4-5.
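As an added example (not from the textbook, and using constructed packet values rather than ping.pkt), the Python below builds an Echo Request and an Echo Reply that share the same Identifier, Sequence Number and payload, and computes the ICMP checksum of each; comparing the two shows exactly which bytes account for the difference asked about in Step 5.

```python
"""Added example (not from the textbook): build an ICMP Echo Request and the matching
Echo Reply with identical Identifier, Sequence Number and payload, then compute the
checksum of each (RFC 792 header, RFC 1071 arithmetic). Packet values are constructed,
not taken from ping.pkt."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words; odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(icmp_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """Type(1) Code(1) Checksum(2) Identifier(2) Sequence(2) + payload; the checksum is
    computed over the whole message with the Checksum field zeroed."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, sequence)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, sequence) + payload

def checksum_field(packet: bytes) -> int:
    return struct.unpack("!H", packet[2:4])[0]

def checksum_is_valid(packet: bytes) -> bool:
    """A correct ICMP message sums to zero when the stored checksum is included."""
    return internet_checksum(packet) == 0

def compare_echo_pair(identifier: int, sequence: int, payload: bytes) -> dict:
    request = build_icmp_echo(ICMP_ECHO_REQUEST, identifier, sequence, payload)
    reply = build_icmp_echo(ICMP_ECHO_REPLY, identifier, sequence, payload)
    return {
        "request_checksum": checksum_field(request),
        "reply_checksum": checksum_field(reply),
        # Only the Type byte (8 vs 0) and the checksum bytes should differ.
        "differing_offsets": [i for i, (a, b) in enumerate(zip(request, reply)) if a != b],
        "both_valid": checksum_is_valid(request) and checksum_is_valid(reply),
    }

# Constructed sample: Windows-style 32-byte alphabet payload, ID 0x0200, sequence 0x0100.
SAMPLE = compare_echo_pair(0x0200, 0x0100, b"abcdefghijklmnopqrstuvwabcdefghi")
```

The Type field is the only header word that changes between the two messages, so the checksums differ by exactly that word (0x0800) even though Identifier and Sequence Number are identical.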
Project 4-6
This Hands-on Project assumes that you have Internet access.
To trace the route to another device on the Internet:
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt. The Command Prompt window opens.
2. Enter tracert to view the available command-line parameters. Keep the Command Prompt window open while you follow the next steps to launch the EtherPeek demo program.
3. Click Start, point to Programs, and then click WildPackets EtherPeek Demo.
4. The list of EtherPeek demo limitations appears. Click OK.
5. The Select Adapter window may appear. Click the adapter installed in your system. Click OK to close the Select Adapter window.
6. Click Capture on the menu bar, and then click Start Capture.
7. The Capture Options window appears. Click OK to accept the default buffer size of 1024 kilobytes. The Capture window appears. The Capture window number increments each time you start a new capture process.
8. Click the Filters tab and select the My IP Address filter (created in Hands-on Project 4-2).
9. Click Start Capture in the Capture window.
10. Click the Command Prompt button on the taskbar, or use Alt+Tab to make the Command Prompt window active.
11. Type tracert ip_address, where ip_address is the address supplied by your instructor for this project, and then press Enter.
12. Once your route tracing session completes successfully, close the Command Prompt window. Make the EtherPeek Demo window active.
13. If the demo is still capturing, click the Stop Capture button. (If the program automatically stopped capturing, click OK in the resulting message box.) Click the Packets tab. Scroll through the packets you captured in your trace buffer. Answer the following questions about your TRACEROUTE process:
a. What was the starting TTL value?
b. How many routers did you cross to reach your destination?
c. Did all the routers along the path answer?
d. How many packets did this route tracing process require?
Chapter Five Hands-on Projects
One global change for this chapter’s projects is:
- The instruction to “click the Next button at the bottom of the decode window” should be replaced with “click the Decode Next button at the bottom of the decode window.”
To examine the TCP header structure:
1. With the EtherPeek demo program open, click File, Open, and open the transfer.pkt file located in the 18654-2\Ch5 folder on your hard disk. There are 94 packets in this trace file.
2. Answer the following questions based on the contents of the packets in this trace file:
a. What well-known port number(s) is (are) used in this communication?
b. How many handshake processes occur between these devices? List the packets that contain handshake sequences, and the ports referenced during each of the handshake sequences.
c. Does either host ever advertise a window size of zero?
d. Which packet provides the acknowledgment for the data sent in Packet #84?
e. Are there any out-of-order packets in this communication?
f. What is the minimum window size seen in this communication?
3. Click the Close button to close the EtherPeek for Windows demo program.
Chapter Six Hands-on Projects
Project 6-3
For this Hands-on Project, your instructor provides a target domain name.
To view and analyze Whois communications:
1. The NetScanTools 4.12 trial program should already be running. If not, refer to Hands-on Project 6-2 to start the program.
2. To start the EtherPeek demo program, click Start, point to Programs, and then click WildPackets EtherPeek Demo.
3. Click OK to close the EtherPeek Demo information window.
4. If the Select Adapter window appears, select your network adapter, and click OK.
5. Click Capture on the menu bar, and then click Start Capture.
6. The Capture Options window appears. Click OK to accept the default buffer size of 1024 kilobytes. The Capture window appears. The Capture window number increments each time you start a new capture process.