Do this assignment with the partner I assign you. I will post partner assignments on Slack under #announcements.
Goals
- Start using the protocol analyzer / packet sniffer Wireshark
- Observe the network traffic associated with some simple protocols
- Try to make sense of the information Wireshark gives you
Experiments to perform
- Launch and log in to Kali. (If you're using REMOTELAB, the user name and password are both "kali".
If you installed Kali yourself, you specified a user name and password during the setup.)
- Launch Wireshark. Select the Applications menu in the upper left of Kali's desktop,
then "Sniffing & Spoofing", then Wireshark. Alternatively, you can type
"wireshark &" in a terminal window.
Ask a National Institute of Standards and Technology (NIST)
time server for the current time.
The first thing we want to observe is a minimal TCP interaction: handshake
followed by a server response of some kind followed by connection termination.
Fortunately, the daytime protocol gives us a
readily available service that involves just that.
- Choose a time server from this list
of National Institute of Standards and Technology time servers.
- In Wireshark, go to the Capture→Options menu. In the resulting dialog, select
your Ethernet interface (e0 or e1, probably), and then enter "tcp port 13" in the
Capture Filter blank. The blank should turn green to indicate a valid filter.
Then hit the Start button.
- Open a terminal and type
nc [domain-or-IP] 13
where "[domain-or-IP]" is the domain name or IP address of the NIST time server you selected
from the list of time servers.
- Wait for the time server to respond. Sometimes it takes a few seconds to respond.
You'll be able to tell that the server has responded once the date and time are printed in your terminal.
- Once you get a response, go to Wireshark and click on the red square Stop button.
- Examine the list of network frames/packets shown in the main Wireshark display, and
answer the questions listed in the What to hand in section below.
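The minimal TCP interaction described above (connect, one line from the server, close), as an added example that is not part of the original assignment: a toy daytime server and client on 127.0.0.1, so the exchange can be repeated offline. The server's behaviour (send one line, then close, as RFC 867 describes) is an assumption built into this stand-in, not a claim about what the NIST server in your capture did; what you actually observe there is what you should report.

```python
import socket
import threading
from datetime import datetime, timezone

def serve_daytime_once(listener):
    """Toy daytime server: accept one client, send one line, then close.
    Closing is what produces the server-side FIN in a capture (assumption: this
    stand-in imitates an RFC 867 server, which closes after sending)."""
    conn, _ = listener.accept()
    with conn:
        line = datetime.now(timezone.utc).strftime("%y-%m-%d %H:%M:%S UTC\n")
        conn.sendall(line.encode("ascii"))

def daytime_client(host, port, timeout=3.0):
    """Connect (the SYN / SYN-ACK / ACK you see in Wireshark), read until the
    peer closes, and report which side ended the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        client_port = s.getsockname()[1]   # ephemeral port the OS picked for our side
        chunks, closed_by = [], "client"
        while True:
            try:
                data = s.recv(1024)
            except socket.timeout:         # peer still open: we will be the one to close
                break
            if not data:                   # b'' means the peer sent its FIN first
                closed_by = "server"
                break
            chunks.append(data)
    return {"client_port": client_port, "closed_by": closed_by,
            "response": b"".join(chunks).decode("ascii", "replace")}

def run_local_demo():
    """Run server and client on 127.0.0.1 so the exchange works offline.
    Port 0 asks the OS for a free port; the real service listens on TCP 13."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    server_port = listener.getsockname()[1]
    t = threading.Thread(target=serve_daytime_once, args=(listener,))
    t.start()
    result = daytime_client("127.0.0.1", server_port)
    t.join()
    listener.close()
    result["server_port"] = server_port
    return result

if __name__ == "__main__":
    print(run_local_demo())
```

Capturing on the loopback interface ("lo") with the filter "tcp port [server_port]" while this runs shows the same handshake, data and FIN pattern as the real experiment, with the client side identified by the ephemeral port the script prints.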
Navigate to a web page.
- Start a new capture (Capture→Options) with the filter "host 45.79.89.123" (which
will only capture packets where either the sender or the destination is the host
cs231.jeffondich.com).
- In a web browser in Kali, navigate to this special page:
http://cs231.jeffondich.com/index.html.
- Watch out: If you try this a second time, your
browser might decide not to retrieve the page over the network, but instead
just display the copy of index.html that it retrieved the first time and
stored in the browser cache. The way to make sure you get a fresh HTTP
query each time is to open a new Private or Incognito window and navigate
to the page from there.
- Hit the Wireshark Stop button.
- Examine the list of network frames/packets shown in the main Wireshark display, and
answer the questions listed in the What to hand in section below.
Possibly handy information
What to hand in
- Put your answers in your repository in a text file named tools/wireshark.txt.
Start this file with your name and your partner's name.
- Study the list of network frames/packets shown in the main Wireshark display for the
daytime protocol experiment. In tools/wireshark.txt, add a heading
(like "===== DAYTIME =====") to show me where your daytime protocol answers
are, and then give brief answers to the following questions:
- Identify the parts of the TCP 3-way handshake by listing the frame summaries of the
relevant frames. Your summaries should look something like this:
3 10.0.2.15 129.6.15.27 TCP [SYN]...
(i.e. the frame number 3, the source IP address, the destination IP address, the protocol,
and the "Info" for the frame).
- What port number does the client (i.e. nc on your Kali computer) use for this interaction?
And why does the client need a port?
- What frame contains the actual date and time? (Show the frame summary as in question 1 above.)
- What is the full content (not counting the Ethernet, IP, and TCP headers) of that frame?
What does each piece of the frame content represent? (Most of the frame content is
things like the year, month, day, hour, etc., but there's a little more info, too.)
- What does [SYN] mean?
- What does [ACK] mean?
- What does [FIN] mean?
- Which entity (the nc client or the daytime server) initiated the closing of the TCP connection?
How can you tell?
- Study the list of network frames/packets shown in the main Wireshark display for the
web browser experiment. In tools/wireshark.txt, add a heading
(like "===== HTTP =====") to show me where your HTTP/browser answers
are, and then give brief answers to the following questions:
- How many TCP connections were opened?
- Can you tell where my homepage (index.html) was requested? (If not, why not?
If so, include frame summaries and/or other info that supports your answer.)
- Can you tell where my photograph (jeff_square_head.jpg) was requested? (If not, why not?
If so, include frame summaries and/or other info that supports your answer.)
- Put one more heading in wireshark.txt (like "===== QUESTIONS ====="), and write down
a few questions that you would like answered about how to interpret Wireshark output.
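To help with both question groups above (picking out the handshake frames and the first FIN for the daytime capture, and counting connections and locating the GET requests for the HTTP capture), here is an added example that is not part of the assignment: a small parser for frame summaries written in the "No. Source Destination Protocol Info" shape the questions ask for. The sample lines are constructed, not a real capture, and the Info strings assume Wireshark's usual flag notation ([SYN], [SYN, ACK], [ACK], [FIN, ACK]).

```python
import re

# Constructed frame summaries (not a real capture); addresses are examples only.
SAMPLE_FRAMES = """\
1 10.0.2.15 45.79.89.123 TCP [SYN] Seq=0
2 45.79.89.123 10.0.2.15 TCP [SYN, ACK] Seq=0 Ack=1
3 10.0.2.15 45.79.89.123 TCP [ACK] Seq=1 Ack=1
4 10.0.2.15 45.79.89.123 HTTP GET /index.html HTTP/1.1
5 45.79.89.123 10.0.2.15 HTTP HTTP/1.1 200 OK (text/html)
6 10.0.2.15 45.79.89.123 TCP [SYN] Seq=0
7 45.79.89.123 10.0.2.15 TCP [SYN, ACK] Seq=0 Ack=1
8 10.0.2.15 45.79.89.123 TCP [ACK] Seq=1 Ack=1
9 10.0.2.15 45.79.89.123 HTTP GET /jeff_square_head.jpg HTTP/1.1
10 45.79.89.123 10.0.2.15 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
11 45.79.89.123 10.0.2.15 TCP [FIN, ACK] Seq=900 Ack=300
12 10.0.2.15 45.79.89.123 TCP [FIN, ACK] Seq=300 Ack=901
"""

# frame number, source, destination, protocol, then the rest of the line as Info
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$", re.M)

def parse_frames(text):
    """One summary line per frame -> dict with no/src/dst/proto/info; junk lines are skipped."""
    return [{"no": int(n), "src": s, "dst": d, "proto": p, "info": i}
            for n, s, d, p, i in LINE_RE.findall(text)]

def find_handshakes(frames):
    """Return (SYN, SYN-ACK, ACK) frame-number triples. A bare [SYN] opens each
    connection; the reply must come back in the opposite direction, and the
    first bare [ACK] from the client after that completes the handshake."""
    triples = []
    for i, syn in enumerate(frames):
        if syn["proto"] != "TCP" or "[SYN]" not in syn["info"]:
            continue
        for j in range(i + 1, len(frames)):
            sa = frames[j]
            if "[SYN, ACK]" in sa["info"] and sa["src"] == syn["dst"] and sa["dst"] == syn["src"]:
                ack = next((f for f in frames[j + 1:] if "[ACK]" in f["info"]
                            and f["src"] == syn["src"] and f["dst"] == syn["dst"]), None)
                if ack:
                    triples.append((syn["no"], sa["no"], ack["no"]))
                break
    return triples

def find_requests(frames, path):
    """Frame numbers whose Info shows an HTTP GET for the given path."""
    return [f["no"] for f in frames if f["proto"] == "HTTP" and f["info"].startswith(f"GET {path} ")]

def first_fin_sender(frames):
    """Whoever sends the first FIN initiated the close; None if no FIN was captured."""
    return next((f["src"] for f in frames if f["proto"] == "TCP" and "FIN" in f["info"]), None)
```

The number of handshakes found is the number of TCP connections opened (a retransmitted SYN would be counted twice, so check for duplicates by hand); a page fetched from the browser cache shows no GET frame at all, which is the situation the Private/Incognito advice above avoids.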