The goal of this lab is to learn how to capture network traffic and do some very basic filtering of captured data using common network analysis tools. In the first part of the lab, you will use Wireshark to analyze an existing capture file. In the second part of the lab, you will capture packets from within a virtual machine using tcpdump.
Refer to the Wireshark User's Guide or the Wireshark wiki for help in this section. Also refer to the WireShark Filter Syntax and Reference during this lab. In particular, since Wireshark supports multiple network protocols, see the FILTER PROTOCOL REFERENCE section of the reference page for a comprehensive list of all filter fields available for each protocol type.
Download dump2.pcap to your cs340 account. You can do this by opening a terminal window and typing the following command:
wget http://www.cs.csub.edu/~melissa/cs340/dump2.pcap
Start Wireshark by selecting either Internet->Wireshark from the Linux desktop menu or by typing the command
wireshark &
in the terminal window.
Open dump2.pcap from the File->Open menu. When the file is open or when Wireshark is capturing live data, its display is divided into three windows. The upper window displays a summary listing of packets, one line per packet. The middle window displays the details of a single packet (whichever packet is highlighted in the top window). The bottom window displays the data of the highlighted packet in hex and ASCII. Filters for the pcap file are entered in the Filter box above the upper window.
The protocol filters you will use to analyze this pcap file are Internet Protocol (ip), Transmission Control Protocol (tcp), User Datagram Protocol (udp), and Internet Control Message Protocol (icmp). Other meaningful protocols for this particular pcap file are Ethernet (eth) and Internetwork Packet eXchange (ipx).
You can build a filter manually, or, if you click on the "Expression" button, you can use an expression builder that presents all possible choices to build the filter for you. For example, in the Expression builder, after you select the protocol, click on the + to open up the fields options. The fields in the expression primarily relate to the headers for the packet. Some sample fields for the expression are:
ip.host
ip.src_host
ip.dst_host
ip.src
ip.dst
ip.addr
tcp.srcport
tcp.port
tcp.dstport
Filters are built by creating Boolean expressions from the fields. An expression can be a comparison (using either a symbolic or an alpha comparison operator), a search, or a match. Multiple expressions can be joined together using the Boolean operators "and" and "or".
Comparison operators:
Alpha   Symbolic   Meaning
-----   --------   -------
eq      ==         Equal to
ne      !=         Not Equal to
gt      >          Greater Than
lt      <          Less Than
ge      >=         Greater than or Equal to
le      <=         Less than or Equal to
Search and match operators:
Alpha      Meaning
-----      -------
contains   Does the protocol, field or slice contain a value
matches    Does the protocol or text string match the given regular expression
Note: Wireshark supports Perl-compatible regular expressions. For example, the following filter will match any packet that contains strings like 'abc', 'Abc', 'ABC', 'aBC', etc.:
tcp matches "[Aa][Bb][Cc]"
Some sample filters are:
(udp.dstport == 8116) and (udp.srcport == 8116)
(tcp.srcport != 47783) or (tcp.dstport == 1177)
ip.addr == 136.168.244.203
tcp
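The following Python script is an added example (not part of the lab handout) that builds a small constructed pcap, parses the Ethernet/IPv4/TCP/UDP headers into Wireshark-style field names, and counts packets the way the filters above do; helios's address is not given on the page, so HELIOS is a made-up stand-in. It also shows the pitfall behind Question #1: a field such as ip.addr has two values per packet, so historically "ip.addr != X" matched whenever either address differed from X, whereas "!(ip.addr == X)" is the real negation in any version.

```python
import struct

HELIOS = "136.168.1.9"   # constructed stand-in: helios's real address is not given on the page
WEB = "136.168.246.23"   # the HTTP host named in Question #3
def frame(src, dst, proto, sport, dport):
    """Header-only Ethernet + IPv4 + TCP/UDP frame (MACs zeroed, checksums left 0)."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
          if proto == "tcp" else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                     6 if proto == "tcp" else 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + l4

def pcap(frames):
    """pcap file: 24-byte global header (v2.4, LINKTYPE_ETHERNET=1) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def packets(data):
    """Yield one dict per IPv4 packet, keyed like Wireshark's filter fields."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off = 24
    while off < len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        f, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if f[12:14] != b"\x08\x00":
            continue                            # not IPv4: the packet has no ip.* fields
        proto = {6: "tcp", 17: "udp"}.get(f[23], "other")
        p = {"ip.src": ".".join(map(str, f[26:30])),
             "ip.dst": ".".join(map(str, f[30:34])), "proto": proto}
        if proto != "other":
            l4 = f[14 + (f[14] & 0x0F) * 4:]    # skip Ethernet + IHL-sized IP header
            p[proto + ".srcport"], p[proto + ".dstport"] = struct.unpack("!HH", l4[:4])
        yield p

def count(data, pred):
    return sum(1 for p in packets(data) if pred(p))
# Constructed capture: two TCP flows touching helios, one TCP and one UDP flow that do not.
SAMPLE = pcap([frame(HELIOS, WEB, "tcp", 47783, 80), frame(WEB, HELIOS, "tcp", 80, 47783),
               frame("136.168.244.203", WEB, "tcp", 1177, 80),
               frame("136.168.244.203", "136.168.255.255", "udp", 8116, 8116)])
# Wireshark read "ip.addr != X" as "src != X or dst != X", so it still matched packets whose
# other address differs from X; "!(ip.addr == X)" is the negation Question #1 asks for.
def tcp_ip_addr_ne(data, x):      # counts like the filter:  tcp and ip.addr != x
    return count(data, lambda p: p["proto"] == "tcp" and (p["ip.src"] != x or p["ip.dst"] != x))
def tcp_not_ip_addr_eq(data, x):  # counts like the filter:  tcp and !(ip.addr == x)
    return count(data, lambda p: p["proto"] == "tcp" and not (p["ip.src"] == x or p["ip.dst"] == x))
```

The same count-and-compare check works for the tcpdump side of the lab, where "not host X" already means neither address is X.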
Your job is to write Wireshark filters to extract the relevant information from the pcap file. You will duplicate these filters with slightly different syntax for tcpdump in Part II. If your filters are working properly, the results from Wireshark and from tcpdump should match.
For each question, provide the filter string from the Wireshark filter bar as the answer to the question in your Moodle submission.
Question #1. Capture and count the number of tcp packets that are NOT to or from host helios.
Question #2. Capture and count the number of packets destined for telnet port 23 on any host.
Question #3. Capture and count the HTTP packets (tcp port 80) destined for 136.168.246.23.
Question #4. Capture and count all packets involved to and from LaserPrinters.
ln -s /usr/sbin/ring /usr/sbin/tcpdump
Tcpdump is the original packet capture utility and the de facto standard for packet capturing (sniffing) in the Unix world. Tcpdump is installed by default on many Linux and BSD distributions. Tcpdump has filtering capabilities but does not perform analysis - the output is raw packets in either binary or ASCII text format.
High-level analysis software such as traffic/protocol analyzers and IDSs is built on top of a sniffer. In high-level analysis you do not look at raw packets. But, as always, it is a good idea to understand the low-level output of a sniffer such as tcpdump if you want to truly understand high-level analysis. There may also be times when the pieces of the puzzle can only be uncovered by looking at what is happening at the lowest level.
Refer to the tcpdump man page for help in this section.
Running tcpdump to capture packets on a network requires a NIC in promiscuous mode, a packet capture library installed in the OS kernel, and the privilege to do so (usually root). Sniffing is a wiretap and a federal crime unless you have proper authorization.
So that we are all on the same page to begin with, we will start by using tcpdump to analyze the same pcap file that we analyzed in Part I. This file was originally created with tcpdump using the command:
tcpdump -s 0 -c 300 -w dump2.pcap
This captures all of the bytes (-s 0) of the next 300 packets (-c 300) to cross the interface into the pcap file (-w dump2.pcap). Note that this was also the same basic command as "ring around the rosie" used in Lab 4; "ring" was just tcpdump renamed and "rosie" was the pcap file.
Download the pcap file to the Linux virtual machine using the wget command:
wget http://www.cs.csub.edu/~melissa/cs340/dump2.pcap
We will be using command line options to read from this file and filter the packets. For example, this command displays the first 3 packets, including the link-level headers, from dump2.pcap:
tcpdump -c 3 -e -r dump2.pcap
The output should resemble:
reading from file dump2.pcap, link-type EN10MB (Ethernet)
08:32:21.225574 00:16:d4:b0:86:12 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 136.168.1.100 tell 136.168.247.79
08:32:21.233691 00:00:00:00:fe:01 (oui Ethernet) > Broadcast, ethertype IPv4 (0x0800), length 79: 0.0.0.0.8116 > 136.168.0.0.8116: UDP, length 37
08:32:21.234445 00:e0:d8:0a:02:14 (oui Unknown) > 00:13:72:4d:9c:ab (oui Unknown), ethertype IPv4 (0x0800), length 60: 136.168.0.0 > 0.0.0.0: [|icmp]
The output format varies by protocol type. For example, the second packet is a broadcast packet and its output is interpreted as follows:
Field in Output                      Meaning
---------------                      -------
08:32:21.233691                      timestamp
00:00:00:00:fe:01 (oui Ethernet)     hardware address for Ethernet source
> Broadcast                          destination is Ethernet broadcast address
ethertype IPv4 (0x0800)              this is a TCP/IP v4 IP packet
length 79                            bytes in the Ethernet frame
0.0.0.0.8116                         source IP is 0.0.0.0 and port 8116
> 136.168.0.0.8116:                  destination IP is 136.168.0.0 and port 8116
UDP,                                 protocol is UDP
length 37                            UDP data field is 37 bytes
See the man page OUTPUT FORMAT section for a more detailed explanation of the output.
Tcpdump has a sophisticated filtering mechanism. The tcpdump man page contains good examples (halfway down, under EXAMPLES). The dump file was created without filters, but you can filter the output from the captured file by adding a filter expression after the -r dump2.pcap option.
The filter syntax has some similarities to Wireshark filters. You will again be using different header fields in the packet to create the filter. Some common header fields are:
host
src host
dst host
port
src port
dst port
You can also do comparisons and create complex Boolean expressions. The comparisons in the basic filter expressions are primarily equal to and not equal to (Note: the advanced filter syntax supports much more but is beyond the scope of this lab). The default comparison for a header field is equality. Examples of comparisons:
Expression        Meaning
----------        -------
port 80           source port is 80 or destination port is 80
not host helios   source host and destination host are not helios
You can also filter on specific protocols, such as ip, udp, tcp, and so on. Only packets from those protocols will be included in the output. You can join a protocol keyword to a comparison expression to further restrict the matching packets to a specific protocol. For example:
Expression     Meaning
----------     -------
tcp port 80    TCP source port is 80 or TCP destination port is 80
udp            All UDP packets
To join multiple expressions together, you use the keywords "and" and "or", similar to how you did so in Wireshark. You should use double quotes to enclose any expression with parentheses, so that the shell does not try to parse the parentheses. Double quotes are optional for expressions without shell metacharacters in them.
Here are some example tcpdump commands using the filter expressions:
tcpdump -r dump2.pcap host helios
tcpdump -r dump2.pcap "dst host helios"
tcpdump -r dump2.pcap udp
tcpdump -r dump2.pcap "udp dst port 53"
tcpdump -r dump2.pcap ip host helios and not port 80
tcpdump -r dump2.pcap "(tcp and host helios) or udp port 53"
For Questions 1 - 4, provide the command used AND describe the output of the command. You cannot copy and paste from the Linux virtual machine, so you do not need to give the exact output of the command. However, you do need to give the EXACT command used, with the complete tcpdump filter and all tcpdump options.
For Questions 5 & 6, describe the output of the given command.
Question #1. Capture and count the number of tcp packets that are NOT to or from host helios.
Question #2. Capture and display the number of packets destined for telnet port 23 on any host.
Question #3. Capture and display the HTTP packets (tcp port 80) destined for 136.168.246.23.
Question #4. Capture and display all packets involved to and from LaserPrinters. Hint: use the -A switch for tcpdump and the -i switch for grep.
Question #5. Explain the output of this command (Hint: use IANA's well-known port list, dig, and /etc/services):
tcpdump -r dump2.pcap "host 136.168.241.81"
reading from file dump2.pcap, link-type EN10MB (Ethernet)
12:22:48.652560 IP 136.168.241.81.631 > 136.168.255.255.631: UDP, length 128
12:22:49.652992 IP 136.168.241.81.631 > 136.168.255.255.631: UDP, length 128
12:22:50.653493 IP 136.168.241.81.631 > 136.168.255.255.631: UDP, length 129
Question #6. Explain the output of this command (Hint: look in the tcpdump man page):
tcpdump -r dump2.pcap "icmp[icmptype] = icmp-echo"
reading from file dump2.pcap, link-type EN10MB (Ethernet)
12:22:49.088774 IP statseeker.csub.edu > 136.168.211.39: ICMP echo request, id 256, seq 256, length 24
12:22:50.104633 IP statseeker.csub.edu > 136.168.1.145: ICMP echo request, id 256, seq 256, length 24
For this part of the lab, we will capture some traffic from the Linux virtual machine. Start the packet capture with the following command:
tcpdump -s 0 -w lab5.pcap host sleipnir
Open another terminal in the Linux virtual machine by pressing ALT+F2 and log in again. You don't need to sudo to root in this second terminal. Try to ssh to Sleipnir using a FAKE password (and username if you wish):
ssh doesnotexist@sleipnir
Next try to ftp into Sleipnir, again using a FAKE password and username:
telnet sleipnir 21
USER doesnotexist
PASS myFakePassword
QUIT
Exit out of the F2 terminal and switch back to the original terminal using ALT+F1. Hit CTRL-C to stop the packet capture that tcpdump is doing. Send the pcap file to your Linux desktop with the following scp command (look at Lab 4 to see how to find out the VMware host IP address):
scp lab5.pcap cs340@{vmware_host_ip}:Desktop/
Question #1. What type of network traffic are you seeing in your capture file?
Question #2. Find the ssh login attempt. Can you see your fake username and/or password in the packets?
Question #3. Find the ftp login attempt. Can you see your fake username and/or password in the packets?
What to Submit for This Lab
Submit the answers to the questions for each part of the lab in the Moodle submission box. There is no ability to do file uploads for this lab.