Packet Capture and Analysis

Aims:

  • To become familiar with the network packet capture tools available in Windows and Linux
  • To learn about the features of packet capture tools and how they are used
  • To capture and analyse packets from a simple TCP/IP session

Notes:

Handling Disk Drive Drawer

The drive drawers contain delicate hard disk drives and should be handled carefully.
  • Do not drop the drawer onto the desktop......
  • Do not remove or replace drive drawers with the power ON - turn off the PC before removing or inserting drives
  • Do not handle any electronics without suitable anti-static precautions
Please be sure that the power is OFF before removal or insertion of a drive drawer and that the drawer is properly seated before turning the power back on. If you are having difficulty with a drive drawer, please call your tutor....

Network hardware configuration data

A properly connected network interface can be configured using DHCP or using the static settings shown below:
 
NIC          IP              Mask             Gateway          DNS
First NIC    192.168.1.??    255.255.255.0    192.168.1.254    192.168.1.254
Second NIC   192.168.2.??    255.255.255.0    192.168.1.??     192.168.1.254

Note: The IP numbers will be different for each system. See your tutor for details.

Exercises

Follow the steps below. Make sure that someone in your group is making extensive notes about the actions taken.

The Windows XP environment

  1. Form a group and choose two neighbouring machines.
    Repeat steps 2 through 7 below on each machine....
  2. Make sure that the One-series disk is installed (the drive drawer label should start with "One").
    If not, replace the drive drawer with the right one for your PC.
    Make sure that the drive is firmly inserted and that the access key-lock is in the LOCKED position.
    Turn on the power and wait for the machine to boot Windows XP.
  3. Login with the username Supervisor (your tutor will announce the password).
    Verify:
    1. that the WinXP operating environment is OK,
    2. that PING 192.168.1.254 works, and
    3. that the Web browser works (e.g. visit http://my.monash.edu.au).
    If you encounter any problems check the cabling, driver configuration and browser proxy settings.
    If there are more problems that you cannot remedy, call your tutor for assistance.
  4. In a command window, enter IPCONFIG /ALL and note the configuration details.
    How many network interfaces are configured and how was this achieved?
  5. In the Windows Start menu, click through to Settings|ControlPanel|Network.
    Right-click on the first Local Area Network icon and choose Status.
    What kind of NIC is this and how is the IP number allocated?
    Can you see what the IP number has been set to?
  6. Open a DOS Command window and enter the command IPCONFIG /ALL.
    What is the IP configuration?

Packet Capture and Analysis in Windows

  1. Visit the WildPackets web site, register and download the EtherPeek evaluation package and install it on one of your machines. Details of how to do this are in the README.TXT file supplied with the download.
  2. Use EtherPeek running on one machine to view the network traffic to/from a web browser open in another window and viewing the URL http://www.monash.edu.au. Remember that this is an evaluation version and it will only capture packets for a limited amount of time, so you will have to think carefully about how you can do it (i.e. make a plan first!). You may need to repeat the experiment a few times to get it right (:-|
  3. Revisit the same web address (don't use the Reload command). Has the web browser cache changed the retrieval pattern at all?
  4. You can see the packets going to or from your own machine. Can you see any HTTP packets going to any other machines in the Lab? What other traffic can you see?
  5. Repeat the EtherPeek packet capture experiment, but this time try monitoring a Telnet session.
  6. Repeat the EtherPeek experiment while doing a NET USE command (same as clicking the Map Network Drive button) in a DOS Command window on your machine.
  7. How many different protocols have you seen? Make a list.... and discuss this with your tutor.
    What part of the various packet structures actually identifies the protocol type of the data contained in each packet?
  8. How useful would it be if you could save the EtherPeek output for later analysis?
  9. What are the network security implications of using programs like EtherPeek?
  10. Now uninstall EtherPeek using the Start|ControlPanel|AddRemovePrograms menu function.
  11. Shut down the machine and boot Linux.
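The question in step 7 (which header field identifies the protocol carried at each layer) can be answered by decoding a frame by hand. The script below is an added example for this worksheet, not part of the lab sheet and not EtherPeek's code: it constructs two Ethernet/IPv4/TCP frames (the MAC addresses, IP addresses, port numbers and payloads are made up, and checksums are left at zero because the frames are never sent) and then reads back the three fields a protocol analyser labels packets by: the EtherType in the Ethernet header, the Protocol field in the IPv4 header, and the port numbers in the TCP header. The decoded Telnet payload also shows the security implication asked about in step 9: everything typed into a Telnet session, including a login, travels in clear text.

```python
# Added example (not from the lab sheet): decode the header fields that
# identify the protocol at each layer of an Ethernet frame.
import struct

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Well-known port -> application protocol. Ports are only a convention, so a
# real analyser also inspects the payload before trusting this guess.
TCP_PORT_NAMES = {23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def build_frame(src_port, dst_port, payload):
    """Construct an Ethernet/IPv4/TCP frame carrying `payload` (test data only).
    Addresses are made up and checksums are zero; the frame is never transmitted."""
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, protocol=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 254])) + tcp
    # Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip


def identify(frame):
    """Walk the frame layer by layer and report which field identified each one."""
    ethertype, = struct.unpack_from("!H", frame, 12)          # bytes 12-13 of Ethernet header
    result = {"ethertype": ethertype, "l3": ETHERTYPE_NAMES.get(ethertype, "unknown")}
    if ethertype != 0x0800:
        return result                                           # ARP, IPv6, ... not decoded here
    ihl = (frame[14] & 0x0F) * 4                                # IPv4 header length in bytes
    proto = frame[14 + 9]                                       # IPv4 Protocol field (byte 9)
    result["ip_protocol"] = proto
    result["l4"] = IP_PROTO_NAMES.get(proto, "unknown")
    if proto != 6:
        return result
    tcp_off = 14 + ihl
    src_port, dst_port = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4                   # TCP header length in bytes
    payload = frame[tcp_off + data_off:]
    app = TCP_PORT_NAMES.get(dst_port) or TCP_PORT_NAMES.get(src_port) or "unknown"
    result.update({"src_port": src_port, "dst_port": dst_port, "app": app,
                   # Telnet and HTTP carry their data unencrypted, so the analyser
                   # (and anyone else on the segment) can read it directly.
                   "cleartext_payload": payload.decode("ascii", "replace")})
    return result


if __name__ == "__main__":
    for frame in (build_frame(1025, 80, b"GET / HTTP/1.0\r\n\r\n"),
                  build_frame(1026, 23, b"example-login\r\n")):
        print(identify(frame))
```

Running the script prints one dictionary per constructed frame; the `cleartext_payload` entry of the Telnet frame is the point to compare against what EtherPeek shows when you monitor a real Telnet session in step 5.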

The Linux environment

  1. After booting Linux investigate the Linux environment. Login as user "root". Your tutor will tell you what the password is....
  2. Open a shell window and using the ifconfig -a command, confirm the configuration of the first ethernet card as device eth0.
  3. If you need to change the configuration of the TCP/IP environment use ifconfig with appropriate parameters. You may need to enter the shell command /etc/init.d/network restart in order to activate the changes.
  4. Confirm the operation of the network interface using the command ping -c4 192.168.1.254

Packet Capture and Analysis in Linux

  1. Download and install either the Ethereal or TCPdump package. Your tutor will announce details of how to do this. You will now perform experiments similar to those done in the Windows XP environment with Etherpeek, but use the analyser you just downloaded.
  2. Capture and display HTTP traffic
  3. Capture and display Telnet traffic
  4. Shut down the machine and turn off the power then, if necessary, replace the original disk in the drive drawer.
  5. Please don't leave the Lab until your tutor has inspected the machines used by your group. You must leave the machines in a tidy and correctly working state for the benefit of those who come after.... (:-)
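Step 8 of the Windows section asked how useful it would be to save a capture for later analysis. tcpdump does exactly that with `tcpdump -w file`, and the file it writes (the libpcap format) is what Ethereal opens and what `tcpdump -r file` reads back. The script below is an added example for this worksheet, not code from tcpdump or Ethereal: it writes three constructed dummy frames (a made-up Ethernet header followed by filler bytes) to a pcap file, reads the file back, and reports what a later analysis pass can still learn. It also demonstrates the snapshot-length pitfall: each record stores both the length captured and the length on the wire, and older tcpdump releases default to a short snapshot length (68 bytes), so a capture made without `-s 0` keeps the headers but loses most of the HTTP or Telnet payload.

```python
# Added example (not from the lab sheet, tcpdump or Ethereal): a minimal writer
# and reader for the classic libpcap file format used by `tcpdump -w`.
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # magic as written by a little-endian host
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same file written by a big-endian host
LINKTYPE_ETHERNET = 1


def write_pcap(path, frames, snaplen=65535):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).
    Frames longer than snaplen are stored truncated, as `tcpdump -s <n>` does."""
    with open(path, "wb") as f:
        # global header: magic, version 2.4, time zone offset, sigfigs, snaplen, link type
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, frame in frames:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            captured = frame[:snaplen]
            # record header: ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on the wire)
            f.write(struct.pack("<IIII", sec, usec, len(captured), len(frame)))
            f.write(captured)


def read_pcap(path):
    """Return (link_type, snaplen, records); each record is (timestamp, orig_len, data)."""
    with open(path, "rb") as f:
        magic, = struct.unpack("<I", f.read(4))
        if magic == PCAP_MAGIC:
            e = "<"
        elif magic == PCAP_MAGIC_SWAPPED:
            e = ">"                    # file came from a big-endian host: swap byte order
        else:
            raise ValueError("not a classic pcap file (bad magic number)")
        _major, _minor, _zone, _sig, snaplen, link_type = struct.unpack(e + "HHiIII", f.read(20))
        records = []
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break                  # end of file (a short header means a cut-off capture)
            sec, usec, incl_len, orig_len = struct.unpack(e + "IIII", hdr)
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated pcap file")
            records.append((sec + usec / 1e6, orig_len, data))
    return link_type, snaplen, records


def summarize(path):
    """What a later analysis pass can still learn from a saved capture."""
    link_type, snaplen, records = read_pcap(path)
    truncated = sum(1 for _, orig, data in records if len(data) < orig)
    return {"link_type": link_type, "snaplen": snaplen, "packets": len(records),
            "bytes_on_wire": sum(orig for _, orig, _ in records), "truncated": truncated}


def demo(snaplen):
    """Write three constructed dummy frames with the given snaplen and summarize them."""
    eth_hdr = bytes.fromhex("00112233445566778899aabb0800")       # made-up MACs, EtherType IPv4
    frames = [(1000.0 + i, eth_hdr + bytes([i]) * size)          # 74, 614 and 1500 bytes on the wire
              for i, size in enumerate((60, 600, 1486))]
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "lab.pcap")
    try:
        write_pcap(path, frames, snaplen=snaplen)
        return summarize(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("full capture  :", demo(65535))
    print("68-byte snaplen:", demo(68))
```

With the full snapshot length every byte on the wire is preserved; with a 68-byte snapshot length all three frames come back marked as truncated, which is why a capture meant for later protocol analysis should be taken with `tcpdump -s 0 -w file`.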