Network assignment ghostwriting: CS176A Wireshark


Learn to use the Wireshark tool.
![Wireshark](https://upload.wikimedia.org/wikipedia/commons/thumb/9/90/Wireshark_3.0.3_screenshot.png/300px-Wireshark_3.0.3_screenshot.png)

Objectives

The goal of this assignment is to help you understand what is going on in the
network by seeing and focusing on exactly what bits, packets, and information
flows across a network link. This task is rather difficult because network
protocol designers have worked hard to provide significant abstraction to the
higher layer applications (and they have done an excellent job). Therefore, as
a user (and at the highest layer of the protocol stack), you are able to see
very little of what happens in the network. However, there are tools that we
can use.

Assignment Details

The goal of this assignment is to examine real protocols in use and understand
the communication that takes place in a network by examining the bits that
flow across a network hop. Using the right tools, you will be able to inspect
the DLL/MAC, Network, Transport, and Application layers.

For this assignment you will use the application Wireshark (once upon a time
called Ethereal and before that TCPdump). Wireshark lets a user capture
packets from the network in real-time and/or save them for viewing at a later
time. When running Wireshark you should see something like Figure 1. Wireshark
is available for most platforms, including Windows, from
http://www.wireshark.org/. It is also available in the CSIL lab either in KDE
under “Internet”, or by simply typing “wireshark” at the command line.

Wireshark usually requires “root privilege” to run. Of course, this is a good
thing because it should be hard to capture packets on the network! So, the
capturing has been done for you, and a capture file has been created. Take the
f20-176-proj-trace.pcapng file (right click and use the “Save Link As…”
option). The file is also posted on GauchoSpace. Use it as the source file for
Wireshark (HINT: do a “man wireshark” and look at how to use the -r option).
While you cannot run Wireshark to snoop packets off the network in real-time
without root privilege, you can run Wireshark on a file without any additional
permissions. Part of doing this assignment well is learning how to effectively
use Wireshark, so you will likely want to read and/or reference the User’s
Guide. You will also want to use the GUI in Wireshark to more closely
investigate what is happening in the homework trace.

Some of the things going on in the trace will involve protocols we have not
yet gone over in class, have covered only very briefly, or won’t ever cover.
You will have to use the course textbook or Google as references to find
information about all of these protocols. Finally, Piazza will be used
extensively to answer questions about the trace, so be prepared to ask
questions.

So, how should you proceed? Start by considering the following questions:

  • How many total packets are in the trace file?
  • What DLL/MAC layer addresses can be seen in the trace?
  • What IP addresses can be seen in the trace?
  • How do the DLL/MAC and IP addresses map to each other?
  • What is the Ethernet packet type and what does it mean?
  • Can you tell from the trace file which Ethernet card is used to capture the traffic data, a normal 10/100M Ethernet card or an 802.11b wireless card?
  • Can you deduce anything about the network topology on which this trace was taken, i.e. on which machine is the trace being taken? How many hosts are on the local network? What is the default gateway? What is the network mask? Which hosts are on the local network? Which ones are remote?
  • How “far” away are the remote hosts?
  • What different IP packet types can be seen, and what does each mean?
  • Does IP fragmentation occur?
  • Why would some packets have the “Don’t fragment” bit set?
  • Why the difference in the TTL values? If there was suddenly a change in the reported TTL, what would that be an indicator of?
  • Are there any protocols that appear to be operating differently than as described in class?
  • Assuming there is some web traffic in the trace, do you see any cookies? What can you say about the cookies that are in the file?
  • This packet trace is full of surprises, especially for someone who has never looked at a packet trace in detail before. Think about some of the things that were surprising to you and pursue those further to understand what is happening.

One of the key aspects of this assignment is developing a way of organizing
all of the information in the trace into something coherent and meaningful.
This aspect of the assignment will be as important to your grade as
understanding the trace: if you can’t explain what’s there, how will we know
what you see in the trace?

The format for your write-up will be a single PDF report/file. Within the
report, you are free to organize information about the packet trace in any way
you like. To use an over-used phrase: think outside of the box. You definitely
will not want to just describe each packet one by one. Use some
creativity in organizing how to present the vast amount of information in the
packet trace in a way that conveys your understanding of what is in the trace.
Note, being “creative” is not a substitute for technical thoroughness.

The single most helpful suggestion I can give you is: consider if you were
reading a report about a packet trace, how would you want to see the
information organized so that it provided you a detailed description of what
is in the packet trace, what the packets represent, and what activity has been
captured? For example, let’s say you were a network administrator at a company
and you had assigned an employee to monitor the network for certain kinds of
behavior and then write a report on what was happening. What would that report
look like?

Before even starting your write-up, you should first think about the questions
listed above, what kind of information they ask about, and what the answers
are. In other words, first think about what is happening in the trace and then
start to organize that knowledge into a report.

When it comes to the write-up, you definitely will not want to just include
the list of questions with answers. You’ll need to better organize the
information in the trace. But knowing the answers is a critical first step
before you can think much about how to organize your report. In addition to
the individual questions, you will also want to pay attention to some high
level questions, including the following: What activity did the trace capture?
What does the local network topology look like (and what nodes/devices have
what addresses)? Who sent traffic and to whom? Who responded?

As a high-level goal, try to present the trace in a way that provides multiple
levels of detail. For example, first describe whatever you can about devices
in the network (e.g., hosts, switches, routers, printers) and “where” they are
located with respect to each other. Then describe the data flows (transport
layer). Then describe the packets in a flow. At each level, you will want to
describe the basics of what the packets are, including headers and anything
you can glean about the data. You will also want to identify and attempt to
explain anything unusual you see in the trace.

Organizing the large amount of information in the trace into a clear and
coherent format will be one of the harder parts of the assignment. Because
there is so much information, you will have to make some important decisions
and use some creative solutions to clearly convey to a reader what is
happening.

If you are still reading, a couple more hints. First, explore the various
menus within Wireshark. There are some nice analysis options that will allow
you to understand what is happening. Second, use a filter to try and eliminate
“noise” from the trace. In the packet trace, I collected ALL packets. It will
help you understand the “main” aspects of the trace by first filtering out
miscellaneous/background packets. But once you have figured out the main
aspects, you can go back and analyze the miscellaneous packets separately.
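As an added example (not part of the assignment or the course materials), the following standard-library Python script reads a classic libpcap file and collects what the questions above ask for: packet count, MAC and IP addresses and how they map to each other, EtherType, the Don't Fragment bit, fragments, and per-source TTLs (from which hop distance can be estimated). The embedded trace, MACs and IPs are constructed for the demo; the assignment's f20-176-proj-trace.pcapng is in pcapng format, so convert it first (e.g. `tshark -r f20-176-proj-trace.pcapng -F pcap -w trace.pcap`) and pass the file bytes to summarize().

```python
import struct
from collections import Counter, defaultdict

def frame(src_mac, dst_mac, src_ip, dst_ip, ttl, flags_frag=0):
    """Ethernet II frame with a bare 20-byte IPv4 header (constructed sample, no payload)."""
    mac = lambda m: bytes.fromhex(m.replace(':', ''))
    ip4 = lambda a: bytes(map(int, a.split('.')))
    iph = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20, 1, flags_frag, ttl, 6, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b'\x08\x00' + iph     # EtherType 0x0800 = IPv4

def pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack('<IIII', ts, 0, len(f), len(f)) + f
    return out

def summarize(data):
    """Walk a pcap and collect what the trace questions ask for: count, addresses, DF, fragments, TTLs."""
    order = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(struct.unpack_from('<I', data)[0])
    if order is None: raise ValueError('not a classic pcap file (convert pcapng first: tshark -F pcap)')
    s = dict(packets=0, macs=set(), ips=set(), mac_to_ips=defaultdict(set),
             ethertypes=Counter(), df=0, fragments=0, ttl_by_src=defaultdict(set))
    hexmac = lambda b: ':'.join(f'{x:02x}' for x in b)
    dotted = lambda b: '.'.join(map(str, b))
    off = 24                                                # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from(order + 'IIII', data, off)[2]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        s['packets'] += 1
        dst, src, etype = hexmac(pkt[:6]), hexmac(pkt[6:12]), struct.unpack_from('!H', pkt, 12)[0]
        s['macs'].update({dst, src}); s['ethertypes'][etype] += 1
        if etype != 0x0800 or len(pkt) < 34: continue       # ARP, IPv6 etc.: counted, not decoded here
        flags_frag, ttl = struct.unpack_from('!H', pkt, 20)[0], pkt[22]
        src_ip, dst_ip = dotted(pkt[26:30]), dotted(pkt[30:34])
        s['ips'].update({src_ip, dst_ip})
        s['mac_to_ips'][src].add(src_ip); s['mac_to_ips'][dst].add(dst_ip)
        s['df'] += bool(flags_frag & 0x4000)                # Don't Fragment bit
        s['fragments'] += bool(flags_frag & 0x3fff)         # MF bit set or non-zero fragment offset
        s['ttl_by_src'][src_ip].add(ttl)
    return s

HOST, GW = '00:11:22:33:44:55', 'aa:bb:cc:dd:ee:ff'         # constructed local host and gateway MACs
SAMPLE = pcap([
    frame(HOST, GW, '192.168.1.10', '93.184.216.34', 64, 0x4000),  # outbound, DF set, fresh TTL 64
    frame(GW, HOST, '93.184.216.34', '192.168.1.10', 52),          # reply: 64 - 52 = 12 hops away
    frame(HOST, GW, '192.168.1.10', '198.51.100.7', 64, 0x4000),
    frame(GW, HOST, '198.51.100.7', '192.168.1.10', 243, 0x2000),  # first fragment (MF set)
    frame(GW, HOST, '198.51.100.7', '192.168.1.10', 243, 0x00b9),  # last fragment (offset 185 * 8)
])
```

The gateway MAC fronting several remote IPs in mac_to_ips is the same pattern the "which hosts are remote / what is the default gateway" questions are looking for in the real trace.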

Article author: SafePoker
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit SafePoker when reposting!