CS 326e S2004
Lab 1. Basic LAN Setup & Trace Analysis using Ethereal
Time: 2:00 hrs (Tasks 1-6 should take 45 min; the rest of the time is for Ethereal)
Tasks:
1 - Verify that TCP/IP is installed on each of the computers
2 - Connect the computers together via an Ethernet switch
3 - Observe the configuration of each of the Network Interfaces for each computer
4 - Statically configure an IP address and subnet mask for each computer
5 - Verify connectivity in your network with ping
6 - Examine non-existent IP address and subnet conflicts
7 - Introducing Ethereal, a packet capture tool
8 - Capturing and Analyzing HTTP 1.1 using Ethereal
9 - Capturing and Analyzing HTTP 1.0 using Ethereal
10 - Extra Credit: Capturing and analyzing FTP using Ethereal
11 - Extra Credit: Capturing and analyzing TELNET and DNS
Each team of two students will use the following components for this experiment:
- 2 computers with Microsoft Windows 2000 Professional
- 1 Cisco Systems Catalyst 2900 Series Switch
- 2 Ethernet Cables
- Ethereal Network Analyzer Software
Each student will be in command of one computer.
Task 1 - Verify that TCP/IP is installed on each of the computers
1. Looking at the desktop window, find the icon labeled My Network Places. Right click on this icon and select "Properties."
2. A window named "Network and Dial-up Connections" will appear with an icon named Local Area Connection. Right click on this icon and again select "Properties."
3. Another window called "Local Area Connection Properties" will appear that has a white area with three items listed. One of these should be Internet Protocol (TCP/IP). Verify that this item is checked. If it is not, check it now.
4. Select OK to exit.
Task 2 - Connect the computers together via a switch
1. Observe the icon Local Area Connection in "Network and Dial-up Connections". We will compare this with what happens after the computers are connected (in step 7).
2. In the back of the computer there will be a slot that looks much like a phone cord slot. This is actually an RJ-45 connection that is meant for Ethernet cables. This port is part of a card that is plugged into the motherboard of the system. It is commonly referred to as a NIC, or Network Interface Controller. The card that you will be using is capable of a transfer rate of up to 100 Megabits per second.
3. Each computer has been supplied with one Ethernet cable. Plug one end of this cable into the RJ-45 port. Listen for a click from the end of the cable to tell you that it is plugged in all the way.
4. Locate the Ethernet switch that has also been supplied. (There is one switch for each group of two computers.) Plug the other end of the Ethernet cable into one of the ports on the switch. The ordering of ports does not matter.
5. Turn on the switch when all computers have been plugged in.
6. The switch will go through a boot-up process, so there will be a sequence of lights switching on and off. These lights will begin as orange, and for the ports that are connected correctly, they will turn green after the boot-up sequence is completed. Verify that the ports that are connected do indeed turn green.
7. Observe the difference in the Local Area Connection icon.
Task 3 - Observe the configuration of the Network Interface Cards (NICs) for each computer
1. Click on the Start button at the lower left of the computer screen and select "Run..."
2. In the field, type cmd, which will open a command prompt window.
3. Type in ipconfig /all and press Enter.
4. A lot of information is returned, but we are interested in only a few items at this time. In particular, we would like to know whether DHCP is enabled, the IP address of the interface, and the Subnet Mask. Fill in the following table with values from the information that is returned.
| DHCP enabled?           |   |
| IP address of interface |   |
| Subnet Mask             |   |
Dynamic Host Configuration Protocol (DHCP) is a protocol that is used to allocate an IP address to each interface that requests one. In particular, a DHCP server sends this information to the DHCP client. In our current setup, there is no such server. Configuring IP addresses will, thus, need to be done manually.
Task 4 - Statically configure an IP address and subnet mask for each computer
1. Again navigate to "Local Area Connection Properties" as in Task 1.
2. Double click "Internet Protocol (TCP/IP)". Select Use the following IP address.
3. Set the computers' IP addresses as follows.
|            | Computer 1  | Computer 2  | Computer 3  | Computer 4  |
| IP Address | 192.168.0.5 | 192.168.0.6 | 192.168.0.7 | 192.168.0.8 |
4. Set the Subnet mask to be 255.255.255.0. Clear the Default Gateway and DNS Server fields and click on OK for both windows.
5. Verify that the IP Address for the computer has indeed changed. To do this, execute the "ipconfig /all" command again.
Task 5 - Verify connections in a larger network (2 teams) with ping
Once each of you has set up the configuration correctly, it is time to verify that all computers are on the same network and can indeed communicate with each other. One commonly used command verifies communication between hosts: it is called ping.
1. Connect your team's switch with another team's via a crossover cable provided by the lab proctor (in order to ping all 4 hosts).
2. Type ping X in the command prompt, where X is one of the IP addresses of the four computers in your network.
3. Repeat for each of the four IP addresses.
4. Fill in the following table with values returned after each execution.
| IP Address  | Success (Yes/No) | Time Out (Yes/No) | Unreachable (Yes/No) | Packets Sent | Packets Received | Packets Lost | Minimum RTT | Maximum RTT | Average RTT |
| 192.168.0.5 |                  |                   |                      |              |                  |              |             |             |             |
| 192.168.0.6 |                  |                   |                      |              |                  |              |             |             |             |
| 192.168.0.7 |                  |                   |                      |              |                  |              |             |             |             |
| 192.168.0.8 |                  |                   |                      |              |                  |              |             |             |             |
Wait for all four people in your group to finish, then continue to Task 6.
Task 6 - Examine non-existent IP address and subnet conflicts
1. Wait for everyone to reach this step, then change the IP addresses according to the following table. Note that the Subnet Mask remains the same as before.
| Computer 1   | Computer 2   | Computer 3   | Computer 4   | Subnet Mask   |
| 192.168.1.10 | 192.168.0.11 | 192.168.1.12 | 192.168.2.13 | 255.255.255.0 |
2. Ping all 4 computers. Fill in the following table with values returned after each execution.
| IP Address   | Success | Time Out | Unreachable | Packets Sent | Packets Received | Packets Lost | Minimum RTT | Maximum RTT | Average RTT |
| 192.168.1.10 |         |          |             |              |                  |              |             |             |             |
| 192.168.0.11 |         |          |             |              |                  |              |             |             |             |
| 192.168.1.12 |         |          |             |              |                  |              |             |             |             |
| 192.168.2.13 |         |          |             |              |                  |              |             |             |             |
3. Why were you not able to reach some of the computers? Explain.
4. Ping an address that is in your subnet but is not connected (for example, ping an address that matches your subnet but ends with .100). Is the result different from step 2? Explain.
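The reasoning behind steps 3 and 4 can be checked with a small model, given here as an added example (not part of the lab handout): it ANDs each Task 6 address with the /24 mask to find its network, and predicts what a host with no default gateway can do with each destination. The `live_hosts` set and the outcome labels are this example's own assumptions.

```python
import ipaddress

# Addresses from the Task 6 table; every host keeps the /24 mask from Task 4.
MASK = "255.255.255.0"
HOSTS = {
    "Computer 1": "192.168.1.10",
    "Computer 2": "192.168.0.11",
    "Computer 3": "192.168.1.12",
    "Computer 4": "192.168.2.13",
}

def network_of(ip, mask):
    """Network the address belongs to: the address ANDed with the mask."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network)

def same_subnet(a, b, mask):
    return network_of(a, mask) == network_of(b, mask)

def predict_ping(src, dst, mask, live_hosts):
    """Model a host whose Default Gateway field was cleared (Task 4).
    Off-subnet destinations have no route at all; on-subnet ones are resolved
    with ARP first, so an absent host (the '.100' case) simply never answers.
    live_hosts is an assumption of this model: the addresses actually present."""
    if not same_subnet(src, dst, mask):
        return "no route (destination outside local subnet, no gateway)"
    if dst not in live_hosts:
        return "no ARP reply (address in subnet but nobody answers)"
    return "reply"

def ping_table(hosts, mask):
    """Predicted outcome of every ordered pair, keyed by (source, destination)."""
    live = set(hosts.values())
    return {(s, d): predict_ping(hosts[s], hosts[d], mask, live)
            for s in hosts for d in hosts}

def subnet_groups(hosts, mask):
    """Which computers share a network prefix, and can therefore reach each other."""
    groups = {}
    for name, ip in hosts.items():
        groups.setdefault(network_of(ip, mask), []).append(name)
    return groups
```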
Task 7 - Introducing Ethereal
We will be running one particular application, Ethereal. It can capture all the packets that are transmitted to and from your Ethernet interface. Once it has finished capturing, it displays the packets in a list that can be ordered by a column of your choice, such as time, protocol, or source.
We will first capture network traffic generated by ping, which uses ICMP (Internet Control Message Protocol).
1. Return your computer to the IP address that was used in Task 4.
2. Launch Ethereal. The icon is on the desktop.
3. To begin capturing packets, under the Capture menu choose Start.
4. Verify that the first, fourth, fifth, and sixth options after the Capture Length are selected.
5. Note that many packets can be collected within a short time after Capture is started. It is best to start capturing only right before you do a transfer of packets that you want to analyze. In this case, you need to be ready to ping before you start capturing. When you are ready, click OK to start collecting packets.
6. Ping all 4 hosts on the network.
7. Stop capturing by clicking the Stop button in Ethereal when you have completed pinging all the hosts.
8. Wait until Ethereal loads all the captured packets onto the screen.
9. Order the packets according to Protocol by clicking on the Protocol column heading.
10. Scroll down in the upper window to packets that are ICMP. Note that in the Info column, there are basically two types of ICMP packets that were transferred. What were these two types of ICMP packets?
11. Click on the first row of the ICMP packets. This should be a request packet and should have the source listed as the IP address/name of your computer, and the destination listed as the address/name you first pinged. The middle and bottom screens should have changed to represent the content of that particular packet. Note that the bottom screen is primarily a hexadecimal representation of the binary bits of the packet, though the rightmost column also lists the contents in ASCII format.
12. In the middle window, expand the content by clicking on the + within the boxes. Note that you can contract the content again by clicking on the - within the boxes.
13. Fill in the table below. All information can be found within the middle screen for this packet.
| Arrival Time | Source IP Address | Destination MAC Address | Internet Protocol Version # | Sequence # |
|              |                   |                         |                             |            |
14. Now click on the second row of the ICMP packets. This should be the reply packet from the host that you pinged in the previous packet. Fill in the table below with the information for this reply packet.
| Arrival Time | Source IP Address | Destination MAC Address | Internet Protocol Version # | Sequence # |
|              |                   |                         |                             |            |
15. Note that when clicking on something in the middle of the screen, the actual bits of the packet are highlighted in the bottom screen. This is done both in hexadecimal and in ASCII.
16. In ASCII, what are the 32 bytes of data that fill the end of either of these packets?
17. What packets besides those generated by ping do you see? What generated these packets?
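To see where the fields in the Task 7 tables live in the bytes of the bottom pane, here is an added example (not part of the lab handout) that builds an ICMP echo request, derives the matching reply, verifies the checksum the way a receiver does, and renders the message as a hex/ASCII dump. The 32-byte payload and the identifier are constructed sample values, not what the Windows ping utility sends.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Constructed 32-byte payload (ping's default data length); not the bytes
# the Windows ping utility actually sends.
SAMPLE_PAYLOAD = b"lab-sample-payload-32-bytes-long"

def icmp_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(pkt):
    """Decode the fields the Task 7 tables ask for; a receiver recomputes the
    checksum over the whole message and expects 0 when it is intact."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP message")
    t, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    kind = {8: "echo request", 0: "echo reply"}.get(t, f"type {t}")
    return {"kind": kind, "type": t, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": icmp_checksum(pkt) == 0}

def reply_for(request):
    """What the pinged host sends back: same id, sequence and payload, type 0."""
    f = parse_icmp(request)
    return build_echo(ICMP_ECHO_REPLY, f["id"], f["seq"], f["payload"])

def hexdump(data, width=16):
    """Render bytes as Ethereal's bottom pane does: offset, hex, then ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return lines
```

The Ethernet and IP headers that precede the ICMP message in the capture are not modelled here; the sequence number is the one Ethereal shows in the middle pane.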
Task 8 - Capturing and Analyzing HTTP 1.1 using Ethereal
We will be using Ethereal to capture and analyze the packets that are generated when we run a network application on the networked machines. The applications we will be running are a Web Server and a Web Browser. These applications make use of the HTTP protocol. The second pair of applications we will be running is an FTP server and an FTP client. We shall see the difference in these protocols by analyzing the packets that we capture.
1. Each group must designate one machine as the Web Server machine. (Say machines 1 and 3; machines 2 and 4 will then be the client machines.)
2. Confirm that the Web Server is running on the server machine by going to Control Panel | Services, and check that the Web service is 'started'.
3. Start a browser on the client machine.
4. Clear the browser cache. On IE this is done by going to Tools | Internet Options... | General Tab, click on Delete Files in the Temporary internet files section. In the window that pops up check Delete all offline content and press OK. Press OK on the General Tab. Close the browser and reopen it.
5. Start Ethereal on the client by clicking on the Ethereal icon on the Desktop.
6. Start capturing packets by clicking on the menu Capture -> Start.
7. Verify that the first, fourth, fifth, and sixth options after the Capture Length are selected. Switch the Interface to the second choice, which represents the 2nd Ethernet card.
8. Click on Ok to start capturing packets.
9. Type the following URL into the address bar of the browser: http://ip_address_of_webserver_machine/index.html
10. Once the browser displays the entire page, stop capturing packets in Ethereal by clicking on the Stop button in the Ethereal window. How many images does the web page have?
11. Wait until Ethereal loads all the captured packets onto the screen.
12. The Ethereal window is divided into 3 parts. The top displays the captured packets. The middle displays the encapsulated headers (for each layer) and their values for the packet highlighted in the top pane (for more detail select Display -> Expand). The bottom part displays the actual raw bytes from the packet (in hex).
13. View the packets that have been captured by Ethereal. There may be some other protocol packets that were also captured. To help facilitate your understanding of the data, we will apply several filtering techniques to limit the data presented on the screen.
14. At the bottom of the window, there is a field for entering filters. Type HTTP in the filter box and press Enter. This will show only the HTTP packets.
15. Note the different HTTP commands sent: GET, OK, etc. What does the HTTP Continuation mean?
16. To help keep track of each TCP connection, we are going to color code each connection. Ethereal supports color coding and filtering on a variety of variables such as the protocol, IP, and port numbers. For our color coding, we will be assigning each unique port used by the client a different color. Expand the TCP information in the middle pane by clicking the plus arrow. Note that each event has a source port and destination port. The web server always uses port 80, while the client uses a unique port for each TCP connection it creates. Therefore, we will color code based on those ports unique to each TCP connection.
17. First, write down each unique port used in the events, excluding port 80.
18. Next, we will add a coloring rule for each unique port you find. To add a color coding:
   a) Click on the menu View -> Coloring Rules
   b) Click on the New button to add a new rule.
   c) In the name field, give the rule a unique name ("connection 1", for example).
   d) In the string field, enter tcp.port == <unique port #>. For example, tcp.port == 1046, if 1046 was the port used by the TCP connection we want to highlight.
   e) Click on Background Color and select a color easy to read as a background.
   f) Click Ok to add the coloring rule.
   g) Repeat as necessary for every unique port you noted.
19. Now that we've colored each TCP connection, we'll display all the captured data. Click on the Clear button at the bottom of the screen, next to the filter box.
20. Browse the top display. Look for a TCP trace showing the SYN (connection request) and the SYNACK (reply). These represent the TCP RTT that we calculated when studying HTTP and connections. Then look for a TCP trace with a FIN, followed by an ACK. Whichever host sent the first FIN is the one that is initiating the close of a connection.
21. For the fetching of the index.html page only:
   A) At what time was the SYN sent? What is the client's port #? How many bytes were transmitted over the Ethernet link?
   B) At what time was the first data segment sent? How many bytes were in the HTTP request?
   C) At what time was the last server segment of the index.html page sent?
22. Continuing with the connection that you analyzed in step 21:
   A) How many total images were fetched via this one connection?
   B) At what time was the last data segment (of any data) sent on this connection?
   C) At what time was the FIN sent on this connection?
   D) Was the connection closed? By the server or client? If not closed, how can this affect server performance?
23. How many TCP connections were opened to fetch the page (and images), and when? How were the images fetched; were any optimizations performed in fetching the images? (If the connection is persistent, then is pipelining used?) Cite the data you found to support your observations, and draw a time-space diagram depicting what happened.
24. Browser caching drastically changes the amount of data retrieved when loading a webpage. We'll examine this by capturing the retrieval of the now cached webpage.
   a) Start capturing packets by clicking on the menu Capture -> Start.
   b) Click on Ok to start capturing packets.
   c) In Internet Explorer, click on the menu View -> Refresh.
   d) Once the browser displays the entire page, stop capturing packets in Ethereal by clicking on the Stop button in the Ethereal window.
   e) As before, you may want to color each TCP connection to help make the data easier to read.
25. How many TCP connections were opened to fetch the page (and images), and when? How were the images fetched; were any optimizations performed in fetching the images?
Task 9 - Capturing and Analyzing HTTP 1.0 using Ethereal
Comparing the difference between a persistent connection and a non-persistent connection.
1. Turn off HTTP 1.1 in the browser. In IE this is done by going to Tools | Internet Options | Advanced Tab, scroll down to the HTTP 1.1 settings, and uncheck Use HTTP 1.1.
2. On the server turn off HTTP keep-alive. This is done by going to Control Panel | Administrative Tools | Internet Services Manager. Expand the tree on the left of the window that comes up. Right click on Default Web Site and go to the properties. Select the Web Site tab and uncheck the HTTP Keep-Alives enabled check box. Click OK.
3. Clear the browser cache. On IE this is done by going to Tools | Internet Options... | General Tab, click on Delete Files in the Temporary internet files section. In the window that pops up check Delete all offline content and press OK. Press OK on the General Tab. Close the browser and reopen it.
4. Fetch the http://ip_address_of_webserver_machine/index.html page again.
5. How many connections were opened to fetch the page (and images)? How does this example compare to the time-space diagrams we drew in class? Does the browser open multiple concurrent connections?
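The per-connection bookkeeping that Tasks 8 and 9 ask you to do by hand (group segments by client port, find the SYN, the first and last data segments, the first FIN and who sent it, count the requests) can be written down as code; this is an added example, not part of the lab handout. The two traces are constructed to look like a keep-alive HTTP/1.1 fetch and an HTTP/1.0 fetch of index.html plus two images; their times, ports, sizes and the second image name are assumptions.

```python
from collections import OrderedDict

# Constructed traces modelled on Tasks 8 and 9: machine 1 (192.168.0.5) serves,
# machine 2 (192.168.0.6) browses. Segment fields: time, src, sport, dst, dport,
# TCP flags, TCP payload bytes, HTTP summary as Ethereal's Info column shows it.
SERVER, CLIENT = "192.168.0.5", "192.168.0.6"
PERSISTENT_TRACE = [  # HTTP/1.1 keep-alive: three objects over one connection
    (0.000, CLIENT, 1046, SERVER, 80, "S", 0, ""),
    (0.001, SERVER, 80, CLIENT, 1046, "SA", 0, ""),
    (0.001, CLIENT, 1046, SERVER, 80, "A", 0, ""),
    (0.002, CLIENT, 1046, SERVER, 80, "PA", 120, "GET /index.html HTTP/1.1"),
    (0.010, SERVER, 80, CLIENT, 1046, "PA", 1460, "HTTP/1.1 200 OK"),
    (0.011, SERVER, 80, CLIENT, 1046, "PA", 900, "Continuation"),
    (0.020, CLIENT, 1046, SERVER, 80, "PA", 110, "GET /oe_a01.gif HTTP/1.1"),
    (0.030, SERVER, 80, CLIENT, 1046, "PA", 1200, "HTTP/1.1 200 OK"),
    (0.040, CLIENT, 1046, SERVER, 80, "PA", 110, "GET /img2.gif HTTP/1.1"),
    (0.050, SERVER, 80, CLIENT, 1046, "PA", 800, "HTTP/1.1 200 OK"),
    (15.050, SERVER, 80, CLIENT, 1046, "FA", 0, ""),  # server's idle timeout
    (15.051, CLIENT, 1046, SERVER, 80, "A", 0, ""),
]

def one_shot_fetch(t0, cport, path, size):
    """HTTP/1.0 without keep-alive: a fresh connection per object, server closes."""
    return [(t0, CLIENT, cport, SERVER, 80, "S", 0, ""),
            (t0 + 0.001, SERVER, 80, CLIENT, cport, "SA", 0, ""),
            (t0 + 0.001, CLIENT, cport, SERVER, 80, "A", 0, ""),
            (t0 + 0.002, CLIENT, cport, SERVER, 80, "PA", 100, f"GET {path} HTTP/1.0"),
            (t0 + 0.010, SERVER, 80, CLIENT, cport, "PA", size, "HTTP/1.0 200 OK"),
            (t0 + 0.011, SERVER, 80, CLIENT, cport, "FA", 0, ""),
            (t0 + 0.012, CLIENT, cport, SERVER, 80, "FA", 0, "")]

NONPERSISTENT_TRACE = (one_shot_fetch(0.00, 1047, "/index.html", 2360)
                       + one_shot_fetch(0.02, 1048, "/oe_a01.gif", 1200)
                       + one_shot_fetch(0.04, 1049, "/img2.gif", 800))

def connections(trace, server_port=80):
    """Group segments by the client's ephemeral port (what the lab's
    tcp.port == N coloring rule isolates) and summarise each connection."""
    conns = OrderedDict()
    for t, src, sport, dst, dport, flags, plen, http in trace:
        cport = dport if sport == server_port else sport
        c = conns.setdefault(cport, {
            "client_port": cport, "syn": None, "first_data": None, "last_data": None,
            "fin": None, "fin_by": None, "requests": [], "bytes_from_server": 0})
        if "S" in flags and "A" not in flags:
            c["syn"] = t                                   # connection request
        if plen > 0:
            c["first_data"] = c["first_data"] if c["first_data"] is not None else t
            c["last_data"] = t
            if sport == server_port:
                c["bytes_from_server"] += plen
        if http.startswith("GET "):
            c["requests"].append(http.split()[1])
        if "F" in flags and c["fin"] is None:              # first FIN closes
            c["fin"], c["fin_by"] = t, ("server" if sport == server_port else "client")
    return list(conns.values())

def summarize(trace):
    """The numbers the Task 8 and Task 9 questions ask for, per trace."""
    cs = connections(trace)
    return {"connections": len(cs),
            "requests_per_connection": [len(c["requests"]) for c in cs],
            "closed_by": [c["fin_by"] for c in cs],
            "persistent": any(len(c["requests"]) > 1 for c in cs)}
```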
Task 10 - Extra Credit: Capturing and Analyzing FTP using Ethereal
1. Choose one of the machines as the FTP server (switch machines from the previous task, i.e. use the server machine as the client now and vice versa). Confirm that the FTP server is running on the machine by going to Control Panel | Services, and check that the FTP Publishing service is 'started'.
2. Run Ethereal and start capturing packets.
3. Bring up the command prompt on the client machine by choosing the Windows Start | Run. Type in cmd <Enter>.
4. Type cd c:\temp <Enter> at the command prompt.
5. Type ftp ip_address_of_server_machine <Enter>.
6. When prompted for a user name, type anonymous.
7. When prompted for a password, type any valid email id.
8. Once at the ftp> prompt, type get index.html <Enter>.
9. The index.html file will be fetched and stored in the c:\temp directory on the client machine.
10. Type bin to change over to binary mode.
11. Type get oe_a01.gif <Enter>.
12. Exit the ftp client by typing quit at the ftp> prompt.
13. Stop capturing packets in Ethereal on both machines by clicking on the Stop button in the Ethereal window.
14. Wait until Ethereal loads all the captured packets onto the screen.
15. View the packets captured in the Ethereal window.
16. FTP is what we call a cleartext protocol: it is not encrypted. Another example is telnet. Can you find a packet that contains your login and password?
17. Which side initiated creating the TCP data connections? What FTP command was used to initiate the TCP connection handshake? Which side closed the control connection?
18. What port numbers were used for the client and the server for:
   - Control:
   - Data connection 1:
   - Data connection 2:
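The control channel you capture in Task 10 is readable text, which is both why the login is visible and how the data-connection ports can be worked out. The following is an added example (not part of the lab handout) that audits a constructed control-channel exchange for the credentials it exposes, decodes each PORT command into the client address and port the server will connect to, and masks the password before the trace is kept. The server replies, the e-mail address and the port values are sample values, not captured ones.

```python
import re

# Constructed control-channel exchange modelled on the Task 10 session
# (anonymous login, ASCII get, "bin" = TYPE I, binary get). "C:" is the client,
# "S:" the server; reply texts, e-mail and addresses are sample values.
CONTROL_CHANNEL = """\
S: 220 FTP server ready
C: USER anonymous
S: 331 Anonymous access allowed, send e-mail address as password
C: PASS student@example.edu
S: 230 Anonymous user logged in
C: PORT 192,168,0,6,4,22
S: 200 PORT command successful
C: RETR index.html
S: 150 Opening ASCII mode data connection
S: 226 Transfer complete
C: TYPE I
S: 200 Type set to I
C: PORT 192,168,0,6,4,23
S: 200 PORT command successful
C: RETR oe_a01.gif
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_port_command(line):
    """PORT h1,h2,h3,h4,p1,p2 announces the client's IP and port p1*256+p2."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = m.groups()
    return ".".join(octets[:4]), int(octets[4]) * 256 + int(octets[5])

def audit_control_channel(text):
    """Pull out what a capture of port 21 exposes: the credentials sent in the
    clear, and for each transfer the data connection's endpoint and who opens it
    (after PORT, the server connects from its port 20 to the client's address)."""
    creds, data_conns, announced = {}, [], None
    for line in text.splitlines():
        who, _, msg = line.partition(": ")
        if who != "C":
            continue
        verb, _, arg = msg.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            creds["user"] = arg
        elif verb == "PASS":
            creds["password"] = arg
        elif verb == "PORT":
            announced = parse_port_command(msg)
        elif verb in ("RETR", "STOR", "LIST", "NLST") and announced:
            data_conns.append({"command": verb, "file": arg,
                               "client_endpoint": announced, "opened_by": "server"})
            announced = None
    return {"cleartext_credentials": creds, "data_connections": data_conns}

def redact(text):
    """Mask the PASS argument before a trace is stored or shared."""
    return re.sub(r"^(C: PASS )\S+", r"\1<redacted>", text, flags=re.M)
```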
Task 11 - Extra Credit: Capturing and analyzing TELNET and DNS
TELNET:
1. For these activities, we will be using the NIL infrastructure to access the Internet. First, you must enable access to the NIL infrastructure:
2. Looking at the desktop window, find the icon labeled My Network Places. Right click on this icon and select "Properties."
3. A window named "Network and Dial-up Connections" will appear with an icon named Local Area Connection. Right click on this icon and select "Disable."
4. Right click on the icon named NIL Infrastructure and select "Enable."
5. Run Ethereal and start capturing packets.
6. Bring up the command prompt by choosing the Windows Start | Run. Type in cmd <Enter>.
7. Type telnet 192.168.1.100 <Enter>.
8. When asked whether to send your password, answer yes.
9. Log in using the user telnetuser with a password of nil2001.
10. Type dir.
11. Type exit.
12. Stop capturing packets in Ethereal.
13. Wait until Ethereal loads all the captured packets onto the screen and view the packets captured in the Ethereal window.
14. When entering your username and password, is the data transmitted at once or character by character?
15. When entering commands during the telnet session, does the client simply display what you type, or is the keyboard input being echoed to the client's screen by the server?
16. Is the backspace character being sent? How about the return character?
17. Observe what is transmitted after you type exit. Who closes the connection, and how did the responsible party know to close the connection?
DNS:
1. If you have not already enabled the NIL Infrastructure, do so by following TELNET steps 1 through 4 of Task 11.
2. Start a browser on the client machine.
3. Start Ethereal and begin capturing packets.
4. In the browser, load up a webpage of your choice.
5. Once the browser displays the entire page, stop capturing packets in Ethereal.
6. Was a DNS request sent (to the local name server) to resolve the name of the website to an IP? If not, repeat the process above and try a different site.
7. What IP did the browser send the DNS request to?
8. Bring up the command prompt by choosing the Windows Start | Run. Type in cmd <Enter>.
9. Type ipconfig /all.
10. Find the section for the NIL Infrastructure. Of the listed attributes and values, which was used in resolving the website's name to an IP?
If time permits, explore what you wish. Here are some ideas.
1. What other protocols did Ethereal capture as you were running Ethereal? Can you guess what these protocols do?
2. Looking back to Task 2, step 6, repeat this task using Ethereal to capture any packets related to the switch's "boot-up sequence".
3. If you have time you can try capturing other traffic (SSL, Yahoo/Hotmail logins, etc.)