Wednesday, April 27, 2011

Chapter 4

Wireshark Lab


  1. Start Wireshark and view the packets that are being picked up by your computer.
  2. Look at several packets and then complete the following:
    a. Look at a packet that is using TCP and then answer the following:
      i. What is the source port? Why is this source port used?
Source port is 80; it is the standard port used for TCP/IP.
      ii. What is the destination port? Why is this destination port used?
Destination port 50342, a random port available to allow incoming traffic.
      iii. What is the flag? Why is this flag used?
The flag used is 0x12 (Syn, Ack); it’s used for acknowledgment.
      iv. What is the source and destination IP address? Is this packet coming or going from your computer? (Use the ipconfig command from the command prompt to view the IP address of your computer.)
Source IP: 98.137.80.31. Destination: 192.168.2.5. This packet was coming into my computer.
      v. What is the Time To Live for this packet? What does TTL mean?
The TTL for this packet is 55. TTL is the time in seconds or number of hops set for the packet, i.e. how long or how many times it can hop before it is discarded.
      vi. What is the Differentiated Services field? List the current value. What does this mean? List 4 other possible values.
The Differentiated Services field is a mechanism for traffic management. The current value is 0x00.
      vii. What is the protocol field set to? What does this mean?
The protocol field is set to TCP, which means Transmission Control Protocol.
      viii. What else did you see that was interesting about the IP packet?
I noticed that the packet was not only broken down with source and destination from my computer to the router, but also from the router to the internet.
      ix. What is the framing type used?
The framing type used is Ethernet II.
      x. What are the source and destination MAC addresses? Is this frame coming or going from your computer? (Use the ipconfig /all command from the command prompt to view the MAC address of your computer.)
Source MAC: 00:22:75:bf:07:43. Destination MAC: 00:26:18:0d:44:41. This packet is coming to my computer.
      xi. What else did you see that was interesting about the Frame?
I could see the MAC addresses for my router and my computer, but I could not see the MAC address for the server that was sending the frames and packets to my modem, then to my router, and then to my computer.


    b. Look at a packet that is using UDP and then answer the following:
      i. What is the source port? Why is this source port used?
Source port: 3540, and it is used by TCP/UDP for a PNRP (Peer Network Resolution Protocol) user port.
      ii. What is the destination port? Why is this destination port used?
Destination port: 3540, and just like the source port it is used by TCP/UDP for a PNRP user port.
      iii. What is the flag? Why is this flag used?
Flag: 0
      iv. What is the source and destination IP address? Is this packet coming or going from your computer?
Source: fe80::2461:f7e4:a714:e67d. Destination: fe80::2d9a:74c4:fdb7:86bd. IPv6 was used, and this packet is coming to my computer.
      v. What is the Time To Live for this packet? What does TTL mean?
The TTL is 128. TTL is the time in seconds or number of hops set for the packet, i.e. how long or how many times it can hop before it is discarded.
      vi. What else did you see that was interesting about the IP packet?
I thought that it was very interesting that the packet used IPv6 instead of the normal IPv4.
      vii. What is the framing type used?
The framing type used is Ethernet II.
      viii. What are the source and destination MAC addresses? Is this frame coming or going from your computer?
Source MAC: e0:cb:4e:40:23:24. Destination MAC: 00:26:18:0d:44:41. It is coming to my computer.
      ix. What else did you see that was interesting about the Frame?
Again, the fact that IPv6 was used instead of IPv4. This is a really odd thing to see as I’m used to nothing but IPv4; however, IPv6 is the new thing, so I should expect to see more of it in the future.
    c. Intercept several TCP packets until you can view the three-way handshake (read about this on pg. 118 and 119). What are the sequence and acknowledgement numbers on all 3 segments?


    d. Intercept an ARP frame. List the following:
      i. What is the destination MAC address? Why is this address used?
Destination MAC: e0:cb:4e:40:23:24. It is used because ARP knows the MAC address of the computer it wants to speak to but not the IP address.
      ii. What is the source MAC address? Why is this address used?
Source MAC: 00:26:18:0d:44:41. It is used for the same reason as above.
      iii. What is the destination IP address? Why is this address used?
Destination IP: 192.168.2.5. It is used because ARP was used before to discover it, so the computers can talk via IP instead of MAC.
      iv. What is the source IP address? Why is this address used?
Source IP: 192.168.2.4. It is used for the same reason as above.
    e. Write at least a half page about Wireshark. What did you learn? What was interesting? Do you feel this is a valuable program? Etc.
Using Wireshark was very interesting. The amount of traffic that is sent and received over a connection in such a short period of time is truly mind-boggling. I never thought that it was as much as what I saw. The information in the packets is very useful for tracking things as well as troubleshooting. You can track and trace every packet that leaves or enters your computer. By doing this you can very easily see where the problem or the security threat in your system is or is coming from. On the other hand, it is also an extremely useful tool for hackers because they can see what you’re sending out and what you’re receiving. I definitely think this is a very useful tool, but the real question is: who is it more useful for, the troubleshooter or the hacker?
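The header fields the lab questions ask about (MAC addresses and framing type, DSCP, TTL, protocol, ports, TCP flags, ARP sender/target) all sit at fixed offsets in the raw frame, which is exactly how Wireshark's dissectors find them. The following is an added example, not part of the lab write-up: it decodes Ethernet II, ARP, IPv4, TCP and UDP headers from raw bytes and decides whether a frame is coming or going from the host. The frames are constructed here (never captured); the MAC and IP addresses reuse values quoted in the answers above, and the `seq`/`ack` values, window size and zeroed checksums are made up for the example.

```python
"""Added example (not from the lab write-up): decode the Ethernet II, ARP,
IPv4, TCP and UDP header fields the lab questions ask about, from raw frame
bytes. Frames are constructed; addresses are the ones quoted in the answers."""
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(octet) for octet in s.split("."))


def tcp_flag_names(flags):
    """0x12 -> ['SYN', 'ACK']; flags are the 9 low bits of the offset/flags word."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def parse_frame(frame):
    """Return the header fields as a dict; layers this decoder does not know are left out."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"framing": "Ethernet II", "src_mac": mac_str(src),
           "dst_mac": mac_str(dst), "ethertype": ethertype}
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        # hw type, proto type, hw len, proto len, opcode, sender MAC/IP, target MAC/IP
        (_, _, _, _, op, sha, spa,
         tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
        out.update(arp_op={1: "request", 2: "reply"}.get(op, op),
                   sender_mac=mac_str(sha), sender_ip=ip_str(spa),
                   target_mac=mac_str(tha), target_ip=ip_str(tpa))
        return out
    if ethertype != ETHERTYPE_IPV4:
        return out
    (ver_ihl, tos, _, _, _, ttl, proto, _,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", payload[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; honours IP options
    out.update(dscp=tos >> 2, ecn=tos & 0x3, ttl=ttl, protocol=proto,
               src_ip=ip_str(sip), dst_ip=ip_str(dip))
    l4 = payload[ihl:]
    if proto == PROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        flags = off_flags & 0x1FF
        out.update(src_port=sport, dst_port=dport, seq=seq, ack=ack,
                   tcp_flags=flags, tcp_flag_names=tcp_flag_names(flags))
    elif proto == PROTO_UDP:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        out.update(src_port=sport, dst_port=dport, udp_length=length)
    return out


def direction(fields, my_mac):
    """Coming or going, judged from the Ethernet addresses relative to this host."""
    if fields["dst_mac"] == my_mac:
        return "incoming"
    if fields["src_mac"] == my_mac:
        return "outgoing"
    return "not addressed to this host"


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, sport, dport,
                    flags, seq=0, ack=0):
    """Constructed Ethernet II / IPv4 / TCP frame, no options, checksums left 0."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl,
                     PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac),
                      ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed ARP request: broadcast 'who has target_ip?'."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      b"\x00" * 6, ip_bytes(target_ip))
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(sender_mac), ETHERTYPE_ARP)
    return eth + arp


MY_MAC = "00:26:18:0d:44:41"  # the lab PC's MAC, as quoted in the write-up
# SYN/ACK from the web server, as the TCP answers above describe it (seq/ack made up)
SYNACK = build_tcp_frame("00:22:75:bf:07:43", MY_MAC, "98.137.80.31",
                         "192.168.2.5", 55, 80, 50342, 0x12, seq=1000, ack=1)
ARP_REQ = build_arp_request(MY_MAC, "192.168.2.4", "192.168.2.5")

if __name__ == "__main__":
    for name, frame in (("SYN/ACK", SYNACK), ("ARP", ARP_REQ)):
        fields = parse_frame(frame)
        print(name, direction(fields, MY_MAC), fields)
```

Running the script decodes the constructed SYN/ACK to source port 80, destination port 50342, flags 0x12 (SYN, ACK), TTL 55 and DSCP 0, and reports it as incoming because the destination MAC is the lab PC's; the ARP request decodes as outgoing with a broadcast destination, which is the form ARP takes before the reply the write-up captured.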


DHCP Lab


In this lab we set up D-Link routers and configured them with a specified DHCP pool of IP addresses for the computers connected to them to choose from.
The first step was to bring up the command prompt and run the ipconfig command so we could see the IP address of the router, which would allow us to get to the interface shown below.


Once the interface was up we had to maneuver through the available menus until we got to the DHCP settings area. While this sounds easy, and the menu surfing is, it does get much harder as you have to know what subnet and subnet mask you want/need to be using. This information is crucial to the execution of this because without the proper subnets and masks the whole setup will not work. For instance, you cannot use a standard class C subnet mask of 255.255.255.0 on a class C address that is subnetted down further because technically they are different addresses and it will throw the scheme off. Once you have all your addresses in place you’ll see this:




Host File Lab

This lab was very useful for the computers in our networking lab because of the way they are set up on the school's network. The setup that they have will not allow you to go directly to Blackboard by typing in the normal web address of blackboard.carteret.edu, so you have to actually type in the IP address of 10.10.1.80. Now if you didn’t know the IP address for Blackboard then you would be in a pretty sticky situation here because there would be no other way to get there.

To use the host file to solve this problem for other users that may not know the actual IP address you have to locate it first. The path to it is the same for all computers and it’s really easy to get to. Open your hard drive, which is normally the drive letter C: on your computer. From there you will open the Windows folder, then the System32 folder, then the drivers folder and then finally the etc folder. What you will have will look like this:


Here is where we open the host file and proceed to do our editing. We will be putting the normal web address of blackboard.carteret.edu along with the IP address of 10.10.1.80 at the end of the file so the computer will recognize the website when we put in the normal blackboard.carteret.edu web address. The finished product will look like this:


Doing this simple edit will allow the average user to just enter in normal well-known web addresses for their sites when things aren’t working like they are accustomed to. Of course you could also play around with this and have some fun with the unsuspecting person and have the address of http://www.yahoo.com/ take them to www.google.com.
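Because the hosts file is consulted before DNS, the same edit that makes blackboard.carteret.edu work can also quietly send a well-known site somewhere else, which is why a hosts file is worth checking on any machine that behaves oddly. The following is an added example, not part of the lab write-up: it parses a hosts file the way the resolver reads it (first match wins, `#` comments and malformed lines ignored) and flags entries that pin a name to a routable public address, the pattern the redirect prank leaves behind, while treating loopback, private/internal and blackhole (0.0.0.0) entries as the file's normal uses. The file contents are constructed; the Blackboard entry is the lab's, and the public address reused for the redirect entry is the server address captured in the Wireshark lab above.

```python
"""Added example (not part of the write-up): parse a Windows hosts file as the
resolver does and flag entries that override a name with a public address.
The sample file contents are constructed for this example."""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample of C:\\Windows\\System32\\drivers\\etc\\hosts
127.0.0.1       localhost
10.10.1.80      blackboard.carteret.edu     # the lab's edit: internal server
98.137.80.31    www.google.com              # a public site pinned to another server
0.0.0.0         ads.example                 # blackhole entry, common in ad blockers
not-an-ip       bogus.example               # malformed line: the resolver ignores it
"""


def parse_hosts(text):
    """Return (line_no, hostname, ip) for each valid mapping; comments and junk skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed address, skipped like the OS does
        for name in parts[1:]:                  # one address may list several names
            entries.append((line_no, name.lower(), ip))
    return entries


def resolve(entries, hostname):
    """First matching entry wins; the hosts file is consulted before DNS."""
    hostname = hostname.lower()
    for _, name, ip in entries:
        if name == hostname:
            return str(ip)
    return None


def suspicious_overrides(entries):
    """Entries that point a name at a routable public address.

    Loopback, private/internal (like the lab's 10.10.1.80), link-local and
    blackhole (0.0.0.0) targets are the normal uses of the file; a public
    address for a name is what a redirect of a well-known site looks like."""
    flagged = []
    for line_no, name, ip in entries:
        if ip.is_loopback or ip.is_private or ip.is_unspecified or ip.is_link_local:
            continue
        flagged.append((line_no, name, str(ip)))
    return flagged


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blackboard.carteret.edu ->", resolve(hosts, "blackboard.carteret.edu"))
    for line_no, name, ip in suspicious_overrides(hosts):
        print(f"line {line_no}: {name} is overridden to public address {ip}")
```

On a real machine, read the file from the path the lab describes (`C:\Windows\System32\drivers\etc\hosts`) and pass its contents to `parse_hosts`; any line reported by `suspicious_overrides` is one to explain or remove, and `resolve` shows what a given name will actually map to before DNS is ever asked.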
