Monday, December 17, 2018
Transmission Control Protocol and Cisco Public Information
Learning Objectives

Be able to explain the purpose of a protocol analyzer (Wireshark).
Be able to perform basic PDU capture using Wireshark.
Be able to perform basic PDU analysis on straightforward network data traffic.
Experiment with Wireshark features and options such as PDU capture and display filtering.

Background

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. Before June 2006, Wireshark was known as Ethereal. A packet sniffer (also known as a network analyzer or protocol analyzer) is computer software that can intercept and log data traffic passing over a data network. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications. Wireshark is programmed to recognize the structure of different network protocols. This enables it to display the encapsulation and individual fields of a PDU and interpret their meaning. It is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. For information and to download the program go to http://www.wireshark.org

Scenario

To capture PDUs, the computer on which Wireshark is installed must have a working connection to the network, and Wireshark must be running before any data can be captured. When Wireshark is launched, the screen below is displayed. To start data capture it is first necessary to go to the Capture menu and select the Options choice. The Options dialog provides a range of settings and filters which determine which and how much data traffic is captured.
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 12

First, it is necessary to ensure that Wireshark is set to monitor the correct interface. From the Interface drop-down list, select the network adapter in use. Typically, for a computer this will be the connected Ethernet adapter. Then other options can be set. Among those available in Capture Options, the two highlighted below are worth examining.

Setting Wireshark to capture packets in promiscuous mode

If this feature is NOT checked, only PDUs destined for this computer will be captured. If this feature is checked, all PDUs destined for this computer AND all those detected by the computer's NIC on the same network segment (i.e., those that "pass by" the NIC but are not destined for the computer) are captured. Note: The capturing of these other PDUs depends on the intermediary device connecting the end device computers on this network (a hub repeats every frame to every port, whereas a switch forwards a unicast frame only to the port of its destination MAC address). As you use different intermediary devices (hubs, switches, routers) throughout these courses, you will experience different Wireshark results.

Setting Wireshark for network name resolution

This option allows you to control whether or not Wireshark translates network addresses found in PDUs into names. Although this is a useful feature, the name resolution process may add extra PDUs (the DNS lookups it issues) to your captured data, perhaps distorting the analysis. There are also a number of other capture filtering and process settings available. Clicking on the Start button starts the data capture process, and a message box displays the progress of this process.
As data PDUs are captured, the types and number are indicated in the message box. The examples above show the capture of a ping process and then accessing a web page. When the Stop button is clicked, the capture process is terminated and the main screen is displayed. This main display window of Wireshark has three panes.

The PDU (or Packet) List Pane at the top of the diagram displays a summary of each packet captured. By clicking on packets in this pane, you control what is displayed in the other two panes. The PDU (or Packet) Details Pane in the middle of the diagram displays the packet selected in the Packet List Pane in more detail. The PDU (or Packet) Bytes Pane at the bottom of the diagram displays the actual data (in hexadecimal form representing the actual binary) from the packet selected in the Packet List Pane, and highlights the field selected in the Packet Details Pane.

Each line in the Packet List corresponds to one PDU or packet of the captured data. If you select a line in this pane, more details will be displayed in the "Packet Details" and "Packet Bytes" panes. The example above shows the PDUs captured when the ping utility was used and http://www.wireshark.org was accessed. Packet number 1 is selected in this pane. The Packet Details pane shows the current packet (selected in the "Packet List" pane) in a more detailed form. This pane shows the protocols and protocol fields of the selected packet.
The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed. The Packet Bytes pane shows the data of the current packet (selected in the "Packet List" pane) in what is known as "hexdump" style. In this lab, this pane will not be examined in detail. However, when a more in-depth analysis is required, this displayed information is useful for examining the binary values and content of PDUs.

The information captured for the data PDUs can be saved in a file. This file can then be opened in Wireshark for analysis some time in the future without the need to re-capture the same data traffic again. The information displayed when a capture file is opened is the same as the original capture. When closing a data capture screen or exiting Wireshark you are prompted to save the captured PDUs. Clicking on Continue without Saving closes the file or exits Wireshark without saving the displayed captured data.

Task 1: Ping PDU Capture

Step 1: After ensuring that the standard lab topology and configuration is correct, launch Wireshark on a computer in a lab pod. Set the Capture Options as described above in the overview and start the capture process. From the command line of the computer, ping the IP address of another network-connected and powered-on end device in the lab topology. In this case, ping the Eagle Server using the command ping 192.168.254.254. After receiving the successful replies to the ping in the command line window, stop the packet capture.

Step 2: Examine the Packet List pane. The Packet List pane on Wireshark should now look something like this: Look at the packets listed above; we are interested in packet numbers 6, 7, 8, 9, 11, 12, 14 and 15.
Locate the equivalent packets on the packet list on your computer. If you performed Step 1A above, match the messages displayed in the command line window when the ping was issued with the six packets captured by Wireshark. From the Wireshark Packet List answer the following:

What protocol is used by ping? ICMP
What is the full protocol name? Internet Control Message Protocol
What are the names of the two ping messages? Echo Request, Echo Reply
Are the listed source and destination IP addresses what you expected? Yes / No. Why? Answers may vary. Yes, the source address is my computer and the destination is the Eagle Server.

Step 3: Select (highlight) the first echo request packet on the list with the mouse. The Packet Detail pane will now display something similar to: Click on each of the four "+" to expand the information. The Packet Detail pane will now be similar to:

As you can see, the details for each section and protocol can be expanded further. Spend some time scrolling through this information. At this stage of the course, you may not fully understand the information displayed, but make a note of the information you do recognize.

Locate the two different types of "Source" and "Destination". Why are there two types? The Ethernet II header shows the MAC addresses and the Internet Protocol header shows the IP addresses.
What protocols are in the Ethernet frame? eth:ip:icmp:data

As you select a line in the Packet Details pane, all or part of the information in the Packet Bytes pane also becomes highlighted.
For example, if the second line (+ Ethernet II) is highlighted in the Details pane, the Bytes pane now highlights the corresponding values. This shows the particular binary values that represent that information in the PDU. At this stage of the course, it is not necessary to understand this information in detail.

Step 4: Go to the File menu and select Close. Click on Continue without Saving when this message box appears.

Task 2: FTP PDU Capture

Step 1: Start packet capture. Assuming Wireshark is still running from the previous steps, start packet capture by clicking on the Start option on the Capture menu of Wireshark. At the command line on your computer running Wireshark, enter ftp 192.168.254.254. When the connection is established, enter anonymous as the user without a password.

Userid: anonymous
Password:

You may instead log in with userid cisco and password cisco. When successfully logged in, enter get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe and press the Enter key. This will start downloading the file from the FTP server. The output will look similar to:

C:\Documents and Settings\ccna1> ftp eagle-server.example.com
Connected to eagle-server.example.com.
220 Welcome to the eagle-server FTP service.
User (eagle-server.example.com:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe (6967072 bytes).
226 File send OK.
ftp: 6967072 bytes received in 0.59Seconds 11729.08Kbytes/sec.

When the file download is complete, enter quit:

ftp> quit
221 Goodbye.
C:\Documents and Settings\ccna1>

When the file has successfully downloaded, stop the PDU capture in Wireshark.

Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed. Locate and note those PDUs associated with the file download. These will be the PDUs from the Layer 4 protocol TCP and the Layer 7 protocol FTP. Identify the three groups of PDUs associated with the file transfer. If you performed the step above, match the packets with the messages and prompts in the FTP command line window.

The first group is associated with the "connection" phase and logging into the server. List examples of messages exchanged in this phase. Answers will vary: 1292 > ftp [SYN], ftp > 1292 [SYN, ACK], Response: 220 Welcome to the eagle-server FTP service, 1292 > ftp [ACK], Request: USER anonymous, Response: 331 Please specify the password, Request: PASS

Locate and list examples of messages exchanged in the second phase, that is, the actual download request and the data transfer. Answers will vary: FTP data: 1448 bytes, 1294 > ftp-data [ACK]

The third group of PDUs relate to logging out and "breaking the connection". List examples of messages exchanged during this process. Answers will vary: Request: QUIT, Response: 221 Goodbye, 1292 > ftp [FIN, ACK], ftp > 1292 [FIN, ACK]

Locate recurring TCP exchanges throughout the FTP process. What feature of TCP does this indicate? Send and pass on of data

Step 3: Examine Packet Details. Select (highlight) a packet on the list associated with the first phase of the FTP process. View the packet details in the Details pane. What are the protocols encapsulated in the frame? eth:ip:tcp:ftp-data

Highlight the packets containing the user name and password.
Examine the highlighted portion in the Packet Bytes pane. What does this say about the security of this FTP login process? Security isn't very high because the name and password are visible.

Highlight a packet associated with the second phase. From any pane, locate the packet containing the file name. The file name is: gaim-1.5.0.exe

Highlight a packet containing the actual file content. Note the plain text visible in the Bytes pane. Highlight and examine, in the Details and Bytes panes, some packets exchanged in the third phase of the file download. What features distinguish the content of these packets? A [FIN, ACK] is issued to close the connection.

When finished, close the Wireshark file and continue without saving.

Task 3: HTTP PDU Capture

Step 1: Start packet capture. Assuming Wireshark is still running from the previous steps, start packet capture by clicking on the Start option on the Capture menu of Wireshark. Note: Capture Options do not have to be set if continuing from previous steps of this lab. Launch a web browser on the computer that is running Wireshark. Enter the URL of the Eagle Server, example.com, or enter the IP address 192.168.254.254. When the webpage has fully downloaded, stop the Wireshark packet capture.

Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed. Locate and identify the TCP and HTTP packets associated with the webpage download. Note the similarity between this message exchange and the FTP exchange.

Step 3: In the Packet List pane, highlight an HTTP packet that has the notation "(text/html)" in the Info column.
In the Packet Detail pane, click on the "+" next to "Line-based text data: html". When this information expands, what is displayed? HTML code for the web page

Examine the highlighted portion of the Bytes pane. This shows the HTML data carried by the packet. When finished, close the Wireshark file and continue without saving.

Task 4: Reflection

Consider the encapsulation information pertaining to captured network data that Wireshark can provide. Relate this to the OSI and TCP/IP layer models. It is important that you can recognize and link both the protocols represented and the protocol layer and encapsulation types of the models with the information provided by Wireshark.

Task 5: Challenge

Discuss how you could use a protocol analyzer such as Wireshark to: (1) troubleshoot the failure of a webpage to download successfully to a browser on a computer, and (2) identify data traffic on a network that is requested by users. Answers could vary: Wireshark could show when a request for a web page failed due to an incorrect URL. User traffic could be monitored to identify errors in source or destination.
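The encapsulation that Task 4 asks you to relate to the layer models, the three groups of FTP PDUs from Task 2 Step 2, and the cleartext login from Task 2 Step 3 can all be made concrete in code. The script below is an added example and is not part of the Cisco lab or of Wireshark itself. It builds constructed Ethernet II / IPv4 frames (a ping echo request and reply, then an FTP login and logout on port 21), decodes them into the same protocol chain Wireshark shows (eth:ip:icmp:data, eth:ip:tcp:ftp), records which byte range of the frame each layer occupies (what the Bytes pane highlights when you click a line of the Details tree), sorts the FTP control segments into the lab's three groups, and, from a defender's point of view, flags USER/PASS commands that cross the wire readable. The MAC addresses, the client address 192.168.254.10 and the password value are made up; 192.168.254.254 and client port 1292 come from the lab; all function names are my own.

```python
"""Added example (not from the Cisco lab): decode constructed Ethernet II / IPv4 frames the way
Wireshark's Packet Details pane does, group FTP control segments into the lab's three phases,
and flag FTP credentials that cross the wire in cleartext."""
import struct

# Constructed addresses: the client MAC/IP are made up; 192.168.254.254 is the lab's Eagle Server.
PC_MAC, SRV_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PC_IP, SRV_IP = bytes([192, 168, 254, 10]), bytes([192, 168, 254, 254])
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

def checksum(data):
    """RFC 1071 one's-complement sum, used for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return ~s & 0xFFFF

def frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II + IPv4 header (no options) wrapped around a layer-4 payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + l4

def icmp_echo(kind, seq, data=b"abcdefghijklmnopqrstuvwabcdefghi"):
    """ICMP echo request (type 8) or reply (type 0) carrying the 32-byte data Windows ping sends."""
    body = struct.pack("!BBHHH", kind, 0, 0, 1, seq) + data
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def tcp(sport, dport, flags, payload=b""):
    """TCP header without options; checksum left zero because decode() does not verify it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload

def decode(buf):
    """Return (protocol chain, layers); each layer records the (start, end) byte offsets the
    Bytes pane would highlight when that line of the Details tree is selected."""
    layers = {"Ethernet II": {"src": buf[6:12].hex(":"), "dst": buf[:6].hex(":"), "bytes": (0, 14)}}
    if buf[12:14] != b"\x08\x00":  # EtherType other than IPv4: this decoder stops at layer 2
        return "eth", layers
    ihl, total, proto = (buf[14] & 0x0F) * 4, struct.unpack("!H", buf[16:18])[0], buf[23]
    l4, end = 14 + ihl, 14 + total
    layers["Internet Protocol"] = {"src": ".".join(map(str, buf[26:30])), "dst": ".".join(map(str, buf[30:34])), "bytes": (14, l4)}
    if proto == 1:
        kind = {8: "Echo (ping) request", 0: "Echo (ping) reply"}.get(buf[l4], buf[l4])
        layers["ICMP"] = {"type": kind, "checksum ok": checksum(buf[l4:end]) == 0, "bytes": (l4, l4 + 8)}
        return "eth:ip:icmp" + (":data" if end > l4 + 8 else ""), layers
    if proto == 6:
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", buf[l4:l4 + 14])
        doff = (off >> 4) * 4
        names = [n for bit, n in ((FIN, "FIN"), (SYN, "SYN"), (PSH, "PSH"), (ACK, "ACK")) if flags & bit]
        layers["TCP"] = {"sport": sport, "dport": dport, "flags": "[%s]" % ", ".join(names), "bytes": (l4, l4 + doff)}
        payload = buf[l4 + doff:end]
        app = {21: "ftp", 20: "ftp-data", 80: "http"}.get(min(sport, dport))  # well-known side of the pair
        if payload and app:
            layers[app] = {"text": payload.decode("ascii", "replace").rstrip(), "bytes": (l4 + doff, end)}
            return "eth:ip:tcp:" + app, layers
        return "eth:ip:tcp", layers
    return "eth:ip", layers

def ftp_phase(layers):
    """Lab grouping of one FTP control segment: 1 = connect and log in, 2 = request and transfer,
    3 = log out and tear down. None for anything not on the FTP control connection."""
    t = layers.get("TCP")
    if not t or 21 not in (t["sport"], t["dport"]):
        return None
    text = layers.get("ftp", {}).get("text", "")
    if "FIN" in t["flags"] or text.startswith(("QUIT", "221")):
        return 3
    if text.startswith(("RETR", "PORT", "200", "150", "226")):
        return 2
    return 1

def cleartext_credentials(frames):
    """Detection rule: report USER/PASS commands readable on the wire. The password value is
    deliberately not copied into the finding; only the fact of exposure is recorded."""
    hits = []
    for f in frames:
        chain, layers = decode(f)
        text = layers.get("ftp", {}).get("text", "")
        if chain.endswith(":ftp") and text.startswith(("USER ", "PASS ")):
            ip = layers["Internet Protocol"]
            hits.append("%s -> %s: %s" % (ip["src"], ip["dst"], text if text.startswith("USER") else "PASS <redacted>"))
    return hits

def sample_session():
    """Constructed capture: one ping exchange, then an FTP login and logout on port 21."""
    def c2s(proto, l4): return frame(PC_MAC, SRV_MAC, PC_IP, SRV_IP, proto, l4)
    def s2c(proto, l4): return frame(SRV_MAC, PC_MAC, SRV_IP, PC_IP, proto, l4)
    return [
        c2s(1, icmp_echo(8, 1)), s2c(1, icmp_echo(0, 1)),
        c2s(6, tcp(1292, 21, SYN)), s2c(6, tcp(21, 1292, SYN | ACK)), c2s(6, tcp(1292, 21, ACK)),
        s2c(6, tcp(21, 1292, PSH | ACK, b"220 Welcome to the eagle-server FTP service.\r\n")),
        c2s(6, tcp(1292, 21, PSH | ACK, b"USER anonymous\r\n")),
        s2c(6, tcp(21, 1292, PSH | ACK, b"331 Please specify the password.\r\n")),
        c2s(6, tcp(1292, 21, PSH | ACK, b"PASS guest@example.com\r\n")),
        s2c(6, tcp(21, 1292, PSH | ACK, b"230 Login successful.\r\n")),
        c2s(6, tcp(1292, 21, PSH | ACK, b"QUIT\r\n")), s2c(6, tcp(21, 1292, PSH | ACK, b"221 Goodbye.\r\n")),
        c2s(6, tcp(1292, 21, FIN | ACK)), s2c(6, tcp(21, 1292, FIN | ACK))]

if __name__ == "__main__":
    for f in sample_session():
        chain, layers = decode(f)
        print(chain, layers.get("TCP", {}).get("flags", ""), "phase:", ftp_phase(layers))
    print(cleartext_credentials(sample_session()))
```

Run directly, the script prints one line per frame with the same chain and flag notation the Packet List pane uses, followed by the two credential findings. The finding for PASS records only that a password was visible, not its value, which is the property a monitoring rule should log; the byte ranges stored under "bytes" are the same offsets the Bytes pane highlights when you click the Ethernet II, Internet Protocol, TCP or ICMP line in the Details tree.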