IDENTIFYING TCP CONVERSATIONS
The purpose of this lab is to practice examining traffic with a display filter.
A packet trace of normal network traffic will contain more than just the packets you want to look at. You can apply a display filter to isolate conversations within the trace. For this exercise you will use a trace file of a student at home using a browser to connect to UMUC. The trace captures the traffic that resulted when the student pointed a browser to www.umuc.edu.
If you are using an older, or newer version of ethereal/wireshark, or different OS some of the buttons may be in different windows or positions.
I. Answer the following questions about trace file www_umuc_edu.cap.
1. Download trace file www_umuc_edu.cap (see attached) and open it with Wireshark.
2. Find the first TCP handshake. These are packet numbers ____, _____, and _____.
3. What is the IP address of the host that started the handshake? __________________.
4. What is the TCP port connection pair for this handshake? ______, ______.
5. In the first packet of the handshake, the source port is the ephemeral port this host wants to use for the connection, and the destination port indicates the application the host wants to use on the serving host. What application does the host want to use on the serving host?______________
6. Look at packet number 14. Is this part of the conversation initiated by the first handshake? ______
II. Build a filter to see only the first handshake and the conversation for this connection.
1. Click Analyze (or &Edit& on other versions of ethereal) and select Display Filters from the drop-down list. This brings you to the Edit Display Filters List.
2. Click &Expression&
3. Expand TCP (click the plus sign next to TCP), and highlight &Source or Destination Port&.
4. In the Relation section highlight == .
5. In the Value field type the source port used by the host that initiated the conversation. (The source port should be 1097 in this example).
6. Click &OK&. Now there is a filter string in the Edit Display Filter List window. (The filter string should be &tcp.port == 1097&.)
7. In the Filter name box type &Conversation on 1097&.
8. Click New, then OK. Now you have defined a filter (but not yet applied it).
III. Answer question 4.
The handshake establishes the initial sequence numbers for each connection. Try to follow the sequence numbers in the conversation. Now change the display to show relative sequence numbers:
1. Click Edit and select Preferences from the drop-down list.
2. Drill down into Protocols until you get to TCP.
3. Highlight TCP and select the options, &Analyze TCP sequence numbers& and &Relative sequence numbers and window scaling.& Click OK. Try again to follow the sequence numbers.
4. You cannot see the &next sequence number& in the summary pane for packet number 6. Look for it in the protocol tree pane. Explain why packet number 7 says &ACK =344.&
IV. Extra practice
If you would like to try the same exercise on another trace file without the hints, you can practice on link_to_umuc.cap. This is a trace of a student who is already at www.umuc.edu/students/ clicking on the link to enter the online class. Or, if you want to capture function of Ethereal, you will need to download and install the packet driver, winpcap, from http://netgroup.polito.it/tools . (Note: For privacy or security reasons, the network usage policy at your place of work may not allow you to use packet sniffing software on the network. Do not practice capturing network traffic at work without first checking the policy and obtaining written permission from your employer.)
Attached you may find the files needed for this lab.
This exercise does not specify that you should perform the trace yourselves, because not all of you may have permissions to do that. However, it does encourage those who can make their own captures, and it would be great if some of you could do that and post your traces for discussion.
The prerequisites are listed:
If you want to capture your own packets, you will need Winpcap. The download location is given in the last section of the exercise (http://netgroup.polito.it/tools).
Winpcap is the packet driver that sets the network interface in promiscuous mode. Without it, the NIC simply ignores frames not addressed to it, and it won’t echo anything up to the packet analyzing application. However, some of you will not be able to install the packet driver (because it talks directly to the network interface hardware and may violate a workstation policy), and others may not be able to use the driver (because of settings in a personal firewall or IDS).
2. Clear browser cache
Those who can run the driver do need to clear their browser cache. Otherwise, the browser will simply display what’s in the cache instead of initiating the new connection they are trying to capture.
A firewall on your network is unlikely to prevent anyone from capturing files. However, a firewall on the network probably also means you are using someone else’s network and shouldn’t be capturing files on it anyway, without permission of the owner. On the other hand, a firewall or IDS installed directly on the your computer could prevent you from capturing packets, depending how the firewall/IDS is configured.
You are welcome to view attached Dick Hazeleger’s &Packet Sniffing – A Crash Course.& It’s especially non-threatening and very encouraging.
Also you may see Mike Schiffman’s book, Building Open Source Network Security Tools: Components and Techniques, (Wiley, 2003). This book shows how to use the libraries included with Ethereal (and TCPDump, WinDump, etc) to actually replay packets.