The goal of this assignment is to help you understand what is going on in the network by seeing and focusing on exactly what bits, packets, and information flows across a network link. This task is rather difficult because network protocol designers have worked hard to provide significant abstraction to the higher layer applications (and they have done an excellent job). Therefore, as a user (and at the highest layer of the protocol stack), you are able to see very little of what happens in the network. However, there are tools that we can use.
The goal of this assignment is to examine real protocols in use and understand the communication that takes place in a network by examining the bits that flow across a network hop. Using the right tools, you will be able to inspect the the DLL/MAC, Network, Transport, and Application layers.
For this assignment you will use the application Wireshark (once upon a time called Ethereal and before that TCPdump). Wireshark lets a user capture packets from the network in real-time and/or save them for viewing at a later time. When running Wireshark you should see something like Figure 1. Wireshark is available for most platforms, including Windows, from http://www.wireshark.org/. It is also available in the CSIL lab either in KDE under “Internet”, or by simply typing “wireshark” at the command line.
Wireshark usually requires “root privilege” to run. Of course, this is a good thing because it should be hard to capture packets on the network! So, the capturing has been done for you, and a capture file has been created. Take the f20-176-proj-trace.pcapng file (right click and use the “Save Link As…” option). The file is also posted on GauchoSpace. Use it as the source file for Wireshark (HINT: do a “man wireshark” and look at how to use the -r option.).
While you cannot run Wireshark to snoop packets off the network in real-time without root privilege, you can run Wireshark on a file without any additional permissions. Part of doing this assignment well is learning how to effectively use Wireshark, so you will likely want to read and/or reference the User’s Guide. You will also want to use the GUI in Wireshark to more closely investigate what is happening in the homework trace.
Some of the things going on in the trace will contain protocols we have not yet gone over in class, have covered only very briefly, or won’t ever cover. You will have to use the course textbook or Google as references to find information about all of these protocols. Finally, Piazza will be used extensively to answer questions about the trace. So be prepared to ask questions.
So, how should you proceed? Start by considering the following questions:
- How many total packets are in the trace file?
- What DLL/MAC layer addresses can be seen in the trace?
- What IP addresses can be seen in the trace?
- How do the DLL/MAC and IP addresses map to each other?
- What is the Ethernet packet type and what does it mean?
- Can you tell from the trace file which Ethernet card is used to capture the traffic data, a normal 10/100M Ethernet card or an 802.11b wireless card?
- Can you deduce anything about the network topology on which this trace was taken, i.e. on which machine is the trace being taken? How many hosts are on the local network? What is the default gateway? What is the network mask? Which hosts are on the local network? Which ones are remote?
- How “far” away are the remote hosts?
- What different IP packet types can be seen what does each mean?
- Does IP fragmentation occur?
- Why would some packets have the “Don’t fragment” bit set?
- Why the difference in the TTL values? If there was suddenly a change in the reported TTL, what would that be an indicator of?
- Are there any protocols that appear to be operating differently than as described in class?
- Assuming there is some web traffic in the trace, do you see any cookies? What can you say about the cookies that are in the file?
- This packet trace is full of surprises, especially for someone who has never looked at a packet trace in detail before. Think about some of the things that were surprising to you and pursue those further to understand what is happening.
One of the key aspects of this assignment is developing a way of organizing all of the information in the trace into something coherent and meaningful. This aspect of the assignment will be as important to your grade as understanding the trace–if you can’t explain what’s there, how will we know what you see in the trace?
The format for your write-up will be a single PDF report/file. Within the report, you are free to organize information about the packet trace in any way you like. To use an over-used phrase: think outside of the box-you definitely will not just want to just describe each packet one by one. Use some creativity in organizing how to present the vast amount of information in the packet trace in a way that conveys your understanding of what is in the trace. Note, being “creative” is not a substitute for technical thoroughness.
The single most helpful suggestion I can give you is: consider if you were reading a report about a packet trace, how would you want to see the information organized so that it provided you a detailed description of what is in the packet trace, what the packets represent, and what activity has been captured? For example, let’s say you were a network administrator at a company and you had assigned an employee to monitor the network for certain kinds of behavior and then write a report on what was happening. What would that report look like?
Before even starting your write-up, you should first think about the questions listed above, what kind of information they ask about, and what the answers are. In other words, first think about what is happening in the trace and then start to organize that knowledge into a report.
When it comes to the write-up, you definitely will not want to just include the list of questions with answers. You’ll need to better organize the information in the trace. But knowing the answers is a critical first step before you can think much about how to organize your report. In addition to the individual questions, you will also want to pay attention to some high level questions, including the following: What activity did the trace capture? What does the local network topology look like (and what nodes/devices have what addresses)? Who sent traffic and to whom? Who responded?
As a high-level goal, try to present the trace in a way that provides multiple levels of detail. For example, first describe whatever you can about devices in the network (e.g., hosts, switches, routers, printers) and “where” they are located with respect to each other. Then describe the data flows (transport layer). Then describe the packets in a flow. At each level, you will want to describe the basics of what the packets are, including headers and anything you can glean about the data. You will also want to identify and attempt to explain anything unusual you see in the trace.
Organizing the large amount of information in the trace into a clear and coherent format will be one of the harder parts of the assignment. Because there is so much information, you will have to make some important decisions and use some creative solutions to clearly convey to a reader what is happening.
If you are still reading, a couple more hints. First, explore the various menus within Wireshark. There are some nice analysis options that will allow you to understand what is happening. Second, use a filter to try and eliminate “noise” from the trace. In the packet trace, I collected ALL packets. It will help you understand the “main” aspects of the trace by first filtering out miscellaneous/background packets. But once you have figured out the main aspects, you can go back and analyze the miscellaneous packets separately.