Lab: Wireshark ARP

In this lab, we’ll investigate the Ethernet protocol and the ARP protocol, which an IP host uses to discover the Ethernet (MAC) address belonging to an IP address on its local network, either that of the destination host itself or of the next-hop router. An ARP request is broadcast to every station on the segment and the reply is cached by the requester, so the exchange is short and easy to spot in a capture.

Objectives:

In this lab exercise you will complete the following tasks:

1. Capture and analyze Ethernet frames.

2. Capture and analyze ARP request and reply frames.

Remember to read the report requirements at the end of this document to see what is necessary to hand in. You may be required to take screenshots as you proceed.

Step 1. Log on to your VMware virtual machine as directed on the following website:

https://www.up.ist.psu.edu/vhol/gettingstarted-web.php

The password for Administrator is “password”.

Task 1: Capture and Analyze Ethernet Frames.

Step 1. First, clear your browser’s cache AND your ARP cache (IMPORTANT!). Clearing both forces Firefox to fetch the page again and forces the kernel to resolve 192.168.0.2 again, so both the HTTP GET and the ARP request/reply pair will appear in your capture.

a. Open Firefox (Applications > Internet > Firefox). Go to History > Clear Recent History. In the “Time range to clear” drop-down menu, select “Everything”. Check all checkboxes and then click the “Clear Now” button.

b. Open Terminal (Applications > Accessories > Terminal).

Then type sudo arp -d 192.168.0.2 and, when prompted, enter the word password. This removes the cached entry for 192.168.0.2; before you start capturing, confirm with arp -n that the entry is gone (or shown as incomplete).

Step 2. Next, start Wireshark and begin capturing traffic.

a. Go to Applications > Internet > Wireshark.

b. In the terminal window that appears, type the word password (no quotes) as the password and press Enter.

c. Click “OK” on the warning that running as user ‘root’ can be dangerous.

d. In the main window (not the File menu), under the “Capture” heading, find the “Interface” list and select your Ethernet interface, which is named eth followed by a number (for example eth0). Do not select the loopback interface lo: the traffic to 192.168.0.2 does not pass through it.

e. Go to Analyze > Enabled Protocols, scroll down to “IPv4” and make sure it is checked. Click “OK.”

Step 3. Enter the following URL into your Firefox browser: http://192.168.0.2/scarlet.txt. Your browser will display A Study in Scarlet by Sir Arthur Conan Doyle.

Step 4. Stop the Wireshark packet capture by clicking the toolbar icon that looks like a network card with a red ‘X’ on it (the fourth icon from the left).

Step 5. Locate the HTTP GET message and the HTTP response.

a. First, find the packet number of the HTTP GET message that was sent from your computer to 192.168.0.2 (the leftmost column in the upper Wireshark window). Write it down. If the capture is busy, the display filter http.request.method == "GET" shows only the GET requests.

b. Also locate the beginning of the HTTP response message sent to your computer by 192.168.0.2. You should see a screen that looks something like this (where packet 6 in the screenshot below contains the HTTP GET message).

Step 6. In order to answer the following questions, you’ll need to look into the packet details and packet bytes panes (the middle and lower display windows in Wireshark).

a. Select the Ethernet frame containing the HTTP GET message. Recall that the HTTP GET message is carried inside a TCP segment, which is carried inside an IP datagram, which is carried inside an Ethernet frame.

b. Expand the Ethernet II information in the packet details pane. Note that the contents of the Ethernet frame (header as well as payload) are displayed in the packet bytes pane, the hex dump in the lowest window. Clicking a field in the details pane highlights its bytes there, which is the easiest way to find a field’s offset from the start of the frame.

Answer the Following Questions (Question Set 1)

Answer the following questions, based on the contents of the Ethernet frame containing the HTTP GET message. When answering a question you should take a screenshot of the packet(s) within the trace that you used to answer the question asked. Annotate the screenshot to explain your answer.

1. What is the 48-bit Ethernet address of your computer?

2. What is the 48-bit destination address in the Ethernet frame? Which machine has this as its Ethernet address?

3. Give the hexadecimal value for the two-byte Frame type field.

Next, answer the following questions, based on the contents of the Ethernet frame containing the first byte of the HTTP response message. This is the frame carrying the HTTP status line (for example HTTP/1.1 200 OK); the beginning of the book A Study in Scarlet, including the words “Project Gutenberg”, normally appears in the bytes pane of the same frame.

4. What is the value of the Ethernet source address? What device has this as its Ethernet address?

5. What is the destination address in the Ethernet frame? Is this the Ethernet address of your computer?

6. Give the hexadecimal value for the two-byte Frame type field.

Task 2: Analyze ARP Frames.

In Wireshark, look at the frames that use the ARP protocol (the display filter arp shows only these). One of the first things you will notice is the message listed in the Info column of the packet. It says “Who has 192.168.0.2? Tell 192.168.0.100” in the image below. Your packets will use somewhat different numbers because your addresses will be different, or because you might be looking at an ARP packet sent by one of your classmates. The packet is a broadcast message, addressed to every station on the segment (Ethernet destination ff:ff:ff:ff:ff:ff), asking whichever host owns the listed IP address to report its MAC address.

Next, look at the responding ARP packet (the ARP reply).

Notice the sender address: the owner of the IP address responded, and the reply is sent unicast straight back to the requester rather than broadcast. Also notice the target MAC address. In the request, the target MAC address is all zeros, because it is the unknown value being asked for. In the reply the roles swap: the sender fields now carry the MAC and IP address of the host that owns the queried IP (this is the answer), and the target fields carry the MAC and IP address of the original requester. Nothing in either message authenticates the responder; the requester caches whatever reply arrives, which is the weakness exploited by the ARP poisoning and spoofing material in the links at the end of this lab.

Answer the Following Questions (Question Set 2)

7. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP request message? What is the Target MAC address? What is the significance of this MAC address?

8. Give the hexadecimal value for the two-byte Ethernet Frame type field.

9. Download the ARP specification from ftp://ftp.rfc-editor.org/in-notes/std/std37.txt. A readable, detailed discussion of ARP is also at http://en.wikipedia.org/wiki/Address_Resolution_Protocol

a. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?

b. What is the value of the opcode field within the ARP payload part of the Ethernet frame in which an ARP request is made?

c. Does the ARP message contain the IP address of the sender?

d. Where in the ARP request does the “question” appear, that is, the field that should hold the Ethernet address of the machine whose IP address is being queried?

10. Now find the ARP reply that was sent in response to the ARP request.

a. How many bytes from the very beginning of the Ethernet frame does the ARP opcode field begin?

b. What is the value of the opcode field within the ARP payload part of the Ethernet frame in which an ARP response is made?

c. Where in the ARP message does the “answer” to the earlier ARP request appear, that is, the Ethernet address of the machine whose IP address was being queried?

11. What are the hexadecimal values for the source and destination addresses in the Ethernet frame containing the ARP reply message?
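
The field layout behind Question Sets 1 and 2 (Ethernet source/destination and EtherType, then the ARP opcode offset, the request and reply opcodes, the zeroed target MAC and the swapped sender/target roles), as an added worked example in Python that is not part of the original lab. It builds constructed frames rather than reading your capture: the MAC addresses (including the “rogue” one) are hypothetical, the IP addresses are the lab’s 192.168.0.2 and 192.168.0.100, and the IP and TCP checksums are left at zero because the frames are only parsed, never sent. Field names and offsets follow RFC 826 and Wireshark’s Ethernet II dissector.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType (14 bytes)
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # minimal 20-byte IPv4 header
TCP_HDR = struct.Struct("!HHIIBBHHH")       # minimal 20-byte TCP header
ARP_MSG = struct.Struct("!HHBBH6s4s6s4s")   # RFC 826: htype, ptype, hlen, plen, op, sha, spa, tha, tpa

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
# The opcode follows the 14-byte Ethernet header plus htype(2) + ptype(2) + hlen(1) + plen(1).
ARP_OPCODE_OFFSET = ETH_HDR.size + 6        # 0-based byte offset 20, i.e. the 21st byte of the frame


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP message; requests are broadcast with an all-zero target MAC."""
    if op == ARP_REQUEST:
        eth_dst, target_mac = BROADCAST, b"\x00" * 6
    else:
        eth_dst = target_mac                # replies are unicast back to the requester
    return ETH_HDR.pack(eth_dst, sender_mac, ETHERTYPE_ARP) + ARP_MSG.pack(
        1, ETHERTYPE_IPV4, 6, 4, op, sender_mac, sender_ip, target_mac, target_ip)


def build_http_get(src_mac, src_ip, dst_mac, dst_ip, payload):
    """Ethernet/IPv4/TCP frame carrying an HTTP request (checksums zero: parsed here, never sent)."""
    tcp = TCP_HDR.pack(40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + ip + tcp


def parse_frame(frame):
    """Return the Ethernet header fields plus an IPv4 or ARP summary like Wireshark's Info column."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    info = {"eth_dst": mac_str(dst), "eth_src": mac_str(src),
            "ethertype": f"0x{ethertype:04x}", "broadcast": dst == BROADCAST}
    if ethertype == ETHERTYPE_ARP:
        _, _, _, _, op, sha, spa, tha, tpa = ARP_MSG.unpack_from(frame, ETH_HDR.size)
        info.update(opcode=op, opcode_offset=ARP_OPCODE_OFFSET,
                    sender_mac=mac_str(sha), sender_ip=ip_str(spa),
                    target_mac=mac_str(tha), target_ip=ip_str(tpa))
        if op == ARP_REQUEST:
            info["summary"] = f"Who has {ip_str(tpa)}? Tell {ip_str(spa)}"
        elif op == ARP_REPLY:
            info["summary"] = f"{ip_str(spa)} is at {mac_str(sha)}"
    elif ethertype == ETHERTYPE_IPV4:
        ver_ihl, _, _, _, _, _, proto, _, src_ip, dst_ip = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
        info.update(src_ip=ip_str(src_ip), dst_ip=ip_str(dst_ip), proto=proto)
        if proto == 6:                      # TCP: skip the IP and TCP headers to reach the HTTP bytes
            tcp_start = ETH_HDR.size + (ver_ihl & 0x0F) * 4
            payload = frame[tcp_start + (frame[tcp_start + 12] >> 4) * 4:]
            if payload.startswith(b"GET "):
                info["summary"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return info


def reply_matches_request(request, reply):
    """Consistency check: the reply claims the queried IP and is addressed back to the requester."""
    req, rep = parse_frame(request), parse_frame(reply)
    return (req.get("opcode") == ARP_REQUEST and rep.get("opcode") == ARP_REPLY
            and rep["sender_ip"] == req["target_ip"]
            and rep["target_mac"] == req["sender_mac"]
            and rep["eth_dst"] == req["eth_src"])


def conflicting_claims(frames):
    """IPs claimed by more than one MAC across ARP replies: the signature of a poisoned cache."""
    claims = {}
    for frame in frames:
        p = parse_frame(frame)
        if p.get("opcode") == ARP_REPLY:
            claims.setdefault(p["sender_ip"], set()).add(p["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed samples: the MACs are hypothetical, the IPs are the ones used in the lab.
HOST_MAC, HOST_IP = bytes.fromhex("001122334455"), bytes([192, 168, 0, 100])
SERVER_MAC, SERVER_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 0, 2])
ROGUE_MAC = bytes.fromhex("ccddeeff0011")

ARP_REQ = build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, b"\x00" * 6, SERVER_IP)
ARP_REP = build_arp(ARP_REPLY, SERVER_MAC, SERVER_IP, HOST_MAC, HOST_IP)
FORGED_REP = build_arp(ARP_REPLY, ROGUE_MAC, SERVER_IP, HOST_MAC, HOST_IP)  # another MAC claims 192.168.0.2
HTTP_GET = build_http_get(HOST_MAC, HOST_IP, SERVER_MAC, SERVER_IP,
                          b"GET /scarlet.txt HTTP/1.1\r\nHost: 192.168.0.2\r\n\r\n")

if __name__ == "__main__":
    for frame in (HTTP_GET, ARP_REQ, ARP_REP):
        print(parse_frame(frame))
    print("genuine reply consistent:", reply_matches_request(ARP_REQ, ARP_REP))
    print("forged reply also passes:", reply_matches_request(ARP_REQ, FORGED_REP))
    print("conflicting claims:", conflicting_claims([ARP_REQ, ARP_REP, FORGED_REP]))
```

Run it and compare the printed summaries with the Info column for your own ARP request and reply; the opcode_offset value is the number asked for in questions 9a and 10a, and ARP_REQ[20:22] and ARP_REP[20:22] are the two-byte opcodes of questions 9b and 10b. reply_matches_request only checks that a reply is shaped like the answer to a request: the forged reply from ROGUE_MAC passes it too, because ARP carries no authentication. conflicting_claims is the simplest check that actually notices the problem, two different MACs claiming 192.168.0.2 within the same capture.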

Interesting Links:

http://www.youtube.com/watch?v=1ujt0lSs-QY&feature=related Address resolution

http://www.youtube.com/watch?v=9z8i9SQr_s8 ARP poisoning

http://www.hackinthebox.org/modules.php?op=modload&name=News&file=article&sid=12868&mode=thread&order=0&thold=0 Guide to ARP Spoofing

https://tools.ietf.org/html/rfc826 ARP RFC (RFC 826)

Wireshark ARP Report

Note: This is an individual lab assignment. Each student needs to work on and submit his/her report independently.

Clearly state the results of this project. You are expected to hand in a report in the following format:

A cover page (including the lab title) with your name and Penn State email address.

A table of contents with page numbers.

Numbered pages. Font size 12, single column.

Save the Microsoft Word document with your name in the title. Upload the document into the appropriate Canvas dropbox.

The report should have the following sections. Each section should cover all the topics described below. Take screenshots where necessary.

Section I (40 pts): Question Set 1

You should have the following parts:

1. Include a screenshot of the HTTP GET message and the first HTTP response message.

2. Answer questions 1-6. Annotate the screenshots to explain your answers.

Section II (60 pts): Question Set 2

1. Include a screenshot of the ARP request message and the ARP reply message.

2. Answer questions 7-11. Annotate the screenshots to explain your answers.