15-441 Networks - Spring 2006 - Lab GURUs: Joshua Hailpern and David Murray Due: Friday, May 3 Welcome to the Networks Lab. What is a lab? Well it is more hands on then a homework, but unlike a project, there is very little coding. The purpose is to show you how to use “real world” tools to tackle “real world” networking issues. You should not expect to spend more than 2-3 hours on this assignment. Please read through this lab before starting it. Lab Overview Most of this lab can be done on “your own schedule.” Do some today, some tomorrow, some next week. However, for QUESTION 4 and 5, you must sign up for a 1 hour block of time to use the netclass machines 9 and 10. When you log in, please run either the w or who command to make sure you are alone on the machines; if you are not alone, please contact us. The sign up sheet will be on the door of the course secretary’s office. Hand-in Please do electronic submission like we have done for previous homework assignments. Setting Up Fish Machines 1. Create a directory in your Andrew home directory called 15-441. 2. Now you need to give access to campusnet so type the following: a. %fs sa /afs/andrew.cmu.edu/usr/<username> system:campusnet all b. %fs sa /afs/andrew.cmu.edu/usr/<username>/15-441 system:campusnet all 3. Create a file called .klogin inside the 15-441 folder which contains: a. [email protected]. b. Make sure the domain suffix is capitalized. 4. Create a another file called .login inside the 15-441 folder which contains: a. aklog andrew.cmu.edu 5. You cannot use unsecure telnet to connect to netclass machines. We will only support using SSH to connect to the netclass machines. On UNIX, the full command that you can use to login is: a. ssh -1 –l [email protected] netclass-<Y>.intro.cs.cmu.edu b. (<Y> ranges from 1-8; note: the first flag is “one” and the second is “ell”). 6. The password is your CMU Andrew password. 7. When you are done with the lab, please make sure to perform step 2 again, but either remove all permissions or set to “l”.Question 1: Determining Important Hardware Addresses aka *69 The hardware addresses on our LAN are 6 byte Ethernet addresses. We want to know two hardware addresses on the LAN: the address of the machine on which you are running the Analyzer (ethereal) and a target machine (“netclass-11” or “netclass-12”), which is emitting packets to the other machines on the LAN and from which you will be sniffing the network traffic. 1. SSH to one of the netclass machines (1-8). Use the ping command to contact “netclass-12.intro.cs.cmu.edu” (you may substitute “netclass-12” for this, as you are on a machine which shares the same domain, intro.cs.cmu.edu). ping will cause your local host to create an entry in its ARP cache for the hardware address of the corresponding interface on the machine named “netclass-12”. Find the IP and Hardware addresses of “netclass-12”. Write the addresses in the spaces provided below: IP address:______________________ HW address: ____:____:____:____:____:____ 2. Now we want to get the Ethernet hardware address and the IP (inet) address for both Ethernet interfaces on netclass-8. netclass-8 eth0 IP address:____________________ HW address: ____:____:____:____:____:____ netclass-8 eth1 IP address:____________________ HW address: ____:____:____:____:____:____ 3. Determine which Ethernet interface is used for the default route on netclass-8 (use the man pages as a guide to find the command to use) __________________.Question 2: Capturing and Viewing Packets aka the dump Open up a terminal window. Since you don’t have write access to the directories other than the local temporary directory, cd to “/tmp”. Create a subdirectory with your username. You will create your dumpfile (the file that will contain the captured packets) in that subdirectory. Note: you can also save to your Andrew space, assuming that you have given the correct permissioned to Campusnet (see setup instructions). You will capture the packets using tethereal which is in /usr/bin. First run tethereal –help to see the command line options. We want to capture 500 packets from the external traffic (hint: there are 2 Ethernet cards on each PC: eth0 and eth1). You need to determine which one is dealing with the LAN traffic and which one is connected outside (which would mean you will see telnet packets when you look at the dump). Save the packets you sniff to a file (so that we can look at them with a graphical interface next). Now start up /usr/bin/ethereal (make sure your X-Server is running; see XWindows documentation for details). Ethereal will ask for the root password—just choose “Run unprivileged”. When ethereal is started up it will have three empty panes. Go to File -> Open and open up the capture file. Select the “+” sign in front of each of the protocol layers to get more details about each protocol header. (a) View the captured broadcast packet data. Select the “Source” column to sort the packets by the source address. What is the most common source address? Why? (b) List all of the protocols (ncp, sap, tcp, icmp, arp, udp, etc.) in your capture. (c) Which protocol is most common? Why? (d) Select a packet in the top frame that is labeled as a TCP packet. Determine the following values for this packet: Ethernet destination address: ___:___:___:___:___:___ IP source address ___.___.___.___ IPTTL _______ TCP source port ________ (e) Select the “header length” field of the IP header. This should cause a byte in the raw data pane to be highlighted. What value does this byte have and what does it mean?Question 3: TCP Forensics aka CSI Networks Note: this question does not require you to use the 441 lab netclass machines. You are the TCP specialist at the FBI. One day an FBI agent gives you a packet trace of a TCP connection between two machines on the Internet. The trace is believed to contain important information pertaining to national security. This packet trace contains 113 packets, most of them IP packets. Each line in the trace is one packet, identified by its packet number (from 0 to 112). The rest of the line is a sequence of bytes, represented as hex numbers. For example, consider the first line of the trace: 0 45 00 00 2c f2 7b 00 00 40 06 da 71 80 02 dc 8a 80 02 d1 4f 6a b0 00 17 43 97 0e d6 00 00 00 00 60 02 02 00 2b 13 00 00 02 04 05 b4 00 00
View Full Document
Unlocking...