Lab 2


This lab introduces the virtual networks we will use for the next 3 labs, and the tcpdump and Wireshark tools used for analyzing network traffic.

Virtual machines and networks

For this and the following two labs we will be using virtual machines and networks running on two servers called cgs4285-a.cs.fiu.edu and cgs4285-b.cs.fiu.edu. There will be 18 groups of 2 students each, and each group will use its own set of virtual machines.

Each server has 5 virtual machines. In each lab you will be using 3 of the 5 virtual machines. The "cgs4285-mon" (monitor/router) virtual machine is used in all labs. cgs4285-lab2-lab4-linux and cgs4285-lab2-lab4-windows are used for lab 2 and lab 4. cgs4285-lab3-linux and cgs4285-lab3-windows are used in lab 3. The virtual machines are connected via virtual switches. The Windows system is on network 1 (net1) and the Linux machine is on network 2 (net2). The monitor/router machine is connected to both net1 and net2, as well as to the outside world.

Here is a combined physical and logical diagram for the networks.
Network diagram in JPG format
Network diagram in PDF format

From a client workstation (such as the workstations in the JCCL or ECS141) you use the tightvnc program to connect. The connection is to cgs4285-a.cs.fiu.edu:GX or cgs4285-b.cs.fiu.edu:GX, where G is your group number on that machine (-a or -b) and X is the virtual machine number (1-5).

X =
	1 - monitor - used in all labs
	2 - lab2-lab4-windows - used in lab2 and lab4
	3 - lab2-lab4-linux - used in lab2 and lab4
	4 - lab3-windows - used in lab3
	5 - lab3-linux - used in lab3

For example, if your group is on cgs4285-a.cs.fiu.edu and is group 1, and you want to start up the 3 virtual machines for lab 2, you would use tightvnc to connect to remote host cgs4285-a.cs.fiu.edu:5911 for the monitor machine. You would use cgs4285-a.cs.fiu.edu:5912 to connect to the Windows machine and cgs4285-a.cs.fiu.edu:5913 to connect to the Linux machine. The instructor will give you the password.

On the monitor and linux systems you will be at a text command prompt. For the Windows system you will want to start a "shell" window by right clicking the lower left windows icon then choosing "Command Prompt (Admin)" from the menu.

Using tcpdump and Wireshark

We are going to use 'tcpdump' on the monitor station to collect frames from one or both of the two networks. 'tcpdump' is a sniffing program which captures all packets/frames that it sees on an interface (i.e. eth0, eth1) and either prints them out or stores them in a file in a format known as "pcap". For this lab we will save our packets/frames in pcap format.

The frames will be generated by the end workstations (Linux or XP) using the ping command. They will be collected using the tcpdump command on the monitor station. The pcap files will be stored in the /tmp folder on the monitor station, and we will use the 'scp' command to copy the files over to the JCCL (ECS-241) workstations for further analysis with Wireshark.

About Wireshark

When you open a .pcap file with Wireshark you will see 3 main display areas. You can adjust the size of each area with the mouse. The top area shows each packet/frame in the pcap file on a separate line. Each line has the sequence number, time stamp, source, destination, protocol and other information. When you click on a packet/frame in the top area, more details are shown in the middle and bottom display areas. The middle display area shows a breakdown of the frame/packet at each layer of the protocol stack. The top line gives details about the frame itself. The second line is Layer 2 (MAC/Ethernet) information. The third line is Layer 3 (Network/IP) information. You can click on the + signs to see even more details about each "layer". The bottom display area of Wireshark is a hexadecimal dump of the entire packet/frame. As you click on details in the middle display area, the corresponding bytes in the frame are highlighted.

To save details of a packet/frame or set of packets you will use the Edit->Mark menu and the File->Print menu option of Wireshark. First select the frame you wish to "mark". Then use the Edit->Mark menu option (or the 'ctrl-m' keyboard shortcut) to mark the frame. Repeat for all frames you wish to print details on. Then go to the File->Print menu. Choose Format plain text, Print to file, marked packets only, print detail, all expanded. Then enter a filename and hit OK. Now you have saved the packet details in an ASCII file, which you can include in your report.

The command

	man wireshark 
on the JCCL linux workstation or the web page
	http://www.wireshark.org/docs
will give you much more information about the capabilities of the Wireshark program. There are also man pages available for the 'scp' and 'tcpdump' commands.

Wireshark is available on the JCCL linux and Windows workstations. You can also download it and run it on your home machines.


Lab 2 Procedures

First you will want to collect and make note of each of the Ethernet addresses (MAC addresses) and all the IP addresses on all interfaces of your monitor, linux and Windows workstations. The monitor box has 3 interfaces (eth0, eth1, eth2) and the Windows and linux workstations have one interface (eth0 for linux and "Ethernet adapter local area connection" for Windows).

On the Linux workstations you use the

	ifconfig
command from a shell. The Ethernet address is prefixed by the term HWaddr and is in the format 'xx:xx:xx:xx:xx:xx'; the IP address is prefixed with the term 'inet addr:' and is of the form XX.XX.XX.XX.

On the windows workstations you use the

	ipconfig /all
The Ethernet address is labeled "Physical Address" and the IP address is labeled "IP Address".

Save the IP and Ethernet addresses of each workstation for use in later analysis of the data in all labs, and to turn in. Include the server (cgs4285-a.cs.fiu.edu or cgs4285-b.cs.fiu.edu) and the group number you used. Use this format: cgs4285-X.cs.fiu.edu group Y (X is a or b, Y is your group number)


Machine name      interface name    Ethernet address      IP address

Monitor           eth0              xx:xx:xx:xx:xx:xx     XX.XX.XX.XX
Monitor           eth1              xx:xx:xx:xx:xx:xx     XX.XX.XX.XX
Monitor           eth2              xx:xx:xx:xx:xx:xx     XX.XX.XX.XX
Windows lab2/4    eth0              xx:xx:xx:xx:xx:xx     XX.XX.XX.XX
Linux lab2/4      eth0              xx:xx:xx:xx:xx:xx     XX.XX.XX.XX
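The following script is an added example and not part of the lab handout: it pulls the HWaddr / inet addr fields out of ifconfig output and the Physical Address / IP Address fields out of ipconfig /all output, prints them in the table format used above, and lets you look a MAC address seen later in Wireshark back up in that table. The sample outputs, and every MAC and IP address in them, are constructed for the example (the monitor's eth1 is assumed to be its net1 interface because Step 1 captures net1 on eth1); run it against the output you saved from your own machines instead. The detail worth noticing is that Windows prints MACs as 00-0C-29-... while Linux prints 00:0c:29:..., so both are normalized to one form before any lookup.

```python
import re

# Constructed sample output of 'ifconfig' on the monitor; MACs and IPs are made up.
MONITOR_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:f0
          inet addr:10.100.0.11  Bcast:10.100.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:f1
          inet addr:10.100.1.254  Bcast:10.100.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:f2
          inet addr:10.100.2.254  Bcast:10.100.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Constructed sample output of 'ipconfig /all' on the Windows workstation.
WINDOWS_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-01
   IP Address. . . . . . . . . . . . : 10.100.1.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.100.1.254
"""

MAC_RE = r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"


def normalize_mac(mac):
    """Windows prints 00-0C-29-..., Linux 00:0c:29:...; keep one form so lookups match."""
    return mac.replace("-", ":").lower()


def parse_ifconfig(text):
    """Return [(interface, mac, ip)] from net-tools ifconfig output; skips non-Ethernet interfaces."""
    rows = []
    for block in re.split(r"\n(?=\S)", text.strip()):      # each interface starts in column 0
        head = re.match(r"(\S+)\s+Link encap:Ethernet\s+HWaddr\s+" + MAC_RE, block)
        ip = re.search(r"inet addr:" + IP_RE, block)
        if head:
            rows.append((head.group(1), normalize_mac(head.group(2)), ip.group(1) if ip else ""))
    return rows


def parse_ipconfig(text):
    """Return [(adapter, mac, ip)] from 'ipconfig /all' output."""
    rows = []
    for block in re.split(r"\n(?=\S)", text.strip()):      # each adapter heading starts in column 0
        head = re.match(r"Ethernet adapter (.+):", block)
        mac = re.search(r"Physical Address[ .]*: " + MAC_RE, block)
        ip = re.search(r"IP Address[ .]*: " + IP_RE, block)
        if head and mac:
            rows.append((head.group(1), normalize_mac(mac.group(1)), ip.group(1) if ip else ""))
    return rows


def address_table(entries):
    """entries: [(machine name, rows)] -> lines in the lab's table layout."""
    fmt = "%-16s%-24s%-20s%s"
    lines = [fmt % ("Machine name", "interface name", "Ethernet address", "IP address")]
    for machine, rows in entries:
        for iface, mac, ip in rows:
            lines.append(fmt % (machine, iface, mac, ip))
    return lines


def lookup(mac, entries):
    """Map a MAC address copied from Wireshark back to (machine, interface), or None."""
    wanted = normalize_mac(mac)
    for machine, rows in entries:
        for iface, row_mac, _ in rows:
            if row_mac == wanted:
                return machine, iface
    return None


if __name__ == "__main__":
    entries = [("Monitor", parse_ifconfig(MONITOR_IFCONFIG)),
               ("Windows lab2/4", parse_ipconfig(WINDOWS_IPCONFIG))]
    print("\n".join(address_table(entries)))
    print(lookup("00-0C-29-AA-BB-F1", entries))
```

Paste the real ifconfig and ipconfig /all output into the two strings (or read them from files) and the printed table is the one to turn in; lookup() is what you will use in the questions at the end of the lab to turn a source or destination MAC into a machine and interface.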

Step 1 Run 'tcpdump' on the monitor virtual workstation to monitor network 1.

	tcpdump -i eth1 -s 0 -w /tmp/net1.pcap

What the options to the tcpdump command mean:
	-i eth1            -> specifies which interface to monitor, in this case eth1
	-s 0               -> capture all octets in the packet
	-w /tmp/net1.pcap  -> save the data to file /tmp/net1.pcap

Step 2 Ping from the Windows workstation to the Linux workstation.

These steps are taken on the cgs4285-lab2-lab4-windows workstation. First open a command shell. Next we will clear the ARP cache on the Windows station. (Don't worry if it says the entry was not found). Then use the ping command to generate and receive ICMP echo request and response packets. This will create network traffic between the Windows and the Linux virtual workstations.

	arp -d 10.100.1.254

	ping 10.100.2.5

This will send four ICMP echo request packets to 10.100.2.5, and each echo request will cause an ICMP echo reply from that host back to the Windows virtual workstation.

After the ping has completed abort 'tcpdump' on the monitor by hitting 'ctrl-c'.

Copy the .pcap file (using 'scp') to your account on ocelot.aul.fiu.edu

	scp /tmp/net1.pcap username@ocelot.aul.fiu.edu:
Obviously replace 'username' with your username.

(!! don't forget the colon at the end of the above line !!)

(Please note that you may have to confirm ocelot's identity by answering 'yes' to the unknown host question. You *will* have to enter your JCCL Unix password. If the system does not prompt you for a password then you probably forgot the colon at the end of the hostname)

You are now done collecting your data. Power off all virtual machines.

Now you will review the data with Wireshark on a Linux workstation in the JCCL. You will need to log in, start a shell, and if you are on a JCCL Linux station type...

	wireshark -n net1.pcap
If you are on a JCCL Windows workstation choose wireshark from the applications menu and File/Open menu within wireshark to load the file.

Questions to answer in the Lab report

Identify an Ethernet broadcast packet in the net1.pcap file. Save it to a separate file and include it with your report. Make a note of the source Ethernet address. Highlight it or in some way show me where you found it in the Wireshark output. Use your table of data collected above to identify the workstation and interface that transmitted the broadcast frame.

Identify a packet that came from the linux virtual workstation. Save an example to be included with your report. Highlight it or in some way show me how you identified it in the wireshark output. Make a note of the source Ethernet address. Use your table of data collected above to identify the workstation and interface that transmitted this frame. Do the same with the destination Ethernet address.
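The following script is an added example, not part of the lab handout. It writes a constructed stand-in for net1.pcap (an ARP request to the broadcast address followed by an ICMP echo request and its reply) and then reads it back the way Wireshark does: it checks the pcap magic number and snaplen in the global header, splits the file into frames, decodes the Ethernet, ARP, IPv4 and ICMP fields, flags broadcast frames, verifies the IPv4 header checksum, and maps each source MAC back to an address table, which is exactly the work the two questions above ask for. All MAC and IP addresses in it are made up; the assumption that the first frame on net1 after 'arp -d 10.100.1.254' is the Windows workstation's ARP request for its gateway is mine, not a statement from the handout. The snaplen parameter of build_sample_pcap also shows what '-s 0' in Step 1 avoids: with a small snaplen each frame is cut short, and the pcap record keeps both the captured and the original length, so the script reports such frames as truncated.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses for the example (not real lab values); substitute your own table.
WIN_MAC, WIN_IP = "00:0c:29:aa:bb:01", "10.100.1.5"
MON_MAC, GATEWAY_IP = "00:0c:29:aa:bb:f1", "10.100.1.254"  # monitor eth1 on net1 (assumed)
LINUX_IP = "10.100.2.5"
BROADCAST = "ff:ff:ff:ff:ff:ff"
ADDRESS_TABLE = {WIN_MAC: "Windows lab2/4 eth0", MON_MAC: "Monitor eth1"}


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)

def mac_to_bytes(text):
    return bytes(int(p, 16) for p in text.split(":"))

def inet_checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ethernet(dst, src, ethertype, payload):
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    """Who-has for the gateway, sent to the broadcast MAC (what 'arp -d' then 'ping' provokes)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)           # hw=Ethernet, proto=IPv4, opcode 1
    arp += mac_to_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + IPv4Address(target_ip).packed
    return ethernet(BROADCAST, sender_mac, 0x0806, arp)

def icmp_echo(dst_mac, src_mac, src_ip, dst_ip, icmp_type, seq):
    """IPv4/ICMP echo (type 8 request, type 0 reply) with a 32-byte body like Windows ping."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq) + bytes(range(0x61, 0x81))
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 128, 1, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ethernet(dst_mac, src_mac, 0x0800, ip + icmp)

def build_sample_pcap(snaplen=65535):
    """Stand-in for /tmp/net1.pcap: global header, then each frame cut to snaplen (tcpdump -s)."""
    frames = [arp_request(WIN_MAC, WIN_IP, GATEWAY_IP),
              icmp_echo(MON_MAC, WIN_MAC, WIN_IP, LINUX_IP, 8, 1),
              icmp_echo(WIN_MAC, MON_MAC, LINUX_IP, WIN_IP, 0, 1)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 1000 * i, len(kept), len(frame)) + kept
    return out

def parse_pcap(data):
    """Return (snaplen, [(frame_bytes, original_length), ...]); accepts either byte order."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a pcap file: magic %r" % data[:4])
    snaplen, linktype = struct.unpack(order + "II", data[16:24])
    if linktype != 1:
        raise ValueError("expected Ethernet (linktype 1), got %d" % linktype)
    frames, pos = [], 24
    while pos + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[pos:pos + 16])
        frames.append((data[pos + 16:pos + 16 + incl_len], orig_len))
        pos += 16 + incl_len
    return snaplen, frames

def decode_frame(frame):
    """Layer 2/3 summary of one frame, like Wireshark's middle pane but as a dict."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_to_str(frame[:6]), "src": mac_to_str(frame[6:12]), "ethertype": ethertype}
    info["broadcast"] = info["dst"] == BROADCAST
    body = frame[14:]
    if ethertype == 0x0806:                                   # ARP: opcode at 6, spa at 14, tpa at 24
        info.update(proto="ARP", op="request" if body[6:8] == b"\x00\x01" else "reply",
                    sender_ip=str(IPv4Address(body[14:18])), target_ip=str(IPv4Address(body[24:28])))
    elif ethertype == 0x0800:                                 # IPv4
        ihl = (body[0] & 0x0F) * 4
        info.update(proto="IPv4", src_ip=str(IPv4Address(body[12:16])),
                    dst_ip=str(IPv4Address(body[16:20])), ip_checksum_ok=inet_checksum(body[:ihl]) == 0)
        if body[9] == 1:                                      # protocol 1 = ICMP; type is its first byte
            info["icmp"] = {8: "echo request", 0: "echo reply"}.get(body[ihl], "type %d" % body[ihl])
    return info

def report(data):
    """Number frames as Wireshark would and map each source MAC back to the address table."""
    snaplen, frames = parse_pcap(data)
    rows = []
    for no, (frame, orig_len) in enumerate(frames, 1):
        info = decode_frame(frame)
        info.update(no=no, truncated=len(frame) < orig_len, sender=ADDRESS_TABLE.get(info["src"], "unknown"))
        rows.append(info)
    return snaplen, rows
```

To try it on the constructed file, call report(build_sample_pcap()) and print each row: frame 1 is the broadcast (dst ff:ff:ff:ff:ff:ff, ARP who-has 10.100.1.254) and its sender resolves through ADDRESS_TABLE to the Windows workstation, while frame 3's source resolves to the monitor's eth1. To try it on your real capture, read /tmp/net1.pcap into bytes, replace ADDRESS_TABLE with the addresses you recorded, and pass the bytes to report().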

Grading

Format of report will be the same as for Lab1.

20 possible points. 5 points for the collection of the Ethernet and IP addresses of each interface on each virtual machine. 5 points each for the two questions. 5 points for correct lab format and presentation.