
Wednesday, February 20, 2019

Transmission Control Protocol and Cisco Public Information

Learning Objectives

Be able to explain the purpose of a protocol analyzer (Wireshark).
Be able to perform basic PDU capture using Wireshark.
Be able to perform basic PDU analysis on straightforward network data traffic.
Experiment with Wireshark features and options such as PDU capture and display filtering.

Background

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. Before June 2006, Wireshark was known as Ethereal.

A packet sniffer (also known as a network analyzer or protocol analyzer) is computer software that can intercept and log data traffic passing over a data network. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specification. Wireshark is programmed to recognize the structure of different network protocols. This enables it to display the encapsulation and individual fields of a PDU and interpret their meaning.

It is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. For information and to download the program go to http://www.Wireshark.org

Scenario

To capture PDUs, the computer on which Wireshark is installed must have a working connection to the network, and Wireshark must be running before any data can be captured. When Wireshark is launched, the screen below is displayed. To start data capture it is first necessary to go to the Capture menu and select the Options choice. The Options dialog provides a range of settings and filters which determine which and how much data traffic is captured.

All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

First, it is necessary to ensure that Wireshark is set to monitor the correct interface. From the Interface drop-down list, select the network adapter in use. Typically, for a computer this will be the connected Ethernet adapter. Then other Options can be set. Among those available in Capture Options, the two highlighted below are worth examination.

Setting Wireshark to capture packets in promiscuous mode

If this feature is NOT checked, only PDUs destined for this computer will be captured. If this feature is checked, all PDUs destined for this computer AND all those detected by the computer's NIC on the same network segment (i.e., those that "pass by" the NIC but are not destined for the computer) are captured.

Note: The capturing of these other PDUs depends on the intermediary device connecting the end device computers on this network. A hub repeats every frame out of every port, so a promiscuous NIC sees all traffic on the segment; a switch forwards unicast frames only to the port that owns the destination MAC address, so the NIC sees only its own traffic plus broadcast, multicast and flooded frames unless the switch port has been configured as a mirror (SPAN) port. As you use different intermediary devices (hubs, switches, routers) throughout these courses, you will experience the different Wireshark results.

Setting Wireshark for network name resolution

This option allows you to control whether or not Wireshark translates network addresses found in PDUs into names. Although this is a useful feature, the name resolution process (reverse DNS lookups issued by Wireshark itself) may add extra PDUs to your captured data, perhaps distorting the analysis.

There are also a number of other capture filtering and process settings available. Clicking on the Start button starts the data capture process and a message box displays the progress of this process. As data PDUs are captured, the types and number are indicated in the message box. The examples above show the capture of a ping process and then accessing a web page.
When the Stop button is clicked, the capture process is terminated and the main screen is displayed. This main display window of Wireshark has three panes.

The PDU (or Packet) List pane at the top of the diagram displays a summary of each packet captured. By clicking on packets in this pane, you control what is displayed in the other two panes.

The PDU (or Packet) Details pane in the middle of the diagram displays the packet selected in the Packet List pane in more detail.

The PDU (or Packet) Bytes pane at the bottom of the diagram displays the actual data (in hexadecimal form representing the actual binary) from the packet selected in the Packet List pane, and highlights the field selected in the Packet Details pane.

Each line in the Packet List corresponds to one PDU or packet of the captured data. If you select a line in this pane, more detail will be displayed in the Packet Details and Packet Bytes panes. The example above shows the PDUs captured when the ping utility was used and http://www.Wireshark.org was accessed. Packet number 1 is selected in this pane.

The Packet Details pane shows the current packet (selected in the Packet List pane) in a more detailed form. This pane shows the protocols and protocol fields of the selected packet. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.

The Packet Bytes pane shows the data of the current packet (selected in the Packet List pane) in what is known as "hexdump" style. In this lab, this pane will not be examined in detail. However, when a more in-depth analysis is required, this displayed information is useful for examining the binary values and content of PDUs.
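The three panes show the same frame at three depths: the List pane summarises it, the Details pane walks the encapsulation (Ethernet II, then Internet Protocol, then ICMP), and the Bytes pane shows the raw octets each field came from. The script below is an added example, not part of the Cisco lab; it builds the ping exchange Task 1 captures (four echo requests and four replies between a host and the Eagle Server), decodes each frame the way the Details pane does, verifying the IPv4 and ICMP checksums on the way, and writes the frames to a classic libpcap file that can be opened in Wireshark to see all three panes. The MAC addresses, the host address 192.168.254.10 and the ICMP identifier are constructed values, not taken from a real capture.

```python
"""Build an ICMP echo exchange, decode it the way Wireshark's Packet Details
pane does (eth:ip:icmp:data), and save it as a .pcap file for Wireshark."""
import socket
import struct

# Constructed sample addresses (assumed; not taken from a real capture).
HOST_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("66778899aabb")
HOST_IP = "192.168.254.10"
SERVER_IP = "192.168.254.254"      # the lab's Eagle Server address
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 header and ICMP.
    Run over a buffer that already contains a correct checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq, payload):
    """Return one Ethernet II frame: 14-byte Ethernet header + 20-byte IPv4 header + ICMP."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + icmp


def decode(frame: bytes) -> dict:
    """Walk the encapsulation: Ethernet II (MAC addresses) -> IPv4 (IP addresses) -> ICMP.
    Each layer carries its own source/destination, which is why the Details pane shows two."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != 1:
        raise ValueError("not ICMP")
    icmp = ip[ihl:total_len]
    if checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    info = {ICMP_ECHO_REQUEST: "Echo (ping) request", ICMP_ECHO_REPLY: "Echo (ping) reply"}
    return {
        "protocols": "eth:ip:icmp:data",
        "eth.src": src_mac.hex(":"), "eth.dst": dst_mac.hex(":"),
        "ip.src": socket.inet_ntoa(ip[12:16]), "ip.dst": socket.inet_ntoa(ip[16:20]),
        "icmp.type": itype, "icmp.ident": ident, "icmp.seq": seq,
        "info": info.get(itype, "ICMP type %d" % itype), "data": icmp[8:],
    }


def ping_exchange(count=4):
    """Four requests and four replies, like a default Windows ping to the Eagle Server."""
    payload = b"abcdefghijklmnopqrstuvwabcdefghi"     # 32-byte pattern as sent by Windows ping
    frames = []
    for seq in range(1, count + 1):
        frames.append(build_echo(HOST_MAC, SERVER_MAC, HOST_IP, SERVER_IP,
                                 ICMP_ECHO_REQUEST, 0x0200, seq, payload))
        frames.append(build_echo(SERVER_MAC, HOST_MAC, SERVER_IP, HOST_IP,
                                 ICMP_ECHO_REPLY, 0x0200, seq, payload))
    return frames


def write_pcap(path, frames):
    """Write frames in classic libpcap format (link type 1 = Ethernet); open the file in Wireshark."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame)


if __name__ == "__main__":
    frames = ping_exchange()
    write_pcap("ping.pcap", frames)
    for number, frame in enumerate(frames, 1):
        d = decode(frame)
        print(number, d["ip.src"], "->", d["ip.dst"], d["info"], "seq=%d" % d["icmp.seq"])
```

Opening ping.pcap in Wireshark shows eight lines in the List pane alternating "Echo (ping) request" and "Echo (ping) reply"; selecting one and clicking Ethernet II in the Details pane highlights the first 14 bytes in the Bytes pane, and clicking Internet Protocol highlights the next 20. The checksum checks matter beyond the lab: a frame whose ICMP checksum fails to verify is either corrupted or hand-crafted, and Wireshark flags both cases in the Details pane.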
The information captured for the data PDUs can be saved in a file. This file can then be opened in Wireshark for analysis some time in the future without the need to re-capture the same data traffic again. The information displayed when a capture file is opened is the same as the original capture.

When closing a data capture screen or exiting Wireshark you are prompted to save the captured PDUs. Clicking on Continue without Saving closes the file or exits Wireshark without saving the displayed captured data.

Task 1: Ping PDU Capture

Step 1: After ensuring that the standard lab topology and configuration is correct, launch Wireshark on a computer in a lab pod. Set the Capture Options as described above in the overview and start the capture process.

From the command line of the computer, ping the IP address of another network-connected and powered-on end device in the lab topology. In this case, ping the Eagle Server using the command ping 192.168.254.254. After receiving the successful replies to the ping in the command line window, stop the packet capture.

Step 2: Examine the Packet List pane. The Packet List pane in Wireshark should now look something like this:

Look at the packets listed above; we are interested in packet numbers 6, 7, 8, 9, 11, 12, 14 and 15. Locate the equivalent packets in the packet list on your computer.

If you performed Step 1 above, match the messages displayed in the command line window when the ping was issued with the echo request and echo reply packets captured by Wireshark. From the Wireshark Packet List answer the following:

What protocol is used by ping? ICMP

What is the full protocol name? Internet Control Message Protocol

What are the names of the two ping messages?
Echo Request and Echo Reply (shown in the Info column as "Echo (ping) request" and "Echo (ping) reply").

Are the listed source and destination IP addresses what you expected? Yes / No. Why? Answers may vary. Yes: the source address is my computer and the destination is the Eagle Server; in the reply packets the two addresses are swapped.

Step 3: Select (highlight) the first echo request packet on the list with the mouse. The Packet Details pane will now display something similar to:

Click on each of the four + signs to expand the information. The Packet Details pane will now be similar to:

As you can see, the details for each section and protocol can be expanded further. Spend some time scrolling through this information. At this stage of the course, you may not fully understand the information displayed, but make a note of the information you do recognize.

Locate the two different types of Source and Destination. Why are there two types? The Ethernet II header shows the MAC addresses (Layer 2) and the Internet Protocol header shows the IP addresses (Layer 3).

What protocols are in the Ethernet frame? eth:ip:icmp:data

As you select a line in the Packet Details pane, all or part of the information in the Packet Bytes pane also becomes highlighted. For example, if the second line (+ Ethernet II) is highlighted in the Details pane, the Bytes pane now highlights the corresponding values. This shows the particular binary values that represent that information in the PDU. At this stage of the course, it is not necessary to understand this information in detail.

Step 4: Go to the File menu and select Close. Click on Continue without Saving when this message box appears.

Task 2: FTP PDU Capture

Step 1: Start packet capture. Assuming Wireshark is still running from the previous steps, start packet capture by clicking on the Start option on the Capture menu of Wireshark.
At the command line on your computer running Wireshark, enter ftp 192.168.254.254

When the connection is established, enter anonymous as the user, with no password:

User: anonymous
Password: <ENTER>

You may alternatively log in with user ID cisco and password cisco.

When successfully logged in, enter get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe and press the Enter key. This will start downloading the file from the FTP server. The output will look similar to:

C:\Documents and Settings\ccna1>ftp eagle-server.example.com
Connected to eagle-server.example.com.
220 Welcome to the eagle-server FTP service.
User (eagle-server.example.com:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> get /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe (6967072 bytes).
226 File send OK.
ftp: 6967072 bytes received in 0.59Seconds 11729.08Kbytes/sec.

When the file download is complete, enter quit:

ftp> quit
221 Goodbye.
C:\Documents and Settings\ccna1>

When the file has successfully downloaded, stop the PDU capture in Wireshark.

Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed. Locate and note those PDUs associated with the file download. These will be the PDUs from the Layer 4 protocol TCP and the Layer 7 protocol FTP. Identify the three groups of PDUs associated with the file transfer. If you performed the step above, match the packets with the messages and prompts in the FTP command line window.

The first group is associated with the connection phase and logging into the server. List examples of messages exchanged in this phase.
Answers will vary: 1292 > ftp [SYN], ftp > 1292 [SYN, ACK], 1292 > ftp [ACK], Response: 220 Welcome to the eagle-server FTP service, Request: USER anonymous, Response: 331 Please specify the password, Request: PASS. (1292 is the client's ephemeral source port; ftp is the server's port 21.)

Locate and list examples of messages exchanged in the second phase, that is, the actual download request and the data transfer.

Answers will vary: Request: PORT, Request: RETR /pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe (the client's get command is sent on the wire as RETR), Response: 150 Opening BINARY mode data connection, FTP Data: 1448 bytes, 1294 > ftp-data [ACK]

The third group of PDUs relates to logging out and "breaking" the connection. List examples of messages exchanged during this process.

Answers will vary: Request: QUIT, Response: 221 Goodbye, 1292 > ftp [FIN, ACK], ftp > 1292 [FIN, ACK]

Locate recurring TCP exchanges throughout the FTP process. What feature of TCP does this indicate? Reliable delivery: every segment of data sent is acknowledged (ACK) by the receiver, and the sequence and acknowledgement numbers track how much of the stream has arrived.

Step 3: Examine Packet Details. Select (highlight) a packet on the list associated with the first phase of the FTP process. View the packet details in the Details pane.

What are the protocols encapsulated in the frame? eth:ip:tcp:ftp (the login commands travel on the control connection, which Wireshark labels ftp; the file contents in the second phase travel on a separate data connection, labelled ftp-data)

Highlight the packets containing the user name and password. Examine the highlighted portion in the Packet Bytes pane. What does this say about the security of this FTP login process? The login is not secure: the user name and password are sent in clear text and can be read straight out of the bytes by anyone capturing on the path. FTP has no encryption of its own; protecting the credentials requires FTP over TLS (FTPS) or SFTP over SSH.

Highlight a packet associated with the second phase. From any pane, locate the packet containing the file name. The filename is gaim-1.5.0.exe

Highlight a packet containing the actual file content; note the plain text visible in the Bytes pane.

Highlight and examine, in the Details and Bytes panes, some packets exchanged in the third phase of the file download. What features distinguish the content of these packets? The closing packets carry no payload; each side sends a FIN, ACK to close the connection.
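The three groups of PDUs in Task 2 Step 2 and the clear-text login in Step 3 can both be checked programmatically. The script below is an added example, not part of the Cisco lab: it takes the control-channel segments of an FTP session, modelled on the transcript above, splits them into the login, transfer and teardown phases by watching for the 230 reply and the QUIT command, extracts the USER and PASS arguments exactly as a sniffer on the path would, and reports whether the login was in clear text (that is, whether an AUTH command from RFC 4217 preceded USER). The session itself, including the client port 1292, the PORT argument and the reply wording, is constructed to match the lab's transcript and is not a real capture.

```python
"""Sort the segments of an FTP control-channel session into the three phases
the lab asks for, and show why the login is insecure: USER and PASS go in clear."""
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment as the Packet List shows it: sender, TCP flags, payload."""
    src: str            # "client" or "server"
    flags: str          # "SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK"
    payload: bytes = b""

    def command(self) -> str:
        """FTP command word of a client segment (USER, PASS, RETR, QUIT ...), or ""."""
        if self.src != "client":
            return ""
        words = self.payload.decode("ascii", "replace").split()
        return words[0].upper() if words else ""

    def code(self) -> int:
        """Three-digit reply code of a server segment (220, 331, 230 ...), or 0."""
        if self.src != "server" or not self.payload[:3].isdigit():
            return 0
        return int(self.payload[:3])


# Constructed session (assumed client port 1292 to server port 21), following the lab transcript.
# The client's "get" command appears on the wire as RETR.
FILE = b"/pub/eagle_labs/eagle1/chapter1/gaim-1.5.0.exe"
SESSION = [
    Segment("client", "SYN"),
    Segment("server", "SYN,ACK"),
    Segment("client", "ACK"),
    Segment("server", "PSH,ACK", b"220 Welcome to the eagle-server FTP service.\r\n"),
    Segment("client", "PSH,ACK", b"USER anonymous\r\n"),
    Segment("server", "PSH,ACK", b"331 Please specify the password.\r\n"),
    Segment("client", "PSH,ACK", b"PASS \r\n"),          # empty password for anonymous
    Segment("server", "PSH,ACK", b"230 Login successful.\r\n"),
    Segment("client", "PSH,ACK", b"PORT 192,168,254,10,5,14\r\n"),
    Segment("server", "PSH,ACK", b"200 PORT command successful. Consider using PASV.\r\n"),
    Segment("client", "PSH,ACK", b"RETR " + FILE + b"\r\n"),
    Segment("server", "PSH,ACK", b"150 Opening BINARY mode data connection for " + FILE
            + b" (6967072 bytes).\r\n"),
    Segment("server", "PSH,ACK", b"226 File send OK.\r\n"),
    Segment("client", "PSH,ACK", b"QUIT\r\n"),
    Segment("server", "PSH,ACK", b"221 Goodbye.\r\n"),
    Segment("client", "FIN,ACK"),
    Segment("server", "FIN,ACK"),
    Segment("client", "ACK"),
]


def split_phases(session):
    """Phase 1: handshake and login, up to the 230 reply. Phase 2: the transfer,
    up to the 226 reply. Phase 3: QUIT, 221 and the FIN/ACK teardown."""
    phases = {"login": [], "transfer": [], "teardown": []}
    phase = "login"
    for seg in session:
        if seg.command() == "QUIT":
            phase = "teardown"
        phases[phase].append(seg)
        if phase == "login" and seg.code() == 230:
            phase = "transfer"
    return phases


def find_credentials(session):
    """What anyone sniffing the path reads straight out of the Bytes pane."""
    creds = {}
    for seg in session:
        if seg.command() in ("USER", "PASS"):
            line = seg.payload.decode("ascii", "replace").rstrip("\r\n")
            creds[seg.command()] = line.partition(" ")[2].strip()
    return creds


def login_is_cleartext(session):
    """True when USER is sent without a preceding AUTH (TLS) negotiation (RFC 4217);
    after AUTH TLS the USER/PASS exchange is inside the encrypted channel."""
    for seg in session:
        if seg.command() == "AUTH":
            return False
        if seg.command() == "USER":
            return True
    return False


def flag_sequence(segments):
    """TCP flags of a phase, e.g. the teardown ends with FIN,ACK from each side."""
    return [seg.flags for seg in segments]


if __name__ == "__main__":
    for name, segs in split_phases(SESSION).items():
        print(name, len(segs), "segments:", flag_sequence(segs))
    print("credentials seen:", find_credentials(SESSION))
    print("cleartext login:", login_is_cleartext(SESSION))
```

In Wireshark the same three phases can be isolated with display filters: tcp.flags.syn == 1 for the handshake, ftp.request.command == "USER" || ftp.request.command == "PASS" for the login, ftp-data for the transfer, and tcp.flags.fin == 1 for the teardown. The credential check is the one a defender runs over a capture of their own network: any hit on PASS without a preceding AUTH means a password has crossed the wire readable.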
When finished, close the Wireshark file and continue without saving.

Task 3: HTTP PDU Capture

Step 1: Start packet capture. Assuming Wireshark is still running from the previous steps, start packet capture by clicking on the Start option on the Capture menu of Wireshark. Note: Capture Options do not have to be set if continuing from previous steps of this lab.

Launch a web browser on the computer that is running Wireshark. Enter the URL of the Eagle Server, example.com, or enter the IP address 192.168.254.254. When the webpage has fully downloaded, stop the Wireshark packet capture.

Step 2: Increase the size of the Wireshark Packet List pane and scroll through the PDUs listed. Locate and identify the TCP and HTTP packets associated with the webpage download. Note the similarity between this message exchange and the FTP exchange.

Step 3: In the Packet List pane, highlight an HTTP packet that has the notation (text/html) in the Info column. In the Packet Details pane click on the + next to Line-based text data: text/html. When this information expands, what is displayed? The HTML code for the web page.

Examine the highlighted portion of the Bytes pane. This shows the HTML data carried by the packet. When finished, close the Wireshark file and continue without saving.

Task 4: Reflection

Consider the encapsulation information pertaining to captured network data that Wireshark can provide. Relate this to the OSI and TCP/IP layer models. It is important that you can recognize and link both the protocols represented and the protocol layer and encapsulation types of the models with the information provided by Wireshark.

Task 5: Challenge

Discuss how you could use a protocol analyzer such as Wireshark to (1) troubleshoot the failure of a webpage to download successfully to a browser on a computer, and (2) identify data traffic on a network that is requested by users.

Answers could vary: Wireshark could show whether the request for a web page failed because no TCP connection was established, because segments of the response never arrived, or because the server returned an error status for an incorrect URL. User traffic could be monitored to identify errors in source or destination.
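Before Wireshark can show "Line-based text data: text/html" in Task 3 it has to reassemble the HTTP response from TCP segments that may arrive out of order or be retransmitted, and the Task 5 troubleshooting question comes down to inspecting that reassembled response. The script below is an added example, not part of the Cisco lab: it cuts a constructed Eagle Server response into TCP segments, rebuilds the byte stream from sequence numbers rather than arrival order (dropping a retransmitted duplicate and failing on a hole), parses the status line and headers the way the HTTP dissector does, and reports why a page did not load. The HTML, the server's initial sequence number and the 40-byte segment size are assumptions chosen to keep the example small.

```python
"""Reassemble an HTTP response from its TCP segments the way Wireshark does before
it can show "Line-based text data: text/html", then triage the result (Task 5)."""

# Constructed sample response from the Eagle Server (assumed content).
HTML = (b"<html><head><title>Eagle Server</title></head>"
        b"<body><h1>Welcome to example.com</h1></body></html>")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(HTML)) + HTML
SERVER_ISN = 1_000_000          # server's initial sequence number; data starts at ISN + 1


def segment(data, isn, mss):
    """Cut a byte stream into (seq, chunk) TCP segments of at most mss bytes."""
    segs, seq = [], isn + 1
    for i in range(0, len(data), mss):
        chunk = data[i:i + mss]
        segs.append((seq, chunk))
        seq += len(chunk)
    return segs


def reassemble(segs, isn):
    """Rebuild the stream from sequence numbers, not arrival order: drop retransmitted
    duplicates, trim overlaps, and fail loudly on a hole (a lost segment)."""
    stream, expected = b"", isn + 1
    for seq, chunk in sorted(segs, key=lambda s: s[0]):
        if seq + len(chunk) <= expected:
            continue                               # retransmission of data already seen
        if seq > expected:
            raise ValueError("gap of %d bytes before seq %d" % (seq - expected, seq))
        chunk = chunk[expected - seq:]             # partial overlap with data already seen
        stream += chunk
        expected += len(chunk)
    return stream


def parse_response(stream):
    """Split status line, headers and body as the HTTP dissector does."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("headers incomplete")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"status": int(status), "reason": reason,
            "content_type": headers.get("content-type", ""),
            "body": body[:length], "complete": len(body) >= length}


def diagnose(segs, isn):
    """Task 5 style triage of a page that did not load."""
    try:
        resp = parse_response(reassemble(segs, isn))
    except ValueError as err:
        return "transport problem: %s" % err
    if not resp["complete"]:
        return "truncated body: connection closed early or trailing segments lost"
    if resp["status"] >= 400:
        return "server answered %d %s (check the URL or the server)" % (resp["status"], resp["reason"])
    if not resp["content_type"].startswith("text/html"):
        return "page is not HTML but %s" % resp["content_type"]
    return "page downloaded: %d bytes of HTML" % len(resp["body"])


if __name__ == "__main__":
    segs = segment(RESPONSE, SERVER_ISN, 40)
    arrived = list(reversed(segs)) + [segs[0]]      # out of order plus a retransmission
    print(diagnose(arrived, SERVER_ISN))
    print(diagnose(segs[:-1], SERVER_ISN))          # last segment lost
    not_found = segment(b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
                        b"Content-Length: 0\r\n\r\n", SERVER_ISN, 40)
    print(diagnose(not_found, SERVER_ISN))
```

Each branch of diagnose corresponds to something visible in a capture: a gap shows up in Wireshark as "TCP Previous segment not captured", a truncated body as a FIN arriving before Content-Length bytes, and a 404 as an HTTP response line in the Info column; the filter http.content_type contains "text/html" lists the packets Task 3 Step 3 asks for, and Follow TCP Stream shows the reassembled text this script rebuilds.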
