TCP/IP in action: sniffing lab

Al-Quds University - first semester 2002/2003

Thierry Coulbois




The goal of these lab sessions (oops! Sorry, I forgot for a second to speak English), the goal of this lab practice is to observe Ethernet and TCP/IP in action as they exist here in the university. You can also do most of this at home on your PC, changing some commands.

It would be good if you had a correct configuration of Unix (namely of your shell), to be able to edit commands easily and to access the network commands. We will use commands which are in /usr/sbin/ and tcpdump, which up to now is in /export/home/f9999/tcpdump/sbin/. You can get a full description of these commands using man. There is a small glossary at the end of this document.



Ethernet

  1. Discover the ether addresses and the IP addresses of the SunLab. You can use netstat -pn to get the correspondence between the IP addresses and the ether addresses (ARP cache), or arp -a and netstat -p to have the correspondence between symbolic names and ether addresses. Use also ifconfig -a, which gives you the configuration of your interfaces.
  2. What is the MTU of each interface?
  3. Discover the ether address and the IP address of your X-terminal (if you are using an X-terminal in the Sun Lab). For that you have to find what your display (your X server) is. It should be stored in your DISPLAY environment variable: echo $DISPLAY. If it is not, look in the other variables for the location of your display: setenv (with no argument it lists all your environment variables).
  4. Look at the connection between your X-terminal and the Sun. On which ether card is your X-terminal connected? Try to get some ether packets using: tcpdump -i qfe0 -x -X -e host 192.168.128.18 if your X-terminal is connected on qfe0 and has IP address 192.168.128.18.


ARP

  1. Try to generate an ARP request, for example by connecting to a non-existing host. In an xterm run: tcpdump -i qfe0 -e -x -X arp and in another one run: telnet 192.168.128.5 (there is no such host as 192.168.128.5, but the routing table says that this is a local host on network 192.168.128, connected on qfe0). How many ARP requests are sent, and at what interval?
  2. If you have root privileges you can also delete an entry of the ARP cache with: arp -d hostname; then, sniffing from another xterm, you will see both the ARP request and the response.
  3. To generate a RARP packet you need to reboot one of the X-terminals (cutting the power or using reboot somewhere in the menus). Does this RARP request receive a response?
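To turn the sniffer output of question 1 into the two numbers asked for (how many requests, at what interval) and, on the way, rebuild the IP-to-ether mapping of the Ethernet section, here is an added Python example that is not part of the original handout. It parses a constructed sample of tcpdump -e output written in the line format of the tcpdump 3.x the lab uses; the MAC addresses, the 192.168.128.1 requester and the one-second timings are invented, so the real count and interval on the Sun have to be measured, not read from this code.

```python
import re
from datetime import datetime

# Constructed sample of "tcpdump -i qfe0 -e arp" output (old tcpdump 3.x line
# format: timestamp, source MAC, destination MAC, ethertype, frame length, then
# the decoded ARP message). MACs, addresses and timings are made up for this
# example. The five requests for 192.168.128.5 model a telnet to a host that
# does not exist: nobody ever answers them.
SAMPLE_ARP_CAPTURE = """\
14:02:10.000000 0:3:ba:1a:2b:3c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.128.5 tell 192.168.128.1
14:02:11.000000 0:3:ba:1a:2b:3c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.128.5 tell 192.168.128.1
14:02:12.000000 0:3:ba:1a:2b:3c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.128.5 tell 192.168.128.1
14:02:13.000000 0:3:ba:1a:2b:3c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.128.5 tell 192.168.128.1
14:02:14.000000 0:3:ba:1a:2b:3c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.128.5 tell 192.168.128.1
14:02:20.500000 0:3:ba:1a:2b:3c ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.128.18 tell 192.168.128.1
14:02:20.500800 0:80:c7:aa:bb:cc 0:3:ba:1a:2b:3c 0806 60: arp reply 192.168.128.18 is-at 0:80:c7:aa:bb:cc
"""

# "who-has <ip> tell <sender ip>"  or  "reply <ip> is-at <mac>"
ARP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src_mac>\S+) (?P<dst_mac>\S+) \S+ \d+: "
    r"arp (?P<kind>who-has|reply) (?P<ip>\S+) (?:tell|is-at) (?P<arg>\S+)$"
)


def parse_arp(capture):
    """Turn tcpdump ARP lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in capture.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
        packets.append(d)
    return packets


def request_count(packets, target_ip):
    return sum(p["kind"] == "who-has" and p["ip"] == target_ip for p in packets)


def request_intervals(packets, target_ip):
    """Seconds between successive who-has for target_ip: the retransmission timing."""
    times = [p["ts"] for p in packets if p["kind"] == "who-has" and p["ip"] == target_ip]
    return [round((b - a).total_seconds(), 6) for a, b in zip(times, times[1:])]


def was_answered(packets, target_ip):
    return any(p["kind"] == "reply" and p["ip"] == target_ip for p in packets)


def arp_table(packets):
    """IP -> MAC mapping learned from the traffic, i.e. what an ARP cache holds.
    A request gives away its sender's IP and MAC; a reply gives the target's."""
    table = {}
    for p in packets:
        if p["kind"] == "who-has":
            table[p["arg"]] = p["src_mac"]
        else:
            table[p["ip"]] = p["arg"]
    return table


if __name__ == "__main__":
    pk = parse_arp(SAMPLE_ARP_CAPTURE)
    print("requests for 192.168.128.5:", request_count(pk, "192.168.128.5"),
          "intervals:", request_intervals(pk, "192.168.128.5"),
          "answered:", was_answered(pk, "192.168.128.5"))
    print("learned table:", arp_table(pk))
```

Run it on a real capture by replacing SAMPLE_ARP_CAPTURE with the text saved from tcpdump; a host that keeps asking for the same address without ever getting a reply is exactly what the telnet to 192.168.128.5 looks like on the wire.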


Other Datalink

  1. What are the other datalink protocols that you can see on hme0: tcpdump -i hme0 -x -X -e not ip? Well, okay, the Sun is only connected to Ethernet networks, so the only data-link protocol is Ethernet, but inside the Ethernet frames you will find packets which are used by the data-link layer.

IP

  1. What is the default TTL for packets going out of the Sun? tcpdump -i hme0 -v -e -c 5
  2. Are there any packets going through the Sun which are neither addressed to it nor sent by it (is the Sun acting as a router)? tcpdump -i hme0 -v -e -c 5 not host 62.90.24.132 and ip
  3. Is the DF flag on or off?
  4. What is the default router of the Sun?
  5. Using netstat -rnv: what are the network masks used by the Sun? Do they match the regular address classes? What are the MTUs known by the Sun?
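The routing-table questions above (default router, masks against the address classes) and the remark in the ARP section that 192.168.128.5 is "local on qfe0" are two views of the same lookup, so here is an added Python example that is not part of the original handout. The routing table is constructed to resemble what netstat -rnv shows on the Sun; the 62.90.24.128/27 network and the 62.90.24.129 gateway are assumptions for the example, not values read from the machine.

```python
import ipaddress

# Constructed routing table in the spirit of "netstat -rnv" on the lab Sun:
# (destination, netmask, gateway, interface). gateway None means the network is
# directly connected. The 62.90.24.128/27 network and the 62.90.24.129 router
# are assumed for this example.
ROUTES = [
    ("192.168.128.0", "255.255.255.0",   None,           "qfe0"),
    ("62.90.24.128",  "255.255.255.224", None,           "hme0"),
    ("default",       "0.0.0.0",         "62.90.24.129", "hme0"),
]


def classful_mask(ip):
    """Mask the address would get under the old class A/B/C rules (None for D/E)."""
    first_octet = int(ipaddress.ip_address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    return None


def is_classful(network, mask):
    """True when the configured mask is the one the address class implies."""
    return classful_mask(network) == mask


def _as_network(dest, mask):
    return ipaddress.ip_network(("0.0.0.0" if dest == "default" else dest, mask), strict=False)


def lookup(dst, routes=ROUTES):
    """Longest-prefix match. Returns (interface, next hop), or None without a route.
    On a directly connected network the next hop is dst itself, so the host is
    ARPed for directly (the unanswered ARP of the telnet to 192.168.128.5);
    otherwise it is the gateway, and only the gateway's MAC is ever needed."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in routes:
        net = _as_network(dest, mask)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    return (iface, gw or dst)


def default_router(routes=ROUTES):
    for dest, _, gw, _ in routes:
        if dest == "default":
            return gw
    return None


if __name__ == "__main__":
    for dest, mask, _, _ in ROUTES:
        if dest != "default":
            print(dest, mask, "classful" if is_classful(dest, mask) else "NOT classful")
    print("192.168.128.5  ->", lookup("192.168.128.5"))
    print("212.150.38.101 ->", lookup("212.150.38.101"))
    print("default router:", default_router())
```

The point of is_classful is question 5: the /24 on 192.168.128.0 is the class C mask, while a 255.255.255.224 mask on a 62.x.x.x address is a subnet of a class A block, so the masks the Sun uses do not follow from the address alone.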

ICMP

  1. Use ping host to generate ICMP echo requests.
  2. Send a packet to unknown hosts: do you always get ICMP errors?
  3. Same question with unknown ports?
  4. traceroute is a program to explore the path between two computers which relies on ICMP. Launch traceroute godel.logique.jussieu.fr and sniff all packets going to this computer. What are the TTLs? Now try to also catch all the ICMP messages coming back. Are they always generated?

TCP

  1. Open a TCP connection and draw the time diagram for the connection.
  2. Using your browser with the address http://www.yahoo.com/oups and tcpdump, answer the following questions:
    1. how many packets are exchanged by HTTP?
    2. who is doing the active closing?
    3. is the scenario always the same?
  3. While sniffing, try telnet 134.157.19.17. How often and how many times does TCP send a SYN packet before reporting an error to the user? (Did you get any ICMP error?)
  4. What happens if you get an ICMP error (host unreachable) while opening a TCP connection? Try a non-existent host: telnet 212.150.38.101
  5. Use netstat to see the state of all the current TCP connections.
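Questions 1 to 3 (time diagram, who closes, SYN retransmissions) can all be answered from the tcpdump lines once they are parsed, so here is an added Python example that is not part of the original handout. Both captures are constructed in the old tcpdump 3.x line format: one HTTP connection where the server closes first, and one connection attempt to 134.157.19.17 that nobody answers. The ports, sequence numbers and the 3/6/12/24-second retransmission delays are invented; the real delays on the Sun are what question 3 asks you to measure.

```python
import re
from datetime import datetime

# Constructed "tcpdump -i hme0 tcp" output (old tcpdump 3.x format) for one
# HTTP request: three-way handshake, request, answer, then the server closes
# first. Addresses, ports, sequence numbers and timings are made up.
HTTP_CAPTURE = """\
10:00:00.000000 192.168.128.18.1025 > 62.90.24.132.80: S 1000:1000(0) win 8760 <mss 1460>
10:00:00.050000 62.90.24.132.80 > 192.168.128.18.1025: S 5000:5000(0) ack 1001 win 8760 <mss 1460>
10:00:00.050500 192.168.128.18.1025 > 62.90.24.132.80: . ack 1 win 8760
10:00:00.051000 192.168.128.18.1025 > 62.90.24.132.80: P 1:101(100) ack 1 win 8760
10:00:00.100000 62.90.24.132.80 > 192.168.128.18.1025: P 1:501(500) ack 101 win 8760
10:00:00.100500 62.90.24.132.80 > 192.168.128.18.1025: F 501:501(0) ack 101 win 8760
10:00:00.101000 192.168.128.18.1025 > 62.90.24.132.80: . ack 502 win 8760
10:00:00.102000 192.168.128.18.1025 > 62.90.24.132.80: F 101:101(0) ack 502 win 8760
10:00:00.150000 62.90.24.132.80 > 192.168.128.18.1025: . ack 102 win 8760
"""

# Constructed capture of a connection attempt that nobody answers: only the
# client's SYN is seen, retransmitted with a growing delay (delays invented).
UNANSWERED_CAPTURE = """\
10:05:00.000000 192.168.128.18.1026 > 134.157.19.17.23: S 2000:2000(0) win 8760 <mss 1460>
10:05:03.000000 192.168.128.18.1026 > 134.157.19.17.23: S 2000:2000(0) win 8760 <mss 1460>
10:05:09.000000 192.168.128.18.1026 > 134.157.19.17.23: S 2000:2000(0) win 8760 <mss 1460>
10:05:21.000000 192.168.128.18.1026 > 134.157.19.17.23: S 2000:2000(0) win 8760 <mss 1460>
10:05:45.000000 192.168.128.18.1026 > 134.157.19.17.23: S 2000:2000(0) win 8760 <mss 1460>
"""

# timestamp src.port > dst.port: flags (S, F, P, R or "." for none) rest-of-line
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFPR.]+)(?P<rest>.*)$"
)


def parse_tcp(capture):
    segs = []
    for line in capture.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S.%f")
        d["ack"] = re.search(r"\back \d+", d["rest"]) is not None  # ACK flag set?
        segs.append(d)
    return segs


def time_diagram(segs):
    """One line per segment: time since the first one, arrow in the direction of travel."""
    client, t0 = segs[0]["src"], segs[0]["ts"]
    lines = []
    for s in segs:
        label = s["flags"] + (" ack" if s["ack"] else "")
        from_client = s["src"] == client
        arrow = f"--{label:^9}-->" if from_client else f"<--{label:^9}--"
        peer = s["dst"] if from_client else s["src"]
        lines.append(f"+{(s['ts'] - t0).total_seconds():9.6f}  {client:>15} {arrow} {peer}")
    return lines


def handshake_complete(segs):
    """SYN, SYN+ACK back, ACK: the three segments a time diagram must start with."""
    return [(s["flags"], s["ack"]) for s in segs[:3]] == [("S", False), ("S", True), (".", True)]


def active_closer(segs):
    """The side that sends the first FIN does the active close (None if never closed)."""
    for s in segs:
        if "F" in s["flags"]:
            return s["src"]
    return None


def syn_intervals(segs):
    """Seconds between the SYNs (without ACK, so not the SYN+ACK) of the initiator."""
    times = [s["ts"] for s in segs if "S" in s["flags"] and not s["ack"]]
    return [round((b - a).total_seconds(), 6) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    http = parse_tcp(HTTP_CAPTURE)
    print("\n".join(time_diagram(http)))
    print("packets:", len(http), "active close by:", active_closer(http))
    print("SYN retransmission delays:", syn_intervals(parse_tcp(UNANSWERED_CAPTURE)))
```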

Unix configuration


First of all you need an account on the Sun. If you do not have one you can use the accounts test or test2. You can connect from home using telnet sunlab.science.alquds.edu if you cannot make it to the university. Another solution is to install windump on your PC at home and to adapt the lab work to your own PC. You can download windump freely.

Your Unix configuration must allow quick and easy editing of commands (use for example the tcsh shell with a good .tcshrc configuration file; you can copy mine: /export/home/f9999/.tcshrc). Then you can auto-complete commands, use the history mechanism easily and so on. You also need to configure your PATH variable so that the commands are found: setenv PATH /usr/sbin:/export/home/f9999/tcpdump/sbin:$PATH is required.

Moreover you need to be familiar with the X environment: opening Xterms, going from one window to another and so on.

Here is the manual page for tcpdump; I also give a brief description in the glossary. Recall also that I wrote an example of tcpdump use.

Glossary

tcpdump

/export/home/f9999/tcpdump/sbin/tcpdump

usage: tcpdump [options] expression

A program to sniff your ether interface. Here is the manual page for tcpdump. Recall also that I wrote an example of tcpdump use. Here are the main features we use.

options
  -i interface   choose the interface you sniff on.
  -e             display frame information.
  -v             verbose mode: display more information. You can also try -vv and even -vvv.
  -x -X          display the beginning (first 64 bytes) of each packet in hexadecimal and its ASCII equivalent.
  -c count       display only the first count packets.
  -s snaplen     display snaplen bytes of each packet (with the -x or -X options) instead of the default 64.

expression
There is a very powerful mechanism for filtering packets, to display only those you are interested in. Here are some examples.
  arp                  consider only ARP packets.
  ip                   consider only IP packets.
  tcp                  consider only TCP segments.
  host ipAddress       display only IP packets from or to this host.
  dst host ipAddress   display only IP packets with this destination host.
  src host ipAddress   display only IP packets with this source host.
You can combine these expressions using and, or. You can also use not and parentheses.
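To make the meaning of and, or, not and the parentheses concrete (in particular that not binds tightest and and tighter than or, which is what makes the lab's "not host 62.90.24.132 and ip" filter work), here is an added Python example, not part of the original handout and not tcpdump's own filter compiler: a small recursive-descent evaluator for exactly the primitives listed above, run over a constructed list of decoded packets. The packet list and the lesser-known fact that real tcpdump also lets host match the addresses inside ARP packets are the assumptions it makes.

```python
import re

# Constructed packet summaries, as a sniffer would decode them: the protocol
# and the source/destination IP addresses (for ARP, the sender and target IPs).
SAMPLE_PACKETS = [
    {"proto": "arp",  "src": "192.168.128.1",  "dst": "192.168.128.5"},
    {"proto": "tcp",  "src": "192.168.128.18", "dst": "62.90.24.132"},
    {"proto": "tcp",  "src": "62.90.24.132",   "dst": "192.168.128.18"},
    {"proto": "icmp", "src": "62.90.24.129",   "dst": "192.168.128.18"},
    {"proto": "udp",  "src": "192.168.128.18", "dst": "212.150.38.101"},
]


def tokenize(expression):
    return re.findall(r"\(|\)|[^\s()]+", expression)


class _Parser:
    """expr := term ('or' term)*   term := factor ('and' factor)*
       factor := 'not' factor | '(' expr ')' | primitive
       As in tcpdump, 'not' binds tightest and 'and' tighter than 'or'."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self.factor())
        return left

    def factor(self):
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            self.take(")")
            return inner
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in ("arp", "tcp", "udp", "icmp"):
            return lambda p, proto=tok: p["proto"] == proto
        if tok == "ip":                      # anything carried inside IP
            return lambda p: p["proto"] in ("tcp", "udp", "icmp")
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok != "host":
            raise ValueError(f"unknown primitive {tok!r}")
        addr = self.take()
        if direction == "src":
            return lambda p: p["src"] == addr
        if direction == "dst":
            return lambda p: p["dst"] == addr
        return lambda p: addr in (p["src"], p["dst"])   # plain host: either side


def compile_filter(expression):
    """Parse the expression into a predicate over one packet dict."""
    tokens = tokenize(expression)
    if not tokens:                           # empty filter keeps everything
        return lambda p: True
    parser = _Parser(tokens)
    predicate = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return predicate


def apply_filter(expression, packets):
    keep = compile_filter(expression)
    return [p for p in packets if keep(p)]


if __name__ == "__main__":
    for expr in ("arp", "not host 62.90.24.132 and ip", "tcp or (icmp and src host 62.90.24.129)"):
        print(f"{expr!r:45} -> {len(apply_filter(expr, SAMPLE_PACKETS))} packets")
```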

telnet

usage: telnet host port

Telnet is a very powerful application protocol to connect to a remote host. It exists under Windows and under Unix. You can use it to connect from your PC to the sunlab.

When used with a port different from 23 (the telnet port), this command only opens a TCP connection and redirects the standard input and output to this connection. You can use this feature to make some tests on TCP connections.

traceroute

usage: traceroute [options] host [packet length]

This is a program to discover the route between you and a remote host. It uses the TTL of the IP packets and the ICMP error messages to discover the routers on the route.

There are a lot of possible options, look in the manual (man traceroute).
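The TTL mechanism described here, and the two questions of the ICMP section about it (what TTLs the probes carry, and whether the ICMP answers always come back), are easiest to see in a small simulation, so here is an added Python example that is not part of the original handout or of the traceroute program. The path of four routers and the destination 10.9.8.7 is constructed; the "silent" set models a router or host that discards the probe without sending the ICMP error, which is the case where traceroute prints "*".

```python
# Constructed path from the lab to a remote host: four routers, then the
# destination. All addresses are invented for this example.
PATH = ["192.168.128.1", "62.90.24.129", "212.150.0.1", "134.157.254.1", "10.9.8.7"]

TIME_EXCEEDED = "icmp time exceeded"
PORT_UNREACHABLE = "icmp port unreachable"


def forward(ttl, path, silent=()):
    """Send one probe with the given TTL along path.
    Each router decrements the TTL; the router that brings it to 0 discards the
    probe and answers ICMP time exceeded (a router listed in `silent` discards
    it without answering). A probe that survives all routers reaches the
    destination, whose closed UDP port answers ICMP port unreachable.
    Returns (icmp message, address of the sender) or None if nothing comes back."""
    for router in path[:-1]:
        ttl -= 1
        if ttl == 0:
            return None if router in silent else (TIME_EXCEEDED, router)
    if path[-1] in silent:
        return None
    return (PORT_UNREACHABLE, path[-1])


def traceroute(path, max_ttl=30, silent=()):
    """Probe with TTL 1, 2, 3, ... until the destination itself answers.
    Returns [(ttl, address or '*'), ...], one entry per hop tried."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = forward(ttl, path, silent)
        hops.append((ttl, reply[1] if reply else "*"))
        if reply and reply[0] == PORT_UNREACHABLE:
            break
    return hops


def probe_ttls(hops):
    """The TTL values a sniffer next to the source sees on the outgoing probes."""
    return [ttl for ttl, _ in hops]


if __name__ == "__main__":
    for ttl, who in traceroute(PATH):
        print(f"{ttl:2d}  {who}")
    print("with a silent router:", traceroute(PATH, silent={"212.150.0.1"}))
```

The sniffer on the Sun sees the probes leave with TTL 1, 2, 3 and so on (that is the answer to "what are the TTLs?"), and sees one ICMP message come back per probe except from a silent router, which is why a real trace can show lines of "*" and still go on to the next hop.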