CS519 Spring 2003

Homework 1 – Exploring Network Activity

(Due: 29th January 2003)

Download: example.cap [last updated 01/22/03]

Text copies of the capture file: Summary and Detailed view

The aim of this exercise is to analyze the network trace provided and to familiarize yourself with the network protocol analyzer Ethereal, including its variety of display options and filtering capabilities. You are provided with a trace of network activity that was captured with Ethereal. Download the file and open it with Ethereal. Ethereal is available as a free download, and it is also installed on the machines in Upson 315.

For this assignment, if you do not know how to easily answer a question, feel free to give an educated guess. I am *not* asking you to research the answers (we will cover many of these topics over the course of the semester). I want you to experiment with Ethereal and, hopefully, enjoy looking at a trace of actual network activity. It will also help me get a feeling for what you already know!

What is Ethereal?

Ethereal is a network protocol analyzer available for free download at http://www.ethereal.com/. Ethereal lets you interactively capture data from a live network and/or analyze data from a capture file, with summary and detail information about each network packet. Ethereal has several powerful features, such as filtering capabilities and the ability to view the reconstructed stream of a TCP session.

We strongly suggest that you capture traces of your own network activity and analyze them in a similar manner (please be aware that sniffing other people’s network traffic is an academic integrity violation). Answer the following questions and submit an HTML file containing your answers through the course management system. If you do not know the answer to a question, please feel free to give an educated guess.

Good luck! For any questions, contact cs519@cs.cornell.edu


Q1: After starting the trace capture, the first thing I did was to issue an ipconfig /renew command. Which packets do you think are direct results of this command? (Hint: Try ipconfig renew yourself at a Windows command prompt if you are not familiar with this command.) Can you say specifically what these packets accomplish?


Q2: The second thing I did was to open a browser window and go to the URL http://www.oreilly.com. What is the purpose of the DNS A query for www.oreilly.com in packet 25? Does this imply anything about how long it has been since traffic was exchanged with www.oreilly.com?


Q3: What is the IP address of the machine that was being used to capture this trace? What is the IP address of the DNS server?


Q4: Packets 27-29 show the three-way handshake that establishes the TCP connection between the local machine and www.oreilly.com. What is the value in the sequence number field and the ack field for each of packets 27-29? Can you explain the purpose of these numbers?


Q5: What port numbers are used for each end of the TCP connection to www.oreilly.com?


Q6: Once the TCP connection to www.oreilly.com is open, packet 30 contains the HTTP GET request. Is packet 30 an HTTP packet, a TCP packet, or both?


Q7: Packet 30 takes up 383 bytes. What accounts for the bulk of this space? Look in the detailed view of the packet and describe some of the information sent with the GET request.


Q8: There are actually two TCP connections established to www.oreilly.com. Which packets show the opening of the second connection? Why might a web browser establish two connections?


Q9: How many distinct objects are fetched from www.oreilly.com? How do you know? How many objects go over each of the two TCP connections?


Q10: What is the significance of the HTTP Continuation packets?


Q11: How many bytes total are transferred from www.oreilly.com to the local machine? How many bytes total are transferred in the other direction? How do you know? (Hint: Try the Follow TCP Stream option under the Tools menu. Hint 2: Use the beginning and ending sequence numbers.)
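The sequence-number arithmetic behind Q4 and Q11 is small enough to model directly. The following Python is an added example for this page, not part of the original assignment or of Ethereal: it reproduces the SYN / SYN-ACK / ACK numbering of a three-way handshake, converts absolute sequence numbers to the 0-based "relative" values Ethereal displays, and counts the application bytes sent in one direction from that sender's initial sequence number and its last data segment. All ISNs and segment lengths in it are constructed; the 383-byte client segment mirrors the size stated in Q7, and the server lengths are made up. The byte count is done modulo 2^32, so a long stream whose counter wraps is still counted correctly, which the simple "end minus start" subtraction gets wrong.

```python
"""Model of TCP sequence/acknowledgement arithmetic (constructed example)."""

SEQ_MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


def wrap(n: int) -> int:
    """Reduce a sequence number modulo 2^32."""
    return n % SEQ_MOD


def three_way_handshake(client_isn: int, server_isn: int):
    """Return (flags, seq, ack) for the SYN, SYN-ACK and ACK segments.

    A SYN consumes one sequence number even though it carries no data,
    so each side's first acknowledgement is the peer's ISN + 1.
    """
    return [
        ("SYN", client_isn, 0),
        ("SYN-ACK", server_isn, wrap(client_isn + 1)),
        ("ACK", wrap(client_isn + 1), wrap(server_isn + 1)),
    ]


def relative_seq(seq: int, isn: int) -> int:
    """Absolute sequence number -> the 0-based value Ethereal shows
    when 'relative sequence numbers' is enabled."""
    return wrap(seq - isn)


def payload_bytes(isn: int, last_seq: int, last_len: int) -> int:
    """Application bytes sent in one direction of a connection.

    isn      -- the sender's initial sequence number (the one in its SYN)
    last_seq -- sequence number of the sender's last data-carrying segment
    last_len -- TCP payload length of that segment
    The SYN's one sequence number is subtracted, and the subtraction is
    done modulo 2^32 so a stream that wrapped the counter still counts.
    """
    return wrap(last_seq + last_len - isn - 1)


def stream_segments(isn: int, payload_lengths):
    """Constructed data segments after the handshake, as (seq, len) pairs.
    Each segment starts where the previous one's payload ended."""
    seq = wrap(isn + 1)  # first data byte follows the SYN
    out = []
    for n in payload_lengths:
        out.append((seq, n))
        seq = wrap(seq + n)
    return out


def bytes_each_direction(client_isn, server_isn, client_lens, server_lens):
    """(client->server bytes, server->client bytes) from each side's last segment."""
    c = stream_segments(client_isn, client_lens)
    s = stream_segments(server_isn, server_lens)
    return (payload_bytes(client_isn, *c[-1]), payload_bytes(server_isn, *s[-1]))


if __name__ == "__main__":
    # Constructed ISNs; real stacks pick them unpredictably.
    for flags, seq, ack in three_way_handshake(1000, 5000):
        print(f"{flags:8} seq={seq} ack={ack}")
    # One 383-byte request, three response segments (lengths constructed).
    print(bytes_each_direction(1000, 5000, [383], [1460, 1460, 700]))
    # A sender whose counter wrapped past 2^32 during the transfer.
    print(payload_bytes(0xFFFFFF00, 0x10, 0x20))
```

Running the block prints the handshake triples, the byte counts (383, 3620) and 303 for the wrapped stream. Ethereal's relative numbering hides the wrap, which is why the hint to use the beginning and ending sequence numbers works without extra care in the GUI; on raw numbers the modular subtraction is needed.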


Q12: After visiting Oreilly, I opened my browser to www.gnu.org. How many distinct objects and/or bytes are fetched from www.gnu.org? Compare this to www.oreilly.com. (Open both www.gnu.org and www.oreilly.com yourself and see if you can see why.)


Q13: I have a Google toolbar in my browser that displays the "page rank" for each page I visit. What evidence can you find for this in the trace? How is the "page rank" information obtained? (Note: Page rank is typically a value from 1-10. www.oreilly.com had rank 9.)


Q14: The browser reset the connection to www.oreilly.com after the connection to gnu.org is established. Which packets show this happening? Why do you think the connection is reset when it is?


Q15: What is the difference between DNS A requests and DNS PTR requests?


Q16: In packet 3, there is a DNS PTR request for 1.1.168.192.in-addr.arpa. Does this mean the query is for IP address 1.1.168.192 or 192.168.1.1?
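For Q15 and Q16, the naming rule behind reverse lookups is mechanical and worth seeing as code. The Python below is an added example for this page, not part of the assignment or of Ethereal: `ptr_name` builds the QNAME a PTR query carries for an address, and `ptr_to_address` parses such a QNAME back into the address it asks about. It goes a little beyond the IPv4 case in the question by also handling the IPv6 form under ip6.arpa (one label per hex nibble), and it validates label counts so a truncated or malformed name raises instead of yielding a wrong address. The standard library `ipaddress` module is used for address validation; the sample names are constructed.

```python
"""Reverse-lookup (PTR) name construction and parsing (constructed example)."""
import ipaddress


def ptr_name(address: str) -> str:
    """Build the QNAME used in a PTR query for an IPv4 or IPv6 address.

    IPv4: dotted octets in reverse order under in-addr.arpa
          192.168.1.1 -> 1.1.168.192.in-addr.arpa
    IPv6: the 32 hex nibbles in reverse order under ip6.arpa
    """
    ip = ipaddress.ip_address(address)  # raises ValueError on malformed input
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_to_address(qname: str) -> str:
    """Recover the address a PTR query is about from its QNAME.

    Accepts mixed case and a trailing dot. Rejects names with the wrong
    number of labels so a clipped name cannot silently map to some other
    address.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"expected 4 octet labels, got {len(octets)}: {qname}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError(f"expected 32 single-nibble labels: {qname}")
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a reverse-lookup name: {qname}")


def is_reverse_query(qname: str) -> bool:
    """True if the QNAME is well-formed in-addr.arpa or ip6.arpa."""
    try:
        ptr_to_address(qname)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed QNAMEs as they might appear in a trace's DNS summary column.
    for name in ["1.1.168.192.in-addr.arpa", "10.0.168.192.IN-ADDR.ARPA.",
                 "1.1.168.in-addr.arpa", "www.example.com"]:
        if is_reverse_query(name):
            print(f"{name:32} -> PTR for {ptr_to_address(name)}")
        else:
            print(f"{name:32} -> not a well-formed reverse-lookup name")
    print(ptr_name("2001:db8::1"))
```

Note that 1.1.168.192 is itself a syntactically valid IPv4 address, which is exactly the ambiguity Q16 asks about; the reversal is fixed by the in-addr.arpa convention (RFC 1035), not by anything in the packet bytes themselves.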


Q17: What application do you suspect is the source of the DNS PTR requests? Hint: It isn't the web browser.


Q18: The local machine I was using was sitting behind a combination firewall and network address translation (NAT) server. Can you see evidence of this in the trace?


Q19: Packets 5-8, 9-12 and 13-16 are three tries of NBNS and ICMP to the firewall's internal interface. What is the purpose of these messages?


Q20: Do you know any method by which you can detect a packet sniffer in the network? If yes, how, and if no, why? [One possible method is linked to question 17.]


Q21: What is an Ethernet MAC address? What is the IP address and MAC address of the computer that you are using now? Can the MAC address be changed?


Q22: Is it possible to sniff a switched network? If yes, how, and if no, why?


Q23: Please give me your general reaction to this exercise. Did you find it interesting? What percentage of the answers was obvious to you? Had you done something like this before in a class or on your own?


Q24: If you noticed anything else cool in this trace or in other traces you examined, I would love to hear about it.