Lab 03: Setting Up Virtual Machines, Practicing With Wireshark

Goals

1. Directory and file set-ups

2. Set up virtual machines in Bucknell's computing environment

This set of instructions guides you through the steps needed to set up a virtual machine in Bucknell's labs. For a general description or discussion of virtual machines, please see other documents, for example, articles from Wikipedia or PC Magazine.

3. Capture Network Traffic Using Wireshark

Background

This set of instructions describes how to use the existing (and popular) software Wireshark to capture network traffic. We assume that students have proper access to the Wireshark software. At the end of the exercise, students should be able to generate a packet capture file of their own that contains the network traffic of a few tens of packets.

Steps to generate a packet capture file

  1. Log into the virtual machine you just created. You can do it in multiple ways.
  2. At the VM terminal window, type wireshark; the Wireshark program will start. You should see an initial screen similar to the following.

    Wireshark start screen

  3. Now we want to set some options for the software so the data can be used in our analysis program. Click Capture in the menu bar and choose Options. You will see an interface similar to the following.

    Wireshark initial option screen

  4. In the Options menu, select em1 as the capture interface near the top of the screen; uncheck Use pcap-ng format in the middle of the screen; and set a reasonable packet count (e.g., 30) for the Stop Capture Automatically After ... option at the lower left corner of the screen.
  5. After these settings, the Options screen should look similar to the following. At this point, leave the Capture Files option blank. That is, do not specify any capture file through this interface.

    Wireshark option screen after setting

  6. At this point, click the Close button, which should bring you back to the start screen. Click the green Start button in the middle of the Wireshark initial screen; the software is now ready to collect network packets.

    Wireshark start screen

  7. Start any network application from within the VM, for example a browser visiting any of your favorite websites, until the packet count reaches the specified value, at which point the capture stops.
  8. In the Wireshark main screen, click File in the menu bar and choose Save or Save As to save the captured packet file. Give it a reasonable file name, e.g., march14-2014-xm, to indicate the date of the capture. The software should add the .pcap extension itself.
  9. Now transfer the file from the VM to your main Linux computer account by using the sftp program.

    sftp your-user-name@linuxremote
    cd your-csci363-lab03-directory
    put march14-2014-xm.pcap

  10. You can now run your packet analysis program using the newly acquired data.
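As an added example that is not part of the lab handout, below is a small reader for the classic pcap format that the analysis program in step 10 would consume: it shows why step 4 unchecks pcap-ng (the file would start with a different magic number and a different record layout), and it labels each frame by transport port the way the DNS and HTTP filters in Problem 4.2 do. The three-frame capture is constructed inline, and the function and constant names are my own, not the lab's.

```python
import struct
from collections import Counter

def read_pcap(data: bytes):
    # Classic pcap: a 24-byte global header, then a 16-byte record header before each Ethernet frame.
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])  # magic gives byte order
    if endian is None:  # pcapng files start with 0x0A0D0D0A instead, which is why step 4 unchecks it
        raise ValueError("not a classic pcap file; re-capture with 'Use pcap-ng format' unchecked")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record (capture interrupted mid-write)
        yield ts_sec, frame
        off += 16 + incl_len

def classify(frame: bytes) -> str:
    # Label frames as the Wireshark display filters 'dns' and 'http' would: by transport port.
    if len(frame) < 14:
        return "short"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return "ARP" if ethertype == 0x0806 else "other"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0  # IPv4 header length in bytes
    if len(ip) < max(20, ihl + 4):
        return "short"
    proto, ports = ip[9], struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == 17:
        return "DNS" if 53 in ports else "UDP"
    return ("HTTP" if 80 in ports else "TCP") if proto == 6 else "IP"

def summarize(data: bytes) -> Counter:
    return Counter(classify(frame) for _ts, frame in read_pcap(data))

def _ipv4(proto: int, payload: bytes) -> bytes:  # minimal IPv4 header, checksum left at 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + payload

ETH = bytes(12)  # zeroed destination/source MACs; the EtherType follows
FRAMES = [  # constructed frames, not a real trace: DNS query, HTTP GET, ARP request
    ETH + b"\x08\x00" + _ipv4(17, struct.pack("!HHHH", 40000, 53, 20, 0) + bytes(12)),
    ETH + b"\x08\x00" + _ipv4(6, struct.pack("!HHIIBBHHH", 40001, 80, 1, 0, 0x50, 0x18, 512, 0, 0) + b"GET / HTTP/1.0\r\n"),
    ETH + b"\x08\x06" + bytes(28),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1394800000, 0, len(f), len(f)) + f for f in FRAMES)
```

To run it on your own capture, replace SAMPLE_PCAP with the bytes read from the .pcap file you transferred with sftp.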

4. Examine the content of captured frames

Problem 4.1 Wireshark exercises from the textbook authors

While we will write our own programs to analyze the captured frames, for now we can use the GUI provided by Wireshark to examine the content of these frames. Follow this link to the next part of the lab. Write your answers in answers.txt as Problem 4.1.

Problem 4.2 Additional Wireshark exercises

Problem 4.2a

Copy your simple webserver/client program pair to your virtual host machine (e.g., mynode-720-123) using sftp or any other program you prefer. Then do the following exercises.

  1. Start the Wireshark program.
  2. Run the webserver on your local Linux machine using your assigned port number.
  3. Start the capture function within Wireshark.
  4. Run the webclient program on your virtual machine to retrieve any page from the server you just started, e.g., default.html.
  5. Run the webclient program on your virtual machine to retrieve the Wireshark lab page /wireshark-labs/HTTP-wireshark-file1.html from the host gaia.cs.umass.edu.
  6. Set the filter in Wireshark for HTTP only.
  7. Answer the following questions by examining the relevant values in the Wireshark output. Write your answers in answers.txt as Problem 4.2a.
    1. Can you find the HTTP packet information, such as the HTTP commands or the path to the requested file, from within Wireshark for both requests, the one to UMass and the one to your own server?
    2. Explain briefly what you observed. Discuss your answers with your neighbors or with your instructor.

Problem 4.2b

  1. Clear the current window in Wireshark by restarting the capture without saving.
  2. Start an application that requires DNS service, for example, by going to the web site http://www.example.org or running sftp to linuxremote. Make sure you use your own user name in sftp, e.g., sftp abc123@linuxremote.
  3. In the Wireshark window, set the filter to "DNS" and explain what you see. Write the answers in your answers.txt as Problem 4.2b.
    1. What is the IP address of the DNS server for your node?
    2. Explain what the range of this IP address is used for. You can search the Internet for answers.
    3. Print the content of the frame to a file using File->Print; choose Selected packet only and Packet summary line. Include the content of this file in answers.txt.

Add, commit, and push answers.txt, which should contain all the answers to the questions in the exercises.