
Lab - Using Wireshark to View Network Traffic

Topology

Objectives

Part 1: (Optional) Download and Install Wireshark

Part 2: Capture and Analyze Local ICMP Data in Wireshark
- Start and stop data capture of ping traffic to local hosts.
- Locate the IP and MAC address information in captured PDUs.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark
- Start and stop data capture of ping traffic to remote hosts.
- Locate the IP and MAC address information in captured PDUs.
- Explain why MAC addresses for remote hosts are different than the MAC addresses of local hosts.

Background / Scenario

Wireshark is a software protocol analyzer, or "packet sniffer" application, used for network troubleshooting, analysis, software and protocol development, and education. As data streams travel back and forth over the network, the sniffer "captures" each protocol data unit (PDU) and can decode and analyze its content according to the appropriate RFC or other specifications.

Wireshark is a useful tool for anyone working with networks and can be used with most labs in the CCNA courses for data analysis and troubleshooting. This lab provides instructions for downloading and installing Wireshark, although it may already be installed. In this lab, you will use Wireshark to capture ICMP data packet IP addresses and Ethernet frame MAC addresses.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Required Resources

- 1 PC (Windows 7, Vista, or XP with Internet access)
- Additional PC(s) on a local-area network (LAN) will be used to reply to ping requests.

Part 1: (Optional) Download and Install Wireshark

Wireshark has become the industry standard packet-sniffer program used by network engineers. This open source software is available for many different operating systems, including Windows, Mac, and Linux. In Part 1 of this lab, you will download and install the Wireshark software program on your PC.

Note: If Wireshark is already installed on your PC, you can skip Part 1 and go directly to Part 2. If Wireshark is not installed on your PC, check with your instructor about your academy's software download policy.

Step 1: Download Wireshark.

a. Wireshark can be downloaded from www.wireshark.org.

b. Click Download Wireshark.

c. Choose the software version you need based on your PC's architecture and operating system. For instance, if you have a 64-bit PC running Windows, choose Windows Installer (64-bit).

After making a selection, the download should start. The location of the downloaded file depends on the browser and operating system that you use. For Windows users, the default location is the Downloads folder.

Step 2: Install Wireshark.

a. The downloaded file is named Wireshark-win64-x.x.x.exe, where x represents the version number. Double-click the file to start the installation process.

b. Respond to any security messages that may display on your screen. If you already have a copy of Wireshark on your PC, you will be prompted to uninstall the old version before installing the new version. It is recommended that you remove the old version of Wireshark prior to installing another version. Click Yes to uninstall the previous version of Wireshark.

c. If this is the first time to install Wireshark, or after you have completed the uninstall process, you will navigate to the Wireshark Setup wizard. Click Next.

d. Continue advancing through the installation process. Click I Agree when the License Agreement window displays.

e. Keep the default settings on the Choose Components window and click Next.

f. Choose your desired shortcut options and click Next.

g. You can change the installation location of Wireshark, but unless you have limited disk space, it is recommended that you keep the default location.

h. To capture live network data, WinPcap must be installed on your PC. If WinPcap is already installed on your PC, the Install check box will be unchecked. If your installed version of WinPcap is older than the version that comes with Wireshark, it is recommended that you allow the newer version to be installed by clicking the Install WinPcap x.x.x (version number) check box.

i. Finish the WinPcap Setup Wizard if installing WinPcap.

j. Wireshark starts installing its files and a separate window displays with the status of the installation. Click Next when the installation is complete.

k. Click Finish to complete the Wireshark install process.

Part 2: Capture and Analyze Local ICMP Data in Wireshark

In Part 2 of this lab, you will ping another PC on the LAN and capture ICMP requests and replies in Wireshark. You will also look inside the frames captured for specific information. This analysis should help to clarify how packet headers are used to transport data to their destination.

Step 1: Retrieve your PC's interface addresses.

For this lab, you will need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.

a. Open a command window, type ipconfig /all, and then press Enter.

b. Note your PC interface's IP address and MAC (physical) address.

c. Ask a team member for their PC's IP address and provide your PC's IP address to them. Do not provide them with your MAC address at this time.

Step 2: Start Wireshark and begin capturing data.

a. On your PC, click the Windows Start button to see Wireshark listed as one of the programs on the pop-up menu. Double-click Wireshark.

b. After Wireshark starts, click Interface List.

Note: Clicking the first interface icon in the row of icons also opens the Interface List.

c. On the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.

Note: If multiple interfaces are listed and you are unsure which interface to check, click the Details button, and then click the 802.3 (Ethernet) tab. Verify that the MAC address matches what you noted in Step 1b. Close the Interface Details window after verifying the correct interface.

d. After you have checked the correct interface, click Start to start the data capture.

Information will start scrolling down the top section in Wireshark. The data lines will appear in different colors based on protocol.

e. This information can scroll by very quickly depending on what communication is taking place between your PC and the LAN. We can apply a filter to make it easier to view and work with the data that is being captured by Wireshark. For this lab, we are only interested in displaying ICMP (ping) PDUs. Type icmp in the Filter box at the top of Wireshark and press Enter or click on the Apply button to view only ICMP (ping) PDUs.

f. This filter causes all data in the top window to disappear, but you are still capturing the traffic on the interface. Bring up the command prompt window that you opened earlier and ping the IP address that you received from your team member. Notice that you start seeing data appear in the top window of Wireshark again.

Note: If your team member's PC does not reply to your pings, this may be because their PC firewall is blocking these requests. Please see Appendix A: Allowing ICMP Traffic Through a Firewall for information on how to allow ICMP traffic through the firewall using Windows 7.

g. Stop capturing data by clicking the Stop Capture icon.

Step 3: Examine the captured data.

In Step 3, examine the data that was generated by the ping requests of your team member's PC. Wireshark data is displayed in three sections: 1) The top section displays the list of PDU frames captured with a summary of the IP packet information listed, 2) the middle section lists PDU information for the frame selected in the top part of the screen and separates a captured PDU frame by its protocol layers, and 3) the bottom section displays the raw data of each layer. The raw data is displayed in both hexadecimal and decimal form.

a. Click the first ICMP request PDU frame in the top section of Wireshark. Notice that the Source column has your PC's IP address, and the Destination contains the IP address of the teammate's PC you pinged.

b. With this PDU frame still selected in the top section, navigate to the middle section. Click the plus sign to the left of the Ethernet II row to view the Destination and Source MAC addresses.

Does the Source MAC address match your PC's interface?

Does the Destination MAC address in Wireshark match that of your team member's PC?

How is the MAC address of the pinged PC obtained by your PC?

Note: In the preceding example of a captured ICMP request, ICMP data is encapsulated inside an IPv4 packet PDU (IPv4 header) which is then encapsulated in an Ethernet II frame PDU (Ethernet II header) for transmission on the LAN.

Part 3: Capture and Analyze Remote ICMP Data in Wireshark

In Part 3, you will ping remote hosts (hosts not on the LAN) and examine the generated data from those pings. You will then determine what is different about this data from the data examined in Part 2.

Step 1: Start capturing data on interface.

a. Click the Interface List icon to bring up the list PC interfaces again.

b. Make sure the check box next to the LAN interface is checked, and then click Start.

c. A window prompts to save the previously captured data before starting another capture. It is not necessary to save this data. Click Continue without Saving.

d. With the capture active, ping the following three website URLs:

1) www.yahoo.com

2) www.cisco.com

3) www.google.com

Note: When you ping the URLs listed, notice that the Domain Name Server (DNS) translates the URL to an IP address. Note the IP address received for each URL.

e. You can stop capturing data by clicking the Stop Capture icon.

Step 2: Examining and analyzing the data from the remote hosts.

a. Review the captured data in Wireshark, examine the IP and MAC addresses of the three locations that you pinged. List the destination IP and MAC addresses for all three locations in the space provided.

1st Location: IP: ______________ MAC: ______________

2nd Location: IP: ______________ MAC: ______________

3rd Location: IP: ______________ MAC: ______________

b. What is significant about this information?

c. How does this information differ from the local ping information you received in Part 2?

Reflection

Why does Wireshark show the actual MAC address of the local hosts, but not the actual MAC address for the remote hosts?

Appendix A: Allowing ICMP Traffic Through a Firewall

If the members of your team are unable to ping your PC, the firewall may be blocking those requests. This appendix describes how to create a rule in the firewall to allow ping requests. It also describes how to disable the new ICMP rule after you have completed the lab.

Step 1: Create a new inbound rule allowing ICMP traffic through the firewall.

a. From the Control Panel, click the System and Security option.

b. From the System and Security window, click Windows Firewall.

c. In the left pane of the Windows Firewall window, click Advanced settings.

d. On the Advanced Security window, choose the Inbound Rules option on the left sidebar and then click New Rule… on the right sidebar.

e. This launches the New Inbound Rule wizard. On the Rule Type screen, click the Custom radio button and click Next.

f. In the left pane, click the Protocol and Ports option and using the Protocol type drop-down menu, select ICMPv4, and then click Next.

g. In the left pane, click the Name option and in the Name field, type Allow ICMP Requests. Click Finish.

This new rule should allow your team members to receive ping replies from your PC.

Step 2: Disabling or deleting the new ICMP rule.

After the lab is complete, you may want to disable or even delete the new rule you created in Step 1. Using the Disable Rule option allows you to enable the rule again at a later date. Deleting the rule permanently deletes it from the list of Inbound Rules.

a. On the Advanced Security window, in the left pane, click Inbound Rules and then locate the rule you created in Step 1.

b. To disable the rule, click the Disable Rule option. When you choose this option, you will see this option change to Enable Rule. You can toggle back and forth between Disable Rule and Enable Rule; the status of the rule also shows in the Enabled column of the Inbound Rules list.

c. To permanently delete the ICMP rule, click Delete. If you choose this option, you must re-create the rule again to allow ICMP replies.
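The following is an added example and is not part of the Cisco lab. It builds a constructed Ethernet II / IPv4 / ICMP echo-request frame and decodes it layer by layer, the same three layers the Wireshark middle pane shows in Part 2 Step 3 (Ethernet II header, IPv4 header, ICMP data). It also verifies the IPv4 and ICMP checksums, which Wireshark flags when they are wrong, and illustrates the Reflection question: for a destination inside the local subnet the frame carries the target's own MAC, while for a remote host it carries the default gateway's MAC, because the Ethernet header is rewritten at every hop while the IP addresses stay the same. All MAC and IP addresses, the subnet, and the helper names are constructed assumptions for this example.

```python
"""Added example (not part of the Cisco lab): decode an Ethernet II / IPv4 /
ICMP echo request the way Wireshark's middle pane presents it, and show
why the destination MAC differs for local and remote targets."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used by both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                payload: bytes = b"abcdefgh") -> bytes:
    """Construct a ping (ICMP echo request) frame with valid checksums."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                         128, IPPROTO_ICMP, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + icmp


def decode_frame(frame: bytes) -> dict:
    """Split a frame into the Ethernet II, IPv4 and ICMP layers."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    icmp = ip[ihl:]
    return {
        "dst_mac": mac_str(dst_mac),
        "src_mac": mac_str(src_mac),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "ttl": ip[8],
        "protocol": ip[9],
        # A header whose stored checksum is correct sums to zero under RFC 1071.
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp[0],
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }


def expected_dst_mac(dst_ip: str, local_net: str, target_mac: str,
                     gateway_mac: str) -> str:
    """MAC the sender resolves via ARP: the target itself if on the LAN,
    otherwise the default gateway (the IP destination is left unchanged)."""
    if ipaddress.IPv4Address(dst_ip) in ipaddress.IPv4Network(local_net):
        return target_mac
    return gateway_mac


if __name__ == "__main__":
    # Constructed addresses for a small LAN; nothing here is a real host.
    my_mac, my_ip = "aa:bb:cc:dd:ee:01", "192.168.1.10"
    mate_mac, mate_ip = "aa:bb:cc:dd:ee:02", "192.168.1.20"
    gw_mac = "aa:bb:cc:dd:ee:ff"
    remote_ip = "203.0.113.5"  # documentation range, i.e. "not on the LAN"

    for target_ip in (mate_ip, remote_ip):
        dst = expected_dst_mac(target_ip, "192.168.1.0/24", mate_mac, gw_mac)
        for layer, value in decode_frame(build_frame(dst, my_mac, my_ip, target_ip)).items():
            print(f"{target_ip:>14}  {layer:<17} {value}")
        print()
```

Running the script prints the decoded layers for a local and a remote ping: the IP source and destination are the two endpoints in both cases, but the Ethernet destination for the remote host is the gateway's MAC, which is why Wireshark never shows the remote host's real MAC. Flipping any byte of a captured header makes the corresponding checksum check return False, the same condition Wireshark reports as an incorrect checksum.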