128.143.255.255
&&frame.number<30
number 23.
ip.addr==10.0.1.12 && tcp.port==23
10.
ethereal -f "host 10.0.1.12 and tcp port 23"
PART 1: Using Filters in TCPDUMP
Exercise 1- Writing filter expressions for tcpdump
Set the filter so that only ICMP messages are captured. The
command is:
tcpdump -n -l host 10.0.1.12 and icmp | tee /labdata/ex1p3
packets that contain the IP address of PC2 are recorded. The filter
Repeat the same procedure as above, but use the display filter
new terminal we ping PC2 and at the same time we start a telnet
root then exit. Finally, we stop the capture of ethereal and apply
display filter:
c) Limit the displayed packets to the ones using port 23. The
all the entries using the command arp -d. Note that when we displayed
the content of the ARP cache we did not observe any entry since the ARP
Run ethereal on PC1 with a capture filter set to the IP address of PC2,
and issue a ping command from PC1 to PC2 using the command: ping
-c 2 10.0.1.12.
address of the ARP Request packets as well as the Type field in the
Please note that in the lab we issued 5 ping requests because we used
Now we view the ARP cache again with the command arp -a.
No. Time Source Destination Protocol Info
11 4.021105 10.0.1.11 10.0.1.12 ICMP Echo
(ping) request
0000 a5 3b e8 45 5c 3d 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E\=..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567
No. Time Source Destination Protocol Info
12 4.021494 10.0.1.12 10.0.1.11 ICMP Echo
(ping) reply
0000 a5 3b e8 45 5c 3d 07 00 08 09 0a 0b 0c 0d 0e 0f .;.E\=..........
0010 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f ................
0020 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f !"#$%&'()*+,-./
0030 30 31 32 33 34 35 36 37 01234567
packet?
Because the ARP Request packet is broadcast, the destination MAC
address is ff:ff:ff:ff:ff:ff.
What are the different values of the Type field in the Ethernet
0x0800 respectively.
having the requested IP knows it has to reply to the source with its MAC
address.
Note that the reply containing the required MAC address is of type
ARP as shown in the red square.
Exercise 3B- Matching IP addresses and MAC addresses
In this part, we collect the MAC addresses of all interfaces connected
The IP and MAC addresses of all the machines on the eth0 interface
answer.
The purpose of this part is to explore how to use the netstat command
of a host.
Exercise 4
On PC1 we first try the different variations of the netstat command
and save their output to a file. The first command is netstat -in, which
displays information on the network interfaces. The output is:
Ip:
38738 total packets received
0 forwarded
0 incoming packets discarded
37038 incoming packets delivered
38771 requests sent out
Icmp:
1795 ICMP messages received
2 input ICMP message failed.
ICMP input histogram:
destination unreachable: 1725
echo replies: 70
1725 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 1725
Tcp:
791 active connections openings
787 passive connection openings
2 failed connection attempts
0 connection resets received
0 connections established
35212 segments received
35245 segments send out
2 segments retransmited
0 bad segments received.
0 resets sent
Udp:
10 packets received
1721 packets to unknown port received.
0 packet receive errors
1731 packets sent
TcpExt:
ArpFilter: 0
775 TCP sockets finished time wait in fast timer
3 delayed acks sent
3542 packets directly queued to recvmsg prequeue.
122622 packets directly received from backlog
86454 packets directly received from prequeue
6824 packets header predicted
4376 packets header predicted and directly queued to user
TCPPureAcks: 3009
TCPHPAcks: 13799
TCPRenoRecovery: 0
TCPSackRecovery: 0
TCPSACKReneging: 0
TCPFACKReorder: 0
TCPSACKReorder: 0
TCPRenoReorder: 0
TCPTSReorder: 0
TCPFullUndo: 0
TCPPartialUndo: 0
TCPDSACKUndo: 0
TCPLossUndo: 0
TCPLoss: 0
TCPLostRetransmit: 0
TCPRenoFailures: 0
TCPSackFailures: 0
TCPLossFailures: 0
TCPFastRetrans: 0
TCPForwardRetrans: 0
TCPSlowStartRetrans: 0
TCPTimeouts: 2
TCPRenoRecoveryFail: 0
TCPSackRecoveryFail: 0
TCPSchedulerFailed: 0
TCPRcvCollapsed: 0
TCPDSACKOldSent: 0
TCPDSACKOfoSent: 0
TCPDSACKRecv: 0
TCPDSACKOfoRecv: 0
TCPAbortOnSyn: 0
TCPAbortOnData: 0
TCPAbortOnClose: 0
TCPAbortOnMemory: 0
TCPAbortOnTimeout: 0
TCPAbortOnLinger: 0
TCPAbortFailed: 0
TCPMemoryPressures: 0
What are the network interfaces of PC1 and what are the MTU
(maximum transmission unit) values of the interfaces?
By observing the output of the command netstat -in, we can see that the
network interfaces of PC1 are eth0 and lo, and their MTU values are
1500 and 16436 respectively.
when you send to your own machine (the lo interface) you are guaranteed to receive what
you sent, so the transmitted and received packet counts are equal. For
eth0 the sender and receiver are different hosts, so the numbers of packets
transmitted and received need not be equal. For
Exercise 6
Then we made sure that the ARP cache was empty on all PCs by
displaying its content using the command arp -a. Note that the cache
was already empty because the entries are automatically deleted after
On PC3 we run ethereal and set a filter to capture packets to and from
10.0.1.11.
Then on a new terminal we start a telnet session to the duplicate
root user and issue the command arp -a in order to determine the
Therefore, we can see that we have logged in to PC1 since the MAC
following:
10.0.1.14.
Explain why the telnet session was established to one of the hosts
with the duplicate address and not the other. Explain why the
telnet session was established at all and did not result in an error
message.
PC3 issued an ARP request ("Who has 10.0.1.11? Tell 10.0.1.13"). Since
both PC1 and PC4 have 10.0.1.11 as their IP address, both replied. In our case
PC1 replied earlier than PC4, so a telnet session was established directly
from PC3 to PC1. The second reply was not taken into consideration. PC3
PC1.
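A small monitor for the duplicate-address case above, written as an added example rather than anything from the lab report: it parses constructed Ethereal-style ARP summary lines (the MAC addresses are placeholders), reproduces PC3's first-reply-wins cache behaviour, and separately flags any IP that answered from two different MACs, which is how a defender would notice the conflict that the cache silently hides.

```python
import re

# Constructed Ethereal-style ARP summary lines for the Exercise 6 scenario:
# PC3 (10.0.1.13) asks for 10.0.1.11 and both PC1 and PC4 answer, PC1 first.
# The MAC addresses are placeholders, not the lab's real ones.
ARP_LOG = """\
1 0.000000 ARP Who has 10.0.1.11? Tell 10.0.1.13
2 0.000210 ARP 10.0.1.11 is at 00:00:00:aa:00:01
3 0.000455 ARP 10.0.1.11 is at 00:00:00:aa:00:04
4 0.120000 ARP Who has 10.0.1.12? Tell 10.0.1.13
5 0.120300 ARP 10.0.1.12 is at 00:00:00:aa:00:02
"""
REPLY_RE = re.compile(r"^(\d+)\s+\S+\s+ARP\s+(\S+) is at ([0-9a-f:]{17})$")

def first_reply_cache(log):
    """Model the requester's ARP cache as PC3 behaved in the lab: the first
    reply for an IP is stored and any later reply for the same IP is dropped."""
    cache = {}
    for line in log.splitlines():
        m = REPLY_RE.match(line)
        if m and m.group(2) not in cache:
            cache[m.group(2)] = m.group(3)
    return cache

def duplicate_ip_conflicts(log):
    """Defender view: IPs answered from more than one MAC, with frame numbers,
    so the conflict is visible even though the cache silently kept one answer."""
    answers = {}
    for line in log.splitlines():
        m = REPLY_RE.match(line)
        if m:
            answers.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return {ip: a for ip, a in answers.items() if len({mac for _, mac in a}) > 1}
```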
PART 7: Changing Netmasks
In this part, we test the effects of changing the netmask of a network
hosts noting that now PC2 and PC4 have been assigned different network
prefixes.
Exercise 7
The interfaces of the hosts are configured to the IP addresses and
Now we run ethereal on PC1 and capture the packets for the following
ping commands:
c) From PC1 to PC4 using the command ping -c 1 10.0.1.121 the output
Use your output data and ping results to explain what happened
successful because they were on the same network. However, the third
request no reply was returned as shown in ethereal below. The last three
gedit using the command. Then on PC1 we issue a ping command on PC2
using ping 10.0.1.12. We repeat this step but this time we try to use the
at this point. On PC1 we edit the content of the hosts file and add entries
for PC2 PC3 and PC4 and associating the hosts with their corresponding
IP. Now we use the ping PC2 command and notice that it executes. The
same is true for pinging the other hosts using their hostnames.
Finally we reset the hosts file to its original state and save the file.
host file in every machine that has this entry. Besides that, it is time
When using multiple IP addresses with the same host name the first IP
encountered in the hosts files will be used for the name resolution.
between PC1 and PC2 using the command: ethereal -f "host 10.0.1.11
and 10.0.1.12".
Then we initiate an ftp session on PC1 to PC2 using the command ftp
packets with FTP payload that are sent from PC1 to PC2.
The following was obtained using follow tcp stream in the tools menu
Exercise 9B:
and 10.0.1.12. Then we run a telnet session with PC2 using the
following:
No. Time Source Destination Protocol Info
1 0.000000 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [SYN] Seq=0 Len=0 MSS=1460 TSV=686917 TSER=0 WS=0
2 0.000357 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=665994 TSER=686917 WS=0
3 0.000386 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=686917 TSER=665994
4 0.002912 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
5 0.002981 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
6 0.003005 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=34 Ack=13 Win=5840 Len=0 TSV=686918 TSER=665995
7 0.003851 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=13 Ack=34 Win=5792 Len=0 TSV=665995 TSER=686918
8 0.003976 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
9 0.003981 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=34 Ack=58 Win=5840 Len=0 TSV=686918 TSER=665995
10 0.006747 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
11 0.009972 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
12 0.010009 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
13 0.010471 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
14 0.010515 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
15 0.010973 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
16 0.050806 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=112 Ack=136 Win=5840 Len=0 TSV=686923 TSER=665995
17 1.147570 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
18 1.147979 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
19 1.148000 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=113 Ack=137 Win=5840 Len=0 TSV=687032 TSER=666109
20 1.487669 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
21 1.488092 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
22 1.488113 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=114 Ack=138 Win=5840 Len=0 TSV=687066 TSER=666143
23 1.647708 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
24 1.648096 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
25 1.648121 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=115 Ack=139 Win=5840 Len=0 TSV=687082 TSER=666159
26 1.863008 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
27 1.863432 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
28 1.863453 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=116 Ack=140 Win=5840 Len=0 TSV=687104 TSER=666181
29 2.338000 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
30 2.338442 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
31 2.338464 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=118 Ack=142 Win=5840 Len=0 TSV=687151 TSER=666228
32 2.341314 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
33 2.341323 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=118 Ack=152 Win=5840 Len=0 TSV=687152 TSER=666228
34 3.330966 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
35 3.362036 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=152 Ack=119 Win=5792 Len=0 TSV=666331 TSER=687251
36 3.716086 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
37 3.716514 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=152 Ack=120 Win=5792 Len=0 TSV=666366 TSER=687289
38 3.886085 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
39 3.886508 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=152 Ack=121 Win=5792 Len=0 TSV=666383 TSER=687306
40 4.153559 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
41 4.153928 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=152 Ack=122 Win=5792 Len=0 TSV=666410 TSER=687333
42 4.711285 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
43 4.711627 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=152 Ack=123 Win=5792 Len=0 TSV=666465 TSER=687389
44 4.948867 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
45 4.949196 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=152 Ack=124 Win=5792 Len=0 TSV=666489 TSER=687412
46 5.231225 10.0.1.11 10.0.1.12 TELNET Telnet
Data ...
47 5.231604 10.0.1.12 10.0.1.11 TCP telnet
> 34143 [ACK] Seq=152 Ack=126 Win=5792 Len=0 TSV=666517 TSER=687441
48 5.231605 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
49 5.231626 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=126 Ack=154 Win=5840 Len=0 TSV=687441 TSER=666517
50 5.233851 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
51 5.233857 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=126 Ack=202 Win=5840 Len=0 TSV=687441 TSER=666518
52 5.299180 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
53 5.299211 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=126 Ack=217 Win=5840 Len=0 TSV=687447 TSER=666524
54 5.302800 10.0.1.12 10.0.1.11 TELNET Telnet
Data ...
55 5.302809 10.0.1.11 10.0.1.12 TCP 34143 >
telnet [ACK] Seq=126 Ack=234 Win=5840 Len=0 TSV=687448 TSER=666525
Does telnet have the same security flaws as ftp? Support your
Yes. In both cases we were able to get the user name and the password,
since they are transferred as plain text and are not encrypted. The only
difference is that with telnet the username and password are chunked
and sent character by character, whereas in ftp they are sent whole.
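To make the character-by-character leakage concrete, here is an added example (not part of the original report) that reads the pure-ACK lines of the Exercise 9B listing and, from the Seq/Ack progression alone, separates the login-name keystrokes (each echoed by the server) from the password keystrokes (not echoed) without needing any payload bytes; 10.0.1.11 is assumed to be the telnet client.

```python
import re

CLIENT = "10.0.1.11"  # telnet client (PC1); 10.0.1.12 is the telnet server
# The pure-ACK lines of the Exercise 9B listing, copied here as the sample input:
# only these carry Seq/Ack numbers, which is all the analysis needs.
CAPTURE = """\
16 0.050806 10.0.1.11 10.0.1.12 TCP 34143 > telnet [ACK] Seq=112 Ack=136
19 1.148000 10.0.1.11 10.0.1.12 TCP 34143 > telnet [ACK] Seq=113 Ack=137
22 1.488113 10.0.1.11 10.0.1.12 TCP 34143 > telnet [ACK] Seq=114 Ack=138
25 1.648121 10.0.1.11 10.0.1.12 TCP 34143 > telnet [ACK] Seq=115 Ack=139
28 1.863453 10.0.1.11 10.0.1.12 TCP 34143 > telnet [ACK] Seq=116 Ack=140
31 2.338464 10.0.1.11 10.0.1.12 TCP 34143 > telnet [ACK] Seq=118 Ack=142
33 2.341323 10.0.1.11 10.0.1.12 TCP 34143 > telnet [ACK] Seq=118 Ack=152
35 3.362036 10.0.1.12 10.0.1.11 TCP telnet > 34143 [ACK] Seq=152 Ack=119
37 3.716514 10.0.1.12 10.0.1.11 TCP telnet > 34143 [ACK] Seq=152 Ack=120
39 3.886508 10.0.1.12 10.0.1.11 TCP telnet > 34143 [ACK] Seq=152 Ack=121
41 4.153928 10.0.1.12 10.0.1.11 TCP telnet > 34143 [ACK] Seq=152 Ack=122
43 4.711627 10.0.1.12 10.0.1.11 TCP telnet > 34143 [ACK] Seq=152 Ack=123
45 4.949196 10.0.1.12 10.0.1.11 TCP telnet > 34143 [ACK] Seq=152 Ack=124
47 5.231604 10.0.1.12 10.0.1.11 TCP telnet > 34143 [ACK] Seq=152 Ack=126
"""
ACK_RE = re.compile(r"^(\d+)\s+\S+\s+(\S+)\s+\S+\s+TCP .*Seq=(\d+) Ack=(\d+)")

def parse_positions(text):
    """(pkt, client_bytes_sent, server_bytes_sent) per ACK line; a client ACK
    gives (Seq, Ack), a server ACK the mirror image (Ack, Seq)."""
    out = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            pkt, src = int(m.group(1)), m.group(2)
            seq, ack = int(m.group(3)), int(m.group(4))
            out.append((pkt, seq, ack) if src == CLIENT else (pkt, ack, seq))
    return out

def classify_steps(text):
    """Label each ACK by how many bytes each side added since the previous one."""
    steps, prev = [], None
    for pkt, c, s in parse_positions(text):
        if prev is not None:
            dc, ds = c - prev[0], s - prev[1]
            if dc and ds:
                label = "keystroke echoed by server"
            elif dc:
                label = "keystroke not echoed (password entry)"
            else:
                label = "server output only"
            steps.append((pkt, dc, ds, label))
        prev = (c, s)
    return steps
```

Run on this listing, the steps show four echoed one-byte keystrokes plus a two-byte echoed Enter, then ten bytes of server output, then seven unechoed keystrokes: the login name is typed and echoed in the clear, the password prompt is printed, and the password is typed one cleartext byte per segment.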
Exercise 9C- Observing traffic from a Telnet Session
notice that for each key typed, three packets are transmitted as shown in
packets. In fact, PC1 first sends to PC2 the character. PC2 sends back to
PC1 the received character. PC1 then acknowledges that PC2 has