LAB 6 - CS164

In lab Assignment 6 - Introduction to Ethereal

In this lab we are going to learn about the "thermonuclear" network packet capture and analysis tool, popularly known as Ethereal. Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows. The official documentation for this wonderful piece of open source software is found at http://www.ethereal.com/docs/ along with FAQ's at http://www.ethereal.com/faq.html .

Ethereal Presentation

During this portion of the lab your TA will demonstrate to you the GUI based version of ethereal. The demonstration will include reading in an off-line trace file in libpcap format and converting that to a text version for easy visual analysis. You will be able to see the basic information that ethereal can mine from all captured packets. A screenshot from Ethereal is displayed below.

You can observe the various fields: No. (the seq number of packet), Time (the time stamp), Source (Source IP), Destination (IP), Protocol, Information. All these describe the packet that has been captured from the ethernet card. There are two other panes in Ethereal, Protocol Tree pane, and Data Pane. The Protocol Tree pane displays the hierarchical structure of the encapsulated packet. We can conceptualize a packet as a tree of fields and subtrees. For each protocol there is a tree node summarizing the protocol, which can be expanded to provide the values in that protocol’s fields. Within some protocols there may be tree nodes summarizing more complicated data structures in the protocol. These tree nodes can be expanded to show those data structures. For any given node that has a subtree, we can expand it’s subtree to reveal more information, or collapse it
to only show the summary. The Protocol Tree Window allows you to examine the tree created by Ethereal from decoding a packet.

In the data Pane, each row begins with a four-digit number representing the number of bytes the first octet (an octet is eight bits or one byte or two hexadecimal – also known as hex - digits) in that row is offset from the beginning of the packet. This offset is then followed by sixteen two-character hexadecimal bytes. The last item in each row is a series of sixteen ASCII (American Standard Code for Information Interchange, a common character encoding) characters representing the same 16 bytes from the packet. Not all bytes are conveniently displayable in ASCII. For those bytes a period (.) is substituted as a placeholder.

Deliverables

You will need to use tethereal, the command line version of ethereal to perform the various operations. The Man pages for this tool is located at http://www.ethereal.com/docs/man-pages/tethereal.1.html Please spend a few moments going through the basic options available to you via the flags. Once you have done this please proceed to the following steps.

First, download the trace-home trace file and save it in your account.
Invoke tethreal by typing it on the command line.
Read in the trace file by $user@eon> tethereal -r trace-home.
Find out what is the libpcap format. Describe it in your report.
How many distinct IPs are contacted.
How many types of protocol do you see in the trace.
Plot the no. of IPs contacted every 0.01,0.5,1 sec
Define MAC name resolution, network name resolution, transport name resolution.
Pick out a flow from the trace file, {Choose a number from 1 to 20, add 5 to it, multiply by 2, Say it comes to 30, pick out the flow in line 30}follow it to find out how many packets are exchanged every .01,0.5,1 sec. Display this on a graph.
Calculate the number of packets exchanged for each type of protocol over the complete duration of the trace. Plot it with the same time scale(s).

EXTRA CREDIT: Here is the chance you have been waiting for, the quick and easy path to fame, fortune and whatever your heart has ever desired. Solve this problem and you shall be toasted as a {novice} guru of packet security.

One of the coolest features of Ethereal is its ability to reassemble all of the packets in a TCP conversation and display the ASCII in a very easy-to-read format. {HINT use the follow TCP stream functionality} This makes it easy to pick out usernames and passwords from insecure protocols such as Telnet and FTP. The data can also be viewed in EBCDIC, hex dump, and C arrays. This data can then be saved or printed. A good use for this can be to reconstruct a web page.

If you can write code to automatically re-construct a web page that the user has been browsing while the trace was collected..you can expect xtra credit! {HINT write a script to identify and put-together HTML specific portions, such as <head> </body> etc in the data window you see when you use Follow TCP stream}

HAVE FUN