Capturing arp and ping traffic
Open 2 terminal windows in your GUI. In the first window type the following command but don't hit the enter key yet:
ping -c 1 <IP address of a nearby machine that's up and running>
(The target machine should be one with which you have had no recent contact. We want to make sure it's unrepresented in your arp cache, in order to force arp message discovery so that we can examine the discovery mechanism.)
In the second window launch the command:
tcpdump -nnti eth0 arp or icmp and host <your IP address> -w mycapturefile
Return to the first window and hit the enter key to run the ping. It should receive a single reply then exit. (The filter expression limits what tcpdump will capture to arp traffic and ping/icmp traffic, and moreover to yours only.)
Go back to the second window and terminate the tcpdump with the ctrl-C key.
Now open/read the resultant "mycapturefile" in tcpdump or, preferably, Wireshark. Scrutinize it to understand the activities that took place. Distinguish between the ping activity itself and the preceding arp activity. If you do it in tcpdump, use the -r option to read back what you captured:
tcpdump -nnt -r mycapturefile
Remote version: Use the sputnik remote server, where you have a login account.
Open two login windows to it (i.e., telnet to it and login twice). In the first window type the following command but don't hit the enter key yet:
ping -c 1 <IP address of a nearby machine that's up and running>
Sputnik's address is 126.96.36.199. I found another IP address "nearby" on sputnik's net when I explored it, suitable for use here as a ping target. It was 188.8.131.52. So use that for ping's target address. But in order to evoke arp message discovery so that we can examine it in Wireshark, that machine must be one with which sputnik has had no
Switch to the second window (i.e., select it). There you can check the arp cache with the following command:
sudo /sbin/arp -n
When asked for a password, supply your own. Make sure 184.108.40.206 doesn't show up in the resulting table with a matching ethernet address. If it does, wait a while till that information expires from the cache and disappears. That is, re-run the above command a couple of minutes later, and again until 220.127.116.11 is absent from the cache. The cache will probably look like this:
[david@sputnik david]$ sudo /sbin/arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
18.104.22.168            ether   00:23:04:ED:D4:8E   C                     eth0
Note the non-appearance of 22.214.171.124. Still in the second window, launch the command:
sudo /usr/sbin/tcpdump -nnti eth0 arp or icmp and host 126.96.36.199 -w mycapturefile
Return to the first window and hit the enter key to run the ping. It should receive a single reply then exit. Go back to the second window and terminate the tcpdump with the ctrl-C key.
Now we want to open/read the resultant "mycapturefile" in Wireshark. But you can't run Wireshark on sputnik. However, you can use an ftp client to connect to your sputnik account and transfer mycapturefile to another computer where Wireshark is installed. There, you can open it in Wireshark. Make sure you conduct the ftp transfer in ftp's "binary" mode, not "ascii" mode, or else ftp will alter the file. (Warning: Microsoft's built-in character-mode ftp client uses ascii mode by default; the "binary" command at its prompt switches modes for you.) Do the transfer and open the file in Wireshark. Scrutinize what you see to understand the activities that took place. Distinguish between the ping activity itself and the preceding arp activity. Print a screenshot copy of Wireshark's main 3-panel screen, showing the (probably) 4 packets you captured. Write your name on it and turn it in.
Notes about the remote version: you are using the "sudo" command to enable you to run certain commands otherwise reserved for the root user only. sudo will only let you run the commands as shown. Be aware you have to type them exactly. The "arp or icmp and host 188.8.131.52" clause specifies a filter. It causes tcpdump to capture only packets addressed to or from sputnik (host 184.108.40.206), and then only those that are arp or ping (icmp). That confines the capture to what interests us. You might be doing this concurrently with other students. The arp table is machine-global. So if another student just did the exercise, the target machine will be in the arp cache in the wake of his activity. Though it will "expire away" in a short period if you just wait, maybe several students are active and your wait will become extended. In that case, come back later. How can you find out if you are the only user logged in to sputnik or not? Use the command "who" and it will list everybody who is logged in.
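Both the local and the remote version end with the same task: read "mycapturefile" and separate the arp discovery (request and reply) from the ping itself (echo request and reply). The script below is an added example, not part of the exercise and not from tcpdump or Wireshark; it parses the classic pcap format that "tcpdump -w" writes and describes each frame in tcpdump-like wording. Because no real capture is available here, it constructs its own four-frame capture from stand-in addresses (192.0.2.10 as "your IP address", 192.0.2.20 as the ping target, made-up MAC addresses); those values are assumptions, and the file name on the command line is the only thing taken from the exercise.

```python
import struct
import sys
from typing import Dict, List

# Constructed sample addresses (TEST-NET-1 documentation range); they stand in
# for "your IP address" and the ping target and are not the exercise's hosts.
MY_IP, MY_MAC = "192.0.2.10", "02:00:00:00:00:0a"
TARGET_IP, TARGET_MAC = "192.0.2.20", "02:00:00:00:00:14"
ETH_P_IP, ETH_P_ARP, IPPROTO_ICMP = 0x0800, 0x0806, 1

def mac_bytes(m: str) -> bytes:
    return bytes(int(x, 16) for x in m.split(":"))
def ip_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))
def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ethernet(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """oper 1 = request (broadcast), 2 = reply (unicast back to the asker)."""
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, oper)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return ethernet("ff:ff:ff:ff:ff:ff" if oper == 1 else tha, sha, ETH_P_ARP, arp)

def icmp_frame(icmp_type: int, smac: str, dmac: str, sip: str, dip: str, seq: int) -> bytes:
    """ICMP echo (type 8) or echo reply (type 0) inside a minimal IPv4 header."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + b"ping-payload"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64,
                     IPPROTO_ICMP, 0, ip_bytes(sip), ip_bytes(dip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ethernet(dmac, smac, ETH_P_IP, ip + icmp)

def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in the classic pcap layout tcpdump -w produces (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
    return out

def classify_pcap(data: bytes) -> List[Dict[str, str]]:
    """Walk a pcap file and describe each ARP or ICMP frame in tcpdump-like terms."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("not a classic Ethernet pcap file")
    out, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        f = data[off:off + incl_len]          # one Ethernet frame
        off += incl_len
        ethertype = struct.unpack_from("!H", f, 12)[0]
        if ethertype == ETH_P_ARP:
            oper = struct.unpack_from("!H", f, 20)[0]
            spa, tpa = ip_str(f[28:32]), ip_str(f[38:42])
            desc = (f"who-has {tpa} tell {spa}" if oper == 1
                    else f"{spa} is-at {mac_str(f[22:28])}")
            out.append({"kind": "arp", "desc": desc})
        elif ethertype == ETH_P_IP and f[23] == IPPROTO_ICMP:
            ihl = (f[14] & 0x0F) * 4            # IPv4 header length in bytes
            itype, seq = f[14 + ihl], struct.unpack_from("!H", f, 14 + ihl + 6)[0]
            name = {8: "echo request", 0: "echo reply"}.get(itype, f"type {itype}")
            out.append({"kind": "icmp",
                        "desc": f"{ip_str(f[26:30])} > {ip_str(f[30:34])}: {name}, seq {seq}"})
    return out

def arp_precedes_ping(records: List[Dict[str, str]]) -> bool:
    """True when all arp frames come before the first icmp frame, as a cold arp cache produces."""
    kinds = [r["kind"] for r in records]
    return "icmp" in kinds and "arp" not in kinds[kinds.index("icmp"):]

# Constructed stand-in for "mycapturefile": the four frames a cold-cache ping produces.
SAMPLE_CAPTURE = build_pcap([
    arp_frame(1, MY_MAC, MY_IP, "00:00:00:00:00:00", TARGET_IP),
    arp_frame(2, TARGET_MAC, TARGET_IP, MY_MAC, MY_IP),
    icmp_frame(8, MY_MAC, TARGET_MAC, MY_IP, TARGET_IP, 1),
    icmp_frame(0, TARGET_MAC, MY_MAC, TARGET_IP, MY_IP, 1),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for r in classify_pcap(data):
        print(f"{r['kind']:5} {r['desc']}")
```

Run it with no argument to see the constructed capture, or with "mycapturefile" (after the binary-mode ftp transfer) to list your own frames in order. The arp lines should all come before the icmp lines; if the first frame is already the echo request, the target was still in the arp cache when you pinged it.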