Capturing arp and ping traffic


In-class version:

Open 2 terminal windows in your GUI. In the first window type the following command but don't hit the enter key yet:

  ping -c 1 <IP address of a nearby machine that's up and running>

(The target machine should be one with which you have had no recent contact. We want to make sure it's unrepresented in your arp cache, in order to force arp message discovery so that we can examine the discovery mechanism.)

In the second window launch the command:

  tcpdump -nnti eth0 arp or icmp and host <your IP address> -w mycapturefile

Return to the first window and hit the enter key to run the ping. It should receive a single reply and then exit. (The filter expression limits what tcpdump captures to arp traffic and ping/icmp traffic, and moreover only yours.)

Go back to the second window and terminate the tcpdump with the ctrl-C key.


Now, in tcpdump or preferably Wireshark, open/read the resultant "mycapturefile". Scrutinize it to understand the activities that took place. Distinguish between the ping activity itself and the preceding arp activity. If you do it in tcpdump, use the -r option to read back what you captured:

  tcpdump -nnt -r mycapturefile



Remote version:

Use the sputnik remote server, where you have a login account. Open two login windows to it (i.e., telnet to it and login twice).

In the first window type the following command but don't hit the enter key yet:

  ping -c 1 <IP address of a nearby machine that's up and running>

Sputnik's address is 207.151.69.250. I found another IP address "nearby" on sputnik's net when I explored it, suitable for use here as a ping target. It was 207.151.69.253. So use that for ping's target address. But in order to evoke arp message discovery so that we can examine it in Wireshark, that machine must be one with which sputnik has had no recent contact.

Switch to the second window (i.e., select it). There you can check the arp cache with the following command:

  sudo /sbin/arp -n

and when asked for a password, supply your own. Make sure 207.151.69.253 doesn't show up in the resulting table with a matching ethernet address. If it does, wait a while until that information expires from the cache and disappears; that is, re-run the above command a couple of minutes later until 207.151.69.253 is absent from the cache. The cache will probably look like this:

[david@sputnik david]$ sudo /sbin/arp -n
Address                 HWtype  HWaddress           Flags Mask            Iface
207.151.69.254          ether   00:23:04:ED:D4:8E   C                     eth0

Note the non-appearance of 207.151.69.253. Still in the second window launch the command:

  sudo /usr/sbin/tcpdump -nnti eth0 arp or icmp and host 207.151.69.250 -w mycapturefile

Return to the first window and hit the enter key to run the ping. It should receive a single reply then exit.

Go back to the second window and terminate the tcpdump with the ctrl-C key.

Now we want to open/read the resultant "mycapturefile" in Wireshark. But you can't run Wireshark on sputnik. However, you can use an ftp client to connect to your sputnik account and transfer mycapturefile to another computer where Wireshark is installed. There, you can open it in Wireshark. Make sure you conduct the ftp transfer in ftp's "binary" mode, not "ascii" mode, or else ftp will alter the file. (Warning: Microsoft's built-in character-mode ftp client uses ascii mode by default; the "binary" command at its prompt switches modes for you.)

Do the transfer and open the file in Wireshark. Scrutinize what you see to understand the activities that took place. Distinguish between the ping activity itself, and the preceding arp activity. Print a screenshot copy of Wireshark's main 3-panel screen, showing the (probably) 4 packets you captured. Write your name on it and turn it in.

Notes about the remote version:

You are using the "sudo" command to enable you to run certain commands otherwise reserved for the root user only. sudo will only let you run the commands as shown, so be aware you have to type them exactly.

The "arp or icmp and host 207.151.69.250" clause specifies a filter. It causes tcpdump to capture only packets addressed to or from sputnik (host 207.151.69.250), and then only those that are arp or ping (icmp). That confines the capture to what interests us. (One caveat: in tcpdump's filter syntax "and" binds more tightly than "or", so this clause is read as "arp or (icmp and host 207.151.69.250)" and will also admit arp traffic involving other hosts on the net. On a quiet net you will still see just the few packets of interest; and since sudo only accepts the command exactly as shown, type the clause as given rather than adding parentheses.)

You might be doing this concurrently with other students. The arp table is machine-global, so if another student just did the exercise, the target machine will be in the arp cache in the wake of that activity. Though it will "expire away" in a short period if you just wait, several students may be active and your wait will become extended. In that case, come back later. How can you find out whether you are the only user logged in to sputnik? Use the command "who" and it will list everybody who is logged in.
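As an added example (not part of this handout), here is a small Python script that does by hand what you are asked to do by eye in Wireshark or with "tcpdump -r": it walks a pcap file frame by frame, tells the arp discovery apart from the ping itself, and reports the sequence. Since a real mycapturefile can't be shipped with the example, it also builds a constructed four-frame capture with made-up MAC addresses standing in for what a successful "ping -c 1 207.151.69.253" from sputnik produces; the file layout assumed is classic little-endian pcap as tcpdump -w writes it on x86 hosts.

```python
import socket
import struct

# Constructed sample (not a real capture) of the four frames the exercise expects.
# The MAC addresses are invented; the IP addresses are the ones from the handout.
SPUTNIK, TARGET = "207.151.69.250", "207.151.69.253"
SPUTNIK_MAC, TARGET_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"

def mac(s): return bytes.fromhex(s.replace(":", ""))

def eth(dst, src, etype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", etype) + payload

def arp(op, sha, spa, tha, tpa):  # op 1 = request (broadcast), 2 = reply (unicast)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + \
        socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa)
    return eth("ff:ff:ff:ff:ff:ff" if op == 1 else tha, sha, 0x0806, body)

def icmp(kind, dmac, smac, src, dst):  # kind 8 = echo request, 0 = echo reply
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return eth(dmac, smac, 0x0800, ip_hdr + struct.pack("!BBHHH", kind, 0, 0, 1, 1))

def build_sample_pcap():
    frames = [arp(1, SPUTNIK_MAC, SPUTNIK, "00:00:00:00:00:00", TARGET),
              arp(2, TARGET_MAC, TARGET, SPUTNIK_MAC, SPUTNIK),
              icmp(8, TARGET_MAC, SPUTNIK_MAC, SPUTNIK, TARGET),
              icmp(0, SPUTNIK_MAC, TARGET_MAC, TARGET, SPUTNIK)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):  # per-packet header: ts_sec, ts_usec, caplen, origlen
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

def summarize_capture(data):
    """Walk a little-endian pcap and describe each ARP/ICMP frame in order."""
    lines, pos = [], 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        caplen = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        etype = struct.unpack("!H", frame[12:14])[0]
        if etype == 0x0806:  # ARP: opcode at 20, sender MAC/IP at 22/28, target IP at 38
            op = struct.unpack("!H", frame[20:22])[0]
            spa, tpa = socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42])
            lines.append(f"ARP who-has {tpa} tell {spa}" if op == 1
                         else f"ARP reply {spa} is-at {frame[22:28].hex(':')}")
        elif etype == 0x0800 and frame[23] == 1:  # IPv4 carrying ICMP (protocol 1)
            ihl = (frame[14] & 0x0F) * 4
            src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            kind = {8: "echo request", 0: "echo reply"}.get(frame[14 + ihl], "other")
            lines.append(f"ICMP {kind} {src} > {dst}")
    return lines
```

To run it over your own capture, pass it the bytes of mycapturefile (for example, summarize_capture(open("mycapturefile", "rb").read())); note that it handles only classic pcap, not the pcapng format Wireshark saves by default.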