using netcat to interact with simple diagnostic application protocols and Wireshark to see what happened
The instructor will indicate a server machine that runs all of the
following. If you are working with provided VirtualBox virtual machines, do this
exercise in the CLIENT and SERVER virtual machines that are produced when you
run the scripts that set up the "sniffing" exercise. (I assume you
have done that.)
application protocol | transport protocol | port number |
echo                 | udp                | 7           |
discard              | udp                | 9           |
chargen              | udp                | 19          |
echo                 | tcp                | 7           |
discard              | tcp                | 9           |
chargen              | tcp                | 19          |
Note that udp and tcp keep separate sets of ports; udp port 7 and tcp port 7 for example are different from and independent of one another.
The example screenshot below refers to the server machine as 66.159.240.70 but the one that's actually available may differ. Replace "66.159.240.70" with the actual IP address or domain name the instructor indicates.
The exercise to perform
Start both the CLIENT and SERVER machines. Log in to each as root. Their
addresses assigned when you set up the "sniffing" experiment are
CLIENT 192.168.1.2
SERVER 192.168.1.1
You will capture network traffic on SERVER while, from CLIENT, you exercise each of SERVER's 3 udp diagnostic protocols.
First, run tcpdump or Wireshark on SERVER in order to capture a packet trace of the activity to a file called "netcat-simple-udp.cap". If you use tcpdump a suitable command invocation might be:
cd
tcpdump -s 10000 -i enp0s3 -w netcat-simple-udp.cap udp and not arp
( "-s 10000" sets the snapshot length large enough that no packet is truncated. Recent tcpdump versions already default to a large snapshot length, so on them it is a harmless safeguard.
"-i enp0s3" names the interface whose traffic you are capturing. enp0s3 is the name of the interface in the "sniffing" exercise; if the name of your interface is different (for example "eth0" on older systems), substitute it.
"-w netcat-simple-udp.cap" will cause tcpdump to write the raw packets, in pcap format, into the file netcat-simple-udp.cap instead of printing decoded lines on the terminal.
"udp and not arp" is a filter expression limiting the capture to what interests us. "udp" by itself would capture exactly the same thing, since an ARP frame is never a UDP datagram; the "not arp" clause excludes nothing further, but it does no harm. )
Then, on CLIENT, run nc (netcat) against the server program that's running on the server machine's udp port 7. Interactively send it the word "hello" by typing "hello" (nc shows no prompt) and then pressing enter. Next, terminate nc by pressing ctrl-C.
Then do exactly the same thing twice more, changing the udp port number first to 9 and then to 19, to interact with the two other server programs running on the server machine. Send them "hello" too. Whether the "nc" on your system is OpenBSD netcat, traditional netcat or nmap's ncat, the "-u host port" form used below behaves the same. Your activity on CLIENT, and its screen, should look like the following screenshot.
[root@localhost ~]# nc -u 66.159.240.70 7
hello
hello
^C
[root@localhost ~]# nc -u 66.159.240.70 9
hello
^C
[root@localhost ~]# nc -u 66.159.240.70 19
hello
CDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-
DEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-.
EFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./
FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./0
GHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./01
HIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./012
IJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./0123
JKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./01234
KLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./012345
LMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./0123456
MNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./01234567
NOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./012345678
OPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./0123456789
PQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-.
^C
[root@localhost ~]#
Now, on SERVER, terminate the ongoing capture being performed by tcpdump or Wireshark. If tcpdump, the ctrl-C keystroke terminates it.
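To make the three exchanges concrete when the instructor's server is not at hand, here is an added example, written for this page and not part of the original handout or of any netcat or xinetd code: a Python script that runs loopback versions of the UDP echo, discard and chargen services on ephemeral ports (binding the real ports 7, 9 and 19 needs root) and a client function that does what one typed "hello" in "nc -u" does, namely send a single datagram and wait once for a reply. The 127.0.0.1 addresses, the 0.5 second timeout, the 72-character line length and the '!'..'}' character set are assumptions made for the example; RFC 864 only says a UDP chargen reply is one datagram of 0 to 512 characters, and real servers vary (the one in the screenshot sent considerably more than that).

```python
#!/usr/bin/env python3
"""Loopback model of the three UDP diagnostic services (RFC 862 echo,
RFC 863 discard, RFC 864 chargen) plus a client that does what "nc -u"
does for one typed line: send one datagram, see whether anything comes back.
Added example for this exercise, not the original handout's code."""
import random
import socket
import threading

LINE_LEN = 72
# Printable characters '!' .. '}' as seen in the screenshot (93 characters).
# Assumption: the exact set and the line length are implementation details,
# not fixed by RFC 864.
PATTERN = bytes(range(0x21, 0x7E))


def chargen_text(length):
    """Return `length` bytes of the rotating pattern: 72-character lines, each
    starting one character further along (line k starts at PATTERN[k])."""
    out = bytearray()
    line = 0
    while len(out) < length:
        out += bytes(PATTERN[(line + i) % len(PATTERN)] for i in range(LINE_LEN))
        out += b"\r\n"
        line += 1
    return bytes(out[:length])


def serve(service, sock, stop):
    """Answer datagrams arriving on `sock` the way the named service would."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            continue
        if service == "echo":
            sock.sendto(data, peer)             # RFC 862: send the datagram back
        elif service == "discard":
            pass                                # RFC 863: drop it, never reply
        elif service == "chargen":
            n = random.randint(0, 512)          # RFC 864: random length 0..512
            sock.sendto(chargen_text(n), peer)  # (a 0-byte datagram is legal)


def start_server(service):
    """Bind an ephemeral 127.0.0.1 port (assumption: we are not root, so the
    real ports 7/9/19 are unavailable) and serve it from a daemon thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    stop = threading.Event()
    threading.Thread(target=serve, args=(service, sock, stop), daemon=True).start()
    return sock.getsockname()[1], stop


def udp_exchange(host, port, payload=b"hello\n", timeout=0.5):
    """One 'hello' typed into nc -u: send a datagram, wait once for a reply.
    Returns the reply bytes (b"" for an empty datagram) or None on timeout, so
    'the server answered with nothing' and 'the server never answered'
    (discard, a dropped packet, a firewall) stay distinguishable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
        return data


if __name__ == "__main__":
    for service in ("echo", "discard", "chargen"):
        port, stop = start_server(service)
        reply = udp_exchange("127.0.0.1", port)
        datagrams = 1 + (reply is not None)     # request, plus the reply if any
        size = "no reply" if reply is None else "%d bytes" % len(reply)
        print("%-8s port %d: %d datagram(s) on the wire, reply: %s"
              % (service, port, datagrams, size))
        stop.set()
```

Run it with no arguments and compare the line printed for each service with what you later count in the capture. The client's return value is deliberately three-valued (bytes, b"", None): a chargen server that happens to pick length 0 sends a real, empty datagram that a capture will show, which is not the same thing as the silence you get from discard.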
You now have the netcat-simple-udp.cap file as a record of what happened. You could play it back in tcpdump or Wireshark. If tcpdump:
tcpdump -nntxXr netcat-simple-udp.cap | less
("-nn" suppresses host and port name lookups, "-t" suppresses timestamps, "-x" and "-X" print each packet in hex and in hex plus ASCII, and "-r" reads from the named file instead of from an interface.)
You can scroll up and down. When finished, use the "q" keystroke to exit from the less program. You may also wish to view it in Wireshark. But Wireshark being graphical, you will first have to run a graphical desktop in order to run it. Alternatively you could transfer the file to a different computer where Wireshark is installed and do your viewing there. On SERVER I would suggest doing it by running the graphical desktop as student, not root. Capturing needs root's privilege to open the interface, but analysis does not, and Wireshark's many protocol dissectors run over whatever bytes happened to arrive on the wire, so they are better run as an unprivileged user. But if you run as student you will lack permission to view the file, because tcpdump created it as root. Make the file student-accessible before exiting:
chown student:student netcat-simple-udp.cap
mv netcat-simple-udp.cap /home/student
exit
(The older "student.student" spelling of the owner and group is also accepted by GNU chown.)
Now log in afresh as student. Once logged in, from the prompt run the graphical desktop:
startx
Then you will find an icon for wireshark under the "Activities" menu. Run it on netcat-simple-udp.cap. Ask yourself the following questions. There are 2 frames each for the echo and chargen protocols, but only one for the discard protocol. Why? And look at the frame sizes (lengths). Why is one of them very much larger than the others? Spend time in wireshark scrutinizing the frames, expanding and contracting their individual protocol components and recognizing or researching what you see. Find out what you don't understand, and understand as much of what's there that you can. Study it.
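To check what Wireshark shows you by independent means, here is an added example, not from the original handout: a Python script that reads a classic pcap file such as the one "tcpdump -w" writes, decodes the Ethernet, IPv4 and UDP headers itself, and tabulates, per service port, how many frames appeared and how long each was on the wire and in UDP payload. It embeds a constructed stand-in for netcat-simple-udp.cap (made-up client ports, VirtualBox-style MAC addresses, and a 1023-byte printable pattern in place of the real chargen reply, whose size depends on the server), so it runs without a capture file; give it the path of your own capture as an argument instead. Assumptions: the capture is in classic pcap format with Ethernet framing (a trace saved from Wireshark rather than tcpdump may be pcapng, which this reader rejects), and the server is 192.168.1.1 as in the exercise.

```python
#!/usr/bin/env python3
"""Walk a classic pcap file frame by frame (Ethernet -> IPv4 -> UDP) and
tabulate per diagnostic-service port the frame count and sizes.
Added example for this exercise; the sample capture below is constructed."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # first 4 bytes read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same bytes read with "<I" from a big-endian file
LINKTYPE_ETHERNET = 1
ETH_HDR, IPV4_HDR, UDP_HDR = 14, 20, 8


def ipv4_checksum(hdr):
    """Ones'-complement sum of the header's 16-bit words; a valid header sums to 0."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Synthesise one Ethernet/IPv4/UDP frame (constructed data, not a capture).
    MACs use the VirtualBox OUI 08:00:27; UDP checksum 0 means 'not computed'."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum
    eth = bytes.fromhex("080027000001" "080027000002" "0800")          # dst MAC, src MAC, IPv4
    return eth + ip + udp


def write_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (captured_bytes, length_on_wire) per record, in either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng has a different layout)")
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len], orig_len   # incl_len < orig_len: snaplen cut it
        off += incl_len


def decode_udp(frame):
    """Return (src, dst, sport, dport, udp_payload_len), or None if not IPv4/UDP."""
    if len(frame) < ETH_HDR + IPV4_HDR + UDP_HDR or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes (20 if no options)
    if ip[9] != 17:                          # protocol 17 = UDP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport, ulen = struct.unpack_from("!HHH", ip, ihl)
    return src, dst, sport, dport, ulen - UDP_HDR


def summarize(pcap_bytes, server_ip):
    """{service port: [(frame_len_on_wire, udp_payload_len), ...]}, keyed on the
    server-side port so that a request and its reply land in the same bucket."""
    table = {}
    for frame, orig_len in read_pcap(pcap_bytes):
        decoded = decode_udp(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, plen = decoded
        port = dport if dst == server_ip else sport
        table.setdefault(port, []).append((orig_len, plen))
    return table


# Constructed stand-in for netcat-simple-udp.cap: the screenshot's session with
# made-up client ports and a 1023-byte printable pattern in place of the real
# chargen reply (whose size depends on the server).
SERVER, CLIENT = "192.168.1.1", "192.168.1.2"
CHARGEN_SAMPLE = bytes(range(0x21, 0x7E)) * 11
SAMPLE_PCAP = write_pcap([
    build_udp_frame(CLIENT, SERVER, 40001, 7, b"hello\n"),
    build_udp_frame(SERVER, CLIENT, 7, 40001, b"hello\n"),
    build_udp_frame(CLIENT, SERVER, 40002, 9, b"hello\n"),
    build_udp_frame(CLIENT, SERVER, 40003, 19, b"hello\n"),
    build_udp_frame(SERVER, CLIENT, 19, 40003, CHARGEN_SAMPLE),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for port, frames in sorted(summarize(data, SERVER).items()):
        detail = ", ".join("%d bytes on wire / %d payload" % fp for fp in frames)
        print("udp port %3d: %d frame(s): %s" % (port, len(frames), detail))
```

Every frame in the table carries 14 + 20 + 8 = 42 bytes of Ethernet, IPv4 and UDP headers before its payload, which is why a 6-byte "hello" shows up as a 48-byte frame; compare the "bytes on wire" column with the Length column Wireshark shows for your real capture, and note the difference between orig_len and the captured length if a capture was ever made with too small a snaplen.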
What to turn in
Please turn in a screenshot of
your capture file as displayed in wireshark. Name your file diagnostic-protocols.jpg
(or .png).