Capturing arp and ping traffic


Below are three different versions of instructions for doing the same exercise, depending on the setting in which you do it. Do only one of them: the one for the setting in which the instructor asks you to perform the exercise.


VirtualBox version:

Use provided scripts to bring up the CLIENT and SERVER machines from the wireshark "sniffing" exercise you previously performed.

In CLIENT, log in as student, bring up the gui, open a terminal window. In the terminal window execute this command:

  arp  -n

which prints the arp table, showing mappings between IP and ethernet addresses for known machines. It should print nothing, meaning in particular that CLIENT doesn't know SERVER's ethernet address. SERVER's IP address is 192.168.1.1. If CLIENT tries to interact with SERVER using IP, determining SERVER's ethernet address will be a prerequisite (because ethernet is resident in the data link layer and is what IP relies on for carriage of its data between the machines).

Launch wireshark from its icon in the "Activities" menu, telling it to capture the traffic on the enp0s3 interface and specifying the capture filter "arp or icmp".

In the terminal window:

  ping   -c 1   192.168.1.1

It provokes activity in wireshark. Stop the wireshark capture. Again in CLIENT:

  arp  -n

This time the arp table is populated with a record containing SERVER's IP address and the ethernet address that goes with it. That is a result of your activity. Take a moment to study the arp request and reply in the packet details pane, and match the arp message content you see there to the arp header structure you have studied.

You were ping-aware because the initiator of ping is you. However, because arp was initiated implicitly you were not arp-aware. But thanks to wireshark now you are. If you were to run ping a second or third or fourth time, those pings would not provoke further arps to learn SERVER's ethernet address because now it is already known. (Sometimes you might see in wireshark some spontaneous arp request/replies unrelated to any particular command you run but performed autonomously by the stack.)
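As an added illustration (not part of the exercise handout), the following Python decoder walks the same Ethernet, arp and icmp header fields that Wireshark shows in the packet details pane. The four frames it decodes are a constructed sample of the request/reply sequence you should have captured; the MAC and IP addresses in it are made up.

```python
# Added example: decode the Ethernet/ARP/ICMP fields of the frames the exercise
# captures. SAMPLE_CAPTURE is constructed data, not a real capture.
import struct

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def decode(frame):
    """Return a one-line summary of an Ethernet frame carrying ARP or ICMP."""
    ethertype = struct.unpack("!H", frame[12:14])[0]     # after dst MAC, src MAC
    if ethertype == 0x0806:
        # ARP header: htype(2) ptype(2) hlen(1) plen(1) opcode(2), then sha/spa/tha/tpa
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
        if op == 1:
            return f"ARP who-has {ip(tpa)} tell {ip(spa)}"
        if op == 2:
            return f"ARP reply {ip(spa)} is-at {mac(sha)}"
        return f"ARP opcode {op}"
    if ethertype == 0x0800:
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
        proto = frame[23]                                 # IPv4 protocol field (1 = ICMP)
        src, dst = frame[26:30], frame[30:34]
        if proto == 1:
            icmp_type = frame[14 + ihl]                   # ICMP type: 8 = echo request, 0 = reply
            name = {8: "echo request", 0: "echo reply"}.get(icmp_type, f"type {icmp_type}")
            return f"ICMP {name} {ip(src)} -> {ip(dst)}"
        return f"IPv4 proto {proto}"
    return f"ethertype 0x{ethertype:04x}"

# Constructed sample frames: CLIENT (192.168.1.2) pings SERVER (192.168.1.1).
CLIENT_MAC, SERVER_MAC = bytes.fromhex("080027aabbcc"), bytes.fromhex("080027ddeeff")
CLIENT_IP, SERVER_IP = bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1])
BCAST = b"\xff" * 6

def arp(op, sha, spa, tha, tpa, dst_mac):
    return dst_mac + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

def icmp(icmp_type, src_mac, dst_mac, src_ip, dst_ip):
    payload = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # checksum left 0 in sample data
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 1, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + iphdr + payload

SAMPLE_CAPTURE = [
    arp(1, CLIENT_MAC, CLIENT_IP, b"\x00" * 6, SERVER_IP, BCAST),   # broadcast request
    arp(2, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP, CLIENT_MAC),  # unicast reply
    icmp(8, CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP),
    icmp(0, SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP),
]

def summarize(frames):
    return [decode(f) for f in frames]

if __name__ == "__main__":
    for line in summarize(SAMPLE_CAPTURE): print(line)
```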

What to turn in: arrange your screen so that Wireshark is full-screen and your terminal window appears over wireshark as an inset. The terminal window should show the three commands, above, that you executed. They are the pre-ping arp, the ping, and the post-ping arp. I want to be able to see the captured frames in wireshark's frame list panel, and the commands you executed in the terminal window. Take a full-screen screenshot of that and upload it. Then you can poweroff the machines.


In-class version:

Open 2 terminal windows in your GUI. In the first window type the following command but don't hit the enter key yet:

  ping -c 1 <IP address of a nearby machine that's up and running>

(The target machine should be one with which you have had no recent contact. We want to make sure it's unrepresented in your arp cache, in order to force arp message discovery so that we can examine the discovery mechanism.)

In the second window launch the command:

  tcpdump -nnti eth0 arp or icmp and host <your IP address> -w mycapturefile

Return to the first window and hit the enter key to run the ping. It should receive a single reply then exit. (The filter expression limits what tcpdump will capture to arp traffic and ping/icmp traffic and, moreover, yours only).

Go back to the second window and terminate the tcpdump with the ctrl-C key.


Now, in tcpdump or preferably wireshark open/read the resultant "mycapturefile". Scrutinize it to understand the activities that took place. Distinguish between the ping activity itself, and the preceding arp activity. If you do it in tcpdump, use the -r option to read back what you captured:

  tcpdump -nnt -r mycapturefile



Remote version on sputnik:

Use the sputnik remote server, where you have a login account. Open two login windows to it (i.e., telnet to it and log in twice).

In the first window type the following command but don't hit the enter key yet:

  ping -c 1 <IP address of a nearby machine that's up and running>

Sputnik's address is 207.151.69.250. I found another IP address "nearby" on sputnik's net when I explored it, suitable for use here as a ping target. It was 207.151.69.253. So use that for ping's target address. But in order to evoke arp message discovery so that we can examine it in Wireshark, that machine must be one with which sputnik has had no recent contact.

Switch to the second window (i.e., select it). There you can check the arp cache with the following command:

  sudo /sbin/arp -n

and when asked for a password, supply your own. Make sure 207.151.69.253 doesn't show up in the resulting table with a matching ethernet address. If it does, wait a while until that information expires from the cache and disappears. That is, re-run the above command a couple of minutes later, repeating until 207.151.69.253 is absent from the cache. The cache will probably look like this:

[david@sputnik david]$ sudo /sbin/arp -n
Address                 HWtype  HWaddress           Flags Mask            Iface
207.151.69.254          ether   00:23:04:ED:D4:8E   C                     eth0

Note the non-appearance of 207.151.69.253. Still in the second window launch the command:

  sudo /usr/sbin/tcpdump -nnti eth0 arp or icmp and host 207.151.69.250 -w mycapturefile

Return to the first window and hit the enter key to run the ping. It should receive a single reply then exit.

Go back to the second window and terminate the tcpdump with the ctrl-C key.

Now we want to open/read the resultant "mycapturefile" in Wireshark. But you can't run Wireshark on sputnik. However, you can use an ftp client to connect to your sputnik account and transfer mycapturefile to another computer where Wireshark is installed. There, you can open it in Wireshark. Make sure you conduct the ftp transfer in ftp's "binary" mode, not "ascii" mode, or else ftp will alter the file. (Warning: Microsoft's built-in character-mode ftp client uses ascii mode by default; the "binary" command at its prompt switches modes for you.)

Do the transfer and open the file in Wireshark. Scrutinize what you see to understand the activities that took place. Distinguish between the ping activity itself, and the preceding arp activity. Print a screenshot copy of Wireshark's main 3-panel screen, showing the (probably) 4 packets you captured. Write your name on it and turn it in.

Notes about the remote version - you are using the "sudo" command to enable you to run certain commands otherwise reserved for the root user only. sudo will only let you run the commands as shown. Be aware you have to type them exactly.

The "arp or icmp and host 207.151.69.250" clause specifies a filter. It causes tcpdump to capture only packets addressed to or from sputnik (host 207.151.69.250), and then only those that are arp or ping (icmp). That confines the capture to what interests us.

You might be doing this concurrently with other students. The arp table is machine-global. So if another student just did the exercise, the target machine will be in the arp cache in the wake of his activity. Though it will "expire away" in a short period if you just wait, maybe several students are active and your wait will become extended. In that case, come back later. How can you find out if you are the only user logged in to sputnik or not? Use the command "who" and it will list everybody who is logged in.