School of Engineering Technology and Applied Science (SETAS)

Information and Communication Technology (ICET)

CNET124

Network Technologies

Lab #4: Packet Sniffing

Version 1 – February 2012


Introduction

One part of being a network administrator is to gain a familiarity with the quantity and types of traffic found on the various network segments. By understanding what is ‘normal’ one can easily spot ‘abnormal’ traffic types or patterns. Once detected, the sources of these abnormalities can be investigated and, where possible, the remedial actions necessary to maintain the integrity and performance of the network can be taken.

Many different tools exist to facilitate the analysis of network traffic types and patterns. Some of these tools offer advanced automated capabilities and others are very simplistic in their approach. Wireshark is an open source solution that allows the collection and profiling of network traffic to assist in the management and troubleshooting of production networks.

Lab Overview

The purpose of this lab is to introduce the filtering capabilities of Wireshark and to use a packet sniffing tool (Wireshark) to examine the quantity and type of traffic found on an Ethernet hub and switch based network.

In this lab the learner will:

• Use the filter feature of Wireshark

• Capture traffic from a hub and switch based network

• Compare the traffic volume and types between a hub and a switch based network

• Locate and examine an ARP exchange from a live network.

Pre-lab Preparation

Before attempting this lab review the material covered in labs #1 and #3. Also review the OSI model and answer the following questions.

1. Outline the ARP process with emphasis on the communication types (unicast, multicast or broadcast) of all packets involved in the information exchange.

2. Differentiate between a collision domain and a broadcast domain. What types of network devices bound each?

3. On an Ethernet network composed of a single 24 port hub, how many collision domains and how many broadcast domains exist?

4. On an Ethernet network composed of a single 24 port switch in its default configuration, how many collision and how many broadcast domains exist?


Lab Procedure

Note: Be certain to save all captures to be able to answer the questions presented in Part E of this lab and also for future study.

Part A: Introduction to Filters

On a network with large volumes of traffic it becomes difficult to isolate the packets of specific interest. Wireshark provides the capability to filter traffic either during or after data capture. The data filtering capabilities provided by Wireshark are great and this portion of the lab only introduces this capability. Filters will be revisited in a future lab.

1. Connect your PC to a network and capture about 100 packets.

2. Select an ARP request packet and expand all fields until you can see the frame type (the Type field of the Ethernet II header, which Wireshark names eth.type; for an ARP frame its value is 0x0806). Highlight the frame type field.

3. Select Analyze | Apply as Filter | Selected from the menu bar. This should change the display to show only frame types corresponding to the one selected. Notice at the top of the capture window there is now a filter expression displayed (eth.type == 0x0806 for the ARP frame). This same filter can be created using the menu that will appear if you right-click on the desired filter field.

4. Now that you have a filter created you can use this filter to filter traffic during capture so that only the desired packets are displayed. Wireshark will keep track of any filters you have recently created and these may be selected from the drop-down list in the filter menu. Make sure that a valid filter is selected (the filter expression field will be green) and then start a new capture. If prompted, select ‘Continue without Saving’. Only packets that match the applied filter should be displayed.

Note that the expression in the green filter field is a display filter: it hides non-matching packets from the packet list, but Wireshark still captures them and they are still written to the file when the capture is saved. To discard non-matching packets before they are recorded, set a capture filter in the capture options instead; capture filters use a different (BPF) syntax, for example arp rather than eth.type == 0x0806.

Experiment with Wireshark filtering capabilities until you are comfortable with applying simple filters to analyze previously captured files and to filter during capture. In future labs we will build more complex filters to analyze for specific traffic. To demonstrate your ability to apply filters create a series of screen captures that show unfiltered and filtered traffic that matches a filter other than the ARP used in this exercise.
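The following is an added example, not part of the original lab handout: it builds the two frames of an ARP exchange (the broadcast request and the unicast reply) plus one non-ARP frame, writes them to a classic pcap file that Wireshark can open, reads the file back and applies the equivalent of the display filters eth.type == 0x0806 and arp.opcode == 1 by decoding the Ethernet header. The MAC and IP addresses, the file name and the stand-in IPv4 payload are all constructed for the illustration; only the Python standard library is used.

```python
import os
import struct
import tempfile

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{octet:02x}" for octet in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_eth(dst_mac, src_mac, ethertype, payload):
    """Ethernet II header (dst, src, Type) followed by the payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def build_arp(sender_mac, sender_ip, target_ip, opcode, target_mac=None):
    """ARP over Ethernet: a request is broadcast with an all-zero target MAC,
    a reply is unicast to the requester, whose MAC is by then known."""
    eth_dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    tha = ZERO_MAC if opcode == ARP_REQUEST else target_mac
    body = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)  # htype, ptype, hlen, plen, oper
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(tha) + ip_bytes(target_ip)
    return build_eth(eth_dst, sender_mac, ETHERTYPE_ARP, body)


def write_pcap(path, frames):
    """Classic little-endian pcap: 24-byte global header (link type 1 = Ethernet),
    then a 16-byte record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 0, i, len(frame), len(frame)))  # ts_sec, ts_usec, incl_len, orig_len
            f.write(frame)


def read_pcap(path):
    frames = []
    with open(path, "rb") as f:
        if struct.unpack("<I", f.read(4))[0] != 0xA1B2C3D4:
            raise ValueError("not a little-endian pcap file")
        f.read(20)  # remainder of the global header
        while True:
            record = f.read(16)
            if len(record) < 16:
                break
            incl_len = struct.unpack("<IIII", record)[2]
            frames.append(f.read(incl_len))
    return frames


def parse(frame):
    """Decode the fields the lab filters on, named as Wireshark names them."""
    fields = {"eth.dst": mac_str(frame[0:6]), "eth.src": mac_str(frame[6:12]),
              "eth.type": struct.unpack("!H", frame[12:14])[0]}
    if fields["eth.type"] == ETHERTYPE_ARP:
        fields["arp.opcode"] = struct.unpack("!H", frame[20:22])[0]  # oper sits 6 bytes into the ARP body
    return fields


def display_filter(frames, predicate):
    """Like a Wireshark display filter: hides non-matching frames from the view
    while the capture (the list passed in) still holds every frame."""
    return [frame for frame in frames if predicate(parse(frame))]


def demo(path=None):
    """Write a constructed three-frame capture, read it back and apply two filters."""
    path = path or os.path.join(tempfile.gettempdir(), "cnet124_arp_demo.pcap")
    pc_a_mac, pc_a_ip = "00:11:22:33:44:01", "192.168.1.1"   # constructed addresses
    pc_b_mac, pc_b_ip = "00:11:22:33:44:02", "192.168.1.2"
    frames = [
        build_arp(pc_a_mac, pc_a_ip, pc_b_ip, ARP_REQUEST),                     # "who has 192.168.1.2?"
        build_arp(pc_b_mac, pc_b_ip, pc_a_ip, ARP_REPLY, target_mac=pc_a_mac),  # "192.168.1.2 is at ..."
        build_eth(pc_b_mac, pc_a_mac, ETHERTYPE_IPV4, bytes(20)),               # stand-in IPv4 frame
    ]
    write_pcap(path, frames)
    captured = read_pcap(path)
    arp_only = display_filter(captured, lambda p: p["eth.type"] == ETHERTYPE_ARP)      # eth.type == 0x0806
    requests = display_filter(captured, lambda p: p.get("arp.opcode") == ARP_REQUEST)  # arp.opcode == 1
    return {"in_file": len(captured), "arp": len(arp_only), "arp_requests": len(requests),
            "request_dst": parse(arp_only[0])["eth.dst"], "reply_dst": parse(arp_only[1])["eth.dst"]}


if __name__ == "__main__":
    print(demo())
```

Open the generated file in Wireshark, click the Type field of the first frame and use Analyze | Apply as Filter | Selected: the expression that appears in the filter bar is the same eth.type == 0x0806 test the predicate above performs, and the ARP request shows the broadcast destination while the reply is addressed to PC_A alone.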

Part B: Two Computer Peer-to-Peer Network

1. Using the crossover cable you constructed in lab #1 connect two PCs together.

(a) Is the link light on the PC NIC on? What does this tell you?

2. Set the IP addressing information on both PCs so that they are both on the same subnet.

(a) What three pieces of information would you normally have to supply to do this? What is the purpose of each?

(b) For this particular lab experiment only two pieces of information are required. Explain why only two pieces are needed here versus three in a typical IP network.

3. Ping from each machine to the other. If this does not work check your connections and addressing information. Troubleshoot as necessary. You must be able to ping between the two machines before proceeding further.

(a) What protocol does ping use?

(b) If a ping is successful which layers of the OSI model are working?

4. Set up a shared directory on one of the PCs and place a large file into this directory. This will be PC_A. On the other PC map a drive to the shared directory. This will be PC_B.

5. Start Wireshark on PC_A. Collect approximately 100 packets from the network.

(a) How long did it take you to capture 100 packets?

(b) What type(s) of traffic did you capture?

(c) Approximately what percentage of the total captured traffic did each type account for?


6. Start a new capture and while capturing traffic copy the file from step 4 above from the shared directory to a local directory on PC_B.

(a) What type(s) of traffic did you capture?

(b) Approximately what percentage of the total captured traffic did each type account for?

Part C: Hub Based Network

1. Connect your PC to the common classroom hub using the cable you constructed in lab #1.

(a) What type of cable did you use? Why?

2. Set the addressing information on your PC as indicated by your instructor. It is important that all PCs connected to the common hub are on the same network. Ping between machines to ensure that all are able to connect to each other. Note the number of PCs connected to the hub as this information will be required for part D.

3. Once multiple machines are connected to the hub start a capture and collect approximately 100 packets.

(a) How long did it take you to capture 100 packets?

(b) What type(s) of traffic did you capture?

(c) Approximately what percentage of the total captured traffic did each type account for?

Part D: Switch Based Network

1. Connect your PC to the common classroom switch using the cable you constructed in lab #1.

(a) What type of cable did you use? Why?

2. Set the addressing information on your PC as indicated by your instructor. It is important that all PCs connected to the common switch are on the same network. Ping between machines to ensure that all are able to connect to each other. Make sure the same number of machines is connected to the switch here as was connected to the hub in part C, so that the two captures can be compared.


3. Once multiple machines are connected to the switch start a capture and collect approximately 100 packets.

(a) How long did it take you to capture 100 packets?

(b) What type(s) of traffic did you capture?

(c) Approximately what percentage of the total captured traffic did each type account for?

Part E: Questions

Use the data collected in parts B, C and D to answer the following questions.

1. Was there any difference in the types of traffic observed on the three different networks?

2. Was there any difference in the proportion of each type of traffic observed on the three different networks?

3. Was there any difference in the volume of traffic captured per unit time between the hub based and the switch based network? How can you explain this difference?

4. Locate an ARP request for a machine other than your own in the captures from both the switched and the hubbed network. Can you see the ARP reply to the request in both captures? Why or why not?
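As an added example that is not part of the original lab, the model below shows the forwarding behaviour behind questions 3 and 4: a hub repeats every frame to every port, while a switch in its default configuration (no VLANs, an empty MAC table at power-on) learns source addresses and delivers known unicast frames to one port only. The three hosts, their MAC addresses and port numbers are constructed. The last function covers the caveat to question 4: a switch that has not yet learned the destination MAC floods the frame, so the sniffer can occasionally see a unicast ARP reply even on the switched network.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed hosts: MAC address -> port number on the hub or switch.
PC_A, PC_B, SNIFFER = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
HOSTS = {PC_A: 1, PC_B: 2, SNIFFER: 3}


class Hub:
    """Repeats every frame out of every port except the one it arrived on:
    one collision domain and one broadcast domain."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        return self.ports - {in_port}


class Switch:
    """Learns source MAC -> port on every frame. Known unicast goes out one
    port; broadcast and unknown unicast are flooded. Each port is its own
    collision domain but all ports still share one broadcast domain."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}

    def forward(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.mac_table:
            return self.ports - {in_port}
        return {self.mac_table[dst]} - {in_port}


def run(device, frames, sniffer=SNIFFER, hosts=HOSTS):
    """Return the ids of the frames that reach the sniffer's port."""
    seen = []
    for frame in frames:
        if hosts[sniffer] in device.forward(hosts[frame["src"]], frame):
            seen.append(frame["id"])
    return seen


def arp_exchange():
    """Part E question 4: PC_A resolves PC_B, PC_B answers, PC_A sends data."""
    return [
        {"id": "arp-request", "src": PC_A, "dst": BROADCAST},  # broadcast: every port receives it
        {"id": "arp-reply", "src": PC_B, "dst": PC_A},          # unicast back to PC_A
        {"id": "data", "src": PC_A, "dst": PC_B},               # unicast follow-on traffic
    ]


def visible_to_sniffer(device_cls):
    """Frames the sniffing PC captures when the three hosts share this device."""
    return run(device_cls(HOSTS.values()), arp_exchange())


def unknown_unicast_is_flooded():
    """A switch that has not yet learned the destination floods the frame,
    so the sniffer does see a unicast it would otherwise miss."""
    fresh_switch = Switch(HOSTS.values())
    return run(fresh_switch, [{"id": "reply-before-request", "src": PC_B, "dst": PC_A}])


if __name__ == "__main__":
    print("hub   :", visible_to_sniffer(Hub))
    print("switch:", visible_to_sniffer(Switch))
    print("fresh switch, unknown destination:", unknown_unicast_is_flooded())
```

On the hub the sniffer receives all three frames, which is why the hub capture fills up faster and contains other hosts' unicast traffic; on the switch it receives only the broadcast ARP request, because by the time PC_B replies the switch has already learned PC_A's port from the request. Only when the destination is still unknown to the switch does a unicast frame get flooded to the sniffer's port.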

