lab-2-report.txt

Yu Cheng (Jade)
ICS 351
Lab Report 1
September 14

[Exercise 1]
We ran tcpdump on PC1.  We pinged PC2 in another terminal window.  We saved the
output of the command `tcpdump -n -l host 10.0.1.12 | tee ex1-1.txt` into
ex1-1.txt.

We ran tcpdump again, and pinged PC2 at the same time in another terminal
window.  We saved the output of the command `tcpdump -n -l icmp host
10.0.1.12 | tee ex1-2.txt` into ex1-2.txt file.


[Exercise 2A]
We turned on wireshark and set the display filter as "ip.addr == 10.0.1.12".
We saved the output of the captured wireshark traffic into ex2-1.txt file.

Later, I realized that for this exercise we needed to use the capture filter,
so instead of display filter "ip.addr == 10.0.1.12" in the traffic-displaying
window, I think we should've done "ip host 10.0.1.12" in the "Capture Options"
window.  The output of these two should be the same, I think.


[Exercise 2B]
We entered a display filter "ip.src == 10.0.1.12" based on Exercise 2A's
output.  We saved it as ex2b-1.txt by selecting file/print.

We entered another display filter "ip.dst == 10.0.1.12" based on Exercise 2A's
output.  We saved it as ex2b-2.txt by selecting file/print.

I noticed later that the print window of wireshark has two options "capture"
and "display".  We used the default, which is "capture", so the output of
ex2a.txt, ex2b-1.txt, and ex2b-2.txt are all the same.  According to the book,
ethereal's print command saves only packets that are currently being displayed.
I think this might be a difference between wireshark and ethereal.


[Exercise 2C]
We issued ping and telnet from PC1 to PC2 at the same time and captured the
network traffic on PC1 without any capture or display filters.

We set a display filter as "ip.addr == 10.0.1.12 and icmp".  We saved the
output as ex2c-5a using print/print plain text file.

We set a display filter as "ip.addr == 10.0.1.12 and tcp".  We saved the
output as ex2c-5b using print/print plain text file.

We set a display filter as "ip.addr == 10.0.1.12 and tcp.port == 23".  We
saved the output as ex2c-5c using print/print plain text file.

These output files have the same problem as Exercise 2B.  We didn't select
"display" in the print window.  All three files are identical.


[Exercise 3A]
We deleted the ARP cache entries with command `arp -d`.  We captured the
network traffic while issuing a command `ping -c 2 10.0.1.12` from PC1.  We
saved the output as ex3a.txt.

Question 1:
The destination MAC address of the ARP request packet is "ff:ff:ff:ff:ff:ff".
This is the broadcast MAC address.  PC1 broadcast a request to everyone on the
network asking who has this particular IP address.

Question 2:
There are two different values of the Type field in the Ethernet headers.  We
did part 1 in exercise 3, so etcfile_1 is already included with this report.

It was "ARP (0x0806)" for all of the ARP packets.  It was "IP (0x0800)" for all
of the ICMP packets.

Question 3:
The typical lifetime of an ARP entry is very short.  After a while without any
communication between PC1 and PC2, the MAC address of PC2 is deleted from PC1's
ARP table.  When new communication is issued from PC1 to PC2, the first thing
PC1 must do is send an ARP request to rebuild its ARP table.

PC1 issues a broadcast request to everyone on the network asking who has this
particular IP address.  PC2 responds with PC2's MAC address.  PC1 then
associates this MAC address with the IP address in its ARP table.


[Exercise 3B]
Table 2.2 IP and MAC address.
Linux PC    IP Address of Ethernet Interface eth0    MAC address of eth0
PC1         10.0.1.11/24                             00:02:85:00:B8:87
PC2         10.0.1.12/24                             00:02:85:57:1B:8A
PC3         10.0.1.13/24                             00:02:85:17:5D:75
PC4         10.0.1.14/24                             00:02:A5:02:29:D0


[Exercise 3C]
We set a capture filter "ip host 10.0.1.12" and captured the network traffic
while trying to establish a telnet session from PC1 to a non-existing IP
address.  We saved the file in ex3c.txt.

Question 1:
The time interval between each ARP request issued by PC1 is 1 second.  It
looks like the time interval is determined by measuring the time between the
previous captured frame and the displayed frame.

Question 2:
IP packets all have their specified destinations.  ARP request packets could
be sent to a specified MAC address, but not necessarily.  ARP request packets
could also be sent to a broadcast address "ff:ff:ff:ff:ff:ff".  Therefore, ARP
request packets are not encapsulated.


[Exercise 4]
We saved the output of the command `netstat -in` as ex4-1.txt.
We saved the output of the command `netstat -rn` as ex4-2.txt.
We saved the output of the command `netstat -a` as ex4-3.txt.
We saved the output of the command `netstat -s` as ex4-4.txt.

Question 1:
There are two network interfaces of PC1.  They are eth0 and eth1.  Both of
them have MTU values of 1500.

Question 2:
There are 3749 IP packets received and delivered.
There are 3691 IP packets sent out.
There are 1495 ICMP messages received and sent.
There are 668 TCP segments received.
There are 679 TCP segments sent out.
There are 122 UDP packets received.
There are 1512 UDP packets sent out.

Question 3:
The loopback interface (lo) is a virtual network interface implemented in
software only and is not connected to any hardware.  It is fully integrated
into the computer system's internal network infrastructure.  Any traffic that
a computer program sends to the loopback interface is immediately received on
the same interface.  Therefore, the RX-OK and TX-OK are the same for interface
lo.

For eth0, RX-OK and TX-OK are measuring completely different things.  One is
the packets that are received.  The other one is the packets that are sent.


[Exercise 5]
We saved the output of the command `ifconfig -a` on PC4 as ex5-1.txt.
We ran the command `ifconfig eth0 10.0.1.11/24` on PC4.
We ran the command `ifconfig -a` again on PC4 and saved the output as
ex5-3.txt.

Question 1:
`ifconfig -a` displays the information regarding all of the network devices.
For each device, for example eth0, it describes the link type, the hardware
address (MAC address), IP address, net mask and the packets sending and
receiving information.


[Exercise 6]
It appears that the telnet session was established between PC3 and the first
computer to respond between PC1 and PC4.  Once the first connection was made,
PC3 rejected the second connection because the second connection's MAC address
did not match the MAC address sent with the first response.  The ARP cache was
updated on PC3 once the first connection was made, and that's how it later
determined the second connection was from an invalidly responding PC.
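Added example (not part of the original lab report): a small parser for the
Ethernet and ARP headers seen in Exercise 3A (broadcast destination MAC,
EtherType 0x0806 for ARP and 0x0800 for IP) that is then used to spot the
Exercise 6 situation, where two different MAC addresses answer ARP for the same
IP address.  The frames are constructed here from the MAC and IP addresses in
Table 2.2; the helper names are my own, not from any tool used in the lab.

```python
import struct
from collections import defaultdict

ETHERTYPE_NAMES = {0x0806: "ARP", 0x0800: "IP"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Decode the 14-byte Ethernet II header and, for ARP, the 28-byte ARP body."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {
        "dst_mac": mac_str(dst),
        "src_mac": mac_str(src),
        "ethertype": ethertype,
        "type_name": ETHERTYPE_NAMES.get(ethertype, "unknown"),
        "is_broadcast": mac_str(dst) == BROADCAST_MAC,
    }
    if ethertype == 0x0806 and len(frame) >= 42:
        (_htype, _ptype, _hlen, _plen, op,
         sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        info.update({
            "arp_op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        })
    return info


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet + ARP frame for the sample capture.
    Requests go to the broadcast MAC; replies are unicast to the asker."""
    sha, spa = mac_bytes(sender_mac), ip_bytes(sender_ip)
    tha, tpa = mac_bytes(target_mac), ip_bytes(target_ip)
    dst = mac_bytes(BROADCAST_MAC) if op == ARP_REQUEST else tha
    eth = struct.pack("!6s6sH", dst, sha, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return eth + arp


def build_ip_stub(src_mac, dst_mac):
    """Ethernet header carrying the IP EtherType with a zeroed payload;
    only the header matters for this example."""
    return struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), 0x0800) + bytes(20)


# MAC addresses from Table 2.2 (lower-cased)
PC1_MAC, PC3_MAC, PC4_MAC = "00:02:85:00:b8:87", "00:02:85:17:5d:75", "00:02:a5:02:29:d0"

# Constructed sample capture: PC3 asks who has 10.0.1.11; both PC1 and a PC4
# that was reconfigured to the same address (Exercise 5) answer.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, PC3_MAC, "10.0.1.13", "00:00:00:00:00:00", "10.0.1.11"),
    build_arp(ARP_REPLY, PC1_MAC, "10.0.1.11", PC3_MAC, "10.0.1.13"),
    build_arp(ARP_REPLY, PC4_MAC, "10.0.1.11", PC3_MAC, "10.0.1.13"),
    build_ip_stub(PC3_MAC, PC1_MAC),  # the ICMP echo that follows the resolution
]


def find_arp_conflicts(frames):
    """Map each IP that appears as the sender of an ARP reply to the set of MACs
    claiming it; return only the IPs claimed by more than one MAC."""
    claims = defaultdict(set)
    for frame in frames:
        p = parse_frame(frame)
        if p.get("arp_op") == ARP_REPLY:
            claims[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        p = parse_frame(frame)
        print(p["src_mac"], "->", p["dst_mac"], p["type_name"], p.get("arp_op", ""))
    print("conflicts:", find_arp_conflicts(SAMPLE_FRAMES))
```

The conflict check is what an administrator would run over a capture to confirm
the Exercise 6 explanation: the first reply wins on the asking host, so the
second MAC answering for the same address is visible only in the packets.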


[Exercise 7]
We set up the interfaces of the hosts as shown in the table.  We issued a
series of ping commands.  We saved the output as ex7abc.txt.  The commands
are:

`ping -c 1 10.0.1.120` from PC1 to PC3
`ping -c 1 10.0.1.101` from PC1 to PC2
`ping -c 1 10.0.1.121` from PC1 to PC4

We also issued ping commands:

`ping -c 1 10.0.1.100` from PC4 to PC1
`ping -c 1 10.0.1.121` from PC2 to PC4
`ping -c 1 10.0.1.120` from PC2 to PC3

The output of these three commands is the same: "network is not reachable".
We didn't save these error messages, which we probably should've done.

Question 1:
Of the six total ping commands, the only two that worked were from PC1 to PC2
and PC1 to PC3.  Only four bits are reserved for the computer on PC2 and PC4
since their netmasks are 255.255.255.240, and that is inadequate for
representing the values 120 and 121.  Therefore, PC2 and PC4 believe IP
addresses at 10.0.1.16 and greater belong to a different network.  Their
routing tables do not provide information to reach that network, and so they
determine the network is not reachable.
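Added example (not part of the original lab report): the subnet arithmetic
behind the Exercise 7 answer, done with Python's ipaddress module.  The
addresses and the 255.255.255.240 masks on PC2 and PC4 are the ones given
above; the /24 masks on PC1 and PC3 are an assumption, as is the rule that a
host with no default gateway can only reach addresses inside its own connected
network.  It goes one step beyond the report by also checking whether the
target can route the reply back, which is why PC1 to PC4 fails even though PC1
itself can send the request.

```python
import ipaddress

# Addresses from the Exercise 7 text; PC1 and PC3 masks are assumed /24.
HOSTS = {
    "PC1": ipaddress.ip_interface("10.0.1.100/255.255.255.0"),
    "PC2": ipaddress.ip_interface("10.0.1.101/255.255.255.240"),
    "PC3": ipaddress.ip_interface("10.0.1.120/255.255.255.0"),
    "PC4": ipaddress.ip_interface("10.0.1.121/255.255.255.240"),
}

# The six ping commands issued in the exercise, as (source, destination).
PING_COMMANDS = [("PC1", "PC3"), ("PC1", "PC2"), ("PC1", "PC4"),
                 ("PC4", "PC1"), ("PC2", "PC4"), ("PC2", "PC3")]


def host_bits(iface):
    """Number of address bits left for hosts after the netmask."""
    return iface.network.max_prefixlen - iface.network.prefixlen


def address_range(iface):
    """First and last address of the network the interface believes it is on."""
    net = iface.network
    return str(net.network_address), str(net.broadcast_address)


def has_route(iface, dst):
    """Assumption: no default gateway, so only the connected network is reachable."""
    return ipaddress.ip_address(dst) in iface.network


def ping_outcome(src, dst):
    """Classify a ping between two hosts from the table."""
    src_if, dst_if = HOSTS[src], HOSTS[dst]
    if not has_route(src_if, dst_if.ip):
        return "unreachable"   # sender's kernel fails at once: "Network is unreachable"
    if not has_route(dst_if, src_if.ip):
        return "no reply"      # request is delivered, but the target cannot route the reply
    return "reply"


def summarize():
    return {f"{s}->{d}": ping_outcome(s, d) for s, d in PING_COMMANDS}


if __name__ == "__main__":
    for name, iface in HOSTS.items():
        print(name, iface, "network", iface.network, "hosts bits", host_bits(iface),
              "range", address_range(iface))
    for pair, result in summarize().items():
        print(pair, result)
```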


[Exercise 8]
We edited the file /etc/hosts and associated host names with the IP addresses.
We were then able to ping directly using the names instead of the IP
addresses.

Question 1:
The static mapping of names and IP addresses needs to be done manually.
Therefore, it's impractical when the number of the hosts is large.

Question 2:
When multiple IP addresses are associated with the same host name in the
/etc/hosts file, we observed that only the first IP address in the file
responded to the ping.  I think, under this circumstance, the response must be
random between the two IP addresses.


[Exercise 9A]
We started the FTP server on PC2 first.  Then we initiated an FTP session to
PC2 from PC1.  We captured the traffic with a capture filter "host 10.0.1.11
and host 10.0.1.12".  The FTP traffic session was saved as ex9a.txt.

Question 1:
The port number of the FTP client is port 21.
The FTP server is "vsFTPd 2.0.6" as it shows after the first successful
response 220.

Question 2:
We can also identify the password and username in the traffic captured.  They
are "USER x" and "PASS y".


[Exercise 9B]
We failed to do the previous exercise in class with a telnet command instead
of ftp, but I did it at home.

Question 1:
Telnet does have the same security flaws as FTP.  The user name and password
were sent with no encryption.  If I go over and highlight the packets with
"telnet data...", the username and password are displayed gradually in the
telnet data section of the middle window.  They end with a "\r\n".


[Exercise 9C]
We captured the network traffic with another terminal window running telnet
from PC1 to PC2.  We typed several letters after logging in.  The wireshark
output was saved as ex9c.txt.

The first packet is sent from PC1 to PC2 with the first letter.  It's a telnet
packet.

The second packet is a TCP packet from PC2 to PC1.  It contains a message:

[This is an ACK to the segment in frame: #].

The third packet is a telnet packet from PC2 to PC1.  It repeats the letter
sent from PC1 in the first packet.
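Added example (not part of the original lab report): a detector for the
cleartext logins observed in Exercises 9A, 9B and 9C.  It reassembles the
client-to-server side of FTP (port 21) and telnet (port 23) connections and
reports where a username or password crossed the wire unencrypted, masking the
password in the finding.  The packet records are constructed here from the
exchange the report describes: the vsFTPd 2.0.6 banner followed by USER and
PASS, and a telnet login typed one character per segment with each character
echoed back by PC2 (except the password).  The Packet class, port numbers and
account name are my own sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Services whose login exchange travels in cleartext, keyed by server port.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


def flow_key(p):
    """Same key for both directions: (client ip, client port, server ip, server port)."""
    if p.dport in CLEARTEXT_PORTS:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


def extract_credentials(packets):
    """Walk packets in capture order and report each username and password sent
    in the clear.  Returns (service, client, server, field, shown) tuples; the
    password value is replaced by asterisks of the same length."""
    findings = []
    client_buf = defaultdict(bytes)   # client->server bytes not yet terminated by CRLF
    last_prompt = {}                  # telnet: which field the server just asked for
    for p in packets:
        key = flow_key(p)
        service = CLEARTEXT_PORTS.get(key[3])
        if service is None:
            continue
        client, server = key[0], key[2]
        if p.dport != key[3]:                       # server -> client direction
            if service == "telnet":
                text = p.payload.decode("ascii", "replace").lower()
                if text.endswith("login: "):
                    last_prompt[key] = "username"
                elif text.endswith("password: "):
                    last_prompt[key] = "password"
            continue
        client_buf[key] += p.payload                # client -> server direction
        while b"\r\n" in client_buf[key]:           # one keystroke per segment is fine
            line, _, client_buf[key] = client_buf[key].partition(b"\r\n")
            text = line.decode("ascii", "replace")
            if service == "ftp":
                cmd, _, arg = text.partition(" ")
                field = {"USER": "username", "PASS": "password"}.get(cmd.upper())
            else:
                field, arg = last_prompt.pop(key, None), text
            if field:
                shown = arg if field == "username" else "*" * len(arg)
                findings.append((service, client, server, field, shown))
    return findings


PC1, PC2 = "10.0.1.11", "10.0.1.12"


def _typed(text, echoed):
    """Emulate a telnet client sending one byte per segment (Exercise 9C), with
    the server echoing each byte back unless a password is being typed."""
    pkts = []
    for b in text:
        pkts.append(Packet(PC1, PC2, 40002, 23, bytes([b])))
        if echoed:
            pkts.append(Packet(PC2, PC1, 23, 40002, bytes([b])))
    return pkts


# Constructed capture: an FTP login followed by a telnet login, PC1 -> PC2.
PACKETS = [
    Packet(PC2, PC1, 21, 40001, b"220 (vsFTPd 2.0.6)\r\n"),
    Packet(PC1, PC2, 40001, 21, b"USER alice\r\n"),
    Packet(PC2, PC1, 21, 40001, b"331 Please specify the password.\r\n"),
    Packet(PC1, PC2, 40001, 21, b"PASS hunter2\r\n"),
    Packet(PC2, PC1, 21, 40001, b"230 Login successful.\r\n"),
    Packet(PC2, PC1, 23, 40002, b"login: "),
    *_typed(b"alice\r\n", echoed=True),
    Packet(PC2, PC1, 23, 40002, b"Password: "),
    *_typed(b"hunter2\r\n", echoed=False),
    Packet(PC2, PC1, 23, 40002, b"\r\nWelcome to PC2\r\n$ "),
]

if __name__ == "__main__":
    for finding in extract_credentials(PACKETS):
        print(finding)
```

The telnet branch depends on the server prompt rather than on a command word,
because the client's keystrokes carry no "USER"/"PASS" marker of their own;
that is also why the echoed characters in the Exercise 9C capture are ignored
here and only the client direction is reassembled.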