A previously captured packet trace “simpletrace.cap” is provided for this assignment. This trace was collected on a hostel network. Several applications were running on the machine.
asbidyarthy@asbidyarthy-Studio-1555:~/Desktop/network_lab$ capinfos simpletrace.cap
File name:           simpletrace.cap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 65535 bytes
Number of packets:   7311
File size:           3442734 bytes
Data size:           3325734 bytes
Capture duration:    233 seconds
Start time:          Fri Jan 13 12:16:09 2012
End time:            Fri Jan 13 12:20:02 2012
Data byte rate:      14247.44 bytes/sec
Data bit rate:       113979.55 bits/sec
Average packet size: 454.89 bytes
Average packet rate: 31.32 packets/sec
SHA1:                8c046b9b9b5feb8d13464460a29b7384bfb8eda0
RIPEMD160:           882143877eb6d1232448a1dfa8afb0e33e22316a
MD5:                 20e8e8908e35ebfda4d93cc686e5b434
Strict time order:   True
Using Ethereal/Wireshark, analyze this trace and answer the following questions:
1. How many packets are in the trace?
Ans:
The number of captured packets in the trace = 7311
The number of displayed packets in the trace = 7311
The number of marked packets in the trace = 0
The number of dropped packets in the trace = 0
The number of ignored packets in the trace = 0
2. What is the average size of packets in the trace?
Ans:
Average packet size: 454.89 bytes
3. List all MAC addresses seen in the trace.
Ans:
Endpoints: the total number of MAC addresses is 92; for details please see the file results.ods -> MAC address.
4. How many IP addresses do you see in the trace?
Ans:
Endpoints: the total number of IP addresses is 67; for details please see the file results.ods -> IP address (IPv4).
5. Some of the observed MAC addresses map to IP addresses. Provide this mapping.
Ans:
asbidyarthy@asbidyarthy-Studio-1555:~/Desktop/network_lab$ arp -a
? (10.11.0.254) at 00:01:f4:38:95:19 [ether] on eth0
Some of the sender MAC and IP address pairs shown in the ARP packets are:
Sender MAC address: HewlettP_37:f5:42 (9c:8e:99:37:f5:42)
Sender IP address: 10.12.2.31 (10.12.2.31)
Sender MAC address: Dell_ea:cc:e6 (00:22:19:ea:cc:e6)
Sender IP address: 10.12.3.59 (10.12.3.59)
“arp -a” shows the IP-to-MAC address mapping that our own machine holds. A mapping between a MAC address and an IP address is not always available in the trace. To find the IP address for a given MAC address, we can do the following:
- ask the network administrator what IP address is assigned to the router interface that has the given MAC address
- send out a Reverse ARP packet asking what the IP address is for the given MAC address; if somebody responds, that might be interesting
- hope that some file on our machine has that mapping, or that some network service offers that mapping
6. What fraction of packets uses IP at the network layer?
Ans:
Out of 100%, 90.81% of packets use IP (IPv4) at the network layer.
7. What fraction of packets uses TCP at the transport layer?
Ans:
Out of that 90.81%, 69.80% of packets use TCP (Transmission Control Protocol) at the transport layer.
8. List all application layer protocols that Ethereal identifies as using TCP.
Ans:
HTTP – Hypertext Transfer Protocol
FTP – File Transfer Protocol
SMTP – Simple Mail Transfer Protocol
ANCP – Access Node Control Protocol
TLSv1 – Transport Layer Security v1
DPLAY – Direct Play Protocol
RELOAD F – Reload File Protocol
9. List all application layer protocols that Ethereal identifies as using UDP.
Ans:
DNS – Domain Name System
RIP – Routing Information Protocol
SNMP – Simple Network Management Protocol
DHCP – Dynamic Host Configuration Protocol
TFTP – Trivial File Transfer Protocol
DHCPv6 – Dynamic Host Configuration Protocol v6
SSDP – Simple Service Discovery Protocol
LLMNR – Link-local Multicast Name Resolution
NBNS – NetBIOS Name Service
ICMP – Internet Control Message Protocol
MDNS – Multicast DNS
10. List all network layer protocols seen in the trace.
Ans:
Network layer:
IP - Internet Protocol (version 4): transfers IP packets from one host to another. One of the most common protocols today; this is what the Internet is built around.
IPv6 - Internet Protocol (version 6): transfers IP packets from one host to another.
ICMP - Internet Control Message Protocol (version 4): a protocol to report common errors and events in the IP, TCP and UDP protocols.
ICMPv6 - Internet Control Message Protocol (version 6): a protocol to report common errors and events in the IPv6, TCP and UDP protocols.
IGMP - Internet Group Management Protocol: IP multicasting.
Network layer routing: none
Network layer (IPsec: Internet Protocol Security): none
11. List all data link layer protocols seen in the trace.
Ans:
Link layer: ARP - Address Resolution Protocol: maps IP addresses to hardware (e.g. Ethernet) addresses.
Link layer (serial line): none
12. How many DNS lookups are there in the trace?
Ans:
There are 802 DNS lookups in total.
13. How many IP packets have a Time-To-Live (TTL) greater than 200? How many IP packets have a TTL of 128? How many IP packets have a TTL of 48? Speculate on the difference in the observed TTL.
Ans:
IP packets with a Time-To-Live (TTL) greater than 200 = 117
IP packets with a TTL of 128 = 553
IP packets with a TTL of 48 = 0
TTL 128 is used by the NBNS (NetBIOS Name Service) packets.
TTL greater than 200 is used by the UDP, DHCP, MDNS and SSDP packets.
14. With reference to line 16 of the trace, answer the following:
Total frame length is 86 bytes.
a) What is the size of the Ethernet header?
Ans:
14 bytes
b) What is the size of the IP header?
Ans:
40 bytes, since IPv6 is used
c) What is the size of the IP datagram?
Ans:
72 bytes, since IPv6 is used
d) What is the size of the TCP header?
Ans:
0 bytes
e) What is the size of the TCP segment?
Ans:
0 bytes
15. Plot a frequency histogram (PDF) of the IP datagram lengths seen in the trace. What conclusions can you draw from this plot?
Ans:
Clearly most of the IP datagram lengths fall in the 0 to 100 byte range, then 1400-1500, and then 1000-1100.
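The counts behind questions 1, 6, 7, 13, 14 and 15 can be reproduced without Wireshark by walking the libpcap file directly. The following is an added example, not part of the original writeup: it parses the pcap record headers, reads the Ethernet/IPv4/IPv6/TCP header fields that decide each size, and runs on a constructed three-frame trace (zeroed MACs and addresses, invented payloads) since simpletrace.cap itself is not embedded here. It follows Wireshark in counting TTL and datagram length for IPv4 only, so an IPv6 frame like line 16 gets header sizes but no TTL.

```python
import struct
from collections import Counter
def pcap_frames(data):
    """Yield raw Ethernet frames from a libpcap file (the format capinfos reported above)."""
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"          # byte order comes from the magic number
    off = 24                                         # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
def frame_sizes(frame):
    """Q14-style sizes for one frame: Ethernet header, IP header, IP datagram, TCP header and segment."""
    s = {"eth_hdr": 14, "ip_hdr": 0, "ip_dgram": 0, "tcp_hdr": 0, "tcp_seg": 0, "ttl": None}
    ethertype, ip, proto = struct.unpack("!H", frame[12:14])[0], frame[14:], None
    if ethertype == 0x0800:                          # IPv4: header length from IHL, TTL at byte 8
        s["ip_hdr"] = (ip[0] & 0x0F) * 4
        s["ip_dgram"], s["ttl"], proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    elif ethertype == 0x86DD:                        # IPv6: fixed 40-byte header; hop limit is not ip.ttl
        s["ip_hdr"], proto = 40, ip[6]
        s["ip_dgram"] = 40 + struct.unpack("!H", ip[4:6])[0]
    if proto == 6:                                   # TCP: data offset in the upper nibble of byte 12
        tcp = ip[s["ip_hdr"]:s["ip_dgram"]]
        s["tcp_hdr"], s["tcp_seg"] = (tcp[12] >> 4) * 4, len(tcp)
    return s
def summarize(data):
    """Trace-wide counts behind Q1, Q6, Q7, Q13 and Q15 (IPv4 lengths in 100-byte buckets)."""
    c, ttl, hist = Counter(), Counter(), Counter()
    for fr in pcap_frames(data):
        s = frame_sizes(fr)
        c["frames"] += 1
        c["tcp"] += bool(s["tcp_hdr"])
        if s["ttl"] is not None:                     # IPv4 only, matching Wireshark's ip.ttl / ip.len
            c["ipv4"] += 1; ttl[s["ttl"]] += 1; hist[s["ip_dgram"] // 100 * 100] += 1
    return c, ttl, hist

# Constructed sample trace (not taken from simpletrace.cap): zeroed MACs/IPs, three frames.
def ipv4_frame(proto, ttl, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, bytes(4), bytes(4))
    return bytes(12) + b"\x08\x00" + hdr + payload
TCP_SEG = struct.pack("!HHIIBBHHH", 54529, 8089, 0, 0, 5 << 4, 0x18, 0, 0, 0) + b"data"  # 24 bytes
FRAMES = [
    ipv4_frame(6, 128, TCP_SEG),                     # IPv4/TCP, TTL 128, 44-byte datagram
    ipv4_frame(17, 255, bytes(8) + b"x" * 1400),     # IPv4/UDP, TTL 255, 1428-byte datagram
    bytes(12) + b"\x86\xdd" + struct.pack("!IHBB16s16s", 0x60000000, 32, 58, 255, bytes(16), bytes(16))
    + bytes(32),                                     # IPv6/ICMPv6 neighbour solicitation, 86 bytes like line 16
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

Q6 and Q7 percentages are `c["ipv4"] / c["frames"]` and `c["tcp"] / c["frames"]`; to run it on the real capture, pass `open("simpletrace.cap", "rb").read()` to `summarize`.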
16. Between which IP address pair is the most bytes exchanged? Plot a frequency histogram (PDF) of the IP datagram lengths seen between this IP address pair. Comment on your plot.
Ans:
245 10.738191 172.16.27.190 10.12.0.24 TCP 2346 8089 > 54529 [PSH, ACK] Seq=141861 Ack=2322 Win=11584 Len=2280 TSval=1003206035 TSecr=41292384
2426 92.333878 202.141.80.21 10.12.0.24 TLSv1 1834 Alert (Level: Warning, Description: Unrecognized Name), Server Hello, Certificate, Server Key Exchange, Server Hello Done
Most of the IP datagram lengths between these IP addresses are in the 1500-1600 range and then above it.
17. Determine what activities were taking place during the duration of the trace capture. This is an open-ended question. So be creative and extract as much information as you can from the traces. Points allocated will be proportionate to the amount of “useful” and “interesting” information provided by you.
Ans:
This trace was captured in one of the hostels in the daytime. As per the rule about net connectivity in the hostel in the daytime, there is no net connectivity from or to outside networks. Therefore not many packets have been captured during this long period of time. The total time of this captured trace is 233 seconds and the total number of packets captured is 7311, which is very few. I did a sample experiment on the same: I captured some packets at night time in the hostel, when net connectivity to and from the outside networks is active, and I found that in 71 seconds a total of 14896 packets were captured.
Hence the packet trace simpletrace.cap provided to us does not have any serious activity from and to any outside networks, but there is still some serious activity that I can see in the inside network.
Some of the following information can be given (columns: serial no., time, source, destination, protocol, length, detail info.):
539 18.154385 10.12.0.24 172.16.27.190 TCP 66 54539 > 8089 [RST, ACK] Seq=191 Ack=1543 Win=18752 Len=0 TSval=41299803 TSecr=1003207888
1701 40.784378 10.12.0.24 172.16.27.190 TCP 66 54556 > 8089 [RST, ACK] Seq=191 Ack=1025 Win=16704 Len=0 TSval=41322433 TSecr=1003213546
1703 40.784783 10.12.0.24 172.16.27.190 TCP 54 54556 > 8089 [RST] Seq=191 Win=0 Len=0
1957 44.037520 10.12.0.24 172.16.27.190 TCP 54 54551 > 8089 [RST] Seq=1121 Win=0 Len=0
1959 44.037939 10.12.0.24 172.16.27.190 TCP 54 54551 > 8089 [RST] Seq=1122 Win=0 Len=0
1966 44.241095 172.16.27.190 10.12.0.24 TCP 839 [TCP Retransmission] 8089 > 54528 [FIN, PSH, ACK] Seq=4361 Ack=1658 Win=160 Len=773 TSval=1003214411 TSecr=41325685
1967 44.241140 10.12.0.24 172.16.27.190 TCP 54 54528 > 8089 [RST] Seq=1658 Win=0 Len=0
2362 90.683657 10.12.0.24 202.141.80.80 UDP 74 Source port: 57601 Destination port: traceroute
2375 90.684788 10.12.0.254 10.12.0.24 ICMP 70 Time-to-live exceeded (Time to live exceeded in transit)
2442 92.389185 10.12.0.24 202.141.80.21 TCP 66 36665 > https [RST, ACK] Seq=1117 Ack=8019 Win=34880 Len=0 TSval=41374037 TSecr=604673014
5817 187.595086 10.12.11.60 224.0.0.251 MDNS 120 Standard query response A, cache flush 10.12.11.60 PTR, cache flush New-PC.local
etc. All kinds of serious activity are carried out through the TCP, ICMP, UDP and MDNS protocols.
18. a) Was an SSH session active? If yes, list the end hosts for this session.
Ans:
No [ssh protocol]
b) Was there any Web browsing going on? If yes, what can you say about the Web browser? Was the browser Internet Explorer or Firefox?
Ans:
Yes, Firefox
c) Was any media streaming activity present? If yes, was the media player from RealNetworks? Can you identify the media file?
Ans:
No [rtsp – Real Time Streaming Protocol]
d) Was there any Peer-to-Peer file sharing activity? If yes, can you provide some details regarding this activity?
Ans:
No [hint – none of mtp2, smpp or p2p is used]
********************** END *********************
Thank you