ITL Lab Manual
Useful Computers Applications
ethereal (gui protocol analyzer)
Network packets that arrive at one of the network interfaces can be captured and viewed.
The application used in the lab for this is ethereal. Under X Windows, ethereal has a very
easy-to-use graphical interface.
A "packet sniffer" application like ethereal can be abused. Just because it is possible
to observe packets on the network doesn't mean that it is right to do so. Anyone using the
lab is expected to use this application in an appropriate manner.
For a detailed description of all the features of ethereal examine the ethereal man pages:
[Linux prompt]# man ethereal
To launch ethereal issue the command (it is usually convenient to run it in the background):
[Linux prompt]# ethereal &
ethereal displays a window with three panels. The top panel lists packets that have been
captured, the middle panel shows the logical structure of a packet, and the bottom panel
shows the contents of a packet.
In the top panel if you click in a column header the packets will be displayed in sorted
order according to that column.
The packet shown in the last two panels is the one selected
in the top panel.
In the middle panel, if a component of the packet has further structure
clicking the "+" will expand the component.
If one of the components in the second panel is selected
the corresponding bytes in the packet content are highlighted in the bottom panel.
To capture packets choose Capture->Start from the Capture menu.
A dialog box will be displayed with several options:
Clicking start begins the capture of packets. A small window displays the total number of
packets captured so far, and attempts to show how many have been captured for each of several
common protocols. To terminate capture of packets click the "stop" button in this window.
Several factors determine which packets are displayed by ethereal.
- Only packets that propagate on the network segment that contains the selected interface
are eligible for capture.
- If the interface is not in promiscuous mode, only packets directly or indirectly addressed
to the interface will be eligible for capture.
- If a capture filter is in effect, only packets that pass the filter are captured.
- If a display filter is in effect, only packets that pass the filter are displayed.
A filter is essentially a string containing a boolean expression. The terms
of the expression are keywords that identify a particular component
of the packet (e.g. proto (short for protocol), dst (short for destination) ),
values that that component of the packet might
have (e.g. 0x0806 for a protocol, ff:ff:ff:ff:ff:ff for an address)
and operators (e.g. ==, !=, && ). An example of a filter
string for a display filter to show only ARP packets is:
eth.type==0x0806
An example of a filter string for a capture filter to capture only ARP packets is:
ether proto 0x0806
Display filters and capture filters have different syntax, but both rely on a
string containing an expression. A filter can be entered for use once only, or it
can be given a name and saved in a file.
The locations within the window where the strings for
capture filters and display filters are entered are different and
the files in which the strings are saved are different.
When a filter string is saved it is given a name so that it
can be retrieved later. When saved filters are retrieved you must be careful
to use capture filter strings only where capture filters are appropriate, and
display filter strings only where display filters are appropriate. It might be
helpful to include the word "capture" or "display" as part of the name of any
saved filter string.
Display Filters
A display filter is used to restrict which of the already captured packets are shown in the
top panel. When a display filter is applied the original list of captured packets is not
lost. Clicking the "Reset" button at the bottom of the window displays the full list again.
The syntax of display filters is described on the ethereal man page.
An example of a display filter string is:
eth.type==0x0806 && eth.dst==ff:ff:ff:ff:ff:ff
A display filter is entered into the area at the bottom of the window labeled "Filter".
You can simply type the filter string and press Enter to apply the filter. You can apply
different filters in succession. Each filter is applied to the list of packets displayed,
not to the original list.
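The display-filter terms above compare fields of the Ethernet header that ethereal decodes in the middle panel. The following shell script, added here as an example and not part of the lab manual, evaluates the same terms (eth.type==0x0806, eth.dst==ff:ff:ff:ff:ff:ff, and the "source or destination" form used in a later exercise) directly against the bytes of a frame, so it is clear what the filter actually tests. The two frames are constructed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lab manual): evaluate display-filter terms
# directly against the bytes of an Ethernet frame given as a hex string.
# Both sample frames below are constructed for this example.

# Normalise a hex dump: drop spaces and colons, force lowercase, end with newline.
hex() { printf '%s\n' "$1" | tr -d ' :' | tr 'A-F' 'a-f'; }

# Ethernet header layout: bytes 0-5 destination, 6-11 source, 12-13 type.
eth_dst()  { hex "$1" | cut -c1-12  | sed 's/../&:/g; s/:$//'; }
eth_src()  { hex "$1" | cut -c13-24 | sed 's/../&:/g; s/:$//'; }
eth_type() { printf '0x%s\n' "$(hex "$1" | cut -c25-28)"; }

# eth.type==0x0806 && eth.dst==ff:ff:ff:ff:ff:ff  (ARP sent to broadcast)
is_arp_broadcast() {
    [ "$(eth_type "$1")" = "0x0806" ] && [ "$(eth_dst "$1")" = "ff:ff:ff:ff:ff:ff" ]
}

# eth.src==ADDR || eth.dst==ADDR  (frame to or from one station, either direction)
involves_addr() {
    [ "$(eth_src "$1")" = "$2" ] || [ "$(eth_dst "$1")" = "$2" ]
}

# Constructed ARP request: broadcast dst, src 00:00:5e:00:53:01, type 0x0806,
# then the ARP body (who-has 192.168.200.2 tell 192.168.200.1).
ARP_FRAME='ffffffffffff 00005e005301 0806 0001080006040001 00005e005301 c0a8c801 000000000000 c0a8c802'
# Constructed IPv4 frame: unicast dst 00:00:5e:00:53:02, type 0x0800, truncated payload.
IP_FRAME='00005e005302 00005e005301 0800 45000054000040004001'

# Apply a predicate to every frame read from stdin and print only the matches,
# which is what a display filter does to the list in the top panel.
# Usage: display_filter PREDICATE [EXTRA_ARG]  (extra arg is passed after the frame)
display_filter() {
    pred=$1; shift
    while read -r frame; do
        "$pred" "$frame" "$@" && printf '%s\n' "$frame"
    done
}

# Stand-alone demonstration: only the ARP frame survives the first filter,
# only the IPv4 frame survives the second.
printf '%s\n%s\n' "$ARP_FRAME" "$IP_FRAME" | display_filter is_arp_broadcast
printf '%s\n%s\n' "$ARP_FRAME" "$IP_FRAME" | display_filter involves_addr 00:00:5e:00:53:02
```

The byte offsets are the whole point: a display filter on eth.dst is a comparison of the first six bytes of the frame, which is why a frame addressed to a station's own unicast address, not the broadcast address, fails the second term even when it is an ARP packet.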
The simplest way to create a display filter when you are unfamiliar with the syntax
is to select a field from one of the
packets and to tell ethereal that you want to display only packets with the same value for
that field. The steps are as follows:
- Select one packet in the top pane.
- Select one field from the middle pane.
- Choose Display->Match Selected from the menu. You can see the display filter at the
bottom of the window in the region labeled "Filter". This is an excellent way to learn
the syntax of simple display filters.
- Clicking "Reset" at the bottom of the window removes the display filter and again
shows all the captured packets.
This technique can only be used to create the simplest display filters. There is a
filter dialog box to help you create more complex filters.
- Click "Filter" at the bottom of the page.
- Choose "Add Expression" to bring up the dialog box that will help you build a
filter.
- Choose a field identifier from the list shown. Once you do so a list showing
available relational operators (e.g. ==, !=) will appear.
- Choose a relational operator from the list. Once you do so a list showing
possible values for the chosen field will appear.
- Choose a value from the list shown.
- Click the button that accepts these terms. The subexpression you have chosen will
be appended to the filter string.
- If you want additional terms in the filter string, type a relational operator
such as && or || and choose "Add Expression", repeating the steps above.
- Once the filter string is complete, click the "Apply" button to apply it to the
currently displayed packets.
Filters that have been applied during the current ethereal session can be
retrieved by using the pop-up arrow to the right of the filter area at
the bottom of the window. These filters will not be available if you
quit and restart ethereal.
If you want to save the filter for later use, enter a name for the filter and click the
"New" button. This adds the name of the filter to the list of filters. By itself clicking
"New" does not save the filter. Unless it is saved it will not appear in the list of filters
when ethereal is terminated and launched again.
Click "Save" to write the list of filters to a file. By default the file that contains
the display filters is .ethereal/dfilters in your home directory.
If you are running ethereal as
root, since root's home directory is /root, the file containing the display filters is
/root/.ethereal/dfilters.
This is a text file and you can examine (and modify) it with a text editor.
You can also create display filters by simply typing the filter string directly into the
"Filter" area at the bottom of the window, bypassing the filter dialog box.
When ethereal is launched it reads the file containing the named, saved filters.
These named filters are shown in the filter dialog box.
A named, saved filter can be recalled as follows:
- Click "Filter" at the bottom of the page.
- Select the desired filter by name from the list shown.
- Click "Apply"
Capture Filters
A capture filter is used to restrict which packets are captured.
The syntax of capture filters is described on the tcpdump man page.
[Linux prompt]# man tcpdump
An example of a capture filter string is:
ether proto 0x0806 and host 192.168.200.1
Capture filters are applied in the
dialog that is displayed when you first choose to start a capture.
When that dialog box is opened you can type a capture filter string
into the field labelled "Filter", or you can recall a named, saved filter
by clicking the "Filter" button.
To use a named, saved filter you must create a capture filter string, name the filter, and
save it. The filter can then be selected in the dialog box that is displayed when you
choose to start capturing packets. There is no tool to help you build a capture
filter string. You have to compose it yourself. If the syntax is incorrect ethereal
will not start capturing packets.
By default the file that contains the capture filters is .ethereal/cfilters in
your home directory.
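Because display and capture filters are saved in different files with different syntax, the manual's advice to put "capture" or "display" in the saved name is worth enforcing. The script below is an added example, not part of the lab manual or of ethereal: it writes named filters to .ethereal/dfilters or .ethereal/cfilters, embeds the kind in the name, and rejects the most common mix-up (display syntax such as == saved as a capture filter). It assumes the files hold one filter per line in the form "name" expression; ETHEREAL_DIR and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lab manual): keep capture and display filters in
# their separate files under ~/.ethereal and refuse an obvious mix-up.
# Assumed file format: one filter per line, written as  "name" expression
ETHEREAL_DIR="${ETHEREAL_DIR:-$HOME/.ethereal}"

# Map a kind (capture|display) to its file, following the manual's defaults.
filter_file() {
    case "$1" in
        capture) printf '%s/cfilters\n' "$ETHEREAL_DIR" ;;
        display) printf '%s/dfilters\n' "$ETHEREAL_DIR" ;;
        *) printf 'unknown filter kind: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Heuristic check: tcpdump-style capture filters never contain ==, !=, && or ||,
# and display filters do not use the "proto" keyword. Returns 1 on a mismatch.
check_syntax() {
    case "$1" in
        capture) case "$2" in *==*|*!=*|*'&&'*|*'||'*) return 1 ;; esac ;;
        display) case "$2" in *' proto '*|'proto '*) return 1 ;; esac ;;
    esac
    return 0
}

# save_filter KIND NAME EXPRESSION: append to the right file with KIND in the name.
save_filter() {
    kind=$1; name=$2; expr=$3
    file=$(filter_file "$kind") || return 2
    check_syntax "$kind" "$expr" || {
        printf 'refusing: "%s" does not look like a %s filter\n' "$expr" "$kind" >&2
        return 1
    }
    mkdir -p "$(dirname "$file")"
    printf '"%s %s" %s\n' "$kind" "$name" "$expr" >> "$file"
}

# list_filters KIND: print the saved names (the text between the quotes).
list_filters() {
    file=$(filter_file "$1") || return 2
    [ -f "$file" ] || return 0
    sed -n 's/^"\([^"]*\)".*/\1/p' "$file"
}

# get_filter KIND NAME: print the expression saved under that name.
get_filter() {
    file=$(filter_file "$1") || return 2
    [ -f "$file" ] || return 1
    sed -n "s/^\"$1 $2\" //p" "$file"
}

# Stand-alone demonstration, only when invoked as:  sh thisfile.sh demo
# (guarded so that merely loading the functions never touches your real files).
if [ "${1:-}" = demo ]; then
    save_filter display "ARP only" 'eth.type==0x0806'
    save_filter capture "ARP only" 'ether proto 0x0806'
    list_filters display; list_filters capture
    get_filter capture "ARP only"
fi
```

The syntax check is only a heuristic: it catches the case the manual warns about (a display expression pasted into the capture dialog, which stops ethereal from starting the capture), not every malformed string.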
gated (router)
gated implements several routing protocols and allows any computer running linux to
act as a router.
Documentation for gated is available on the computers in the lab in html format in the file
/usr/share/doc/gated-3.6/doc/main.html:
An alternate site for gated documentation is
http://www.ifm.liu.se/~peter/doc/gated/node1.html
ifconfig
ifconfig allows you to view and modify the following characteristics of a
network interface
- whether the interface is up or down
- whether ARP is enabled on this interface
- whether the interface is in promiscuous mode
- whether the interface is in all-multicast mode (i.e. receives multicast packets)
- the metric
- the Maximum Transfer Unit (MTU)
- the IP address, netmask, and broadcast address
- the IPv6 address
- the transfer queue length
- the destination address for point-to-point protocol
- the hardware (i.e. Ethernet) address
- statistics on packet errors
For a description of all the options for ifconfig refer to the man page:
[Linux prompt]# man ifconfig
minicom (terminal emulator)
minicom is a terminal emulator that runs under Linux. If a serial port of the
computer is connected to the console port of a network device, minicom can be
used to communicate with the device.
For a description of all the options for minicom refer to the man page:
[Linux prompt]# man minicom
To start minicom with a connection to serial port S0 type
[Linux prompt]# minicom s0
To start minicom with a connection to serial port S1 type
[Linux prompt]# minicom s1
netstat
netstat prints information on network connections, routing tables, interface
statistics, masquerade connections, and multicast memberships
For a description of all the options for netstat refer to the man page:
[Linux prompt]# man netstat
ping
ping is used to determine whether there is a connection between two computers.
On one computer issue
the command "ping a.b.c.d" where a.b.c.d is the IP address of an interface on the other computer.
For example:
[Linux prompt]# ping 192.168.200.1
This causes
a packet to be sent to the other computer. The other computer should respond. ping will display
whether a reply was returned and information about the round-trip time.
For computers on the Internet
with hostnames the command can be issued in the form "ping hostname".
For example:
[Linux prompt]# ping linux.cs.sonoma.edu
For a description of all the options for ping refer to the man page:
[Linux prompt]# man ping
A complete understanding of this utility depends on an understanding of the IP addressing
scheme.
route (display forwarding table)
route displays or modifies the IP forwarding table
For a description of all the options for route refer to the man page:
[Linux prompt]# man route
When used without any options route attempts to resolve names by issuing
DNS queries over the network. This can delay the completion of the output
and produce unwanted packets. Name resolution can be suppressed with the
"-n" option:
[Linux prompt]# route -n
routed (RIP router)
routed enables the RIP routing protocols.
sereal
sereal is a program that transfers data between the serial ports and
displays the data that is transferred. Any data that arrives on serial
port S0 is immediately sent to port S1 and shown on the screen. Any
data that arrives on serial port S1 is immediately sent to port S0 and
shown on the screen. The display identifies the port from which the
data arrives, and it shows the hex value of each byte as well as the
ASCII character if it can be displayed. The
program is terminated by typing CTRL/C on the keyboard.
The program does not alter the baud rates of the serial ports, so they
must be set to the speed of the arriving data
before sereal is started. The serial ports probably default to 9600
baud. To change the speed of the serial ports use the command "stty
-F device ispeed rate ospeed rate" where "device" is /dev/ttyS0 or
/dev/ttyS1, and rate is the baud rate. For example, to set the speed
of both serial ports to 1200 baud:
[Linux prompt]# stty -F /dev/ttyS0 ispeed 1200 ospeed 1200
[Linux prompt]# stty -F /dev/ttyS1 ispeed 1200 ospeed 1200
The source file for the program
sereal.c
and its
makefile
can be downloaded.
snmpxxxx (snmp management)
There are several applications with names of the form snmpxxxx which can perform
snmp management functions. They are:
- snmpbulkget - communicates with a network entity using SNMP GETBULK requests.
- snmpbulkwalk - communicates with a network entity using SNMP BULK requests.
- snmpcheck - ???
- snmpconf - ???
- snmpdelta - Monitor deltas of integer valued SNMP variables.
- snmpdf - gets a listing of disk space usage on a remote machine via SNMP.
- snmpget - communicates with a network entity using SNMP GET Requests.
- snmpgetnext - communicates with a network entity using SNMP GET NEXT requests.
- snmpinform - sends an SNMP trap to a manager.
- snmpnetstat - show network status using SNMP.
- snmpset - communicates with a network entity using SNMP SET requests.
- snmpstatus - Retrieves important information from a network entity.
- snmptable - obtain and print an SNMP table.
- snmptest - communicates with a network entity using SNMP requests.
- snmptranslate - translate SNMP OID values into more useful information.
- snmptrap - sends an SNMP trap to a manager.
- snmpusm - creates and maintains SNMPv3 users on a remote entity.
- snmpvacm - ???
- snmpwalk - communicates with a network entity using SNMP GETNEXT requests.
For a description of all the options for snmpxxxx type:
[Linux prompt]# man snmpxxxx
sock (test TCP and UDP)
sock is a program written by Richard Stevens for use with his books on IP networking.
It allows you to send and receive UDP packets and to create TCP connections with a
wide variety of options. The sock binary is available through anonymous ftp from
linux.cs.sonoma.edu in the directory pub/networking/programs.
For a description of all the options for sock run the program without any arguments:
[Linux prompt]# ./sock
tcpdump (command line protocol analyzer)
tcpdump is a line-oriented application for capturing ethernet
packets. It is generally easier to use ethereal.
For a description of all the options for tcpdump refer to the man page:
[Linux prompt]# man tcpdump
Tera Term (Windows terminal emulator)
Tera Term is a terminal emulator that runs under Windows. If a serial port of the
computer is connected to the console port of a network device, Tera Term can be
used to communicate with the device.
traceroute
traceroute is used to determine the sequence of network nodes a packet passes through
when it is sent from one computer to another. On one computer
the command "traceroute a.b.c.d"
is issued, where a.b.c.d is the IP address of an interface on the other computer.
For example:
[Linux prompt]# traceroute 192.168.200.1
traceroute will display the nodes the packet passes through. For computers on the Internet
with hostnames the command can be issued in the form "traceroute hostname" where hostname
is the Internet name of the computer.
For example:
[Linux prompt]# traceroute valinux.cs.sonoma.edu
For a description of all the options for traceroute refer to the man page:
[Linux prompt]# man traceroute
A complete understanding of this utility depends on an understanding of the IP addressing
scheme.
Exercises
- Examine the man page for ifconfig. Determine the parameters of this command that
set the IP address, the netmask, the broadcast address, and the network for the interface.
Construct a command that sets the following values for eth2:
- IP address = 192.168.12.200
- Netmask = 255.255.0.0
- Broadcast address = 192.168.255.255
- Network = 192.168.0.0
Verify that the interface has these new parameters by using "ifconfig -a" to examine all
the interfaces.
- If you use the command from the exercise above, then you disable and reenable
eth2, will the values associated with that interface be those from ifcfg-eth2 or those
from the ifconfig command?
- Examine the man page for ifconfig. Determine the parameters of this command that
set the ethernet address of the interface.
Write down the current ethernet address of eth2, then use
the ifconfig command to change it to 11.22.33.44.55.66. Does the original ethernet address
return if you disable and reenable the interface? If not, does it return if you reboot
the computer?
- Use ethereal to capture several dozen packets from interface eth0. Locate a packet
whose protocol is ARP. What filter string will display only ARP packets?
Using Display->Match Selected create a display filter that
restricts the displayed packets to only ARP packets. Observe the filter string that
was created.
- Use ethereal to capture several dozen packets from interface eth0. Locate a packet
whose source IP address is in the Computer Science Department subnet (130.157.166.*).
What filter string will display only packets from that source IP address?
Try using Display->Match Selected to create a display filter that
restricts the displayed packets to only packets from that source IP address.
Observe the filter string that was created. Then try to create the desired filter
using the filter dialog. Are they different?
- Use ethereal to capture several dozen packets from interface eth0. Use the display
filter dialog box to create a display filter that only shows packets whose ethernet
destination address is the broadcast address ff:ff:ff:ff:ff:ff.
Is it evident from the "Destination" column in the first ethereal pane
which packets have this ethernet destination address?
- Use ethereal to capture several dozen packets from interface eth0. Use the display
filter dialog box to create a display filter that only shows packets whose ethernet
destination address is not the broadcast address ff:ff:ff:ff:ff:ff. If there are
any, why were they delivered to your computer?
- Use ethereal to capture several dozen packets from interface eth0. Use the display
filter dialog box to create a display filter that only shows packets whose protocol
is ARP and whose ethernet
destination address is the broadcast address ff:ff:ff:ff:ff:ff.
- Use ethereal to capture several dozen packets from interface eth0. Examine the
list of packets and identify the ethernet address of one of the Computer Science
Department servers. Construct a display filter that only shows packets whose
ethernet source address is the address of that computer or whose ethernet destination
address is the address of that computer.
- Create the display filter from one of the previous exercises, name it and save it.
Demonstrate that the filter can be retrieved at a later time.
- Start ethereal on interface eth0 on two adjacent computers.
On one computer create the capture filter whose filter string is "ip proto udp".
Capture packets simultaneously on both computers or until the one with the capture
filter has captured several packets. Then on the computer that had no capture filter
apply a display filter to show only UDP packets and compare the results on the two
computers.
- Create a capture filter which shows only ARP packets.
Verify that the filter works.
- Create a capture filter which shows only packets from IP source linux.cs.sonoma.edu.
Verify that the filter works.
- Use ping to verify that there is a connection to each of the following servers:
- linux.cs.sonoma.edu
- solaris.cs.sonoma.edu
- vax.sonoma.edu
- itlserver
- Identify the internet address of a computer that is very distant
(you might discover such an address by examining the URLs of web pages).
Use traceroute
to show the route from your computer to the distant computer. Try several such
targets to be sure you get one that has many intervening nodes. Record this route every
day (or every day you are in the lab) for several weeks or months to see whether the
route ever changes.
This exercise can be automated. You can write a script that appends the results of the
traceroute command to a file every time it is run, and you can use the cron utility to
run that script every day.
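One way to automate the last exercise, as an added example that is not part of the lab manual: a small script that appends one timestamped traceroute run to a log file each time it is executed, with a helper that counts how many distinct routes the log has recorded so far. The log path, the placeholder target address and the function names are this example's assumptions; the cron line in the comment uses a placeholder path that must be replaced with wherever the script is installed.

```shell
#!/bin/sh
# Added example (not from the lab manual): append one timestamped traceroute to
# a log each time the script runs, so that daily runs from cron can be compared.
# Install it and add a crontab entry such as (placeholder path and target):
#   0 9 * * * /home/student/record_route.sh 192.0.2.1
LOGFILE="${LOGFILE:-$HOME/route-log.txt}"
TRACER="${TRACER:-traceroute -n}"   # -n avoids DNS lookups, as with route -n

# record_route TARGET LOGFILE: append a header line, the traceroute output,
# and a blank line so that each run is one paragraph in the log.
record_route() {
    target=$1; log=$2
    {
        printf '=== %s target=%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$target"
        $TRACER "$target" 2>&1
        printf '\n'
    } >> "$log"
}

# count_runs LOGFILE: number of recorded runs (one header line per run).
count_runs() { grep -c '^=== ' "$1"; }

# distinct_routes LOGFILE: number of different routes seen. Paragraph mode
# (RS="") splits the log into runs; the header line is dropped before
# comparing because only its timestamp changes from day to day.
distinct_routes() {
    awk 'BEGIN { RS=""; n=0 }
         { sub(/^=== [^\n]*\n/, ""); if (!($0 in seen)) n++; seen[$0]=1 }
         END { print n+0 }' "$1"
}

# Stand-alone use: record one run for the target given on the command line.
if [ -n "${1:-}" ]; then
    record_route "$1" "$LOGFILE"
    printf 'runs recorded: %s, distinct routes: %s\n' \
        "$(count_runs "$LOGFILE")" "$(distinct_routes "$LOGFILE")"
fi
```

Running traceroute with -n keeps the log free of the extra DNS traffic the manual mentions for route, and comparing whole paragraphs is a crude but honest test: a route counts as "changed" when any hop line differs, including the round-trip times, so a practitioner who only cares about the hop addresses would cut the time columns before comparing.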
Sonoma State University, CS Department, Computer and Engineering Science, Internet Teaching Laboratory: Lab Manual.