CST8217 - Lab Exercise 8
Wireshark and ICMP
Boot up all three of your virtual machines. Select one of them to run Wireshark on, and start it up there (it has a good GUI). When it starts, it will prompt you for your root password (it also allows you to run in unprivileged - normal user - mode, provided that user has been given capture rights). You can ignore the warning: "Running as user "root" and group "root". This could be dangerous.". The warning is there because Wireshark's protocol dissectors parse untrusted input from the wire; on an isolated virtual network inside a virtual host we won't be doing anything very dangerous.
You should also create a directory in this virtual machine's filesystem (in your non-root user's /home/userid directory - mine is called wireshark) to store capture files in. Open a terminal window as well (you can create the directory from there with mkdir).
Start a capture by selecting the Capture menu and then Interfaces. In the dialog that comes up (Capture Interfaces), the first interface will be your eth0 (or eth1) and will already show your machine's IP address.
Click on the Options button. Most of the preselected options are OK, but you need to choose a file for storing your capture data: see Capture File(s) on the middle left. You can also set a limit in the Stop Capture area just below; I tend to limit this to 1 megabyte(s) even though this capture file only ought to be about 2K.
As soon as you click on the Start button, the capture will begin. There should be little or no traffic just now. Create some by entering the ping command for one of your other machines. Interrupt it (use Ctrl-C) after two or three responses, or use the -c option (ping -c 3 host) to stop after exactly three. You will see the traffic being recorded in the Wireshark window. Now ping your other machine, again stopping it after a few responses (three is good). You can now stop your capture (Capture, then Stop).
It's easiest to copy your capture file to the host machine now, start Wireshark there, and Open your capture file. You will have about 15 to 25 entries visible in the top window, one line per packet: an echo request and echo reply for each ping, plus the ARP requests and replies the machines exchange to learn each other's hardware addresses.

The middle window shows, for whichever line you select in the top window, an expansion of the data in that packet:

You can click on the triangle to the left of items to expand each to provide more detail. The section of the packet being described will also be highlighted in the bottom portion of the window, where the whole packet is displayed in hex.

This hex display is in canonical form (to look at a file from a terminal in canonical form, use hexdump -C). On the left is the byte offset (address) in hex. The middle area is the data bytes in hex, divided by a double blank into two groups of 8 bytes each (for 16 bytes per line, so each line's address is 0x10 higher than the previous one, which keeps the addresses easy to follow). On the right, the same data bytes are shown as printable characters, except that bytes without a printable glyph are shown as a dot.
Walk through these packets, making note of the two complete sequences of pings (request and reply, with the ICMP identifier and sequence number matching within each pair) and comparing them. You will likely have to read some of the hex as decimal data as well - the IP total length, the TTL, and the ICMP identifier and sequence number are all shown in hex in the bottom window. Be prepared to answer a question from your lab instructor about some of the packet contents.