Difference between revisions of "NAD710 Lab 3 Answers"

From CDOT Wiki
Latest revision as of 19:42, 24 September 2008

Questions:

Answer the following questions based on the packet file "lab3-pkts" you created for this lab.


1- Write a tcpdump command to display all the packets your system sent to matrix. Do not do any name resolution for any fields in the packet but do display the physical addresses contained in the packets.

[root@localhost ~]# tcpdump -nn -e -r /tmp/lab3-pkts dst host 142.204.140.90
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:57:55.444652 00:16:76:1b:40:d2 (oui Unknown) > 00:0e:0c:4b:31:5c (oui Unknown), ethertype IPv4 (0x0800), length 114: 142.204.141.177.55212 >142.204.140.90.ssh: P 1362020055:1362020103(48) ack 2398231338 win 161 <nop,nop,timestamp 15530872 12456689>
17:57:55.445693 00:16:76:1b:40:d2 (oui Unknown) > 00:0e:0c:4b:31:5c (oui Unknown), ethertype IPv4 (0x0800), length 66: 142.204.141.177.55212 >  142.204.140.90.ssh: . ack 49 win 161 <nop,nop,timestamp 15530873 12471613>
(...additional output removed...)


2- Write a tcpdump command to display all the packets sent to your system from matrix. Do not do any name resolution for any fields in the packet but do display the physical addresses contained in the packets.

[root@localhost ~]# tcpdump -nn -e -r /tmp/lab3-pkts src host 142.204.140.90
Output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:58:56.585343 00:0e:0c:4b:31:5c (oui Unknown) > 00:16:76:1b:40:d2 (oui Unknown), ethertype IPv4 (0x0800), length 66: 142.204.140.90.ssh >  142.204.141.177.55212: . ack 1362020247 win 83 <nop,nop,timestamp 12486897 15592012>
(...additional output removed...)


3- Write a tcpdump command to display all the ARP packets captured in the packet file. Include the output in your answer.

[root@localhost ~]# tcpdump -r /tmp/lab3-pkts arp
Output:
reading from file /tmp/lab3-pkts, link-type EN10MB (Ethernet)
20:31:39.142311 arp who-has 142.204.141.188 tell 142.204.141.129
20:31:39.142336 arp reply 142.204.141.188 is-at 00:16:76:1b:40:d2 (oui Unknown)
20:32:34.928721 arp who-has 142.204.141.188 tell 142.204.141.129
20:32:34.928737 arp reply 142.204.141.188 is-at 00:16:76:1b:40:d2 (oui Unknown)


4- Write a tcpdump command to display all the ICMP "echo-request" packets in the packet file. Include the output in your answer.

[root@localhost ~]# tcpdump -r /tmp/lab3-pkts icmp
Output:
reading from file /tmp/lab3-pkts, link-type EN10MB (Ethernet)
20:31:34.141754 IP 142.204.141.188 > 142.204.140.90: ICMP echo request, id 46859, seq 1, length 64
20:31:34.142754 IP 142.204.140.90 > 142.204.141.188: ICMP echo reply, id 46859, seq 1, length 64
20:31:35.141701 IP 142.204.141.188 > 142.204.140.90: ICMP echo request, id 46859, seq 2, length 64
20:31:35.142683 IP 142.204.140.90 > 142.204.141.188: ICMP echo reply, id 46859, seq 2, length 64


5- Write a pipeline command, using tcpdump as part of the pipeline, to display the total number of packets belonging to the TELNET session between your system and matrix.

[root@localhost ~]# tcpdump -r /tmp/lab3-pkts tcp port 23 | wc -l
Output:
reading from file /tmp/lab3-pkts, link-type EN10MB (Ethernet)
198


6- Do the same for the SSH session.

[root@localhost ~]# tcpdump -r /tmp/lab3-pkts tcp port 22 | wc -l
Output:
reading from file /tmp/lab3-pkts, link-type EN10MB (Ethernet)
76


7- Write a pipeline command, using tcpdump as part of the pipeline, to display the total number of TCP packets in the packet file.

[root@localhost ~]# tcpdump -r /tmp/lab3-pkts tcp | wc -l
Output:
reading from file /tmp/lab3-pkts, link-type EN10MB (Ethernet)
314


8- Do the same for UDP packets.

[root@localhost ~]# tcpdump -r /tmp/lab3-pkts udp | wc -l
Output:
reading from file /tmp/lab3-pkts, link-type EN10MB (Ethernet)
30


9- Describe the steps you could use to find out all MAC addresses captured in the packet file. Include all the MAC addresses found in your answer.

 tcpdump -n -e -r lab3-pkts > lab3-pkts.txt
 export MAC_RE="[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]:[0-9A-F][0-9A-F]"
 grep -io $MAC_RE lab3-pkts.txt | sort | uniq
 Found only two MAC addresses.
 00:0e:0c:4b:31:5c
 00:16:76:69:74:5c


10- Describe the steps you could use to find out the total number of bytes your system received from matrix.

[root@localhost ~]# tcpdump -r /tmp/lab3-pkts src 142.204.140.90 | wc -c
Output:
reading from file /tmp/lab3-pkts, link-type EN10MB (Ethernet)
14639
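An added example (not part of the lab answer key) that post-processes tcpdump `-nn -e` text output for questions 9 and 10: it extracts the unique MAC addresses with one regular expression and totals the frame sizes tcpdump prints as `length N:`, which counts bytes on the wire rather than the characters of tcpdump's text that `wc -c` counts. The sample lines are constructed in the format shown in answers 1 and 2, so the script runs without the lab's capture file.

```shell
# Added example, not the lab's own commands. Works on tcpdump "-nn -e" text,
# so against the real capture it would be driven like this:
#   tcpdump -nn -e -r /tmp/lab3-pkts | list_macs
#   tcpdump -nn -e -r /tmp/lab3-pkts src host 142.204.140.90 | sum_frame_bytes

# Unique MAC addresses seen in any frame header (source or destination),
# normalised to lower case so "4B" and "4b" are not counted twice.
list_macs() {
    grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' | tr 'A-F' 'a-f' | sort -u
}

# Sum the frame size tcpdump prints as "length N:" on each line. This is
# the size of the captured frame, not the length of the printed text.
sum_frame_bytes() {
    awk 'match($0, /length [0-9]+:/) {
             n = substr($0, RSTART + 7, RLENGTH - 8); total += n
         }
         END { print total + 0 }'
}

# Constructed sample in tcpdump -nn -e format: two frames from matrix
# (142.204.140.90) to the lab host and one in the other direction.
SAMPLE='17:58:56.585343 00:0e:0c:4b:31:5c > 00:16:76:1b:40:d2, ethertype IPv4 (0x0800), length 66: 142.204.140.90.22 > 142.204.141.177.55212: . ack 1 win 83
17:58:56.600001 00:0e:0c:4b:31:5c > 00:16:76:1b:40:d2, ethertype IPv4 (0x0800), length 114: 142.204.140.90.22 > 142.204.141.177.55212: P 1:49(48) ack 1 win 83
17:58:56.700002 00:16:76:1b:40:d2 > 00:0e:0c:4b:31:5c, ethertype IPv4 (0x0800), length 66: 142.204.141.177.55212 > 142.204.140.90.22: . ack 49 win 161'

# Keep only frames whose IP source is matrix, then total their sizes
# (66 + 114 = 180 for the sample above).
bytes_from_matrix() {
    printf '%s\n' "$SAMPLE" | grep ' 142\.204\.140\.90\.[0-9]* > ' | sum_frame_bytes
}

# The two MAC addresses present in the sample, space separated.
macs_in_sample() {
    printf '%s\n' "$SAMPLE" | list_macs | tr '\n' ' '
}
```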

11- Write a tcpdump command to capture all your traffic on port 80, then open the website google.ca, make a search for “arcade”, and then verify your captured data.

tcpdump -i eth1 tcp port 80