CIS-4080 Homework #5: Capturing Traffic on the Experimental Network

Due: Friday, April 14, 2023

Reading: ...

Part 1

In this part you will capture and analyze some traffic on the CIS experimental network. Please refer to BLP-210-Lab.pkt for the topology of the network and BLP-210-Lab.md for a description of its configuration.

Proceed as follows:

  1. On mu.cis.vtc.edu, log in as student and capture OSPF traffic on the 192.168.0.0/24 experimental subnetwork. Use a command such as:

          $ tshark -i eth2 -f 'proto ospf' -w jjones-homework-05-1.pcapng

    The -i option specifies which interface to capture on (eth2 is connected to the monitoring port of switch S0). The -f option specifies the capture filter, written in libpcap/BPF capture-filter syntax (not Wireshark display-filter syntax); all traffic that does not match it is discarded before anything is written. The -w option specifies the name of the file into which to write the captured traffic. Since the student account on mu is shared, be sure to include your name in the file name (here 'jjones' is just an example).

    You may have to wait a short time for any OSPF packets to be captured. Collect a small number of them (three or four is fine).

  2. You can dissect the packets on mu, or you can transfer the captured file to your own machine (using, for example, SCP or SFTP) and examine the packets using the graphical Wireshark tool. Wireshark can read the pcapng files ("Packet Capture, Next Generation").

    What OSPF message(s) do you see? What destination IP address are they being sent to, and what is special about that address? Are there any replies? Why or why not?

    One potential network attack method that can be used against a LAN is for a computer, such as dunari on the experimental network, to pretend to be a router and exchange "fake" OSPF messages with the real routers. Is there any good reason for R1 to be sending OSPF messages onto the 192.168.0.0/24 subnetwork?

  3. Run the following capture on mu:

          $ tshark -i eth2 -f 'host 192.168.0.1' -w jjones-homework-05-3.pcapng

    This captures all traffic to/from R1.

    Next, in a separate session to mu, use the nmap tool to probe the router for open ports. This can be done with the command:

          $ nmap 192.168.0.1

    Wait for the mapping to complete (it takes a few seconds; by default nmap probes its list of the 1000 most commonly used TCP ports). It should report only one open port (port 22, used by SSH).

  4. Study the captured traffic. How does nmap work? What does it send to each port, and how does the router's answer for port 22 differ from its answer for a port that is closed? The nmap tool has many modes of operation; this is its most basic mode and not very stealthy, since every probe and every reply to it is visible in the capture.

  5. Be sure to remove any files you created on mu to avoid cluttering up the system for other users. Any files you created that you want to keep should be transferred off the system (for example, to Lemuria or your own computer).
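As an added example (not part of the course materials) of the two analyses asked for in steps 2 and 4, the following Python script dissects raw Ethernet/IPv4 frames of the kinds captured above. Rather than reading the pcapng file, it constructs its own sample frames: two OSPF Hellos from R1 (192.168.0.1) to the AllSPFRouters multicast group, and three TCP probes of R1 together with the answers that let a port scanner tell an open port (SYN-ACK) from a closed one (RST) or one that never answers. The scanner address 192.168.0.5, the MAC addresses and the Hello parameters are assumptions, and all checksums are left at zero because the dissector does not verify them.

```python
"""Dissect OSPF packets and TCP scan probes from raw Ethernet/IPv4 frames.

Added example, not part of the course materials.  The frames in SAMPLE are
constructed inline so the script runs offline; feed it frames from the real
capture to use it on the homework data.
"""
import socket
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
IPPROTO_OSPF = 89
ALL_SPF_ROUTERS = "224.0.0.5"          # OSPF AllSPFRouters multicast group
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request",
              4: "LS Update", 5: "LS Ack"}
SYN, RST, ACK = 0x02, 0x04, 0x10        # TCP flag bits

# --- builders for the constructed sample frames ---------------------------
# MAC addresses are placeholders; IP/TCP/OSPF checksums are left at zero
# because the dissector below never verifies them.

def eth(payload):
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ETH_P_IP) + payload)

def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def ospf_hello(router_id, area_id="0.0.0.0"):
    # Hello body (RFC 2328 A.3.2): mask, HelloInterval, options, priority,
    # RouterDeadInterval, DR, BDR, no neighbours.  Values are assumptions.
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"), 10,
                       0x02, 1, 40, b"\0" * 4, b"\0" * 4)
    # OSPFv2 header (RFC 2328 A.3.1): version, type, length, router id,
    # area id, checksum, AuType (0 = null authentication), 8 auth bytes.
    hdr = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                      socket.inet_aton(router_id), socket.inet_aton(area_id),
                      0, 0, b"\0" * 8)
    return hdr + body

def tcp(sport, dport, flags):
    # 20-byte TCP header, no options, no payload; data offset = 5 words.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0)

# --- dissector -----------------------------------------------------------

def parse_frame(frame):
    """Describe one Ethernet/IPv4 frame as a dict; None if it is not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # header length in bytes
    pkt = {"src": socket.inet_ntoa(ip[12:16]),
           "dst": socket.inet_ntoa(ip[16:20]), "proto": ip[9]}
    payload = ip[ihl:]
    if pkt["proto"] == IPPROTO_OSPF:
        pkt.update(ospf_version=payload[0],
                   ospf_type=OSPF_TYPES.get(payload[1], f"type {payload[1]}"),
                   router_id=socket.inet_ntoa(payload[4:8]),
                   area_id=socket.inet_ntoa(payload[8:12]))
    elif pkt["proto"] == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", payload[0:4])
        pkt.update(sport=sport, dport=dport, flags=payload[13])
    return pkt

def ospf_summary(frames):
    """One line per OSPF packet, noting whether it went to AllSPFRouters."""
    out = []
    for p in map(parse_frame, frames):
        if p and p["proto"] == IPPROTO_OSPF:
            where = ("multicast AllSPFRouters" if p["dst"] == ALL_SPF_ROUTERS
                     else "unicast")
            out.append(f"OSPFv{p['ospf_version']} {p['ospf_type']} from "
                       f"router-id {p['router_id']} "
                       f"({p['src']} -> {p['dst']}, {where})")
    return out

def scan_results(frames, target):
    """Infer port state from a capture the way a SYN/connect scan does:
    SYN-ACK back => open, RST back => closed, no answer => filtered."""
    state = {}
    for p in map(parse_frame, frames):
        if not p or p["proto"] != IPPROTO_TCP:
            continue
        if p["dst"] == target and p["flags"] & SYN and not p["flags"] & ACK:
            state.setdefault(p["dport"], "filtered")   # probe seen, no reply yet
        elif p["src"] == target and p["sport"] in state:
            if p["flags"] & SYN and p["flags"] & ACK:
                state[p["sport"]] = "open"
            elif p["flags"] & RST:
                state[p["sport"]] = "closed"
    return state

# --- constructed sample traffic (scanner address is an assumption) --------
R1, SCANNER = "192.168.0.1", "192.168.0.5"
SAMPLE = [
    eth(ipv4(R1, ALL_SPF_ROUTERS, IPPROTO_OSPF, ospf_hello(R1))),
    eth(ipv4(R1, ALL_SPF_ROUTERS, IPPROTO_OSPF, ospf_hello(R1))),
    eth(ipv4(SCANNER, R1, IPPROTO_TCP, tcp(40000, 22, SYN))),
    eth(ipv4(R1, SCANNER, IPPROTO_TCP, tcp(22, 40000, SYN | ACK))),
    eth(ipv4(SCANNER, R1, IPPROTO_TCP, tcp(40001, 80, SYN))),
    eth(ipv4(R1, SCANNER, IPPROTO_TCP, tcp(80, 40001, RST | ACK))),
    eth(ipv4(SCANNER, R1, IPPROTO_TCP, tcp(40002, 443, SYN))),   # unanswered
]

if __name__ == "__main__":
    for line in ospf_summary(SAMPLE):
        print(line)
    for port, st in sorted(scan_results(SAMPLE, R1).items()):
        print(f"{port}/tcp {st}")
```

When run on the sample, the script reports two OSPFv2 Hellos from router-id 192.168.0.1 addressed to 224.0.0.5 and classifies 22/tcp as open, 80/tcp as closed and 443/tcp as filtered. The same three-way distinction is what nmap applies to the answers it gets back, which is why a scan of R1 leaves one SYN-ACK and many RSTs in the step 3 capture.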

Submit to Canvas a document that describes your findings.


Last Revised: 2023-03-29
© Copyright 2023 by Peter C. Chapin <pchapin@vtc.edu>