Unit 1: Packet Sniffing, 1.3 Activity and Discussion

mac  2022-06-30

ACTIVITY: VIEWING NETWORK DATA WITH WIRESHARK

This activity is ungraded.

Remember: Be sure to watch these Demo videos from this unit before trying this activity. Watching me do it first will help you understand each of the steps.

Welcome to Wireshark
Local Communication through Wireshark
Remote Communication through Wireshark

System: You can complete this activity on any system (the steps below assume a Windows host). You should have at least 6 GB of RAM.

Time: This activity should take you 30 to 60 minutes to complete.

Downloads

Download and install Wireshark
Download and install VMware Workstation Player
Download Kali Linux

Goal

To learn how to find and interpret network activity within Wireshark

Instructions

Set up your virtual machine
1. Launch VMware Workstation Player.
2. Enter a valid email address and then click the Continue button.
3. Click the Finish button.
4. Click Create a New Virtual Machine.
5. Click the Browse… button, and browse to the location of your Kali ISO. This should be the Downloads folder.
6. Double click the Kali ISO.
7. Click the Next > button.
8. In the Version dropdown, select Debian 8.x 64-bit and click the Next > button.
9. Change the Virtual machine name in the text box to Kali and click the Next > button.
10. Select the radio button for Store virtual disk as a single file and click the Next > button.
11. Click the Finish button.
12. Click Edit virtual machine settings.
13. Change the Memory for this virtual machine to 2048 MB (if you have at least 6 GB of RAM).
14. Select Network Adapter, click the radio button for Bridged, and put a check in the box next to Replicate physical network connection state.
15. Click the OK button.
16. Click Play virtual machine.
Install Kali (and optionally, VMware Tools)
1. When prompted for VMware Tools, click the Download and Install button.
2. In the Kali boot screen, use the arrow keys to scroll down to Graphical install and press Enter.
3. Click through the installer using default settings, or change them for your location.
4. Select your own hostname and password when prompted, and continue to accept all default selections, when applicable.
5. When prompted, select /dev/sda for the boot loader installation.
6. When prompted, log in with the username root and the password you selected.
7. Optional, but recommended: manually install or upgrade VMware Tools in the Linux virtual machine (follow VMware's instructions for that procedure).
8. Change the Kali resolution by clicking the triangle at the top on the far right, then the All Settings button (first of 3), and then Displays.
9. Click the second icon on the left toolbar to open a terminal.
10. Type ip a, and note the IP address assigned to the eth0 interface.
11. Open a command line window on the Windows host by clicking the Start button, typing cmd, and pressing Enter.
12. Type ipconfig to locate your host's IP address.
Use Wireshark to view network activity
1. Open Wireshark on the host.
2. Click the Wi-Fi adapter (assuming you're not using a wired Ethernet connection). This will start a live capture.
3. In the filter box (below the toolbar at the top), type arp or icmp and hit Enter.
4. In the command line on the host, ping the IP address of your Kali VM.
5. In Wireshark, you should see an ARP Request, an ARP Reply, as well as four ICMP Echo Requests and Replies. If no ARP appears, the host already had the Kali MAC address in its ARP cache; clear the cache with arp -d from an Administrator prompt (as in Viewing Remote Communication below) and ping again. Click the red square icon (second from the left) on the toolbar at the top to stop the capture.
6. In the middle Wireshark pane (Packet Details), select the first ARP frame, and expand the triangle next to Ethernet II and the triangle next to Address Resolution Protocol (request).
Things to note
In the Ethernet frame, the source MAC address is the MAC address of the host machine, and the destination MAC address is the Layer 2 broadcast address, ff:ff:ff:ff:ff:ff (12 Fs).

In the ARP (which is encapsulated inside the Ethernet frame), the Sender MAC and Sender IP address belong to the host machine. Also notice that the Target MAC is all 0s (the sender does not know it yet, so it left that field blank), but the Target IP address is that of the Kali box.

In the top pane (Packet List), Wireshark turns this into a plain-English question in the Info column: "Who has <Kali IP>? Tell <host IP>".

The next frame in the Packet List is the response. Compare the fields in the Ethernet frame and the ARP in this reply to those in the request above: the reply is sent unicast to the host's MAC address, and the Kali box has filled in its own MAC as the Sender MAC.

ARP is a pure Layer 2 protocol. It is not routable, and there is no IP header. Even though you did see IP addresses in the ARP fields, that does not make it a Layer 3 routable protocol; those addresses are simply data carried inside the Ethernet frame.

Now that the host machine has the ARP reply, with the MAC address of the Kali box, it can send the ICMP Echo Requests. The next 8 rows should be 4 ICMP Echo Requests and 4 ICMP Echo Replies. ICMP is a Layer 3 protocol.

1. Select the first ICMP Echo Request.
2. Notice how ICMP is encapsulated inside of an IP packet, which is encapsulated inside an Ethernet frame.
3. Expand the fields of all protocols, by clicking the triangles.

Notice with the ICMP Echo Requests that the source MAC address and the source IP address are those of the host machine, while the destination MAC address and the destination IP address are those of the Kali box.

For the ICMP Echo Replies, the pairs are reversed. This is local communication. The source determined that the destination was on the same subnet by logically ANDing its own IP address with its subnet mask, and then logically ANDing the destination IP address with that same subnet mask. Because both resulting network IDs came out the same, the source knew it had to ARP for the MAC address of the actual destination rather than for its default gateway.
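To check the fields noted above without a live capture, here is an added example (written for this page, not code from the original activity) that decodes the two frame layouts the exercise looks at: Ethernet II carrying ARP, and Ethernet II carrying IPv4 carrying ICMP. The MAC and IP addresses are constructed sample values, the sample "capture" is built by the script itself, and the IP and ICMP checksums are left at zero because the decoder does not verify them.

```python
"""Decode Ethernet/ARP and Ethernet/IPv4/ICMP frames the way Wireshark's
Packet Details and Packet List panes present them.

Added example for this page, not part of the original course activity. All
addresses below are constructed (the 00:0c:29 prefix is VMware's OUI, the
rest is made up) and checksum fields are left at zero (not verified here)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed addresses standing in for the Windows host and the Kali VM.
HOST_MAC, HOST_IP = bytes.fromhex("0011223344aa"), bytes([192, 168, 1, 10])
KALI_MAC, KALI_IP = bytes.fromhex("000c29abcdef"), bytes([192, 168, 1, 20])


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]


def parse_arp(body):
    """Decode the 28-byte Ethernet/IPv4 ARP body (the fields Wireshark expands)."""
    if len(body) < 28:
        raise ValueError("ARP body truncated")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", body[:28])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    return {"opcode": {1: "request", 2: "reply"}.get(op, f"op{op}"),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def parse_ipv4_icmp(packet):
    """Decode the IPv4 header (honouring IHL) and the ICMP type/code inside it."""
    if len(packet) < 20:
        raise ValueError("IPv4 header truncated")
    ver_ihl, proto, src, dst = struct.unpack("!B8xB2x4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 1 or len(packet) < ihl + 4:
        raise ValueError("not an IPv4 packet carrying a complete ICMP header")
    icmp_type, icmp_code = struct.unpack("!BB", packet[ihl:ihl + 2])
    return {"src_ip": ip_str(src), "dst_ip": ip_str(dst), "code": icmp_code,
            "icmp": {8: "request", 0: "reply"}.get(icmp_type, f"type {icmp_type}")}


def describe(frame):
    """Summarise one frame as a Packet List row: protocol, L2 addresses, Info."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if ethertype == ETHERTYPE_ARP:
        arp = parse_arp(payload)
        info = (f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}"
                if arp["opcode"] == "request"
                else f"{arp['sender_ip']} is at {arp['sender_mac']}")
        return {"proto": "ARP", "src_mac": src, "dst_mac": dst, "info": info, "fields": arp}
    if ethertype == ETHERTYPE_IPV4:
        ip = parse_ipv4_icmp(payload)
        return {"proto": "ICMP", "src_mac": src, "dst_mac": dst,
                "info": f"Echo (ping) {ip['icmp']}", "fields": ip}
    raise ValueError(f"unhandled EtherType 0x{ethertype:04x}")


# Builders for the constructed sample capture (same layouts as the parsers).
def build_arp(op, sha, spa, tha, tpa, dst_mac):
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op, sha, spa, tha, tpa)
    return struct.pack("!6s6sH", dst_mac, sha, ETHERTYPE_ARP) + body


def build_echo(icmp_type, src_mac, src_ip, dst_mac, dst_ip, seq):
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq) + b"abcdefghijklmnopqrstuvwabcdefghi"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0, src_ip, dst_ip)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4) + ip_hdr + icmp


SAMPLE_CAPTURE = [
    build_arp(1, HOST_MAC, HOST_IP, bytes(6), KALI_IP, b"\xff" * 6),  # request: broadcast, target MAC zero
    build_arp(2, KALI_MAC, KALI_IP, HOST_MAC, HOST_IP, HOST_MAC),     # reply: unicast back to the host
]
for seq in range(1, 5):  # Windows ping sends four Echo Requests by default
    SAMPLE_CAPTURE.append(build_echo(8, HOST_MAC, HOST_IP, KALI_MAC, KALI_IP, seq))
    SAMPLE_CAPTURE.append(build_echo(0, KALI_MAC, KALI_IP, HOST_MAC, HOST_IP, seq))


def summarize(frames=SAMPLE_CAPTURE):
    return [describe(f) for f in frames]


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['proto']:5} {row['src_mac']} -> {row['dst_mac']}  {row['info']}")
```

Running it prints the same ten rows the activity expects in the Packet List: the broadcast ARP request with an all-zero target MAC, the unicast reply, then four request/reply pairs whose MAC and IP pairs swap direction. The IHL check in parse_ipv4_icmp matters on real captures, where IP options shift the ICMP header past byte 20.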
Viewing Remote Communication
1. Start a new Wireshark capture by clicking the blue fin (first icon from the left), with the same filter as in Step 3 under Use Wireshark to view network activity (arp or icmp).
2. Open a new command line interface with Administrator privileges, by clicking the Start button, typing cmd, right clicking on the icon, selecting Run As Administrator, and clicking the Yes button.
3. At the prompt, type arp -d, which will clear the host's ARP cache (this is why the prompt must be elevated). Then, immediately type ping www.google.com. You will have a new set of ARPs and ICMPs.

Things to note: this time the ARP Request asks for the MAC address of your default gateway, not of www.google.com. The host ANDed its own IP address and the resolved Google IP address with its subnet mask, got different network IDs, and so had to hand the packets to the gateway. In the ICMP Echo Requests the destination IP address is Google's, but the destination MAC address is the gateway's; in the Echo Replies the source IP is Google's while the source MAC is the gateway's. Note also that ping resolves the name with a DNS query first (hidden by the arp or icmp filter), so if your DNS server is off-subnet that query is what actually triggers the ARP for the gateway. If you ping again without clearing the cache, no ARP appears at all, because the gateway's MAC address is already cached.
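The local-versus-remote decision described in both capture exercises (AND the source and destination addresses with the subnet mask, then ARP either for the destination or for the default gateway) can be modelled in a few lines. The following is an added example written for this page, not code from the original activity. The host configuration, the LAN table and the remote address 203.0.113.5 (a TEST-NET-3 documentation address standing in for Google) are constructed, and nothing is sent on a real network; the script only records the frames Wireshark would list.

```python
"""Model which address a host ARPs for before sending, and how the ARP cache
changes what a capture shows.

Added example for this page, not part of the original activity. The host
configuration, the LAN table and the remote address are all constructed."""

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def ip_to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_id(ip, netmask):
    """The logical AND the text describes: address & mask gives the network ID."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(netmask))


def next_hop(src_ip, netmask, gateway, dst_ip):
    """Return (scope, address_to_arp_for) for a packet from src_ip to dst_ip."""
    if network_id(src_ip, netmask) == network_id(dst_ip, netmask):
        return "local", dst_ip          # same network ID: frame goes straight to the host
    return "remote", gateway            # different network ID: frame goes to the gateway


class Host:
    """A host with an ARP cache; records frames as Wireshark would list them."""

    def __init__(self, ip, netmask, gateway, mac, lan):
        self.ip, self.netmask, self.gateway, self.mac = ip, netmask, gateway, mac
        self.lan = lan          # constructed segment: IP -> MAC of hosts that answer ARP
        self.arp_cache = {}
        self.trace = []         # (proto, dst_mac, dst_ip, info), one entry per frame sent or seen

    def flush_arp(self):
        """Equivalent of 'arp -d' on the Windows host."""
        self.arp_cache.clear()

    def resolve(self, ip):
        if ip not in self.arp_cache:
            self.trace.append(("ARP", BROADCAST_MAC, ip, f"Who has {ip}? Tell {self.ip}"))
            mac = self.lan.get(ip)
            if mac is None:
                raise LookupError(f"nobody on the segment answered ARP for {ip}")
            self.trace.append(("ARP", self.mac, ip, f"{ip} is at {mac}"))
            self.arp_cache[ip] = mac
        return self.arp_cache[ip]

    def ping(self, dst_ip, count=4):
        scope, arp_for = next_hop(self.ip, self.netmask, self.gateway, dst_ip)
        dst_mac = self.resolve(arp_for)
        for seq in range(1, count + 1):
            # Destination IP is always the final target; destination MAC is the next hop.
            self.trace.append(("ICMP", dst_mac, dst_ip, f"Echo (ping) request seq={seq}"))
        return scope, arp_for, dst_mac


LAN = {"192.168.1.20": "00:0c:29:ab:cd:ef",   # the Kali VM (constructed)
       "192.168.1.1": "aa:bb:cc:00:00:01"}    # the default gateway (constructed)


def demo():
    host = Host("192.168.1.10", "255.255.255.0", "192.168.1.1", "00:11:22:33:44:aa", LAN)
    local = host.ping("192.168.1.20")     # ARP for Kali, then echoes to Kali's MAC
    host.flush_arp()                      # arp -d
    remote = host.ping("203.0.113.5")     # ARP for the gateway, echoes to the gateway's MAC
    host.ping("203.0.113.5")              # gateway MAC is cached: no ARP this time
    return host, local, remote


if __name__ == "__main__":
    h, _, _ = demo()
    for proto, dst_mac, dst_ip, info in h.trace:
        print(f"{proto:5} -> {dst_mac}  {dst_ip:15}  {info}")
```

The third ping in demo() is the point of the arp -d step in the activity: once the gateway's MAC is cached, a capture filtered on arp or icmp shows only the Echo Requests, and the ARP exchange is never repeated until the cache entry ages out or is flushed.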

After you've finished, answer the Check Your Work questions.

Reposted from: https://www.cnblogs.com/sec875/articles/10015895.html
