Documente Academic
Documente Profesional
Documente Cultură
Project 1-4
This project assumes you followed the steps in Hands-on
Project 1-3, and the EtherPeek for Windows demo program
is open.
To explore basic packets and statistics:
1. The Capture window now displays the basic
information about the packets you captured. Click the
down scroll arrow to view the entire list of packets (if
they scroll out of view). Click and drag the Capture
window handles so you can view more packets, if
desired.
2. Click the Nodes tab at the bottom of the Capture
window to view the list of devices for which the
EtherPeek analyzer captured packets. Do you
recognize your IP addresses? Do you see any
broadcast address?
3. Click the Protocols tab at the bottom of the Capture
window to view the protocols identified by EtherPeek.
4. Click the Conversations tab at the bottom of the
Capture window to view the conversations identified
by EtherPeek. Highlight the lines that contain the value
Ethernet Broadcast in the Net Node 2 column. View the
associated values in the Net Node 1 field to identify
the MAC addresses of the workstations that sent those
broadcast packets to the network.
5. Click the Size tab at the bottom of the Capture
window to view the packet size distribution of the
packets in the trace buffer. Packet sizes are listed in
bytes. Which packet size is most common in your trace
buffer?
6. Click the Summary tab at the bottom of the Capture
window to view the summary of information about the
trace buffer contents. Scroll through the summary to
identify the type of communications seen in the trace
buffer.
7. Click the History tab at the bottom of the Capture
window to view the Utilization graph created by
EtherPeek for the time you captured data.
8. Click the Log tab at the bottom of the Capture window
to view the EtherPeek Capture Log.
9. Close the Capture window by clicking the Close button
in the upper-right corner. Youll focus on the Filter tab
in the next project.
Project 2-2
You will need a computer with Internet access and a Web
browser to complete this project.
To visit the Ralph Becker IP Address Subnetting
Tutorial Web site:
1. Open your Web browser (click Start, point to
Programs, and click Internet Explorer; or see your
instructor if you use a different browser).
2. Enter the following URL in the Address text box:
http://www.ralphb.net/IPSubnet/index.html
3. Step through the tutorial, which provides more
information and additional examples of IP subnetting.
4. Close the Web browser, unless you plan to proceed
immediately to the next project.
Project 2-3
You will need a computer with Internet access and a Web
browser to complete this project. You will access the 3Com
Web site to look for information about IP addressing. Feel
free to spend some time browsing this Web site after you
complete the steps.
To find IP addressing information at the 3Com Web
site:
Access and read the 3Com white paper Understanding IP
Addressing to further cement the information covered in
this chapter of the book.
1. Open your Web browser (click Start, point to
Programs, and click Internet Explorer; or see your
instructor if you use a different browser).
2. Enter the following URL in the Address text box:
http://www.3com.com
3. Click the country link of your choice.
4. Type Understanding IP Addressing in the Search
field, and then click the Search button.
5. Click the 3Com Press Box Technical Papers
hyperlink. The Technical Papers list appears.
6. Scroll down the list to locate the document titled
Understanding IP Addressing: Everything You Ever
Wanted To Know, dated April 26, 1996, by Chuck
Semeria. Click the hyperlink Understanding IP
Addressing to access this document and read the
article.
7. Close the Web browser, unless you plan to proceed
immediately to the next project.
Project 3-3
To open a saved trace file and examine an ARP
packet decode:
Project 3-4
To filter out all ARP traffic in the trace file:
1. Follow Hands-on Project 3-3 to open the arp.pkt trace
file (if not already open).
2. This trace file includes some ARP, ICMP, and NetBIOS
traffic. To highlight only the ARP packets (requests and
replies), click the Protocols tab at the bottom of the
trace file window. The Protocols window appears. If the
window cannot display all the protocol entries, click
the down scroll arrow until you can see the ARP
protocol and the Req and Rsp rows.
3. Right-click the ARP row to open the protocols menu,
as shown in Figure 3-24.
4. Click Select Related Packets, and then click By
Protocol in the resulting shortcut menu. EtherPeek
displays the Selection Results window and indicates
the number of packets that are related to the ARP
selection, as shown in Figure 3-25.
5. Click Hide Unselected. You should now have a trace
summary window that displays only three ARP packets
Packets #1, #4, and #5. What is the purpose of
Packets #4 and #5?
6. If the capture stopped notification dialog box appears,
click OK. Close the trace summary window, and
proceed immediately to Hands-on Project 3-5.
Project 4-6
This Hands-on Project assumes that you have Internet
access.
To trace the route to another device on the
Internet:
1. Click Start, point to Programs, point to Accessories,
and then click Command Prompt. The Command
Prompt window opens.
2. Enter tracert to view the available command-line
parameters. Keep the Command Prompt window open
while you follow the next steps to launch the
EtherPeek demo program.
3. Click Start, point to Programs, and then click
WildPackets EtherPeek Demo.
4. The list of EtherPeek demo limitations appears. Click
OK.
5. The Select Adapter window may appear. Click the
adapter installed in your system. Click OK to close the
Adapter Selection window.
6. Click Capture on the menu bar, and then click Start
Capture.
7. The Capture Options window appears. Click OK to
accept the default buffer size of 1024 kilobytes. The
Capture window appears. The Capture window number
increments each time you start a new capture process.
8. Click the Filters tab and select the My IP Address
filter (created in Hands-on Project 4-2).
9. Click Start Capture in the Capture window.
10. Click the Command Prompt button on the
taskbar, or use Alt+Tab to make the Command
Prompt window active.
11. Type tracert ip_address, where ip_address is the
address supplied by your instructor for this project, and
then press Enter.
12. Once your route tracing session completes
successfully, close the Command Prompt window. Make
the EtherPeek Demo window active.
13. If the demo is still capturing, click the Stop
Capture button. (If the program automatically stopped
capturing, click OK in the resulting message box.) Click
the Packets tab. Scroll through the packets you
captured in your trace buffer. Answer the following
questions about your TRACEROUTE process:
a. What was the starting TTL value?
b. How many routers did you cross to reach your
destination?
c. Did all the routers along the path answer?
d. How many packets did this route tracing process
require?
Project 6-3
For this Hands-on Project, your instructor provides a target
domain name.
To view and analyze Whois communications:
1. The NetScanTools 4.12 trial program should already be
running. If not, refer to Hands-on Project 6-2 to start
the program.
2. To start the EtherPeek demo program, click Start,
point to Programs, and then click WildPackets
EtherPeek Demo.
3. Click OK to close the EtherPeek Demo information
window.
4. If the Select Adapter window appears, select your
network adapter, and click OK.
5. Click Capture on the menu bar, and then click Start
Capture.
6. The Capture Options window appears. Click OK to
accept the default buffer size of 1024 kilobytes. The
Capture window appears. The Capture window number
increments each time you start a new capture process.
7. Click the Filters tab, and then select the My IP
Address filter (created in Hands-on Project 4-2).
8. In a moment, you will capture the packets of a Whois
communication, one at a time. Remember that the
EtherPeek demo only captures 250 packets, or runs for
30 seconds, whichever comes first. This is the reason
for using a filter on your own traffic. Most likely, you
must capture each communication in separate capture
processes. Click the Start Capture button.
9. Press Alt+Tab as many times as necessary to return
to the NetScanTools demo.
10. Click the Whois tab. Enter the domain name
provided by your instructor in the Enter Query field.
Click the Query button.
11. When the Whois query is complete, click Stop.
12. Press Alt+Tab as many times as necessary to
return to the EtherPeek demo.
13. Click the Stop Capture button. Click the Packets
tab. Review the packets saved in your demo. Answer
the following questions about your captured packets:
a. What port number does the Whois process use?
b. Is this process TCP-based or UDP-based?
c. When was this Whois database last updated?
14. Close the EtherPeek demo program, unless you
proceed immediately to the next project.
15. Press Alt+Tab to return to the NetScanTools trial
program. Click the Exit button to close the program.
Project 6-4
To view and analyze an FTP connection:
Your instructor will supply you with an FTP server IP
address, user name, and password to use in this project.
1. Click Start, point to Programs, point to Accessories,
and then click Command Prompt. A Command
Prompt window appears. You will execute FTP
commands from this window after you start the
EtherPeek demo to capture your packets.
2. If the EtherPeek demo is not running, click Start, point
to Programs, and then click WildPackets EtherPeek
Demo to start the analyzer program.
3. Click OK to close the EtherPeek Demo information
window.
4. Click Capture on the menu bar, and then click Start
Capture.
5. The Capture Options window appears. Click OK to
accept the default buffer size of 1024 kilobytes. The
Capture window appears. The Capture window number
increments each time you start a new capture process.
6. Click the Filters tab, and select the My IP Address
filter (created in Hands-on Project 4-2).
7. In a moment, you will capture the packets of an FTP
session. Remember that the EtherPeek demo only
captures 250 packets, or runs for 30 seconds,
whichever comes first. This is the reason for using a
filter on your own traffic. Be certain you can complete
Steps 7 through 12 within 30 seconds. If you dont,
close the Capture window and follow Steps 4 through
12 again. Click the Start Capture button.
8. Press Alt+Tab as many times as necessary to return
to the Command Prompt window.
9. Note the IP address of the FTP server that your
instructor supplied. At the command prompt, type ftp
ip_address (where ip_address is the FTP server
address provided by your instructor). Ensure you can
connect to the FTP server before proceeding. If you
have any connection problems, recheck the IP address,
or consult with your instructor.
10. When prompted, enter your user name and
password supplied by the instructor.
11. Type dir, and press Enter. The directory list
appears.
12. Type quit, and press Enter, and then type exit,
and press Enter. The Command Prompt window
closes.
13. If the EtherPeek window is not active, press
Alt+Tab until it is the active window. Click the Stop
Capture button if the capture is still running. Again,
the EtherPeek demo only captures packets for 30
seconds. The capture process may have automatically
stopped. If so, click OK in the capture stopped
notification dialog box. Next, you examine the FTP
communications to answer a series of questions.
14. Click the Packets tab. Scroll through the FTP
communications. Double-click the packets of interest
and use the Decode Prev and Decode Next buttons
to answer these questions about your FTP session:
a. What FTP commands did your FTP client session
issue during this exercise?
b. How many connections did your FTP client open
with the FTP server to log on and transfer the
directory list?
c. Were your user name and password visible in the
trace file?
15. Close the EtherPeek demo program.
Project 6-5
To view and analyze an HTTP session:
This Hands-on Project assumes that you are using either
Microsoft Internet Explorer or Netscape Navigator to
access the Internet, and that you have a working Internet
connection. Your instructor will let you know what Web site
to access in this project.
1. Start your Internet browser.
2. Click Start, point to Programs, and then click
WildPackets EtherPeek Demo to start the analyzer
program.
3. Click OK to close the EtherPeek Demo information
window.
4. Click Capture on the menu bar, and then click Start
Capture.
5. The Capture Options window appears. Click OK to
accept the default buffer size of 1024 kilobytes. The
Capture window appears. The Capture window number
increments each time you start a new capture process.
6. Click the Filters tab, and select the My IP Address
filter (created in Hands-on Project 4-2).
7. In a moment, you will capture the first packets of an
HTTP session. Remember, the EtherPeek demo only
captures 250 packets, or runs for 30 seconds,
whichever comes first. This is the reason for using a
filter on your own traffic. The Web site you access will
probably require more than 250 packets to access and
download the home page images. Click the Start
Capture button.
8. Press Alt+Tab as many times as necessary to return
to the browser window. Enter the URL of the Web site
your instructor provides. After the home page loads
completely, press Alt+Tab as many times as
necessary to return to the EtherPeek Capture window.
Click the Stop Capture button if the capture is still
running. Again, the EtherPeek demo only captures
packets for 30 seconds. The capture process may have
automatically stopped. If so, click OK in the capture
stopped notification dialog box. Next, you examine the
HTTP communications to answer a series of questions.
9. Click the Packets table. Scroll through the HTTP
communications. Double-click the packets of interest
and use the Decode Prev and Decode Next buttons
to answer these questions about your HTTP session:
a. What HTTP version does your client support?
b. What HTTP version does the server support?
c. Can you identify the operating system and any other
attributes of the HTTP server?
d. Can you identify any of the graphic elements that
are downloaded when you access this page?
e. How many connections did your HTTP process
require?
10. Close the Internet browser.
11. Close the EtherPeek demo program.
Project 8-2
To interpret the process of DHCP renewal, rebind,
and reinitialize sequences:
1. Click File, Open, and open the trace file
DHCPlab.pkt contained in the 18654-2\Ch8 folder on
your hard disk. The packet summary window appears.
2. Double-click Packet #3 to open the decode window.
Answer the following questions about this packet:
a. Does this DHCP client already have an IP address?
b. What Message Type is used in this packet?
c. What is the purpose of this packet?
d. Does the client receive a reply to this packet?
e. What DHCP process is the client performing at this
time?
3. Click the Decode Next button until you see Packet
#5. Answer the following questions about this packet:
a. Does this DHCP client still have an IP address?
b. What is the Message Type used in this packet?
c. What is the primary difference between this packet
and Packet #3?
d. Does the client receive a reply to this packet?
e. What DHCP process is the client performing at this
time?
4. Click the Decode Next button until you see Packet
#10. Answer the following questions about this packet:
a. Does this DHCP client still have an IP address?
b. What is the Message Type used in this packet?
c. Does the client receive a reply to this packet?
d. What DHCP process is the client performing at this
time?
5. Examine the remaining DHCP packets in the trace file.
Did the client get the requested IP address?
6. Close the decode window. Close the packet summary
window.
Project 8-3
To edit and test a DHCP filter:
1. Click View, Filters to open the Filter window.
2. Double-click the DHCP filter. As you see, this is a
Protocol filter.
3. Click the Protocol button to view the protocol
selected for this filter. You should see the DHCP
protocol highlighted.
4. Click OK to close the Protocol window.
5. This filter captures all DHCP packets that the analyzer
sees. You are interested in capturing only DHCP
packets that come from the IP address 0.0.0.0,
indicating that a new device is booting onto the
network, or a DHCP client reinitialized. Click the
Address filter check box.
6. Click the down arrow in the Type field (next to the
Address 1 section). Select IP.
7. The value 0.0.0.0 is automatically placed in the
Address 1 field. This is acceptable. You do not need to
change the directional information or add an Address 2
value. Click OK. Next, you test your filter by applying it
to an existing trace file.
8. Click File, Open, and open the trace file
DHCPlab.pkt contained in the 18654-2\Ch8 folder on
your hard disk. The packet summary window appears.
9. Select the Edit menu, and then choose Select.
10. Scroll down in the Selection criteria box until you
see the DHCP filter. Click the check box next to the
DHCP filter.
11. Click the Select Packets button. Four packets are
highlighted in the summary window.
12. Click the Hide Unselected button to view the
packets that matched your filter.
13. Click the Close button to close the Select window.
Double-click each packet to view the full decode
window and further examine the packet.
14. Close the EtherPeek for Windows demo program.
Project 9-4
In this project, you set up a Boolean filter to locate all
traffic to and from the following suspect port numbers:
31337 Back Orifice
31335 Trinoo agent to handler communications
27444 Trinoo handler to agent communications
To set up a filter to catch traffic associated with
Back Orifice and Trinoo communications:
1. Launch the EtherPeek for Windows demo program.
2. Click View, Filters to open the Filters window. Click
the Insert button .
3. Enter the name BO-Trinoo in the Filter text box.
4. Click the down arrow in the Type list box and select
Advanced.
5. Click the And button and select Port. The Port Filter
window appears.
6. Type 31337 in the Port 1 text box.
7. Be sure the directional button between the Port 1 and
2 sections is labeled Both directions. Click OK. The
first filter criterion is placed in the Edit Filter window.
8. Because you are interested in packets that match
31337, 31335, or 27444, use the OR operand. Click the
Or button and select Port. The Port Filter window
appears.
9. Type 31335 in the Port 1 field.
10. Be sure the directional button is labeled Both
directions. Click OK. The second filter criterion is
placed in the Edit Filter window.
11. Click the Or button and select Port. The Port Filter
window appears.
12. Type 27444 in the Port 1 field.
13. Be sure the directional button is labeled Both
directions. Click OK. The third and final filter criterion
is placed in the Edit Filter window.
14. Click OK to close the Edit Filter window.
15. Close the EtherPeek for Windows demo program.
By running this filter on a network, you can capture traffic
that is on the way to or coming from these suspect ports.
Project 11-2
To build an advanced filter based on SNMP GET-
REQUEST, GET-RESPONSE, GET-NEXT, and TRAP traffic:
1. In the Filters window in EtherPeek, click the Insert
button . The Edit Filter window appears.
2. Type SNMP-All in the Filter text box to name your
filter.
3. Click the down arrow next to the Type field, and then
click Advanced. The Edit Filter window appears.
4. Click the And button, and then click Protocol.
5. Click the boxed plus sign next to the frame type used
on your network. The pre-defined protocol filter list
appears.
6. Click the boxed plus sign next to IP. Click the boxed
plus sign next to UDP. Click SNMP.
7. Click OK. The value Protocol SNMP is shown in the Edit
Filter window.
8. Because you are interested in packets that are
either SNMP GET (or GET-REQUEST, GET-RESPONSE,
or GET-NEXT) or SNMP TRAP messages, click the Or
button, click Protocol, and again click the boxed
plus sign next to the frame type used on your
network.
9. Click the boxed plus sign next to IP. Click the boxed
plus sign next to UDP. Scroll down and click SNMP-
Trap.
10. Click the OK button to return to the Edit Filter
window. Click OK to return to the Filters window.
11. Proceed immediately to Hands-on Project 11-3.
Project 11-3
To build an advanced filter based on SNMP GET-
REQUEST, GET-RESPONSE, and GET-NEXT traffic from
unauthorized sources:
1. In the Filters window in EtherPeek, click the Insert
button . The Edit Filter window appears.
2. Type SNMP-Unauthorized in the Filter text box to
name your filter. In this project, we assume that your
network has one SNMP manager that uses the IP
address 10.23.3.4. You will build a filter for all SNMP
traffic that comes from devices other than 10.23.3.4.
Youll also use the port definition method for building
your SNMP filter.
3. Click the arrow next to the Type field. Select
Advanced. The Edit Filter window appears.
4. Click the And button. Select Port.
5. Enter the value 161 in the Port 1 field. Leave Port 2 as
Any port.
6. Click OK to return to the Edit Filter window.
7. Click the And button. Click Address.
8. Verify that IP is listed in the Type field. Click IP.
9. Enter the address 10.23.3.4 in the Address field.
Leave Address 2 as any address.
10. Click OK. The Edit Filter window appears. Currently,
the filter is looking for all SNMP GET-REQUEST, GET-
RESPONSE, and GET-NEXT traffic from 10.23.3.4.
However, you are looking for the SNMP traffic from
unauthorized
systems.
11. Click the box that shows the Address filter that you
just created. Click the Not button. You have now
defined a filter for all SNMP traffic using port 161 from
any device except 10.23.3.4. Click OK.
12. Close the EtherPeek for Windows demo program.
Project 13-2
To examine IPv6 communications:
1. Start the EtherPeek for Windows demo program.
2. Click File, Open.
3. Insert the CD that accompanies this book into your CD-
ROM drive. Open the 18654-2\Ch13 folder on your
hard disk.
4. Select the trace file ipv6dump.pkt. Click Open. The
packet summary window appears.
5. Click and drag the summary window columns to
increase their size, making the IPv6 source and
destination addresses viewable.
6. Scroll down to Packet #28, and double-click this
packet. The decode window appears and displays the
IPv6 packet structure.
7. Answer the following questions about this packet:
a. What is the purpose of this packet?
b. What is the hop count limit on this packet?
c. Compare the Ethernet header source/destination
addresses to the IPv6 header source/destination
addresses. How do they compare?
8. Click the Decode Next button to view Packet #29.
What is the purpose of this packet?
9. Close the decode window. Close the packet summary
window and proceed immediately to the next project.
Project 13-3
To build an IPv6 filter:
1. In the EtherPeek demo, click View, Filters to open the
Filters window. Click the Insert button . The Edit Filter
window appears.
2. Enter the name IPv6 in the Filter text box.
3. Click the Protocol filter check box.
4. Click the Protocol button.
5. Click the boxed plus sign to the left of the frame type
used on your network.
6. Click to highlight IPv6, and then click OK.
7. Click OK to close the Edit Filter window, and click the
Close button in the upper-right corner to close the
Filter window.
8. What do you think this filter is based on?
9. To test your filter, open the ipv6dump.pkt file (in the
18654-2\Ch13 folder on your hard disk).
10. Click Edit, Select.
11. In the Selection criteria area, scroll down to locate
and then click the check box next to the IPv6 filter.
12. Click the Select Packets button. The Selection
Results dialog box appears, stating that 242 packets
are selected.
13. In the Selection Results dialog box, click the Hide
Unselected button. Click the Close button in the
Select window. The packet summary window should
show 242 packets highlighted out of the entire 250-
packet trace file.
14. Close the EtherPeek for Windows demo program.