Lab4

School: Carnegie Mellon University
Course: 15 744
Subject: Computer Science
Date: Dec 16, 2024
LAB 4: DATA LINK LAYER

Lab 4: Network Plug-n-Play and Data Link (MAC) Layer

Objective

In this final lab of the class, you will continue to use Wireshark and the network testbeds (the “Racks”), but now you will mainly explore some final network plug-n-play applications and the Data Link (or MAC) layer. In particular, you will be looking at the Dynamic Host Configuration Protocol (DHCP), Ethernet Frames, the Address Resolution Protocol (ARP), a network attack based on the Data Link Layer, and a final analysis of a pcap file containing multiple packets that execute a particular network function. Once again, you will use the hardware network testbeds (the “Racks”) to create the traffic you will observe and analyze.

Before going to the network testbeds (the “Racks”), please read this handout COMPLETELY and make sure that you understand all the steps and questions being asked.[1] This will help you to be better prepared for Lab # 4. This will also help you to manage your time at the testbed better.

Write a report to show you have executed the lab procedures. In this report, answer the questions that are interleaved among the procedures. Feel free to also include questions, ponderings, and any interesting stuff you observed. For each question, do not forget to include your generated evidence to support your answers (e.g., screenshots, calculations, annotations, etc.).

[1] A good idea would be to review the lecture slides or the corresponding textbook sections regarding the Dynamic Host Configuration Protocol (DHCP), the Data Link (MAC) Layer, and the Address Resolution Protocol (ARP) to fully understand the concepts you will use, observe, and test in this Lab.

NOVEMBER 26, 2024, VERSION 3.3
Procedures

1. Verify that power switch nine (9) (on the power rail behind the rack) is turned on.
2. Verify that the (four) Netgear switches inside the Rack display the numbers 1, 2, 3, and 4. Note that we have two (2) new switches for you to observe this time (four (4) in total).
3. Turn on (Restart if it is already on) the testbed’s PC by powering on switch eight (8) (on the power rail behind the rack). If the PC was manually powered off before, you will need to turn OFF and ON switch eight (8) to restart the computer.
4. Login to the Rack’s PC with the following credentials:
   Username: student
   Password: 740Rocks$
5. We will need to use the components of Lab # 3 in this final lab. If power switch three (3) is turned off, turn it on (on the power rail behind the rack) and wait for three (3) minutes for all the routers to start. Please do not create BGP black holes or change any router configurations. Remember, “With great power comes great responsibility!”
6. If power switches one (1) and/or four (4) are ON, turn both OFF and wait for five (5) seconds to dissipate static and capacitance charges.
7. Turn ON switch one (1). Do NOT turn on switch four (4) yet.
8. When you are done with the lab, shut down the computer and turn off all the power switches EXCEPT 9!

Part I: Dynamic Host Configuration Protocol (DHCP)

Our first step in this final lab is to explore a plug-and-play mechanism that is very helpful for network administrators everywhere, namely the Dynamic Host Configuration Protocol (DHCP). This protocol is convenient to provide recently booted computers with network information, including their unique IP address, network mask (prefix) information, default gateway (router), etc. For this first part of the lab, we will use the Wireshark application on the Rack’s computer (the “NUC”).

Please complete the following steps:

- First, start your Wireshark capture on the Rack’s computer (the “NUC”).
- Then, it is time to start the Lab # 4 components by turning on switch four (4) (on the power rail behind the rack). Wait around twenty (20) seconds so all the DHCP configurations take place (you can watch them live in your packet capture in the Rack’s computer).
- Stop the Wireshark packet capture and save the PCAP file for your future (and deeper) analysis.
- Transfer the PCAP file to your USB flash drive and delete it from the NUC. To transfer the files from the Rack’s Computer to your laptop, you can use the USB extender available on top of the Rack.
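Added example, not part of the original handout: once the capture is saved, the values the DHCP questions ask about (lease time, network prefix, DNS resolver, default gateway, and the XID that ties an OFFER to its DISCOVER) can be cross-checked outside Wireshark by decoding the UDP payload directly. The sketch walks the fixed BOOTP header and the type-length-value options that follow the magic cookie; the sample OFFER, its xid and all addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

MAGIC_COOKIE = bytes.fromhex("63825363")  # precedes the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode a DHCP message (the UDP payload) into the fields the lab asks about."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("too short or DHCP magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    out = {
        "xid": struct.unpack("!I", payload[4:8])[0],      # same in DISCOVER and OFFER
        "your_ip": str(IPv4Address(payload[16:20])),      # yiaddr: the offered address
        "client_mac": payload[28:34].hex(":"),            # chaddr, Ethernet assumed
    }
    if len(opts.get(53, b"")) == 1:                       # option 53: message type
        out["type"] = MSG_TYPES.get(opts[53][0], "unknown")
    if len(opts.get(51, b"")) == 4:                       # option 51: lease time (s)
        out["lease_seconds"] = struct.unpack("!I", opts[51])[0]
    if len(opts.get(1, b"")) == 4:                        # option 1: mask -> /prefix
        out["prefix_len"] = IPv4Network("0.0.0.0/%s" % IPv4Address(opts[1])).prefixlen
    for code, name in ((3, "routers"), (6, "dns_servers")):
        raw = opts.get(code, b"")
        if raw and len(raw) % 4 == 0:                     # lists of IPv4 addresses
            out[name] = [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]
    return out


def sample_offer() -> bytes:
    """Constructed DHCP OFFER; the xid and every address are made-up values."""
    a = lambda s: IPv4Address(s).packed
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)    # op .. flags
    fixed += bytes(4) + a("192.0.2.50") + a("192.0.2.1") + bytes(4)  # ci/yi/si/giaddr
    fixed += bytes.fromhex("020000000001").ljust(16, b"\0") + bytes(192)
    options = (bytes([53, 1, 2]) + bytes([54, 4]) + a("192.0.2.1")
               + bytes([51, 4]) + struct.pack("!I", 86400)
               + bytes([1, 4]) + a("255.255.255.0") + bytes([3, 4]) + a("192.0.2.1")
               + bytes([6, 4]) + a("192.0.2.53") + b"\xff")
    return fixed + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(parse_dhcp(sample_offer()))
```

Option 54 (server identifier) is present in the sample but not decoded, which shows the option walk skipping codes it does not interpret.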
Answer the following questions:

1. (5 points) How many end hosts configure their IP addresses using DHCP? How many DHCP server(s) are in the network? Make a list of Ethernet addresses and the IP address associated with each end host. What are the IP address(es) of the DHCP server(s)?
2. (5 points) Using the message being sent by the DHCP Server to offer an IP address to the recently-booted Clients, answer these questions: What is the lease time (in seconds) for the offered IP address? What is the network prefix (/##) for the subnetwork where the IP address is located? What is the address of the DNS Resolver? What is the address of the default gateway? On what part of the DHCP message is all this information included? Make sure to explain where you obtained all the information to answer these questions.
3. (10 points) Draw the sequence diagram showing the messages exchanged between any one of the end hosts (of Question 1) and the DHCP server(s). Indicate source and destination MAC addresses, source and destination IP addresses, source and destination port numbers, and any important application layer (DHCP) fields used for each of the messages. Point out if any of the messages are broadcast (you can use the “funky-looking” arrows we used in class to represent broadcast messages).

For the following parts, you will need to capture the data on your computer.

Part II: Address Resolution Protocol (ARP)

Now, it is time to analyze some of the components in the Data Link (MAC) Layer. In particular, we want to analyze how the Address Resolution Protocol (ARP) helps us to map logical (IPv4) addresses in the Network layer to physical (MAC) addresses in the Data Link layer.

Complete the following steps:

- For the following parts, we will use a packet capture (i.e., Wireshark) on your Computer.
- Start a new Wireshark capture on your Computer (NOT in the Rack’s NUC).
- From the testbed’s PC (the “NUC”), send a ping to the newly DHCP-configured devices (using the IP addresses you found in the previous questions).
- Stop the Wireshark packet capture and save the PCAP file for your future (and deeper) analysis.

Answer the following questions:

4. (4 points) Choose one of the ping packets, what are the source and destination MAC addresses of the first ping sent out of the NUC? What are the source and destination IP addresses of the first ping sent out of the NUC? Based on the information you gathered in the previous questions, explain whether all the hosts in the ping test are in the same subnetwork.
5. (6 points) Choose one of the ping packets, was an ARP request made before sending the ICMP packet? (Spoiler alert: Yes). What are the fields in the ARP request that enable the destination host to identify the request and send a reply? What are the fields in the ARP reply that enable the receiving host to get the response and update its ARP cache/table?
6. (5 points) Choose one of the ping packets, who is the manufacturer of the Ethernet adapter for both the source and destination Ethernet adapters? To determine this, use the document at http://standards-oui.ieee.org/oui.txt (Do not forget to include a preferably annotated screenshot of your result). What information did you use to find the correct manufacturer?

Now, let’s try to ping a computer going through our NAT router and some external networks. Please complete the following steps:

- Start a new Wireshark capture on your Computer (NOT in the Rack’s NUC).
- Send a ping from the testbed’s PC (the “NUC”) to 2.0.0.1.
- Stop the Wireshark packet capture and save the PCAP file for your future (and deeper) analysis.

Answer the following questions:

7. (12 points) Trace and explain all the Ethernet frames for this ping to be delivered to the final destination. Specifically, identify the MAC address changes that apply at each hop. The network diagram from Lab 3b will be really useful for tracing all the frames of the ping request between the source node and destination node. What nodes (e.g., routers) forward the packet until it reaches the destination? How many hops are there between the source and destination (explain your answer)? Does the IP address change when the packet is being forwarded in the public network, why or why not? Does the IP address change when the packet is forwarded inside the private network, why or why not?
8. (8 points) Take a look at the first Frame sent from the PC, which contains the ping. What is the destination MAC address of the frame? What is the destination IP address in the encapsulated packet? Do the IP address and the MAC address refer to the same interface? If not, thoroughly describe how the Data Link layer of the sending computer knew what this MAC address should be.
9. (10 points) You have seen how ARP is used to determine the destination MAC address for an outgoing packet. Generalize a rule for the destination MAC address of the Frame when the destination IP address is in the same subnet as well as when it is not in the same subnet.

Part III: ARP Table (Cache)

As you might remember, the ARP protocol is automatically initiated by the Network Interface Card (NIC) in routers and end host computers. Whenever a new mapping is learned by the NIC, it is registered in its ARP table (cache). This process is automatically done for all the NICs in a computer. However, it is possible to modify or add new entries manually to the ARP table (cache). For this, we can use the following command to modify the ARP table on a computer:
sudo arp -s InetAddr EtherAddr

This command allows you to manually add or modify an entry to the ARP cache (table) that resolves the IP address InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry or modified an existing one, you entered the correct IP address but the wrong Ethernet address for that remote interface?

Answer the following question:

10. (8 points) Try the aforementioned scenario in one of the Lab 4 computers that obtain their IP addresses using DHCP and report on your findings. ssh into the lowest IP address. For example, if you have two devices with two different IP addresses, x.x.3.1 and x.x.3.2, ssh into the Raspberry PI with the IP address x.x.3.1 (This is just an example of IP addresses and might NOT reflect what you see in the Lab). Once ssh into the correct Raspberry PI, first, print the ARP table in this device to see all the mappings that have been registered already.[2] Then, modify one entry in the ARP table in this device using the previously described command.[3] You might also want to do some connection experiments (e.g., ping) to see the result of the changes (before and after the ARP table change) in the host. Present a screenshot of your modifications to the ARP table and your testing to see the successful modification of the table and its impact on the network.

Part IV: Obligatory Security-Related Section

Our attacker from Lab 1 is back and is not happy that they could not spoof the DNS reply for cool.com. So, let’s run an experiment to check an attack in the Data Link layer.

Complete the following steps:

- Start a new Wireshark capture on your Computer (NOT in the Rack’s NUC).
- If you have not done so, turn on Lab one (1) using power switch one (1) (on the rail on the back) and give it a few seconds to start.
- Open the Lab # 1 interface (available on the desktop of the testbed’s PC) and make sure all the hosts are active (up) in the Lab 1 application interface.
- Make sure your Wireshark capture is on for the next step.
- Run the Python script (using PowerShell) located at C:\Users\Public\Documents\Lab4\start_super_spoofer.py

  python start_super_spoofer.py

- Visit cool.com. What webpage did you get (Hint: it is a different webpage than the one of Lab one (1)!)?

[2] This might take a couple of minutes, so please be patient until it shows all ARP entries.
[3] If you modify the entry for the Rack’s computer, the change will cause you to break the SSH connection from the computer to the Raspberry Pi. So, we advise you to modify another entry in the ARP table to avoid this issue.
- Stop the Wireshark packet capture and save the PCAP file for your future (and deeper) analysis.

Answer the following question:

11. (12 points) Unlike Lab 1, why do you think the attacker did not have to deal with a race condition (i.e., why did the real DNS server never reply)? Using your gathered evidence in Wireshark and the correct network terminology that you have learned throughout the semester, make sure to provide a detailed explanation of how the attack was conducted and why it was successful. Also, explain how this attack was different than the one tried in Lab # one (1).

Part V: Packet Analysis

For this final section of the lab, you do not need to use the testbeds (the “Racks”)! Download the Lab4_Final.pcap file from Canvas. This file is a Wireshark capture file with some interesting data in it. Open it in Wireshark and take a look. There are only eight (8) packets here, so it should not take too long to examine them and figure out what is going on. For each of the packets, write a short description of the purpose of the packet and also write a description of the whole interaction. Back your assertion up with data from the packet. List anything else interesting in the packet.

We are NOT looking for a straight recital of what the packet contents are; we are looking for the deeper meaning behind the packet and the whole interaction. So, do not say, “This is a UDP packet sent to port 67.” Instead, say, “This is the DHCP OFFER message from the server. You can see the XID field is the same as the DHCP DISCOVER message…”

Answer the following question:

12. (15 points) Fully analyze each of the packets and the whole interaction, showing that you fully understand what is going on! Write a short description of the purpose of each packet and the whole interaction. You can rely on your research abilities to find more information about the different errors, characteristics, protocol types, etc. This will help you to provide a complete analysis of each packet and the whole interaction.

Course Evaluations (Extra credit)

We value your honest evaluation of the course. While we would love for your experience in the course to have been absolutely perfect in every way, we know realistically that might not have happened. Please help us improve the course and the experience for future students by filling out the Faculty Course Evaluations (FCEs).
While the numbers in the course evaluation are extremely helpful, the really good information that will help us improve the most is to be found in the comments. If there is any question on the course evaluation that you have NOT given us perfect marks for, please leave us a detailed comment explaining what we could do to improve and earn perfect marks. Also, if you liked the course, let us know what you enjoyed the most about the course.

I understand separating grading from your overall experience with the course is not always easy. However, grades are always a subjective topic. Hence, try to provide us with feedback outside of the grading system to help us improve the class in other important aspects.

If you attach the printout (screenshot) from the end of the FCE evaluation to this lab report, proving that you filled out course evaluations for this course (but without your answers, obviously), then you will receive extra credit (points) worth 20% of a lab grade. We are looking for pages that show images like the one above, which were obtained after completing the course evaluation for 14740.[4]

If you also attach the following signed and dated statement to your lab report, you will receive an additional extra credit worth 25% of a lab grade. Your signature indicates that the statement is 100% true. Do not sign and submit the statement if you did not provide a useful and complete evaluation according to the definition above for all the questions that were NOT given a perfect score in the FCE.

I have provided a useful course evaluation. For each question on the Faculty course evaluation (FCE), I either gave perfect marks or left a helpful and detailed comment explaining what could be done to improve the course to that point.

signed name and date

Turn-in

Write a report of your interactions and answer ALL the questions. Make sure to include enough details to ensure we understand that you understand what is going on. For instance, screenshots should probably be annotated to show where a number came from. Do not assume that because you know how to read a Wireshark capture, we know that you know it. Our graders will not make that assumption. So, prove it to us by describing/annotating every value you find from Wireshark.

[4] The picture is only to provide you with a reference, but the actual image that you will get (after filling out the course evaluation) might be slightly different. The important part is that you need to complete the FCE for this course and present proof that you did so!
- Please carefully follow the instructions if you provided the required attachments for the course evaluation (on Gradescope). Incomplete or inaccurate attachments will NOT be considered for extra credit.
- Turn your answers in a PDF file and submit it to the Lab 4 “Assignment” on Gradescope.
- In Gradescope, map the questions to the corresponding page in your document. Students who fail to map a question correctly will lose all the points for that question.
- Do not forget to save (and name) all your PCAP files for your future analysis.
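Added example, not part of the original handout, for the ARP sections of this lab: it decodes Ethernet/ARP frames into the fields the ARP questions ask about and replays a capture in order to flag any IP address whose advertised MAC changes, which is the condition the ARP table exercise creates by hand with a wrong Ethernet address. The three frames, their MAC addresses and the 192.0.2.0/24 addresses are constructed test data.

```python
import struct
from ipaddress import IPv4Address

BROADCAST, UNKNOWN = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:                                   # 14 Ethernet + 28 ARP
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": src.hex(":"), "eth_dst": dst.hex(":"),
            "op": {1: "request", 2: "reply"}.get(op, "other"),
            "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}


def binding_changes(frames):
    """Replay frames in capture order; list every IP whose advertised MAC changes."""
    cache, alerts = {}, []
    for number, frame in enumerate(frames, start=1):
        arp = parse_arp(frame)
        if arp is None or arp["sender_ip"] == "0.0.0.0":  # probes carry no binding
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if cache.get(ip, mac) != mac:
            alerts.append((number, ip, cache[ip], mac))
        cache[ip] = mac                                   # what an ARP cache would hold
    return alerts


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Build one ARP frame as bytes (constructed test data, never sent anywhere)."""
    mac = lambda text: bytes.fromhex(text.replace(":", ""))
    return (mac(eth_dst) + mac(sender_mac)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + IPv4Address(sender_ip).packed
            + mac(target_mac) + IPv4Address(target_ip).packed)


# Constructed capture: a request, its reply, then a second reply for the same IP.
HOST, ROUTER, OTHER = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE = [
    arp_frame(1, HOST, "192.0.2.10", UNKNOWN, "192.0.2.1", BROADCAST),
    arp_frame(2, ROUTER, "192.0.2.1", HOST, "192.0.2.10", HOST),
    arp_frame(2, OTHER, "192.0.2.1", HOST, "192.0.2.10", HOST),
]

if __name__ == "__main__":
    print(binding_changes(SAMPLE))
```

A changed binding is not always hostile (a replaced NIC or a failover pair produces the same signal), so each alert is a prompt to inspect the frames around it in the capture.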