Lab 5 - Application layer analysis

The purpose of this lab is to capture the network traffic generated by application-level protocols, analyze it and identify the different fields of the exchanged messages. Specifically, this session looks at the DNS and HTTP protocols.

Assessment

This session will be graded (1/6 of the lab grade), so you must complete the corresponding questionnaire in Campus Virtual, answering the questions. The questions to be answered will be available during the practical session and must be submitted before it ends. Each wrong answer will be penalized with 1/3 of the assigned value.

Setup

The network connection must be correctly configured to carry out the lab:

  1. Aspects already seen in previous labs are assumed to be known, for example, the command to find your own IP address and how to use Wireshark.

  2. Prepare your working directory:

    • Create the p5 directory in /home/alumno. Assuming your current directory is /home/alumno, the command would be:

      mkdir p5
      
    • If it already exists, remove it and create it again:

      rm -rf p5
      mkdir p5
      
    • Go to this directory and do the tasks from there:

      cd p5
      
    • Check that you are in the correct directory with:

      pwd
      

      It should show:

      /home/alumno/p5
      
  3. Be sure that the network interface of the virtual machine has an IP address of type 172.24.21x.xxx.

  4. Be sure that you can go out to the Internet using the virtual machine. For example, you can run:

    ping -c 3 8.8.8.8
    

    This should provide a result similar to:

    3 packets transmitted, 3 received, 0% packet loss, time XXXms
    
  5. Open a browser inside the virtual machine and have these instructions and the quiz of Campus Virtual on hand. This will make it easier for you to follow them and download the needed files.

    Important

    Do not save your Campus Virtual password in the virtual machine.

DNS

dns1.pcapng

This capture was generated using the following command:

host www.uclm.es

This command resolves the name www.uclm.es to the corresponding IP address or addresses using the DNS protocol.

Download the capture dns1.pcapng and analyze it with Wireshark or tshark. Then answer the questions related to this capture.

dns2.pcapng

Download the capture dns2.pcapng and analyze it. Later, answer the related questions in the quiz. This capture was generated using the following command:

host redes1.com
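The fields you are asked to identify in these captures (header, question section, answer records, and the name compression pointers Wireshark shows as "pointer to offset") can be checked against a small parser. The following Python is an added example, not part of the lab material, and works on a constructed response for www.uclm.es instead of the lab's own pcapng files; it rejects forward pointers, which are a common cause of parser loops on malformed messages.

```python
import struct

# Constructed sample (not from dns1.pcapng): a reply to "host www.uclm.es" with made-up ID/TTL.
SAMPLE_RESPONSE = bytes.fromhex(
    "1a2b" "8180"                            # ID; flags QR=1 RD=1 RA=1 RCODE=0
    "0001" "0001" "0000" "0000"              # QDCOUNT ANCOUNT NSCOUNT ARCOUNT
    "03777777" "0475636c6d" "026573" "00"    # question name: www.uclm.es
    "0001" "0001"                            # QTYPE=A QCLASS=IN
    "c00c" "0001" "0001" "00000e10" "0004"   # answer: name ptr->12, A, IN, TTL 3600, RDLENGTH 4
    "3369b9cc"                               # RDATA: 51.105.185.204
)

def read_name(msg, offset):
    # Returns (name, offset after the name), following RFC 1035 compression pointers.
    labels, end = [], None
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:                             # malformed: would loop forever
                raise ValueError("DNS name pointer does not point backwards")
            end = end or offset + 2                       # resume after the first pointer
            offset = ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_dns(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    header = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
              "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
              "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append({"name": name, "type": qtype, "class": qclass})
        off += 4
    for _ in range(an):                                   # authority/additional skipped
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        rec = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
               "rdata": ".".join(str(b) for b in rdata) if rtype == 1 else rdata.hex()}
        answers.append(rec)
    return {"header": header, "questions": questions, "answers": answers}
```

To compare with a real capture, export a DNS packet's bytes from Wireshark and pass them to parse_dns; the field values should match what the packet details pane shows.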

HTTP

http1.pcapng

In this exercise the curl command will be used. This is a tool that allows you to make HTTP requests. By default, it uses the GET method, which is the case in this example. Another method can be selected with the -X option.

This time, you must create a capture named http1.pcapng that will contain HTTP traffic. To do this:

  1. Run wireshark.

  2. Open a terminal.

  3. Start capturing traffic with wireshark.

  4. Run the following in the terminal (you should view an output similar to the one shown):

    curl http://httpbin.org/get
    

    The output should be similar to:

    {
      "args": {},
      "headers": {
        "Accept": "*/*",
        "Host": "httpbin.org",
        "User-Agent": "curl/7.74.0",
        "X-Amzn-Trace-Id": "Root=1-621ff61f-71e17fc20c02922e7e26a8df"
      },
      "origin": "182.200.203.150",
      "url": "http://httpbin.org/get"
    }
    
  5. Stop capturing traffic with wireshark.

  6. Save the capture as http1.pcapng. Be sure that you save it in /home/alumno.

  7. Use http as display filter.

  8. Only 2 HTTP packets should be shown. If you do not get this output, you must repeat the capture.

Now, with the 2 HTTP packets shown, you can complete the part of the quiz assigned to this exercise.

http2.pcapng

To generate the network traffic in this exercise, the wget command will be used. Among many other features, wget downloads files using HTTP. Unlike curl, this command saves server responses to files and implements higher-level functionality such as following HTTP redirects automatically. In fact, this is exactly what it will do in this example.

In short, wget is a higher-level tool than curl and allows you to download files over HTTP as a conventional browser would, but without the need for a graphical environment.

Using the above procedure, you must create the capture named http2.pcapng as follows:

  1. Run wireshark.

  2. Open a terminal.

  3. Start capturing traffic with wireshark.

  4. Run the following in the terminal:

    wget http://www.uclm.es
    

    You should view an output similar to:

    --2022-03-07 09:31:00--  http://www.uclm.es/
    Resolving www.uclm.es (www.uclm.es)... 51.105.185.204
    Connecting to www.uclm.es (www.uclm.es)|51.105.185.204|:80... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://www.uclm.es/ [following]
    --2022-03-07 09:31:00--  https://www.uclm.es/
    Connecting to www.uclm.es (www.uclm.es)|51.105.185.204|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 113381 (111K) [text/html]
    Saving to: ‘index.html’
    index.html              100%[==============================>] 110.72K  --.-KB/s    in 0.03s
    2022-03-07 09:31:00 (3.57 MB/s) - ‘index.html’ saved [113381/113381]
    
  5. Stop capturing traffic with wireshark.

  6. Save the capture as http2.pcapng. Be sure that you save it in /home/alumno.

  7. Use ip.addr == 51.105.185.204 as display filter.

  8. You should view different types of traffic. Also wget must have downloaded a file named index.html. If any of this is missing, you should repeat the capture.

Now, with all the requirements fulfilled, you can analyze the traffic and answer the part of the quiz assigned to this exercise.
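The two HTTP messages of http1.pcapng and the 302 redirect that wget follows in http2.pcapng are plain text, so every field Wireshark shows can be parsed straight from the TCP payload. The following Python is an added example (not part of the lab material) that splits an HTTP/1.x message into its start line, headers and body and extracts the Location header of a redirect; the sample messages are constructed to mirror the curl and wget output above, not taken from the captures. Once wget follows the redirect to https, the same fields travel inside TLS and are no longer visible in the capture.

```python
# Constructed messages in their on-the-wire form (CRLF line endings), mirroring the
# curl request from http1 and the 302 reply wget receives in http2; not from the captures.
SAMPLE_REQUEST = (
    b"GET /get HTTP/1.1\r\n"
    b"Host: httpbin.org\r\n"
    b"User-Agent: curl/7.74.0\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.uclm.es/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

def parse_http_message(raw):
    """Split a raw HTTP/1.x request or response into start line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                                   # headers not finished: need more bytes
        raise ValueError("incomplete HTTP message: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3:
        raise ValueError("malformed start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:                        # header names are case-insensitive
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers}
    if start[0].startswith("HTTP/"):              # response: version status reason
        msg.update(kind="response", version=start[0], status=int(start[1]), reason=start[2])
    else:                                         # request: method target version
        msg.update(kind="request", method=start[0], target=start[1], version=start[2])
    length = int(headers.get("content-length", len(body)))
    msg["body"] = body[:length]                   # ignore bytes of a following message
    return msg

def redirect_target(message):
    """Return the Location a 3xx response points to (what wget follows), else None."""
    if message["kind"] == "response" and 300 <= message["status"] < 400:
        return message["headers"].get("location")
    return None
```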

Cleanup

Finally, remove the created directory /home/alumno/p5 with:

rm -rf /home/alumno/p5