Lab 1: Wireshake Capture

topology Tasks :

1. Check the IP of PC A.
      + IP address of PC.
      + Subnet Mask.
      + Default Gateway.
      + DNS Server.
      + DHCP Server.
      + MAC address.
2. Use Wireshark capture ICMP Request, ICMP Reply.
      + Delete ARP Cache: arp -d.
      + Turn on Wireshark capture.
      + Ping 8.8.8.8.
3. Use Wireshark capture DNS Query, DNS Response.
      + Disable IPv6 address.
      + Clear DNS Cache: ipconfig /flushdns.
      + ping google.com.

4. Use Wirshark capture DHCP Packets.
      + Turn on Wireshark capture.
      + ipconfig /release to delete ip on PC, 
      + ipconfig /renew to get ip from DHCP Server (modem).
5. Use Wireshark capture IP Header, TCP Header, Ethernet Header.
       + Turn on Wireshark capture.
       + Open "cmd".
       + ping 8.8.8.8.
       + telnet google.com 80

1. Check the IP of PC A.
      + IP address of PC.
      + Subnet Mask.
      + Default Gateway.
      + DNS Server.
      + DHCP Server.
      + MAC address.

Open "cmd". Type ipconfig /all

C:\Users\tranv> ipconfig /all

Windows IP Configuration

   Host Name. . . . . . . . . . . . : DESKTOP-6BRNO9S
   Primary Dns Suffix. . . . . . . :
   Node Type. . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Home

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix. : Home
   Description . . . . . . . . . . . : Intel (R) 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : B8-CA-3A-83-C7-4A
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled. . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.3 (Preferred)
   Subnet Mask. . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, June 30, 2020 9:02:07 PM
   Lease Expires. . . . . . . . . . : Thursday, July 2, 2020 9:02:07 AM
   Default Gateway. . . . . . . . . : 192.168.1.1
   DHCP Server. . . . . . . . . . . : 192.168.1.1
   DNS Servers. . . . . . . . . . . : 8.8.8.8
                                       203.162.4.190
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\tranv>

2. Use Wireshark capture ICMP Request, ICMP Reply.
      + Delete ARP Cache: arp -d.
      + Turn on Wireshark capture.
      + Ping 8.8.8.8.

When we delete the ARP table, the error will be as follows.

C:\Users\tranv> arp -d
The ARP entry deletion failed: The requested operation requires elevation.


C:\Users\tranv>

We have to open cmd with admin level to delete the ARP table. We click start menu -> type cmd -> select "run as administrator".

Microsoft Windows [Version 10.0.18362.900]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Windows\system32> arp -d

C:\Windows\system32> arp -a
No ARP Entries Found.

C:\Windows\system32>

We turn on Wireshark capture and ping 8.8.8.8.

C:\Windows\system32> ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes = 32 time = 29ms TTL = 120
Reply from 8.8.8.8: bytes = 32 time = 28ms TTL = 120
Reply from 8.8.8.8: bytes = 32 time = 28ms TTL = 120
Reply from 8.8.8.8: bytes = 32 time = 28ms TTL = 120

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 28ms, Maximum = 29ms, Average = 28ms
    
C:\Windows\system32>

We will capture the ICMP request and ICMP Reply packet.

topology

We use the "icmp.type == 8" to filter ICMP request packets.ICMP Request has type is 8. topology

We use the "icmp.type == 0" to filter ICMP replies. ICMP Reply has type is 0.

3. Use Wireshark capture DNS Query, DNS Response.
      + Disable IPv6 address.
      + Clear DNS Cache: ipconfig /flushdns.
      + ping google.com.

First, we disable IPv6. Because windows 10 support IPv6 so Google use IPv6 to reply.

topology

At this time, PC ping Google. Google will return IPv4. Before ping google .com ta Must delete DNS cache on the computer.

C:\Windows\system32> ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

When we ping google.com, the PC will send out DNS Query packet.

C:\Windows\system32> ping google.com

Pinging google.com [216.58.200.78] with 32 bytes of data:
Reply from 216.58.200.78: bytes = 32 time = 28ms TTL = 120
Reply from 216.58.200.78: bytes = 32 time = 27ms TTL = 120
Reply from 216.58.200.78: bytes = 32 time = 27ms TTL = 120
Reply from 216.58.200.78: bytes = 32 time = 27ms TTL = 120

Ping statistics for 216.58.200.78:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 28ms, Average = 27ms

C:\Windows\system32>

DNS Query topology

DNS Response topology The DNS Response packet will reply that google.com use 216.58 .200.78.

4. Use Wirshark capture DHCP Packets.
      + Turn on Wireshark capture.
      + ipconfig /release to delete ip on PC, 
      + ipconfig /renew to get ip from DHCP Server (modem).

We turned on Wireshark capture. Then delete ip with the command "ipconfig /release" . The PC will send the DHCP Release packet. See the picture below.

topology We type "ipconfig /renew" to get a new ip from the DHCP Server.

topology

We see the DHCP packets.

DHCP Discover: find DHCP Server , and ask for an IP from the DHCP Server.
DHCP Offer: DHCP Server offer IP for PC.
DHCP Request: The PC accepts the offer and sends the request to the server.
DHCP Ack: Server send Ack to PC. So PC has got IP.

  5. Use Wireshark capture IP Header, TCP Header, Ethernet Header.
         + Turn on Wireshark capture.
         + Open "cmd".
         + ping 8.8.8.8.
         + telnet google.com 80.

We turn on Wireshark capture. Open "cmd". Type "ping 8.8.8.8". We will see Wireshark will capture IP Header, Ethernet Header topology

Source ip is 192.168.1.3.
Destination ip is 8.8.8.8.
Protocol is 1 (ICMP).
Time To Live (TTL) is 128. Depending on the operating system, the default TTL value different. Cisco Router sends TTL = 255, Linux has TTL = 64. Window has TTL = 128 . TTL through each router will minus 1.

We see that the Ethernet protocol on a LAN has fields.

SMAC is the MAC address of the sender.
DMAC is the MAC address of the recipient.
Type: 0x0800: Based on the value of 0x0800 that knows above layer 3 runs IP protocol. Layer 3 has many protocols like IPX, Apple Talk, IP. Every protocol will There is a specified number. But current network systems are using IP, so type is 0x0800.

To capture TCP header. We use the command "telnet google.com 80". Telnet is the protocol used to connect remotely. Telnet uses TCP by default, port 23 .We can use telnet with port 80 to test the web server at port 80.

C:\Windows\system32> telnet google.com 80

topology

We see the sending PC has a Source Port of 52680 and a Destination Port of 80.

The PC will perform a 3-way handshake connection. topology

PC ----------- Server
    --SYN ->   
    <- SYN, ACK--
    --ACK ->

When we press "ctrl + z" to disconnect. topology

PC ------- Server
    <- FIN, ACK
    -> ACK
    -> FIN, ACK
    <- ACK

On the Command Prompt screen

HTTP / 1.0 400 Bad Request
Content-Length: 54  
Content-Type: text / html; charset = UTF-8
Date: Tue, 30 Jun 2020 14:26:01 GMT                                  
<html> <title> Error 400 (Bad Request) !! 1 </title> </html>                                                                  

Connection to host lost.

C:\Windows\system32>