URL:http://www.docs.uu.se/~perg/course/datakom/dv97/snoopuppg.html>

Eavesdropping network traffic


Introduction

The purpose of this lab is to familiarize you with some of the low level details of network traffic on an Ethernet LAN. More precisely, you will study the TCP protocol and snoop on some of the TCP/IP packets that transit the Ethernet your workstation is attached to. You will also be confronted with a security pitfall that results from unprotected network traffic.

Important note!  To complete this lab you need to run a special program that will be available only during the scheduled lab time. Hence, no late runners will be accepted!

Prerequisites

This lab is designed so that it can (and shall) be completed during the lab session. This, however, means that you have to prepare yourself so that you have some basic knowledge of TCP/IP and the IEEE standard 802.3.

Reading the following sections in Tanenbaum's book should be enough:

Description

In order to monitor the network traffic you need to log in on a workstation and run a command line program called snoop. This program monitors the network interface on your host workstation and prints out the headers of certain data packets (or complete packets) according to the options you give. The following options are accepted by the program.

SYNOPSIS

OPTIONS

OUTPUT (read this section carefully)

If the -e option is given, the link level header is printed out. More specifically, the source and destination addresses, protocol, and packet length are printed.

ARP output shows the type of request and its arguments. The format is intended to be self explanatory.

The general format of a TCP protocol line is: src > dst: flags data-seqno ack window urgent options. Src and dst are the source and destination IP addresses and ports. Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST), or a single `.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (the notation is 'first:last(nbytes of user data)'). Ack is the sequence number of the next data expected in the other direction on this connection. Only the first sequence number in each direction is given as an absolute number; the sequence numbers of the remaining packets in each direction are given relative to the first ones. Window is the number of bytes of receive buffer space available in the other direction on this connection. Urg indicates that there is `urgent' data in the packet. Options are TCP options enclosed in angle brackets (e.g., <mss 1024>). Src, dst and flags are always present. The other fields depend on the contents of the packet's TCP protocol header and are output only if appropriate. A packet with the IP don't-fragment flag set is marked with a trailing '(DF)'.

All output lines are preceded by a timestamp. The timestamp is the current clock time in the form hh:mm:ss.frac and is as accurate as the kernel's clock. The timestamp reflects the time the kernel first saw the packet.

When the -x option is given the packet content will be dumped in hexadecimal notation. The content is formatted in 16-bit segments, e.g. the hex dump '020a 0802' is four bytes long (with decimal values 2, 10, 8 and 2 respectively).

EXAMPLES

This will print the contents of all arp packets:

This will print the first two TCP packets on the Telnet port from Veda.DoCS.UU.SE. The printout will include link-level information, and addresses will not be converted into names:

Exercises

Startup question: Which machine is your host, i.e. which machine do you intend to run snoop on?

Dissecting a TCP/IP packet

In this small exercise you are supposed to capture one TCP/IP packet, preferably the first one, from a Telnet session and study its contents.

To accomplish this you need to start snoop with the right options, then log in remotely to one of the machines in rooms 1411 - 1413 and, finally, Telnet back to your host. Make sure that the printout contains the full contents of the packet (use the -x option) so that you can identify the different parts.

Scribble down here what snoop printed (the hex portion is the important part, you can skip the rest):

---------------------------------------------------------------------

To answer the following questions it might be a good idea to have figures 5-45 and 6-24 in Tanenbaum's book at hand.

Question 1: In your hex dump above, which comes first in the packet, the IP header or the TCP header?

Question 2: At which bytes do the headers end? (You can just mark it in your hex dump above.)

Question 3: Where can the protocol identifier be found in the IP header and what decimal value does it have in your hex dump? (If you can't manage to find it, you can cheat by looking in IETF's RFC 1700 where the value is listed along with the values for all the other recognized protocols.)

Question 4: Where can the source and destination addresses be found and what values (in the three dot notation, e.g. 130.238.8.101) do they have in your hex dump?

Question 5: What port number (in decimal notation, please) does the Telnet service have, and where do you find it in your dump?
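As an added example (not part of the original lab), the dissection asked for in Questions 1 to 5 carried out on a constructed snoop -x style dump. The dump is assumed to start at the IP header (no link-level header in front); addresses, ports and sequence number are made up and checksums are left at zero.

```python
import struct

# Constructed sample: the first packet of a Telnet connection (a SYN carrying an MSS option)
# in the 16-bit-group notation of snoop -x. Addresses are made up, checksums left as zero.
SAMPLE_DUMP = ("4500 002c 0001 4000 4006 0000 82ee 0865 82ee 0866 "
               "04d2 0017 0000 03e8 0000 0000 6002 2000 0000 0000 0204 0400")

def dissect(dump: str) -> dict:
    pkt = bytes.fromhex(dump)                    # whitespace between the groups is ignored
    # IPv4 header (RFC 791): version/IHL in byte 0, protocol in byte 9, addresses in bytes 12-19
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    total_len = int.from_bytes(pkt[2:4], "big")
    info = {
        "ip_header_end": ihl,                    # offset of the first byte after the IP header
        "dont_fragment": bool(int.from_bytes(pkt[6:8], "big") & 0x4000),
        "protocol": pkt[9],                      # 6 means TCP (RFC 1700)
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
    }
    if info["protocol"] != 6 or min(len(pkt), total_len) < ihl + 20:
        return info                              # only TCP is decoded further
    # TCP header (RFC 793): ports, seq, ack, data offset + flags, window, then options
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    bits = off_flags & 0x3F
    # letters for SYN, FIN, PUSH, RST as in the snoop output, or '.' when none of them is set
    letters = (("S", 0x02), ("F", 0x01), ("P", 0x08), ("R", 0x04))
    flags = "".join(c for c, mask in letters if bits & mask) or "."
    options, i = {}, 20
    while i < min(data_offset, len(tcp)):        # walk the option list, decoding MSS (kind 2)
        kind = tcp[i]
        if kind == 0:                            # end of options
            break
        if kind == 1:                            # no-operation padding
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < len(tcp) else 0
        if length < 2:                           # malformed option; stop rather than loop forever
            break
        if kind == 2 and length == 4:
            options["mss"] = int.from_bytes(tcp[i + 2:i + 4], "big")
        i += length
    info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack if bits & 0x10 else None,
                window=window, flags=flags, tcp_header_end=ihl + data_offset,
                payload_bytes=total_len - ihl - data_offset, options=options)
    return info
```

Run it on your own dump by pasting the hex groups into SAMPLE_DUMP; the returned offsets are the byte positions the questions ask you to mark.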

TCP setup and release

You will now study the handshaking which takes place during the setup and release of a TCP connection. Again we use the Telnet service to initiate the connection.

Start by shutting down your previous Telnet session and exit snoop (unless it has already exited by itself; if you were wise enough to use the -c 1 option in the previous exercise it should have done so automatically). Start snoop again, but this time without the -x option, and then Telnet back to your host. Type Ctrl-D at the login prompt to shut down the Telnet session.

You should now have a printout of the twenty or so packets that were sent by the two hosts in the short Telnet session.

Question 6: Which packets constitute the TCP setup phase? How does the recipient recognize a TCP packet as a connection setup request packet, i.e. what is the recipient's reply in your Telnet session?

Question 7: Do you notice anything strange about the sequence numbers? (Hint: are they strictly increasing? Is it a 32-bit wrap-around you see, i.e. could you have run out of sequence numbers?)

Question(s) 8: On some of the packets you can see the letter P. What does it mean? Why are packets usually marked with a 'P' in an interactive session? Is it effective?

Question 9: Some lines may contain the following: '. ack seq-nr'. What does it mean? By inspecting your printout, how does TCP usually try to send acknowledgements?

Question 10: Refer to figure 6-28 in Tanenbaum's book. Draw your own TCP connection management finite state machine (FSM) for the printout you received. That is, you can ignore all the non-setup and non-release packets. You should draw one FSM for the client and one for the server. Include the snoop printout and indicate which lines in the printout correspond to the transitions in your FSMs.
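As an added example (not part of the original lab), a small tracker that replays TCP lines in the format described above through the connection-management FSM of Question 10, keeping one state per endpoint and reporting which line caused each transition. The trace, its addresses and sequence numbers are constructed, and the window field is assumed to print as 'win N'.

```python
import re

# Constructed trace of a short Telnet session in the TCP line format described above
# (made-up addresses and numbers; the window field is assumed to print as 'win N').
TRACE = """\
14:02:01.100 130.238.8.101.1234 > 130.238.8.102.23: S 1000:1000(0) win 8192 <mss 1024>
14:02:01.101 130.238.8.102.23 > 130.238.8.101.1234: S 5000:5000(0) ack 1001 win 8192 <mss 1024>
14:02:01.102 130.238.8.101.1234 > 130.238.8.102.23: . ack 1 win 8192
14:02:01.300 130.238.8.101.1234 > 130.238.8.102.23: P 1:4(3) ack 1 win 8192
14:02:03.000 130.238.8.101.1234 > 130.238.8.102.23: F 4:4(0) ack 1 win 8192
14:02:03.001 130.238.8.102.23 > 130.238.8.101.1234: . ack 5 win 8192
14:02:03.002 130.238.8.102.23 > 130.238.8.101.1234: F 1:1(0) ack 5 win 8192
14:02:03.003 130.238.8.101.1234 > 130.238.8.102.23: . ack 2 win 8192
""".splitlines()

LINE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+)"
                  r"(?: (?P<first>\d+):(?P<last>\d+)\(\d+\))?(?: ack (?P<ack>\d+))?")
# Connection-management FSM (RFC 793 / Tanenbaum fig. 6-28), keyed by (state, event).
# Events: S = bare SYN, SA = SYN+ACK, F = FIN, FA = ACK covering the peer's FIN, A = anything else.
SEND = {("CLOSED", "S"): "SYN_SENT", ("LISTEN", "SA"): "SYN_RCVD", ("SYN_SENT", "A"): "ESTABLISHED",
        ("ESTABLISHED", "F"): "FIN_WAIT_1", ("CLOSE_WAIT", "F"): "LAST_ACK"}
RECV = {("SYN_RCVD", "A"): "ESTABLISHED", ("ESTABLISHED", "F"): "CLOSE_WAIT",
        ("FIN_WAIT_2", "F"): "TIME_WAIT", ("FIN_WAIT_1", "FA"): "FIN_WAIT_2", ("LAST_ACK", "FA"): "CLOSED"}
def event(flags, ack, fin_acked):
    if "S" in flags:
        return "SA" if ack is not None else "S"
    return "F" if "F" in flags else "FA" if fin_acked else "A"

def track(lines):
    state, fin_seq, client, trans = {}, {}, None, []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        ack = int(m["ack"]) if m["ack"] else None
        if client is None:                          # the first bare SYN identifies the client
            if "S" not in flags or ack is not None:
                continue                            # connection began before the capture
            client, state[src], state[dst] = src, "CLOSED", "LISTEN"
        fin_acked = ack is not None and dst in fin_seq and ack > fin_seq[dst]
        ev = event(flags, ack, fin_acked)
        if "F" in flags and m["last"]:
            fin_seq[src] = int(m["last"])           # an ACK above this number covers the FIN
        for ep, table in ((src, SEND), (dst, RECV)):    # sender's move, then receiver's
            new = table.get((state.get(ep), ev))
            if new:
                trans.append((ep, state.get(ep), new, n))
                state[ep] = new
    return {"client": client, "transitions": trans, "final": dict(state)}
```

The returned transitions are exactly the arrows to draw in the two FSMs, each tagged with the printout line that triggered it; the data packet on line 4 causes none.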

Other kinds of packets

Of course, TCP/IP packets are not the only ones that are sent on the Ethernet your host is attached to. Another type is the Address Resolution Protocol (ARP) packet. Any packet sent to your host is actually addressed to a hardware address that is globally unique to the Ethernet interface of your host. This is the MAC-address. If the sender does not know the MAC-address of your host's Ethernet interface, it must broadcast an ARP-packet to get the address before it can send any other packets to you.

The ARP protocol is described in IETF's RFC 826. The following is a small (and slightly edited) excerpt from that RFC.

"Packet format:

...

To communicate mappings from <protocol, address> pairs to 48-bit Ethernet addresses, a packet format that embodies the Address Resolution protocol is needed. The format of the packet follows.

...

Ethernet packet data:

16.bit: Hardware address space (e.g., 1 for Ethernet)

16.bit: Protocol address space. For Ethernet hardware, this is from the set of type fields ether_typ$<protocol>.

8.bit: byte length of each hardware address

8.bit: byte length of each protocol address

16.bit: opcode (1 for REQUEST, 2 for REPLY)

nbytes: Hardware address of sender of this packet.

mbytes: Protocol address of sender of this packet.

nbytes: Hardware address of target of this packet (if known).

mbytes: Protocol address of target."
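As an added example (not part of the lab or of RFC 826), a decoder for the format just quoted, applied to a constructed ARP request written as 16-bit hex groups. It assumes the dump starts with the 14-byte Ethernet header (destination, source, type 0x0806) in front of the ARP body; all addresses are made up.

```python
import struct

# Constructed ARP request as a hex dump in 16-bit groups: a 14-byte Ethernet header
# (broadcast destination, source MAC, type 0x0806) followed by the 28-byte ARP packet.
# Made-up addresses: 08:00:20:aa:bb:cc at 130.238.8.101 asks who has 130.238.8.102.
ARP_REQUEST = ("ffff ffff ffff 0800 20aa bbcc 0806 "
               "0001 0800 0604 0001 0800 20aa bbcc 82ee 0865 0000 0000 0000 82ee 0866")

OPCODES = {1: "REQUEST", 2: "REPLY"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip4(b: bytes) -> str:
    return ".".join(map(str, b))

def parse_arp(dump: str) -> dict:
    frame = bytes.fromhex(dump)
    eth_dst, eth_src, eth_type = frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    if eth_type != 0x0806:
        raise ValueError(f"not an ARP frame (ethertype {eth_type:#06x})")
    arp = frame[14:]
    # fixed part: hardware address space, protocol address space, address lengths, opcode
    hw_space, proto_space, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if len(arp) < 8 + 2 * (hlen + plen):
        raise ValueError("truncated ARP packet")
    # variable part, sized by hlen/plen: sender hw, sender proto, target hw, target proto
    off, fields = 8, []
    for length in (hlen, plen, hlen, plen):
        fields.append(arp[off:off + length])
        off += length
    sender_hw, sender_proto, target_hw, target_proto = fields
    return {
        "eth_dst": mac(eth_dst), "eth_src": mac(eth_src),
        "hw_space": hw_space, "proto_space": proto_space, "hlen": hlen, "plen": plen,
        "opcode": OPCODES.get(opcode, opcode),
        "sender_hw": mac(sender_hw), "sender_proto": ip4(sender_proto),
        "target_hw": mac(target_hw), "target_proto": ip4(target_proto),
        # the sender's MAC appears both in the ARP body and as the Ethernet source; a
        # mismatch between the two is worth a second look when reading a capture
        "consistent": sender_hw == eth_src,
    }
```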

Let's snoop on some ARP-packet traffic. Start snoop with the options -nax. Hopefully, you will eventually catch a request and the corresponding reply. If you do not succeed in getting a request-reply sequence within a few minutes you can abort and simply use one of the (many) request packets.

Scribble down here what snoop printed (the contents of the request packet is enough):

---------------------------------------------------------------------

Question 11: What is the MAC-address of the host that made the ARP-request?

While you are at it, figure out a way to find the MAC-address for the Ethernet interface of your host using snoop.

Question(s) 12: Which address did you obtain and how did you do it? Did your idea work? Reason?
(If your idea failed you can always fall back on the -e option for snoop.)

Now try the following: start snoop with just the -a option. Study the printout for a while, then exit snoop with Ctrl-C.

Question 13: Why is the ARP traffic quite moderate even though the network is probably quite busy?

Watch your back, somebody might be eavesdropping!

Those of you who have a malicious mind may have already figured out that snoop can be used for other, less noble, purposes. For instance, recall the Telnet session examined earlier. If you had completed the login and typed your username along with your password while, at the same time, someone else was snooping your network traffic, you would have been in trouble. Your username and password would have been out in the open. Snatching your partner's password is exactly what you will do in this exercise.

Note! We do remind you that this kind of behaviour is highly unethical under normal circumstances. Consider this exercise an illustration of how hazardous unencrypted network traffic can be in the hands of people with harmful intent.

Before you start, the person (you or your lab-partner) whose password is to be cracked should change password to a temporary one (or, alternatively, change to a new password after this lab). Then, snoop on the packets during the Telnet login procedure so that you can figure out the password.

The details? You figure it out (it is not difficult).

Report

The report for this lab is to be completed during the lab session. It shall consist of the answers to the exercise questions. A printout of the packets (including their contents) that were needed to get the password in the final exercise shall also be included, along with a short description of how you went about getting the password (simply asking your partner is a no-no).