Purpose
This exercise introduces you to some low-level networking concepts. These topics include
hardware/MAC addresses, IP addresses, the ARP protocol, which resolves IP addresses to MAC addresses, the
ping command for testing network connectivity, nmap, and the packet analyzer Wireshark for monitoring
network traffic. By the end of the assignment, you should be able to use the packet analyzer to record
and examine network traffic, and to explain how ARP and DHCP go about their business of acquiring MAC
and IP addresses.
Note that nmap and Wireshark are powerful tools that we are using in a controlled environment in the
lab. Using such tools maliciously on open networks could result in negative consequences.
Perform the following tasks in the Windows 7 SDK VM in the Cyber Security Lab, and answer the questions
using your test results (provide screenshots) and scholarly sources.
1. What is your address?
a. Find the addresses for b-f below (list them and provide a screenshot). Make sure you have the
correct interface card, as there may be multiple active interfaces. Use the following command:
ipconfig /all
b. Physical address – this is your MAC address
c. IPv4 address
d. Subnet mask
e. The DHCP server IP address – this is the device which assigns IP addresses to devices
f. The default gateway address – this is the device that messages are sent to for routing to other
networks
2. What’s running?
a. Examine what services are running and their port numbers (provide a screenshot). The command
for this is
netstat -an
b. The information that is displayed includes the protocol, local address, remote (foreign)
address, and the connection state. Each address is shown together with its port number. 1)
Describe what the different connection states mean, and 2) explain how this information might be
useful to a network security administrator.
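The following is an added example, not part of the assignment: it parses the text that `netstat -an` prints on Windows (a constructed sample is embedded), counts the connection states, and lists the ports that accept inbound traffic from the network, which is the view an administrator reviewing a host starts from.

```python
from collections import Counter

# Constructed sample of `netstat -an` output; the addresses and ports are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.56.101:49160   74.125.224.72:80       ESTABLISHED
  TCP    192.168.56.101:49161   74.125.224.72:443      TIME_WAIT
  TCP    192.168.56.101:49162   192.168.56.1:8080      CLOSE_WAIT
  UDP    0.0.0.0:68             *:*
  UDP    0.0.0.0:5355           *:*
"""

def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state) tuples.
    UDP rows have no State column, so they are recorded with state 'NONE'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner, the column header and blank lines
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else "NONE"
        ip, port = local.rsplit(":", 1)  # rsplit keeps IPv6 literals intact
        rows.append((proto, ip, int(port), foreign, state))
    return rows

def state_counts(rows):
    """How many sockets are in each connection state (LISTENING, ESTABLISHED, ...)."""
    return Counter(state for *_, state in rows)

def exposed_ports(rows):
    """Ports bound to every interface (0.0.0.0) that accept inbound traffic:
    TCP sockets in LISTENING plus every UDP socket. These are what the rest
    of the network can reach, so each one should map to a known, wanted service."""
    return sorted((proto, port) for proto, ip, port, _, state in rows
                  if ip == "0.0.0.0" and (state == "LISTENING" or proto == "UDP"))

if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    print(state_counts(parsed))
    print(exposed_ports(parsed))
```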
3. Test your network connection
a. The ping command is a command prompt command used to test the ability of the source computer to
reach a specified destination computer. Ping is usually used as a simple way to verify that a computer
can communicate over the network with another computer or device.
i. Describe how the ping command works (i.e., what protocol does it use?)
ii. Pinging the loopback address (range 127.0.0.1 to 127.255.255.255) lets you test your own
network stack and confirm that the IP stack is functioning properly. Test your own connectivity with
the following command
ping 127.0.0.1
iii. 1) show a screenshot and 2) when would you most likely use this utility in your everyday life
as a student or at home?
iv. Ping one of the Google IP addresses:
ping 74.125.224.72
v. Show a screenshot. Was the ping successful? Why? When would you perform this? When and/or
why would you not ping an IP address?
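The following is an added example, not part of the assignment: it builds the ICMP Echo Request that ping sends (type 8, code 0, RFC 792) with the 32-byte payload Windows ping uses, computes and verifies the RFC 1071 checksum, and shows how the matching Echo Reply is paired with its request by identifier and sequence number. Nothing is transmitted; the packets are built and checked offline.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# The 32-byte payload pattern Windows ping sends by default.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (used by ICMP, IP, TCP, UDP)."""
    if len(data) % 2:
        data += b"\x00"            # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """ICMP header (type, code, checksum, identifier, sequence) plus payload,
    with the checksum computed over the whole message."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def build_echo_request(ident, seq, payload=WINDOWS_PING_PAYLOAD):
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)

def parse_icmp(packet):
    """Validate the checksum and return (type, code, id, seq, payload).
    A message whose checksum does not verify is rejected, as the IP stack does."""
    if internet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return typ, code, ident, seq, packet[8:]

def build_echo_reply(request):
    """What the destination sends back: type 0 with the same id, seq and payload."""
    _, _, ident, seq, data = parse_icmp(request)
    return build_echo(ICMP_ECHO_REPLY, ident, seq, data)

def is_reply_to(reply, request):
    """True when `reply` matches `request` by id and sequence number, which is
    how ping pairs each reply with the request it sent and measures the RTT."""
    r_type, _, r_id, r_seq, r_data = parse_icmp(reply)
    q_type, _, q_id, q_seq, q_data = parse_icmp(request)
    return (r_type == ICMP_ECHO_REPLY and q_type == ICMP_ECHO_REQUEST
            and (r_id, r_seq, r_data) == (q_id, q_seq, q_data))
```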
4. Examine ARP traffic
a. The arp program lets you view the contents of the ARP cache. Type in the following command:
arp -a
b. Provide a screenshot. What is this information telling you?
5. Examine network traffic
a. For this task, you will analyze network activity using the Wireshark network protocol analyzer.
b. Install Wireshark on the Windows 7 SDK VM. The application can be accessed at
https://www.wireshark.org/
c. Start a Wireshark capture session
i. Open a cmd prompt and enter: ipconfig /release This command releases the IP address
currently used by your system.
ii. At the cmd prompt enter: ipconfig /renew This command causes your system to acquire a
new IP address.
iii. At the cmd prompt enter: ipconfig /flushdns This command clears the DNS cache on your
system so that every newly entered URL will generate a DNS query.
iv. At the cmd prompt enter: arp -a This command shows the contents of your system's ARP
table.
v. Open a web browser tab and enter the URL: www.utsa.edu
vi. Open another browser tab and enter: www.usaa.com
vii. Stop the capture session and save the data.
viii. Answer the following questions:
1. Locate the ARP packets sent and received during the capture session.
a. What is the purpose of the ARP frames?
b. What are the addresses involved? What devices do those addresses belong to?
c. Include screen prints to substantiate your answer
2. Locate the DHCP packets (bootp filter) that were generated when you released and renewed your
IP address.
a. Describe the purpose of the DHCP protocol.
b. What were the main IP addresses involved in the generation of the DHCP frames?
c. Explain the purpose and effect of each of the frames involved.
d. Include screen prints of the frames to substantiate your answer.
3. Locate the DNS query and response message for www.utsa.edu.
a. What is the purpose of DNS frames?
b. Were the DNS packets sent using the UDP or TCP transport layer protocol?
c. Why do you think that transport protocol was used rather than the other protocol?
d. What were the source and destination ports for the DNS frames generated during your capture
session?
e. Include screen prints of the frames to substantiate your answer.
4. Locate the frames for the TCP 3-way handshake between your host and the web server for
www.utsa.edu.
a. What is the purpose of the 3-way handshake frames?
b. What are the source and destination ports that were used for those frames?
c. Starting with the first frame of the 3-way handshake, list the SEQ and ACK numbers for the
three handshake frames. Do you see a pattern? What is it?
5. Locate the frames that were generated when you accessed www.usaa.com.
a. How do these frames differ from the frames generated when you accessed www.utsa.edu?
b. What do you think is the reason for this different approach for the www.usaa.com traffic?
c. List and describe all additional protocols you see for the www.usaa.com traffic that
were not present for the www.utsa.edu traffic.
6. Access the statistics for the capture session.
a. How long, in minutes, did the capture session last?
b. How many packets were captured?
c. How many bytes?
d. Which 5 protocols generated the greatest percentage of bytes of traffic? Provide screen prints
to support your answer.
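The following is an added example, not part of the assignment, serving both task 4 (the cache that `arp -a` prints) and question 1 of task 5 (the ARP frames in the capture): it builds the broadcast Ethernet/ARP request a host sends to learn the MAC address for an IP address, builds the unicast reply, decodes both into the fields Wireshark shows, and records the learned mapping in a cache. The MAC and IP addresses are constructed values, not addresses from the lab.

```python
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by a 28-byte ARP body for IPv4 over Ethernet.
    A request goes to the broadcast MAC because the target MAC is still unknown."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # hw=Ethernet, proto=IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Decode a frame into the fields Wireshark shows in its ARP dissector."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    fmt = lambda b: ":".join("%02x" % x for x in b)
    return {
        "dst_mac": fmt(frame[0:6]), "src_mac": fmt(frame[6:12]),
        "op": "request" if op == ARP_REQUEST else "reply",
        "sender_mac": fmt(frame[22:28]), "sender_ip": ".".join(map(str, frame[28:32])),
        "target_mac": fmt(frame[32:38]), "target_ip": ".".join(map(str, frame[38:42])),
    }

def arp_exchange(cache, asker_mac, asker_ip, wanted_ip, owner_mac):
    """Simulate 'Who has wanted_ip? Tell asker_ip' and the owner's reply, then
    store the learned mapping in `cache` (a dynamic entry, as `arp -a` lists)."""
    request = build_arp(ARP_REQUEST, asker_mac, asker_ip, "00:00:00:00:00:00", wanted_ip)
    q = parse_arp(request)
    # The owner answers with its own MAC as sender, addressed directly to the asker.
    reply = build_arp(ARP_REPLY, owner_mac, q["target_ip"], q["sender_mac"], q["sender_ip"])
    r = parse_arp(reply)
    cache[r["sender_ip"]] = r["sender_mac"]
    return request, reply
```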
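The following is an added example, not part of the assignment, for question 4 of task 5: it decodes the three TCP headers of a handshake and converts their SEQ and ACK fields to the relative numbers Wireshark displays by default (each side counted from its own initial sequence number), which makes the pattern the question asks about visible even when the ISN wraps around 2^32. The ports and initial sequence numbers are constructed values, not lab data.

```python
import struct

SYN, ACK = 0x02, 0x10   # the two flag bits a handshake uses

def build_tcp(sport, dport, seq, ack, flags):
    """Minimal 20-byte TCP header with no options; checksum left as zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)

def parse_tcp(segment):
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for n, bit in (("SYN", SYN), ("ACK", ACK)) if flags & bit]}

def relative_numbers(segments):
    """Return [(flags, rel_seq, rel_ack)] with each side's numbers counted from
    its own initial sequence number (ISN), as Wireshark displays by default."""
    isn = {}                 # (sport, dport) -> first SEQ seen in that direction
    out = []
    for seg in map(parse_tcp, segments):
        fwd = (seg["sport"], seg["dport"])
        rev = (seg["dport"], seg["sport"])
        isn.setdefault(fwd, seg["seq"])
        rel_seq = (seg["seq"] - isn[fwd]) & 0xFFFFFFFF   # arithmetic modulo 2^32
        rel_ack = (seg["ack"] - isn[rev]) & 0xFFFFFFFF if "ACK" in seg["flags"] else 0
        out.append(("/".join(seg["flags"]), rel_seq, rel_ack))
    return out

def handshake(client_port, server_port, client_isn, server_isn):
    """The three segments of a handshake. A SYN consumes one sequence number,
    so each side acknowledges the peer's ISN + 1 (modulo 2^32)."""
    m = 0xFFFFFFFF
    return [
        build_tcp(client_port, server_port, client_isn, 0, SYN),
        build_tcp(server_port, client_port, server_isn, (client_isn + 1) & m, SYN | ACK),
        build_tcp(client_port, server_port, (client_isn + 1) & m, (server_isn + 1) & m, ACK),
    ]
```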