ethereal/wireshark log analyze help

proview

Distinguished
May 9, 2008
Hello, I would like to ask you guys / girls to help me a little. I got an Ethereal/Wireshark log and I need to analyze it, but I can't do it all... (today I saw a log like this for the first time, dunno where I can start or what very many things in the log mean; the course is more theoretical so we don't have much practice and the prof just added this homework, we didn't get any notice). Pls, if somebody can help, or knows a good site where I can learn what those things in the log file mean, or how to get the data from that log file, pls tell me.... Thx again
Here are some questions....

* What DLL/MAC layer addresses can be seen in the trace?
* What IP addresses can be seen in the trace?
* How do the DLL/MAC and IP addresses map to each other?
* What is the Ethernet packet type and what does it mean?
* Can you tell from the trace file which Ethernet card is used to capture the traffic data, a normal 10/100M Ethernet card or an 802.11b wireless card?
* Can you deduce anything about the network topology on which this trace was taken, i.e. on which machine is the trace being taken? How many hosts are on the local network? What is the default gateway? What is the network mask? Which hosts are on the local network? Which ones are remote?
* How "far" away are the remote hosts?
* What different IP packet types can be seen what does each mean?
* Does IP fragmentation occur?
* Why would some packets have the "Don't fragment" bit set?
* Why the difference in the TTL values? If there was suddenly a change in the reported TTL, what would that be an indicator of?
* Are there any protocols that appear to be operating differently than as described in class?
* This packet trace is full of surprises, especially for someone who has never looked at a packet trace in detail before. List a few observations that were surprising to you including details of the observation and why it was particularly noteworthy.

Here is the log file
http://www.filecrunch.com/fileDownload.php?sub=16a307ad13cff747d2e28e37abd0628d&fileId=145967

Croatoan

Distinguished
Apr 11, 2008
A question like this, since it's for a class, probably isn't good to answer directly... if we do, then what will you learn? And, while grades are important, your primary goal should be to learn. When professors make last-minute assignments like this don't panic... if they are hard then you likely won't be the only person who doesn't get it all. Look over the assignment again, and clarify anything that is confusing... then take it one step at a time.

The first step is to install WireShark, available from: http://www.wireshark.org/download.html

Once installed, open WireShark and open the log file provided. You will probably recognize some of the things right away, such as IP addresses and MAC addresses (if you don't know what they are they're probably covered in whatever text you're using, or at least on wikipedia here: http://en.wikipedia.org/wiki/Mac_address)... then it's on to the next question, and the next... if you have any specific questions about what something might mean please let us know and we can try to help.

Edit:
The log file is basically a "dump" of what packets the computer sees (in chronological order) on whatever network adapter it was set to capture packets on.

proview

Distinguished
May 9, 2008
Hi, thx for your reply... I answered most of the questions... except a few.... but thx for your reply... (the problem wasn't that I didn't know how to install Wireshark :p)
but I can't figure out these answers
* Can you deduce anything about the network topology on which this trace was taken, i.e. on which machine is the trace being taken? How many hosts are on the local network? Which hosts are on the local network? Which ones are remote?
* How "far" away are the remote hosts?
* Why the difference in the TTL values? (I know different operating systems use different default TTL values, and you can also use the TTL for traceroute, to determine how many routers were between the 2 hosts) If there was suddenly a change in the reported TTL, what would that be an indicator of?

If somebody checks out the log and tells me those answers I will be happy.. for those questions I really don't know the answer...

Croatoan

Distinguished
Apr 11, 2008
(I hope I can still help.. hopefully you take this all with a grain of salt)

1. From the log it is probably safe to say that the capturing system is partitioned from other parts of the network and the internet in general in some manner... so we can probably rule out ring and fully connected topologies. My best guess would be that the capture was taken on a tree-like network (where the individual 128.111.200.* subnet is interfacing with one device, so it looks like a star for just that section, but then goes to the internal network, and then eventually to a firewall and the external network/internet; you can use the DHCP/IP resolution requests and traceroute in the log to help determine this). For getting the number of hosts, you can sort by source or destination address or generate a flow graph (Statistics > Flow Graph) to get a view to better count the number of IPs on the same network (I would consider it proper to include the DNS here too, not just systems with the first three octets matching). The ones that have different IP ranges would then be considered remote.

2. You can look at the traceroute to 18.62.0.96 to tell how far away a lot of systems are - I also used this information to help answer the question above (look at the TTLs on the replies, you'll need to expand the Internet Protocol section to see them).

3. I think you answered your own question for this one!

I hope this helps. You can use this information to help aid your investigation, but don't rely solely on this analysis since it's probably not enough.
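The questions in the assignment (MAC/IP mapping, local vs. remote hosts, default gateway, fragmentation flags, "how far away" from TTLs) and the hints in the answer above can all be worked by decoding the Ethernet and IPv4 headers yourself rather than only clicking through Wireshark. The following is an added example, not part of this thread or the course material: it decodes raw Ethernet II + IPv4 frames and applies the reasoning described above. The trace it runs on is constructed inline (the MAC addresses, the 198.51.100.7 host and the /24 mask for the 128.111.200.* subnet are assumptions; the 128.111.200.* subnet and 18.62.0.96 come from the thread). The "distance" heuristic assumes the sender started from one of the common initial TTLs (64, 128 or 255) and counts the routers that decremented it.

```python
import struct
import ipaddress
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
# Assumption: the three initial TTL values most IP stacks use by default.
INITIAL_TTLS = (64, 128, 255)


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, df=False, proto=1):
    """Constructed Ethernet II + IPv4 frame (header checksum left 0; the parser ignores it)."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0x1234, 0x4000 if df else 0, ttl, proto, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip_hdr


def parse_frame(raw):
    """Decode the fields the trace questions ask about; None for anything that is not IPv4."""
    if len(raw) < 34:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto, _csum, sip, dip = struct.unpack(
        "!BBHHHBBH4s4s", raw[14:34])
    if ver_ihl >> 4 != 4:
        return None
    return {
        "src_mac": _mac_text(src), "dst_mac": _mac_text(dst), "ethertype": ethertype,
        "src_ip": str(ipaddress.IPv4Address(sip)), "dst_ip": str(ipaddress.IPv4Address(dip)),
        "ttl": ttl, "proto": proto,
        "df": bool(flags_frag & 0x4000),            # "Don't fragment" bit
        "mf": bool(flags_frag & 0x2000),            # "More fragments" bit
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # non-zero only inside a fragmented datagram
    }


def mac_ip_map(frames):
    """Sender IP -> set of sender MACs. Remote IPs all arriving from one MAC point at the gateway."""
    seen = defaultdict(set)
    for f in frames:
        seen[f["src_ip"]].add(f["src_mac"])
    return dict(seen)


def classify_hosts(frames, local_net):
    """Split every address in the trace into local (inside the mask) and remote."""
    net = ipaddress.ip_network(local_net)
    local, remote = set(), set()
    for f in frames:
        for ip in (f["src_ip"], f["dst_ip"]):
            (local if ipaddress.ip_address(ip) in net else remote).add(ip)
    return local, remote


def guess_gateway_mac(frames, local_net):
    """The MAC that delivers packets from the most distinct remote IPs is the default gateway's."""
    net = ipaddress.ip_network(local_net)
    remote_ips_per_mac = defaultdict(set)
    for f in frames:
        if ipaddress.ip_address(f["src_ip"]) not in net:
            remote_ips_per_mac[f["src_mac"]].add(f["src_ip"])
    if not remote_ips_per_mac:
        return None
    return max(remote_ips_per_mac, key=lambda m: len(remote_ips_per_mac[m]))


def estimate_hops(ttl):
    """(assumed initial TTL, routers traversed): nearest default TTL at or above the observed value."""
    start = min(t for t in INITIAL_TTLS if t >= ttl)
    return start, start - ttl


def ttl_changes(frames):
    """Sources whose TTL is not constant: the path changed, or a different OS is answering for that IP."""
    ttls = defaultdict(list)
    for f in frames:
        ttls[f["src_ip"]].append(f["ttl"])
    return {ip: seen for ip, seen in ttls.items() if len(set(seen)) > 1}


# Constructed trace: the capturing host, one LAN peer, and two remote hosts reached via the gateway.
LOCAL_NET = "128.111.200.0/24"       # assumption: mask for the subnet named in the thread
CAP_IP, CAP_MAC = "128.111.200.10", "aa:bb:cc:00:00:10"
PEER_IP, PEER_MAC = "128.111.200.20", "aa:bb:cc:00:00:20"
GATEWAY_MAC = "aa:bb:cc:00:00:01"
SAMPLE_TRACE = [parse_frame(raw) for raw in (
    build_frame(PEER_MAC, CAP_MAC, CAP_IP, PEER_IP, 64, df=True),      # local to local, DF set
    build_frame(CAP_MAC, PEER_MAC, PEER_IP, CAP_IP, 128),             # peer answers (128 default)
    build_frame(GATEWAY_MAC, CAP_MAC, CAP_IP, "18.62.0.96", 64, df=True),
    build_frame(CAP_MAC, GATEWAY_MAC, "18.62.0.96", CAP_IP, 243),      # 255 - 243 = 12 routers away
    build_frame(CAP_MAC, GATEWAY_MAC, "198.51.100.7", CAP_IP, 56),     # 64 - 56 = 8 routers away
    build_frame(CAP_MAC, GATEWAY_MAC, "198.51.100.7", CAP_IP, 119),    # same IP, TTL jumps
)]


def summarize(frames=SAMPLE_TRACE, local_net=LOCAL_NET):
    local, remote = classify_hosts(frames, local_net)
    net = ipaddress.ip_network(local_net)
    return {
        "mac_ip_map": mac_ip_map(frames),
        "local_hosts": sorted(local), "remote_hosts": sorted(remote),
        "gateway_mac": guess_gateway_mac(frames, local_net),
        "routers_to": {f["src_ip"]: estimate_hops(f["ttl"])[1]
                       for f in frames if ipaddress.ip_address(f["src_ip"]) not in net},
        "ttl_changes": ttl_changes(frames),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On a real capture you would feed `parse_frame` the bytes of each packet (Wireshark's File > Export Packet Dissections, or any pcap reader) and set `LOCAL_NET` from the mask the DHCP or ARP traffic reveals. The gateway heuristic is the DLL/IP mapping question in code: every remote IP address arrives with the same source MAC, because the router rewrites the Ethernet header on the last hop. The TTL distance is only an estimate, since it relies on guessing the sender's initial TTL.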

test_for_now

Distinguished
May 16, 2008
Thanks David... I'm in the process of trying to register so I can post the following response:

Howdy all. I'm the instructor for this course.

First, thanks for recognizing that answering all of the questions doesn't really help the student.

Second, the assignment was posted a couple of weeks ago and is due June 4th so the student has plenty of time.

Third, if you are the student and are reading this, Brett (that's the TA, for everyone else) was due to go over the homework in discussion Friday at 12pm.

Fourth, I have no problem with asking general questions on a list like this (after all, when you get out into the real world, how else are you going to learn?), but try and answer questions on your own first.

And finally, if anyone else is reading this and is now curious about the context, here's the course web page:

http://www.cs.ucsb.edu/~almeroth/classes/S08.176A/

-Kevin