Lab - Using Wireshark to Examine FTP and TFTP Captures

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

Topology - Part 1 (FTP)

Part 1 will highlight a TCP capture of an FTP session. This topology consists of a PC with Internet access.

Topology - Part 2 (TFTP)

Part 2 will highlight a UDP capture of a TFTP session. The PC must have both an Ethernet connection and a console connection to Switch S1.

Addressing Table (Part 2)

Device   Interface   IP Address    Subnet Mask     Default Gateway
S1       VLAN 1      192.168.1.1   255.255.255.0   N/A
PC-A     NIC         192.168.1.3   255.255.255.0   192.168.1.1

Objectives

Part 1: Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture
Part 2: Identify UDP Header Fields and Operation Using a Wireshark TFTP Session Capture

Background / Scenario

The two protocols in the TCP/IP transport layer are TCP, defined in RFC 761, and UDP, defined in RFC 768. Both protocols support upper-layer protocol communication. For example, TCP is used to provide transport layer support for the HyperText Transfer Protocol (HTTP) and FTP protocols, among others. UDP provides transport layer support for the Domain Name System (DNS) and TFTP, among others.

Note: Understanding the parts of the TCP and UDP headers and their operation is a critical skill for network engineers.


In Part 1 of this lab, you will use the Wireshark open source tool to capture and analyze TCP protocol header fields for FTP file transfers between the host computer and an anonymous FTP server. The Windows command line utility is used to connect to an anonymous FTP server and download a file. In Part 2 of this lab, you will use Wireshark to capture and analyze UDP protocol header fields for TFTP file transfers between the host computer and Switch S1.

Note: The switch used is a Cisco Catalyst 2960s with Cisco IOS Release 15.0(2) (lanbasek9 image). Other switches and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the available commands and output produced might vary from what displays in the labs.

Note: Make sure that the switch has been erased and has no startup configurations. If you are unsure, contact your instructor.

Note: Part 1 assumes the PC has Internet access and cannot be performed using Netlab. Part 2 is Netlab compatible.

Required Resources - Part 1 (FTP)

- 1 PC (Windows 7, Vista, or XP with command prompt access, Internet access, and Wireshark installed)

Required Resources - Part 2 (TFTP)

- 1 Switch (Cisco 2960 with Cisco IOS Release 15.0(2) lanbasek9 image or comparable)
- 1 PC (Windows 7, Vista, or XP with Wireshark and a TFTP server, such as tftpd32, installed)
- Console cable to configure the Cisco IOS devices via the console port
- Ethernet cable as shown in the topology

Part 1: Identify TCP Header Fields and Operation Using a Wireshark FTP Session Capture

In Part 1, you use Wireshark to capture an FTP session and inspect TCP header fields.

Step 1: Start a Wireshark capture.

a. Close all unnecessary network traffic, such as the web browser, to limit the amount of traffic during the Wireshark capture.

b. Start the Wireshark capture.

Step 2: Download the Readme file.

a. From the command prompt, enter ftp ftp.cdc.gov.

b. Log into the FTP site for the Centers for Disease Control and Prevention (CDC) with user anonymous and no password.

c. Locate and download the Readme file.

Step 3: Stop the Wireshark capture.

Step 4: View the Wireshark Main Window.

Wireshark captured many packets during the FTP session to ftp.cdc.gov. To limit the amount of data for analysis, type tcp and ip.addr == 198.246.112.54 in the Filter: entry area and click Apply. The IP address, 198.246.112.54, is the address for ftp.cdc.gov.

Step 5: Analyze the TCP fields.

After the TCP filter has been applied, the first three frames in the packet list pane (top section) display the transport layer protocol TCP creating a reliable session. The sequence of [SYN], [SYN, ACK], and [ACK] illustrates the three-way handshake.

TCP is routinely used during a session to control datagram delivery, verify datagram arrival, and manage window size. For each data exchange between the FTP client and FTP server, a new TCP session is started. At the conclusion of the data transfer, the TCP session is closed. Finally, when the FTP session is finished, TCP performs an orderly shutdown and termination.

In Wireshark, detailed TCP information is available in the packet details pane (middle section). Highlight the first TCP datagram from the host computer, and expand the TCP record. The expanded TCP datagram appears similar to the packet detail pane shown below.

The image above is a TCP datagram diagram. An explanation of each field is provided for reference:


The TCP source port number belongs to the TCP session host that opened the connection. The value is normally a random value above 1,023.

The TCP destination port number is used to identify the upper layer protocol or application on the remote site. The values in the range 0 to 1,023 represent the well-known ports and are associated with popular services and applications (as described in RFC 1700, such as Telnet, FTP, HTTP, and so on). The combination of the source IP address, source port, destination IP address, and destination port uniquely identifies the session to both sender and receiver.

Note: In the Wireshark capture below, the destination port is 21, which is FTP. FTP servers listen on port 21 for FTP client connections.

The Sequence number specifies the number of the last octet in a segment. The Acknowledgment number specifies the next octet expected by the receiver. The Code bits have a special meaning in session management and in the treatment of segments. Among the interesting values are:

- ACK: Acknowledgement of a segment receipt.
- SYN: Synchronize, only set when a new TCP session is negotiated during the TCP three-way handshake.
- FIN: Finish, request to close the TCP session.

The Window size is the value of the sliding window; it determines how many octets can be sent before waiting for an acknowledgement.

The Urgent pointer is only used with the Urgent (URG) flag, when the sender needs to send urgent data to the receiver.

The Options field currently has only one option defined, the maximum TCP segment size (an optional value).

Using the Wireshark capture of the first TCP session startup (SYN bit set to 1), fill in information about the TCP header:

From the PC to the CDC server (only the SYN bit is set to 1):

Source IP Address:
Destination IP Address:
Source port number:
Destination port number:
Sequence number:
Acknowledgement number:
Header length:
Window size:

In the second Wireshark filtered capture, the CDC FTP server acknowledges the request from the PC. Note the values of the SYN and ACK bits.

Fill in the following information regarding the SYN-ACK message.

Source IP address:
Destination IP address:
Source port number:
Destination port number:
Sequence number:
Acknowledgement number:
Header length:
Window size:

In the final stage of the negotiation to establish communications, the PC sends an acknowledgement message to the server. Notice only the ACK bit is set to 1, and the Sequence number has been incremented to 1.

Fill in the following information regarding the ACK message.

Source IP address:
Destination IP address:
Source port number:
Destination port number:
Sequence number:
Acknowledgement number:
Header length:
Window size:

How many other TCP datagrams contained a SYN bit?

After a TCP session is established, FTP traffic can occur between the PC and FTP server. The FTP client and server communicate with each other, unaware that TCP has control and management over the session. When the FTP server sends a Response: 220 to the FTP client, the TCP session on the FTP client sends an acknowledgment to the TCP session on the server. This sequence is visible in the Wireshark capture below.

When the FTP session has finished, the FTP client sends a command to quit. The FTP server acknowledges the FTP termination with a Response: 221 Goodbye. At this time, the FTP server TCP session sends a TCP datagram to the FTP client, announcing the termination of the TCP session. The FTP client TCP session acknowledges receipt of the termination datagram, then sends its own TCP session termination. When the originator of the TCP termination, the FTP server, receives a duplicate termination, an ACK datagram is sent to acknowledge the termination and the TCP session is closed. This sequence is visible in the diagram and capture below.

By applying an ftp filter, the entire sequence of the FTP traffic can be examined in Wireshark. Notice the sequence of the events during this FTP session. The username anonymous was used to retrieve the Readme file. After the file transfer completed, the user ended the FTP session.
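The header fields listed in Step 5 and the session start and termination described above can be checked programmatically rather than by reading them off the packet details pane. The following Python script is an added example, not part of the Cisco lab: it decodes the fixed TCP header from raw bytes (ports, sequence and acknowledgement numbers, header length from the data offset, code bits, window size, options) and then locates the three-way handshake and the two independent FIN/ACK exchanges in a list of segments. The segments, ports (49200 to 21) and initial sequence numbers are constructed for the demonstration and are not values from the lab's capture.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP code bits as laid out in the low 6 bits of the data-offset/flags word.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int          # bytes, derived from the 4-bit data offset (units of 32-bit words)
    flags: List[str]
    window: int
    checksum: int
    urgent_ptr: int
    options: bytes


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Decode the 20-byte fixed TCP header plus any options the data offset covers."""
    if len(segment) < 20:
        raise ValueError("segment is shorter than the minimum TCP header")
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset does not fit the captured segment")
    flags = [name for name, bit in TCP_FLAGS.items() if off_flags & bit]
    return TcpHeader(src, dst, seq, ack, header_len, flags, window, csum, urg, segment[20:header_len])


def build_segment(src: int, dst: int, seq: int, ack: int, flags, window: int = 8192,
                  options: bytes = b"") -> bytes:
    """Constructed test segment (checksum left zero); options are padded to a 32-bit boundary."""
    options = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    bits = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, (data_offset << 12) | bits, window, 0, 0) + options


def find_handshake(headers: List[TcpHeader]) -> Optional[Tuple[int, int, int]]:
    """Indexes of the [SYN], [SYN, ACK], [ACK] frames opening the session; each acknowledgement
    number must be the peer's initial sequence number plus one."""
    for i in range(len(headers) - 2):
        a, b, c = headers[i:i + 3]
        if (set(a.flags) == {"SYN"} and set(b.flags) == {"SYN", "ACK"}
                and "ACK" in c.flags and "SYN" not in c.flags
                and b.ack == a.seq + 1 and c.ack == b.seq + 1 and c.seq == a.seq + 1):
            return i, i + 1, i + 2
    return None


def find_teardown(headers: List[TcpHeader]) -> Optional[Dict[str, Tuple[int, int]]]:
    """Each direction closes independently: pair every FIN with the first later segment from the
    peer whose acknowledgement number covers it (a FIN consumes one sequence number)."""
    fins = [i for i, h in enumerate(headers) if "FIN" in h.flags]
    if len(fins) != 2:
        return None
    result = {}
    for label, i in zip(("first_fin", "second_fin"), fins):
        fin = headers[i]
        ack_idx = next((j for j in range(i + 1, len(headers))
                        if headers[j].src_port == fin.dst_port and headers[j].ack == fin.seq + 1), None)
        if ack_idx is None:
            return None
        result[label] = (i, ack_idx)
    return result


# Constructed session: client ephemeral port 49200 to FTP control port 21, hypothetical initial
# sequence numbers 1000 (client) and 5000 (server), and an MSS option on the SYN.
MSS_OPTION = b"\x02\x04\x05\xb4"                       # kind 2, length 4, MSS 1460
CLIENT, SERVER = 49200, 21
SESSION_BYTES = [
    build_segment(CLIENT, SERVER, 1000, 0, ["SYN"], options=MSS_OPTION),          # 0: [SYN]
    build_segment(SERVER, CLIENT, 5000, 1001, ["SYN", "ACK"]),                    # 1: [SYN, ACK]
    build_segment(CLIENT, SERVER, 1001, 5001, ["ACK"]),                           # 2: [ACK]
    build_segment(SERVER, CLIENT, 5001, 1001, ["PSH", "ACK"]) + b"220 " + b"x" * 16,  # 3: 20-byte banner
    build_segment(CLIENT, SERVER, 1001, 5021, ["ACK"]),                           # 4: banner acknowledged
    build_segment(SERVER, CLIENT, 5021, 1001, ["FIN", "ACK"]),                    # 5: server has no more data
    build_segment(CLIENT, SERVER, 1001, 5022, ["ACK"]),                           # 6: client acknowledges FIN
    build_segment(CLIENT, SERVER, 1001, 5022, ["FIN", "ACK"]),                    # 7: client closes its side
    build_segment(SERVER, CLIENT, 5022, 1002, ["ACK"]),                           # 8: server acknowledges FIN
]
SESSION = [parse_tcp_header(s) for s in SESSION_BYTES]

if __name__ == "__main__":
    syn = SESSION[0]
    print(f"first segment: {syn.src_port} -> {syn.dst_port} flags={syn.flags} seq={syn.seq} "
          f"ack={syn.ack} header_len={syn.header_len} window={syn.window}")
    print("handshake frames:", find_handshake(SESSION))
    print("teardown frames:", find_teardown(SESSION))
```

The handshake check is deliberately strict about acknowledgement numbers, so a stray SYN (for example, a retransmission) is not mistaken for the session opening; the teardown pairing matches the four-frame sequence the lab describes, where the server's FIN and the client's FIN are acknowledged separately.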

Apply the TCP filter again in Wireshark to examine the termination of the TCP session. Four packets are transmitted for the termination of the TCP session. Because a TCP connection is full-duplex, each direction must terminate independently. Examine the source and destination addresses.

In this example, the FTP server has no more data to send in the stream; it sends a segment with the FIN flag set in frame 63. The PC sends an ACK to acknowledge the receipt of the FIN to terminate the session from the server to the client in frame 64.

In frame 65, the PC sends a FIN to the FTP server to terminate the TCP session. The FTP server responds with an ACK to acknowledge the FIN from the PC in frame 67. Now the TCP session is terminated between the FTP server and PC.

Part 2: Identify UDP Header Fields and Operation Using a Wireshark TFTP Session Capture

In Part 2, you use Wireshark to capture a TFTP session and inspect UDP header fields.

Step 1: Set up this physical topology and prepare for TFTP capture.

a. Establish a console and Ethernet connection between PC-A and Switch S1.

b. If not already done, manually configure the IP address on the PC to 192.168.1.3. It is not required to set the default gateway.

c. Configure the switch. Assign an IP address of 192.168.1.1 to VLAN 1. Verify connectivity with the PC by pinging 192.168.1.3. Troubleshoot as necessary.

Switch> enable
Switch# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# host S1
S1(config)# interface vlan 1
S1(config-if)# ip address 192.168.1.1 255.255.255.0
S1(config-if)# no shut
*Mar  1 00:37:50.166: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Mar  1 00:37:50.175: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)# end
S1# ping 192.168.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1007 ms

Step 2: Prepare the TFTP server on the PC.

a. If it does not already exist, create a folder on the PC desktop called TFTP. The files from the switch will be copied to this location.

b. Start tftpd32 on the PC.

c. Click Browse and change the current directory to C:\Users\user1\Desktop\TFTP by replacing user1 with your username.

The TFTP server should look like this:

Notice that in Current Directory, it lists the user and the Server (PC-A) interface as the IP address of 192.168.1.3.

d. Test the ability to copy a file using TFTP from the switch to the PC. Troubleshoot as necessary.

S1# copy start tftp
Address or name of remote host []? 192.168.1.3
Destination filename [s1-confg]?
!!
1638 bytes copied in 0.026 secs (63000 bytes/sec)

If you see that the file has copied (as in the above output), then you are ready to go on to the next step. If not, then troubleshoot. If you get the %Error opening tftp (Permission denied) error, first check to make sure your firewall is not blocking TFTP, and that you are copying to a location where your username has adequate permission, such as the desktop.

Step 3: Capture a TFTP session in Wireshark

a. Open Wireshark. From the Edit menu, choose Preferences and click the (+) sign to expand Protocols. Scroll down and select UDP. Click the Validate the UDP checksum if possible check box and click Apply. Then click OK.

b. Start a Wireshark capture.

c. Run the copy start tftp command on the switch.

d. Stop the Wireshark capture.

e. Set the filter to tftp. Your output should look similar to the output shown above. This TFTP transfer is used to analyze transport layer UDP operations.

In Wireshark, detailed UDP information is available in the Wireshark packet details pane. Highlight the first UDP datagram from the host computer, and move the mouse pointer to the packet details pane. It may be necessary to adjust the packet details pane and expand the UDP record by clicking the protocol expand box. The expanded UDP datagram should look similar to the diagram below.

The figure below is a UDP datagram diagram. Header information is sparse, compared to the TCP datagram. Similar to TCP, each UDP datagram is identified by the UDP source port and UDP destination port.

Using the Wireshark capture of the first UDP datagram, fill in information about the UDP header. The checksum value is a hexadecimal (base 16) value, denoted by the preceding 0x code:

Source IP Address:
Destination IP Address:
Source Port Number:
Destination Port Number:
UDP Message Length:
UDP Checksum:

How does UDP verify datagram integrity?

Examine the first frame returned from the tftpd server. Fill in the information about the UDP header:

Source IP Address:
Destination IP Address:
Source Port Number:
Destination Port Number:
UDP Message Length:
UDP Checksum:

Notice that the return UDP datagram has a different UDP source port, but this source port is used for the remainder of the TFTP transfer. Because there is no reliable connection, only the original source port used to begin the TFTP session is used to maintain the TFTP transfer.

Also notice that the UDP Checksum is incorrect. This is most likely caused by UDP checksum offload. You can learn more about why this happens by searching for UDP checksum offload.


Reflection

This lab provided the opportunity to analyze TCP and UDP protocol operations from captured FTP and TFTP sessions. How does TCP manage communication differently than UDP?

Challenge

Because neither FTP nor TFTP is a secure protocol, all transferred data is sent in clear text. This includes any user IDs, passwords, or clear-text file contents. Analyzing the upper-layer FTP session will quickly identify the user ID, password, and configuration file passwords. Upper-layer TFTP data examination is a bit more complicated, but the data field can be examined and the configuration user ID and password information extracted.
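The sequence of events that the ftp display filter reveals, and the clear-text exposure the Challenge points out, can both be turned into an automated review of a captured control channel. The Python script below is an added example, not part of the Cisco lab: it parses a constructed FTP control-channel conversation (an anonymous login followed by a Readme download; the server banner text, the password string and the passive-mode address 198,51,100,7 are made up), lists the commands and reply codes in order, extracts the separate data-connection endpoint announced by the 227 reply, and produces an audit finding that credentials crossed the wire unencrypted without copying the password itself into the report.

```python
import re
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str]   # (side, command keyword or reply code, argument or reply text)

# Constructed control-channel conversation; nothing here is from the lab's capture.
FTP_STREAM = """\
220 FTP Server ready.
USER anonymous
331 Please specify the password.
PASS guest@example.invalid
230 Login successful.
PASV
227 Entering Passive Mode (198,51,100,7,195,80).
RETR Readme
150 Opening BINARY mode data connection for Readme.
226 Transfer complete.
QUIT
221 Goodbye.
"""

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")                       # server replies start with a 3-digit code
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")   # h1,h2,h3,h4,p1,p2 in a 227 reply


def parse_control_channel(text: str) -> List[Event]:
    """Split the stream into server replies and client commands (command word upper-cased)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = REPLY_RE.match(line)
        if m:
            events.append(("server", m.group(1), m.group(2)))
        else:
            keyword, _, argument = line.partition(" ")
            events.append(("client", keyword.upper(), argument))
    return events


def session_outline(events: List[Event]) -> List[str]:
    """The sequence of commands and reply codes, in the order the ftp filter shows them."""
    return [keyword for _, keyword, _ in events]


def passive_data_endpoint(events: List[Event]) -> Optional[Tuple[str, int]]:
    """Host and port from the 227 reply: the separate TCP session the file data travels on."""
    for side, code, text in events:
        if side == "server" and code == "227":
            m = PASV_RE.search(text)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
                return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def audit_cleartext_auth(events: List[Event]) -> List[Dict[str, object]]:
    """Report credentials sent unencrypted. The password value is never copied into the
    finding; only the fact that it was observable, and its length, are recorded."""
    findings: List[Dict[str, object]] = []
    user = None
    for side, keyword, argument in events:
        if side != "client":
            continue
        if keyword == "USER":
            user = argument
        elif keyword == "PASS":
            findings.append({"user": user, "password_observed": True,
                             "password_length": len(argument),
                             "recommendation": "replace FTP with SFTP or FTPS"})
    return findings


if __name__ == "__main__":
    ev = parse_control_channel(FTP_STREAM)
    print(" ".join(session_outline(ev)))
    print("data connection:", passive_data_endpoint(ev))
    for finding in audit_cleartext_auth(ev):
        print("finding:", finding)
```

Run against the text of Wireshark's Follow TCP Stream output for port 21, the outline reproduces the 220 / USER / 331 / PASS / 230 ... QUIT / 221 sequence the lab walks through, and the 227 parser shows why each file transfer appears as its own TCP session in the capture.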

Cleanup

Unless directed otherwise by your instructor:

1) Remove the files that were copied to your PC.
2) Erase the configurations on switch S1.
3) Remove the manual IP address from the PC and restore Internet connectivity.
