Lab 4: Data Link Layer

Version 1.01

Objective

In this lab, you will continue to use Wireshark and the network testbed, but now you will explore the data link layer. In particular, you will be looking at Ethernet frames and the Address Resolution Protocol. Once again, you will use the hardware network testbed, which will create the traffic that you will observe.

Procedures

1. Verify that power switch 9 (on the power rail behind the rack) is turned on. If not, turn it on and wait about 5 minutes before proceeding with the next step.

2. Verify that the Netgear switches inside the rack display the numbers 1, 2, 3 and 4. Note that we have two new switches for you to observe this time.

3. Turn on (restart if it is already on) the PC by powering on switch 8.

4. Make sure the keyboard is on (the switch is located on the right side of the keyboard).

5. Leave power switch 3 on; you don't need to restart it. Also, please don't create BGP blackholes or change any router configurations. Remember, "with great power comes great responsibility."

6. If power switch 1 or 4 is ON, turn both OFF and wait for 5 seconds to dissipate static and capacitance charges. Turn on switch 1. Don't turn on switch 4 yet.

7. (Optional) Connect the blue Ethernet cable to your laptop and start Wireshark.

8. When you are done with the lab, shut down the computer and turn off all the power switches EXCEPT 9!

Questions

By now you should understand all of the theory about how the testbed works. Therefore, let's proceed with the questions. Take screenshots and annotate them in your report in order to substantiate your answers.

Start your Wireshark capture. Turn on switch 4. Answer the following questions:

9. (5 points) How many hosts configure their IP addresses using DHCP? Make a list of Ethernet addresses and the IP address assigned to each. What are the IP address(es) of the DHCP server(s)?

10. (10 points) Draw the sequence diagram showing the messages exchanged between any one of the hosts and the DHCP server. Indicate the source and destination MAC addresses, IPs and ports, along with any important application-layer fields used for each of the messages. Point out if any of the messages are broadcast.

Start a new Wireshark capture (save your PCAP!). Log into the PC and send a ping from the PC to one of the newly configured devices. Answer the following questions:

11. (5 points) What are the source and destination MAC addresses of the first ping sent out of the NUC?

12. (10 points) Was an ARP request made before sending this packet? (Spoiler: yes.) What are the fields in the ARP request that enable the destination host to identify the request and send a reply?

13. (5 points) Who is the manufacturer of the Ethernet adapter for both the source and destination Ethernet adapters? Use (and annotate a screenshot of) the document at http://standards-oui.ieee.org/oui.txt to determine this; don't just rely on Wireshark.

Start a new Wireshark capture (save your PCAP!). Send a ping from the PC to 2.0.0.1. Answer the following questions:

14. (10 points) Trace all the frames for this ping to be delivered to the destination. Specifically, identify the MAC address changes that apply at each hop. The network diagram from Lab 3 will be really useful.

15. (10 points) Take a look at the first frame sent from the PC which contains the ping. What is the IP address in the encapsulated packet? Is the MAC address of the frame on the same interface as the IP address? If not, describe how the sending computer knew what this MAC address should be.

16. (10 points) You have seen how ARP is used to determine the destination MAC address for an outgoing packet. Generalize a rule for the destination MAC address of the frame when the destination IP address is in the same subnet as well as when it is not in the same subnet.

Start a new Wireshark capture (save your PCAP!). The arp command:

arp -s InetAddr EtherAddr

allows you to manually add an entry to the ARP cache that resolves the IP address InetAddr to the physical address EtherAddr. What would happen if, when you manually added an entry, you entered the correct IP address, but the wrong Ethernet address for that remote interface?

17. (10 points) Try it and report on your findings. Use any of the DHCP-configured hosts from the previous question.
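As an added illustration of the rule asked for in question 16 and of the ARP fields a receiving host checks in question 12 (example code written for this page, not part of the lab handout), the following Python builds and decodes a raw Ethernet/ARP request and picks the outgoing frame's destination MAC from an ARP cache, including a hand-edited entry of the kind arp -s creates. All MAC and IP addresses below are constructed; only 2.0.0.1 comes from the lab.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def next_hop_ip(src_ip, prefix_len, gateway_ip, dst_ip):
    """Q16 rule: resolve the destination itself when it is in the local subnet,
    otherwise resolve the default gateway. The frame's destination MAC is the
    MAC of whichever address this returns, never the remote host's own MAC."""
    net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway_ip

def frame_dst_mac(src_ip, prefix_len, gateway_ip, dst_ip, arp_cache):
    """Destination MAC the sender writes into the frame. The cache is trusted
    as-is, which is why a wrong `arp -s` entry (Q17) silently sends frames to
    the wrong adapter; None means the host must broadcast an ARP request first."""
    return arp_cache.get(next_hop_ip(src_ip, prefix_len, gateway_ip, dst_ip))

def build_arp_request(src_mac, src_ip, target_ip):
    """Ethernet II header + 28-byte ARP request, broadcast to ff:ff:ff:ff:ff:ff."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)        # hw type, proto type, lens, opcode
    arp += mac_bytes(src_mac) + ipaddress.ip_address(src_ip).packed   # sender MAC / sender IP
    arp += bytes(6) + ipaddress.ip_address(target_ip).packed           # target MAC (unknown) / target IP
    return eth + arp

def parse_arp(frame):
    """Decode the fields a receiving host looks at (Q12): it answers only if the
    opcode is a request and the target IP is its own; the sender MAC/IP tell it
    where to unicast the reply."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {"opcode": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": str(ipaddress.ip_address(frame[28:32])),
            "target_mac": mac_str(frame[32:38]), "target_ip": str(ipaddress.ip_address(frame[38:42]))}

def should_reply(arp, my_ip):
    """The receiver's test: an ARP request whose target IP is mine."""
    return arp is not None and arp["opcode"] == ARP_REQUEST and arp["target_ip"] == my_ip
```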

Obligatory Security-Related Section

18. (10 points) Our attacker from Lab 1 is back and is not happy that he couldn't spoof the DNS reply for cool.com.

• Turn on Lab 1 using the power switch and give it a few seconds.
• Visit cool.com to be sure it works (use the Lab 1 browser or Incognito mode; we don't want the DNS reply to get cached).
• Make sure your Wireshark capture is on for the next step.
• Run the Python script (using PowerShell) located at C:\Users\Public\Documents\Lab4\start_super_spoofer.py
• Visit cool.com again.

Unlike Lab 1, why do you think the attacker did not have to deal with a race condition, i.e. why did the real DNS server never reply? You do not need to mention anything about the DNS spoof; we know you're an expert on that already.

Analysis

19. (15 points) For this section, you don't need to use the testbed. Download the Lab4_Final.pcap file from the course website. This file is a Wireshark capture file with some interesting data in it. Open it in Wireshark and take a look. There are only 8 packets here, so it shouldn't take too long to examine them and figure out what is going on. For each of the packets, write a short description of what the purpose of the packet is. Back your assertion up with data from the packet. List anything else interesting in the packet. I'm not looking for a straight recital of what the packet contents are; I'm looking for the deeper meaning behind the packet. So, don't say "This is a UDP packet sent to port 67." Instead say "This is the DHCP OFFER message from the server. You can see the XID field is the same as the DHCP DISCOVER message..."
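As an added example of the kind of reasoning question 19 asks for (written for this page, not part of the lab or its pcap), the following Python decodes the fixed BOOTP header and the DHCP option list of a UDP payload, then pairs each server reply with the client request carrying the same XID. The packets it runs on are constructed in code, not taken from Lab4_Final.pcap.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
BOOTREQUEST, BOOTREPLY = 1, 2

def build_dhcp(op, xid, client_mac, msg_type, yiaddr=b"\0\0\0\0"):
    """Constructed BOOTP/DHCP payload (UDP body only): 236-byte fixed header,
    magic cookie, then option 53 (message type) and the end option."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,           # op, htype, hlen, hops, xid, secs, flags (broadcast bit)
                        bytes(4), yiaddr, bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
                        client_mac + bytes(10), bytes(64), bytes(128))
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return the header fields Q19 cares about plus the decoded message type."""
    op, _, hlen, _, xid, _, flags, _, yiaddr, _, _, chaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", payload[:44])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "yiaddr": ".".join(map(str, yiaddr)), "chaddr": chaddr[:hlen].hex(":"),
            "type": MSG_TYPES.get(options[53][0], "?") if 53 in options else "?"}

def describe(packets):
    """One line per packet: name the DHCP message and tie each server reply to
    the client request it answers via the shared XID and client MAC."""
    seen, out = {}, []
    for p in map(parse_dhcp, packets):
        key = (p["xid"], p["chaddr"])
        if p["op"] == BOOTREQUEST:
            seen[key] = p["type"]
            out.append(f"{p['type']} xid=0x{p['xid']:08x} from {p['chaddr']}"
                       + (" (broadcast flag set)" if p["broadcast"] else ""))
        else:
            out.append(f"{p['type']} xid=0x{p['xid']:08x} answers {seen.get(key, 'no request seen')} "
                       f"for {p['chaddr']}, offers {p['yiaddr']}")
    return out
```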

Course Evaluations

I value your honest and critical evaluation of the course. While I'd love for your experience in the course to have been absolutely perfect in every way, I know realistically that didn't happen. Please help me improve the course and the experience for future students by filling out a course evaluation. While the numbers in the course evaluation are helpful, the really good information that will help me improve the most is to be found in comments. If there is any question on the course evaluation that you have not given me perfect marks for, please leave me a comment explaining what I could do to improve and earn perfect marks. If you attach the printout from the end of the evaluation to this lab, proving that you filled out a course evaluation for this course (but without your answers, obviously), then you will receive extra credit worth 25% of a lab grade. I'm looking for the page that shows this image. If you also attach the following signed statement, you will receive an additional 25% extra credit. Obviously, your signature indicates that the statement is true. Don't sign if you didn't provide a useful evaluation according to the definition above.

I have provided a useful course evaluation. For each question on the course evaluation, I either gave perfect marks or left a helpful comment explaining what could be done to improve the course to that point.

signed name and date

Turn-in

Write a report of your interactions, answering the questions. Make sure to include enough details to ensure we understand that you understand what is going on. For instance, screenshots should probably be annotated to show where a number came from; don't assume that because you know how to read a Wireshark screen that we know that you know it. Our graders will not make that assumption. So, prove it to us by describing/annotating every value you find. Turn in your answers in a single PDF file and submit it to the Lab4 "Assignment" on Gradescope. Mark the pages according to the question. Students who fail to mark a question correctly will lose all the points for that question.
