Assignment

Introduction

In this assignment you will use several network tools to look at the protocols and data exchanged between network components. We will be only scratching the surface of the usefulness of these tools but the intent is for you to recognize the tools and understand how they can be useful for troubleshooting as well as simply understanding what is going on in your networks. You will consider the inherent danger of having such tools available indiscriminately and analyze how the information they make available could have information security implications in an enterprise or even for you as an individual.

For this assignment you will need to acquire a network sniffer (also called a packet sniffer). We describe the use of Wireshark which is freely available for MS Windows and provides a GUI. You may use another sniffer if you prefer.

Activities and Deliverables

You are required to perform Task A, B, and C. Submit a short paper which describes your experiences with the tasks performed and includes the answers to questions posed for the individual tasks. Each task is described below.

Task A: Using a Sniffer

Obtain a packet sniffer and install it on your home system. The instructions below have been written presuming that Wireshark has been your choice. Wireshark has a Windows-friendly interface and supports immediate translation of a large, but not exhaustive, set of protocols and interfaces. It is available for free download athttp://www.wireshark.org/. Before installing Wireshark, be sure you read and understand the licensing restrictions. Do not install the program on a computer that does not belong to you without express permission. Sniffers are considered "information assurance" vulnerabilities by most organizations. The tasks posed in this assignment are not questionable uses of the product but some security personnel will consider unapproved installation of a sniffer self-evident of improper activities.

Capture packets in your sniffer. If you need to choose an interface, choose the one through which you receive your Internet connection. Stop after a few packets are received (you may not be able to stop before more than 100, depending on how you are connected to the Internet). If using a command-line sniffer such as tcpdump you will need to specify the number of packets to stop after, and five or ten is sufficient. If using Wireshark, you will likely have to start the sniffer ("Capture" + "Interfaces" + start button for your selected interface) and then stop it ("Capture" + "Stop" or control-E) almost immediately if you are on a shared interface; ten packets collected is sufficient. In most cases, you will see a variety of packets including ARP and UDP. You may also see TCP and other types of packets if you are on a shared interface.

Save two or three UDP packets into a file. This can be done using copy-and-paste if necessary. Wireshark provides the ability to do this from its "File" + "SaveAs" drop-down menu options. You may have to filter or otherwise select the packets you save depending on the tool you chose.

Clear the capture buffer ("File" + "Close" + "Continue without saving" in Wireshark) or restart the sniffer and this time capture only TCP packets.

While the capture is running, point your browser to http://www.umuc.edu/and start it. Then, relatively quickly, stop the capture in thesniffer. You should see several TCP packets captured and should now save two or three of the lengthier ones into a file. You now have your real live packet data to analyze.

Include the saved packets in your submission, preferably as a text file embedded in your submission at the end. Alternatively the packets could be attached as a ".TXT" file or a Wireshark/tcpdump capture file (".CAP").

Provide a paragraph or two describing the ethical use of a packet sniffer. What are its legitimate uses? What should it not be used for? Explain your reasoning.

Task B: Address Resolution (ARP and Ping)

Note: You may be unable to do these actions from work but should be able to do them from home and on Polaris or Nova. Some network administrators block ping at the border routers. Others disable commands because of information assurance concerns.

Collect the current contents of the ARP table and save it in a file. The command "arp -a" will accomplish this on both Windows and Unix systems.

Start up your sniffer and engage the capture. You want to capture ARP packets.

Use the "ping" command to resolve a known address that is available on the networks but is not likely to have already been inserted in the ARP table. On your home system this should be easy because the table will be short and you'll know what sites you've visited recently. On Polaris or Nova it may take a little more work and investigation and a Web page like Google probably will already be in the table.

Stop your sniffer.

Capture the current contents of the ARP table again into a different file.

Locate two "ARP" packets in what your sniffer captured. If there are more, try to locate at least one that corresponds to what was "ping"ed. Put these into a separate file or paste them into your paper and include them with your submission.

Include a paragraph or two in your final submission on the advisability of having the ARP tool available without restrictions on all workstations of an enterprise's network. Explain your reasoning.

TASK C - Simple Encryption

The ciphertext below (which is related to this course) is an example of encryption using a monoalphabetic substitution cipher.

W K H F R X U V H W L W O H L V F P L V 7 6 8 F R P S X W H U Q H W Z R U N L Q J

What is the plaintext for this?

What key was used?