CIT 361 RSS feeds and podcasts by Ed Nickel are licensed
under a Creative Commons Attribution 3.0 United States License
based on a work at http://cot.gbcnv.edu/~ed/class/syllabi.html.

CIT 361: Week 11
Monitoring Network Data Traffic

To automatically receive new feeds and podcasts you can copy this link: http://cot.gbcnv.edu/~ed/class/cit361/cit361.xml to your RSS reader. If you prefer getting the new feeds manually you can read these files directly as you are reading this one.

There is no podcast for this week but there is a video linked below in this lesson file. In addition, we are not strictly speaking getting the lesson from the book. Instead we will be learning network data traffic monitoring using a hands-on approach. Several times in previous lessons I have suggested you try some of the labs using Wireshark but this time you will do so as part of the lesson. You can obtain this very useful program at no cost from the Wireshark download page and learn to use some of its many features using the documentation and on-line tutorials found on Wireshark's documentation page.

Other than the specific labs assigned below the major portion of this lesson consists of the Introduction to Wireshark video. I originally had planned to create a video tutorial on using this software myself, but when I saw the new video created by Gerald Combs, Wireshark's main developer, I decided to link it instead. There are four videos about this powerful network analysis tool linked on the main documentation page but the 6 minute introductory video covers everything we need for this lesson.

There are only two things not mentioned in the video that you need to know. The first is how to install the program; as advanced students in computer technology you are probably well aware of this by now, so I will not go into the details, but please feel free to post questions in this week's discussion if anything goes wrong as you install the software. The second is how to generate some data traffic so you have something to capture and analyze. If you follow the steps below you should be able to capture sufficient traffic for our purposes.

  1. Start Wireshark and select the network interface from which you wish to capture data
  2. Start capturing data; see the video linked above for details concerning steps 1, 2, and 5.
  3. Open your web browser and browse to a website you have not visited recently. If you cannot think of a new web page to view, click on Wikipedia, type Wireshark in the search box and tap the Enter key, or enter some other topic you have not researched recently.
  4. Click on an "external" link to some other website from the first page you view; external links are found in a section so labeled near the bottom of most Wikipedia articles.
  5. After following a few links and browsing the Web a bit, stop Wireshark's capture and save the captured data in a file on your computer.
  6. Now you are ready to do some of the traffic analysis operations described in the video and in the exercises listed below.

Review your captured data just as you saw in the video. Look at the DNS traffic, of which there should be several sections, since I asked you to browse to websites you have not visited recently and click on external links you found there. As you should remember from early lessons this semester, the reason I asked you to visit websites you have not recently viewed is to ensure there would be new data to capture. Since DNS data can be held in the ARP table in your computer's memory, if you had re-visited a website you just saw you probably would not get any new DNS traffic. In addition, a recently visited site could still have its web pages and images in your browser's cache, so no new data traffic would be generated via the network interface card.

If you run an ipconfig (ifconfig in Linux) command in your computer's "command prompt" or "terminal" window, you can find out what IP address your computer is using. You should notice that all data packets captured by Wireshark have your computer's IP address as either the source or destination IP. There are two reasons for this: first, I did not ask you to set your NIC to "promiscuous mode", and second, even if you had set the NIC to promiscuous mode there is a very good chance you would not have seen any traffic other than your own, because you are probably connected via either a switch or a router, which would only send your traffic to you without special instructions.

For your assignment, you should analyze your captured data and take note of the DNS lookups required to view the web pages. Pick one page to review more thoroughly and note how many packets were required to download that page into your browser. Note any "bad packets" that you received and how many there were, probably zero. Review the exercises at the end of the chapters on ICMP and DNS (chapters 4 & 7), then try to complete some of those labs. How would the captured traffic differ if others on a small network shared your computer's Internet connection? Write up your notes on the activities asked for in this paragraph and answer the previous question using a word processor, then attach both your notes and your captured data to the assignment in this week's "Assignment Drop Box" and submit it for my review.
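To show what the counts above (DNS lookups, packets involving your own IP, and any packets Wireshark could not decode) look like when produced programmatically rather than by scrolling the Wireshark window, here is an added example that is not part of this lesson or of Wireshark. It decodes raw Ethernet/IPv4/UDP/DNS frames the way Wireshark's dissectors do; the frames, the host address 192.168.1.10 and the resolver 192.168.1.1 are all constructed in the script rather than taken from a real capture.

```python
import socket
import struct
from collections import Counter

LOCAL_IP = "192.168.1.10"  # assumed address of the capturing host (constructed value)
def dns_query(name):  # minimal DNS query: 12-byte header plus one A-record question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
def build_frame(src, dst, proto, payload):  # constructed Ethernet/IPv4 frame (checksums left zero)
    if proto == 17:  # UDP to port 53, as a query to the resolver would be
        payload = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload
def read_qname(data):  # decode the label-encoded name at the start of a DNS question
    labels, i = [], 0
    while i < len(data) and data[i]:
        labels.append(data[i + 1:i + 1 + data[i]].decode())
        i += 1 + data[i]
    return ".".join(labels)
def parse_frame(raw):
    """Return (src_ip, dst_ip, proto, queried_name_or_None); None if not IPv4 or too short."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":
        return None
    ihl = (raw[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(raw[26:30]), socket.inet_ntoa(raw[30:34])
    udp = raw[14 + ihl:] if raw[23] == 17 else b""  # UDP header+payload only when proto is UDP
    is_dns = len(udp) > 20 and udp[2:4] == b"\x00\x35"  # dst port 53 and room for a DNS header
    qname = read_qname(udp[20:]) if is_dns else None  # skip UDP (8) + DNS (12) headers
    return src, dst, raw[23], qname
def summarize(frames, local_ip):  # the counts the assignment asks you to note
    parsed = [parse_frame(raw) for raw in frames]
    good = [p for p in parsed if p is not None]
    return {
        "total": len(frames),
        "unparsed": len(frames) - len(good),  # truncated or non-IPv4 frames to inspect by hand
        "local": sum(local_ip in (src, dst) for src, dst, _, _ in good),
        "dns": Counter(q for _, _, _, q in good if q),
    }

# Constructed sample capture: lookups for a page and its external link, one repeat lookup,
# one TCP segment coming back to the host, and one truncated frame standing in for a bad packet.
SAMPLE_FRAMES = [
    build_frame(LOCAL_IP, "192.168.1.1", 17, dns_query("en.wikipedia.org")),
    build_frame(LOCAL_IP, "192.168.1.1", 17, dns_query("www.wireshark.org")),
    build_frame(LOCAL_IP, "192.168.1.1", 17, dns_query("en.wikipedia.org")),
    build_frame("203.0.113.5", LOCAL_IP, 6, b"HTTP/1.1 200 OK\r\n"),
    b"\x00" * 20,
]
```

Running summarize(SAMPLE_FRAMES, LOCAL_IP) reports five frames, four involving the host, one unparsed, and two distinct names queried (one of them twice), which is the same picture Wireshark's Statistics and DNS filter views give you for a real capture.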

As always, post your comments, ideas, and questions in the current discussion. If you are having any problems completing the assignment you can also post those problems and questions in the discussion for me or your classmates to help you resolve.