Lab 3: Address Resolution

This lab examines the nature of address resolution and also introduces the NetXRay protocol analyser. NetSim is used to ensure familiarity with the essential concepts of ARP, and NetXRay is used to examine ARP in action.

The NetSim exercise simulates the behaviour of a Local Area Network in software. In contrast the NetXRay exercise captures traffic from the network and presents it in a format that allows us to analyse the actual frames of traffic on the network.

NetSim exercise

In this week's NetSim lab you will use names instead of MAC addresses to send and receive messages. Because you are using names to identify other computers these names now need to be unique - at least within a lab session.

1. (((LaunchNetSimLesson2)))
2. Bring up a computer and name it - install one network card. Notice that the NetSim window title now says "Lesson 2" - new features will be available.
3. Connect this network card to the network for your half of the room - "left" and "right" as last week. If you find later on that there is too much traffic on the network you are on then get together with a smaller group of students to set up a separate network - simply using a different name will create a new network.
4. Before trying to communicate with anyone else look at the ARP cache on your machine using Edit Tables/Dump Address Translation Table. Notice that at this stage the ARP cache is empty.
5. Today you will be using Action/Computer to communicate with other nodes. This means that the destination node name must be put in the Destination Node box in the computer section of the screen.
6. Put the name of another network card (if the computer is called "john" then its network card is named "john1") into the destination node box and then use the Action/Computer/Resolve to send an ARP request to the named station. Look at the packets in the display window and identify the MAC address of the remote node.
7. Dump the ARP cache again and notice the new entry.
8. QUESTION: How long does an entry persist in the ARP cache in this simulation?
9. You can use the Ping and Chat buttons in the Action/Computer menu to have specific exchanges with other computers. Notice that there may or may not be an ARP involved - at either end.
10. See how many entries you can acquire in your ARP cache.
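As an added illustration of steps 4 to 9 (this is example code, not part of the lab or of NetSim), the model below gives two hosts an ARP cache with an ageing timeout and shows when a ping causes an ARP exchange at either end. The host names, addresses and the 120-second timeout are constructed for the example; the real timeout is what the lab asks you to measure.

```python
# Added example: a minimal model of ARP caches on a LAN. Hosts, addresses and
# CACHE_TIMEOUT are constructed values, not taken from NetSim or any real OS.
from dataclasses import dataclass, field

CACHE_TIMEOUT = 120  # seconds; assumed for the example, not a measured value
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    cache: dict = field(default_factory=dict)  # ip -> (mac, time learned)

    def lookup(self, ip, now):
        """Return the cached MAC for ip, or None if absent or aged out."""
        entry = self.cache.get(ip)
        if entry is None:
            return None
        mac, learned = entry
        if now - learned >= CACHE_TIMEOUT:
            del self.cache[ip]  # the entry has expired (step 8's question)
            return None
        return mac

    def learn(self, ip, mac, now):
        self.cache[ip] = (mac, now)


class Lan:
    def __init__(self, hosts):
        self.hosts = {h.ip: h for h in hosts}
        self.frames = []  # (src_mac, dst_mac, description), in order sent

    def resolve(self, src, dst_ip, now):
        """Return (dst MAC, whether an ARP exchange was needed)."""
        mac = src.lookup(dst_ip, now)
        if mac is not None:
            return mac, False
        # ARP request goes to the broadcast MAC and carries the sender's own mapping.
        self.frames.append((src.mac, BROADCAST, f"ARP who-has {dst_ip} tell {src.ip}"))
        target = self.hosts[dst_ip]
        # The target learns the sender's mapping from the request itself (RFC 826),
        # so the target will not need its own ARP exchange to reply.
        target.learn(src.ip, src.mac, now)
        # ARP reply is unicast straight back to the requester.
        self.frames.append((target.mac, src.mac, f"ARP {dst_ip} is-at {target.mac}"))
        src.learn(dst_ip, target.mac, now)
        return target.mac, True

    def ping(self, src, dst_ip, now):
        """Echo request and reply; returns (ARP needed by src, ARP needed by target)."""
        dst_mac, arp_out = self.resolve(src, dst_ip, now)
        self.frames.append((src.mac, dst_mac, f"ICMP echo request {src.ip} -> {dst_ip}"))
        target = self.hosts[dst_ip]
        src_mac, arp_back = self.resolve(target, src.ip, now)
        self.frames.append((target.mac, src_mac, f"ICMP echo reply {dst_ip} -> {src.ip}"))
        return arp_out, arp_back


def demo():
    """Three pings on a constructed two-host LAN; returns the ARP flags and the frames."""
    john = Host("john", "10.0.0.1", "00:00:0a:00:00:01")
    mary = Host("mary", "10.0.0.2", "00:00:0a:00:00:02")
    lan = Lan([john, mary])
    first = lan.ping(john, "10.0.0.2", now=0)     # john needs ARP; mary learned john from the request
    second = lan.ping(mary, "10.0.0.1", now=10)   # both caches warm: no ARP at either end
    third = lan.ping(john, "10.0.0.2", now=200)   # john's entry aged out; mary's is refreshed by the request
    return (first, second, third), lan.frames


if __name__ == "__main__":
    results, frames = demo()
    print(results)
    for src, dst, what in frames:
        print(f"{src} -> {dst}: {what}")
```

Running it prints the frame sequence: the first ping shows a broadcast request and a unicast reply before the echo traffic, the second shows no ARP at all, and the third shows ARP again only for the host whose entry has aged out. Dumping `cache` after each ping corresponds to step 7's ARP table dump.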

Live ping exercise (ie. not simulated ping as used in NetSim)

1. (((Lab3Setup)))
2. Bring up a DOS box on your machine.
3. Have a look at your ARP cache with arp -a.
4. Use ping <ip address> to contact the IP number of (((AnotherIPAddress)))
5. Re-examine your ARP cache. On the whiteboard fill in the hardware address of the machine you pinged (or should that be "pung").
6. Answer this QUESTION: What changes occurred due to your use of ping? Why?
7. How long does an entry persist in the real ARP cache?

NetXRay exercise

NetXRay is a protocol analyser. The function of a protocol analyser is to capture and display network traffic in a readable format. NetXRay also allows the user to specify particular types of traffic to be captured (e.g. include all broadcast traffic from other machines). Using NetXRay filtering allows detailed analysis of particular network traffic.
You are now going to use NetXRay to watch ARP in action. Essentially, this involves repeating the previous exercise while filtering for ARP queries and replies. Choose an IP address to ping that is not already in your ARP cache (why?). Alternatively you can use arp -d <internet address> to clear a specific entry from your cache.

Open NetXRay. Select the second adapter (NIC) for monitoring - there really is only one NIC in your computer but NetXRay is a little confused at this stage.
Notice the splash screen that explains the restrictions in this demo version. The main limitation that affects what you need to do is the "Capture packets" restriction. With a maximum display of 5 packets you are going to need to learn how to build filters in order to view particular packets.
The screen below shows the initial view of NetXRay and illustrates the main windows:

Dashboard - Shows an overall view of the traffic volumes that your node is "seeing". Computers in our labs are plugged into hubs that restrict the packets on each blue computer cable. The only packets that are allowed down the cable are those that your computer is meant to be seeing - where the destination MAC address is either "broadcast" or the MAC address of your NIC. This means that you cannot "snoop" other computers' packets.
The three dials on the dashboard show a count of packets received, a percentage load on the network and a count of errors (damaged packets) received.
Host Table - Lists more details about the traffic that NetXRay is seeing. You can see the source MAC address of 5 stations (a demo version restriction) in this table.
Capture - Controls the packet capturing abilities of NetXRay. Works like a little tape recorder. The "play" button starts a capture and the stop button ends it. As soon as there are packets in the "buffer" the second "End and View" button becomes active.
Perform a trial capture and view the buffer - this will bring up a new window.
Capture Buffer Window - This is where you will be spending most of your time so the illustration below shows this window in more detail:

The contents of a capture buffer can be saved as a *.cap file - change the directory for the save to your own home directory and give the file a name that will help you to identify it.
Examine the packet list of this preliminary capture and look at the Destination MAC Address column. Almost all of the packets are Broadcasts. Try looking at the decode of one of the packets and locate the broadcast MAC address at the top of the packet. Click on this address and notice the highlight that appears in the lower, raw data window. Is this data in the position in the frame that you would expect?
The next step is to create a capture filter in order that the 5 packets displayed will be the ones that you need to study. In the Capture window, click on the wand; this brings up the Filter Settings window which is shown below.

There are three types of filter that can be defined. To picture what these filters are about imagine that you are standing in the middle of a busy airport and eavesdropping on the conversations around you.
Address - Packets to or from (or not to or from) certain addresses will be captured. In the airport this means you will only listen to what certain people are saying to each other.
Advanced - Packets containing only a specified protocol will be captured. In the airport this means you will only listen to conversations in a particular language.
Data Pattern - Only packets containing, or not containing, certain data will be captured. In the airport this means that you will only listen to conversations containing a certain word.
From the Advanced Filter card, choose IP ARP. This selects the sort of packets you wish to include in your filter. Click OK.
If you are using a shared copy of NetXRay (that is stored on a server) you may see an error at this point because the file storing your filter settings is shared by everyone and has been made Read-Only.
Select Capture/Start from the menu or press the play button. Notice that now far fewer packets are being captured - this is the effect of the filter.
In a DOS window, ping your selected target machine.
From NetXRay select Capture/EndAndView. Have a play with what you see… It is possible that all you will see is 5 broadcasts (because other students are doing the exercise at the same time as you). If this is the case you need to repeat your ping and capture with the following in mind:
You must ping an address that is not in your ARP cache otherwise there will be no need for an ARP exchange.
Synchronise your ping and your capture - in the DOS window type the ping command but do not hit enter - start the capture - immediately hit enter in the DOS window.
QUESTION: Something is wrong with the information decoding of the Destination Hardware Address between the raw data in the lower window and the information presented in the middle window. Can you figure out what NetXRay is doing wrong? Hint: look at the consistency of data field sizes.
Use the captured packets to discover the hardware address of the machine you pinged and confirm that what you have captured makes sense in terms of how you have understood ARP.
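To check a decode against the raw bytes by hand, as the earlier question about the position of the broadcast address in the frame and the question about field sizes both ask, the following added example (not part of the lab and not NetXRay's own decoder) builds a constructed ARP request and reply, parses them from the Ethernet header down using the hardware and protocol address lengths carried in the ARP header, and reports the byte offset of every field so it can be compared with a raw data window. The MAC and IP addresses are made up for the example.

```python
# Added example: parse Ethernet + ARP frames and report field offsets.
# The two sample frames are constructed here; they are not a real capture.
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def field_offsets(hlen, plen):
    """Byte offset of each field within the frame, for a given hlen/plen (6/4 for Ethernet/IPv4)."""
    off = {"eth_dst": 0, "eth_src": 6, "ethertype": 12,
           "htype": 14, "ptype": 16, "hlen": 18, "plen": 19, "oper": 20}
    off["sha"] = 22                    # sender hardware address, hlen bytes
    off["spa"] = off["sha"] + hlen     # sender protocol address, plen bytes
    off["tha"] = off["spa"] + plen     # target hardware address, hlen bytes
    off["tpa"] = off["tha"] + hlen     # target protocol address, plen bytes
    off["end"] = off["tpa"] + plen
    return off


def parse_arp_frame(frame):
    """Decode an Ethernet frame carrying ARP; sizes of the address fields come from hlen/plen."""
    if len(frame) < 22:
        raise ValueError("frame too short for Ethernet + fixed ARP header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    off = field_offsets(hlen, plen)
    if len(frame) < off["end"]:
        raise ValueError(f"ARP body truncated: need {off['end']} bytes, have {len(frame)}")
    # Each address is cut at the length the header declares; a decoder that
    # assumed a fixed size for every address would read the wrong bytes.
    sha = frame[off["sha"]:off["sha"] + hlen]
    spa = frame[off["spa"]:off["spa"] + plen]
    tha = frame[off["tha"]:off["tha"] + hlen]
    tpa = frame[off["tpa"]:off["tpa"] + plen]
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "eth_is_broadcast": dst == BROADCAST_MAC,
        "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen,
        "oper": {1: "request", 2: "reply"}.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct a 42-byte Ethernet/ARP frame (before any minimum-length padding)."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return eth + arp


def sample_capture():
    """Constructed exchange: 10.0.0.1 resolves 10.0.0.2 (addresses made up for the example)."""
    mac1, ip1 = bytes.fromhex("00000a000001"), bytes([10, 0, 0, 1])
    mac2, ip2 = bytes.fromhex("00000a000002"), bytes([10, 0, 0, 2])
    request = build_arp(BROADCAST_MAC, mac1, 1, mac1, ip1, b"\x00" * 6, ip2)
    reply = build_arp(mac1, mac2, 2, mac2, ip2, mac1, ip1)
    return request, reply


def resolve_from_capture(frames, target_ip):
    """Hardware address of target_ip, taken from the ARP reply it sent (the final lab step)."""
    for frame in frames:
        d = parse_arp_frame(frame)
        if d["oper"] == "reply" and d["sender_ip"] == target_ip:
            return d["sender_mac"]
    return None


if __name__ == "__main__":
    req, rep = sample_capture()
    for name, frame in (("request", req), ("reply", rep)):
        print(name, parse_arp_frame(frame))
    print("offsets:", field_offsets(6, 4))
    print("pinged host is at", resolve_from_capture([req, rep], "10.0.0.2"))
```

The offsets table is the part to hold next to NetXRay's raw data window: the destination MAC sits at bytes 0 to 5 of the frame, the sender hardware address starts at byte 22, and the target hardware address starts at byte 32 only because the sender protocol address before it is 4 bytes long; any decode whose field lengths do not add up to those positions is reading the wrong bytes.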