Guided Exercise: Inspecting Network Traffic

Install Wireshark and use it to capture, filter, and inspect network packets. You also use tcpdump to perform similar functions in a textual environment.

Outcomes

You should be able to capture, filter, and inspect network packets with Wireshark and tcpdump.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start network-traffic

Instructions

  1. As the student user on the workstation system, switch to the root user.

    [student@workstation ~]$ sudo -i
    [sudo] password for student: student
    [root@workstation ~]#

    Install the Wireshark package.

    [root@workstation ~]# yum install wireshark
    ...output omitted...
    Is this ok [y/N]: y
    ...output omitted...
    Complete!
  2. Open Wireshark and configure it to capture packets on all network interfaces.

    1. As the root user, open Wireshark to run as a background process.

      [root@workstation ~]# wireshark &
    2. On the Welcome to Wireshark page, in the upper right of the Capture section, select All interfaces shown from the list.

    3. In the center of the Capture section, click any from the interfaces list.

    4. From the Capture menu, click Start, or type Ctrl+E to start the packet capture.

  3. As the root user on the workstation machine, open a terminal window and generate network traffic.

    1. Use the ping command to send ICMP requests to servera.

      [root@workstation ~]# ping -c 5 servera.lab.example.com
    2. Use the chronyd command in one-shot query mode (-Q) to generate NTP traffic to the classroom server.

      [root@workstation ~]# chronyd -Q 'server classroom.example.com iburst'
    3. Open Firefox and browse http://materials.example.com to generate HTTP network traffic.

    4. From the Capture menu, click Stop, or type Ctrl+E, to stop the packet capture.

  4. Perform simple filter and inspection routines on the captured network traffic.

    1. Filter the packets for ICMP traffic. In the Apply a display filter field, type icmp. Press Enter. From the middle pane, click any of the right-pointing arrows to inspect the different packet header and data values.

    2. Filter the packets for NTP traffic. In the Apply a display filter field, type ntp. Press Enter.

    3. Filter the packets for HTTP traffic. In the Apply a display filter field, type http. Press Enter. From the top pane, right-click any of the HTTP packets, and then select Follow > TCP Stream to display the stream content in a more readable format. Messages from the HTTP client are displayed in red. Responses from the HTTP server are displayed in blue.

  5. Save the captured packet data for later analysis.

    1. From the File menu, click Save, or type Ctrl+S to open the Save Capture File As window. From the Look in list, select the root user's home directory. In the File name field, type practice. Leave Wireshark/… - pcapng as the selected type in the Save As field. Click Save.

      Confirm that the practice.pcapng data file exists.

      [root@workstation ~]# ls practice*
      practice.pcapng
      [root@workstation ~]# file practice*
      practice.pcapng: pcap-ng capture file - version 1.0
    2. Close Wireshark. From the File menu, click Quit.

  6. As the student user on the workstation machine, open another terminal window. Open the preconfigured rh342-practice.tcpdump capture file in Wireshark.

    1. As the student user on the workstation machine, open Wireshark from the desktop. Click Activities in the upper left of the desktop. In the Type to search field, in the top center of the desktop, type wireshark. Click Wireshark.

    2. Open the capture file. From the File menu, click Open, or type Ctrl+O to open the Open Capture File window. Browse and select the rh342-practice.tcpdump file. Click Open.

    3. Filter the captured data so that only SMTP packets are displayed. In the Apply a display filter field, type smtp. Press Enter.

    4. Inspect the content of the network packets. In the middle pane, click any of the right-pointing triangles to expand different parts of the network packet.

    5. In the top pane, right-click any packet in the SMTP exchange, and then select Follow > TCP Stream to display the stream content in a more readable format. Messages from the SMTP server are displayed in blue and messages from the SMTP client are displayed in red.

      You should see text that reads "GOLD RING HAS BEEN CAUGHT", which is the first line in the body of the mail message.

    6. Close Wireshark. From the File menu, click Quit.

  7. Capture and display network traffic, which requires root user access.

    1. As the student user on the workstation machine, log in to the serverb machine and switch to the root user.

      [student@workstation ~]$ ssh student@serverb
      ...output omitted...
      [student@serverb ~]$ sudo -i
      [sudo] password for student: student
      [root@serverb ~]#
    2. Verify that the tcpdump package is installed.

      [root@serverb ~]# rpm -q tcpdump
      tcpdump-4.9.3-1.el8.x86_64
    3. Start the tcpdump utility on the serverb machine so that it captures network traffic for the servera machine.

      [root@serverb ~]# tcpdump 'ip host servera'
      dropped privs to tcpdump
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    4. From a separate terminal window, log in as the student user on the servera machine.

      [student@workstation ~]$ ssh student@servera
      [student@servera ~]$
    5. Generate ICMP network traffic that is addressed to the serverb machine.

      [student@servera ~]$ ping -c 3 serverb
      PING serverb.lab.example.com (172.25.250.11) 56(84) bytes of data.
      64 bytes from serverb.lab.example.com (172.25.250.11): icmp_seq=1 ttl=64 time=0.060 ms
      64 bytes from serverb.lab.example.com (172.25.250.11): icmp_seq=2 ttl=64 time=0.052 ms
      64 bytes from serverb.lab.example.com (172.25.250.11): icmp_seq=3 ttl=64 time=0.055 ms
      
      --- serverb.lab.example.com ping statistics ---
      3 packets transmitted, 3 received, 0% packet loss, time 2047ms
      rtt min/avg/max/mdev = 0.052/0.055/0.060/0.009 ms
    6. From the serverb terminal window, view the tcpdump output that is displayed on the serverb machine.

      22:53:20.038855 IP servera.lab.example.com > serverb.lab.example.com: ICMP echo request, id 1610, seq 1, length 64
      22:53:20.038963 IP serverb.lab.example.com > servera.lab.example.com: ICMP echo reply, id 1610, seq 1, length 64
      22:53:21.045671 IP servera.lab.example.com > serverb.lab.example.com: ICMP echo request, id 1610, seq 2, length 64
      22:53:21.045736 IP serverb.lab.example.com > servera.lab.example.com: ICMP echo reply, id 1610, seq 2, length 64
      22:53:22.069693 IP servera.lab.example.com > serverb.lab.example.com: ICMP echo request, id 1610, seq 3, length 64
      22:53:22.069752 IP serverb.lab.example.com > servera.lab.example.com: ICMP echo reply, id 1610, seq 3, length 64
    7. End the tcpdump packet capture on the serverb machine.

      Ctrl+C
      6 packets captured
      6 packets received by filter
      0 packets dropped by kernel
  8. Capture incoming network traffic for a specific port. Save the captured packets to a file for later analysis.

    1. Start the tcpdump utility on the serverb machine so that it captures HTTP traffic. Save the captured network packets to the http-test.tcpdump file.

      [root@serverb ~]# tcpdump -w http-test.tcpdump 'port 80'
      dropped privs to tcpdump
      tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    2. In the servera terminal window, display the web content from the serverb machine.

      [student@servera ~]$ curl http://serverb.lab.example.com
      SERVERB is providing web content.
    3. In the serverb terminal window, interrupt the tcpdump utility to stop the packet capture.

      Ctrl+C
      12 packets captured
      12 packets received by filter
      0 packets dropped by kernel
  9. Display the captured network traffic.

    1. In the serverb terminal window, use the tcpdump utility to display the captured network traffic. If -r FILENAME is the only option, then only packet header information is displayed by default.

      [root@serverb ~]# tcpdump -r http-test.tcpdump
      reading from file http-test.tcpdump, link-type EN10MB (Ethernet)
      dropped privs to tcpdump
      20:42:16.374181 IP servera.lab.example.com.60408 > serverb.lab.example.com.http: Flags [S], seq 2599241697, win 29200, options [mss 1460,sackOK,TS val 3400465832 ecr 0,nop,wscale 7], length 0
      20:42:16.374284 IP serverb.lab.example.com.http > servera.lab.example.com.60408: Flags [R.], seq 0, ack 2599241698, win 0, length 0
      20:43:31.505131 IP servera.lab.example.com.60412 > serverb.lab.example.com.http: Flags [S], seq 3593487441, win 29200, options [mss 1460,sackOK,TS val 3400540964 ecr 0,nop,wscale 7], length 0
      20:43:31.505208 IP serverb.lab.example.com.http > servera.lab.example.com.60412: Flags [S.], seq 1455608366, ack 3593487442, win 28960, options [mss 1460,sackOK,TS val 1722155038 ecr 3400540964,nop,wscale 7], length 0
      ...output omitted...
    2. Display incoming packets that originate only from the servera machine. Display the packets in hexadecimal format.

      [root@serverb ~]# tcpdump -x -r http-test.tcpdump 'src servera'
      reading from file http-test.tcpdump, link-type EN10MB (Ethernet)
      dropped privs to tcpdump
      20:42:16.374181 IP servera.lab.example.com.60408 > serverb.lab.example.com.http: Flags [S], seq 2599241697, win 29200, options [mss 1460,sackOK,TS val 3400465832 ecr 0,nop,wscale 7], length 0
      	0x0000:  4500 003c 8b66 4000 4006 630c ac19 fa0a
      	0x0010:  ac19 fa0b ebf8 0050 9aed 47e1 0000 0000
      	0x0020:  a002 7210 f236 0000 0204 05b4 0402 080a
      	0x0030:  caae fda8 0000 0000 0103 0307
      20:43:31.505131 IP servera.lab.example.com.60412 > serverb.lab.example.com.http: Flags [S], seq 3593487441, win 29200, options [mss 1460,sackOK,TS val 3400540964 ecr 0,nop,wscale 7], length 0
      	0x0000:  4500 003c d7e6 4000 4006 168c ac19 fa0a
      	0x0010:  ac19 fa0b ebfc 0050 d630 4451 0000 0000
      	0x0020:  a002 7210 4c78 0000 0204 05b4 0402 080a
      	0x0030:  cab0 2324 0000 0000 0103 0307
      ...output omitted...
    3. Display incoming packets that originate only from the servera machine. Display the packets in hexadecimal and ASCII formats.

      [root@serverb ~]# tcpdump -X -r http-test.tcpdump 'src servera'
      reading from file http-test.tcpdump, link-type EN10MB (Ethernet)
      dropped privs to tcpdump
      20:42:16.374181 IP servera.lab.example.com.60408 > serverb.lab.example.com.http: Flags [S], seq 2599241697, win 29200, options [mss 1460,sackOK,TS val 3400465832 ecr 0,nop,wscale 7], length 0
      	0x0000:  4500 003c 8b66 4000 4006 630c ac19 fa0a  E..<.f@.@.c.....
      	0x0010:  ac19 fa0b ebf8 0050 9aed 47e1 0000 0000  .......P..G.....
      	0x0020:  a002 7210 f236 0000 0204 05b4 0402 080a  ..r..6..........
      	0x0030:  caae fda8 0000 0000 0103 0307            ............
      20:43:31.505131 IP servera.lab.example.com.60412 > serverb.lab.example.com.http: Flags [S], seq 3593487441, win 29200, options [mss 1460,sackOK,TS val 3400540964 ecr 0,nop,wscale 7], length 0
      	0x0000:  4500 003c d7e6 4000 4006 168c ac19 fa0a  E..<..@.@.......
      	0x0010:  ac19 fa0b ebfc 0050 d630 4451 0000 0000  .......P.0DQ....
      	0x0020:  a002 7210 4c78 0000 0204 05b4 0402 080a  ..r.Lx..........
      	0x0030:  cab0 2324 0000 0000 0103 0307            ..#$........
      20:43:31.505357 IP servera.lab.example.com.60412 > serverb.lab.example.com.http: Flags [.], ack 1455608367, win 229, options [nop,nop,TS val 3400540964 ecr 1722155038], length 0
      	0x0000:  4500 0034 d7e7 4000 4006 1693 ac19 fa0a  E..4..@.@.......
      	0x0010:  ac19 fa0b ebfc 0050 d630 4452 56c2 d22f  .......P.0DRV../
      	0x0020:  8010 00e5 4c70 0000 0101 080a cab0 2324  ....Lp........#$
      	0x0030:  66a6 001e                                f...
      20:43:31.505391 IP servera.lab.example.com.60412 > serverb.lab.example.com.http: Flags [P.], seq 0:87, ack 1, win 229, options [nop,nop,TS val 3400540964 ecr 1722155038], length 87: HTTP: GET / HTTP/1.1
      	0x0000:  4500 008b d7e8 4000 4006 163b ac19 fa0a  E.....@.@..;....
      	0x0010:  ac19 fa0b ebfc 0050 d630 4452 56c2 d22f  .......P.0DRV../
      	0x0020:  8018 00e5 4cc7 0000 0101 080a cab0 2324  ....L.........#$
      	0x0030:  66a6 001e 4745 5420 2f20 4854 5450 2f31  f...GET./.HTTP/1
      	0x0040:  2e31 0d0a 486f 7374 3a20 7365 7276 6572  .1..Host:.server
      	0x0050:  622e 6c61 622e 6578 616d 706c 652e 636f  b.lab.example.co
      	0x0060:  6d0d 0a55 7365 722d 4167 656e 743a 2063  m..User-Agent:.c
      	0x0070:  7572 6c2f 372e 3631 2e31 0d0a 4163 6365  url/7.61.1..Acce
      	0x0080:  7074 3a20 2a2f 2a0d 0a0d 0a              pt:.*/*....
      ...output omitted...
    4. Copy the captured HTTP data to the workstation machine for further analysis. Use Wireshark on the workstation machine to view the captured HTTP network traffic. Follow the TCP stream to view the HTTP exchange in a more readable format.

      [root@serverb ~]# scp http-test.tcpdump student@workstation:
      ...output omitted...
      student@workstation's password: student
      http-test.tcpdump                             100% 1395     1.5MB/s   00:00
    5. Return to workstation as the student user.

      [root@serverb ~]# exit
      [student@serverb ~]$ exit
      [student@workstation ~]$
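The -x hex dump in step 9 is the raw IPv4 and TCP header of the SYN that tcpdump summarised on the line above it. As an added example (not part of the exercise and not tcpdump's own code), this Python script rebuilds the packet bytes from those hex lines and decodes the fields tcpdump printed: addresses, ports, flags, sequence number, window, and the MSS option.

```python
import re, struct
from ipaddress import IPv4Address

# First SYN from servera, copied from the tcpdump -x output in step 9 of this exercise.
SYN_HEX_DUMP = """\
\t0x0000:  4500 003c 8b66 4000 4006 630c ac19 fa0a
\t0x0010:  ac19 fa0b ebf8 0050 9aed 47e1 0000 0000
\t0x0020:  a002 7210 f236 0000 0204 05b4 0402 080a
\t0x0030:  caae fda8 0000 0000 0103 0307
"""

TCP_FLAG_NAMES = {0x01: "F", 0x02: "S", 0x04: "R", 0x08: "P", 0x10: ".", 0x20: "U"}

def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from tcpdump -x lines ('0x0010:  ac19 fa0b ...')."""
    out = bytearray()
    for line in dump.splitlines():
        head, _, rest = line.partition(":")
        if not head.strip().startswith("0x"): continue   # not an offset line
        for tok in rest.split():
            if not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", tok): break  # -X ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)

def decode_ipv4_tcp(pkt):
    """Decode the IPv4 header and the TCP header behind it (checksums are not verified)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, _frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    info = {"ihl": ihl, "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20]))}
    if proto != 6: return info              # not TCP: report the IP layer only
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4        # TCP header length including options
    info.update(sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                flags="".join(n for b, n in TCP_FLAG_NAMES.items() if off_flags & b),
                payload_len=total_len - ihl - data_off)
    i = 20                                  # walk the options for MSS (kind 2)
    while i < data_off and tcp[i] != 0:     # kind 0 terminates the option list
        kind, length = tcp[i], (1 if tcp[i] == 1 else tcp[i + 1])   # kind 1 is a NOP
        if kind == 2 and length == 4:
            info["mss"] = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += max(length, 1)                 # never spin on a malformed zero length
    return info

def tcpdump_summary(dump):
    """tcpdump-style header line for a -x dump (addresses instead of host names)."""
    d = decode_ipv4_tcp(hexdump_to_bytes(dump))
    return (f"IP {d['src']}.{d['sport']} > {d['dst']}.{d['dport']}: Flags [{d['flags']}], "
            f"seq {d['seq']}, win {d['win']}, length {d['payload_len']}")
```

Comparing the decoded values with tcpdump's own header line (seq 2599241697, win 29200, mss 1460) is a quick way to confirm you are reading the hex dump correctly.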

Finish

On the workstation machine, use the lab command to complete this exercise. This is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish network-traffic

Revision: rh342-8.4-6dd89bd