• Warning: Do not import any library. If you want, you can only import struct.
• Please download and untar pcap.tar.
• Copy lab03.py from the previous lab into lab04.py

[10pts] Part 1: Using Wireshark

In particular, give screenshots of the following (in the lab report):

• The ICMP packet for activity item 2.
• The DNS packet for activity item 3.
• The TCP stream for activity item 4.

[30pts] Part 2: Extract Ethernet and IP Headers

>>> data = open("two.pcap", "rb").read()
>>> import lab04
>>> lab04.showpkts_IP(data)
Dst-MAC= 00:00:00:00:00:00
Src-MAC= 00:00:00:00:00:00
IHL= 5
Total Length= 84
Src-IP= 127.0.0.1
Dst-IP= 127.0.0.1
data:
08 00 49 80 00 01 00 01  68 35 ba 60 00 00 00 00
cb 14 02 00 00 00 00 00  10 11 12 13 14 15 16 17
18 19 1a 1b 1c 1d 1e 1f  20 21 22 23 24 25 26 27
28 29 2a 2b 2c 2d 2e 2f  30 31 32 33 34 35 36 37

Dst-MAC= 00:00:00:00:00:00
Src-MAC= 00:00:00:00:00:00
IHL= 5
Total Length= 84
Src-IP= 127.0.0.1
Dst-IP= 127.0.0.1
data:
00 00 51 80 00 01 00 01  68 35 ba 60 00 00 00 00
cb 14 02 00 00 00 00 00  10 11 12 13 14 15 16 17
18 19 1a 1b 1c 1d 1e 1f  20 21 22 23 24 25 26 27
28 29 2a 2b 2c 2d 2e 2f  30 31 32 33 34 35 36 37

>>>

Notes

[30pts] Part 3: Extracting TCP Payloads

Tips

• As shown below in the sample run, implement a function showpkts_TCP. The function takes two IP addresses that works as a filter. That is, show the TCP payloads that belong to the TCP connections between two IP addresses.
• If a packet contains no TCP payload (such as SYN), simple ignore the packet.
• You need to refer to "Protocol" field in the IP header to see if the given packet is TCP. TCP protocol number is 6.
• Extracting "Data Offset" field needs care. It's 4 bits! You need to do bit manipulation. Also, if data offset is 5, then it means 5 lines (i.e., 5*4 = 20 bytes) after which the payload appears. In other words, the TCP header is 20 bytes long, after which the data (i.e., TCP payload) follows.
• Try to match your work with Wireshark to see if your work is correct.

  How to follow a TCP stream in Wireshark

  See the "Using Wireshark" Activity in the notes on OSI 7 Layers and PCAP Analysis II.

>>> data = open("tcp.pcap", "rb").read()
>>> import lab04
>>> lab04.showpkts_TCP(data, "192.168.172.4", "192.168.172.5")
192.168.172.4(36780) ->  192.168.172.5(8000) :
   b'Alice: Hello, Bob\n'
192.168.172.5(8000) ->  192.168.172.4(36780) :
   b'Bob: Hello, Alice\n'
192.168.172.5(8000) ->  192.168.172.4(36780) :
   b"Bob: What's up?\n"
192.168.172.4(36780) ->  192.168.172.5(8000) :
   b'Alice: Just wondering if you know Diffie-Hellman.\n'
192.168.172.5(8000) ->  192.168.172.4(36780) :
   b"Bob: Aha! It's (g^x)^y = (g^y)^x!\n"
192.168.172.4(36780) ->  192.168.172.5(8000) :
   b"Alice: That's the main point!\n"
192.168.172.4(36780) ->  192.168.172.5(8000) :
   b'       Good bye!\n'
192.168.172.5(55372) ->  192.168.172.4(9000) :
   b'R: Hmmm... If N is pq, then phi(N) is (p-1)(q-1)\n'
192.168.172.4(9000) ->  192.168.172.5(55372) :
   b'S: So? What do you want to say?\n'
192.168.172.5(55372) ->  192.168.172.4(9000) :
   b'R: My point is m^x mod N is the same as m^(x mod phi(N)) mod N\n'
192.168.172.4(9000) ->  192.168.172.5(55372) :
   b'S: Oh, then, you if you now the inverse of x, you can simply recover m?\n'
192.168.172.4(9000) ->  192.168.172.5(55372) :
   b"   That's cool!\n"
192.168.172.5(55372) ->  192.168.172.4(9000) :
   b'R: Btw, where is A?\n'
>>>

[20pts] Part 4: Reading Assignment

1. Click here to download chapter 2 of the following book:

   Security Engineering, 3rd ed. by Ross Anderson

2. Read the following:
   • 2.2.2 China - 2.2.5 Attribution
   (Eventually, we will finish reading the whole chapter. Expect further reading assignments in later labs.)
3. In the lab report, give a brief summary of what you read.
   • Length of summary: about one page.
   • The quality of writing will matter.

[10pts] Lab Report and Submission

• Explanation of the important part of your code.
• The writing quality of your explanation will matter.

~/bin/submit -c=IT430 -p=lab04 lab04.py lab04_report.docx