Home‎ > ‎CIS 140NA‎ > ‎

Lab 4: Remote Captures

The purpose of this lab is for you to perform a remote capture and merge.

In order to debug some problems you might need to capture packets from multiple places. Sometimes routers and firewalls change packets and those changes cause problems. In this lab you will capture packets on your home or lab computer and on Opus. You will then merge the two captures so you can compare packets side-by-side. You will need your Opus username and password, as well as a tool to transfer files. 

You have an account on the computer 'opus.cis.cabrillo.edu'. The username and password are based on your name and your student ID. If you don't remember them go to Lab 1 to see how they're derived. IMPORTANT: When you login to Opus do not put "cislab\" before your username! Once you can login to Opus you will need a utility to transfer files between Opus and your computer. On Windows you can use PuTTY or Filezilla. If you download FileZilla be sure to opt out of the SPYWARE that gets added by SourceForge. On a Mac or Linux you already have the "scp" program installed. To login to Opus from the Linux or Mac command line use the following command:

ssh -p 2220 <your-user-name>@opus.cis.cabrillo.edu

If you're logging in with PuTTY be sure you specify port 2220, it's not the default (22 is). 

Capture Packets
You will be capturing in two places. On your home or lab computer you can begin a capture the usual way. On Opus you will capture using the following command:

/home/cis140/bin/dump-web ~/opuscapture.pcapng

This capture into the file "opuscapture.pcapng". The capture will run until you type Ctrl-C on the command line. It only captures packets between your home computer and Opus. With both captures running direct your web browser to the following link:

The Opus landing page is simple and will load fast. Once it's loaded you can stop both captures. 

Download the Opus Capture
In order to view the packets captures on Opus you'll need to transfer the capture file to your computer. On Mac or Linux you can download the capture file with the following command: 

scp -P 2220 <your-user-name>@opus.cis.cabrillo.edu:opuscapture.pcapng . 

On Windows replace "scp" with "pscp.exe" if you're using PuTTY. If you're using Filezilla refer to its manual. The command will copy the file into the current directory. Be sure you know where that is. 

Merge Packets
You should have two capture files, one you got on your computer and one that came from opus. Trim the files so that they contain the same TCP session as seen from both sides and save the trimmed captures. Merge the two captures together. You should see every packet twice, however the packet pairs may seem shifted in time because your computer's clock and Opus's clock are not coordinated. You will use the 'editcap' tool to fix this. 

How to Determine the Time Offset 
Recall the TCP three way handshake: 

SYN -------> 
        <------ SYN/ACK
ACK ------->

The SYN comes from your computer and the SYN/ACK comes from Opus. Adjust the time so that the SYN that Opus sees happens after the SYN is sent from your computer but before Opus sends the SYN/ACK back. This is only an estimate but if you get the estimate correctly the three way handshake should be like this in Wireshark's packet display: 

1: Your Capture: You -> Opus : SYN
2: Opus Capture: You -> Opus : SYN
3: Opus Capture: Opus -> You : SYN/ACK 
4: Your Capture: Opus -> You : SYN/ACK
5: Your Capture: You -> Opus : ACK
6: Opus Capture: You -> Opus : ACK

You captures are now aligned. Save your merged capture. Turn your merged capture with the answer to the following questions: 
  1. What was the time difference between your computer and Opus?  
  2. What was the exact command (with arguments) you used to modify the time stamps? 
  3. How many different IP addresses are in you capture? Why? 
Turn In
  1. Your merged and aligned packet capture
  2. The answers to the questions
Submit your homework on Canvas.

  • 10 points for the capture
  • 10 points for correct answers