ICMP (Internet Control Message Protocol)

Hello, I would like to know if the examples are done in Packet Tracer and then you use Wireshark?

Hello Ivonne

Most of Rene’s labs on the site are performed using Cisco Modeling Labs (CML) or Cisco Virtual Internet Routing Lab (VIRL), which is CML’s predecessor. Wireshark is used in conjunction with these emulators. In some rarer cases, where an emulator cannot fulfill the requirements of a lab, he may use real equipment, but not too often.

Cisco’s Packet Tracer is incompatible with Wireshark, so you cannot capture packets from a topology that you have created in Packet Tracer. However, Packet Tracer itself does have a utility to capture and display the content of packets as they go through the network.

I hope this has been helpful!

Laz

Hello, everyone!

Regarding security. I’ve read that ICMP pings can be used as an attack tool such as ICMP Flood where the attacker attempts to quickly generate as many pings as possible in an attempt to overwhelm the destination device. However, Google also says that for this reason, ICMP should be disabled.

But how are we supposed to verify basic connectivity in cases like troubleshooting if we disable pings or configure our devices not to respond to them?

Thank you.

David

Hello David

Indeed, ICMP can be leveraged for various attacks including ping flood, ping of death, ICMP smurf attacks, ICMP redirect attacks, and various others. Most of these are DoS attacks. In any case, they all exploit ICMP’s fundamental mechanisms and features for malicious purposes.

There are various ways to deal with these, but arguably the most effective (and simplest to employ) is to disable responses to ICMP completely. You will often see this approach on routers that are found on the Internet. If you have done a traceroute to a destination on the Internet, you will see that some hops along the way don’t respond. This is because they have been configured not to respond to ICMP messages for security reasons.

Now this solution is not always preferable for the reasons you stated in your post. Ping and traceroute are valuable utilities for troubleshooting networks. So there are two primary approaches:

  1. If you choose to disable ICMP completely, then you must use other methods to troubleshoot. This can include using tools like:
    • traceroute with TCP or UDP - On Linux for example, the traceroute command by default uses UDP, not ICMP. You can use traceroute -T which will conduct a “traceroute-like procedure” using TCP instead.
      *TCP and UDP port scans can also be used to determine if devices are active and listening to those particular ports
    • On a local network, you can use ARP to find the MAC address associated with a particular IP address, and thus you can also identify which devices are currently active on the local network.
    • Monitoring tools - Using SNMP, Netflow, or other network monitoring tools and protocols, you can determine device connectivity without using ICMP.
    • Other options include using DNS queries, SSH, Telnet, and application-level health checks.
  2. The other approach is to not disable ICMP but to implement strategies that will help mitigate the risks associated with ICMP while still maintaining its benefits. This approach can include:
    • Selectively filtering ICMP traffic based on ICMP message types and geographical blocking of particular IP addresses
    • Rate limiting ICMP packets to avoid DoS attacks
    • Actively monitor ICMP traffic on the network to preemptively deal with attacks

There is no single best solution for all cases; each should be examined on a case-by-case basis. Disabling ICMP completely is easiest, but if you need ping and traceroute for troubleshooting (as well as for other possible features), then the alternative is to mitigate any such attacks as described above.

I hope this has been helpful!

Laz
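The two mitigations in approach 2 above (filtering by ICMP message type and rate limiting echo requests) can be demonstrated in code. The following is an added example and not part of the original thread or of any vendor's implementation: it parses the 8-byte ICMP header from raw bytes, verifies the RFC 1071 checksum, drops message types not on an allow-list (redirects are dropped; echo, destination unreachable and time exceeded are kept so that ping and traceroute still work), and applies a token-bucket limit to echo requests. The policy values, the `FakeClock` helper and the sample packets are constructed for the example.

```python
"""Added example: ICMP type filtering plus rate limiting of echo requests.
Not code from the original forum post; packets below are constructed inline."""
import struct
import time

# ICMP type numbers (RFC 792)
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11

# Example policy (an assumption, not a vendor default): keep what ping and
# traceroute need, drop redirects since hosts rarely need them from the network.
ALLOWED_TYPES = {ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words; 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP message with a correct checksum (used to construct samples).
    'rest' is the 4-byte rest-of-header field (identifier/sequence for echo)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(data: bytes) -> dict:
    """Decode the fixed 8-byte ICMP header; caller has checked the length."""
    icmp_type, code, csum, rest = struct.unpack("!BBHI", data[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "rest": rest, "payload": data[8:]}


class TokenBucket:
    """Allow 'burst' packets at once, then 'rate' packets per second."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class IcmpFilter:
    """Decide accept/drop for one ICMP packet using the policy above."""

    def __init__(self, bucket: TokenBucket):
        self.bucket = bucket

    def decide(self, packet: bytes) -> str:
        if len(packet) < 8:
            return "drop: truncated"
        if icmp_checksum(packet) != 0:
            return "drop: bad checksum"
        msg = parse_icmp(packet)
        if msg["type"] not in ALLOWED_TYPES:
            return "drop: type %d not allowed" % msg["type"]
        if msg["type"] == ECHO_REQUEST and not self.bucket.allow():
            return "drop: rate limit"
        return "accept"


class FakeClock:
    """Controllable clock so the rate-limit demo is deterministic (test aid)."""

    def __init__(self):
        self.t = 0.0

    def now(self) -> float:
        return self.t


def run_demo() -> list:
    """Feed constructed packets through the filter and return the decisions."""
    clock = FakeClock()
    flt = IcmpFilter(TokenBucket(rate=2.0, burst=3, clock=clock.now))
    ping = build_icmp(ECHO_REQUEST, rest=(0x1234 << 16) | 1, payload=b"ping")
    decisions = [flt.decide(ping) for _ in range(5)]        # burst of 3, then 2 dropped
    clock.t = 1.0                                           # one second later: 2 tokens back
    decisions += [flt.decide(ping) for _ in range(3)]
    decisions.append(flt.decide(build_icmp(REDIRECT, code=1, rest=0x0A000001)))
    decisions.append(flt.decide(build_icmp(TIME_EXCEEDED)))  # traceroute reply, kept
    decisions.append(flt.decide(ping[:6]))                   # truncated header
    corrupted = bytearray(ping)
    corrupted[-1] ^= 0xFF                                    # payload bit flip, checksum fails
    decisions.append(flt.decide(bytes(corrupted)))
    return decisions


if __name__ == "__main__":
    for i, d in enumerate(run_demo()):
        print(i, d)
```

On a real router the same idea is expressed as an ACL on message types plus a policer on the echo-request class; this script shows the decision logic in isolation so it can be run offline against the constructed packets.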