Networking 101

Copyright Priscilla Oppenheimer

Lab 10 Introduction to Wireshark

The goal of this lab is for you to learn more about protocols. You will run the Wireshark protocol analyzer on a Linux machine. You will capture network traffic and explore the protocols required to go to a Web site. The lab write-up involves simply answering the questions below. You can do this in "real time" during the class period or start it during class and finish it on your own time.

Explore traffic on the lab network

  1. Log into a Linux machine.
  2. Start a Terminal (Console) session by clicking on the Console icon. (The icon looks like a screen with a shell in it.)
  3. Run Wireshark by typing wireshark.
  4. Start a Capture of live network traffic.
    1. Pull down the Capture menu and select Start.
    2. Click OK.
    3. Capture packets for a couple of minutes.
    4. Click on Stop.
  5. The upper window in Wireshark is called the Summary Window. It shows one line per packet and includes summarized information about the addresses and the highest-layer protocol present in each packet.
  6. List some of the protocols that are present on the lab network. For example, you may see Spanning Tree Protocol (STP) packets. What else do you see?
  7. Look at a packet in detail.
  8. In the Display menu, select Expand All.
  9. Highlight a packet in the Summary Window. What type of packet is it? (What does the Protocol column say for the packet?)
  10. The middle window in Wireshark shows each packet in detail. The middle window is called the Detail Window. For the packet you highlighted, scroll through the Detail Window to see all the layers (packet headers) for that packet.
  11. List all the protocol layers (packet headers) that are present. For example, if you chose a Yellow Pages YPSERV packet, you might list Ethernet II, Internet Protocol (IP), User Datagram Protocol (UDP), Remote Procedure Call (RPC), and Yellow Pages Services.

Set a filter to look at just your own traffic

  1. Determine the MAC (hardware) address of the Ethernet Network Interface Card (NIC) in the machine that you are using.
    1. Open another Terminal session by clicking on the Terminal icon.
    2. Type ifconfig.
    3. What is your hardware address, which ifconfig calls a HWaddr?
  2. Set up a Capture Filter in Wireshark.
    1. Go back to Wireshark by clicking on Wireshark in the Task Bar at the bottom of your screen.
    2. Pull down the Edit menu and select Capture Filter.
    3. In the Filter Name field, type a name for your filter, for example, This PC.
    4. In the Filter String field, type your filter.
      1. The syntax is ether host, followed by your Ethernet address.
      2. For example, ether host 00:00:0e:d5:c7:e7.
    5. Click on New.
    6. Click on Save.
    7. Click on Close.

Capture traffic when you access a Web site

  1. Open a Web browser.
    1. Click on the icon for the Mozilla Web Browser. The icon looks like the earth with a mouse wrapped around it.
  2. Go back to Wireshark by clicking on Wireshark in the Task Bar.
  3. Pull down the Capture menu and select Start.
  4. Click on the Filter button and select the filter that you created.
  5. Click on OK to confirm selection of your filter and then click on OK to start the capture.
  6. Go back to Mozilla and go to your favorite Web site.
  7. After your favorite Web site downloads, click on the Wireshark Capture item in the Task Bar. (While capturing, you will have two Wireshark items in the Task Bar. Make sure to get the one that brings up the Wireshark Capture window that has the Stop button.)
  8. Click Stop to stop the capture and display the packets you captured.

Examine traffic related to accessing a Web site

  1. Examine the Summary Window in Wireshark. What protocols were used during the time you captured network traffic while accessing a Web site?
  2. Highlight the packet where your machine asked the DNS server for the IP address for the Web server. If you can't find such a packet, ask for help. Examine the packet in the Detail Window. What is the Ethernet Source Address for this packet?
  3. Find the response from the DNS server, which is probably the next packet. Examine the packet in the Detail Window. In the DNS layer of the packet, find the Answer section. What is the IP address of the Web server, according to the DNS server?
  4. Examine the DNS response packet in more detail. What protocols run below DNS? In other words, what packet headers do you see in addition to DNS for this packet?
  5. Find the TCP SYN packet your machine sent to establish a connection with the Web server. What protocols run below TCP? In other words, what packet headers do you see in addition to TCP?
  6. At the IP layer in the TCP SYN packet, what is the IP Destination Address?
  7. Find the first HTTP packet that your machine sent to get the initial data from the Web site. (You should see an HTTP GET command in the HTTP header.) In the IP header of this packet, what is the Total Length?
  8. In the TCP header of this packet, what is the Sequence Number?
  9. Find the next packet that your machine sent. What is the TCP Sequence Number of that packet? Explain where that number comes from. Why is it so much bigger than the Sequence Number of the previous packet from your machine? What does the IP Total Length have to do with the equation?
  10. Examine some more packets to and from the Web server. Looking at the bottom window in Wireshark, see if you can find some HTML tags that the Web server uses. List a few HTML tags that the Web server uses.
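
As an added illustration of the Sequence Number question above (example code, not part of the original lab), the following Python builds a constructed IPv4/TCP segment, reads the IP Total Length, the IP and TCP header lengths and the TCP Sequence Number out of the raw bytes, and derives the Sequence Number that the next segment from the same sender should carry. The addresses (TEST-NET documentation ranges), ports and initial sequence number are made up.

```python
import struct

# Constructed sample HTTP request; not taken from a real capture.
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10


def build_ipv4_tcp(seq, flags, payload):
    """Assemble IPv4 header + TCP header + payload (checksums left as 0).
    Addresses come from the TEST-NET documentation ranges; ports are made up."""
    total_length = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0x1234, 0x4000, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 80]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80, seq, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_segment(frame):
    """Pull out the fields the lab asks about and derive the next Sequence Number."""
    ihl = (frame[0] & 0x0F) * 4                        # IP header length, bytes
    total_length = struct.unpack("!H", frame[2:4])[0]  # IP Total Length
    tcp = frame[ihl:]
    seq = struct.unpack("!I", tcp[4:8])[0]             # TCP Sequence Number
    data_offset = (tcp[12] >> 4) * 4                   # TCP header length, bytes
    flags = tcp[13]
    payload_len = total_length - ihl - data_offset     # bytes of application data
    # Every payload byte consumes one sequence number. SYN and FIN consume one
    # each as well, although they carry no data, which is why the GET that
    # follows a SYN starts at ISN + 1 rather than at ISN.
    consumed = payload_len + bool(flags & SYN) + bool(flags & FIN)
    return {"total_length": total_length, "seq": seq,
            "payload_len": payload_len, "next_seq": (seq + consumed) % 2**32}


def walk_connection(isn=1000):
    """Return the parsed fields for a SYN and for the HTTP GET that follows it."""
    syn = parse_segment(build_ipv4_tcp(isn, SYN, b""))
    get = parse_segment(build_ipv4_tcp(syn["next_seq"], PSH | ACK, HTTP_GET))
    return syn, get


if __name__ == "__main__":
    syn, get = walk_connection()
    print(f"SYN  seq={syn['seq']} -> next {syn['next_seq']}")
    print(f"GET  total_length={get['total_length']} seq={get['seq']} "
          f"payload={get['payload_len']} -> next {get['next_seq']}")
```

Wireshark displays relative sequence numbers by default (the SYN shows as 0), so compare the difference between your two packets, not the absolute values, against Total Length minus the two header lengths.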


More exploration: Examine packets and protocols for another application

  1. Run FTP, Ping, Traceroute, E-Mail, Telnet, or any application of your choice. Using Wireshark, capture the traffic that your machine sends and receives while you run the application.
    1. The instructor will be especially impressed if you use the Linux command line to run your application of choice, rather than depending on a Graphical User Interface. :-)
  2. If you use the Linux command line, list the commands you had to type. (This might be easy for Ping and Traceroute, but not so easy for FTP or E-Mail.) Ask for help if you need it.
  3. Briefly describe or list the packets and protocols that the application uses to get its job done.