Wireshark Exercises. Homework Assignments Using the Wireshark Packet Analyzer

Similar documents
Lab 1: Packet Sniffing and Wireshark

BASIC ANALYSIS OF TCP/IP NETWORKS

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Lab - Using Wireshark to View Network Traffic

Lab Conducting a Network Capture with Wireshark

Introduction to Network Security Lab 1 - Wireshark

Modern snoop lab lite version

Network Forensics Network Traffic Analysis

Introduction on Low level Network tools

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

Wireshark Quick-Start Guide. Instructions on Using the Wireshark Packet Analyzer

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

Analyzing 6LoWPAN/ZigBeeIP networks with the Perytons Protocol Analyzer May, 2012

Lab - Observing DNS Resolution

Protocol Data Units and Encapsulation

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

EKT 332/4 COMPUTER NETWORK

1. LAB SNIFFING LAB ID: 10

EXPLORER. TFT Filter CONFIGURATION

ShadowControl ShadowStream

Network setup and troubleshooting

Configuring Network Address Translation (NAT)

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

LESSON Networking Fundamentals. Understand TCP/IP

Protocols. Packets. What's in an IP packet

1 You will need the following items to get started:

Setting Up Scan to SMB on TaskALFA series MFP s.

DMZ Network Visibility with Wireshark June 15, 2010

DNS Basics. DNS Basics

Connecting your Virtual Machine to the Internet. BT Cloud Compute. The power to build your own cloud solutions to serve your specific business needs

Configuring Security for FTP Traffic

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Final for ECE374 05/06/13 Solution!!

The OSI model has seven layers. The principles that were applied to arrive at the seven layers can be briefly summarized as follows:

Implementing Network Address Translation and Port Redirection in epipe

Lecture 28: Internet Protocols

1 Introduction: Network Applications

Step-by-Step Configuration

Snoopy. Objective: Equipment Needed. Background. Procedure. Due Date: Nov 1 Points: 25 Points

Ethereal: Getting Started

EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL

Lab VI Capturing and monitoring the network traffic

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

iseries TCP/IP routing and workload balancing

COMP 3331/9331: Computer Networks and Applications. Lab Exercise 3: TCP and UDP (Solutions)

Network Technologies

Network Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from

Solution of Exercise Sheet 5

Wireshark Lab: Assignment 1w (Optional)

Application-Centric Analysis Helps Maximize the Value of Wireshark

Lab - Observing DNS Resolution

Snare for Firefox Snare Agent for the Firefox Browser

The following multiple-choice post-course assessment will evaluate your knowledge of the skills and concepts taught in Internet Business Associate.

CPS221 Lecture: Layered Network Architecture

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

Computer Networking LAB 2 HTTP

Ethereal Lab: DNS. 1. nslookup

Networking Test 4 Study Guide

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Dynamic DNS How-To Guide

DNS Resolving using nslookup

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

Wireshark Tutorial. Figure 1: Packet sniffer structure

Transport and Network Layer

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

Network Probe User Guide

SSL VPN Portal Options

TCP/IP Networking An Example

Guardian Digital WebTool Firewall HOWTO. by Pete O Hara

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5

The OSI and TCP/IP Models. Lesson 2

Network Security: Workshop

First Midterm for ECE374 03/09/12 Solution!!

File Sharing. Peter Lo. CP582 Peter Lo

F-Secure Messaging Security Gateway. Deployment Guide

Wireshark Lab: HTTP. 1. The Basic HTTP GET/response interaction

Chapter 6 Virtual Private Networking Using SSL Connections

Objectives of Lecture. Network Architecture. Protocols. Contents

Chapter 5 Customizing Your Network Settings

Lab 3.4.2: Managing a Web Server

idatafax Troubleshooting

M2M Series Routers. Port Forwarding / DMZ Setup

Remote Desktop In OpenSUSE 10.3

Introducing the Microsoft IIS deployment guide

Wireshark Tutorial INTRODUCTION

Lab 2. CS-335a. Fall 2012 Computer Science Department. Manolis Surligas

Transport Layer Protocols

FTP e TFTP. File transfer protocols PSA1

Cape Girardeau Career Center CISCO Networking Academy Bill Link, Instructor. 2.,,,, and are key services that ISPs can provide to all customers.

Note! The problem set consists of two parts: Part I: The problem specifications pages Part II: The answer pages

TCP/IP and the Internet

The OSI & Internet layering models

SME- Mail to SMS & MMS Gateway with NowSMS Quick Start Guide

Basic Networking Concepts. 1. Introduction 2. Protocols 3. Protocol Layers 4. Network Interconnection/Internet

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Internet Control Protocols Reading: Chapter 3

Ethernet. Ethernet. Network Devices

Troubleshooting TCP/IP Networks with Wireshark

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Transcription:

Wireshark Exercises Homework Assignments Using the Wireshark Packet Analyzer June 30, 2008

Table of Contents I) Exercise One... 3 II) Exercise Two... 4 III) Exercise Three... 6 IV) Exercise Four... 7 V) Exercise Five... 8

I) Exercise One Open Wireshark, then use the File menu and the Open command to open the file Exercise One.pcap. You should see 26 packets listed. This set of packets describes a conversation between a user s client and a central server. This entire conversation happens automatically, after a user types something and hits enter. Look at the packets to answer the following questions in relation to this conversation. In answering the following questions, use brief descriptions. For example, In frame X, the client requests a web page, and in frame Y, the server delivers the content of the page. Hint: See the accompanying document titled the QuickStart Guide Look under the appendix describing Hits Versus Page Views. Hint: a favicon.ico is a small graphic that can be used as an icon to identify a web page. In the following graphic the colorful G to the left is a favicon.ico. a) What is the IP address of the client that initiates the conversation? a) Use the first two packets to identify the server that is going to be contacted. List the common name, and three IP addresses that can be used for the server. b) What is happening in frames 3, 4, and 5? c) What is happening in frames 6 and 7? d) Ignore frame eight. However, for your information, frame eight is used to manage flow control. e) What is happening in frames nine and ten? How are these two frames related? f) What happens in packet 11? g) After the initial set of packets is received, the client sends out a new request in packet 12. This occurs automatically without any action by the user. Why does this occur? See the first hint to the left. h) What is occurring in packets 13 through 22? i) Explain what happens in packets 23 through 26. See the second hint to the left. j) In one sentence describe what the user was doing (Reading email? Accessing a web page? FTP? Other?). 3

Review: The TCP/IP network does not know how to route using names, such as www.yahoo.com. It only knows how to route using IP addresses. Therefore, a common name (CNAME), such as www.yahoo.com must be translated to an IP address, like 216.109.117.106 before your computer can request a web page. Your computer uses a DNS request to lookup a CNAME and it gets back a set of IP addresses (a primary address and one or more backup addresses) that can be used to contact the server. Hint: See the accompanying document titled the QuickStart Guide Look under the appendix describing Hits Versus Page Views. II) Exercise Two Open Wireshark, then use the File menu and the Open command to open the file Exercise Two.pcap. You should see 176 packets listed. a) In the first few packets, the client machine is looking up the common name (cname) of a web site to find its IP address. What is the cname of this web site? Give two IP addresses for this web site. b) How many packets/frames does it take to receive the web page (the answer to the first http get request only)? c) Does this web site use gzip to compress its data for sending? Does it write cookies? In order to answer these questions, look under the payload for the reassembled packet that represents the web page. This will be the last packet from question b above. Look to see if it has Content-Encoding set to gzip, and to see if it has a Set-Cookie to write a cookie. d) What is happening in packets 26 and 27? Does every component of a web page have to come from the same server? See the Hint to the left. e) In packet 37 we see another DNS query, this time for us.i1.yimg.com. Why does the client need to ask for this IP address? Didn t we just get this address in packet 26? (This is a trick question; carefully compare the two common names in packet 26 and 37.) f) In packet 42 we see a HTTP Get statement, and in packet 48 a new HTTP Get statement. Why didn t the system need another DNS request before the second get statement? Click on packet 42 and look in the middle window. Expand the line titled Hypertext Transfer Protocol and read the Host: line. Compare that line to the Host: line for packet 48. g) Examine packet 139. It is one segment of a PDU that is reassembled with several other segments in packet 160. Look at packets 141, 142, and 143. Are these three packets also part of packet 160? What happens if a set of packets that are supposed to be reassembled do not arrive in a continuous stream or do not arrive in the proper order? h) Return to examine frames 141 and 142. Both of these are graphics (GIF files) from the same source IP address. How does the client know which graphic to match up to each get statement? Hint: Click on each 4

and look in the middle window for the heading line that starts with Transmission Control Protocol. What difference do you see in the heading lines for the two files? Return to the original Get statements. Can you see the same difference in the Get statements? 5

III) Exercise Three Open Wireshark, then use the File menu and the Open command to open the file Exercise Three.pcap. You should see 22 packets listed. These packets represent two different requests for web pages. Packets 1-7 involve the request for the web page www.yahoo.com. Packets 8-22 involve the request for the web page my.usf.edu. a) Compare the destination port in the TCP packet in frame 3 with the destination port in the TCP packet in frame 12. What difference do you see? What does this tell you about the difference in the two requests? The following table compares the two requests for web pages. For example, row i) shows that frames 1-2 and frames 8-9 represent the DNS lookups for each of the web requests. Row www.yahoo.com my.usf.com Brief Explanation of Activity frames frames i) 1-2 8-9 DNS Request to find IP address for common name & DNS Response ii) 3-5 10-12 Three-way handshake iii) -- 13-20 iv) 6 21 Get request for web page v) 7 22 First packet from web server with web page content. b) Explain what is happening in row iii above. Why are there no frames listed for yahoo in row iii"? c) Look at the Info column on frame 6. It says: GET / HTTP / 1.1. What is the corresponding Info field for the my.usf.com web request (frame 21)? Why doesn t it read the same as in frame 6? 6

First, you must decide on a web site to visit. Pick a web site, such as www.yahoo.com, or www.cnn.com that you haven t visited yet today. If you pick one that you recently visited, your system may not need to send out a DNS request, since the IP address may be cached (saved temporarily) on your machine. For this exercise, we would prefer to have a DNS request as part of the detail of transactions. IV) Exercise Four In this exercise, you are going to capture live traffic from your computer. Open up Wireshark and use the Capture menu to save live traffic. The Wireshark QuickStart guide distributed with these exercises contains more instructions on using Wireshark. Start capturing data, visit a live web site using your standard Internet browser, and stop capturing data. If you have a large amount of network traffic, the relevant data may be hidden among a lot of broadcast messages. To focus on just the key frames, you can set a display filter like this. For the IP number enter the IP number of your client machine. Type it as shown (ip.addr==your.ip.address) in the graphic above. Then click on Apply. Using an approach similar to the approach in Exercise One, describe the set of frames that you captured. For this description think of this as a conversation every discussion starts with a question and follows with an answer. For example, two of the frames will contain the DNS request for an IP address for the web site, and the DNS answer with the IP number. Remember that some answers may take several frames if they need to be reassembled from segmented packets. 7

V) Exercise Five In this exercise, you are going to capture live traffic from your email service. Begin by opening up your email service and preparing an email from you to yourself you can use a subject line of Homework and a body of Homework if you chose. Don t hit the send button yet. Open up Wireshark, go to the Capture menu and tell it to Start capturing data. Now return to your email service and hit the send button. After the email is sent, tell Wireshark to Stop capturing data. Look in the protocol column and see what protocol your email server uses. There are several choices. a. If you use a local client, and your email server does not support secure communications, then you might see something like SMTP. SMTP is an application running on top of TCP. Wireshark will recognize SMTP and report that the packet is in SMTP format. b. If you use a local client, and your email server does support secure communications, then you might only see TCP. Since communications are secure, Wireshark will not be able to break the encryption. It will not recognize the format of the TCP payload; therefore, it will simply report a TCP message and show the encrypted data. c. If you use a web browser to access email through a regular http:// web address, you will see commands that look like you are using web forms. For example, you might see a HTTP Post command. d. If you use a secure web page (https://), you will see TCP with an encrypted payload, similar to item 2) above. However, the process of setting up the encryption will look different since setting up a secure web page is different from setting up a secure email connection. What protocol did your system use? Even if your system does not use a secure protocol for sending and receiving email, it might use a secure protocol for the login. In this case, an eavesdropper on the internet would not be able to see your login, but they would be able to see all of the emails you send and receive. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information