UCCN1003 Data Communications and Networks
Lab 08: Wireshark Analysis of Protocols – Trace Files
Instructions:
1. Read the "Introduction" section for the background.
2. Perform all the lab exercises, starting with Exercise 1.
3. Follow all the steps.
4. Record the results of all actions shown in bold italics.
5. Paste your screen captures into a Word document and save it.
6. Answer all the questions in italics and in the blanks, based on your observation of the results.
7. Write your answers in the same Word document.
8. Follow the sequence of the exercises, and don't skip any step.
9. Try your best to understand the steps of this lab.
Introduction to Wireshark
In this lab, you will learn how to use Wireshark to examine packets that were captured by a NIC and
then saved to a file, known as a trace file.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Originally named
Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
A network packet analyzer captures network packets and displays the packet data in as much detail
as possible. You could think of a network packet analyzer as a measuring device used to examine
what's going on inside a network cable, just as a voltmeter is used by an electrician to examine
what's going on inside an electric cable.
Here are some examples of what people use Wireshark for:
• network administrators use it to troubleshoot network problems
• network security engineers use it to examine security problems
• developers use it to debug protocol implementations
• people use it to learn network protocol internals
Exercise 1: Getting familiar with the "Panes" of Wireshark
Wireshark's (v1.2.10) main window consists of parts that are commonly known from many other
GUI programs.
• The menu is used to start actions.
• The main toolbar provides quick access to frequently used items from the menu.
• The filter toolbar provides a way to directly manipulate the currently used display filter.
• The packet list pane displays a summary of each packet captured. By clicking on packets
in this pane you control what is displayed in the other two panes.
• The packet details pane displays the packet selected in the packet list pane in more detail.
• The packet bytes pane displays the data from the packet selected in the packet list pane,
and highlights the field selected in the packet details pane.
• The status bar shows some detailed information about the current program state and the
captured data.
[Figure: Wireshark main window with the Menu, Main Toolbar, Filter Toolbar, Packet List Pane, Packet Detail Pane, Packet Bytes Pane and Status Bar labelled]
1. Go to "Menu" => "File" => "Open" and open Lab_08_Ex1.pcap.
2. Refer to the "Status Bar" and answer the following questions:
a. What is the total number of packets (or frames) in this file?
_________________________________________________ (318)
b. What is the number of packets being displayed?
_________________________________________________ (318)
3. In the "Packet List Pane", click on frame "No. 5". A grey bar will highlight the selected
frame, as shown in the following figure. Answer the following questions:
a. What is the highest layer protocol in this frame?
_________________________________________________ (ICMP)
b. What is the destination IP address in this frame?
_________________________________________________ (192.168.1.3)
4. Refer to the "Packet Detail Pane" of the same frame No. 5, and answer the following
questions:
a. What is the size (in bytes) of this frame?
_________________________________________________ (70 bytes)
b. What is the source MAC address of 192.168.1.1?
_________________________________________________ (00:1e:40:9a:b5:13)
5. Click on the "+" sign next to "Internet Control Message Protocol", and more information
is shown. Answer the following questions:
a. What are the values of the Type and Code of the ICMP?
_________________________________________________ (Type = 3, Code = 0)
b. Based on this ICMP message (and the frame), which IP address (192.168.1.1 or
192.168.1.3) is more likely to be the router?
_________________________________________________ (192.168.1.1)
c. Refer to the ICMP message again: what is the socket (IP:port) that is unreachable?
_________________________________________________ (192.33.4.12:53)
d. What is the IP address of the PC on which Wireshark is installed?
_________________________________________________ (192.168.1.3)
6. Refer to the "Packet Bytes Pane" of the same frame No. 5, and answer the following
questions:
a. Double click on the value "c0 a8" (last two bytes of the second line), and refer to the
"Packet Detail Pane". Which field do these bytes belong to?
_________________________________________________ (destination of IP)
b. Double click on the value "89 c8" (5th and 6th bytes of the third line), and refer to the
"Packet Detail Pane". Which field do these bytes belong to?
_________________________________________________ (checksum of ICMP)
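As an added worked example (not part of the original lab handout), the following Python script builds a 70-byte Ethernet/IPv4/ICMP frame of the same shape as frame No. 5 and decodes it the way the three panes do: it names the highest-layer protocol, validates the IP and ICMP checksums, pulls the unreachable socket out of the datagram quoted inside the ICMP error, and maps a byte offset from the Packet Bytes Pane back to its dissector field. The router MAC 00:1e:40:9a:b5:13 and all IP addresses come from the lab's answers; the PC's MAC, the IP identification values, the ephemeral source port and the length of the quoted DNS query are assumptions.

```python
import struct
from ipaddress import IPv4Address

# Constructed frame mirroring frame No. 5 of Lab_08_Ex1.pcap: the router 192.168.1.1 tells the PC
# 192.168.1.3 that its DNS query to 192.33.4.12:53 could not be delivered.
PC_MAC = bytes.fromhex("000c29aabbcc")          # assumption: the PC's MAC is not given in the lab
ROUTER_MAC = bytes.fromhex("001e409ab513")      # from the lab answer (00:1e:40:9a:b5:13)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over data that already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_frame() -> bytes:
    """14 (Ethernet) + 20 (IP) + 8 (ICMP) + 20 + 8 (quoted IP header and UDP header) = 70 bytes."""
    # The datagram that failed: a DNS query from the PC (ephemeral port 1025 and length 41 are assumptions).
    quoted = ipv4_header("192.168.1.3", "192.33.4.12", 17, 41, ident=0x0042) + struct.pack("!HHHH", 1025, 53, 41, 0)
    # ICMP type 3 / code 0 (destination network unreachable) quotes the IP header plus 8 payload bytes.
    icmp = struct.pack("!BBHI", 3, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    eth = struct.pack("!6s6sH", PC_MAC, ROUTER_MAC, 0x0800)
    return eth + ipv4_header("192.168.1.1", "192.168.1.3", 1, len(icmp)) + icmp

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/ICMP as the Packet Detail Pane does, validating both checksums."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    info = {"frame_len": len(frame), "eth_src": ":".join(f"{b:02x}" for b in eth_src),
            "ip_src": str(IPv4Address(ip[12:16])), "ip_dst": str(IPv4Address(ip[16:20])),
            "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0, "highest_protocol": PROTO_NAMES.get(proto, str(proto))}
    if proto != 1:
        return info
    icmp = ip[ihl:total_len]
    info["icmp_type"], info["icmp_code"] = icmp[0], icmp[1]
    info["icmp_checksum_ok"] = inet_checksum(icmp) == 0     # checksum covers the whole ICMP message
    if info["icmp_type"] == 3:        # destination unreachable: the failed datagram is quoted after 8 bytes
        quoted = icmp[8:]
        q_ihl = (quoted[0] & 0x0F) * 4
        q_dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
        info["original_sender"] = str(IPv4Address(quoted[12:16]))
        info["unreachable_socket"] = f"{IPv4Address(quoted[16:20])}:{q_dport}"
    return info

def field_at(frame: bytes, offset: int) -> str:
    """Name the dissector field covering a byte offset, as clicking in the Packet Bytes Pane highlights it."""
    ip0 = 14
    icmp0 = ip0 + (frame[ip0] & 0x0F) * 4
    layout = [("eth.dst", 0, 6), ("eth.src", 6, 6), ("eth.type", 12, 2),
              ("ip.version/hdr_len", ip0, 1), ("ip.dsfield", ip0 + 1, 1), ("ip.len", ip0 + 2, 2),
              ("ip.id", ip0 + 4, 2), ("ip.flags/frag_offset", ip0 + 6, 2), ("ip.ttl", ip0 + 8, 1),
              ("ip.proto", ip0 + 9, 1), ("ip.checksum", ip0 + 10, 2), ("ip.src", ip0 + 12, 4),
              ("ip.dst", ip0 + 16, 4), ("icmp.type", icmp0, 1), ("icmp.code", icmp0 + 1, 1),
              ("icmp.checksum", icmp0 + 2, 2), ("icmp.unused", icmp0 + 4, 4),
              ("icmp.quoted_datagram", icmp0 + 8, len(frame) - icmp0 - 8)]
    for name, start, length in layout:
        if start <= offset < start + length:
            return name
    raise IndexError(offset)

FRAME = build_frame()

if __name__ == "__main__":
    for key, value in parse_frame(FRAME).items():
        print(f"{key:20} {value}")
    print("offset 30 ->", field_at(FRAME, 30), "| offset 36 ->", field_at(FRAME, 36))
```

Note how the router is identified: the ICMP error is generated by the hop that could not forward the datagram, so the source IP of the error frame (192.168.1.1) is the router, while the destination of the quoted datagram (192.33.4.12:53) is the socket that was unreachable. Offsets 30 and 36 resolve to ip.dst and icmp.checksum, matching the "c0 a8" and "89 c8" clicks in step 6, and flipping any byte of the ICMP message makes the checksum check fail, which is what Wireshark's "[incorrect]" annotation on a checksum field means.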
Exercise 2: Display Filter
A very common problem when you launch Wireshark with the default settings is that you get far too
much information on the screen and cannot find what you are looking for.
Too much information kills the information. Instead of showing all the captured traffic, you can
use the filter toolbar to display the data selectively.
That is why filters are important: they help you target exactly the packets/frames you are
looking for.
Wireshark has two kinds of filter:
• Capture filters: select which packets are recorded in the first place. They are defined before
starting the capture and use the BPF syntax of tcpdump/libpcap (for example "port 53").
• Display filters: search inside the packets already captured. They can be changed at any time,
even while data is still being captured, and use Wireshark's own field-based syntax (for example
"udp.port == 53").
So when should you use a capture filter and when a display filter?
The goals of the two filters are different.
• The capture filter is a first, coarse filter used to limit the size of the captured data so that
the trace file does not grow too big. Whatever it drops is never recorded and cannot be recovered later.
• The display filter is much more powerful (and more complex); it lets you search for exactly
the data you want without losing anything from the trace. In this exercise, we focus only on the display filter.
A display filter must follow a fixed syntax. If the syntax is correct, the filter toolbar is highlighted in
green; if there is a syntax mistake, it is highlighted in red.
1. In the "Filter Toolbar", type "http" as shown in the following figure and click "Apply" at
the far right of the "Filter Toolbar".
a. What is the number of packets being displayed? (Please refer to the status bar.)
_________________________________________________ (23)
2. In the "Filter Toolbar", click "Clear". Type "icmp" this time and then click "Apply".
After answering the question, click "Clear" again.
a. What is the number of packets being displayed now? (Please refer to the status
bar.)
_________________________________________________ (46)
3. The table above shows the logical operators accepted in the "Filter Toolbar" (and/&&, or/||,
not/!). Let's take an example with the following display filter: "dns || arp". This displays every
packet whose protocol is DNS or ARP. Please remember to click "Apply".
4. For more specific and complex filter conditions, we can use the "Expression..." button of the
"Filter Toolbar". For example, if we want to find the IP address of the web server in the
trace file, we can form the following filter expression: tcp.srcport == 80. Click on
"Expression...". Scroll down until you see TCP. Click on "+" next to TCP to expand all its
fields. Click on "tcp.srcport". Click on "==", and then key in "80" as the value. Click "OK".
a. What is the IP address of the web server?
_________________________________________________ (128.42.182.20)
b. Using the same approach, what is the IP address of the DNS
server? (Hint: use UDP source port equal to 53.)
_________________________________________________ (202.188.0.133)
5. The following feature is also useful for filtering on the vendor identifier part (OUI) of the
MAC address. You can thus restrict the display to only packets from a specific device
manufacturer (e.g. for Unisphere machines only): eth.src[0:3] == 00:90:1a. The slice [0:3]
means 3 bytes starting at offset 0 (in bytes), i.e. the first 3 bytes of the source MAC address.
6. Display the packets whose destination IP address is not equal to 60.53.75.52 and whose source IP
address is not equal to 128.42.182.20 (ip.dst != 60.53.75.52 && ip.src != 128.42.182.20). After
viewing, click "Clear".
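To make the filter semantics concrete, here is an added example (my own code, not Wireshark's and not part of the lab) that compiles the subset of display-filter syntax used in this exercise (||, &&, !, parentheses, comparisons, the [offset:length] byte slice and bare protocol names) into a predicate and runs it over a handful of constructed packet summaries. The IP addresses are the ones the lab's answers mention and the OUI is the lab's; the MAC addresses, ports, frame numbers and field values are made up, and the real Lab_08_Ex1.pcap has 318 frames, not six.

```python
import operator
import re

# Constructed packet summaries standing in for Lab_08_Ex1.pcap (the real trace has 318 frames).
# The IP addresses and the 00:90:1a OUI come from the lab text; MACs, ports and frame numbers are made up.
PACKETS = [
    {"frame.number": 1, "eth.src": "00:0c:29:aa:bb:cc", "ip.src": "192.168.1.3", "ip.dst": "202.188.0.133",
     "udp.srcport": 1025, "udp.dstport": 53, "dns.qry.name": "www.example.com"},
    {"frame.number": 2, "eth.src": "00:1e:40:9a:b5:13", "ip.src": "202.188.0.133", "ip.dst": "192.168.1.3",
     "udp.srcport": 53, "udp.dstport": 1025, "dns.qry.name": "www.example.com"},
    {"frame.number": 3, "eth.src": "00:0c:29:aa:bb:cc", "ip.src": "60.53.75.52", "ip.dst": "128.42.182.20",
     "tcp.srcport": 3427, "tcp.dstport": 80, "http.request.method": "GET"},
    {"frame.number": 4, "eth.src": "00:1e:40:9a:b5:13", "ip.src": "128.42.182.20", "ip.dst": "60.53.75.52",
     "tcp.srcport": 80, "tcp.dstport": 3427, "http.response.code": 200},
    {"frame.number": 5, "eth.src": "00:1e:40:9a:b5:13", "ip.src": "192.168.1.1", "ip.dst": "192.168.1.3",
     "icmp.type": 3, "icmp.code": 0},
    {"frame.number": 6, "eth.src": "00:90:1a:12:34:56", "arp.opcode": 1},
]

# Multi-character operators must come before the single-character ones; words may hold '.', ':' (MACs, slices).
TOKEN_RE = re.compile(r"\|\||&&|==|!=|>=|<=|[()\[\]!<>]|[A-Za-z0-9_.:]+|\s+")
COMPARE = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
           ">=": operator.ge, "<=": operator.le}

def literal(value):
    # ints stay ints, "aa:bb:cc" becomes bytes (so slices compare byte-wise), anything else stays a string
    if isinstance(value, int) or value.isdigit():
        return int(value)
    if re.fullmatch(r"(?:[0-9a-f]{2}:)+[0-9a-f]{2}", value, re.I):
        return bytes.fromhex(value.replace(":", ""))
    return value

class DisplayFilter:
    # Recursive-descent compiler: or-expr > and-expr > primary ( "!" primary | "(" expr ")" | field [slice] [op literal] ).
    def __init__(self, text):
        self.toks = [m.group(0) for m in TOKEN_RE.finditer(text) if not m.group(0).isspace()]
        if "".join(self.toks) != re.sub(r"\s+", "", text):   # a character no token matched, e.g. a lone "="
            raise SyntaxError(f"unrecognised character in {text!r}")
        self.i = 0
        self.matches = self._or()
        if self.i != len(self.toks):
            raise SyntaxError(f"trailing tokens in {text!r}")

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self, want=None):
        tok = self._peek()
        if tok is None or (want is not None and tok != want):
            raise SyntaxError(f"expected {want or 'more input'!r}, got {tok!r}")
        self.i += 1
        return tok

    def _or(self):
        left = self._and()
        while self._peek() in ("||", "or"):
            self._next()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self._and())
        return left

    def _and(self):
        left = self._primary()
        while self._peek() in ("&&", "and"):
            self._next()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self._primary())
        return left

    def _primary(self):
        tok = self._next()
        if tok in ("!", "not"):
            inner = self._primary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self._or()
            self._next(")")
            return inner
        if not re.fullmatch(r"[a-z][a-z0-9_]*(\.[a-z0-9_]+)*", tok):
            raise SyntaxError(f"bad field name {tok!r}")
        field, sl = tok, None
        if self._peek() == "[":                       # eth.src[0:3]: 3 bytes starting at byte offset 0
            self._next()
            sl = tuple(int(n) for n in self._next().split(":"))
            self._next("]")
        if self._peek() not in COMPARE:               # bare name: is any field of that protocol present?
            return lambda p: any(k == field or k.startswith(field + ".") for k in p)
        cmp, lit = COMPARE[self._next()], literal(self._next())

        def matches(p):
            if field not in p:                        # Wireshark: a comparison on an absent field is false,
                return False                          # so "ip.dst != x" and "!(ip.dst == x)" differ on ARP
            val = literal(p[field])
            return cmp(val[sl[0]:sl[0] + sl[1]] if sl else val, lit)
        return matches

def apply_filter(text, packets=PACKETS):
    # Frame numbers the filter would leave in the Packet List Pane.
    flt = DisplayFilter(text)
    return [p["frame.number"] for p in packets if flt.matches(p)]

def is_valid(text):
    # Green or red filter bar: does the expression compile?
    try:
        return bool(DisplayFilter(text))
    except (SyntaxError, ValueError):
        return False
```

The last two filters in the test below are the point worth remembering: on a frame with no IP layer (the ARP frame), "ip.dst != 60.53.75.52" is false because there is no ip.dst to compare, whereas "!(ip.dst == 60.53.75.52)" is true. Real Wireshark behaves the same way, so when you want "everything except" you usually want the negated form.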
Exercise 3: Basic Statistics of the Trace File
Wireshark provides many different statistics, which you can consult from the "Statistics" menu
at the top of the screen.
1. In the "Menu", click on "Statistics" and then "Summary". After answering the question,
close the "Summary" dialog box.
a. What is the "average bytes per second"?
_________________________________________________ (987.404)
2. In the "Filter Toolbar", enter "http", and then click "Apply". After that, click on
"Statistics" and then "Summary". After answering the questions, close the "Summary"
dialog box and clear the filter.
a. What is the "average bytes per second" of the displayed packets?
_________________________________________________ (195.165)
b. What is the âaverage packets per secondâ of the displayed packets?
_________________________________________________ (0.272)
3. Click on "Statistics" and then "Protocol Hierarchy". The protocol hierarchy shows a
breakdown of the displayed data by protocol layer. After answering the questions, close the
dialog box.
a. How many packets contain "Point-to-Point Protocol"?
_________________________________________________ (259)
b. What percentage of the packets belongs to TCP (Transmission Control Protocol)
traffic?
_________________________________________________ (66.98%)
c. How many bytes belong to CompuServe GIF?
_________________________________________________ (2584)
4. Click on "Statistics" and then "Conversations". For traffic from the TCP/IP suite, you
should find four active tabs: Ethernet, IPv4, TCP and UDP conversations.
A "conversation" is the traffic between two hosts, in both directions. The number shown in each tab after the
protocol name is the number of conversations. After answering the questions, close the
dialog box.
a. Click on the "Ethernet" tab. How many MAC addresses are there in the trace file?
_________________________________________________ (2)
b. Click on the "IPv4" tab. How many bytes have been sent from 60.53.75.52 to
128.42.182.20?
_________________________________________________ (13377)
c. Click on the "TCP" tab. What is the dominant application layer protocol (or
service) for the TCP traffic? (Hint: look at Port B.)
_________________________________________________ (HTTP)
d. Click on the "UDP" tab. What is the dominant application layer protocol (or
service) for the UDP traffic? (Hint: look at Port B.)
_________________________________________________ (DNS)
5. Click on "Statistics" and then "Endpoints". The Endpoints window gives statistics about
received and transmitted data on a per-machine basis. The number after the protocol
name is the number of endpoints. After answering the questions, close the dialog box.
a. Click on the "IPv4" tab. How many bytes are received by IP = 192.5.5.241?
_________________________________________________ (280)
b. Click on the "UDP" tab. How many bytes are transmitted by IP = 202.188.0.133?
_________________________________________________ (254)
6. Click on "Statistics" and then "IO Graphs". Basic graphs can be obtained from the "IO
Graphs" window. Several graphs can be added to the same window, one per display
filter. Key in "udp", "dns" and "icmp" in the filter boxes as shown in the following
figure. You can show or hide each graph line by clicking on its "Graph x" button (it works like a
toggle).
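The numbers in the Summary, Protocol Hierarchy, Conversations and Endpoints windows are all simple aggregations over the frames that pass the current display filter. The added example below (my own code, not part of the lab and not Wireshark's) computes them for a constructed seven-frame trace so you can see exactly what each figure means; the IP addresses are the lab's, the timings, ports and frame sizes are invented, and the LAYERS table stands in for Wireshark's dissector tree.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    time: float      # seconds since the first frame of the capture
    length: int      # bytes on the wire; every statistic below counts whole frames
    src: str
    dst: str
    proto: str       # highest-layer protocol, as the Packet List Pane would show it
    sport: int = 0
    dport: int = 0

# Constructed mini-trace: the addresses are the lab's, the timings, ports and sizes are invented.
FRAMES = [
    Frame(0.000, 74, "192.168.1.3", "202.188.0.133", "DNS", 1025, 53),
    Frame(0.125, 130, "202.188.0.133", "192.168.1.3", "DNS", 53, 1025),
    Frame(0.250, 62, "60.53.75.52", "128.42.182.20", "TCP", 3427, 80),
    Frame(0.375, 62, "128.42.182.20", "60.53.75.52", "TCP", 80, 3427),
    Frame(0.500, 500, "60.53.75.52", "128.42.182.20", "HTTP", 3427, 80),
    Frame(1.000, 1494, "128.42.182.20", "60.53.75.52", "HTTP", 80, 3427),
    Frame(2.000, 70, "192.168.1.1", "192.168.1.3", "ICMP"),
]

# Which layers each highest-layer protocol sits on; this is what "Protocol Hierarchy" walks.
LAYERS = {"DNS": ("eth", "ip", "udp", "dns"), "TCP": ("eth", "ip", "tcp"),
          "HTTP": ("eth", "ip", "tcp", "http"), "ICMP": ("eth", "ip", "icmp")}
SERVICES = {53: "DNS", 80: "HTTP"}

def select(frames, proto):
    # Equivalent of typing a bare protocol name ("http") into the Filter Toolbar.
    return [f for f in frames if proto in LAYERS[f.proto]]

def summary(frames):
    # "Statistics -> Summary": averages are taken over the time between the first and last displayed frame.
    total = sum(f.length for f in frames)
    duration = frames[-1].time - frames[0].time if frames else 0.0
    rate = (lambda n: n / duration) if duration > 0 else (lambda n: 0.0)
    return {"packets": len(frames), "bytes": total, "duration": duration,
            "avg_packets_per_sec": rate(len(frames)), "avg_bytes_per_sec": rate(total)}

def protocol_hierarchy(frames):
    # Per layer: how many frames carry it (a frame counts once at every layer it contains) and the share.
    packets, nbytes = Counter(), Counter()
    for f in frames:
        for layer in LAYERS[f.proto]:
            packets[layer] += 1
            nbytes[layer] += f.length
    return {layer: {"packets": n, "percent": round(100 * n / len(frames), 2), "bytes": nbytes[layer]}
            for layer, n in packets.items()}

def conversations(frames):
    # "Conversations" pairs hosts regardless of direction; Address A is the source of the first frame seen.
    convs = {}
    for f in frames:
        key = (f.dst, f.src) if (f.dst, f.src) in convs else (f.src, f.dst)
        c = convs.setdefault(key, Counter())
        way = "a_to_b" if key == (f.src, f.dst) else "b_to_a"
        c["packets_" + way] += 1
        c["bytes_" + way] += f.length
    return convs

def endpoints(frames):
    # "Endpoints": per address, what it transmitted and what it received.
    ep = defaultdict(Counter)
    for f in frames:
        ep[f.src].update(tx_packets=1, tx_bytes=f.length)
        ep[f.dst].update(rx_packets=1, rx_bytes=f.length)
    return ep

def dominant_service(frames, transport):
    # The "Port B" hint: the server side is the lower-numbered port of each transport conversation.
    ports = Counter(min(f.sport, f.dport) for f in select(frames, transport))
    port = ports.most_common(1)[0][0]
    return SERVICES.get(port, str(port))

if __name__ == "__main__":
    print("summary (all):  ", summary(FRAMES))
    print("summary (http): ", summary(select(FRAMES, "http")))
    for layer, row in protocol_hierarchy(FRAMES).items():
        print(f"{layer:5} {row}")
    print(conversations(FRAMES))
    print(dict(endpoints(FRAMES)))
```

Note that the Summary averages divide by the time between the first and last displayed frame, so applying a display filter changes the denominator as well as the numerator; that is why the "http" summary in step 2 reports different rates from the whole trace, not just smaller totals.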
Exercise 4: Expert Info
Wireshark provides "Expert Info", in which certain errors and anomalies in the captured traffic are
highlighted. It is rather useful for troubleshooting the network.
1. In the "Menu", click on "Analyze" and then "Expert Info Composite". After answering
the questions, close the dialog box.
a. What are the warnings? (Hint: "Warnings" tab, Summary column.)
_________________________________________________ (Previous segment lost)
b. How many types of Chat are there, and what is the packet count? (Hint: just look at the
"Chats" tab.)
_________________________________________________ (19, 62)
Exercise 5: Basic HTTP GET/Response Interaction
With the introductory exercises done, we're now ready to use Wireshark to investigate
protocols in operation. In this exercise, we'll explore several aspects of HTTP.
1. Let's begin our exploration of HTTP by opening "Lab08_Ex5.pcap".
2. Type "http" in the "Filter Toolbar" window and click "Apply". The Packet List Pane
should show the HTTP messages that were captured: the GET message and the response
message from the server to your browser. The Packet Detail Pane shows details of the
selected message (in this case the HTTP GET message, which is highlighted in the
Packet List Pane).
3. Highlight the line with HTTP GET /ethereal-labs/HTTP-ethereal-file1.html
4. Click on the "+" next to "Hypertext Transfer Protocol". By looking at the information in
the HTTP header, answer the following questions:
a. Is your browser running HTTP version 1.0 or 1.1?
_________________________________________________ (HTTP 1.1)
b. What languages (if any) does your browser indicate that it can accept from the
web server?
_________________________________________________ (en-US, en)
c. What is the name of the "Host"?
_________________________________________________ (gaia.cs.umass.edu)
5. Highlight the line with HTTP HTTP/1.1 200 OK
6. Click on the "+" next to "Hypertext Transfer Protocol". By looking at the information in
the HTTP header, answer the following questions:
a. What is the status code returned from the server to your browser?
_________________________________________________ (200 OK)
b. What is the "Server" type of the web page?
_________________________________________________ (Apache/2.0.52
(CentOS))
c. How many bytes of content are being returned to your browser?
_________________________________________________ (126 bytes)
d. What is contained in the "Line-based text data: text/html"?
_________________________________________________ (Congratulations.
You've downloaded the file n….)
Exercise 6: Retrieving a Longer HTTP Document
In this exercise, we'll see what happens when we download a longer HTML file.
1. Open "Lab08_Ex6.pcap" with Wireshark.
2. Type "http || tcp" in the "Filter Toolbar" window and click "Apply".
3. Highlight the line with HTTP HTTP/1.1 200 OK (Frame 12). Answer the following
questions:
a. What is the content length of the text file? (The text can be displayed by clicking
the "+" next to "Line-based text data: text/html".)
_________________________________________________ (4500)
b. How many segments have been reassembled?
_________________________________________________ (5)
c. What is the size (total bytes) of the reassembled segments?
_________________________________________________ (4810 bytes)
d. What is the size of the HTTP header?
_________________________________________________ (4810 - 4500 = 310
bytes)
e. What is the maximum size of the TCP segment?
_________________________________________________ (1440 bytes.)
4. Right click on any TCP frame, and then choose "Follow TCP Stream".
5. The following dialog box should appear.
6. Highlight the content beginning with <html> up to </html>. After highlighting it, right
click on the content to "Copy" it. (Hint: the blue portion, without the HTTP header.)
7. Open Notepad and paste the copied content into it.
8. Save the file as "try.html".
9. Use a web browser to open "try.html", and you should see the "Bill of Rights" rendered in the
browser.
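The following added example (my own code, not part of the lab and not Wireshark's) shows what happens behind the "reassembled TCP segments" line of this exercise and the "Previous segment lost" warning of Exercise 4: it cuts a constructed HTTP/1.1 200 response into 1440-byte segments, puts them back together from an out-of-order arrival that includes a retransmission, detects the hole when one segment is missing, and then parses the status line, Server and Content-Length headers the way Exercise 5 reads them. The 4500-byte body size and the Server string copy the lab's answers; the initial sequence number, the Date and remaining headers and the filler text are assumptions, and this constructed stream splits into 4 segments rather than the 5 seen in Lab08_Ex6.pcap.

```python
ISN, MSS = 1000, 1440          # assumed initial sequence number; 1440 is the maximum segment size the lab observes

def http_response(body):
    # Constructed HTTP/1.1 200 reply; the Server value copies the lab's answer, the other headers are invented.
    head = ("HTTP/1.1 200 OK\r\nDate: Sat, 01 Jan 2011 00:00:00 GMT\r\nServer: Apache/2.0.52 (CentOS)\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n")
    return head.encode("ascii") + body

def segment(stream, isn=ISN, mss=MSS):
    # Cut a byte stream into (seq, payload) TCP segments of at most mss bytes, as the sender's TCP does.
    return [(isn + off, stream[off:off + mss]) for off in range(0, len(stream), mss)]

def reassemble(segments, isn=ISN):
    # Wireshark's "reassembled TCP segments": order by sequence number, drop retransmissions, trim overlaps,
    # and stop at the first hole, which is what Expert Info reports as "Previous segment lost".
    data, expected, used, gap = bytearray(), isn, 0, None
    for seq, payload in sorted(set(segments)):   # set(): identical retransmissions collapse to one
        if seq > expected:
            gap = expected                        # bytes [expected, seq) never arrived
            break
        payload = payload[expected - seq:]        # an overlapping retransmission repeats data already held
        if payload:
            data += payload
            expected += len(payload)
            used += 1
    return bytes(data), {"segments": used, "next_seq": expected, "gap_at": gap}

def parse_http_response(stream):
    # Split at the blank line, read the status line and headers, then check the body against Content-Length
    # (the same check that tells Wireshark when the response is complete).
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, status, reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    return {"version": version, "status": int(status), "reason": reason, "server": headers.get("server"),
            "header_bytes": len(head) + len(sep), "declared_length": declared,
            "body_bytes": len(body), "complete": len(body) >= declared, "body": body[:declared]}

# Constructed 4500-byte document, the size the lab reports for its Bill of Rights page.
PREFIX, SUFFIX = b"<html><body><h1>Bill of Rights</h1>\n", b"</body></html>\n"
BODY = PREFIX + (b"<p>constructed filler text</p>\n" * 200)[:4500 - len(PREFIX) - len(SUFFIX)] + SUFFIX
STREAM = http_response(BODY)
SEGMENTS = segment(STREAM)
# Arrival orders a capture might show: out of order plus one retransmission, and one segment missing.
ARRIVED = [SEGMENTS[1], SEGMENTS[0], SEGMENTS[3], SEGMENTS[2], SEGMENTS[1]]
LOSSY = [s for s in SEGMENTS if s != SEGMENTS[2]]

if __name__ == "__main__":
    data, info = reassemble(ARRIVED)
    resp = parse_http_response(data)
    print(info, resp["status"], resp["server"], resp["header_bytes"], resp["declared_length"], resp["complete"])
    data, info = reassemble(LOSSY)
    print(info, "-> Previous segment lost at seq", info["gap_at"], "; response complete:",
          parse_http_response(data)["complete"])
```

The header size the lab derives as 4810 - 4500 = 310 bytes is exactly header_bytes here: the reassembled total minus the Content-Length. Also note that a missing segment does not stop the header from parsing; it only leaves the body short, which is why Wireshark can show the status line of a response whose stream it could not fully reassemble.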