ECE Wireshark Practice Basic Http and Dns Discussion


qoernx199

Computer Science


Description

1) The document should contain all answers and screenshots corresponding to all questions, in a .pdf file.

2) Add the captured Wireshark files (.pcapng) for each part.


Best regards


LAB 4

Contents
I. Objective
II. Getting started
III. The basic HTTP GET/response interaction
  1. Retrieve HTML file
  2. Retrieving Long Documents
IV. DNS

I. Objective

1. Wireshark packet capture
2. HTTP get/response
3. DNS

• The report: only PDF format is accepted

II. Getting started

Figure 1 Structure of Packet Sniffer

Figure 1 shows the structure of a packet sniffer. At its right you have the protocols (in this case, Internet protocols) and applications (such as a web browser or email client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle, is an addition to the usual software in your computer and consists of two parts: 1) the packet capture library and 2) the packet analyzer. The first receives a copy of every link-layer frame that is sent from or received by your computer over a given interface (link layer, such as Ethernet or WiFi). Recall that messages exchanged by higher-layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable or a WiFi interface. Capturing all link-layer frames thus gives you all messages sent/received across the monitored link from/by all protocols and applications executing in your computer. The packet analyzer displays the contents of all fields within a protocol message. It must “understand” the structure of all messages exchanged by protocols.

III. The basic HTTP GET/response interaction

1. Retrieve HTML file

We begin our exploration of HTTP by downloading a very simple HTML file.

1. Start up your web browser (Mozilla, Chrome, etc.).
2. Start up Wireshark and enter “http” (without the quotation marks) in the display-filter-specification window.
3. Wait a bit more than one minute (we’ll see why shortly), and then begin Wireshark packet capture.
4. Enter the following URL into your browser: http://networktests.000webhostapp.com/HTTP-wireshark-file1.html
   Your browser should display the very simple, one-line HTML file.
5. Stop Wireshark packet capture.

Your Wireshark window should look similar to the window shown in Figure 2.

Figure 2 Wireshark packet capture

Q1) Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
Q2) What languages (if any) does your browser indicate to the server that it can accept?
Q3) What is the IP address of your computer? Of the 000webhostapp.com server?
Q4) What is the status code returned from the server to your browser?
Q5) When (hour and date) was the HTML file that you are retrieving received?
Q6) How many bytes of content are being returned to your browser?
Q7) By inspecting the raw data in the packet content window, do you see any headers within the data that are not displayed in the packet-listing window? If so, name one.

2. Retrieving Long Documents

Most web browsers perform object caching and thus perform a conditional GET when retrieving an HTTP object. Before performing the steps below, make sure your browser’s cache is empty. (To do this under Firefox, select Tools->Clear Recent History and check the Cache box, or for Internet Explorer, select Tools->Internet Options->Delete Files; these actions will remove cached files from your browser’s cache.) Do the same if your browser is Chrome or IE, then follow the steps below:

1. Start up your web browser, and make sure your browser’s cache is cleared, as discussed above.
2. Start up the Wireshark packet sniffer.
3. Enter the following URL into your browser: http://networktests.000webhostapp.com/US_Bill_Rights.html
4. Your browser should display the rather lengthy US Bill of Rights.
5. Stop Wireshark packet capture, and enter “http” in the display-filter-specification window, so that only captured HTTP messages will be displayed. Do the same for “tcp”.

In the packet-listing window, you should see your HTTP GET message, followed by a multiple-packet TCP response to your HTTP GET request. Answer the following questions:

Q8) How many HTTP GET request messages did your browser send? Which packet number in the trace contains the GET message for the US Bill of Rights?
Q9) Which packet number in the trace contains the status code and phrase associated with the response to the HTTP GET request?
Q10) What is the status code and phrase in the response?
Q11) How many data-containing TCP segments were needed to carry the single HTTP response and the text of the Bill of Rights?

IV. DNS

The Domain Name System (DNS) translates hostnames to IP addresses. In this part, you will take a closer look at the client side of DNS. Recall that the client’s role in the DNS is to send a query to its local DNS server and receive a response back.

1. nslookup

The nslookup command-line tool is available on most Linux/Unix and Windows systems. To run nslookup in Linux/Unix, you just type the nslookup command on the command line. The same goes for Windows: open the Command Prompt (cmd) and run nslookup.

Figure 3 Screenshot of the result of nslookup

This command is saying “please send me the IP address for the host www.ece.fr”. As shown in the screenshot, the response from this command provides two pieces of information: (1) the name and IP address of the DNS server that provides the answer; and (2) the answer itself, which is the host name and IP address of www.ece.fr.

Q12) Explain briefly the second command line nslookup -type=NS ece.
Q13) Run nslookup to obtain the IP address of the Google web server for .fr, .de and .com. Comment on the obtained results.

2. Tracing DNS

In this part, you capture the DNS packets that are generated by ordinary Web-surfing activity. Please follow these steps:

1) If you are on Windows, use ipconfig to empty the DNS cache in your host.
2) Open your browser and empty your browser cache.
3) Open Wireshark and enter “ip.addr == your_IP_address” into the filter, where you obtain your_IP_address with ipconfig (or ifconfig on Linux). This filter removes all packets that neither originate from nor are destined to your host.
4) Start packet capture in Wireshark.
5) With your browser, visit the Web page: http://www.ece.fr
6) Stop packet capture.

Q14) Use “ipconfig /all” (Windows) to get more information about your network. If you are on Linux you can use the command line “nmcli dev list”.
Q15) Locate the DNS query and response messages for www.ece.fr. To filter the query and response, add to your filter the expression (dns.qry.name contains www.ece.fr). Are these messages sent over UDP or TCP?
Q16) What is the destination port for the DNS query message? What is the source port of the DNS response message?
Q17) To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same? Use the result of ipconfig /all to answer.
Q18) Examine the DNS query message. What “Type” of DNS query is it? Does the query message contain any “answers”?
Q19) Examine the DNS response message. How many “answers” are provided? What do each of these answers contain?
Q20) Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the SYN packet correspond to any of the IP addresses provided in the DNS response message? Propose a filter expression to capture only SYN packets.
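As an added example that is not part of the lab handout, the following Python script builds a constructed DNS response of the kind the www.ece.fr lookup in Q15-Q19 produces and parses the header flags, question type and answer records that those questions ask about, resolving the RFC 1035 name-compression pointers that Wireshark resolves for you. The message bytes, the 192.0.2.x addresses and the names SAMPLE_RESPONSE, read_name and parse_dns are all made up for this illustration.

```python
import socket
import struct

# Constructed sample response (not a real capture): www.ece.fr, type A, two answers.
# The 192.0.2.x addresses are documentation placeholders, not ECE's real addresses.
SAMPLE_RESPONSE = bytes.fromhex(
    "1a2b"                               # transaction ID, copied from the query
    "8180"                               # flags: QR=1 (response), RD=1, RA=1, RCODE=0
    "0001" "0002" "0000" "0000"          # QDCOUNT=1, ANCOUNT=2, NSCOUNT=0, ARCOUNT=0
    "03777777" "03656365" "026672" "00"  # question name: www.ece.fr (label-encoded)
    "0001" "0001"                        # QTYPE=A (1), QCLASS=IN (1)
    "c00c" "0001" "0001" "0000012c" "0004" "c0000201"  # answer 1: ptr->offset 12, A, TTL 300
    "c00c" "0001" "0001" "0000012c" "0004" "c0000202"  # answer 2: same name, second address
)
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}

def read_name(msg, offset):
    """Decode a domain name at offset, following compression pointers; return (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer: 11xxxxxx xxxxxxxx
            if not jumped:
                end = offset + 2                  # only the first pointer advances the cursor
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:                           # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_dns(msg):
    """Return the header fields, questions and answers of a DNS message (query or response)."""
    tid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, TYPE_NAMES.get(qtype, qtype)))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 else rdata.hex()  # A records decode to dotted quad
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
    return {"id": tid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}
```

A query message parses the same way: its QR bit is 0 and its ANCOUNT is 0, which is what Q18 asks you to observe in the capture.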