EEGR410: Introduction to Networks
Project one: Using the Wireshark Packet Analyzer
Fall 2017

Objective: To learn how protocols and layering are represented in packets. These are key concepts for structuring networks and are covered in the text (chapter 2). The trace used for this project can be downloaded from the Project 1 folder ("Exercise One.pcap").

Requirements

Wireshark: This project uses the Wireshark software tool to examine a packet trace. A packet trace is a record of traffic at a location on the network, as if a snapshot were taken of all the bits that passed across a particular wire. The packet trace records a timestamp for each packet, along with the bits that make up the packet, from the lower-layer headers to the higher-layer contents.

Wireshark runs on most operating systems, including Windows, Mac and Linux. It provides a graphical UI that shows the sequence of packets and the meaning of the bits when interpreted as protocol headers and data. It color-codes packets by their type, and has various ways to filter and analyze packets to let you investigate the behavior of network protocols. Wireshark is widely used to troubleshoot networks. You can download it from www.wireshark.org for your personal computer. It is an ideal packet analyzer since it is stable, has a large user base and well-documented support that includes a user guide (http://www.wireshark.org/docs/wsug_html_chunked) and a detailed FAQ, rich functionality that includes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates on computers using Ethernet, serial (PPP and SLIP), 802.11 wireless LANs, and many other link-layer technologies (if the OS on which it is running allows Wireshark to do so). A quick help guide to Wireshark display filters is here: http://openmaniak.com/wireshark_filters.php

Wireshark is a core tool for inspecting the traffic captured in any wireless "man in the middle" or similar snooping attack (it does not intercept traffic itself; it only reads what the capture library hands it). It is simply indispensable for those who wish to examine packets being transferred over a network, for good or bad.

Wireshark & Packet Sniffing Background

The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures ("sniffs") messages being sent/received from/by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by applications and protocols executing on your machine.

Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. Messages exchanged by higher-layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed physical medium is an Ethernet, and so all upper-layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all protocols and applications executing on your computer.

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must "understand" the structure of all messages exchanged by protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within the IP datagram. It then understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will contain the string "GET", "POST", or "HEAD".

1. Exercise One

Open Wireshark, and then use the "File" menu and the "Open" command to open the file "Exercise One.pcap". You should see 26 packets listed. This Wireshark capture consists of a web page fetch; we know that the protocol layers being used are as shown below in Figure 2. That is, HTTP is the application-layer web protocol used to fetch URLs. Like many Internet applications, it runs on top of the TCP/IP transport and network layer protocols.

Figure 2: Protocol stack for a web fetch

Note that because the fetch uses plain HTTP, the request line, the headers and the page content appear in the trace as readable text. The same fetch over HTTPS would show only TLS records once the handshake completes, and the packet analyzer could not extract the HTTP message without the session keys.

This set of packets describes a "conversation" between a user's client and a central server. This entire conversation happens automatically, after a user types something and hits enter. Look at the packets to answer the following questions in relation to this conversation. In answering the following questions, use brief descriptions. For example, "In frame X, the client requests a web page, and in frame Y, the server delivers the content of the page."

a) List the different protocols that appear in the Protocol column in the unfiltered packet-listing window.

b) What is the IP address of the client/source that initiates the conversation?

c) What is the MAC address of the client/source that initiates the conversation?

d) What is the Internet address of www.google.com?

e) In one sentence, describe what the user was doing (reading email? accessing a web page? FTP? other?).

f) Type "http" (without the quotes, and in lower case; all protocol names are in lower case in Wireshark) into the display filter specification window at the top of the main Wireshark window. Then select Apply (to the right of where you entered "http"; in current Wireshark versions, press Enter or click the arrow at the right end of the filter bar). This will cause only HTTP messages to be displayed in the packet-listing window. What is happening in frame 6?

g) The HTTP GET message that was sent from your computer to the www.google.com HTTP server should be shown among the first few HTTP messages in the packet-listing window. When you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP message header information will be displayed in the packet-header window. Recall that the HTTP GET message sent to the www.google.com web server is contained within a TCP segment, which is contained (encapsulated) in an IP datagram, which is encapsulated in an Ethernet frame. If this process of encapsulation isn't quite clear yet, review the corresponding material in the textbook (chapter 2). By clicking on the expansion buttons (+ or -) at the left side of the packet details window, you can minimize or maximize the amount of Frame, Ethernet, Internet Protocol, and Transmission Control Protocol information displayed. Maximize the amount of information displayed about the HTTP protocol (that is, minimize the protocol information for all protocols except HTTP, and maximize the protocol information for HTTP in the packet-header window). Examine the protocol layer structure of the HTTP GET packet: what are the position and size in bytes of the TCP, IP and Ethernet protocol headers? (Selecting a header in the packet details window highlights its bytes in the packet bytes window, and the status bar at the bottom reports the selected header's length in bytes.)

h) How long did it take from when the HTTP GET message was sent until the HTTP OK reply was received? (By default, the value of the Time column in the packet-listing window is the amount of time, in seconds, since Wireshark tracing began. To display the Time field in time-of-day format, select the Wireshark "View" pull-down menu, then select "Time Display Format", then select "Time of Day". You can also have a look at "Statistics" -> "Flow Graph".) Hint: the answer is the difference between the timestamps of the frame carrying the HTTP GET and the frame carrying the HTTP OK reply.
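The Background section describes how the packet analyzer peels Ethernet, IP, TCP and HTTP apart in turn, and exercises a), g) and h) ask you to read the Protocol column, the header positions and sizes, and the GET-to-OK delay off Wireshark. The following Python script is an added example that does the same dissection by hand; it is not part of the course hand-out and does not reproduce "Exercise One.pcap". It constructs its own two-frame trace in memory (an HTTP GET and a 200 OK reply; the MAC addresses, IP addresses, ports and timestamps are placeholders, and the Host header merely reuses the hostname from the exercise) and writes it in classic libpcap format, so you can also point read_pcap at any Ethernet capture saved as .pcap (not pcapng) and compare its output with the Wireshark panes.

```python
"""Dissect a libpcap trace the way the packet analyzer described above does:
Ethernet II -> IPv4 -> TCP -> HTTP, recording each header's byte offset and
size (exercise g), the top-most protocol per frame, i.e. Wireshark's Protocol
column (exercise a), and the GET -> 200 OK delay (exercise h). Added example,
not from the hand-out: the two-frame trace below is CONSTRUCTED with
placeholder addresses; "Exercise One.pcap" is not reproduced."""
import socket
import struct

ETHERTYPE_IPV4, IPPROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Encapsulate an HTTP payload in TCP, then IPv4, then Ethernet II.
    Checksums stay zero: the frame is parsed, never transmitted."""
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: ver/IHL 0x45, TOS, total length, id, DF flag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload

def build_pcap(records):
    """(timestamp_seconds, frame_bytes) pairs -> classic little-endian libpcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, frame) per record for either byte order of the classic
    format. pcapng, which recent Wireshark saves by default, is rejected."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng?)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is dissected here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def dissect(frame):
    """Return (layers, fields); layers = [(name, byte offset, size)], outermost first."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    layers = [("Ethernet", 0, 14)]
    fields = {"eth.src": src.hex(":"), "eth.dst": dst.hex(":")}
    if ethertype != ETHERTYPE_IPV4:
        return layers, fields            # ARP, IPv6, ...: not dissected here
    ihl = (frame[14] & 0x0F) * 4         # IP header length is in 32-bit words
    total_len = struct.unpack_from("!H", frame, 16)[0]
    fields["ip.src"], fields["ip.dst"] = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    layers.append(("IPv4", 14, ihl))
    if frame[23] != IPPROTO_TCP:
        return layers, fields
    tcp_off = 14 + ihl
    fields["tcp.srcport"], fields["tcp.dstport"] = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    layers.append(("TCP", tcp_off, data_off))
    # IP total length, not frame length, bounds the segment: short frames are padded on the wire.
    payload = frame[tcp_off + data_off:14 + total_len]
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") or payload.startswith(b"HTTP/"):
        layers.append(("HTTP", tcp_off + data_off, len(payload)))
        fields["http.first_line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return layers, fields

def protocol_column(frames):
    """Wireshark's Protocol column: the highest layer the dissector recognised."""
    return [dissect(frame)[0][-1][0] for _ts, frame in frames]

def get_to_ok_delay(frames):
    """Seconds from the frame carrying the first HTTP GET to the frame carrying
    the next HTTP/1.x 200 OK (exercise h)."""
    t_get = None
    for ts, frame in frames:
        line = dissect(frame)[1].get("http.first_line", "")
        if t_get is None and line.startswith("GET "):
            t_get = ts
        elif t_get is not None and line.startswith("HTTP/1.") and line.split(" ")[1:2] == ["200"]:
            return ts - t_get
    raise ValueError("no GET / 200 OK pair in trace")

# Constructed stand-in for the web fetch in the exercise trace (placeholder addresses).
CLIENT_MAC, GATEWAY_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"
GET = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
SAMPLE_PCAP = build_pcap([
    (0.000100, build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, 51234, 80, GET)),
    (0.045300, build_frame(GATEWAY_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 51234, OK)),
])

if __name__ == "__main__":
    frames = list(read_pcap(SAMPLE_PCAP))
    print([dissect(f) for _, f in frames], protocol_column(frames), get_to_ok_delay(frames))
```

The layer list for the GET frame comes out as Ethernet at offset 0 (14 bytes), IPv4 at 14 (20 bytes), TCP at 34 (20 bytes) and HTTP at 54, which is exactly what the packet bytes pane shows when you click each header in Wireshark. Two details matter when you run this on a real capture: the TCP payload is bounded by the IP total length rather than the frame length (so Ethernet padding on short frames is not mistaken for data), and a real trace also carries the TCP handshake, ACK-only segments and DNS lookups, which this dissector reports as TCP or IPv4 because it only recognises HTTP on top of TCP.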
Explanation & Answer

Attached.

1. TCP, QUIC, UDP, TLSv1.2...