Task by using wireshark.

anffre707
Asked: Nov 27th, 2015

Question Description

Hey

Please open the attachment and only do 5.2 (Capture Traffic) and 5.3 (Packet Inspection).

Please do not do the thought questions.

lab3.pdf 

Thank you 



Unformatted Attachment Preview

[Figure 5-5: Viewing the contents of a packet.]

4. Close ALL other programs you currently have open except your word processing program (Microsoft Word, OpenOffice Writer, etc.).
5. Click Start.
6. Open a Web browser and go to www.Google.com.
7. Click Capture and Stop.
8. Scroll down until you see a line that has GET / HTTP/1.1. (You may have to try more than one until you get to the www.Google.com packet.)
9. Select that row.
10. In the bottom pane you will see a bunch of numbers to the left. (It's the contents of the packet in hexadecimal.) Just to the right you will see the contents of the packet in a column.
11. Select the text www.Google.com.
12. Take a screenshot. (See Figure 5-5.)
13. Click Capture and Options.
14. Enter "tcp port 80 and host www.microsoft.com" in the box next to Capture Filter. (See Figure 5-6.)
[Figure 5-6: Capture filter to include www.microsoft.com.]
15. Click Start.
16. Open a Web browser and go to www.Google.com. (You shouldn't pick up any packets.)
17. Go to www.Microsoft.com in your Web browser. (You should pick up several packets.)
18. Click Capture and Stop.
19. Take a screenshot. (See Figure 5-7.)
[Figure 5-7: Captured packets.]
20. Click Capture and Options.
21. Enter "tcp port 80 and host www.microsoft.com and src port 80" in the box next to Capture Filter. (See Figure 5-8.)
[Figure 5-8: Capture filter to include "src port 80."]
22. Click Start.
23. Go to www.Microsoft.com in your Web browser. (You should pick up several packets with the same source IP.)
24. Click Capture and Stop.
25. Take a screenshot. (See Figure 5-9.)
[Figure 5-9: Captured packets from one source IP.]
26. Click Capture and Options.
27. Enter "port 53" in the box next to Capture Filter. (See Figure 5-10.)
[Figure 5-10: Capture filter for port 53.]
28. Click Start.
29. Go to www.Microsoft.com in your Web browser. (You should pick up several packets colored blue by default. These are DNS requests.)
30. Click Capture and Stop.
31. Click on the first row.
32. Highlight the Microsoft entry in the Packet Contents pane.
33. Take a screenshot. (See Figure 5-11.)
[Figure 5-11: Captured DNS packets.]

In this project you learned how to 1) capture packets going to a specific port, 2) capture traffic addressed to a specific host (or IP address), 3) capture only the source/destination port, and 4) capture DNS traffic. For a list of the possible ports you can specify you can go to the following link: http://wiki.wireshark.org/PortReference. By filtering only Web traffic (port 80) there was much less information to capture. There was even less traffic if you specified a particular Web site. You can even look at only one side of the conversation by specifying a source or destination port. Wireshark's wiki (http://wiki.wireshark.org/FrontPage) has a lot of information about how to capture specific kinds of traffic and even provides some sample captures.

THOUGHT QUESTIONS

1. Why does your computer send so many packets? Why not send just one really big packet?
2. What do SYN, ACK, FIN, GET mean?
3. Can you capture all of the packets for an entire network?
4. Can Wireshark automatically resolve the IP address into host names?

5.3 PACKET INSPECTION

In the prior project you learned how to capture specific types of traffic. In this project you will look at the parts of a packet. Each packet comes with a lot of information that the end user never sees. Each packet has 1) both source and destination IP addresses, 2) both source and destination MAC addresses, 3) a TTL, and 4) both source and destination port numbers. In addition, they also have information about window size, IP version, timings, sequence numbers, etc. Understanding the contents of a packet helps you understand how TCP/IP (and the Internet) works in the real world. Each field in a packet serves a purpose. There are also different types of packets (UDP, ICMP, etc.) that perform different functions. You will also walk through a TCP connection in this project. Understanding these fundamental components is critical to becoming a good network administrator.

1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen.
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-12.)
[Figure 5-12: Configuring Wireshark to capture port 80 packets.]
4. Close ALL other programs you currently have open except your word processing program.
5. Right-click anywhere on your desktop.
6. Select New and Shortcut.
7. Enter "www.Google.com". (See Figure 5-13.)
[Figure 5-13: Captured packets for www.Google.com.]
8. Click Next.
9. Enter "Google" for the name. (See Figure 5-14.)
[Figure 5-14: Naming the shortcut.]
10. Click Finish.
11. Close all other Web browsers. (This will reduce the number of packets you capture.)
12. Go back to Wireshark and click Start.
13. Double-click the Google shortcut on your desktop.
14. Wait for the page to load.
15. Close your Web browser.
16. Go back to Wireshark and click Stop.
17. Click on the line that has Get in the Info field. (In this example it was the 4th packet. See Figure 5-15.)
[Figure 5-15: GET request showing Google's hostname.]
18. In the Packet Details pane (the middle pane) click on the line labeled "Ethernet II."
19. Click on the line labeled "Source."
20. Take a screenshot. (See Figure 5-16.)
[Figure 5-16: Source MAC address on a packet.]
21. Open a command prompt by clicking Start and Run.
22. Type CMD
23. Type ipconfig /all
24. Take a screenshot. (Notice that the MAC and IP addresses are the same as those shown in the Wireshark capture. In this case the MAC address was 00-13-D3-52-74-35. See Figure 5-17.)
[Figure 5-17: DOS prompt showing MAC addresses.]
25. In the Packet Details pane (the middle pane) click on the line labeled "Hypertext Transfer Protocol."
26. Click on the line labeled "Cookie."
27. Take a screenshot. (See Figure 5-18.)
[Figure 5-18: Cookie within a packet.]
28. In the File menu click Analyze and Follow TCP Stream.
29. Take a screenshot. (See Figure 5-19.)
[Figure 5-19: Contents of a TCP stream.]

Note: In the next part of this project you are going to identify the three parts of a TCP transaction. You will identify 1) connection establishment, 2) data transfer and acknowledgement, and 3) connection termination. You will identify these parts of the TCP process by looking in the Info column of the capture you just performed.

30. In the File menu click View and Packet Details. (This should make the middle pane disappear.)
31. In the File menu click View and Packet Bytes. (This should make the bottom pane disappear.)
32. Maximize the Wireshark window so you can clearly see the column labeled Info.
33. Click on the row that has the first [SYN] occurrence in the Info column. (In this case it was row 1 in the list. It may be farther down in your list of captured packets.)
34. Take a screenshot. (See Figure 5-20.)
[Figure 5-20: Captured SYN packet. The capture holds 26 packets on two connections to Google, client ports 26929 and 26930.]
35. Double-click on the next row that has the first [SYN, ACK] occurrence in the Info column. (In this case it was row 2. See Figure 5-21.)
[Figure 5-21: Captured SYN/ACK packet. Frame 2: Flags: 0x12 (SYN, ACK), Sequence number: 0, Acknowledgement number: 1, Window size: 5720.]
36. Expand the tree for Transmission Control Protocol.
37. Expand the tree for [SEQ/ACK analysis].
38. Highlight the row that indicates that this [SYN, ACK] packet is an acknowledgement to the prior packet.
39. Take a screenshot. (See Figure 5-22.)
[Figure 5-22: Noting the acknowledgement (ACK) to a segment. [SEQ/ACK analysis]: The RTT to ACK the segment was: 0.024056000 seconds.]
40. Double-click on the next row that has an [ACK] occurrence after the [SYN, ACK] packet in the Info column. (In this case it was row 3. See Figure 5-23.)
[Figure 5-23: Captured ACK packet. Frame 3: Flags: 0x10 (ACK), Sequence number: 1, Acknowledgement number: 1, Window size: 65536 (scaled).]
41. Expand the tree for Transmission Control Protocol.
42. Expand the tree for [SEQ/ACK analysis].
43. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior [SYN, ACK] packet you just looked at.
44. Take a screenshot. (This was the 3-way opening. See Figure 5-24.)
[Figure 5-24: Acknowledgement (ACK) to the 3-way opening. [SEQ/ACK analysis]: The RTT to ACK the segment was: 0.000052000 seconds.]
45. Double-click on the next row that has an [ACK] occurrence after the GET request in the Info column. (In this case it was row 5. See Figure 5-25.)
[Figure 5-25: Captured ACK packet. Frame 5: Flags: 0x10 (ACK), Sequence number: 1, Acknowledgement number: 649, Window size: 7040 (scaled).]
46. Expand the tree for Transmission Control Protocol.
47. Expand the tree for [SEQ/ACK analysis].
48. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior GET request. (In this case it was frame 4.)
49. Take a screenshot. (This is an acknowledgement of a data transfer. See Figure 5-26.)
[Figure 5-26: Acknowledgement (ACK) to the data transfer. [SEQ/ACK analysis]: The RTT to ACK the segment was: 0.024066000 seconds.]
50. Double-click on the row that has the first [FIN/ACK] occurrence in the Info column with your IP address as the source. (In this case it was row 21. See Figure 5-27.)
[Figure 5-27: Captured FIN/ACK packet from your computer. Frame 21, stream index 1: Flags: 0x11 (FIN, ACK), Sequence number: 612, Acknowledgement number: 147, Window size: 65390 (scaled).]
51. Expand the tree for Transmission Control Protocol.
52. Expand the tree for [SEQ/ACK analysis].
53. Highlight the row that indicates that this is a [FIN, ACK] packet.
54. Take a screenshot. (This was the first part of the connection termination. See Figure 5-28.)
[Figure 5-28: FIN/ACK segment from your computer.]
55. Double-click on the row that has the first [FIN, ACK] occurrence in the Info column with your IP address as the destination. (In this case it was row 23. See Figure 5-29.)
[Figure 5-29: Captured FIN/ACK packet from the Web server. Frame 23, stream index 1: Flags: 0x11 (FIN, ACK), Sequence number: 147, Acknowledgement number: 613, Window size: 6976 (scaled).]
56. Expand the tree for Transmission Control Protocol.
57. Expand the tree for [SEQ/ACK analysis].
58. Highlight the row that indicates that this is a [FIN, ACK] packet and an acknowledgement to the first [FIN, ACK].
59. Take a screenshot. (This was the second part of the connection termination. See Figure 5-30.)
[Figure 5-30: FIN/ACK segment from the Web server. [SEQ/ACK analysis]: This is an ACK to the segment in frame: 21. The RTT to ACK the segment was: 0.024001000 seconds.]

THOUGHT QUESTIONS

1. Did the packets you captured have a TTL listed? Why?
2. Why do packets have both IP addresses and MAC addresses on them?
3. Which packet had the html code for Google's page (Hint: 200)?
4. What do all the letters and numbers in the bottom pane represent?

5.4 CONTENTS OF A PACKET (CAPTURE AN EMAIL)

In this project you will capture a packet and look at its contents. You will use Wireshark to capture packets containing an email message. You will send an email to a generic Hotmail.com account and capture it as it's going over the network. Then you will look at the contents of the email without opening it in an email client.

Most email traffic has traditionally not been encrypted. However, many providers are starting to make encrypted email an option for their users. A packet sniffer allows you to look at the contents of many different types of packets.

1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen. (Your NIC will undoubtedly have a different name.)
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-31.)
[Figure 5-31]
Open a Web browser and go to www.Google.com. (You shouldn't pick up any packets.) Go to www.Microsoft.com in your Web browser. (You should pick up several packets.) Click Capture and Stop. Take a screenshot. (See Figure 5-7.) 15. 16. 17. 18. 19. File Capture Interface: ILocal ! v 1 RealtekRTL8139/810x Family Fast Ethernet NIC Edit View Jo Capture SKHttftitt p*7] IP address: 155.97.243.202 Analyze Statistics '-* El X »2 ei> Tetephony_ Tools Help C ife ^F HL Buffer size: ; 1 Time £! megabyte(s) bytes [Capture Filter: | ! tcp port 80 and host www.microsoft.eem and src port 80 [^ j Display Options File: Browse. H Update list of packets in t eal time 0 » Expression... Clear. Apply Filter No. . Source Protocol Destination Info u?J IIL.H ieyrneni. ui [TCP segment of HTTP/1. 1 200 OK http > 24013 [A( HTTP/1.1 304 NO' http > 24015 [A! [TCP segment of [TCP segment of [TCP segment of [TCP segment of f HTTPA-1 200 OK ! d Capture packets in promiscuous mode, 1 1 Capture packets in pcap-ng format (experimental) CH Lj"* each packet to i : Capture File(s) j D Use multiple files Automatic scrolling In live capture 64. .31.252 64.4.31.252 44 0.881139 45 0.881180 64. 64. 64. 64. 64. 64. 64. 64. 64. 34 0.478941 35 0.528130 36 0.528158 37 0.530202 38 0 . 5 3 5 4 3 8 39 0 . 5 3 5 5 4 5 40 0 . 5 3 5 6 5 7 410.535786 42 0 . 5 3 5 8 2 0 .31.252 .31.252 .31.252 .31.252 .31.252 .31.252 .31.252 .31.252 .31.252 155 97 2 3.202 155 97 2 3.202 155 97 2 3 . 2 0 2 155 97 2 3.202 155 97 2 3.202 155 97 243.202 155 97 2 4 3 . 2 0 2 15597243.202 155 97 2 4 3 . 2 0 2 155 97 243.202 155 97 243.202 HTTP TCP HTTP TCP TCP TCP TCP TCP HTTP TCP [TCP segment of ! I HTTP/XML HTTPA-1 200 OK PI Hide capture info dialog t Frame 1 (60 bytes on wire, 60 bytes captured) t! Ethernet II, src: HewT ett P_71 : bf : Of (00:lf :29:71:bfOf), : Name Resolution 0 Stop Capture . . 
, D ...after a Transmission control Protocol, Src Port: http (80), Enable MAC name resolution Dst: Micro-St_52:74:35 (C Dst Port : D Enable network name resolution D ...after 0 D... after Enable transport name resolution 00 28 76 a3 40 00 32 06 0010 00 13 d3 52 74 35 00 If 0000 Help [ Start j | . . . Rt 5 .. )qV.:.E. .(v.e.2 . . .e. . . .a 29 71 bf Of 08 00 45 00 e3 00 40 04 If fc 9b 61 T 0030 [ fd 5C e8 91 00 00 00 00 i + 5&v . P . \3 (24013), Seq: ' 00 00 00 00 Cancel O RealtekRTL8139/810xFairtlyFastahernetNIC.., i PacketsMS Displayed; 45 Marked Figure 5-8: Capture filter to include "src port 80." Profile: Default Figure 5-9: Captured packets from one source IP. 20. Click Capture and Options. 21. Enter "tcp port 80 and host www.microsoft.com and src port 80" in the box next to Capture Filter. (See Figure 5-8.) 22. Click Start. 132 P a ^ e 23. Go to www.Microsoft.com in your Web browser. (You should pick up several packets with the same source IP.) 24. Click Capture and Stop. 25. Take a screenshot. (See Figure 5-9.) Capture File Edit View Filter IP address: 155,97.243.202 H M 8i Interface: Local v Realtek RTLS139/310X Family Fast Ethernet NIC [^J .e Buffer size: 1 ^ , ,. £ megabyte(s) bytes Display Options | [Browse... | r£] yp^g |i5l:of pacKets In real time £o Capture Analyze Statistics X Si da Telephony '- look Help r ;\ Q ^ ^ ^ u - 155 155 155 155 97.243. 202 155 97.243. 202 155 97.243. 202 0.001527 0.001980 0.002356 0.003673 2 3 4 5 Oest nation Sour ce T,me 155 155 155 155 155 11 0.075365 101.201 101.201 101.201 101.201 155 155 155 155 10 10 10 10 101. 101. 101. 97 97 97 97 3 3 3 3 Expression... Protocol 201.10 201.10 201.10 2 2 2 2 202 202 202 202 DNS DNS DNS DNS DNS DNS DNS Clear Apply Info Standard query ,: standard query ,; standard query , standard Standard standard standard query query query query 12 0.081577 Hide capture info dialog 14 - Quer les ^ Name: c.m icroso ft . 
com ddress) Type: A ( c l a s s : IN fOxOO 01) Enable MAC name resolution v * D Enable network name resolution 0000 after Enable transport name resolution 0010 0030 ~*|P at * •" 0.005060 0.007405 0.007476 0.007585 7 8 9 10 No. . [ 1 Capture packets in pcap-ng fc rmat (experimental) ! ! ymft each packet to Capture File(s) File: D Use multiple files 1 0 Name Resolution 0 Stop Capture... D .-after CH 0 1 00 If 29 71bf Of 00 13 00 3d 75 e8 00 00 80 11 13 11 52 74 35 08 C 0 45 00 ?h 9b 61 f3 c a 9b 65 . .)q .=u R t 5 . .E. + a ..e KtXfl»«• 00 00 00 00 '. '" ~] I Start 11 Cancel ] Pac O Query Name (dns.qry.na Figure 5-10: Capture filter for port 53. 26. 27. 28. 29. 30. 31. 32. 33. Figure 5-11: Captured DNS packets. Click Capture and Options. Enter "port 53" in the box next to Capture Filter. (See Figure 5-10.) Click Start. Go to www.Microsoft.com in your Web browser. (You should pick up several packets colored blue by default. These are DNS requests.) Click Capture and Stop. Click on the first row. Highlight the Microsoft entry in the Packet Contents pane. Take a screenshot. (See Figure 5-11.) In this project you learned how to 1) capture packets going to a specific port, 2) capture traffic addressed to a specific host (or IP address), 3) capture only the source/destination port, and 4) capture DNS traffic. For a list of the possible ports you can specify you can go to the following link: http://wiki.wireshark.org/PortReference. By filtering only Web traffic (port 80) there was much less information to capture. There was even less traffic if you specified a particular Web site. You can even look at only one side of the conversation by specifying a source or destination port. Wireshark's wiki (http://wiki.wireshark.org/FrontPage) has a lot of information about how to capture specific kinds of traffic and even provides some sample captures. THOUGHT QUESTIONS 1. 2. 3. 4. Why does your computer send so many packets? Why not send just one really big packet? 
What do SYN, ACK, FIN, GET mean? Can you capture all of the packets for an entire network? Can Wireshark automatically resolve the IP address into host names? P a e e i 133 5.3 PACKET INSPECTION In the prior project you learned how to capture specific types of traffic. In this project you will look at the parts of a packet. Each packet comes with a lot of information that the end user never sees. Each packet has 1) both source and destination IP addresses, 2) both source and destination MAC addresses, 3) a TTL, and 4) both source and destination port numbers. In addition, they also have information about window size, IP version, timings, sequence numbers, etc. Understanding the contents of a packet helps you understand how TCP/IP (and the Internet) works in the real world. Each field in a packet serves a purpose. There are also different types of packets (UDP, ICMP, etc.) that perform different functions. You will also walk through a TCP connection in this project. Understanding these fundamental components is critical to becoming a good network administrator. 1. With Wireshark open click Capture and Options. 2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen. 3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-12.) Capture Interface: ; Realtek RTL3139/81CK Family Fast Ethernet NIC (Microsoft's Ps fjj[] IP address: 155.97.243.201 Buffei e: 1 :£i megabyte(s) 1^1 Capture packets in proi This wizard helps you to create shortcuts to local or network programs, files, folders, computers, or Internet addresses. 
Type the location of the item: [D Limit each packet to \| Capture File(s) Display Options File: PI ypdate list of packets in real time Click Next to continue O Use multiple files 0 Automatic scrolling in live capture (3 Hide capture info dialog Name Resolution 0 Enable MAC name resolution [ 1 Enable network name resolution 0 Enable transport name resolution J | I Cancel Figure 5-12: Configuring Wireshark to capture port 80 packets. 4. 5. 6. 7. 8. 9. 10. Njext> I [ Cancel Figure 5-13: Captured packets for www.Google.com. Close ALL other programs you currently have open except your word processing program. Right-click anywhere on your desktop. Select New and Shortcut. Enter "www.Google.com". (See Figure 5-13.) Click Next. Enter "Google" for the name. (See Figure 5-14.) Click Finish. 134 P a t i e < Back Finish _ Edit View it View £o Capture Analyze Stati Telephony lools tJelp at & # ,^ a x s 1 0.000000 2 0.024056 3 0.024108 155.97 74.125 155.97 5 u.049793 6 0.059043 7 0.059087 8 0.059114 9 0.059128 11 0.158304 tp [ACK] Seq-649 155.97.243.202 Cancel Figure 5-14: Naming the shortcut. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. Fife Figure 5-15: GET request showing Google's hostname. Close all other Web browsers. (This will reduce the number of packets you capture.) Go back to Wireshark and click Start. Double-click the Google shortcut on your desktop. Wait for the page to load. Close your Web browser. Go back to Wireshark and click Stop. Click on the line that has Get in the Info field. (In this example it was the 4th packet. See Figure 515.) In the Packet Details pane (the middle pane) click on the line labeled "Ethernet II." Click on the line labeled "Source." Take a screenshot. (See Figure 5-16.) Open a command prompt by clicking Start and Run. Type CMD Type ipconfig /all Take a screenshot. (Notice that the MAC and IP addresses are the same as those shown in the Wireshark capture. In this case the MAC address was 00-13-D3-52-74-35. See Figure 5-17.) 
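Steps 17 to 24 read the source MAC address, the IP addresses and the ports off the Packet Details pane, and step 10 of the previous project showed the same packet as raw hexadecimal in the bottom pane. The following is an added example, not code from the lab manual: it decodes those fields directly from the bytes of a frame and then applies the three kinds of capture filter used in the previous project to the decoded packet. The frame it works on is constructed by hand to carry the addresses and ports visible in the lab's screenshots (00:13:d3:52:74:35 to 00:1f:29:71:bf:0f, 155.97.243.202 port 26929 to 74.125.155.103 port 80, a GET / for www.google.com); it is not a real capture and its checksums are left at zero.

```python
"""Decode an Ethernet II / IPv4 / TCP (or UDP) frame into the fields that
Wireshark lists in the Packet Details pane, then apply capture-filter rules
of the kind used in projects 5.2 and 5.3.

Added example, not code from the lab manual. SAMPLE_GET below is a frame
constructed by hand with the addresses and ports seen in the lab's
screenshots; it is not a real capture, and its checksums are zero.
"""
import socket
import struct

# Bit positions of the TCP flags, in the order Wireshark prints them.
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def mac_str(six_bytes):
    return ":".join(f"{b:02x}" for b in six_bytes)


def parse_frame(raw):
    """Return the Ethernet, IP and transport fields of one captured frame."""
    if len(raw) < 34:
        raise ValueError("frame too short for Ethernet II + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = raw[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4              # IP header length in bytes
    pkt = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
           "ip_version": ver_ihl >> 4, "ttl": ttl,
           "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip)}
    l4 = ip[ihl:total_len]                  # transport header + payload, minus any trailer
    if proto == 6:                          # TCP
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4    # top 4 bits: header length in 32-bit words
        flag_bits = off_flags & 0x01FF      # low 9 bits: the flags
        pkt.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack,
                   window=window,
                   flags=[n for bit, n in TCP_FLAG_NAMES.items() if flag_bits & bit],
                   payload=l4[data_off:])
    elif proto == 17:                       # UDP (what DNS on port 53 normally uses)
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", l4[:8])
        pkt.update(proto="udp", sport=sport, dport=dport, payload=l4[8:])
    else:
        pkt.update(proto=f"ip-proto-{proto}", payload=l4)
    return pkt


def capture_filter(pkt, proto=None, port=None, host=None, src_port=None):
    """Evaluate the lab's filters on a decoded packet with BPF semantics:
    'port N' matches either endpoint, 'host H' either address, and
    'src port N' only the sending side. H must already be an IP address,
    because libpcap resolves names before the capture starts."""
    if proto is not None and pkt["proto"] != proto:
        return False
    if port is not None and port not in (pkt.get("sport"), pkt.get("dport")):
        return False
    if host is not None and host not in (pkt["src_ip"], pkt["dst_ip"]):
        return False
    if src_port is not None and pkt.get("sport") != src_port:
        return False
    return True


def build_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack,
                    flags, payload=b"", ttl=128, window=65535):
    """Assemble a test frame (20-byte IP and TCP headers, checksums left 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x0a9c, 0x4000,
                     ttl, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + tcp


# Constructed stand-in for frame 4 of the lab capture: the browser's GET.
SAMPLE_GET = build_tcp_frame(
    "00:13:d3:52:74:35", "00:1f:29:71:bf:0f",
    "155.97.243.202", "74.125.155.103", 26929, 80, seq=1, ack=1,
    flags=0x18,   # PSH, ACK
    payload=b"GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: Keep-Alive\r\n\r\n")

if __name__ == "__main__":
    pkt = parse_frame(SAMPLE_GET)
    for key in ("src_mac", "dst_mac", "src_ip", "dst_ip", "ttl", "sport", "dport", "flags"):
        print(f"{key:>8}: {pkt[key]}")
    print("tcp port 80                              ->", capture_filter(pkt, "tcp", 80))
    print("tcp port 80 and host ... and src port 80 ->",
          capture_filter(pkt, "tcp", 80, "74.125.155.103", 80))
    print("port 53                                  ->", capture_filter(pkt, port=53))
```

Run as a script it prints the same Ethernet II / Internet Protocol / Transmission Control Protocol summary the middle pane shows for the GET packet. Note the filter results: the "src port 80" rule added in step 21 of the previous project rejects this packet, because the client sent it from port 26929; only the server's replies pass, which is why Figure 5-9 shows a single source address. One difference from the real capture filter worth remembering: libpcap turns "host www.microsoft.com" into IP addresses once, when the capture starts, so if the browser is later handed a different address for the name (common for sites served from a CDN), those packets are not captured at all.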
Figure 5-16: Source MAC address on a packet. (Frame 4, 702 bytes on wire: Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35), Dst: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Type: IP (0x0800).)
Figure 5-17: DOS prompt showing MAC addresses.

25. In the Packet Details pane (the middle pane) click on the line labeled "Hypertext Transfer Protocol."
26. Click on the line labeled "Cookie."
27. Take a screenshot. (See Figure 5-18.)
28. On the menu bar click Analyze and then Follow TCP Stream.
29. Take a screenshot. (See Figure 5-19.)

Figure 5-18: Cookie within a packet.
Figure 5-19: Contents of a TCP stream.

Note: In the next part of this project you are going to identify the three parts of a TCP transaction. You will identify 1) connection establishment, 2) data transfer and acknowledgement, and 3) connection termination. You will identify these parts of the TCP process by looking in the Info column of the capture you just performed.

30. On the menu bar click View and then Packet Details to uncheck it. (This should make the middle pane disappear.)
31. On the menu bar click View and then Packet Bytes to uncheck it. (This should make the bottom pane disappear.)
32. Maximize the Wireshark window so you can clearly see the column labeled Info.
33. Click on the row that has the first [SYN] occurrence in the Info column. (In this case it was row 1 in the list. It may be farther down in your list of captured packets.)
34. Take a screenshot. (See Figure 5-20.)

Figure 5-20: Captured SYN packet. The packet list shown in the figure (Info text ends in "..." where the column was cut off):

No.  Time      Source           Destination      Protocol  Info
1    0.000000  155.97.243.202   74.125.155.103   TCP       26929 > http [SYN] Seq=0 Win=65535 Len=0
2    0.024056  74.125.155.103   155.97.243.202   TCP       http > 26929 [SYN, ACK] Seq=0 Ack=1 Win...
3    0.024108  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=1 Ack=1 Win=6553...
4    0.025727  155.97.243.202   74.125.155.103   HTTP      GET / HTTP/1.1
5    0.049793  74.125.155.103   155.97.243.202   TCP       http > 26929 [ACK] Seq=1 Ack=649 Win=70...
6    0.059043  74.125.155.103   155.97.243.202   TCP       [TCP segment of a reassembled PDU]
7    0.059087  74.125.155.103   155.97.243.202   TCP       [TCP segment of a reassembled PDU]
8    0.059114  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=649 Ack=2761 Win...
9    0.059128  74.125.155.103   155.97.243.202   HTTP      HTTP/1.1 200 OK (text/html)
10   0.144161  155.97.243.202   74.125.155.139   TCP       26930 > http [SYN] Seq=0 Win=65535 Len=...
11   0.158304  155.97.243.202   74.125.155.103   HTTP      GET /csi?v=3&s=webhp&action=&srt=254&e=...
12   0.168459  74.125.155.139   155.97.243.202   TCP       http > 26930 [SYN, ACK] Seq=0 Ack=1 Win...
13   0.168505  155.97.243.202   74.125.155.139   TCP       26930 > http [ACK] Seq=1 Ack=1 Win=6553...
14   0.168729  155.97.243.202   74.125.155.139   HTTP      GET /generate_204 HTTP/1.1
15   0.192817  74.125.155.139   155.97.243.202   TCP       http > 26930 [ACK] Seq=1 Ack=612 Win=69...
16   0.192978  74.125.155.139   155.97.243.202   HTTP      HTTP/1.1 204 No Content
17   0.221706  74.125.155.103   155.97.243.202   TCP       http > 26929 [ACK] Seq=3466 Ack=1386 Wi...
18   0.262909  74.125.155.103   155.97.243.202   HTTP      HTTP/1.1 204 No Content
19   0.345198  155.97.243.202   74.125.155.139   TCP       26930 > http [ACK] Seq=612 Ack=147 Win=...
20   0.447716  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=1386 Ack=3702 Wi...
21   3.260627  155.97.243.202   74.125.155.139   TCP       26930 > http [FIN, ACK] Seq=612 Ack=147...
22   3.260718  155.97.243.202   74.125.155.103   TCP       26929 > http [FIN, ACK] Seq=1386 Ack=37...
23   3.284628  74.125.155.139   155.97.243.202   TCP       http > 26930 [FIN, ACK] Seq=147 Ack=613...
24   3.284668  155.97.243.202   74.125.155.139   TCP       26930 > http [ACK] Seq=613 Ack=148 Win=...
25   3.284694  74.125.155.103   155.97.243.202   TCP       http > 26929 [FIN, ACK] Seq=3702 Ack=13...
26   3.284707  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=1387 Ack=3703 Wi...

35. Double-click on the next row that has the first [SYN, ACK] occurrence in the Info column. (In this case it was row 2. See Figure 5-21.)
36. Expand the tree for Transmission Control Protocol.
37. Expand the tree for [SEQ/ACK analysis].
38. Highlight the row that indicates that this [SYN, ACK] packet is an acknowledgement to the prior packet.
39. Take a screenshot. (See Figure 5-22.)

Figure 5-21: Captured SYN/ACK packet.
Figure 5-22: Noting the acknowledgement (ACK) to a segment. (Frame 2, 66 bytes, from 74.125.155.103 port http (80) to port 26929: Sequence number 0 and Acknowledgement number 1 (relative numbers), header length 32 bytes, Flags 0x12 (SYN, ACK), Window size 5720, 12 bytes of options; [SEQ/ACK analysis] reads "The RTT to ACK the segment was: 0.024056000 seconds".)

40. Double-click on the next row that has an [ACK] occurrence after the [SYN, ACK] packet in the Info column. (In this case it was row 3. See Figure 5-23.)
41. Expand the tree for Transmission Control Protocol.
42. Expand the tree for [SEQ/ACK analysis].
43. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior [SYN, ACK] packet you just looked at.
44. Take a screenshot. (This was the 3-way opening. See Figure 5-24.)

Figure 5-23: Captured ACK packet.
Figure 5-24: Acknowledgement (ACK) to the 3-way opening. (Frame 3, 54 bytes, from 155.97.243.202 port 26929 to http (80): Stream index 0, Sequence number 1, Acknowledgement number 1, header length 20 bytes, Flags 0x10 (ACK), Window size 65536 (scaled); "The RTT to ACK the segment was: 0.000052000 seconds".)

45. Double-click on the next row that has an [ACK] occurrence after the GET request in the Info column. (In this case it was row 5. See Figure 5-25.)
46. Expand the tree for Transmission Control Protocol.
47. Expand the tree for [SEQ/ACK analysis].
48. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior GET request. (In this case it was frame 4.)
49. Take a screenshot. (This is an acknowledgement of a data transfer. See Figure 5-26.)

Figure 5-25: Captured ACK packet.
Figure 5-26: Acknowledgement (ACK) to the data transfer. (Frame 5, 60 bytes, from 74.125.155.103 port http (80) to port 26929: Stream index 0, Sequence number 1, Acknowledgement number 649, header length 20 bytes, Flags 0x10 (ACK), Window size 7040 (scaled); "The RTT to ACK the segment was: 0.024066000 seconds".)

50. Double-click on the row that has the first [FIN, ACK] occurrence in the Info column with your IP address as the source. (In this case it was row 21. See Figure 5-27.)
51. Expand the tree for Transmission Control Protocol.
52. Expand the tree for [SEQ/ACK analysis].
53. Highlight the row that indicates that this is a [FIN, ACK] packet.
54. Take a screenshot. (This was the first part of the connection termination. See Figure 5-28.)

Figure 5-27: Captured FIN/ACK packet from your computer.
Figure 5-28: FIN/ACK segment from your computer. (Frame 21, from 155.97.243.202 port 26930 to http (80): Stream index 1, Sequence number 612, Acknowledgement number 147, header length 20 bytes, Flags 0x11 (FIN, ACK), Window size 65390 (scaled).)

55. Double-click on the row that has the first [FIN, ACK] occurrence in the Info column with your IP address as the destination. (In this case it was row 23. See Figure 5-29.)
56. Expand the tree for Transmission Control Protocol.
57. Expand the tree for [SEQ/ACK analysis].
58. Highlight the row that indicates that this is a [FIN, ACK] packet and an acknowledgement to the first [FIN, ACK].
59. Take a screenshot. (This was the second part of the connection termination. See Figure 5-30.)

Figure 5-29: Captured FIN/ACK packet from the Web server.
Figure 5-30: FIN/ACK segment from the Web server. (Frame 23, from 74.125.155.139 port http (80) to port 26930: Stream index 1, Sequence number 147, Acknowledgement number 613, header length 20 bytes, Flags 0x11 (FIN, ACK), Window size 6976 (scaled); [SEQ/ACK analysis] reads "This is an ACK to the segment in frame: 21" and "The RTT to ACK the segment was: 0.024001000 seconds".)

THOUGHT QUESTIONS

1. Did the packets you captured have a TTL listed? Why?
2. Why do packets have both IP addresses and MAC addresses on them?
3. Which packet had the html code for Google's page (Hint: 200)?
4. What do all the letters and numbers in the bottom pane represent?

5.4 CONTENTS OF A PACKET (CAPTURE AN EMAIL)

In this project you will capture a packet and look at its contents. You will use Wireshark to capture packets containing an email message. You will send an email to a generic Hotmail.com account and capture it as it's going over the network. Then you will look at the contents of the email without opening it in an email client.

Most email traffic has traditionally not been encrypted. However, many providers are starting to make encrypted email an option for their users. A packet sniffer allows you to look at the contents of many different types of packets. This project works only while the webmail session is carried over plain HTTP on port 80; once a provider moves the session to HTTPS, the same capture still shows the packets but their contents are encrypted.

1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen. (Your NIC will undoubtedly have a different name.)
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-31.)

Figure 5-31: Capture Options dialog with the "tcp port 80" filter, with a Windows Live Hotmail inbox open in the browser.
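Steps 30 to 59 of project 5.3 identify the three parts of the TCP conversation by reading the Info column and the [SEQ/ACK analysis] tree by hand. The following is an added example, not code from the lab manual, that does the same bookkeeping in code. Its input is a transcription of the packet list in Figure 5-20: the frame numbers, times, ports, flags and relative Seq/Ack values of the TCP rows are those printed in the figure; the payload lengths of the HTTP rows, which the Info column does not print, are inferred from the Ack values of the frames around them (Ack=649 after the GET means the GET carried 648 bytes, which also matches the 702-byte frame 4 of Figure 5-16); the two "TCP segment of a reassembled PDU" rows are split evenly across the 2760 bytes that frame 8 acknowledges; and the HTTP rows are assumed to carry PSH,ACK.

```python
"""Trace one HTTP capture through the three parts of a TCP conversation
(connection establishment, data transfer and acknowledgement, connection
termination), reproducing what Wireshark's [SEQ/ACK analysis] tree shows
for each frame in project 5.3.

Added example, not code from the lab manual. FIGURE_5_20 is transcribed
from the packet list in Figure 5-20; the comments say which values are
printed in the figure and which are inferred.
"""
from collections import defaultdict

# One tuple per frame: (frame, time, client_port, direction, flags, seq, ack, payload_len).
# direction "C" = sent by 155.97.243.202, "S" = sent by the Google server.
# Seq/Ack are Wireshark's relative numbers (SYN = 0, first data byte = 1).
# Frame numbers, times, ports, flags and Seq/Ack of the TCP rows are as printed in
# the figure; the HTTP rows' flags (assumed PSH,ACK) and all payload lengths are
# inferred from the Ack values of the surrounding frames.
FIGURE_5_20 = [
    (1,  0.000000, 26929, "C", "SYN",        0,    0,    0),
    (2,  0.024056, 26929, "S", "SYN,ACK",    0,    1,    0),
    (3,  0.024108, 26929, "C", "ACK",        1,    1,    0),
    (4,  0.025727, 26929, "C", "PSH,ACK",    1,    1,  648),  # GET / HTTP/1.1
    (5,  0.049793, 26929, "S", "ACK",        1,  649,    0),
    (6,  0.059043, 26929, "S", "ACK",        1,  649, 1380),  # TCP segment of a reassembled PDU
    (7,  0.059087, 26929, "S", "ACK",     1381,  649, 1380),  # TCP segment of a reassembled PDU
    (8,  0.059114, 26929, "C", "ACK",      649, 2761,    0),
    (9,  0.059128, 26929, "S", "PSH,ACK", 2761,  649,  705),  # HTTP/1.1 200 OK (text/html)
    (10, 0.144161, 26930, "C", "SYN",        0,    0,    0),
    (11, 0.158304, 26929, "C", "PSH,ACK",  649, 3466,  737),  # GET /csi?v=3&s=webhp...
    (12, 0.168459, 26930, "S", "SYN,ACK",    0,    1,    0),
    (13, 0.168505, 26930, "C", "ACK",        1,    1,    0),
    (14, 0.168729, 26930, "C", "PSH,ACK",    1,    1,  611),  # GET /generate_204 HTTP/1.1
    (15, 0.192817, 26930, "S", "ACK",        1,  612,    0),
    (16, 0.192978, 26930, "S", "PSH,ACK",    1,  612,  146),  # HTTP/1.1 204 No Content
    (17, 0.221706, 26929, "S", "ACK",     3466, 1386,    0),
    (18, 0.262909, 26929, "S", "PSH,ACK", 3466, 1386,  236),  # HTTP/1.1 204 No Content
    (19, 0.345198, 26930, "C", "ACK",      612,  147,    0),
    (20, 0.447716, 26929, "C", "ACK",     1386, 3702,    0),
    (21, 3.260627, 26930, "C", "FIN,ACK",  612,  147,    0),
    (22, 3.260718, 26929, "C", "FIN,ACK", 1386, 3702,    0),
    (23, 3.284628, 26930, "S", "FIN,ACK",  147,  613,    0),
    (24, 3.284668, 26930, "C", "ACK",      613,  148,    0),
    (25, 3.284694, 26929, "S", "FIN,ACK", 3702, 1387,    0),
    (26, 3.284707, 26929, "C", "ACK",     1387, 3703,    0),
]


def analyze_stream(frames):
    """For one connection: which later frame acknowledges each segment, the
    RTT to that ACK, the handshake triple, and each side's FIN with its ACK."""
    frames = sorted(frames)
    by_no = {f[0]: f for f in frames}
    acked_by, rtt = {}, {}
    for no, t, _, d, flags, seq, _, ln in frames:
        fl = set(flags.split(","))
        consumed = ln + ("SYN" in fl) + ("FIN" in fl)  # SYN and FIN each use one seq number
        if consumed == 0:
            continue                                    # a pure ACK is never acknowledged
        for g in frames:                                # first later frame from the other side
            if g[0] > no and g[3] != d and g[6] >= seq + consumed:  # whose Ack covers it
                acked_by[no], rtt[no] = g[0], round(g[1] - t, 6)
                break
    handshake = None                                    # client SYN -> SYN,ACK -> ACK
    syn = next((f for f in frames if f[3] == "C" and f[4] == "SYN"), None)
    if syn and syn[0] in acked_by and by_no[acked_by[syn[0]]][4] == "SYN,ACK":
        synack_no = acked_by[syn[0]]
        if synack_no in acked_by:
            handshake = (syn[0], synack_no, acked_by[synack_no])
    teardown = {f[3]: (f[0], acked_by.get(f[0])) for f in frames if "FIN" in f[4]}
    return {"handshake": handshake, "acked_by": acked_by, "rtt": rtt, "teardown": teardown}


def analyze_capture(rows):
    """Group frames by client port (Wireshark's stream index) and analyze each stream."""
    streams = defaultdict(list)
    for row in rows:
        streams[row[2]].append(row)
    return {port: analyze_stream(fs) for port, fs in streams.items()}


def label_phases(rows):
    """Assign every frame to one of the three parts named in the lab."""
    labels = {}
    for port, a in analyze_capture(rows).items():
        opening = set(a["handshake"] or ())
        closing = {n for fin, ackno in a["teardown"].values() for n in (fin, ackno) if n}
        for f in rows:
            if f[2] == port:
                labels[f[0]] = ("connection establishment" if f[0] in opening else
                                "connection termination" if f[0] in closing else
                                "data transfer and acknowledgement")
    return labels


if __name__ == "__main__":
    for port, a in analyze_capture(FIGURE_5_20).items():
        print(f"stream to port {port}: handshake {a['handshake']}, teardown {a['teardown']}")
        for no, by in sorted(a["acked_by"].items()):
            print(f"  frame {no} acknowledged by frame {by} after {a['rtt'][no]} s")
```

The RTT values it computes are the ones the figures show: 0.024056 s for frame 2 acknowledging the SYN (Figure 5-22), 0.000052 s for frame 3 (Figure 5-24), 0.024066 s for frame 5 acknowledging the GET (Figure 5-26), and 0.024001 s for frame 23 acknowledging the client's FIN (Figure 5-30). The rule that makes the arithmetic come out is that a SYN and a FIN each consume one sequence number, exactly like a byte of data; that is why the final ACKs carry Ack=3703 and Ack=148, one more than the last byte each server sent.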
This question has not been answered.
