[Figure 5-6 screenshot: Capture Options dialog, Interface: Local, Realtek RTL8139/810x Family Fast Ethernet NIC, IP address 155.97.243.202, Capture Filter "tcp port 80 and host www.microsoft.com".]
Figure 5-6: Capture filter to include www.microsoft.com.
[Figure 5-7 screenshot: packet list (Packets: 34, Displayed: 34) of HTTP and TCP traffic between 155.97.243.202 and 65.55.21.250; Frame 1 (66 bytes on wire) is Ethernet II from Micro-St_52:74:35 (00:13:d3:52:74:35) to HewlettP_71:bf:0f, Internet Protocol 155.97.243.202 to 65.55.21.250, TCP source port 24119 to http (80).]
Figure 5-7: Captured packets.
13. Click Capture and Options.
14. Enter "tcp port 80 and host www.microsoft.com" in the box next to Capture Filter. (See Figure 5-6.)
15. Click Start.
16. Open a Web browser and go to www.Google.com. (You shouldn't pick up any packets.)
17. Go to www.Microsoft.com in your Web browser. (You should pick up several packets.)
18. Click Capture and Stop.
19. Take a screenshot. (See Figure 5-7.)
[Figure 5-8 screenshot: Capture Options dialog, Interface: Local, Realtek RTL8139/810x Family Fast Ethernet NIC, IP address 155.97.243.202, Capture Filter "tcp port 80 and host www.microsoft.com and src port 80".]
Figure 5-8: Capture filter to include "src port 80."
[Figure 5-9 screenshot: packet list (Packets: 45, Displayed: 45) in which every packet has source 64.4.31.252 and destination 155.97.243.202; Frame 1 (60 bytes on wire) is Ethernet II from HewlettP_71:bf:0f (00:1f:29:71:bf:0f) to Micro-St_52:74:35, TCP source port http (80).]
Figure 5-9: Captured packets from one source IP.
20. Click Capture and Options.
21. Enter "tcp port 80 and host www.microsoft.com and src port 80" in the box next to Capture Filter. (See Figure 5-8.)
22. Click Start.
23. Go to www.Microsoft.com in your Web browser. (You should pick up several packets with the same source IP.)
24. Click Capture and Stop.
25. Take a screenshot. (See Figure 5-9.)
[Figure 5-10 screenshot: Capture Options dialog, Interface: Local, Realtek RTL8139/810x Family Fast Ethernet NIC, IP address 155.97.243.202, Capture Filter "port 53".]
Figure 5-10: Capture filter for port 53.
[Figure 5-11 screenshot: packet list of DNS "Standard query" packets between 155.97.243.202 and 155.101.201.10; the Packet Details pane shows Queries, Name: c.microsoft.com, Type: A (Host address), Class: IN (0x0001), with the Query Name (dns.qry.name) selected.]
Figure 5-11: Captured DNS packets.
26. Click Capture and Options.
27. Enter "port 53" in the box next to Capture Filter. (See Figure 5-10.)
28. Click Start.
29. Go to www.Microsoft.com in your Web browser. (You should pick up several packets colored blue by default. These are DNS requests.)
30. Click Capture and Stop.
31. Click on the first row.
32. Highlight the Microsoft entry in the Packet Contents pane.
33. Take a screenshot. (See Figure 5-11.)
In this project you learned how to 1) capture packets going to a specific port, 2) capture traffic addressed to a specific host (or IP address), 3) capture only packets with a given source or destination port, and 4) capture DNS traffic. For a list of the ports you can specify, see http://wiki.wireshark.org/PortReference.
By filtering only Web traffic (port 80) there was much less information to capture. There was even less traffic when you specified a particular Web site. You can even look at only one side of the conversation by specifying a source or destination port. Wireshark's wiki (http://wiki.wireshark.org/FrontPage) has a lot of information about how to capture specific kinds of traffic and even provides some sample captures.
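As an added example (not part of the lab manual and not Wireshark's own code), the following Python script evaluates the capture filter syntax used in this project, such as "tcp port 80 and host www.microsoft.com and src port 80" or "port 53", against constructed packet records modelled on Figures 5-7, 5-9 and 5-11; it goes beyond the page's filters in also handling or, not and parentheses. The HOSTS table that stands in for DNS name resolution is an assumption.

```python
import re
from collections import namedtuple

# Assumption: a fixed name table stands in for the DNS lookup that a real
# capture filter performs when it is compiled, before the capture starts.
HOSTS = {"www.microsoft.com": "65.55.21.250", "www.google.com": "74.125.155.103"}
KEYWORDS = {"and", "or", "not", "(", ")"}
Packet = namedtuple("Packet", "proto src dst sport dport")   # proto: "tcp" or "udp"


def _primitive(words):
    """Predicate for '[tcp|udp] [src|dst] port N', '... host X', or a bare 'tcp'/'udp'."""
    proto = words.pop(0) if words and words[0] in ("tcp", "udp") else None
    side = words.pop(0) if words and words[0] in ("src", "dst") else None
    if not words:                                   # e.g. plain "udp"
        if proto is None or side is not None:
            raise ValueError("incomplete primitive")
        return lambda p: p.proto == proto
    if len(words) != 2:
        raise ValueError("expected 'port N' or 'host X', got %r" % words)
    kind, value = words
    if kind == "port":
        port = int(value)
        fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[side]
        match = lambda p: any(getattr(p, f) == port for f in fields)
    elif kind == "host":
        addr = HOSTS.get(value, value)              # literal IP addresses pass through
        fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[side]
        match = lambda p: any(getattr(p, f) == addr for f in fields)
    else:
        raise ValueError("unsupported primitive: " + kind)
    return match if proto is None else (lambda p: p.proto == proto and match(p))


def compile_filter(expr):
    """Recursive descent with tcpdump precedence: 'not' binds tightest, then 'and', then 'or'."""
    toks = re.findall(r"\(|\)|[\w.\-]+", expr.lower())
    peek = lambda: toks[0] if toks else None

    def parse_or():
        left = parse_and()
        while peek() == "or":
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_not())
        return left

    def parse_not():
        if peek() == "not":
            toks.pop(0)
            inner = parse_not()
            return lambda p: not inner(p)
        if peek() == "(":
            toks.pop(0)
            inner = parse_or()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        words = []
        while toks and toks[0] not in KEYWORDS:
            words.append(toks.pop(0))
        return _primitive(words)

    pred = parse_or()
    if toks:
        raise ValueError("unexpected token: " + toks[0])
    return pred


def count_matches(expr, packets):
    """Number of packets the capture filter would have let through."""
    pred = compile_filter(expr)
    return sum(1 for p in packets if pred(p))


# Constructed traffic mirroring Figures 5-7, 5-9 and 5-11: the lab machine
# 155.97.243.202 queries DNS, then talks HTTP to Microsoft and to Google.
ME, MS, GOOG, DNS = "155.97.243.202", "65.55.21.250", "74.125.155.103", "155.101.201.10"
SAMPLE = [
    Packet("udp", ME, DNS, 53421, 53), Packet("udp", DNS, ME, 53, 53421),
    Packet("tcp", ME, MS, 24121, 80), Packet("tcp", MS, ME, 80, 24121),
    Packet("tcp", MS, ME, 80, 24121), Packet("tcp", ME, GOOG, 26929, 80),
    Packet("tcp", GOOG, ME, 80, 26929), Packet("tcp", ME, GOOG, 26929, 443),
]

if __name__ == "__main__":
    for f in ("tcp port 80", "tcp port 80 and host www.microsoft.com",
              "tcp port 80 and host www.microsoft.com and src port 80", "port 53"):
        print("%-60s %d packets" % (f, count_matches(f, SAMPLE)))
```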
THOUGHT QUESTIONS
1. Why does your computer send so many packets? Why not send just one really big packet?
2. What do SYN, ACK, FIN, GET mean?
3. Can you capture all of the packets for an entire network?
4. Can Wireshark automatically resolve the IP address into host names?
5.3 PACKET INSPECTION
In the prior project you learned how to capture specific types of traffic. In this project you will look at the
parts of a packet. Each packet comes with a lot of information that the end user never sees. Each packet
has 1) both source and destination IP addresses, 2) both source and destination MAC addresses, 3) a TTL,
and 4) both source and destination port numbers. In addition, they also have information about window
size, IP version, timings, sequence numbers, etc.
Understanding the contents of a packet helps you understand how TCP/IP (and the Internet) works in the
real world. Each field in a packet serves a purpose. There are also different types of packets (UDP, ICMP,
etc.) that perform different functions. You will also walk through a TCP connection in this project.
Understanding these fundamental components is critical to becoming a good network administrator.
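Added example (not from the lab manual or from Wireshark): a Python script that builds one Ethernet/IPv4/TCP frame from the MAC and IP addresses shown in this project, extracts the fields listed above (MAC addresses, IP addresses, TTL, ports, sequence and acknowledgement numbers, window size), verifies the IPv4 header checksum that Wireshark shows as "[validation disabled]", and renders the bytes pane the way Wireshark's bottom pane does. The identification and flag values placed in the IP header are constructed.

```python
import struct


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def ip_checksum(header):
    """RFC 1071 one's-complement sum; over a header whose checksum is correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


TCP_FLAG_BITS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH")]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags,
                ttl=128, window=65535):
    """Ethernet II + IPv4 + TCP header with no options and no payload (54 bytes)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    # Version 4, IHL 5; identification 0x0a9c and the DF flag are constructed values
    # (the same ones appear in the hex pane of Figure 5-7). Checksum is filled in below.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x0A9C, 0x4000, ttl, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp


def dissect(frame):
    """Extract the fields the lab has you find in the Packet Details pane."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not a TCP packet")
    sport, dport, seq, ack, offset, flags, window = struct.unpack("!HHIIBBH", ip[ihl:ihl + 16])
    return {
        "eth.src": ":".join("%02x" % b for b in src_mac),
        "eth.dst": ":".join("%02x" % b for b in dst_mac),
        "ip.src": ".".join(str(b) for b in ip[12:16]),
        "ip.dst": ".".join(str(b) for b in ip[16:20]),
        "ip.ttl": ip[8],
        "ip.checksum_ok": ip_checksum(ip[:ihl]) == 0,   # Wireshark shows "[validation disabled]"
        "tcp.srcport": sport, "tcp.dstport": dport,
        "tcp.seq": seq, "tcp.ack": ack,
        "tcp.hdr_len": (offset >> 4) * 4,
        "tcp.flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
        "tcp.window": window,
    }


def hexdump(data, width=16):
    """Render the bytes pane: offset, hex bytes, then printable ASCII with '.' for the rest."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x  %-*s  %s" % (off, width * 3 - 1, hexpart, text))
    return lines


# Constructed frame resembling Frame 3 in Figure 5-24 (the client's ACK that completes
# the 3-way opening), using the MAC and IP addresses shown in this project.
FRAME = build_frame("00:13:d3:52:74:35", "00:1f:29:71:bf:0f",
                    "155.97.243.202", "74.125.155.103", 26929, 80, 1, 1, 0x10)

if __name__ == "__main__":
    for key, value in dissect(FRAME).items():
        print("%-16s %s" % (key, value))
    print("\n".join(hexdump(FRAME)))
```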
1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen.
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-12.)
[Figure 5-12 screenshot: Capture Options dialog, Interface: Realtek RTL8139/810x Family Fast Ethernet NIC, IP address 155.97.243.201, Capture Filter "tcp port 80"; part of the Create Shortcut wizard overlaps it.]
Figure 5-12: Configuring Wireshark to capture port 80 packets.
[Figure 5-13 screenshot: Create Shortcut wizard, "Type the location of the item:" with www.Google.com entered, and the Next and Cancel buttons.]
Figure 5-13: Captured packets for www.Google.com.
4. Close ALL other programs you currently have open except your word processing program.
5. Right-click anywhere on your desktop.
6. Select New and Shortcut.
7. Enter "www.Google.com". (See Figure 5-13.)
8. Click Next.
9. Enter "Google" for the name. (See Figure 5-14.)
10. Click Finish.
[Figure 5-14 screenshot: Create Shortcut wizard name page with the Back, Finish and Cancel buttons.]
Figure 5-14: Naming the shortcut.
[Figure 5-15 screenshot: packet list of the capture between 155.97.243.202 and 74.125.155.103 with the GET request row selected.]
Figure 5-15: GET request showing Google's hostname.
11. Close all other Web browsers. (This will reduce the number of packets you capture.)
12. Go back to Wireshark and click Start.
13. Double-click the Google shortcut on your desktop.
14. Wait for the page to load.
15. Close your Web browser.
16. Go back to Wireshark and click Stop.
17. Click on the line that has Get in the Info field. (In this example it was the 4th packet. See Figure 5-15.)
18. In the Packet Details pane (the middle pane) click on the line labeled "Ethernet II."
19. Click on the line labeled "Source."
20. Take a screenshot. (See Figure 5-16.)
21. Open a command prompt by clicking Start and Run.
22. Type CMD
23. Type ipconfig /all
24. Take a screenshot. (Notice that the MAC and IP addresses are the same as those shown in the Wireshark capture. In this case the MAC address was 00-13-D3-52-74-35. See Figure 5-17.)
[Figure 5-16 screenshot: Frame 4 (702 bytes on wire) selected in the packet list; the Packet Details pane shows Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35), Dst: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Type: IP (0x0800), with the Source line highlighted; the status bar reads "Source Hardware Address (eth.src), 6 bytes"; the bytes pane shows the GET / HTTP/1.1 request with its Host header.]
Figure 5-16: Source MAC address on a packet.
[Figure 5-17 screenshot: command prompt showing the output of ipconfig /all.]
Figure 5-17: DOS prompt showing MAC addresses.
25. In the Packet Details pane (the middle pane) click on the line labeled "Hypertext Transfer Protocol."
26. Click on the line labeled "Cookie."
27. Take a screenshot. (See Figure 5-18.)
28. In the File menu click Analyze and Follow TCP Stream.
29. Take a screenshot. (See Figure 5-19.)
[Figure 5-18 screenshot: Packet Details pane with the Cookie line of the Hypertext Transfer Protocol tree selected.]
Figure 5-18: Cookie within a packet.
[Figure 5-19 screenshot: Follow TCP Stream window.]
Figure 5-19: Contents of a TCP stream.
Note: In the next part of this project you are going to identify the three parts of a TCP transaction. You
will identify 1) connection establishment, 2) data transfer and acknowledgement, and 3) connection
termination. You will identify these parts of the TCP process by looking in the Info column of the capture
you just performed.
30. In the File menu click View and Packet Details. (This should make the middle pane disappear.)
31. In the File menu click View and Packet Bytes. (This should make the bottom pane disappear.)
32. Maximize the Wireshark window so you can clearly see the column labeled Info.
33. Click on the row that has the first [SYN] occurrence in the Info column. (In this case it was row 1
in the list. It may be farther down in your list of captured packets.)
34. Take a screenshot. (See Figure 5-20.)
[Figure 5-20 screenshot: packet list with row 1 selected (Packets: 26 Displayed: 26 Marked: 0 Dropped: 0). Source and destination alternate between 155.97.243.202 and the Google servers 74.125.155.103 and 74.125.155.139. The Info column, as far as it survived extraction (rows are cut off at the right edge of the screenshot):
1 26929 > http [SYN] Seq=0 W
2 http > 26929 [SYN, ACK] Seq=0 Ack=1 Win
3 26929 > http [ACK] Seq=1 Ack=1 Win=6553
4 GET / HTTP/1.1
5 http > 26929 [ACK] Seq=1 Ack=649 Win=70
6 [TCP segment of a reassembled PDU]
7 [TCP segment of a reassembled PDU]
8 26929 > http [ACK] Seq=649 Ack=2761 Win
9 HTTP/1.1 200 OK (text/html)
10 26930 > http [SYN] Seq=0 Win=65535 Len=
11 GET /csi?v=3&s=webhp&action=&srt=254&e=
12 http > 26930 [SYN, ACK] Seq=0 Ack=1 Win
13 26930 > http [ACK] Seq=1 Ack=1 Win=6553
14 GET /generate_204 HTTP/1.1
15 http > 26930 [ACK] Seq=1 Ack=612 Win=69
16 HTTP/1.1 204 No Content
17 http > 26929 [ACK] Seq=3466 Ack=1386 Wi
18 HTTP/1.1 204 No Content
19 26930 > http [ACK] Seq=612 Ack=147 Win=
20 26929 > http [ACK] Seq=1386 Ack=3702 Wi
21 26930 > http [FIN, ACK] Seq=612 Ack=147
22 26929 > http [FIN, ACK] Seq=1386 Ack=37
23 http > 26930 [FIN, ACK] Seq=147 Ack=613
24 26930 > http [ACK] Seq=613 Ack=148 Win=
25 http > 26929 [FIN, ACK] Seq=3702 Ack=13
26 26929 > http [ACK] Seq=1387 Ack=3703 Wi]
Figure 5-20: Captured SYN packet.
35. Double-click on the next row that has the first [SYN, ACK] occurrence in the Info column. (In
this case it was row 2. See Figure 5-21.)
36. Expand the tree for Transmission Control Protocol.
37. Expand the tree for [SEQ/ACK analysis].
38. Highlight the row that indicates that this [SYN, ACK] packet is an acknowledgement to the prior
packet.
39. Take a screenshot. (See Figure 5-22.)
[Figure 5-21 screenshot: packet list with row 2 selected (0.024056, 74.125.155.103 to 155.97.243.202, TCP, http > 26929 [SYN, ACK]).]
Figure 5-21: Captured SYN/ACK packet.
[Figure 5-22 screenshot: Packet Details for Frame 2 (66 bytes on wire, 66 bytes captured): Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f); Internet Protocol, Src: 74.125.155.103, Dst: 155.97.243.202; Transmission Control Protocol: Source port: http (80), Destination port: 26929, Sequence number: 0 (relative sequence number), Acknowledgement number: 1 (relative ack number), Header length: 32 bytes, Flags: 0x12 (SYN, ACK), Window size: 5720, Checksum [validation disabled], Options: (12 bytes), [SEQ/ACK analysis] [The RTT to ACK the segment was: 0.024056000 seconds].]
Figure 5-22: Noting the acknowledgement (ACK) to a segment.
40. Double-click on the next row that has an [ACK] occurrence after the [SYN, ACK] packet in the
Info column. (In this case it was row 3. See Figure 5-23.)
41. Expand the tree for Transmission Control Protocol.
42. Expand the tree for [SEQ/ACK analysis].
43. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior [SYN,
ACK] packet you just looked at.
44. Take a screenshot. (This was the 3-way opening. See Figure 5-24.)
[Figure 5-23 screenshot: packet list with row 3 selected (155.97.243.202 to 74.125.155.103, TCP, 26929 > http [ACK]).]
Figure 5-23: Captured ACK packet.
[Figure 5-24 screenshot: Packet Details for Frame 3 (54 bytes on wire, 54 bytes captured): Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35); Internet Protocol, Src: 155.97.243.202, Dst: 74.125.155.103; Transmission Control Protocol, Src Port: 26929, Dst Port: http (80), [Stream index: 0], Sequence number: 1 (relative sequence number), Acknowledgement number: 1 (relative ack number), Header length: 20 bytes, Flags: 0x10 (ACK), Window size: 65536 (scaled), Checksum: 0xf2cd [validation disabled], [SEQ/ACK analysis] [The RTT to ACK the segment was: 0.000052000 seconds].]
Figure 5-24: Acknowledgement (ACK) to the 3-way opening.
45. Double-click on the next row that has an [ACK] occurrence after the GET request in the Info
column. (In this case it was row 5. See Figure 5-25.)
46. Expand the tree for Transmission Control Protocol.
47. Expand the tree for [SEQ/ACK analysis].
48. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior GET
request. (In this case it was frame 4.)
49. Take a screenshot. (This is an acknowledgement of a data transfer. See Figure 5-26.)
[Figure 5-25 screenshot: packet list with row 5 selected (0.049793, 74.125.155.103 to 155.97.243.202, TCP, http > 26929 [ACK]).]
Figure 5-25: Captured ACK packet.
[Figure 5-26 screenshot: Packet Details for Frame 5 (60 bytes on wire, 60 bytes captured): Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f); Internet Protocol, Src: 74.125.155.103, Dst: 155.97.243.202; Transmission Control Protocol, Src Port: http (80), Dst Port: 26929, [Stream index: 0], Sequence number: 1 (relative sequence number), Acknowledgement number: 649 (relative ack number), Header length: 20 bytes, Flags: 0x10 (ACK), Window size: 7040 (scaled), Checksum: 0x6fd8 [validation disabled], [SEQ/ACK analysis] [The RTT to ACK the segment was: 0.024066000 seconds].]
Figure 5-26: Acknowledgement (ACK) to the data transfer.
50. Double-click on the row that has the first [FIN/ACK] occurrence in the Info column with your IP address as the source. (In this case it was row 21. See Figure 5-27.)
51. Expand the tree for Transmission Control Protocol.
52. Expand the tree for [SEQ/ACK analysis].
53. Highlight the row that indicates that this is a [FIN, ACK] packet.
54. Take a screenshot. (This was the first part of the connection termination. See Figure 5-28.)
[Figure 5-27 screenshot: packet list with row 21 selected (155.97.243.202 to 74.125.155.139, TCP, 26930 > http [FIN, ACK] Seq=612 Ack=147).]
Figure 5-27: Captured FIN/ACK packet from your computer.
[Figure 5-28 screenshot: Packet Details for the selected frame: Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35); Internet Protocol, Src: 155.97.243.202; Transmission Control Protocol, Src Port: 26930, Dst Port: http (80), [Stream index: 1], Sequence number: 612 (relative sequence number), Acknowledgement number: 147 (relative ack number), Header length: 20 bytes, Flags: 0x11 (FIN, ACK), Window size: 65390 (scaled), Checksum: 0xb1cb [validation disabled].]
Figure 5-28: FIN/ACK segment from your computer.
55. Double-click on the row that has the first [FIN, ACK] occurrence in the Info column with your IP
address as the destination. (In this case it was row 23. See Figure 5-29.)
56. Expand the tree for Transmission Control Protocol.
57. Expand the tree for [SEQ/ACK analysis].
58. Highlight the row that indicates that this is a [FIN, ACK] packet and an acknowledgement to the
first [FIN, ACK].
59. Take a screenshot. (This was the second part of the connection termination. See Figure 5-30.)
[Figure 5-29 screenshot: packet list with row 23 selected (74.125.155.139 to 155.97.243.202, TCP, http > 26930 [FIN, ACK] Seq=147 Ack=613).]
Figure 5-29: Captured FIN/ACK packet from the Web server.
[Figure 5-30 screenshot: Packet Details for the selected frame: Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f); Internet Protocol, Src: 74.125.155.139, Dst: 155.97.243.202; Transmission Control Protocol, Src Port: http (80), Dst Port: 26930, [Stream index: 1], Sequence number: 147 (relative sequence number), Acknowledgement number: 613 (relative ack number), Header length: 20 bytes, Flags: 0x11 (FIN, ACK), Window size: 6976 (scaled), Checksum: 0x3115 [validation disabled], [SEQ/ACK analysis] [This is an ACK to the segment in frame: 21] [The RTT to ACK the segment was: 0.024001000 seconds].]
Figure 5-30: FIN/ACK segment from the Web server.
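Added example (not from the lab manual or from Wireshark): a Python script that reads Info-column lines like those in Figure 5-20, groups them into streams, labels every segment as connection establishment, data transfer and acknowledgement, or connection termination, and works out which earlier frame each ACK acknowledges, the same check the [SEQ/ACK analysis] tree shows as "This is an ACK to the segment in frame: N". The sample lines are constructed with Seq, Ack and Len visible on every row, as Wireshark shows them with HTTP dissection turned off.

```python
import re
from collections import defaultdict

INFO_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+) \[(?P<flags>[A-Z, ]+)\] Seq=(?P<seq>\d+)"
    r"(?: Ack=(?P<ack>\d+))? Win=\d+ Len=(?P<len>\d+)")


def parse_info(frame_no, line):
    """One Info-column line -> segment record; numbers are relative, as Wireshark shows them."""
    m = INFO_RE.match(line)
    if not m:
        raise ValueError("frame %d: not a TCP Info line: %r" % (frame_no, line))
    flags = {f.strip() for f in m["flags"].split(",")}
    seq, length = int(m["seq"]), int(m["len"])
    return {"frame": frame_no, "src": m["src"], "dst": m["dst"], "flags": flags,
            "seq": seq, "ack": int(m["ack"]) if m["ack"] else None, "len": length,
            # SYN and FIN each take one sequence number, so the peer acknowledges
            # this whole segment with Ack == end
            "end": seq + length + ("SYN" in flags) + ("FIN" in flags)}


def analyze(lines):
    """{frame: (stream, phase, acked_frame)} for Info lines in capture order (frame 1 first)."""
    segments = [parse_info(i + 1, line) for i, line in enumerate(lines)]
    streams = defaultdict(list)        # keyed by port pair, like Wireshark's stream index
    for s in segments:
        streams[tuple(sorted((s["src"], s["dst"])))].append(s)
    result = {}
    for key, seglist in streams.items():
        syn_from, synack_seen, established, terminating = None, False, False, False
        unacked = []                   # segments still waiting for an exact ACK
        for s in seglist:
            if "FIN" in s["flags"]:
                terminating = True
            if terminating:
                phase = "termination"
            elif established:
                phase = "data transfer"
            else:
                phase = "establishment"
                if "SYN" in s["flags"] and "ACK" not in s["flags"]:
                    syn_from = s["src"]
                elif "SYN" in s["flags"]:
                    synack_seen = True
                elif synack_seen and s["src"] == syn_from and "ACK" in s["flags"]:
                    established = True     # 3-way opening complete
            # Wireshark's "[This is an ACK to the segment in frame: N]": the latest
            # segment from the other side whose end equals this Ack number.
            acked = None
            if s["ack"] is not None:
                for prev in unacked:
                    if prev["src"] == s["dst"] and prev["end"] == s["ack"]:
                        acked = prev["frame"]
                if acked is not None:
                    unacked = [p for p in unacked
                               if not (p["src"] == s["dst"] and p["end"] <= s["ack"])]
            if s["end"] > s["seq"]:    # SYN, FIN or payload: something to acknowledge
                unacked.append(s)
            result[s["frame"]] = (key, phase, acked)
    return result


def summarize(lines):
    """{stream: {phase: [frames]}}: the three parts of each TCP transaction."""
    out = defaultdict(lambda: defaultdict(list))
    for frame, (stream, phase, _) in sorted(analyze(lines).items()):
        out[stream][phase].append(frame)
    return {k: dict(v) for k, v in out.items()}


# Constructed Info lines modelled on Figure 5-20, in the TCP form for every row (as
# shown with HTTP dissection off) so Seq, Ack and Len are visible on each one.
SAMPLE_INFO = [
    "26929 > http [SYN] Seq=0 Win=65535 Len=0",
    "http > 26929 [SYN, ACK] Seq=0 Ack=1 Win=5720 Len=0",
    "26929 > http [ACK] Seq=1 Ack=1 Win=65536 Len=0",
    "26929 > http [PSH, ACK] Seq=1 Ack=1 Win=65536 Len=648",
    "http > 26929 [ACK] Seq=1 Ack=649 Win=7040 Len=0",
    "http > 26929 [ACK] Seq=1 Ack=649 Win=7040 Len=1380",
    "http > 26929 [ACK] Seq=1381 Ack=649 Win=7040 Len=1380",
    "26929 > http [ACK] Seq=649 Ack=2761 Win=65536 Len=0",
    "http > 26929 [PSH, ACK] Seq=2761 Ack=649 Win=7040 Len=705",
    "26930 > http [SYN] Seq=0 Win=65535 Len=0",
    "http > 26930 [SYN, ACK] Seq=0 Ack=1 Win=5720 Len=0",
    "26930 > http [ACK] Seq=1 Ack=1 Win=65536 Len=0",
    "26930 > http [PSH, ACK] Seq=1 Ack=1 Win=65536 Len=611",
    "http > 26930 [PSH, ACK] Seq=1 Ack=612 Win=7040 Len=146",
    "26930 > http [ACK] Seq=612 Ack=147 Win=65390 Len=0",
    "26930 > http [FIN, ACK] Seq=612 Ack=147 Win=65390 Len=0",
    "26929 > http [FIN, ACK] Seq=649 Ack=3466 Win=65536 Len=0",
    "http > 26930 [FIN, ACK] Seq=147 Ack=613 Win=6976 Len=0",
    "26930 > http [ACK] Seq=613 Ack=148 Win=65390 Len=0",
    "http > 26929 [FIN, ACK] Seq=3466 Ack=650 Win=7040 Len=0",
    "26929 > http [ACK] Seq=650 Ack=3467 Win=65536 Len=0",
]

if __name__ == "__main__":
    for stream, phases in summarize(SAMPLE_INFO).items():
        print(stream, phases)
```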
THOUGHT QUESTIONS
1. Did the packets you captured have a TTL listed? Why?
2. Why do packets have both IP addresses and MAC addresses on them?
3. Which packet had the html code for Google's page (Hint: 200)?
4. What do all the letters and numbers in the bottom pane represent?
5.4 CONTENTS OF A PACKET (CAPTURE AN EMAIL)
In this project you will capture a packet and look at its contents. You will use Wireshark to capture
packets containing an email message. You will send an email to a generic Hotmail.com account and
capture it as it's going over the network. Then you will look at the contents of the email without opening
it in an email client.
Most email traffic has traditionally not been encrypted. However, many providers are starting to make
encrypted email an option for their users. A packet sniffer allows you to look at the contents of many
different types of packets.
1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen. (Your NIC will undoubtedly have a different name.)
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-31.)
[Figure 5-31 screenshot: Capture Options dialog, Interface: Realtek RTL8139/810x Family Fast Ethernet NIC, Capture Filter "tcp port 80", alongside part of a Windows Live Hotmail browser window. The caption for this figure did not survive extraction.]
[Figure 5-5 screenshot: packet list of HTTP and TCP traffic between 155.97.243.201, 155.99.22.200 and 64.233.167.147; the selected packet's Hypertext Transfer Protocol tree shows GET / HTTP/1.1 with Accept, Accept-Language: en-us, UA-CPU: x86, Accept-Encoding: gzip, deflate, User-Agent (MSIE 7.0, Windows NT 5.1), Host: www.google.com, Connection: Keep-Alive and Cookie headers, and the bytes pane shows the same data in hex and ASCII.]
Figure 5-5: Viewing the contents of a packet.
4. Close ALL other programs you currently have open except your word processing program
(Microsoft Word, OpenOffice Writer, etc.).
5. Click Start.
6. Open a Web browser and go to www.Google.com.
7. Click Capture and Stop.
8. Scroll down until you see a line that has GET / HTTP/1.1. (You may have to try more than one
until you get to the www.Google.com packet.)
9. Select that row.
10. In the bottom pane you will see a bunch of numbers to the left. (It's the contents of the packet in
hexadecimal.) Just to the right you will see the contents of the packet in a column.
11. Select the text www.Google.com.
12. Take a screenshot. (See Figure 5-5.)
[Screenshot: Capture Options dialog with Capture Filter set to "tcp port 80 and host www.microsoft.com".]
Figure 5-6: Capture filter to include www.microsoft.com.
[Screenshot: packet list of 34 captured packets, all between 155.97.243.202 and 65.55.21.250 on port 80 (TCP and HTTP rows).]
Figure 5-7: Captured packets.
13. Click Capture and Options.
14. Enter "tcp port 80 and host www.microsoft.com" in the box next to Capture Filter. (See Figure 5-6.)
15. Click Start.
16. Open a Web browser and go to www.Google.com. (You shouldn't pick up any packets.)
17. Go to www.Microsoft.com in your Web browser. (You should pick up several packets.)
18. Click Capture and Stop.
19. Take a screenshot. (See Figure 5-7.)
[Screenshot: Capture Options dialog with Capture Filter set to "tcp port 80 and host www.microsoft.com and src port 80".]
Figure 5-8: Capture filter to include "src port 80."
[Screenshot: packet list of 45 captured packets; every row has the same source address (64.4.31.252) and the destination 155.97.243.202.]
Figure 5-9: Captured packets from one source IP.
20. Click Capture and Options.
21. Enter "tcp port 80 and host www.microsoft.com and src port 80" in the box next to Capture Filter.
(See Figure 5-8.)
22. Click Start.
23. Go to www.Microsoft.com in your Web browser. (You should pick up several packets with the
same source IP.)
24. Click Capture and Stop.
25. Take a screenshot. (See Figure 5-9.)
[Screenshot: Capture Options dialog with Capture Filter set to "port 53".]
Figure 5-10: Capture filter for port 53.
[Screenshot: packet list of DNS "Standard query" packets; the Packet Details pane shows the Queries entry expanded to Name, Type: A (Host address) and Class: IN (0x0001).]
Figure 5-11: Captured DNS packets.
26. Click Capture and Options.
27. Enter "port 53" in the box next to Capture Filter. (See Figure 5-10.)
28. Click Start.
29. Go to www.Microsoft.com in your Web browser. (You should pick up several packets colored
blue by default. These are DNS requests.)
30. Click Capture and Stop.
31. Click on the first row.
32. Highlight the Microsoft entry in the Packet Contents pane.
33. Take a screenshot. (See Figure 5-11.)
In this project you learned how to 1) capture packets going to a specific port, 2) capture traffic addressed
to a specific host (or IP address), 3) capture only the source/destination port, and 4) capture DNS traffic.
For a list of the possible ports you can specify you can go to the following link:
http://wiki.wireshark.org/PortReference.
By filtering only Web traffic (port 80) there was much less information to capture. There was even less
traffic if you specified a particular Web site. You can even look at only one side of the conversation by
specifying a source or destination port. Wireshark's wiki (http://wiki.wireshark.org/FrontPage) has a lot
of information about how to capture specific kinds of traffic and even provides some sample captures.
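The capture filters used in this project are evaluated below with a small matcher, added here as an illustration and not part of the lab manual or of Wireshark: it supports only the primitives this project uses (tcp, udp, port, src port, dst port, host, joined by "and") and runs them over constructed packet records, so you can see why "host" keeps both directions of a conversation while "src port 80" keeps only the server's side. The name-to-address table and the DNS server address are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


# Constructed name table (assumption). libpcap resolves a host name in a capture
# filter once, when the capture starts, so the filter really compares addresses.
HOSTS = {"www.microsoft.com": "65.55.21.250", "www.google.com": "64.233.167.147"}


def parse_filter(expr):
    """Split a capture filter into (kind, value) tests. Only the primitives this
    project uses are supported: tcp, udp, port N, src port N, dst port N,
    host H, joined with 'and'."""
    tests = []
    for clause in re.split(r"\s+and\s+", expr.strip()):
        w = clause.split()
        if w and w[0] in ("tcp", "udp"):        # "tcp port 80" = proto + port
            tests.append(("proto", w.pop(0)))
            if not w:
                continue
        if len(w) == 2 and w[0] == "port":
            tests.append(("port", int(w[1])))
        elif len(w) == 3 and w[0] in ("src", "dst") and w[1] == "port":
            tests.append((w[0] + "port", int(w[2])))
        elif len(w) == 2 and w[0] == "host":
            tests.append(("host", HOSTS.get(w[1], w[1])))
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return tests


def matches(pkt, tests):
    """True when the packet satisfies every clause of an 'and' filter."""
    for kind, value in tests:
        if kind == "proto" and pkt.proto != value:
            return False
        if kind == "port" and value not in (pkt.sport, pkt.dport):
            return False          # "port N" matches either end of the conversation
        if kind == "srcport" and pkt.sport != value:
            return False          # "src port N" keeps one direction only
        if kind == "dstport" and pkt.dport != value:
            return False
        if kind == "host" and value not in (pkt.src, pkt.dst):
            return False          # "host H" matches packets to or from H
    return True


def apply_filter(expr, packets):
    tests = parse_filter(expr)
    return [p for p in packets if matches(p, tests)]


# Constructed sample traffic; the client address is the one in this project's
# screenshots, the DNS server address is a placeholder.
ME, DNS = "155.97.243.202", "192.0.2.53"
SAMPLE = [
    Packet("udp", ME, DNS, 1025, 53),                          # DNS query
    Packet("udp", DNS, ME, 53, 1025),                          # DNS answer
    Packet("tcp", ME, HOSTS["www.microsoft.com"], 24119, 80),  # SYN to Microsoft
    Packet("tcp", HOSTS["www.microsoft.com"], ME, 80, 24119),  # SYN/ACK back
    Packet("tcp", ME, HOSTS["www.google.com"], 26929, 80),     # GET / to Google
    Packet("tcp", HOSTS["www.google.com"], ME, 80, 26929),     # 200 OK back
]

if __name__ == "__main__":
    for expr in ("tcp port 80",
                 "tcp port 80 and host www.microsoft.com",
                 "tcp port 80 and host www.microsoft.com and src port 80",
                 "port 53"):
        kept = apply_filter(expr, SAMPLE)
        print(f"{expr!r}: {len(kept)} of {len(SAMPLE)} packets")
```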
THOUGHT QUESTIONS
1. Why does your computer send so many packets? Why not send just one really big packet?
2. What do SYN, ACK, FIN, GET mean?
3. Can you capture all of the packets for an entire network?
4. Can Wireshark automatically resolve the IP address into host names?
5.3 PACKET INSPECTION
In the prior project you learned how to capture specific types of traffic. In this project you will look at the
parts of a packet. Each packet comes with a lot of information that the end user never sees. Each packet
has 1) both source and destination IP addresses, 2) both source and destination MAC addresses, 3) a TTL,
and 4) both source and destination port numbers. In addition, they also have information about window
size, IP version, timings, sequence numbers, etc.
Understanding the contents of a packet helps you understand how TCP/IP (and the Internet) works in the
real world. Each field in a packet serves a purpose. There are also different types of packets (UDP, ICMP,
etc.) that perform different functions. You will also walk through a TCP connection in this project.
Understanding these fundamental components is critical to becoming a good network administrator.
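The fields listed above can be read straight out of the raw bytes that the bottom pane shows. The following example is added here and is not part of the lab manual: it assembles an Ethernet II / IPv4 / TCP frame shaped like frame 3 of this project's capture (the MAC addresses, IP addresses and ports are the ones in the screenshots; sequence numbers and the IP identification field are constructed) and decodes it field by field the way the Packet Details pane does, including recomputing the IP header checksum that Wireshark reports as "[validation disabled]".

```python
import struct

FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG")]


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field
    is zero; Wireshark shows '[validation disabled]' because it skips this."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack,
                flags, ttl=128, payload=b""):
    """Minimal frame builder; the TCP checksum is left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    # version 4, IHL 5, DF set, protocol 6 (TCP); identification is constructed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xDBA3, 0x4000,
                     ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp


def parse_frame(frame):
    """Decode the three headers and return the fields the lab asks you to find."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags, window,
     _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4          # TCP header length in bytes
    return {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
        "ttl": ttl,
        # recompute over the header with the checksum field zeroed
        "ip_checksum_ok": ip_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in FLAG_BITS if off_flags & bit],
        "window": window,
        "payload": tcp[data_off:],
    }


# Constructed frames modelled on frames 3 and 4 of the capture in this project.
CLIENT_MAC, SERVER_MAC = "00:13:d3:52:74:35", "00:1f:29:71:bf:0f"
CLIENT_IP, SERVER_IP = "155.97.243.202", "74.125.155.103"
FRAME_3 = build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 26929, 80,
                      seq=1_000_001, ack=5_000_001, flags=0x10)      # [ACK]
FRAME_4 = build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 26929, 80,
                      seq=1_000_001, ack=5_000_001, flags=0x18,      # [PSH, ACK]
                      payload=b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n")


def with_ttl(frame, ttl):
    """Overwrite the TTL byte (IP offset 8, frame offset 22) without fixing the
    checksum, to show what the checksum field catches."""
    return frame[:22] + bytes([ttl]) + frame[23:]


if __name__ == "__main__":
    for name, frame in (("frame 3", FRAME_3), ("frame 4", FRAME_4)):
        fields = parse_frame(frame)
        print(name, len(frame), "bytes:",
              {k: v for k, v in fields.items() if k != "payload"})
```

Wireshark displays sequence and acknowledgement numbers relative to the first SYN of the stream; the parser above returns the raw 32-bit values that are actually on the wire.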
1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen.
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-12.)
[Screenshot: Capture Options dialog with Capture Filter set to "tcp port 80".]
Figure 5-12: Configuring Wireshark to capture port 80 packets.
[Screenshot: Create Shortcut wizard with "www.Google.com" entered as the location of the item.]
Figure 5-13: Captured packets for www.Google.com.
4. Close ALL other programs you currently have open except your word processing program.
5. Right-click anywhere on your desktop.
6. Select New and Shortcut.
7. Enter "www.Google.com". (See Figure 5-13.)
8. Click Next.
9. Enter "Google" for the name. (See Figure 5-14.)
10. Click Finish.
[Screenshot: Create Shortcut wizard asking for the shortcut's name.]
Figure 5-14: Naming the shortcut.
[Screenshot: packet list with the GET / HTTP/1.1 packet (frame 4, 702 bytes) selected and the Host line visible in the packet bytes.]
Figure 5-15: GET request showing Google's hostname.
11. Close all other Web browsers. (This will reduce the number of packets you capture.)
12. Go back to Wireshark and click Start.
13. Double-click the Google shortcut on your desktop.
14. Wait for the page to load.
15. Close your Web browser.
16. Go back to Wireshark and click Stop.
17. Click on the line that has Get in the Info field. (In this example it was the 4th packet. See Figure 5-15.)
18. In the Packet Details pane (the middle pane) click on the line labeled "Ethernet II."
19. Click on the line labeled "Source."
20. Take a screenshot. (See Figure 5-16.)
21. Open a command prompt by clicking Start and Run.
22. Type CMD
23. Type ipconfig /all
24. Take a screenshot. (Notice that the MAC and IP addresses are the same as those shown in the
Wireshark capture. In this case the MAC address was 00-13-D3-52-74-35. See Figure 5-17.)
[Screenshot: frame 4 selected; the Packet Details pane shows Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35), Dst: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Type: IP (0x0800), with the Source hardware address (eth.src, 6 bytes) highlighted.]
Figure 5-16: Source MAC address on a packet.
[Screenshot: command prompt showing the output of ipconfig /all.]
Figure 5-17: DOS prompt showing MAC addresses.
25. In the Packet Details pane (the middle pane) click on the line labeled "Hypertext Transfer
Protocol."
26. Click on the line labeled "Cookie."
27. Take a screenshot. (See Figure 5-18.)
28. In the File menu click Analyze and Follow TCP Stream.
29. Take a screenshot. (See Figure 5-19.)
Figure 5-18: Cookie within a packet.
Figure 5-19: Contents of a TCP stream.
Note: In the next part of this project you are going to identify the three parts of a TCP transaction. You
will identify 1) connection establishment, 2) data transfer and acknowledgement, and 3) connection
termination. You will identify these parts of the TCP process by looking in the Info column of the capture
you just performed.
30. In the File menu click View and Packet Details. (This should make the middle pane disappear.)
31. In the File menu click View and Packet Bytes. (This should make the bottom pane disappear.)
32. Maximize the Wireshark window so you can clearly see the column labeled Info.
33. Click on the row that has the first [SYN] occurrence in the Info column. (In this case it was row 1
in the list. It may be farther down in your list of captured packets.)
34. Take a screenshot. (See Figure 5-20.)
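The three parts of the TCP transaction that the following steps have you find by hand can be labeled automatically from the same packet list. The example below is added here and is not from the lab manual: it walks the rows of Figure 5-20 in order (transcribed as constructed records; the ports come from the Packet Details pane, and Info values that the screenshot cut off are filled in as constructed) and assigns every frame to connection establishment, data transfer and acknowledgement, or connection termination using only the flags in the Info column.

```python
import re
from collections import defaultdict

ESTABLISH = "connection establishment"
DATA = "data transfer and acknowledgement"
TERMINATE = "connection termination"

# Rows transcribed from Figure 5-20: (frame, src port, dst port, Info).
# Wireshark shows port 80 as "http"; the Info text is abbreviated.
ROWS = [
    (1, 26929, 80, "26929 > http [SYN] Seq=0 Win=65535"),
    (2, 80, 26929, "http > 26929 [SYN, ACK] Seq=0 Ack=1"),
    (3, 26929, 80, "26929 > http [ACK] Seq=1 Ack=1"),
    (4, 26929, 80, "GET / HTTP/1.1"),
    (5, 80, 26929, "http > 26929 [ACK] Seq=1 Ack=649"),
    (6, 80, 26929, "[TCP segment of a reassembled PDU]"),
    (7, 80, 26929, "[TCP segment of a reassembled PDU]"),
    (8, 26929, 80, "26929 > http [ACK] Seq=649 Ack=2761"),
    (9, 80, 26929, "HTTP/1.1 200 OK (text/html)"),
    (10, 26930, 80, "26930 > http [SYN] Seq=0 Win=65535"),
    (11, 26929, 80, "GET /csi?v=3&s=webhp HTTP/1.1"),
    (12, 80, 26930, "http > 26930 [SYN, ACK] Seq=0 Ack=1"),
    (13, 26930, 80, "26930 > http [ACK] Seq=1 Ack=1"),
    (14, 26930, 80, "GET /generate_204 HTTP/1.1"),
    (15, 80, 26930, "http > 26930 [ACK] Seq=1 Ack=612"),
    (16, 80, 26930, "HTTP/1.1 204 No Content"),
    (17, 80, 26929, "http > 26929 [ACK] Seq=3466 Ack=1386"),
    (18, 80, 26929, "HTTP/1.1 204 No Content"),
    (19, 26930, 80, "26930 > http [ACK] Seq=612 Ack=147"),
    (20, 26929, 80, "26929 > http [ACK] Seq=1386 Ack=3702"),
    (21, 26930, 80, "26930 > http [FIN, ACK] Seq=612 Ack=147"),
    (22, 26929, 80, "26929 > http [FIN, ACK] Seq=1386 Ack=3702"),
    (23, 80, 26930, "http > 26930 [FIN, ACK] Seq=147 Ack=613"),
    (24, 26930, 80, "26930 > http [ACK] Seq=613 Ack=148"),
    (25, 80, 26929, "http > 26929 [FIN, ACK] Seq=3702 Ack=1387"),
    (26, 26929, 80, "26929 > http [ACK] Seq=1387 Ack=3703"),
]


def flags_of(info):
    """Pull the TCP flag list out of an Info string such as
    '26929 > http [SYN, ACK] ...'; HTTP and reassembled-PDU rows have none."""
    m = re.search(r"\[([A-Z]{3}(?:, [A-Z]{3})*)\]", info)
    return set(m.group(1).split(", ")) if m else set()


def classify(rows):
    """Label every frame with (stream, phase), tracking one state per stream."""
    state, phases = {}, {}
    for frame, sport, dport, info in rows:
        stream = tuple(sorted((sport, dport)))   # same key for both directions
        st = state.get(stream, "closed")
        f = flags_of(info)
        if "SYN" in f and "ACK" not in f:          # client opens (step 33)
            st, phase = "syn_sent", ESTABLISH
        elif "SYN" in f:                           # server's SYN/ACK (step 35)
            st, phase = "syn_received", ESTABLISH
        elif st == "syn_received" and "ACK" in f:  # third packet of the 3-way opening (step 40)
            st, phase = "established", ESTABLISH
        elif "FIN" in f:                           # first or second FIN/ACK (steps 50 and 55)
            st, phase = ("fin_wait" if st == "established" else "last_ack"), TERMINATE
        elif st in ("fin_wait", "last_ack") and "ACK" in f:
            st, phase = ("closed" if st == "last_ack" else st), TERMINATE
        else:                                      # GETs, responses, PDUs, data ACKs (step 45)
            phase = DATA
        state[stream] = st
        phases[frame] = (stream, phase)
    return phases


def summarize(rows):
    """{stream: {phase: [frame numbers]}} in capture order."""
    out = defaultdict(lambda: defaultdict(list))
    for frame, (stream, phase) in classify(rows).items():
        out[stream][phase].append(frame)
    return out


if __name__ == "__main__":
    for stream, by_phase in summarize(ROWS).items():
        print("stream", stream)
        for phase in (ESTABLISH, DATA, TERMINATE):
            print(f"  {phase}: frames {by_phase[phase]}")
```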
Packet list shown in Figure 5-20 (the Info column is cut off at the right edge of the screenshot):
No.  Time      Source           Destination      Protocol  Info
 1   0.000000  155.97.243.202   74.125.155.103   TCP       26929 > http [SYN] Seq=0 Win=65535
 2   0.024056  74.125.155.103   155.97.243.202   TCP       http > 26929 [SYN, ACK] Seq=0 Ack=1 Win
 3   0.024108  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=1 Ack=1 Win=6553
 4   0.025727  155.97.243.202   74.125.155.103   HTTP      GET / HTTP/1.1
 5   0.049793  74.125.155.103   155.97.243.202   TCP       http > 26929 [ACK] Seq=1 Ack=649 Win=70
 6   0.059043  74.125.155.103   155.97.243.202   TCP       [TCP segment of a reassembled PDU]
 7   0.059087  74.125.155.103   155.97.243.202   TCP       [TCP segment of a reassembled PDU]
 8   0.059114  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=649 Ack=2761 Win
 9   0.059128  74.125.155.103   155.97.243.202   HTTP      HTTP/1.1 200 OK (text/html)
10   0.144161  155.97.243.202   74.125.155.139   TCP       26930 > http [SYN] Seq=0 Win=65535 Len=
11   0.158304  155.97.243.202   74.125.155.103   HTTP      GET /csi?v=3&s=webhp&action=&srt=254&e=
12   0.168459  74.125.155.139   155.97.243.202   TCP       http > 26930 [SYN, ACK] Seq=0 Ack=1 Win
13   0.168505  155.97.243.202   74.125.155.139   TCP       26930 > http [ACK] Seq=1 Ack=1 Win=6553
14   0.168729  155.97.243.202   74.125.155.139   HTTP      GET /generate_204 HTTP/1.1
15   0.192817  74.125.155.139   155.97.243.202   TCP       http > 26930 [ACK] Seq=1 Ack=612 Win=69
16   0.192978  74.125.155.139   155.97.243.202   HTTP      HTTP/1.1 204 No Content
17   0.221706  74.125.155.103   155.97.243.202   TCP       http > 26929 [ACK] Seq=3466 Ack=1386 Wi
18   0.262909  74.125.155.103   155.97.243.202   HTTP      HTTP/1.1 204 No Content
19   0.345198  155.97.243.202   74.125.155.139   TCP       26930 > http [ACK] Seq=612 Ack=147 Win=
20   0.447716  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=1386 Ack=3702 Wi
21   3.260627  155.97.243.202   74.125.155.139   TCP       26930 > http [FIN, ACK] Seq=612 Ack=147
22   3.260718  155.97.243.202   74.125.155.103   TCP       26929 > http [FIN, ACK] Seq=1386 Ack=37
23   3.284628  74.125.155.139   155.97.243.202   TCP       http > 26930 [FIN, ACK] Seq=147 Ack=613
24   3.284668  155.97.243.202   74.125.155.139   TCP       26930 > http [ACK] Seq=613 Ack=148 Win=
25   3.284694  74.125.155.103   155.97.243.202   TCP       http > 26929 [FIN, ACK] Seq=3702 Ack=13
26   3.284707  155.97.243.202   74.125.155.103   TCP       26929 > http [ACK] Seq=1387 Ack=3703 Wi
Packets: 26 Displayed: 26 Marked: 0 Dropped: 0
Figure 5-20: Captured SYN packet.
35. Double-click on the next row that has the first [SYN, ACK] occurrence in the Info column. (In
this case it was row 2. See Figure 5-21.)
36. Expand the tree for Transmission Control Protocol.
37. Expand the tree for [SEQ/ACK analysis].
38. Highlight the row that indicates that this [SYN, ACK] packet is an acknowledgement to the prior
packet.
39. Take a screenshot. (See Figure 5-22.)
Packet Details for frame 2 as shown in Figures 5-21 and 5-22 (only the values legible in the screenshot are kept):
Frame 2 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Dst: Micro-St_52:74:35 (00:13:d3:52:74:35)
Internet Protocol, Src: 74.125.155.103 (74.125.155.103), Dst: 155.97.243.202 (155.97.243.202)
Transmission Control Protocol, Src Port: http (80), Dst Port: 26929 (26929)
  Source port: http (80)
  Destination port: 26929 (26929)
  Sequence number: 0 (relative sequence number)
  Acknowledgement number: 1 (relative ack number)
  Header length: 32 bytes
  Flags: 0x12 (SYN, ACK)
  Window size: 5720
  Options: (12 bytes)
  [SEQ/ACK analysis]
    [The RTT to ACK the segment was: 0.024056000 seconds]
Figure 5-21: Captured SYN/ACK packet.
Figure 5-22: Noting the acknowledgement (ACK) to a segment.
40. Double-click on the next row that has an [ACK] occurrence after the [SYN, ACK] packet in the
Info column. (In this case it was row 3. See Figure 5-23.)
41. Expand the tree for Transmission Control Protocol.
42. Expand the tree for [SEQ/ACK analysis].
43. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior [SYN,
ACK] packet you just looked at.
44. Take a screenshot. (This was the 3-way opening. See Figure 5-24.)
Packet Details for frame 3 as shown in Figures 5-23 and 5-24 (only the values legible in the screenshot are kept):
Frame 3 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35), Dst: HewlettP_71:bf:0f (00:1f:29:71:bf:0f)
Internet Protocol, Src: 155.97.243.202 (155.97.243.202), Dst: 74.125.155.103 (74.125.155.103)
Transmission Control Protocol, Src Port: 26929 (26929), Dst Port: http (80)
  Source port: 26929 (26929)
  Destination port: http (80)
  [Stream index: 0]
  Sequence number: 1 (relative sequence number)
  Acknowledgement number: 1 (relative ack number)
  Header length: 20 bytes
  Flags: 0x10 (ACK)
  Window size: 65536 (scaled)
  [SEQ/ACK analysis]
    [The RTT to ACK the segment was: 0.000052000 seconds]
Figure 5-23: Captured ACK packet.
Figure 5-24: Acknowledgement (ACK) to the 3-way opening.
45. Double-click on the next row that has an [ACK] occurrence after the GET request in the Info
column. (In this case it was row 5. See Figure 5-25.)
46. Expand the tree for Transmission Control Protocol.
47. Expand the tree for [SEQ/ACK analysis].
48. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior GET
request. (In this case it was frame 4.)
49. Take a screenshot. (This is an acknowledgement of a data transfer. See Figure 5-26.)
Packet Details for frame 5 as shown in Figures 5-25 and 5-26 (only the values legible in the screenshot are kept):
Frame 5 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Dst: Micro-St_52:74:35 (00:13:d3:52:74:35)
Internet Protocol, Src: 74.125.155.103 (74.125.155.103), Dst: 155.97.243.202 (155.97.243.202)
Transmission Control Protocol, Src Port: http (80), Dst Port: 26929 (26929)
  Source port: http (80)
  Destination port: 26929 (26929)
  [Stream index: 0]
  Sequence number: 1 (relative sequence number)
  Acknowledgement number: 649 (relative ack number)
  Header length: 20 bytes
  Flags: 0x10 (ACK)
  Window size: 7040 (scaled)
  [SEQ/ACK analysis]
    [The RTT to ACK the segment was: 0.024066000 seconds]
Figure 5-25: Captured ACK packet.
Figure 5-26: Acknowledgement (ACK) to the data transfer.
50. Double-click on the row that has the first [FIN/ACK] occurrence in the Info column with your IP
address as the source. (In this case it was row 21. See Figure 5-27.)
51. Expand the tree for Transmission Control Protocol.
52. Expand the tree for [SEQ/ACK analysis].
53. Highlight the row that indicates that this is a [FIN, ACK] packet.
54. Take a screenshot. (This was the first part of the connection termination. See Figure 5-28.)
Packet Details for frame 21 as shown in Figures 5-27 and 5-28 (only the values legible in the screenshot are kept):
Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35), Dst: HewlettP_71:bf:0f (00:1f:29:71:bf:0f)
Internet Protocol, Src: 155.97.243.202 (155.97.243.202), Dst: 74.125.155.139 (74.125.155.139)
Transmission Control Protocol, Src Port: 26930 (26930), Dst Port: http (80)
  Source port: 26930 (26930)
  Destination port: http (80)
  [Stream index: 1]
  Sequence number: 612 (relative sequence number)
  Acknowledgement number: 147 (relative ack number)
  Header length: 20 bytes
  Flags: 0x11 (FIN, ACK)
  Window size: 65390 (scaled)
Figure 5-27: Captured FIN/ACK packet from your computer.
Figure 5-28: FIN/ACK segment from your computer.
55. Double-click on the row that has the first [FIN, ACK] occurrence in the Info column with your IP
address as the destination. (In this case it was row 23. See Figure 5-29.)
56. Expand the tree for Transmission Control Protocol.
57. Expand the tree for [SEQ/ACK analysis].
58. Highlight the row that indicates that this is a [FIN, ACK] packet and an acknowledgement to the
first [FIN, ACK].
59. Take a screenshot. (This was the second part of the connection termination. See Figure 5-30.)
Packet Details for frame 23 as shown in Figures 5-29 and 5-30 (only the values legible in the screenshot are kept):
Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Dst: Micro-St_52:74:35 (00:13:d3:52:74:35)
Internet Protocol, Src: 74.125.155.139 (74.125.155.139), Dst: 155.97.243.202 (155.97.243.202)
Transmission Control Protocol, Src Port: http (80), Dst Port: 26930 (26930)
  Source port: http (80)
  Destination port: 26930 (26930)
  [Stream index: 1]
  Sequence number: 147 (relative sequence number)
  Acknowledgement number: 613 (relative ack number)
  Header length: 20 bytes
  Flags: 0x11 (FIN, ACK)
  Window size: 6976 (scaled)
  [SEQ/ACK analysis]
    [This is an ACK to the segment in frame: 21]
    [The RTT to ACK the segment was: 0.024001000 seconds]
Figure 5-29: Captured FIN/ACK packet from the Web server.
Figure 5-30: FIN/ACK segment from the Web server.
THOUGHT QUESTIONS
1. Did the packets you captured have a TTL listed? Why?
2. Why do packets have both IP addresses and MAC addresses on them?
3. Which packet had the html code for Google's page (Hint: 200)?
4. What do all the letters and numbers in the bottom pane represent?
5.4 CONTENTS OF A PACKET (CAPTURE AN EMAIL)
In this project you will capture a packet and look at its contents. You will use Wireshark to capture
packets containing an email message. You will send an email to a generic Hotmail.com account and
capture it as it's going over the network. Then you will look at the contents of the email without opening
it in an email client.
Most email traffic has traditionally not been encrypted. However, many providers are starting to make
encrypted email an option for their users. A packet sniffer allows you to look at the contents of many
different types of packets.
1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface dropdown menu at the top of the screen. (Your NIC will undoubtedly have a different name.)
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-31.)
[Screenshot for Figure 5-31: Capture Options dialog with Capture Filter set to "tcp port 80"; a Windows Live Hotmail page is open in the Web browser behind it.]