1 Objective
In this lab, you will investigate the behavior of TCP by analyzing a trace of the TCP segments sent and
received in transferring a file from a server to a client. Specifically, you will accomplish the following:
• Experiment with TCP connections;
• Analyze TCP network traffic;
• Experiment with Wireshark, traffic monitoring and filters.
2 What is Wireshark?
Wireshark is an open source software project, and is released under the GNU General Public License (GPL).
You can freely use Wireshark on any number of computers you like, without worrying about license keys or
fees or such. In addition, all source code is freely available under the GPL.
Wireshark is a network packet analyzer. It tries to capture network packets and tries to display that
packet data as detailed as possible.
You could think of a network packet analyzer as a measuring device used to examine what’s going on
inside a network cable. Here are some examples people use Wireshark for:
• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals
Besides these examples Wireshark can be helpful in many other situations too. Wireshark allows:
• Live capture from many different network media: Wireshark can capture traffic from many different
network media types – and despite its name – including wireless LAN as well.
• Import files from many other capture programs: Wireshark can open packets captured from a large
number of other capture programs.
• Export files for many other capture programs: Wireshark can save packets captured in a large number
of formats of other capture programs.
• Many protocol dissectors such as TCP, IP, DNS, ICMP, etc.
The following are some of the many features Wireshark provides:
• Available for UNIX, Mac and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of
other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
IST 275 Wireshark & TCP Lab Summer 2019
• Save packet data captured.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
To explore Wireshark further, I refer you to the user-guide-Wireshark file posted on Blackboard.
3 Experimenting with TCP Wireshark Captures
As we mentioned in class, TCP is a common transport layer protocol. It is a reliable protocol (it
uses acknowledgements) and provides in-order delivery (it uses sequence numbers). Though
Wireshark captures all traffic on your network, in this lab we will focus on TCP traffic.
It is helpful to know that Wireshark displays relative sequence and acknowledgment
numbers, not actual numbers. To view the actual sequence number, select the segment in
the upper pane, expand the TCP header in the middle window, select the sequence or
ACK number field in the middle window, and examine the selected bytes in the lower
window.
In the lower window, Wireshark displays the raw bytes of the frame, covering every layer of the
TCP/IP stack. More details will be provided in class. Note that during this capture I visited The
Internet Engineering Task Force (IETF) at http://www.ietf.org.
You will answer the following questions based on the capture on the given file.
1. What is the IP address and TCP port number used by your client computer (source) to
transfer the file to http://www.ietf.org?
2. What is the IP address and port number used by the http://www.ietf.org server?
3. What is the sequence number of the TCP SYN segment that is used to initiate the TCP
connection between the client computer and ietf.org? What is it in the segment that
identifies the segment as a SYN segment?
4. (a) What is the sequence number of the SYN/ACK segment sent by ietf.org to the
client computer in reply to the SYN?
(b) What is the value of the ACKnowledgement flag field in the SYN/ACK segment?
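The questions above turn on three things: the flag bits that mark a segment as SYN or SYN/ACK, the absolute sequence numbers carried on the wire, and the relative numbers Wireshark shows by default (each direction's initial sequence number is displayed as 0). The following Python program is an added example, not part of the lab or of its capture file: it constructs a three-way handshake as raw Ethernet/IPv4/TCP frames (documentation addresses, placeholder MACs and arbitrary initial sequence numbers, all constructed), parses them back with `struct`, and prints the absolute and relative values side by side.

```python
"""Added example (not part of the lab): parse a constructed TCP three-way
handshake from raw Ethernet frames and compute Wireshark-style relative
sequence/acknowledgement numbers next to the absolute ones."""
import struct

# TCP flag bits in the low byte of the flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_mac, dst_mac, src, dst, seq, ack, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame with no payload (sample data).
    src and dst are (ip, port) tuples."""
    src_ip, sport = src
    dst_ip, dport = dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + tcp


def parse_frame(frame):
    """Extract the fields the lab questions ask about from one raw frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    tcp = ip[ihl:]
    sport, dport, seq, ack, _offs, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {
        "eth.src": frame[6:12].hex(":"), "eth.dst": frame[0:6].hex(":"),
        "ip.src": ".".join(str(b) for b in ip[12:16]),
        "ip.dst": ".".join(str(b) for b in ip[16:20]),
        "tcp.srcport": sport, "tcp.dstport": dport,
        "tcp.seq": seq, "tcp.ack": ack, "tcp.flags": flags,
        # boolean fields, present only when the bit is set (as in a display filter)
        "tcp.flags.syn": bool(flags & SYN), "tcp.flags.ack": bool(flags & ACK),
        "tcp.flags.fin": bool(flags & FIN),
    }


def relative_numbers(segments):
    """Mimic Wireshark's relative sequence numbers: the first seq seen in each
    direction (the ISN carried by the SYN / SYN-ACK) is treated as 0."""
    isn, out = {}, []
    for s in segments:
        fwd = (s["ip.src"], s["tcp.srcport"], s["ip.dst"], s["tcp.dstport"])
        rev = (s["ip.dst"], s["tcp.dstport"], s["ip.src"], s["tcp.srcport"])
        isn.setdefault(fwd, s["tcp.seq"])
        rel_seq = (s["tcp.seq"] - isn[fwd]) & 0xFFFFFFFF
        # the ack number is relative to the peer's ISN; a bare SYN has no peer ISN yet
        rel_ack = (s["tcp.ack"] - isn[rev]) & 0xFFFFFFFF if rev in isn else s["tcp.ack"]
        out.append((rel_seq, rel_ack))
    return out


# Constructed handshake: client 192.0.2.10:51234 -> server 203.0.113.80:80
# (documentation addresses, not the lab capture; MACs and ISNs are placeholders).
CLIENT, SERVER = ("192.0.2.10", 51234), ("203.0.113.80", 80)
C_MAC, S_MAC = "78:4f:43:aa:bb:cc", "00:00:5e:00:53:01"
C_ISN, S_ISN = 0x1A2B3C4D, 0x55667788
HANDSHAKE = [
    build_frame(C_MAC, S_MAC, CLIENT, SERVER, C_ISN, 0, SYN),                # SYN
    build_frame(S_MAC, C_MAC, SERVER, CLIENT, S_ISN, C_ISN + 1, SYN | ACK),  # SYN/ACK
    build_frame(C_MAC, S_MAC, CLIENT, SERVER, C_ISN + 1, S_ISN + 1, ACK),    # ACK
]


def handshake_report(frames=HANDSHAKE):
    """Return (parsed segments, relative (seq, ack) pairs) for a list of raw frames."""
    parsed = [parse_frame(f) for f in frames]
    return parsed, relative_numbers(parsed)


if __name__ == "__main__":
    segs, rel = handshake_report()
    for s, (rs, ra) in zip(segs, rel):
        print(f"{s['ip.src']}:{s['tcp.srcport']} -> {s['ip.dst']}:{s['tcp.dstport']} "
              f"flags=0x{s['tcp.flags']:02x} seq={s['tcp.seq']:#x} ack={s['tcp.ack']:#x} "
              f"[relative seq={rs} ack={ra}]")
```

Running it prints the SYN with flags 0x02, the SYN/ACK with flags 0x12 (SYN and ACK bits both set) and an ack equal to the client's ISN plus one, while the relative column reads (0, 0), (0, 1), (1, 1), which is what the packet list shows. Selecting the sequence number field in Wireshark's middle pane highlights the four absolute bytes in the lower pane, exactly the value `tcp.seq` holds here.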
4 Experimenting with Wireshark Filters
1. Assume the IP address of the client, determined in section 2 question 1, is the IP
address of your device.
(a) What class is your IP address?
(b) Write the command that lists frames originating from your device. Experiment
with it in the capture given to you.
(c) Write the command that lists frames received by your device.
(d) Write the command that lists TCP segments with a length less than 1500. Check
the results applied to the capture you have and make sure the condition is satisfied.
(e) Write the command that lists all HTTP request frames with a domain com or org.
Check the results applied to the capture you have.
(f) A boolean field is present in the protocol decode only if its value is true. For example,
tcp.flags.syn is present, and thus true, only if the SYN flag is present in a TCP segment
header. The filter expression tcp.flags.syn will select only those packets for which this
flag exists, that is, TCP segments where the segment header contains the SYN flag. List
all SYN TCP segments.
(g) Select all TCP segments where the FIN bit is set.
(h) What is the MAC address of your device? Write the command/filter you used to answer
the question.
(i) Wireshark allows you to select subsequences of a sequence in rather elaborate ways. The
example eth.src[0:3] == 00:00:83 uses the n:m format to specify a single range. In this
case n is the beginning offset and m is the length of the range being specified. The example
eth.src[1-2] == 00:83 uses the n-m format to specify a single range. In this case n is the
beginning offset and m is the ending offset. To use the above filter in an example, enter the
following: eth.src[0:3] == 78:4f:43. Study the output. Explain it in the box below.
(j) Wireshark allows you to test a field for membership in a set of values or fields. After the
field name, use the 'in' operator followed by the set items surrounded by braces. Use the
following filter: tcp.port in {80 53 8080}. Study the output and explain what the filter you
used does in the space below.
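To see what the filters in (b) through (j) select, and in particular how the n:m slice differs from the n-m slice, the following Python program is an added example (not part of the lab or its capture). It hand-builds six frame records with the fields a display filter would see (constructed addresses; the 78:4f:43 MAC prefix is taken from item (i)), then evaluates each lab filter as a predicate over those records. The dictionary keys are the Wireshark filter syntax that each predicate reproduces; `http.host matches "..."` uses Wireshark's regular-expression operator for the com/org question in (e), and `ip_class` answers (a) from the first octet.

```python
"""Added example (not part of the lab): evaluate the lab's display filters
over constructed frame records to show what each one selects."""
import re

# Constructed frame records, not the lab capture. The client MAC prefix 78:4f:43
# is the one the lab's slice example uses; the other addresses are placeholders.
MY_IP = "192.0.2.10"
FRAMES = [
    {"no": 1, "eth.src": "78:4f:43:aa:bb:cc", "ip.src": MY_IP, "ip.dst": "203.0.113.80",
     "tcp.srcport": 51234, "tcp.dstport": 80, "tcp.len": 0, "tcp.flags.syn": True},
    {"no": 2, "eth.src": "00:00:5e:00:53:01", "ip.src": "203.0.113.80", "ip.dst": MY_IP,
     "tcp.srcport": 80, "tcp.dstport": 51234, "tcp.len": 0,
     "tcp.flags.syn": True, "tcp.flags.ack": True},
    {"no": 3, "eth.src": "78:4f:43:aa:bb:cc", "ip.src": MY_IP, "ip.dst": "203.0.113.80",
     "tcp.srcport": 51234, "tcp.dstport": 80, "tcp.len": 1460, "tcp.flags.ack": True,
     "http.host": "www.ietf.org"},
    {"no": 4, "eth.src": "00:00:5e:00:53:01", "ip.src": "203.0.113.80", "ip.dst": MY_IP,
     "tcp.srcport": 80, "tcp.dstport": 51234, "tcp.len": 1500, "tcp.flags.ack": True},
    {"no": 5, "eth.src": "00:00:5e:00:53:02", "ip.src": "192.0.2.53", "ip.dst": MY_IP,
     "udp.srcport": 53, "udp.dstport": 40000},
    {"no": 6, "eth.src": "78:4f:43:aa:bb:cc", "ip.src": MY_IP, "ip.dst": "203.0.113.80",
     "tcp.srcport": 51234, "tcp.dstport": 80, "tcp.len": 0,
     "tcp.flags.fin": True, "tcp.flags.ack": True},
]


def ip_class(addr):
    """Classful address class from the first octet (question (a))."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def present(frame, field):
    """A boolean field exists only when true, so the bare field name selects those frames."""
    return bool(frame.get(field, False))


def mac_slice(mac, n, m, inclusive_end):
    """Wireshark slice: [n:m] means offset n, length m; [n-m] means offsets n..m inclusive."""
    octets = mac.split(":")
    part = octets[n:m + 1] if inclusive_end else octets[n:n + m]
    return ":".join(part)


def port_in(frame, proto, ports):
    """'tcp.port in {...}' matches if either the source or destination port is in the set."""
    return frame.get(f"{proto}.srcport") in ports or frame.get(f"{proto}.dstport") in ports


# The lab's filters as predicates over a record; the dict key is the Wireshark syntax.
FILTERS = {
    f"ip.src == {MY_IP}": lambda f: f.get("ip.src") == MY_IP,
    f"ip.dst == {MY_IP}": lambda f: f.get("ip.dst") == MY_IP,
    "tcp.len < 1500": lambda f: "tcp.len" in f and f["tcp.len"] < 1500,
    'http.host matches "\\.(com|org)$"':
        lambda f: "http.host" in f and re.search(r"\.(com|org)$", f["http.host"]) is not None,
    "tcp.flags.syn": lambda f: present(f, "tcp.flags.syn"),
    "tcp.flags.fin": lambda f: present(f, "tcp.flags.fin"),
    "eth.src[0:3] == 78:4f:43": lambda f: mac_slice(f["eth.src"], 0, 3, False) == "78:4f:43",
    "eth.src[1-2] == 00:83": lambda f: mac_slice(f["eth.src"], 1, 2, True) == "00:83",
    "tcp.port in {80 53 8080}": lambda f: port_in(f, "tcp", {80, 53, 8080}),
}


def apply_filters(frames=FRAMES, filters=FILTERS):
    """Return {filter text: [matching frame numbers]}."""
    return {text: [f["no"] for f in frames if pred(f)] for text, pred in filters.items()}


if __name__ == "__main__":
    print("class of", MY_IP, "=", ip_class(MY_IP))
    for text, hits in apply_filters().items():
        print(f"{text:40s} -> frames {hits}")
```

Two details are worth noticing in the output. Frame 4 carries exactly 1500 bytes of TCP payload and is therefore excluded by `tcp.len < 1500`, the boundary the lab asks you to verify. And `eth.src[0:3]` (three octets starting at offset 0) and `eth.src[1-2]` (octets 1 through 2 inclusive) are two-octet-different selections of the same address: for the MAC 00:00:83:11:22:33 from the lab text, the first yields 00:00:83 and the second 00:83, which is why the two example filters compare against values of different lengths. `tcp.port` matches either port of the segment, so the whole HTTP conversation (both directions) is selected by the set filter while the UDP DNS frame is not, even though its port 53 is in the set.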
(k) Display a timeline of the TCP session that was initiated from your device to download
the ietf.org page. Hint: go to Statistics → Flow Graph and set the right parameters to filter
the required session and traffic. Demonstrate your work to me in class.
(l) Open the Expert Info dialog by selecting Analyze → Expert Info. Explain the display and
the colors. Refer to the user-guide-Wireshark file posted on Blackboard for more details.
Wireshark User’s Guide
Preface
Foreword
Wireshark is one of those programs that many network managers would love to be able to use, but
they are often prevented from getting what they would like from Wireshark because of the lack of
documentation.
This document is part of an effort by the Wireshark team to improve the usability of Wireshark.
We hope that you find it useful and look forward to your comments.
Who should read this document?
The intended audience of this book is anyone using Wireshark.
This book will explain all the basics and also some of the advanced features that Wireshark
provides. As Wireshark has become a very complex program since the early days, not every feature
of Wireshark may be explained in this book.
This book is not intended to explain network sniffing in general and it will not provide details
about specific network protocols. A lot of useful information regarding these topics can be found at
the Wireshark Wiki at https://wiki.wireshark.org/.
By reading this book, you will learn how to install Wireshark, how to use the basic elements of the
graphical user interface (such as the menu) and what’s behind some of the advanced features that
are not always obvious at first sight. It will hopefully guide you around some common problems
that frequently appear for new (and sometimes even advanced) users of Wireshark.
Acknowledgements
The authors would like to thank the whole Wireshark team for their assistance. In particular, the
authors would like to thank:
• Gerald Combs, for initiating the Wireshark project and funding to do this documentation.
• Guy Harris, for many helpful hints and a great deal of patience in reviewing this document.
• Gilbert Ramirez, for general encouragement and helpful hints along the way.
The authors would also like to thank the following people for their helpful feedback on this
document:
• Pat Eyler, for his suggestions on improving the example on generating a backtrace.
• Martin Regner, for his various suggestions and corrections.
• Graeme Hewson, for a lot of grammatical corrections.
The authors would like to acknowledge those man page and README authors for the Wireshark
project from whom sections of this document borrow heavily:
• Scott Renfro from whose mergecap man page mergecap: Merging multiple capture files into one
is derived.
• Ashok Narayanan from whose text2pcap man page text2pcap: Converting ASCII hexdumps to
network captures is derived.
About this document
This book was originally developed by Richard Sharpe with funds provided from the Wireshark
Fund. It was updated by Ed Warnicke and more recently redesigned and updated by Ulf Lamping.
It was originally written in DocBook/XML and converted to AsciiDoc by Gerald Combs.
Where to get the latest copy of this document?
The latest copy of this documentation can always be found at https://www.wireshark.org/docs/.
Providing feedback about this document
Should you have any feedback about this document, please send it to the authors through
wireshark-dev[AT]wireshark.org.
Typographic Conventions
The following table shows the typographic conventions that are used in this guide.
Table 1. Typographic Conventions
Style           Description                                  Example
Italic          File names, folder names, and extensions     C:\Development\wireshark.
Monospace       Commands, flags, and environment variables   CMake's -G option.
Bold Monospace  Commands that should be run by the user      Run cmake -G Ninja …
[ Button ]      Dialog and window buttons                    Press [ Launch ] to go to the Moon.
Key             Keyboard shortcut                            Press Ctrl+Down to move to the next packet.
Menu            Menu item                                    Select Go › Next Packet to move to the next packet.
Admonitions
Important and notable items are marked as follows:
WARNING  This is a warning
         You should pay attention to a warning, otherwise data loss might occur.
NOTE     This is a note
         A note will point you to common mistakes and things that might not be obvious.
TIP      This is a tip
         Tips are helpful for your everyday work using Wireshark.
Shell Prompt and Source Code Examples
Bourne shell, normal user
$ # This is a comment
$ git config --global log.abbrevcommit true
Bourne shell, root user
# # This is a comment
# ninja install
Command Prompt (cmd.exe)
>rem This is a comment
>cd C:\Development
PowerShell
PS$># This is a comment
PS$>choco list -l
C Source Code
#include "config.h"

/* This method dissects foos */
static int
dissect_foo_message(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_)
{
    /* TODO: implement your dissecting code */
    return tvb_captured_length(tvb);
}
Introduction
What is Wireshark?
Wireshark is a network packet analyzer. A network packet analyzer will try to capture network
packets and tries to display that packet data as detailed as possible.
You could think of a network packet analyzer as a measuring device used to examine what’s going
on inside a network cable, just like a voltmeter is used by an electrician to examine what’s going on
inside an electric cable (but at a higher level, of course).
In the past, such tools were either very expensive, proprietary, or both. However, with the advent
of Wireshark, all that has changed.
Wireshark is perhaps one of the best open source packet analyzers available today.
Some intended purposes
Here are some examples people use Wireshark for:
• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• QA engineers use it to verify network applications
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals
Besides these examples Wireshark can be helpful in many other situations too.
Features
The following are some of the many features Wireshark provides:
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number
of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save packet data captured.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
• …and a lot more!
However, to really appreciate its power you have to start using it.
Wireshark captures packets and lets you examine their contents. Figure 1 shows Wireshark having
captured some packets and waiting for you to examine them.
Figure 1. Wireshark captures packets and lets you examine their contents.
Live capture from many different network media
Wireshark can capture traffic from many different network media types – and despite its name –
including wireless LAN as well. Which media types are supported depends on many things like the
operating system you are using. An overview of the supported media types can be found at
https://wiki.wireshark.org/CaptureSetup/NetworkMedia.
Import files from many other capture programs
Wireshark can open packets captured from a large number of other capture programs. For a list of
input formats see Input File Formats.
Export files for many other capture programs
Wireshark can save packets captured in a large number of formats of other capture programs. For
a list of output formats see Output File Formats.
Many protocol dissectors
There are protocol dissectors (or decoders, as they are known in other products) for a great many
protocols: see Protocols and Protocol Fields.
Open Source Software
Wireshark is an open source software project, and is released under the GNU General Public
License (GPL). You can freely use Wireshark on any number of computers you like, without
worrying about license keys or fees or such. In addition, all source code is freely available under
the GPL. Because of that, it is very easy for people to add new protocols to Wireshark, either as
plugins, or built into the source, and they often do!
What Wireshark is not
Here are some things Wireshark does not provide:
• Wireshark isn’t an intrusion detection system. It will not warn you when someone does strange
things on your network that he/she isn’t allowed to do. However, if strange things happen,
Wireshark might help you figure out what is really going on.
• Wireshark will not manipulate things on the network, it will only “measure” things from it.
Wireshark doesn’t send packets on the network or do other active things (except for name
resolutions, but even that can be disabled).
System Requirements
The amount of resources Wireshark needs depends on your environment and on the size of the
capture file you are analyzing. The values below should be fine for small to medium-sized capture
files no more than a few hundred MB. Larger capture files will require more memory and disk
space.
Busy networks mean large captures
NOTE
Working with a busy network can easily produce huge capture files. Capturing on a
gigabit or even 100 megabit network can produce hundreds of megabytes of
capture data in a short time. A fast processor, lots of memory and disk space is
always a good idea.
If Wireshark runs out of memory it will crash. See https://wiki.wireshark.org/KnownBugs/OutOfMemory
for details and workarounds.
Although Wireshark captures packets using a separate process, the main interface is single-threaded
and won't benefit much from multi-core systems.
Microsoft Windows
• The current version of Wireshark should support any version of Windows that is still within its
extended support lifetime. At the time of writing this includes Windows 10, 8, 7, Vista, Server
2016, Server 2012 R2, Server 2012, Server 2008 R2, and Server 2008.
• Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.
• 400 MB available RAM. Larger capture files require more RAM.
• 300 MB available disk space. Capture files require additional disk space.
• 1024 × 768 (1280 × 1024 or higher recommended) resolution with at least 16-bit color. 8-bit color
should work but user experience will be degraded. Power users will find multiple monitors
useful.
• A supported network card for capturing
◦ Ethernet. Any card supported by Windows should work. See the wiki pages on Ethernet
capture and offloading for issues that may affect your environment.
◦ 802.11. See the Wireshark wiki page. Capturing raw 802.11 information may be difficult
without special equipment.
◦ Other media. See https://wiki.wireshark.org/CaptureSetup/NetworkMedia.
Older versions of Windows which are outside Microsoft’s extended lifecycle support window are no
longer supported. It is often difficult or impossible to support these systems due to circumstances
beyond our control, such as third party libraries on which we depend or due to necessary features
that are only present in newer versions of Windows (such as hardened security or memory
management).
Wireshark 1.12 was the last release branch to support Windows Server 2003. Wireshark 1.10 was
the last branch to officially support Windows XP. See the Wireshark release lifecycle page for more
details.
UNIX / Linux
Wireshark runs on most UNIX and UNIX-like platforms including macOS and Linux. The system
requirements should be comparable to the Windows values listed above.
Binary packages are available for most Unices and Linux distributions including the following
platforms:
• Apple macOS
• Debian GNU/Linux
• FreeBSD
• Gentoo Linux
• HP-UX
• Mandriva Linux
• NetBSD
• OpenPKG
• Red Hat Enterprise/Fedora Linux
• Sun Solaris/i386
• Sun Solaris/SPARC
• Canonical Ubuntu
If a binary package is not available for your platform you can download the source and try to build
it. Please report your experiences to wireshark-dev[AT]wireshark.org.
Where to get Wireshark
You can get the latest copy of the program from the Wireshark website at
https://www.wireshark.org/download.html. The download page should automatically highlight the
appropriate download for your platform and direct you to the nearest mirror. Official Windows
and macOS installers are signed by the Wireshark Foundation.
A new Wireshark version typically becomes available each month or two.
If you want to be notified about new Wireshark releases you should subscribe to the
wireshark-announce mailing list. You will find more details in Mailing Lists.
A brief history of Wireshark
In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn
more about networking so he started writing Ethereal (the original name of the Wireshark project)
as a way to solve both problems.
Ethereal was initially released after several pauses in development in July 1998 as version 0.2.0.
Within days patches, bug reports, and words of encouragement started arriving and Ethereal was
on its way to success.
Not long after that Gilbert Ramirez saw its potential and contri …