UCCN1003 Data Communications and Networks
Lab 08: Wireshark Analysis of Protocols – Trace Files
Instructions:
    1. Read the “Introduction” section for the background
    2. Perform all the lab exercises, starting with exercise 1
    3. Follow all the steps.
    4. Record the results in all italic bold actions.
    5. Paste your screen captures on a Word Document and save it.
    6. Answer all the questions in italic and in blanks based on the observation of the results.
    7. Write your answer in the same Word Document.
    8. Please follow the sequence of the exercises, and don’t skip any step.
    9. Please try your best to understand the steps of this lab.


Introduction to Wireshark
In this lab, you will learn how to use Wireshark to examine packets that were captured from a NIC
and saved to a file, known as a trace file.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Originally named
Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

A network packet analyzer captures network packets and displays the packet data in as much
detail as possible. You could think of a network packet analyzer as a measuring device used to
examine what is going on inside a network cable, just as a voltmeter is used by an electrician to
examine what is going on inside an electric cable.

Here are some examples that people use Wireshark for:
   • network administrators use it to troubleshoot network problems
   • network security engineers use it to examine security problems
   • developers use it to debug protocol implementations
   • people use it to learn network protocol internals


Exercise 1: Getting familiar with the “Pane” of Wireshark
Wireshark's (v1.2.10) main window consists of parts that are commonly known from many other
GUI programs.
   • The menu is used to start actions.




•   The main toolbar provides quick access to frequently used items from the menu.




•   The filter toolbar provides a way to directly manipulate the currently used display filter.




•   The packet list pane displays a summary of each packet captured. By clicking on packets
    in this pane you control what is displayed in the other two panes.

•   The packet details pane displays the packet selected in the packet list pane in more detail.

•   The packet bytes pane displays the data from the packet selected in the packet list pane,
    and highlights the field selected in the packet details pane.

•   The status bar shows some detailed information about the current program state and the
    captured data.


[Figure: the Wireshark main window with the Menu, Main Toolbar, Filter Toolbar, Packet List Pane, Packet Detail Pane, Packet Bytes Pane and Status Bar labelled]




1. Go to “Menu” => “File” => “Open” and open Lab_08_Ex1.pcap.

2. Refer to the “status bar” and answer the following question:

       a. What is the total number of packets (or frames) in this file?

       _________________________________________________ (318)


       b. What is the number of packets being displayed?

       _________________________________________________ (318)



3. In the “Packet List Pane”, click on frame “No. 5”. A grey bar will highlight the selected
   frame, as shown in the following figure. Answer the following question:




       a. What is the highest layer protocol in this frame?

       _________________________________________________ (ICMP)


       b. What is the destination IP address in this frame?

       _________________________________________________ (192.168.1.3)


4. Refer to the “Packet Detail Pane” of the same frame No. 5, and answer the following
   question:




       a. What is the size (in bytes) of this frame?

       _________________________________________________ (70 bytes)


       b. What is the source MAC address of this frame, i.e. the MAC address of 192.168.1.1?

       _________________________________________________ (00:1e:40:9a:b5:13)


5. Click on the ‘+’ sign next to “Internet Control Message Protocol”, and more information
   is shown. Answer the following question:

       a. What are the values of the Type and Code of the ICMP?

       _________________________________________________ (Type = 3, Code = 0)


       b. Based on this ICMP message (and the frame), which of the two IP addresses (192.168.1.1
          or 192.168.1.3) is more likely to be the router? (Hint: a Destination Unreachable is
          sent by the node that could not forward or deliver the original datagram.)

       _________________________________________________ (192.168.1.1)


       c. Refer to the ICMP message again. What is the socket (IP:port) that was unreachable?
          (Hint: an ICMP error quotes the IP header and the first 8 bytes of the original
          datagram; for UDP those 8 bytes are the complete UDP header, including both ports.)

       _________________________________________________ (192.33.4.12:53)


       d. What is the IP address of this “Wireshark-installed” PC?

       _________________________________________________ (192.168.1.3)


6. Refer to the “Packet Bytes Pane” of the same frame No. 5, and answer the following
   question:




       a. Double click on the value “c0 a8” (the last two bytes of the second line) and refer to
          the “Packet Detail Pane”. Which field do these bytes belong to?

       _________________________________________________ (IP destination address)

       b. Double click on the value “89 c8” (the 5th and 6th bytes of the third line) and refer to
          the “Packet Detail Pane”. Which field do these bytes belong to?

       _________________________________________________ (ICMP checksum)
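The following Python script is an added example; it is not part of the lab handout or its trace files. It builds a 70-byte Ethernet/IPv4/ICMP frame shaped like frame No. 5 (a Destination Unreachable, Type 3 Code 0, sent by 192.168.1.1 to 192.168.1.3 and quoting a DNS query to 192.33.4.12:53) and dissects it by hand, so you can see where the byte offsets in the Packet Bytes Pane come from and why the unreachable socket can be read out of an ICMP error. The source MAC and the IP addresses follow the lab answers; the destination MAC, IP identification, TTLs, UDP source port and DNS payload size are constructed assumptions, so the checksum values will not match the real trace.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: complement of the one's-complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, no options, constructed ID) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def build_frame5_lookalike() -> bytes:
    """Router 192.168.1.1 tells 192.168.1.3 that its DNS query to 192.33.4.12:53 was unreachable."""
    dns_len = 29                                                  # constructed DNS query size
    inner_udp = struct.pack("!HHHH", 51234, 53, 8 + dns_len, 0)  # sport (constructed), dport, len, csum
    inner_ip = ipv4_header("192.168.1.3", "192.33.4.12", 17, 8 + dns_len)
    # RFC 792: an ICMP error quotes the offending IP header plus the first 8 bytes of its payload.
    # For UDP and TCP those 8 bytes hold both ports, so the failed socket can be read back out.
    icmp = struct.pack("!BBHI", 3, 0, 0, 0) + inner_ip + inner_udp   # Type 3, Code 0: net unreachable
    icmp = icmp[:2] + struct.pack("!H", ones_complement_sum(icmp)) + icmp[4:]
    outer_ip = ipv4_header("192.168.1.1", "192.168.1.3", 1, len(icmp), ttl=255)
    dst_mac = bytes.fromhex("000c29aabbcc")      # constructed; the PC's MAC is not given in the lab
    src_mac = bytes.fromhex("001e409ab513")      # router MAC from Exercise 1, question 4b
    return dst_mac + src_mac + b"\x08\x00" + outer_ip + icmp


def dissect_icmp_unreachable(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> ICMP -> quoted IPv4/UDP, recording absolute byte offsets."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    icmp_off = ip_off + ihl
    icmp = frame[icmp_off:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != 3:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]                                 # the original datagram, as quoted by the router
    q_ihl = (quoted[0] & 0x0F) * 4
    q_sport, q_dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {
        "frame_len": len(frame),
        "eth_src": ":".join("%02x" % b for b in frame[6:12]),
        "ip_src": socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
        "ip_dst": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]),
        "ip_dst_offset": ip_off + 16,                 # 30: the "c0 a8" closing hex line 2
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "icmp_checksum_offset": icmp_off + 2,         # 36: bytes 5-6 of hex line 3
        "icmp_checksum_ok": ones_complement_sum(icmp) == 0,   # a valid message re-sums to zero
        "quoted_proto": quoted[9],
        "unreachable_socket": "%s:%d" % (socket.inet_ntoa(quoted[16:20]), q_dport),
        "original_sender": "%s:%d" % (socket.inet_ntoa(quoted[12:16]), q_sport),
    }


if __name__ == "__main__":
    for key, value in dissect_icmp_unreachable(build_frame5_lookalike()).items():
        print("%-22s %s" % (key, value))
```

Run it and compare the offsets with the hex dump in the Packet Bytes Pane: with a 14-byte Ethernet header and a 20-byte IP header, the IP destination starts at byte 30 (the end of the second 16-byte line) and the ICMP checksum at byte 36 (the 5th byte of the third line). Because the receiving host uses the quoted header to match the error to one of its sockets, an off-path attacker who can guess the 4-tuple can forge such messages; RFC 5927 (ICMP attacks against TCP) describes the consequences and the checks a host should apply before acting on them.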


Exercise 2: Display Filter
A very common problem when you launch Wireshark with the default settings is that you get too
much information on the screen and cannot find the information you are looking for.
Too much information kills the information. Instead of showing all the captured traffic, you can
use the filter toolbar to display the data selectively.

That is why filters are important: they help you target the packets/frames you are looking for.
Wireshark has two kinds of filter, and they use different syntaxes:
   • Capture filters: select which packets are recorded at all. They are defined before starting
       the capture and use the libpcap/BPF syntax (e.g. “udp port 53”), not the display filter
       syntax.
   • Display filters: search inside the packets already captured. They can be changed at any
       time, including while a capture is running, and use Wireshark's own field-based syntax
       (e.g. “dns”).

So when should I use the capture or the display filter?

The goals of the two filters are different.
   • The capture filter is a first, coarse filter that limits the size of the captured data so the
      trace file does not grow too big. Anything it discards is gone for good, so keep it broad
      when you do not yet know what you are looking for.
   • The display filter is much more powerful (and complex); it lets you search for exactly the
      data you want. In this exercise we focus only on display filters.

The display filter follows a defined syntax. If the filter is syntactically correct, the filter box is
highlighted in green; if there is a syntax mistake, it is highlighted in red.




   1. In the “Filter Toolbar”, type “http” as shown in the following figure and click “Apply” at
      the far right of the “Filter Toolbar”.




           a. What is the number of packets being displayed? (Please refer to the status bar)

           _________________________________________________ (23)




2. In the “Filter Toolbar”, click “Clear”. Type “icmp” this time and then click “Apply”.
   After answering the question, please click on “Clear” again.

       a. What is the number of packets being displayed now? (Please refer to the status
          bar)

       _________________________________________________ (46)




3. The table above lists the logical operators accepted in the “Filter Toolbar”. As an example,
   apply the display filter “dns || arp”: it displays every packet whose protocol is DNS or
   ARP. Please remember to click “Apply”.




4. For more specific and complex filter conditions, use the “Expression” button of the “Filter
   Toolbar”. For example, to find the IP address of the web server in the trace file we can
   form the filter expression tcp.srcport == 80 (only the server sends from port 80). Click on
   “Expression”. Scroll down until you see TCP. Click on ‘+’ next to TCP to expand its fields.
   Click on “tcp.srcport”. Click on “==”, then key in “80” as the value. Click “OK”.




a. What is the IP address of the web server?

       _________________________________________________ (128.42.182.20)


       b. Using the similar concept illustrated above, what is the IP address of the DNS
          server? (Hint: use UDP source port equal to 53)

       _________________________________________________ (202.188.0.133)


5. Slicing is also useful to filter on the vendor identifier part (OUI) of a MAC address, so that
   you can restrict the display to packets from a specific manufacturer, e.g. for Unisphere
   machines only: eth.src[0:3] == 00:90:1a. The notation stands for the first 3 bytes of the
   source MAC address: [0:3] means 3 bytes starting at offset 0 (in bytes). Keep in mind that
   the OUI only tells you what the sender claims to be; MAC addresses are trivially changed, so
   treat an OUI match as a hint, not as identification of the device.




6. Display the packets whose destination IP address is not 60.53.75.52 and whose source IP
   address is not 128.42.182.20, i.e. ip.dst != 60.53.75.52 && ip.src != 128.42.182.20. After
   viewing, click “Clear”. (Caveat: in Wireshark versions of this era, “field != value” is true
   if any occurrence of the field in the frame differs from the value. A frame can carry a field
   twice, for example the outer and the quoted inner IP header of an ICMP error, so write
   !(ip.dst == 60.53.75.52) when you really mean “no occurrence equals”.)




Exercise 3: Basic Statistics of the Trace File
Wireshark provides a lot of different statistics, which can be consulted by clicking on
“Statistics” in the menu at the top of the screen.




   1. In the “menu”, click on “Statistics” and then “Summary”. After answering the question,
      close the “Summary” dialog box.

           a. What is the “average bytes per second”?

           _________________________________________________ (987.404)

   2. In the “Filter Toolbar”, enter “http”, and then click “Apply”. After that, click on
      “Statistics” and then “Summary”. After answering the question, close the “Summary”
      dialog box and clear the filter.

           a. What is the “average bytes per second” of the displayed packets?

           _________________________________________________ (195.165)

           b. What is the “average packets per second” of the displayed packets?

           _________________________________________________ (0.272)


   3. Click on “Statistics” and then “Protocol Hierarchy”. The protocol hierarchy shows a
      dissection per OSI layer of the displayed data. After answering the question, close the
      dialog box.

           a. How many packets contain “point-to-point protocol”?

           _________________________________________________ (259)


       b. What percentage of the packets belongs to TCP (Transmission Control Protocol)
          traffic?

       _________________________________________________ (66.98%)


       c. How many bytes belong to CompuServe GIF?

       _________________________________________________ (2584)


4. Click on “Statistics” and then “Conversations”. For a trace of TCP/IP traffic you should
   find four active tabs: Ethernet, IPv4, TCP and UDP conversations. A “conversation” is the
   traffic exchanged between two endpoints in both directions, so address A and address B
   form an unordered pair. The number in the tab after the protocol indicates the number of
   conversations. After answering the question, close the dialog box.




       a. Click on the “Ethernet” tab. How many MAC addresses are there in the trace file?

       _________________________________________________ (2)

       b. Click on “IPv4” tab. How many bytes have been sent from 60.53.75.52 to
          128.42.182.20?

       _________________________________________________ (13377)




c. Click on the “TCP” tab. What is the dominant application layer protocol (or
          service) for the TCP traffic? (Hint: Port B)

       _________________________________________________ (HTTP)


       d. Click on the “UDP” tab. What is the dominant application layer protocol (or
          service) for the UDP traffic? (Hint: Port B)

       _________________________________________________ (DNS)


5. Click on “Statistics” and then “Endpoints”. The Endpoints window gives statistics about
   received and transmitted data on a per-machine basis. The number after the protocol
   indicates the number of endpoints. After answering the question, close the dialog box.

       a. Click on the “IPv4” tab. How many bytes are received for IP = 192.5.5.241?

       _________________________________________________ (280)

       b. Click on the “UDP” tab. How many bytes are transmitted by IP = 202.188.0.133?

       _________________________________________________ (254)


6. Click on “Statistics” and then “IO Graphs”. Basic graphs of traffic over time can be
   obtained here, and several graphs can be added to the same window, one per display filter.
   Key in “udp”, “dns” and “icmp” in the filter boxes as shown in the following figure. A graph
   line is shown or hidden by clicking on the corresponding “Graph x” button (it works like a
   toggle).
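As an added example (not part of the lab), the following Python rebuilds the Conversations and Endpoints tables from a constructed packet list of the kind the Packet List Pane shows, and applies a display-filter predicate first, the way Wireshark's statistics follow the current display filter. The rows are invented for illustration: only the gateway MAC and the server addresses reuse values quoted in the lab answers, and the byte counts do not match the real trace.

```python
from collections import defaultdict

# Constructed packet-list rows (not taken from Lab_08_Ex1.pcap). Only two MACs appear because
# every remote host is reached through the gateway: its MAC stands in for all of them at layer 2.
PC, GW = "00:0c:29:aa:bb:cc", "00:1e:40:9a:b5:13"   # PC MAC constructed; gateway MAC as in Exercise 1
PACKETS = [
    # no, src_mac, dst_mac, src_ip,          dst_ip,          proto,  sport, dport, frame_len
    (1, PC, GW, "192.168.1.3",   "202.188.0.133", "udp",  51234, 53,    78),
    (2, GW, PC, "202.188.0.133", "192.168.1.3",   "udp",  53,    51234, 254),
    (3, PC, GW, "192.168.1.3",   "128.42.182.20", "tcp",  49152, 80,    66),
    (4, GW, PC, "128.42.182.20", "192.168.1.3",   "tcp",  80,    49152, 66),
    (5, PC, GW, "192.168.1.3",   "128.42.182.20", "tcp",  49152, 80,    512),
    (6, GW, PC, "128.42.182.20", "192.168.1.3",   "tcp",  80,    49152, 1494),
    (7, GW, PC, "192.168.1.1",   "192.168.1.3",   "icmp", None,  None,  70),
]
FIELDS = ("no", "src_mac", "dst_mac", "src_ip", "dst_ip", "proto", "sport", "dport", "length")
ROWS = [dict(zip(FIELDS, p)) for p in PACKETS]


def endpoints_of(pkt: dict, layer: str):
    """Return (source endpoint, destination endpoint) at the given layer, or None if absent."""
    if layer == "eth":
        return pkt["src_mac"], pkt["dst_mac"]
    if layer == "ipv4":
        return pkt["src_ip"], pkt["dst_ip"]
    if layer in ("tcp", "udp") and pkt["proto"] == layer:
        return ("%s:%d" % (pkt["src_ip"], pkt["sport"]),
                "%s:%d" % (pkt["dst_ip"], pkt["dport"]))
    return None


def conversations(rows, layer: str) -> dict:
    """Statistics > Conversations: one entry per unordered endpoint pair, bytes per direction."""
    table = {}
    for pkt in rows:
        ends = endpoints_of(pkt, layer)
        if ends is None:
            continue
        a, b = sorted(ends)                      # A<->B and B<->A are the same conversation
        entry = table.setdefault((a, b), {"packets": 0, "bytes": 0, "a_to_b": 0, "b_to_a": 0})
        entry["packets"] += 1
        entry["bytes"] += pkt["length"]
        entry["a_to_b" if ends[0] == a else "b_to_a"] += pkt["length"]
    return table


def endpoints(rows, layer: str) -> dict:
    """Statistics > Endpoints: transmitted and received bytes per address."""
    table = defaultdict(lambda: {"packets": 0, "tx_bytes": 0, "rx_bytes": 0})
    for pkt in rows:
        ends = endpoints_of(pkt, layer)
        if ends is None:
            continue
        src, dst = ends
        table[src]["packets"] += 1
        table[src]["tx_bytes"] += pkt["length"]
        table[dst]["packets"] += 1
        table[dst]["rx_bytes"] += pkt["length"]
    return dict(table)


def oui_filter(prefix: str):
    """The display filter eth.src[0:3] == xx:xx:xx expressed as a predicate on a row."""
    prefix = prefix.lower()
    return lambda pkt: pkt["src_mac"].lower().startswith(prefix)


def displayed(rows, predicate) -> list:
    """Apply a display filter; the statistics windows then summarise only these rows."""
    return [pkt for pkt in rows if predicate(pkt)]


if __name__ == "__main__":
    print("Ethernet endpoints:", sorted(endpoints(ROWS, "eth")))
    for pair, stats in conversations(ROWS, "ipv4").items():
        print("IPv4 %s <-> %s  %s" % (pair[0], pair[1], stats))
    print("UDP endpoints:", endpoints(ROWS, "udp"))
    print("Frames from the gateway OUI:", [p["no"] for p in displayed(ROWS, oui_filter("00:1e:40"))])
```

Note why the Ethernet tab shows only two addresses while the IPv4 tab shows many: every remote host is reached through the gateway, so at layer 2 the router's MAC stands in for all of them. The same effect means an OUI filter can only tell you something about devices on the local segment, never about hosts beyond the first router.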




Exercise 4 : Expert Info
Wireshark provides “Expert Info”, in which certain errors and anomalies in the traffic are
highlighted. It is rather useful for troubleshooting the network, and the same warnings (lost or
out-of-order segments, retransmissions) matter in security analysis too, since that is where
reassembly ambiguities and evasion attempts show up.

   1. In the “menu”, click on “Analyze” and then “Expert Info Composite”. After answering
      the question, close the dialog box.

          a. What are the warnings? (Hint: “Warnings” tab, Summary)

          _________________________________________________ (Previous segment lost)

          b. How many kinds of Chat entries are there, and how many packets do they cover?
             (Hint: just look at the “Chats” tab)

          _________________________________________________ (19, 62)


Exercise 5 : Basic HTTP GET/Response Interaction
With the introductory exercises done, we are now ready to use Wireshark to investigate protocols
in operation. In this exercise, we explore several aspects of HTTP.

   1. Let’s begin our exploration of HTTP by opening “Lab08_Ex5.pcap”.


2. Type “http” in the “Filter Toolbar” and click “Apply”. The Packet List Pane should show
   the HTTP messages that were captured: the GET message and the response message from
   the server to your browser. The Packet Detail Pane shows details of the selected message
   (in this case the HTTP GET message, which is highlighted in the Packet List Pane).

3. Highlight the line with HTTP GET /ethereal-labs/HTTP-ethereal-file1.html

4. Click on the ‘+’ next to “Hypertext Transfer Protocol”. By looking at the information in
   the HTTP header, answer the following questions:

       a. Is your browser running HTTP version 1.0 or 1.1?

       _________________________________________________ (HTTP 1.1)

       b. What languages (if any) does your browser indicate that it can accept from the
          web server?

       _________________________________________________ (en-US, en)

       c. What is the name of the “host”?

       _________________________________________________ (gaia.cs.umass.edu)


5. Highlight the line with HTTP HTTP/1.1 200 OK

6. Click on the ‘+’ next to “Hypertext Transfer Protocol”. By looking at the information in
   the HTTP header, answer the following questions:

       a. What is the status code returned from the server to your browser?

       _________________________________________________ (200 OK)

       b. What is the value of the “Server” header in the response?

       _________________________________________________ (Apache/2.0.52 (CentOS))

       c. How many bytes of content are being returned to your browser?

       _________________________________________________ (126 bytes)

       d. What is contained in the “Line-based text data: text/html”?




       _________________________________________________ (Congratulations. You've downloaded the file n….)


Exercise 6 : Retrieving Longer HTTP Document
In this exercise, we’ll see what happens when we download a longer HTML file.

   1. Open “Lab08_Ex6.pcap” with Wireshark.

   2. Type “http || tcp” in the “Filter Toolbar” and click “Apply”. (Since HTTP runs over
      TCP, this shows the same frames as “tcp” alone.)

   3. Highlight the line with HTTP HTTP/1.1 200 OK. (Frame 12). Answer the following
      questions:

          a. What is the content length of the text file? (The text can be displayed by clicking
             the ‘+’ next to “Line-based text data: text/html”)

          _________________________________________________ (4500)

          b. How many segments have been reassembled?

          _________________________________________________ (5)

          c. What is the size (total bytes) of the reassembled segments?

          _________________________________________________ (4810 bytes)

          d. What is the size of the HTTP Header?

           _________________________________________________ (4810 - 4500 = 310 bytes)

          e. What is the maximum size of the TCP segment?

          _________________________________________________ (1440 bytes.)


   4. Right click on any TCP “frame”, and then choose “Follow TCP Stream”.




5. The following dialog box should appear.




6. Highlight the content beginning with <html> until </html>. After the highlight, right
   click on the content to “copy” it. (Hint: the blue portion without the HTTP header)




7. Open Notepad and paste the “copied” content on it.




8. Save the file as “try.html”.




9. Use a web browser to open the “try.html”, and you should see the “Bill of Rights” in
   browser format.
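What “Follow TCP Stream” does, as an added example written for this edit and not part of the lab: order the TCP segments by sequence number, copy each byte to its stream offset, refuse gaps and inconsistent overlaps, then split the reassembled HTTP response into header and body and compare the body against Content-Length (the 4810 - 4500 arithmetic from Exercise 6). The segments are constructed inside the script; they mimic the shape of the Lab08_Ex6.pcap exchange (1440-byte segments, a 4500-byte body, an Apache/2.0.52 Server header) but are not taken from it, and the body is filler text rather than the Bill of Rights.

```python
MSS = 1440  # maximum TCP segment size seen in the Exercise 6 trace


def sample_body(size: int = 4500) -> bytes:
    """Constructed HTML body of exactly `size` bytes (filler text, not the real page)."""
    head, tail = b"<html><body><pre>\n", b"\n</pre></body></html>\n"
    filler = b"Constructed filler line, stands in for the Bill of Rights text.\n"
    middle = (filler * (size // len(filler) + 1))[: size - len(head) - len(tail)]
    return head + middle + tail


def build_response_segments(body: bytes, isn: int = 1000) -> list:
    """Cut a constructed HTTP/1.1 response into (seq, payload) segments of at most MSS bytes,
    then reorder one segment and add a partial retransmission, as real captures often show."""
    header = (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache/2.0.52 (CentOS)\r\n"
        b"Content-Type: text/html; charset=ISO-8859-1\r\n"
        b"Content-Length: %d\r\n"
        b"\r\n"
    ) % len(body)
    stream = header + body
    segments = [(isn + off, stream[off:off + MSS]) for off in range(0, len(stream), MSS)]
    disordered = [segments[0], segments[2], segments[1]] + segments[3:]   # segment 2 arrives late
    seq3, data3 = segments[2]
    disordered.append((seq3 + 100, data3[100:]))                          # overlapping retransmission
    return disordered


def reassemble(segments: list, isn: int) -> bytes:
    """Rebuild the byte stream the way Follow TCP Stream does: order by sequence number and
    place each byte at its absolute offset. A gap means a segment was lost (Wireshark's
    "Previous segment lost" warning); an overlap whose bytes disagree with what was already
    seen is refused, because that is exactly how TCP-level IDS evasion works."""
    buf = bytearray()
    for seq, data in sorted(segments, key=lambda s: s[0]):
        off = seq - isn
        if off > len(buf):
            raise ValueError("gap in stream at offset %d (previous segment lost)" % len(buf))
        overlap = min(len(buf) - off, len(data))
        if overlap and bytes(buf[off:off + overlap]) != data[:overlap]:
            raise ValueError("inconsistent overlapping retransmission at offset %d" % off)
        buf += data[overlap:]
    return bytes(buf)


def split_http_response(stream: bytes) -> dict:
    """Separate the HTTP header block from the body and check the declared Content-Length."""
    head_end = stream.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("HTTP header block not terminated")
    header, body = stream[:head_end + 4], stream[head_end + 4:]
    status_line, *lines = header.decode("iso-8859-1").split("\r\n")
    fields = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip().lower()] = value.strip()
    declared = int(fields.get("content-length", "-1"))
    return {
        "status": status_line,
        "server": fields.get("server"),
        "total_len": len(stream),        # size of the reassembled TCP segments
        "header_len": len(header),       # total_len - content_length, as in Exercise 6(d)
        "body_len": len(body),
        "content_length": declared,
        "length_matches": declared == len(body),
    }


if __name__ == "__main__":
    segs = build_response_segments(sample_body())
    info = split_http_response(reassemble(segs, isn=1000))
    for key, value in info.items():
        print("%-16s %s" % (key, value))
```

Inconsistent overlaps are rejected on purpose: a sender that retransmits different data for the same sequence range is either broken or trying to make the monitoring device and the end host see two different streams, a classic IDS-evasion technique, so a reassembler used for security analysis should flag it rather than silently pick one copy.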



"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 

Uccn1003 may10 - lab 08 - wireshark analysis of trace files - answer-updated-2.8.2010

• The main toolbar provides quick access to frequently used items from the menu.
• The filter toolbar provides a way to directly manipulate the currently used display filter.
• The packet list pane displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.
• The packet details pane displays the packet selected in the packet list pane in more detail.
• The packet bytes pane displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.
• The status bar shows some detailed information about the current program state and the captured data.

[Figure: annotated main window showing the Menu, Main Toolbar, Filter Toolbar, Packet List Pane, Packet Detail Pane, Packet Bytes Pane and Status Bar]
1. Go to “menu” => “File” => “open” Lab_08_Ex1.pcap.
2. Refer to the “status bar” and answer the following questions:
   a. What is the total number of packets (or frames) in this file?
      _________________________________________________ (318)
   b. What is the number of packets being displayed?
      _________________________________________________ (318)
3. In the “Packet List Pane”, click on frame “No. 5”. A grey bar will highlight the selected frame, as shown in the following figure. Answer the following questions:
   a. What is the highest layer protocol in this frame?
      _________________________________________________ (ICMP)
   b. What is the destination IP address in this frame?
      _________________________________________________ (192.168.1.3)
4. Refer to the “Packet Detail Pane” of the same frame No. 5, and answer the following questions:
   a. What is the size (in bytes) of this frame?
      _________________________________________________ (70 bytes)
   b. What is the source MAC address of 192.168.1.1?
      _________________________________________________ (00:1e:40:9a:b5:13)
5. Click on the ‘+’ sign next to “Internet Control Message Protocol”, and more information is shown. Answer the following questions:
   a. What are the values of the Type and Code of the ICMP?
      _________________________________________________ (Type = 3, Code = 0)
   b. Based on this ICMP message (and the frame), which IP address (192.168.1.1 or 192.168.1.3) is more likely to be the router?
      _________________________________________________ (192.168.1.1)
   c. Refer to the ICMP again. What is the value of the socket (IP:port) that is unreachable?
      _________________________________________________ (192.33.4.12:53)
   d. What is the IP address of this “Wireshark-installed” PC?
      _________________________________________________ (192.168.1.3)
6. Refer to the “Packet Bytes Pane” of the same frame No. 5, and answer the following questions:
   a. Double click on the value “c0 a8” (last two bytes of the second line), and refer to the “Packet Detail Pane”. Which field do these bytes belong to?
      _________________________________________________ (destination of IP)
   b. Double click on the value “89 c8” (5th and 6th bytes of the third line), and refer to the “Packet Detail Pane”. Which field do these bytes belong to?
      _________________________________________________ (checksum of ICMP)

Exercise 2: Display Filter

A very common problem when you launch Wireshark with the default settings is that you get too much information on the screen and cannot find the information you are looking for. Too much information kills the information. Instead of showing all the traffic, you may use the filter toolbar to display the data selectively. That is why filters are important: they help you target the packets/frames you are looking for.
• Capture filters: used to select the data to record in the logs. They are defined before starting the capture.
• Display filters: used to search inside the captured logs. They can be modified while data is being captured.

So when should I use the capture or the display filter? The goals of the two filters are different.
• The capture filter is used as a first, coarse filter to limit the size of the captured data and avoid generating a log that is too big.
• The display filter is much more powerful (and complex); it lets you search for exactly the data you want.

In this exercise, we focus only on the display filter. The display filter follows a certain syntax. If the filter syntax is correct, the filter box is highlighted in green; if there is a syntax mistake, it is highlighted in red.

1. In the “Filter Toolbar”, type “http” as shown in the following figure and click “Apply” at the far right of the “Filter Toolbar”.
   a. What is the number of packets being displayed? (Please refer to the status bar)
      _________________________________________________ (23)
2. In the “Filter Toolbar”, click “Clear”. Type “icmp” this time and then click “Apply”. After answering the question, please click on “Clear” again.
   a. What is the number of packets being displayed now? (Please refer to the status bar)
      _________________________________________________ (46)
3. The above table shows the “logical expressions” of the “Filter Toolbar”. Let's take an example with the following display filter: “dns || arp”. This means displaying packets whose protocol is dns or arp. Please remember to click “Apply”.
4. For more specific and complex filter conditions, we can use the “Expression” button of the “Filter Toolbar”. For example, if we want to look for the IP address of the web server in the trace file, we can form the following filter expression: tcp.srcport == 80. Click on “Expression”. Scroll down until you see TCP. Click on ‘+’ next to TCP to expand all the options. Click on “tcp.srcport”. Click on “==”, and then key in “80” in value. Click “Ok”.
   a. What is the IP address of the web server?
      _________________________________________________ (128.42.182.20)
   b. Using the same approach, what is the IP address of the DNS server? (Hint: use UDP source port equal to 53)
      _________________________________________________ (202.188.0.133)
5. The following feature is also useful to filter on the vendor identifier part (OUI) of the MAC address. Thus you may restrict the display to only packets from a specific device manufacturer (e.g. for Unisphere machines only): eth.src[0:3] == 00:90:1a. The notation stands for the first 3 bytes of the source MAC address: [0:3] means 3 bytes starting at offset 0 (in bytes).
6. Display the packets with destination IP address not equal to 60.53.75.52 and source IP address not equal to 128.42.182.20. After viewing, click “Clear”.
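Frame No. 5 of Exercise 1 is an ICMP Destination Unreachable message, and its layout explains every answer in that exercise: the "c0 a8" pair at bytes 30-31 is the start of the destination IP, the bytes at 36-37 are the ICMP checksum, and the unreachable socket 192.33.4.12:53 is read from the original IP and UDP headers that the router quotes after the ICMP header. The following Python is an added example, not part of the lab handout: it builds a 70-byte frame with that layout (addresses from the handout's answers; the PC's MAC, the UDP source port and the original payload size are made up) and parses it back, verifying the ICMP checksum so that a corrupted message is not trusted.

```python
import socket
import struct

# Added example, not from the lab handout: build a frame laid out like frame No. 5 of
# Lab_08_Ex1.pcap (Ethernet + IPv4 + ICMP Destination Unreachable quoting the original
# IP and UDP headers) and parse it back, verifying the ICMP checksum. Addresses come from
# the handout's answers; the PC's MAC, the UDP source port and payload size are made up.

def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum; returns 0 when run over data whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]

def build_unreachable_frame() -> bytes:
    # original datagram: 192.168.1.3 -> 192.33.4.12:53 (DNS), 30 bytes of payload assumed
    orig_udp = struct.pack("!HHHH", 51000, 53, 8 + 30, 0)
    orig_ip = ipv4_header("192.168.1.3", "192.33.4.12", 17, 8 + 30)
    # ICMP type 3 code 0: 8-byte header + inner IP header + first 8 bytes of the datagram
    icmp = struct.pack("!BBHI", 3, 0, 0, 0) + orig_ip + orig_udp[:8]
    icmp = icmp[:2] + struct.pack("!H", rfc1071_checksum(icmp)) + icmp[4:]
    outer_ip = ipv4_header("192.168.1.1", "192.168.1.3", 1, len(icmp))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("001e409ab513") + b"\x08\x00"
    return eth + outer_ip + icmp                    # 14 + 20 + 36 = 70 bytes, as in the lab

def parse_unreachable(frame: bytes) -> dict:
    """Extract the fields Exercise 1 asks about; reject anything that is not ICMP type 3."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 1:
        raise ValueError("not ICMP")
    icmp = frame[14 + ihl:]
    if icmp[0] != 3 or len(icmp) < 36:
        raise ValueError("not a complete Destination Unreachable message")
    inner = icmp[8:]                                # quoted header of the failed datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    dst_port = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return {
        "frame_len": len(frame),
        "src_mac": frame[6:12].hex(":"),
        "src_ip": socket.inet_ntoa(frame[26:30]),   # the router that reported the error
        "dst_ip": socket.inet_ntoa(frame[30:34]),   # bytes 30-31 are the "c0 a8" pair
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "checksum_ok": rfc1071_checksum(icmp) == 0, # bytes 36-37 hold the ICMP checksum
        "unreachable": "%s:%d" % (socket.inet_ntoa(inner[16:20]), dst_port),
    }

if __name__ == "__main__":
    print(parse_unreachable(build_unreachable_frame()))
```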
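To make the filter syntax of Exercise 2 concrete, here is a small evaluator, added here and not part of the lab handout, for the subset of Wireshark's display-filter language the exercise uses: bare protocol names, `==` and `!=`, `||` and `&&`, and the `eth.src[0:3]` byte slice. It is run over constructed packet records whose addresses follow the lab's answers (the MAC suffixes are made up); a filter that fails to parse raises the same kind of error Wireshark signals by turning the filter box red.

```python
import re

# Added example, not part of the lab handout: an evaluator for the subset of Wireshark
# display-filter syntax used in Exercise 2 (protocol names, ==, !=, ||, && and the
# eth.src[0:3] byte slice), run over constructed packet records shaped like the trace.
TOKEN = re.compile(r"\s*(\|\||&&|==|!=|[\w.:]+(?:\[\d+:\d+\])?)")

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:                                   # what Wireshark flags in red
            raise SyntaxError("bad filter near %r" % text[pos:])
        out.append(m.group(1)); pos = m.end()
    return out

def field_value(pkt, field):
    m = re.fullmatch(r"([\w.]+)(?:\[(\d+):(\d+)\])?", field)   # name[off:len]
    if not m or m.group(1) not in pkt:
        return None                                 # absent field matches neither == nor !=
    value = str(pkt[m.group(1)]).lower()
    if m.group(2):                                  # byte slice: len bytes from byte offset off
        value = ":".join(value.split(":")[int(m.group(2)):int(m.group(2)) + int(m.group(3))])
    return value

def parse(text):
    # grammar: or := and ('||' and)* ; and := term ('&&' term)* ; term := name [op value]
    toks = tokenize(text.strip())
    def term():
        name = toks.pop(0)
        if toks and toks[0] in ("==", "!="):
            return ("cmp", name, toks.pop(0), toks.pop(0))
        return ("proto", name)                      # bare name: protocol present in frame
    def conj():
        node = term()
        while toks and toks[0] == "&&":
            toks.pop(0); node = ("and", node, term())
        return node
    try:
        node = conj()
        while toks and toks[0] == "||":
            toks.pop(0); node = ("or", node, conj())
    except IndexError:
        raise SyntaxError("filter ends too early: %r" % text) from None
    if toks:
        raise SyntaxError("unexpected %r" % toks[0])
    return node

def matches(ast, pkt):
    if ast[0] == "or":  return matches(ast[1], pkt) or matches(ast[2], pkt)
    if ast[0] == "and": return matches(ast[1], pkt) and matches(ast[2], pkt)
    if ast[0] == "proto": return ast[1] in pkt["protocols"]
    actual = field_value(pkt, ast[1])
    return actual is not None and (actual == ast[3].lower()) == (ast[2] == "==")

PACKETS = [  # constructed records; addresses follow the lab's answers, MAC suffixes are made up
    {"protocols": {"ip", "tcp", "http"}, "eth.src": "00:90:1a:00:00:01",
     "ip.src": "128.42.182.20", "ip.dst": "60.53.75.52", "tcp.srcport": 80},
    {"protocols": {"ip", "udp", "dns"}, "eth.src": "00:1e:40:9a:b5:13",
     "ip.src": "202.188.0.133", "ip.dst": "60.53.75.52", "udp.srcport": 53},
    {"protocols": {"ip", "icmp"}, "eth.src": "00:1e:40:9a:b5:13",
     "ip.src": "192.168.1.1", "ip.dst": "192.168.1.3"},
    {"protocols": {"arp"}, "eth.src": "00:90:1a:00:00:02"},
]

def count_displayed(text, packets=PACKETS):     # the "Displayed" count on the status bar
    ast = parse(text)
    return sum(1 for p in packets if matches(ast, p))
```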
Exercise 3: Basic Statistics of the Trace File

Wireshark provides a lot of different statistics, which can be consulted by clicking on the "Statistics" menu at the top of the screen.

1. In the “menu”, click on “Statistics” and then “Summary”. After answering the question, close the “Summary” dialog box.
   a. What is the “average bytes per second”?
      _________________________________________________ (987.404)
2. In the “Filter Toolbar”, enter “http”, and then click “Apply”. After that, click on “Statistics” and then “Summary”. After answering the questions, close the “Summary” dialog box and clear the filter.
   a. What is the “average bytes per second” of the displayed packets?
      _________________________________________________ (195.165)
   b. What is the “average packets per second” of the displayed packets?
      _________________________________________________ (0.272)
3. Click on “Statistics” and then “Protocol Hierarchy”. The protocol hierarchy shows a dissection per OSI layer of the displayed data. After answering the questions, close the dialog box.
   a. How many packets contain the “Point-to-Point Protocol”?
      _________________________________________________ (259)
   b. What percentage of packets belongs to TCP (Transmission Control Protocol) traffic?
      _________________________________________________ (66.98%)
   c. How many bytes for Compuserve GIF?
      _________________________________________________ (2584)
4. Click on “Statistics” and then “Conversations”. If you use a TCP/IP suite application or protocol, you should find four active tabs for Ethernet, IP, TCP and UDP conversations. A "conversation" represents the traffic between two hosts. The number in the tab after the protocol indicates the number of conversations. After answering the questions, close the dialog box.
   a. Click on the “Ethernet” tab. How many MAC addresses are there in the trace file?
      _________________________________________________ (2)
   b. Click on the “IPv4” tab. How many bytes have been sent from 60.53.75.52 to 128.42.182.20?
      _________________________________________________ (13377)
   c. Click on the “TCP” tab. What is the dominant application layer protocol (or service) for the TCP traffic? (Hint: Port B)
      _________________________________________________ (HTTP)
   d. Click on the “UDP” tab. What is the dominant application layer protocol (or service) for the UDP traffic? (Hint: Port B)
      _________________________________________________ (DNS)
5. Click on “Statistics” and then “Endpoints”. The endpoints provide statistics about received and transmitted data on a per-machine basis. The number after the protocol indicates the number of endpoints. After answering the questions, close the dialog box.
   a. Click on the “IPv4” tab. How many bytes are received for IP = 192.5.5.241?
      _________________________________________________ (280)
   b. Click on the “UDP” tab. How many bytes are transmitted by IP = 202.188.0.133?
      _________________________________________________ (254)
6. Click on “Statistics” and then “IO Graphs”. Basic graphs can be obtained under the "IO Graphs" section. Multiple graphs can be added in the same window on a per-display-filter basis. Key in “udp”, “dns”, and “icmp” in the filter boxes as shown in the following figure. You can display each graph line by clicking on its “Graph x” button (works like a toggle).
Exercise 4: Expert Info

Wireshark provides “Expert Info”, in which certain errors and anomalies in the network can be highlighted. It is rather useful for troubleshooting the network.

1. In the “menu”, click on “Analysis” and then “Expert Info Composite”. After answering the questions, close the dialog box.
   a. What are the warnings? (Hint: “Warnings” tab, Summary)
      _________________________________________________ (Previous segment lost)
   b. How many types of Chats are there, and what is the packet count? (Hint: Just look at the “Chat” tab)
      _________________________________________________ (19, 62)

Exercise 5: Basic HTTP GET/Response Interaction

With the introductory exercises in Wireshark done, we're now ready to use Wireshark to investigate protocols in operation. In this exercise, we'll explore several aspects of HTTP.

1. Let's begin our exploration of HTTP by opening “Lab08_Ex5.pcap”.
2. Type “http” in the “Filter Toolbar” window and click “Apply”. The Packet List Pane should show the HTTP messages that were captured: the GET message and the response message from the server to your browser. The Packet Detail Pane shows details of the selected message (in this case the HTTP GET message, which is highlighted in the Packet List Pane).
3. Highlight the line with HTTP GET /ethereal-labs/HTTP-ethereal-file1.html
4. Click on the ‘+’ next to “Hypertext Transfer Protocol”. By looking at the information in the HTTP header, answer the following questions:
   a. Is your browser running HTTP version 1.0 or 1.1?
      _________________________________________________ (HTTP 1.1)
   b. What languages (if any) does your browser indicate that it can accept from the web server?
      _________________________________________________ (en – US, en)
   c. What is the name of the “host”?
      _________________________________________________ (gaia.cs.umass.edu)
5. Highlight the line with HTTP HTTP/1.1 200 OK
6. Click on the ‘+’ next to “Hypertext Transfer Protocol”. By looking at the information in the HTTP header, answer the following questions:
   a. What is the status code returned from the server to your browser?
      _________________________________________________ (200 OK)
   b. What is the “Server” type of the web page?
      _________________________________________________ (Apache/2.0.52 (CentOS))
   c. How many bytes of content are being returned to your browser?
      _________________________________________________ (126 bytes)
   d. What is contained in the “Line-based text data: text/html”?
      _________________________________________________ (Congratulations. You've downloaded the file n….)

Exercise 6: Retrieving a Longer HTTP Document

In this exercise, we'll see what happens when we download a longer HTML file.

1. Open “Lab08_Ex6.pcap” with Wireshark.
2. Type “http || tcp” in the “Filter Toolbar” window and click “Apply”.
3. Highlight the line with HTTP HTTP/1.1 200 OK (Frame 12). Answer the following questions:
   a. What is the content length of the text file? (The text can be displayed by clicking the ‘+’ next to “Line-based text data: text/html”)
      _________________________________________________ (4500)
   b. How many segments have been reassembled?
      _________________________________________________ (5)
   c. What is the size (total bytes) of the reassembled segments?
      _________________________________________________ (4810 bytes)
   d. What is the size of the HTTP header?
      _________________________________________________ (4810-4500 = 310 bytes.)
   e. What is the maximum size of the TCP segment?
      _________________________________________________ (1440 bytes.)
4. Right click on any TCP “frame”, and then choose “Follow TCP Stream”.
5. The following dialog box should appear.
6. Highlight the content beginning with <html> until </html>. After highlighting, right click on the content to “copy” it. (Hint: the blue portion without the HTTP header)
7. Open Notepad and paste the “copied” content into it.
8. Save the file as “try.html”.
9. Use a web browser to open “try.html”, and you should see the “Bill of Rights” in browser format.
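What "Follow TCP Stream" and the "reassembled segments" line do for you in Exercise 6 is ordering the server's segments by sequence number and then splitting the HTTP header from the body. The Python below is an added example, not part of the lab handout: the server's byte stream is constructed to reproduce the exercise's numbers (a 310-byte header, a 4500-byte body, a 1440-byte MSS and therefore 5 segments), it is reassembled from segments given in arbitrary order, any missing segment is reported as a gap (the "Previous segment lost" condition from Exercise 4), and the body is checked against Content-Length. The header padding field X-Pad is a made-up header used only to hit the exact size.

```python
# Added example, not from the lab handout: reassemble an HTTP response from its TCP
# segments by sequence number, split header from body and check the body against
# Content-Length. The server's byte stream is constructed to reproduce Exercise 6's
# numbers (310-byte header, 4500-byte body, 1440-byte MSS, 5 segments).

MSS = 1440

def build_response() -> bytes:
    body = b"<html><body><h1>Bill of Rights</h1>"
    body += b"." * (4500 - len(body) - 14) + b"</body></html>"        # exactly 4500 bytes
    head = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (CentOS)\r\n"
            b"Content-Type: text/html\r\nContent-Length: 4500\r\n")
    head += b"X-Pad: " + b"p" * (310 - len(head) - 11) + b"\r\n\r\n"  # exactly 310 bytes
    return head + body

def segment(stream: bytes, isn: int = 1) -> list:
    """(seq, payload) segments: the header in its own segment, then MSS-sized chunks."""
    cut = stream.index(b"\r\n\r\n") + 4
    chunks = [stream[:cut]] + [stream[i:i + MSS] for i in range(cut, len(stream), MSS)]
    segs, seq = [], isn
    for c in chunks:
        segs.append((seq, c))
        seq += len(c)
    return segs

def reassemble(segs: list) -> tuple:
    """Return (stream, gaps); a gap is what Expert Info reports as 'Previous segment lost'."""
    out, gaps, expected = b"", [], None
    for seq, data in sorted(segs):
        end = seq + len(data)
        if expected is not None and seq > expected:
            gaps.append((expected, seq))            # bytes expected..seq never arrived
        elif expected is not None:
            data = data[expected - seq:]            # drop retransmitted overlap
        out += data
        expected = end if expected is None else max(expected, end)
    return out, gaps

def parse_http_response(stream: bytes) -> dict:
    """Split at the blank line; compare the body length with the Content-Length header."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    length = int(headers.get("Content-Length", len(body)))
    return {"status": lines[0], "header_bytes": len(head) + len(sep), "content_length": length,
            "body_bytes": len(body), "complete": len(body) == length, "total": len(stream)}

if __name__ == "__main__":
    stream, gaps = reassemble(list(reversed(segment(build_response()))))
    print(parse_http_response(stream), gaps)
```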