
Birla Institute of Technology & Science, Pilani
Computer Networks (CS C 461 / IS C 461)
Second Semester 2012-2013
Lab Sheet-

Introduction to Wireshark and Protocol Analysis

Aim: To analyze various network protocols using Wireshark (formerly Ethereal).

Objective: To learn the header fields of common protocols by capturing live packets with a network protocol analysis tool.

Prerequisite: Understanding of the TCP/IP layers and their protocols.

Required Resources: A LAN or WAN connection; Wireshark Network Analyzer.

Description: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark does not modify or inject packets on the network; it only captures and decodes traffic that is already present, with minimal overhead. (Further reading: http://is.gd/RazB76)

Installing Wireshark:

For Windows OS (Windows 7)
Download the latest stable version of Wireshark (v1.6.5 at the time of writing, available at http://is.gd/Ys7UeV). Choose all components for installation, including WinPcap: it is the capture driver, and without it Wireshark can open saved capture files but cannot capture live traffic. Proceed until completion. Wireshark may now be launched from the application launcher.

Checklist:
A PC with 256 MB RAM, 40 GB HDD
Wireshark with complete installation
A working LAN or WAN connection to capture packets from

For Linux OS (Ubuntu 9.10)
Use Ubuntu Software Center to install Wireshark. Capturing requires permission to open the network interfaces (in promiscuous mode), which ordinary users do not have, so the simplest approach is to run Wireshark with root privileges by typing the following command in the terminal:

sudo wireshark

Note that this runs the whole GUI, including every protocol dissector that parses untrusted packets, as root. The safer alternative is to grant capture rights to the non-root user instead: on current Debian and Ubuntu releases, run sudo dpkg-reconfigure wireshark-common, answer yes when asked whether non-superusers should be able to capture packets, and add the user to the wireshark group (sudo usermod -aG wireshark $USER, then log out and back in). This gives only the small capture helper (dumpcap) the required capability, while Wireshark itself runs unprivileged.

Procedure: BITS-Pilani 1

PART-I

1. Start Wireshark by running the executable from the installed directory.

2. Select the proper interface for capturing packets (the one carrying the traffic you want to see, usually the wired or wireless adapter rather than the loopback interface).

Figure 1

3. You will now see a dynamic list of packets being captured by Wireshark. To stop a running capture, press CTRL+E or select Capture > Stop from the menu.

Figure 2

4. Packets may be filtered using a display-filter expression. For instance, to see only HTTP packets, enter http in the Filter input box and press Apply. A display filter only hides packets from view; everything captured is still in the capture buffer and reappears when the filter is cleared.

Figure 3

PART-II

1. Now, packets are captured while accessing a website (say, Wikipedia.org). If the site is served over HTTPS, Wireshark will show the TLS handshake and encrypted application data instead of readable HTTP, so use a site that serves plain HTTP for this part.

2. Filter for http packets, right-click one of them and choose Follow TCP Stream.

3. You will be able to see the TCP request and the associated acknowledgement packets, as shown.

Figure 4


Figure 5

Figure 6

4. The application-layer HTTP packet may also be analyzed.

Figure 7

5. We can examine the amount of data sent per unit time from the client to the server. Select an HTTP segment in the packet list and then go to Statistics > TCP Stream Graph > Time-Sequence Graph (Stevens). You should see a plot similar to the following.

Figure 8

Here, each dot represents a TCP segment sent, plotting the sequence number of the segment against the time at which it was sent. A set of dots stacked above each other represents a series of segments sent back-to-back by the sender. The graph is drawn for the direction of the selected segment only, so select a segment sent by the client if you want to see client-to-server data. Similarly, go through the other statistical presentations.
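The following Python program is an added example, not part of the lab sheet or of Wireshark: it dissects the Ethernet II, IPv4 and TCP headers that Wireshark displays in Figures 4 to 7, then runs over a constructed capture (a three-way handshake followed by one HTTP request; the addresses, ports and sequence numbers are made up and the checksums are left as zero). It also reproduces two Wireshark behaviours worth knowing when filling in the observation table: the "http" display filter matches only segments that carry an HTTP message, not the handshake, and the sequence numbers shown by default are relative (the first SEQ in each direction is displayed as 0), so the raw ISN only appears if "Relative sequence numbers" is disabled in the TCP protocol preferences.

```python
"""Added example, not from the lab sheet: minimal Ethernet II / IPv4 / TCP
dissector run over a constructed handshake plus one HTTP request.
Addresses, ports and sequence numbers are made up; checksums are zero."""
import struct
from dataclasses import dataclass

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int        # raw 32-bit sequence number as sent on the wire
    ack: int
    flags: list     # e.g. ["SYN", "ACK"]
    payload: bytes


def build_frame(src, dst, seq, ack, flags, payload=b""):
    """Constructed Ethernet II / IPv4 / TCP frame; src and dst are (ip, port)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    # version 4, IHL 5, total length, id, DF, TTL 64, protocol 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, ip4(src[0]), ip4(dst[0]))
    # data offset 5 words (no options) + flag bits, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIHHHH", src[1], dst[1], seq, ack,
                      (5 << 12) | sum(TCP_FLAGS[f] for f in flags), 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> TcpSegment:
    """Dissect the three headers in the order Wireshark's detail pane lists them."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4            # TCP header length in bytes
    flags = [n for n, bit in TCP_FLAGS.items() if off_flags & bit]
    return TcpSegment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags, tcp[data_off:])


def matches(seg: TcpSegment, expr: str) -> bool:
    """Tiny subset of Wireshark display filters: tcp, http, tcp.port == N,
    tcp.flags.<name> == 0|1. As in Wireshark, 'http' needs an HTTP message
    in the payload, so port-80 handshake segments do not match it."""
    if expr == "tcp":
        return True
    if expr == "http":
        return seg.payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/"))
    field, _, value = expr.partition("==")
    field, value = field.strip(), int(value)
    if field == "tcp.port":
        return value in (seg.src_port, seg.dst_port)
    if field.startswith("tcp.flags."):
        return (field.rsplit(".", 1)[1].upper() in seg.flags) == bool(value)
    raise ValueError("unsupported filter: " + expr)


def relative_seq(segments):
    """(raw, relative) SEQ per segment; relative numbering starts at 0 for the
    first segment seen in each direction, as Wireshark displays by default."""
    base, out = {}, []
    for s in segments:
        key = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        base.setdefault(key, s.seq)
        out.append((s.seq, (s.seq - base[key]) & 0xFFFFFFFF))
    return out


def find_handshake(segments):
    """Indexes of a valid SYN / SYN-ACK / ACK exchange, or None. Each ACK number
    must equal the peer's ISN + 1: that is what proves each side saw the other's SYN."""
    n = len(segments)
    for i in range(n):
        syn = segments[i]
        if syn.flags != ["SYN"]:
            continue
        for j in range(i + 1, n):
            sa = segments[j]
            if sorted(sa.flags) == ["ACK", "SYN"] and sa.src_port == syn.dst_port \
                    and sa.ack == (syn.seq + 1) & 0xFFFFFFFF:
                for k in range(j + 1, n):
                    a = segments[k]
                    if a.flags == ["ACK"] and a.src_port == syn.src_port \
                            and a.ack == (sa.seq + 1) & 0xFFFFFFFF:
                        return i, j, k
    return None


# Constructed capture: client 10.0.0.5:49152 connects to 93.184.216.34:80.
CLIENT, SERVER = ("10.0.0.5", 49152), ("93.184.216.34", 80)
CAPTURE = [
    build_frame(CLIENT, SERVER, 0x1D2E3F40, 0, ["SYN"]),
    build_frame(SERVER, CLIENT, 0x7A8B9C00, 0x1D2E3F41, ["SYN", "ACK"]),
    build_frame(CLIENT, SERVER, 0x1D2E3F41, 0x7A8B9C01, ["ACK"]),
    build_frame(CLIENT, SERVER, 0x1D2E3F41, 0x7A8B9C01, ["PSH", "ACK"],
                b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

if __name__ == "__main__":
    segs = [parse_frame(f) for f in CAPTURE]
    for s, (raw, rel) in zip(segs, relative_seq(segs)):
        print(f"{s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} "
              f"{'/'.join(s.flags):8} seq={raw:#010x} (rel {rel})")
    print("handshake frames:", find_handshake(segs))
    print("frames matching 'http':", [i for i, s in enumerate(segs) if matches(s, "http")])
```

Running it prints one line per frame with the raw and relative sequence numbers; observation questions 3 and 4 ask for the raw values, which here are the ISNs 0x1d2e3f40 and 0x7a8b9c00, while Wireshark's default view would show Seq=0 for both SYNs.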

Observations:
Header format of a TCP segment
TCP three-way handshake (SYN, SYN-ACK, ACK)
Different layers in TCP/IP and their header formats

Likewise, other protocols can be analyzed using Wireshark, provided the protocol of interest is actually running on the LAN while Wireshark is capturing. For example, UDP datagrams must be transferred on the LAN while one is trying to capture them; a network traffic generator tool can be used to produce such traffic on demand. Some protocol captures and their analysis are shown briefly below.


User Datagram Protocol

The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without prior communication to set up special transmission channels or data paths. UDP uses a simple transmission model with a minimum of protocol mechanism. It has no handshaking dialogue, and thus exposes any unreliability of the underlying network protocol to the user's program. As this is normally IP over unreliable media, there is no guarantee of delivery, ordering or duplicate protection. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram. Because there is no handshake, nothing in UDP itself verifies that a datagram really came from the source address it carries; applications that need that assurance (DNS, for instance, with its transaction ID and randomized source port) have to provide it themselves.

UDP is suitable for purposes where error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system. UDP provides no guarantees to the upper-layer protocol for message delivery, and the UDP layer retains no state about UDP messages once sent. If error correction facilities are needed at the network interface level, an application may use the Transmission Control Protocol (TCP), which is designed for this purpose.

A number of UDP's attributes make it especially suited for certain applications:
It is transaction-oriented, suitable for simple query-response protocols such as the Domain Name System (DNS) or the Network Time Protocol.
It provides datagrams, suitable for modelling other protocols such as IP tunnelling, Remote Procedure Call and the Network File System.
It is simple, suitable for bootstrapping or other purposes without a full protocol stack, such as DHCP and the Trivial File Transfer Protocol.
It is stateless, suitable for very large numbers of clients, such as in streaming media applications, for example IPTV.
The lack of retransmission delays makes it suitable for real-time applications such as Voice over IP, online games, and many protocols built on top of the Real Time Streaming Protocol.
It works well for unidirectional communication, suitable for broadcast information such as in many kinds of service discovery and shared information such as broadcast time or the Routing Information Protocol.

As stated above, UDP is the carrier for DNS, so we will analyze UDP together with DNS. The UDP datagram format, with its fields, is shown in the figure below, followed by an explanation of the DNS protocol.


Figure 9; UDP Datagram

The UDP datagrams below were captured (using Wireshark) while the system was issuing a DNS query.

Figure 10; UDP Datagram captured using Wireshark

The traffic of different protocols can be compared using the Statistics menu (for example, IO Graphs); shown here is a comparison of the TCP and UDP packets sent over time.

Figure 11; TCP vs UDP packets sent over time (legend: UDP, TCP)

Domain Name System

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates information with domain names assigned to each of the participating entities. Most prominently, it translates domain names meaningful to users into the numerical IP addresses needed for locating computer services and devices worldwide. By providing a worldwide, distributed keyword-based redirection service, the Domain Name System is an essential component of the functionality of the Internet. DNS servers answer clients in a query-response manner, with UDP (port 53) as the workhorse transport; TCP is used when a response is too large for a single datagram and for zone transfers. The following figures show the capture of DNS queries, the format of a particular DNS query, and the flow graph of the DNS query-response mechanism, all captured using Wireshark.

Figure 12; Capturing DNS Query Wireshark

Figure 13; DNS Packet Format Captured through Wireshark

Figure 14; Flow Graph for Captured DNS Query Response
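The Python program below is an added example, not part of the lab sheet or of Wireshark, covering both the UDP datagram format of Figures 9 and 10 and the DNS message format and flow graph of Figures 12 to 14. It parses the 8-byte UDP header (checking that the Length field matches the datagram size, which is how observation question 5 distinguishes the fixed header length from the variable Length field), decodes the DNS header flags (a stub resolver's query normally has only RD, Recursion Desired, set; the response adds QR and usually RA), walks the question and answer sections including RFC 1035 name compression, and pairs queries with responses by transaction ID and swapped ports the way the flow graph does. The transaction ID, ports, name and address are constructed for the example, not captured.

```python
"""Added example, not from the lab sheet: dissect a UDP header and the DNS
message it carries, then pair queries with responses. The transaction ID,
ports, name and address below are constructed, not captured."""
import struct

DNS_PORT = 53


def parse_udp(datagram: bytes) -> dict:
    """UDP header is always 8 bytes: source port, destination port, length,
    checksum. Length counts header plus payload. A zero checksum over IPv4
    means the sender did not compute one."""
    src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError(f"UDP length field {length} != datagram size {len(datagram)}")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": csum, "payload": datagram[8:]}


def read_name(msg: bytes, off: int):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                    # 2-byte pointer into the message
            if end is None:
                end = off + 2                   # resume here after the jump
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (off if end is None else end)


def parse_dns(msg: bytes) -> dict:
    """DNS header, question section and A-record answers."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": tid,
           "qr": "response" if flags & 0x8000 else "query",
           "opcode": (flags >> 11) & 0xF,
           "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
           "rd": bool(flags & 0x0100),   # Recursion Desired: set by the stub resolver
           "ra": bool(flags & 0x0080),   # Recursion Available: set by the server
           "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:           # A record: dotted-quad address
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    return out


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


# Constructed query/response pair: client port 51000 -> resolver port 53, ID 0x1a2b.
QUESTION = encode_name("www.example.com") + struct.pack("!HH", 1, 1)          # A, IN
QUERY = udp(51000, DNS_PORT,
            struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + QUESTION)    # flags: RD
RESPONSE = udp(DNS_PORT, 51000,
               struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUESTION  # QR, RD, RA
               + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))


def pair_transactions(datagrams):
    """Match each response to its query as Wireshark's flow graph does: same
    transaction ID and the query's ports swapped. A resolver that accepted any
    response on a predictable ID alone would be open to cache poisoning, which
    is why IDs and source ports are randomized."""
    pending, pairs = {}, []
    for d in datagrams:
        u = parse_udp(d)
        m = parse_dns(u["payload"])
        if m["qr"] == "query":
            pending[(m["id"], u["src_port"], u["dst_port"])] = m
        else:
            q = pending.pop((m["id"], u["dst_port"], u["src_port"]), None)
            if q is not None:
                pairs.append((q, m))
    return pairs, list(pending.values())
```

For observation question 6, decode the flags of a captured query with parse_dns: the only flag set should be rd, because the client asks the resolver to chase the answer on its behalf rather than returning referrals.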

Internet Control Message Protocol

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages, such as the echo request and echo reply used by ping. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications. ICMP messages are carried directly inside IP: ICMPv4 is IP protocol number 1, while ICMPv6 (protocol number 58) is a separate protocol carried in IPv6.

Figure 15; ICMP Header Format

Figure 16; ICMP Message and Format
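The following Python program is an added example, not part of the lab sheet or of Wireshark, for the ICMP header of Figures 15 and 16. It builds an echo request and a destination-unreachable message from constructed bytes, computes the RFC 1071 Internet checksum that Wireshark validates in the ICMP detail pane (the same algorithm is used by the IPv4, TCP and UDP headers), and dissects the type-specific part of the header: identifier and sequence number for echo messages, and, for error messages, the quoted IP header plus first 8 bytes of the offending datagram, which is how the sending host matches the error to its own traffic. All addresses, identifiers and payloads are made up.

```python
"""Added example, not from the lab sheet: build and dissect ICMPv4 messages
with the RFC 1071 checksum. All addresses, identifiers and data are constructed."""
import struct

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, folded and complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, rest_of_header: bytes, payload: bytes = b"") -> bytes:
    """ICMP header: type (1 byte), code (1), checksum (2), 4 type-specific bytes."""
    body = rest_of_header + payload
    csum = internet_checksum(struct.pack("!BBH", msg_type, code, 0) + body)
    return struct.pack("!BBH", msg_type, code, csum) + body


def echo_request(ident: int, seq: int, data: bytes = b"abcdefghijklmnop") -> bytes:
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), data)


def parse_icmp(msg: bytes) -> dict:
    msg_type, code, _csum = struct.unpack("!BBH", msg[:4])
    out = {"type": msg_type, "code": code, "name": ICMP_TYPES.get(msg_type, "other"),
           # a message with a correct checksum sums to zero when checksummed again
           "checksum_ok": internet_checksum(msg) == 0}
    if msg_type in (0, 8):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data"] = msg[8:]
    elif msg_type in (3, 11):
        # Error messages quote the offending IP header plus the first 8 bytes of
        # its payload, enough to recover the transport ports of the original datagram.
        quoted = msg[8:]
        ihl = (quoted[0] & 0x0F) * 4
        out["code_name"] = (UNREACHABLE_CODES.get(code, "other") if msg_type == 3
                            else "ttl exceeded in transit")
        out["quoted_proto"] = quoted[9]
        out["quoted_dst"] = ".".join(str(b) for b in quoted[16:20])
        out["quoted_l4"] = quoted[ihl:ihl + 8]
    return out


# Constructed messages: a ping, and the port-unreachable that a host returns for
# a UDP probe to a closed port (what traceroute relies on when it reaches its target).
PING = echo_request(0x1234, 1)
QUOTED_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 7, 0, 1, 17, 0,   # TTL 1, proto 17 (UDP)
                        bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
QUOTED_UDP = struct.pack("!HHHH", 40000, 33434, 16, 0)
UNREACHABLE = build_icmp(3, 3, b"\x00\x00\x00\x00", QUOTED_IP + QUOTED_UDP)

if __name__ == "__main__":
    for m in (PING, UNREACHABLE):
        print(parse_icmp(m))
```

For observation questions 7 and 8: a ping produces type 8 and type 0 messages, an unreachable port produces type 3 with a code that says why, and the ICMP version is determined by the enclosing IP header (protocol 1 in IPv4 is ICMPv4), since the ICMP header itself carries no version field.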

Internet Group Management Protocol The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP is an integral part of IP multicast. IGMP can be used for one-to-many networking applications such as online streaming video and gaming, and allows more efficient use of resources when supporting these types of applications.

Figure 17; IGMP Packet Format

Figure 18; IGMP Packet Header Format Captured through Wireshark

Figure 19; Flow Graph for IGMP

Observation Scope: After observing the packet formats with their header fields, consider how a protocol analyzer like Wireshark can function as a network sniffer. Carefully analyze the different attributes captured in a stream and see what such fields contain: anything sent in cleartext (HTTP request lines, cookies, form fields, DNS names) is readable by anyone on the same broadcast segment or with access to a mirror port, exactly as it was readable to you here. Can you see what goes through an attacker's mind? Many other protocols such as IPv6, DHCP, ARP and more can also be observed using Wireshark; the procedure for capturing and analyzing them is the same as above.


Observation Sheet Experiment Name: Introduction to Wireshark and Protocol Analysis Procedure:

Observation Table:

S. No   Question                                                                                        Answer
1       What is the IP address used by the client computer?
2       What is the TCP port number used by the client computer?
3       What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection between the client computer and the destination?
4       What is the sequence number of the SYN-ACK segment sent by the destination to the client computer in reply to the SYN?
5       What is the length of the captured UDP packet header?
6       Which flag is set in a captured DNS query, and why?
7       What are the observed type(s) of ICMP message captured using Wireshark?
8       Which version of ICMP (ICMPv4 or ICMPv6) is used?

Suggestions (if any):

Name:

ID No.:

Date:

Signature
