
MIS 564 Wireshark Project Instructions (94 points)

Name: Sadanand A. Patil
Requirements:
When taking screenshots using ScreenHunter or other tools, only capture the area relevant to the question. Points will be deducted if the entire desktop area is copied.

Questions must be answered in your own words rather than with a screenshot, except when asked to take a screenshot specifically, of course.

You might need to use the Internet to study some of the concepts or terms in order to answer some of the questions.

Late Submission
Points will be deducted according to the following scheme for late submission:
1 day late: 10%
2 days late: 20%
3 days late: 30%
4 days late: 40%
5 days late: 50%
6 days late: 100%

In this project, you will use Wireshark to capture and analyze network packets. Wireshark is one of the most popular network protocol analyzers, and is the de facto standard that most professional and educational institutions use today. Wireshark enables you to see all packets sent and received by your computer.

Go to www.wireshark.org to download and install Wireshark.

Watch the Introduction to Wireshark video on the Wireshark documentation page: http://www.wireshark.org/docs/.

1. HTTP Packets

In this part of the project, you will use Wireshark to capture and analyze HTTP packets.
Start Wireshark.
Select a network interface (listed under Start). If multiple interfaces are listed, you need to select the one that is used for Internet access.
Click Start to start packet capturing.
Open a Web browser, visit a couple of Web sites that you haven't visited recently, such as http://www.uiaa.org/ or http://www.uis.edu/development/.
In Wireshark, stop packet capturing. (Click Capture on the menu bar, then Stop.)
In Wireshark, apply the HTTP filter to display HTTP packets only (explained in the Wireshark introduction video). Note that sites served over HTTPS will not show up under this filter: their requests and responses are encrypted and appear as TLS, so pick sites that are reachable over plain HTTP.
In the Packet List window, select the first HTTP packet (it should say HTTP rather than SSDP under the column Protocol).

The three windows in Wireshark are called the Packet List Window, Packet Detail Window, and Packet Content Window, respectively, in this document (see the picture below). The Packet List Window lists the packets captured by Wireshark. The Packet Detail Window shows the details, including the protocols used at each network layer, for the packet selected in the Packet List Window. The Packet Content Window shows the raw bytes of the selected packet in hexadecimal and ASCII.

[Screenshot: Wireshark's three windows]

1. With the first HTTP packet selected in the Packet List Window (it should say HTTP rather than SSDP under the column Protocol), copy the Packet List Window to your report using ScreenHunter or another screen capture tool. (See an example below.) Make sure that words in your screenshot are sufficiently large and easy to read. 5 points

[Screenshot: Packet List Window with the first HTTP packet selected]

2. With the first HTTP packet selected in the Packet List Window, expand the Internet Protocol and Transmission Control Protocol entries in the Packet Detail window (click on the + icon before the entries). Copy the entire Packet Detail window to your report. (See an example below.) Make sure that words in your screenshot are sufficiently large and easy to read. 5 points
Answer: [Screenshot: Packet Detail Window with the IP and TCP entries expanded]

3. What are the source and destination IP addresses of the packet? Is the packet an HTTP request or response message? Why? 5 points
Ans:

Source IP: 10.0.0.13 and Destination IP: 128.174.201.252
The packet is an HTTP request message. Its first line is a request line that begins with the method HEAD and ends with the version HTTP/1.1; a response would instead begin with a status line such as "HTTP/1.1 200 OK". The Packet Detail window also labels it as a request, and the direction agrees: it travels from the client (10.0.0.13, a private RFC 1918 address) to the server (128.174.201.252).

4. What is the transport layer protocol used in this packet? What are the source and destination port numbers? What is the length of the transport layer header? (Answers can be found in the Packet Detail Window.) 5 points

Transport layer protocol: TCP (Transmission Control Protocol)
Source port: 49447 (an ephemeral port chosen by the client)
Destination port: 80 (the well-known HTTP port)
Length of transport layer header: 20 bytes (the minimum TCP header, i.e. no TCP options)

5. What is the network layer protocol used in this packet? What is the length of the network layer header? What is the total length of the packet at the network layer? (Answers can be found in the Packet Detail Window.) 5 points

Network layer protocol: IPv4 (Internet Protocol version 4)
Header length: 20 bytes (the minimum IPv4 header, no options)
Total length: 164 bytes (IP header + TCP header + HTTP data, so the HTTP request itself is 164 - 20 - 20 = 124 bytes)

6. What is the data link layer protocol used in this packet? What are the source and destination data link layer addresses? (Answers can be found in the Packet Detail Window.) 5 points

Data link layer protocol: Ethernet
Source data link layer address: ac:7b:a1:e2:58:ab (this computer's NIC)
Destination data link layer address: c4:27:95:38:a9:6d (the default gateway, not the web server: 128.174.201.252 is not on the local network, and MAC addresses are rewritten at every hop while the IP addresses stay the same end to end)

7. What is the length of the entire frame? 3 points

Total length of the frame: 178 bytes (the 14-byte Ethernet header plus the 164-byte IP datagram; the 4-byte Ethernet frame check sequence is normally stripped by the NIC before capture, so Wireshark does not show it)
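Added worked example (not part of the assignment or of the submission above): the same fields that questions 3 to 7 read off the Packet Detail window, extracted from the raw frame bytes with Python's standard library, so that the layer arithmetic (14 + 20 + 20 + 124 = 178) can be checked rather than copied. The frame is constructed here with the sizes, addresses and ports listed in the answers above; the HEAD request text, the TCP sequence numbers and the IP identification field are assumed, and the TCP checksum is left unverified.

```python
import struct

ETH_HDR_LEN = 14          # destination MAC, source MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dissect(frame):
    """Return the per-layer fields of an Ethernet II / IPv4 / TCP frame."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")

    ip = frame[ETH_HDR_LEN:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ip_hdr_len = (ver_ihl & 0x0F) * 4       # IHL counts 32-bit words
    if ver_ihl >> 4 != 4 or ip_hdr_len < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    if proto != IPPROTO_TCP:
        raise ValueError(f"not TCP (IP protocol {proto})")

    tcp = ip[ip_hdr_len:total_len]          # bytes beyond total_len would be padding, not data
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    tcp_hdr_len = (off_flags >> 12) * 4     # data offset, also in 32-bit words
    if tcp_hdr_len < 20 or tcp_hdr_len > len(tcp):
        raise ValueError("malformed TCP header")
    payload = tcp[tcp_hdr_len:]

    # A request starts with a method token (HEAD, GET, ...); a response starts with "HTTP/".
    first_token = payload.split(b" ", 1)[0]
    if payload.startswith(b"HTTP/"):
        kind = "response"
    elif first_token.isalpha() and first_token.isupper():
        kind = "request"
    else:
        kind = "unknown"

    return {
        "frame_len": len(frame),
        "eth": {"src": mac_str(src_mac), "dst": mac_str(dst_mac)},
        "ip": {"src": ip_str(src_ip), "dst": ip_str(dst_ip), "ttl": ttl,
               "hdr_len": ip_hdr_len, "total_len": total_len,
               "checksum_ok": ip_checksum(ip[:ip_hdr_len]) == 0},
        "tcp": {"sport": sport, "dport": dport, "hdr_len": tcp_hdr_len,
                "seq": seq, "ack": ack, "flags": off_flags & 0x1FF},
        "payload_len": len(payload),
        "http_kind": kind,
    }


def build_sample_frame():
    """Constructed frame with the captured packet's sizes: 14 + 20 + 20 + 124 = 178 bytes.
    Addresses and ports are the ones from the answers above; the request text is assumed."""
    payload = (b"HEAD / HTTP/1.1\r\n"
               b"Host: www.uis.edu\r\n"
               b"User-Agent: Mozilla/5.0\r\n"
               b"Accept: */*\r\n"
               b"Connection: keep-alive\r\n"
               b"Accept-Language: en-US\r\n"
               b"\r\n")
    tcp = struct.pack("!HHIIHHHH", 49447, 80, 1, 1, (5 << 12) | 0x018,  # PSH,ACK
                      65535, 0, 0)          # TCP checksum left at 0 (not verified here)
    total_len = 20 + len(tcp) + len(payload)
    src_ip, dst_ip = bytes([10, 0, 0, 13]), bytes([128, 174, 201, 252])
    fields = [0x45, 0, total_len, 0x1C46, 0x4000, 64, IPPROTO_TCP, 0, src_ip, dst_ip]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    eth = (bytes.fromhex("c4279538a96d") + bytes.fromhex("ac7ba1e258ab")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip_hdr + tcp + payload


if __name__ == "__main__":
    for layer, fields in dissect(build_sample_frame()).items():
        print(layer, fields)
```

The checks in dissect() are the ones a capture tool has to make before trusting a frame: the IHL and data-offset fields are read from the packet, so a malformed packet can claim a header longer than the bytes that follow it, and the IP total length can be smaller than the captured frame (Ethernet pads short frames to 60 bytes).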

2. SMTP and POP Packets

In this part of the project, you will use Wireshark to analyze email packets. Two Wireshark files, SMTP_Capture.pcap and POP3_Capture.pcap, that contain SMTP and POP3 packets are posted on the course site. Download the files to your computer.

The SMTP packet file contains packets sent between an email client (IP address: 192.168.1.100) and server (IP address: 128.196.40.4) where the client sent an email to the server. Packet 8 is the start of the email that identifies the sender.
Do some research on the Internet about SMTP commands. In Wireshark, these commands are listed under the Info column.

In Wireshark, open the SMTP packet file.

Clear the HTTP filter if it's still there.

2.1. Do some research on the Internet and explain the concept of the Three-Way TCP handshake in a short paragraph. 5 points

A three-way TCP handshake is the procedure that opens a connection between a client and a server. Each side picks an initial sequence number (ISN) and acknowledges the other side's ISN, so that when the handshake finishes both sides agree the connection is open in both directions and know where each byte stream starts. It takes three segments, exchanged before any application data is sent:

- The client sends a SYN segment (SYN flag set, sequence number = client ISN) to the server's IP address and port, asking to open a connection.
- If the server has a process listening on that port, it replies with a SYN/ACK segment: its own ISN in the sequence number field and the client's ISN + 1 in the acknowledgment number field. A closed port answers with RST instead.
- The client receives the SYN/ACK and answers with an ACK segment whose acknowledgment number is the server's ISN + 1. The connection is now established and data can flow in both directions.

2.2. Using ScreenHunter or another screen capture tool, copy the first three TCP packets from the Packet List window in Wireshark. The three packets form the TCP handshake process. Examine information in the Packet Detail window. List the source IP address, source port number, destination IP address, and destination port number of the three TCP packets. 5 points

[Screenshot: the first three TCP packets in the Packet List window]

Packet   | Source IP address | Source Port | Destination IP address | Destination Port
SYN      | 192.168.1.100     | 55012       | 128.196.40.4           | 25
SYN/ACK  | 128.196.40.4      | 25          | 192.168.1.100          | 55012
ACK      | 192.168.1.100     | 55012       | 128.196.40.4           | 25

The client uses the ephemeral port 55012 and the server listens on port 25, the standard SMTP port. The second packet has the addresses and ports reversed because it is the server's reply.
Packet 14 contains the first part of the email message that the user wrote.

2.3. List the SMTP packets that were sent from the client to the server before packet 14. (Hint: In the Packet List window, packets sent from client to server are marked C: in the Info field.) Explain the purpose of each packet. (You might need to do some research on the Internet on the meaning of SMTP commands, such as EHLO in packet 5). 5 points

Packet 5: EHLO. The client greets the server, identifies itself by host name, and asks for the list of extended SMTP features the server supports (the server's 250 reply lists them).
Packet 8: MAIL FROM. Identifies the sender, i.e. the envelope sender to which bounces are returned.
Packet 10: RCPT TO. Provides the recipient's address; the command is repeated once per recipient.
Packet 12: DATA. Announces that the message itself (headers and body) follows; the server answers 354 and then accepts lines until a line containing only a period.
Packet 14 is then the first segment of the message, which is sent in several packets because it does not fit in one Ethernet frame.

2.4. The SMTP command for sending the message body of an email is DATA (listed under the Info column in Wireshark). The message body is usually broken down into multiple packets because it is too big to fit into one packet. Starting from packet 14, how many packets was the email message broken down into and sent from the client to the server? List the packet numbers. 5 points

The email message was broken down into three packets: 14, 15 and 17. Packet 16, which lies between them, is not one of the message segments sent by the client.

The POP3 packet file contains packets sent between an email client (IP address: 128.196.239.91) and server (IP address: 128.192.40.4) where the client retrieved an email from the server.

Do some research on the Internet about POP3 commands. In Wireshark, these commands are listed under the Info column.

In Wireshark, open the POP3 packet file.

2.5. What is the port number for POP3 on the email server? (The information can be found in any POP packet.) 3 points

The port number for POP3 on the email server is 110, the standard port for unencrypted POP3 (POP3 over TLS, POP3S, uses port 995).
2.6. Have the user's user name and password been captured by Wireshark? If yes, what are they? 3 points

Yes, they have. POP3 sends the USER and PASS commands in cleartext, so anyone who can capture the traffic reads them straight from the Info column:

User name: teacher
Password: just4teacher

This is why plain POP3 on port 110 should not be used without upgrading the session with STLS, or should be replaced by POP3S on port 995; the same applies to SMTP logins sent without STARTTLS.
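Added worked example (not part of the assignment or of the submission): a small state machine that walks the client/server entries of an SMTP session and a POP3 session, as they appear in Wireshark's Info column with the C:/S: markers mentioned in 2.3, and pulls out what questions 2.3, 2.4 and 2.6 ask for: the command sequence, the envelope sender and recipients, the number of packets carrying the message after DATA, and the login credentials. The SMTP transcript is constructed (host names, addresses and the AUTH PLAIN line are made up; the base64 blob decodes to "\0student\0secret"); the POP3 transcript uses the credentials captured above with assumed server replies. Both parsers also report whether STARTTLS/STLS was ever negotiated, which is the condition under which none of this would have been readable.

```python
import base64
import re

_DIR = re.compile(r"^([CS]):\s?(.*)$", re.S)


def split_dir(entry):
    """'C: EHLO x' -> ('C', 'EHLO x'), mirroring the C:/S: markers in the Info column."""
    m = _DIR.match(entry)
    if not m:
        raise ValueError(f"entry lacks a C:/S: marker: {entry!r}")
    return m.group(1), m.group(2)


def _angle_addr(arg):
    """'FROM:<a@b>' -> 'a@b' (the envelope address inside the angle brackets)."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.split(":", 1)[-1].strip()


def _decode_auth(arg):
    """AUTH PLAIN carries '\\0user\\0password' in base64: encoded, not encrypted."""
    mech, _, blob = arg.partition(" ")
    cred = {"mechanism": mech.upper(), "user": None, "password": None}
    if cred["mechanism"] == "PLAIN" and blob:
        parts = base64.b64decode(blob).split(b"\0")
        if len(parts) >= 2:
            cred["user"] = parts[-2].decode("utf-8", "replace")
            cred["password"] = parts[-1].decode("utf-8", "replace")
    return cred


def parse_smtp(entries):
    """Track the SMTP command/reply state machine over the entries of one session."""
    s = {"helo": None, "mail_from": None, "rcpt_to": [], "commands": [],
         "body_packets": 0, "body": [], "queued": False, "tls": False, "auth": None}
    in_data = awaiting_queue = False
    for entry in entries:
        who, text = split_dir(entry)
        if who == "S":
            if text.startswith("354"):                 # server: go ahead, send the message
                in_data = True
            elif awaiting_queue and text.startswith("250"):
                s["queued"], awaiting_queue = True, False
            continue
        if in_data:                                    # message fragments, one per packet
            s["body_packets"] += 1
            s["body"].append(text)
            if text == "." or text.endswith("\r\n."):  # terminator: a line holding only "."
                in_data, awaiting_queue = False, True
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        s["commands"].append(verb)
        if verb in ("EHLO", "HELO"):
            s["helo"] = arg
        elif verb == "MAIL":
            s["mail_from"] = _angle_addr(arg)
        elif verb == "RCPT":
            s["rcpt_to"].append(_angle_addr(arg))
        elif verb == "STARTTLS":
            s["tls"] = True                            # everything after this would be encrypted
        elif verb == "AUTH":
            s["auth"] = _decode_auth(arg)
    return s


def parse_pop3(entries):
    """Pull the login and the retrieved message numbers out of a POP3 session."""
    p = {"user": None, "password": None, "logged_in": False, "retrieved": [], "tls": False}
    last = None
    for entry in entries:
        who, text = split_dir(entry)
        if who == "S":
            if last == "PASS" and text.startswith("+OK"):
                p["logged_in"] = True                  # the server accepted the password
            continue
        verb, _, arg = text.partition(" ")
        verb = last = verb.upper()
        if verb == "USER":
            p["user"] = arg
        elif verb == "PASS":
            p["password"] = arg
        elif verb == "RETR":
            p["retrieved"].append(int(arg))
        elif verb == "STLS":
            p["tls"] = True
    return p


# Constructed SMTP session. The message is split into three client packets, like
# packets 14, 15 and 17 in the capture; the last one ends with the "." terminator.
SMTP_SESSION = [
    "S: 220 mail.example.com ESMTP",
    "C: EHLO client.example.com",
    "S: 250-mail.example.com\r\n250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN AHN0dWRlbnQAc2VjcmV0",
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<student@example.com>",
    "S: 250 2.1.0 Ok",
    "C: RCPT TO:<teacher@example.com>",
    "S: 250 2.1.5 Ok",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
    "C: From: student@example.com\r\nTo: teacher@example.com\r\nSubject: Project\r\n",
    "C: Hello,\r\n\r\nplease find my Wireshark report attached.\r\n",
    "C: Regards\r\n.",
    "S: 250 2.0.0 Ok: queued as 4F1E2",
    "C: QUIT",
    "S: 221 2.0.0 Bye",
]

# POP3 login with the credentials captured in 2.6; the server replies are assumed.
POP3_SESSION = [
    "S: +OK POP3 server ready",
    "C: USER teacher",
    "S: +OK",
    "C: PASS just4teacher",
    "S: +OK Logged in.",
    "C: STAT",
    "S: +OK 1 1344",
    "C: RETR 1",
    "S: +OK 1344 octets",
    "C: QUIT",
    "S: +OK Bye",
]

if __name__ == "__main__":
    print(parse_smtp(SMTP_SESSION))
    print(parse_pop3(POP3_SESSION))
```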
3. DNS Packets

In this part of the project, you will use Wireshark to capture and analyze DNS query and response packets.

3.1. What is the Domain Name System? How are domain names resolved on the Internet? Answer each question in a short paragraph. Must answer in your own words. 5 points

The Domain Name System (DNS) is the distributed, hierarchical database that translates domain names into IP addresses (and holds other records, such as the names of a domain's mail servers). Hosts on the Internet are addressed by IP address, but names are easier for people to remember and let a site change its address without changing what users type, so every time you use a domain name a DNS lookup must translate it into the corresponding IP address.

Domain name resolution is the process of converting a domain name into the corresponding IP address. When you enter a domain name in an application that uses the Internet, the application asks the operating system's resolver to convert the name into an IP address and then connects to that address. The resolver first checks the local HOSTS file, whose entries override anything a DNS server would return, and its own cache of recent answers. If neither has the name, it sends a query to the DNS server configured on your computer (usually the ISP's or the organization's recursive resolver). If that server does not have the answer cached, it walks the hierarchy on your behalf: it asks a root server, which refers it to the servers for the top-level domain (for example .edu), which refer it to the authoritative servers for the domain, which return the record. The answer is cached for the record's time to live and returned to your computer.

3.2. Open a command prompt window. Run the command ipconfig /all to find the IP addresses of your computer and its DNS server. List both IP addresses. 5 points

IPv4 address: 10.0.0.13
IPv6 address: fe80::6c02:61b9:d122:272f%4 (a link-local address; the %4 suffix is the interface index, not part of the address)
DNS servers: 75.75.75.75
75.75.76.76
Open a Web browser, visit the University of Chicago Web site http://www.uchicago.edu/. (Do not click on anything once the page is loaded.) Close all other tabs/windows in your Web browser and stop any media streaming services, if applicable.
In the command prompt window, run the command ipconfig /flushdns to clear the DNS cache on your computer.
Start packet capturing in Wireshark. Select continue without saving if prompted.

Go back to the Web browser, reload the University of Chicago home page (look for the reload/refresh button in or around the address box). Do not visit any other Web sites.
Stop packet capturing in Wireshark.
The rest of the questions in this section are based on packets captured in the above steps.

3.3. In Wireshark, apply a DNS filter to display DNS packets only. Locate the two packets for www.uchicago.edu (one query packet and one response packet). Take a screenshot of the two packets in the Packet List Window (see an example below). Make sure that words in your screenshot are sufficiently large and easy to read. The example below shows the DNS packets for the City of Springfield Web site. Notice that it says Standard query and Standard query response under the Info column, and the query ID, 0x35ec, matches in the two packets. 5 points

[Screenshot: DNS query and response packets for www.uchicago.edu]

3.4. What are the source and destination IP addresses of the two DNS packets that you captured? Compare them to those that you found in question 3.2. 5 points

Answer:

Packet                                           | Source IP address | Destination IP address
Standard query DNS packet (packet 74)            | 10.0.0.13         | 75.75.75.75
Standard query response DNS packet (packet 75)   | 75.75.75.75       | 10.0.0.13

The source IP address of the query is the computer's IPv4 address from 3.2, and its destination is the first DNS server listed by ipconfig /all (75.75.75.75). The response has them reversed: it comes from that DNS server and is addressed back to the computer. The second configured server (75.75.76.76) does not appear, since the first one answered.

3.5. With the second DNS packet (the response packet) selected in the Packet List window, expand the Domain Name System entry and its Answers sub-entry in the Packet Detail window. Take a screenshot of the Packet Detail window (see an example below). Make sure that words in your screenshot are sufficiently large and easy to read. 5 points

[Screenshot: Packet Detail Window with the Domain Name System and Answers entries expanded]

3.6. Explain the following items in the Answers sub-entry in the DNS response packet: Name, Type, Class, Time to live, Address. (You might need to do some research on the Internet.) 5 points

Name: www.uchicago.edu
The domain name that this resource record describes; it matches the name asked for in the query.

Type: A (host address), code 1
The resource record type. Type A maps a name to an IPv4 address. Other common types are AAAA (IPv6 address), CNAME (alias for another name), MX (mail server) and NS (name server). The query and the response carry the same type and class codes.

Class: IN (0x0001)
The class code of the record. IN means Internet; it is the only class in normal use today.

Time to live: 33
The number of seconds a resolver may keep this answer in its cache before it must ask again. A value as small and odd as 33 is most likely the remaining lifetime of a record that the recursive server already had cached, not the authoritative TTL. Caching reduces load and latency; a short TTL lets a site change addresses quickly at the cost of more queries.

Address: 198.101.129.15
The IPv4 address that www.uchicago.edu resolves to. This is the address the browser connects to next; the record says nothing about the physical location of the machine.

3.7. What is the transport layer protocol used for the DNS response packet? Why does DNS typically use this protocol as the transport layer protocol? (You might need to do some research on the Internet.) 5 points

The transport layer protocol used for the DNS response packet is UDP (User Datagram Protocol), on port 53.
DNS uses UDP because a lookup is one short request and one short response, each of which fits in a single datagram. UDP has no connection setup, so a lookup costs one round trip instead of a three-way handshake followed by the query, and the server keeps no per-client state, which matters for servers answering millions of queries. If a response is lost the resolver simply retries, so TCP's reliability is not needed in the common case. DNS falls back to TCP when a response is too large for a UDP datagram (the server sets the truncated, TC, bit and the client repeats the query over TCP) and for zone transfers between servers.
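Added worked example (not part of the assignment or of the submission): a DNS message builder and parser in Python's standard library covering what 3.3 to 3.7 examine: the transaction ID that ties the query to its response, the question and answer sections with Name, Type, Class, Time to live and Address, name compression (the answer's name is a pointer back to the question, which is why the response is so small), and the TC bit that triggers the fallback to TCP. The query/response pair is constructed for www.uchicago.edu with the address and TTL from 3.6; the transaction ID is assumed. response_matches() is the check a resolver must perform before accepting a UDP answer, and the test shows a forged response with the wrong ID or the wrong question being rejected.

```python
import struct

TYPE_A, CLASS_IN = 1, 1
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}
HEADER = "!HHHHHH"        # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """'www.uchicago.edu' -> b'\\x03www\\x08uchicago\\x03edu\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    """Standard query, recursion desired, one question of type A / class IN."""
    return (struct.pack(HEADER, txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN))


def build_response(txid, name, address, ttl):
    """Standard query response (QR, RD, RA set) with one A record. The answer's
    name is a compression pointer (0xC00C) back to the question at offset 12,
    exactly as real servers emit it."""
    header = struct.pack(HEADER, txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(x) for x in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past the field)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if end is None:
                end = off + 2                          # the pointer ends this field
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:                              # malformed or adversarial pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_message(msg):
    """Dissect the fields the Packet Detail window shows for a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(HEADER, msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype),
                          "class": "IN" if qclass == CLASS_IN else qclass})
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        rec = {"name": name, "type": TYPE_NAMES.get(rtype, rtype),
               "class": "IN" if rclass == CLASS_IN else rclass, "ttl": ttl}
        if rtype == TYPE_A and rdlen == 4:
            rec["address"] = ".".join(str(b) for b in rdata)
        answers.append(rec)
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200),           # TC set: repeat the query over TCP
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def response_matches(query, response):
    """What a resolver must check before accepting an answer that arrived over UDP:
    same transaction ID and the same question. Real resolvers also check the
    source port and server address; a forged packet that passes these checks
    is a cache-poisoning attempt."""
    q, r = parse_message(query), parse_message(response)
    return (not q["is_response"] and r["is_response"]
            and q["id"] == r["id"] and q["questions"] == r["questions"])


if __name__ == "__main__":
    # Constructed pair for the capture in 3.3-3.6; the transaction ID is assumed.
    query = build_query(0x35EC, "www.uchicago.edu")
    reply = build_response(0x35EC, "www.uchicago.edu", "198.101.129.15", 33)
    print(parse_message(reply))
    print("matches:", response_matches(query, reply))
```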
