Post on 21-Apr-2015

107 views

Category:

Documents


7 download

TRANSCRIPT

Page 1: Project Wireshark Packet Analyzer

Lab Project

Analyzing Ethernet using Wireshark Packet Analyzer and DOS Commands

Developed by: Dr. Natarajan Meghanathan

In this project, you will analyze the local Ethernet and the Internet with the Wireshark (other name: Ethereal) packet analyzer and DOS commands.

For better analysis, I recommend going to the Computer Networks Lab (AT&T Lab) and working on the project there.

The Wireshark analyzer is available for free at www.wireshark.org/

You will learn and analyze the following three protocols in this section of the project:

(1) Domain Name Service - DNS
(2) Dynamic Host Configuration Protocol - DHCP
(3) Hyper Text Transfer Protocol - HTTP

DHCP

The main motivation behind DHCP is to enable individual computers in an IP network to obtain their configuration information (predominantly the IP address) from a server called the DHCP server. The DHCP server has no exact information about the individual computers until they request the information. Using DHCP, a machine can be assigned a dynamic IP address each time it boots up.

GETTING STARTED WITH WIRESHARK

1) When you start Wireshark, the following GUI will appear:

2) To start capturing packets, pull down the Capture menu and click Options. It will display a GUI similar to this.

3) Make sure you are using the correct network interface card, the one connected to the network (Ethernet) whose packets you want to capture. Then click Start.

4) The packet capture begins and a window something like this will appear.

5) After doing the required tasks as mentioned in the project question, stop packet capturing by pressing the stop button in the packet capture screen. The main Wireshark window with some packet information will appear (sample shown below). The window will have three parts as illustrated in the figure:

Questions Pertaining to HTTP Protocol

1) Start up the Wireshark packet analyzer.

2) Enter the following URL into your Internet Explorer browser:
http://www.jsums.edu/cms/reu/2010/html/photos2010.html

3) After the web page is loaded, stop Wireshark.

4) You will get the main window with packet information similar to this:

[Figure: main Wireshark window, with its three panes labelled "Listing of captured packets", "Details of selected packet" and "Packet content in Hexadecimal/ASCII"]

5) Type http in the Filter field in the above screen. You will now get only the packet information pertaining to the HTTP protocol.

6) Select each packet in the top section of the window, and click on the + in the packet details section to see the details of the packet headers corresponding to each layer.

Find the IP address of your machine using the ipconfig DOS command.

In the filter field on the packet screen, enter ip.addr==YOUR_IP_ADDRESS && http, where YOUR_IP_ADDRESS is the IP address of your machine. Note that there are two “=” symbols.

After analyzing each packet in the trace, answer the following questions:
(Include Screenshots for each of your answers)

1) Is your browser using HTTP version 1.0 or 1.1?
2) What are the accepted languages of your browser?
3) What is the IP address of the HTTP server your machine is trying to contact?
4) When was the html file you are trying to retrieve last modified at the server?
5) What is the HTTP response code returned by the server?
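To show where the answers to the five questions above come from in the bytes, here is an added example in Python (not part of the handout) that parses a constructed GET request and its response of the kind you see after applying the http filter: the HTTP version and Accept-Language header from the request, the status code and Last-Modified header from the response. The request, response, dates and header values are made up for this example. The server's IP address (question 3) is carried in the IP header, not in HTTP, so it is read from Wireshark's IP layer (ip.dst) rather than from this parser.

```python
"""Extract the fields the HTTP questions ask about from a captured request and response.

Constructed sample data: the request/response below are made up for this example
and were not taken from a capture of the lab's web page.
"""

# Constructed sample: a browser GET request as it appears on the wire.
SAMPLE_REQUEST = (
    b"GET /cms/reu/2010/html/photos2010.html HTTP/1.1\r\n"
    b"Host: www.jsums.edu\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed sample: the server's reply, headers plus a short body.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 12:00:00 GMT\r\n"
    b"Server: Apache (constructed sample)\r\n"
    b"Last-Modified: Tue, 15 Jun 2010 09:30:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"<html>constructed body</html>"
)


def parse_http_message(raw: bytes) -> dict:
    """Split an HTTP/1.x message into start line, headers (names lower-cased) and body.

    The empty line (CRLF CRLF) separates headers from body; it is the same boundary
    Wireshark draws between the header tree and the data bytes.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no blank line ending the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        # A repeated header is joined with a comma, as HTTP/1.1 allows.
        headers[key] = headers[key] + ", " + value if key in headers else value
    return {"start_line": lines[0], "headers": headers, "body": body}


def request_summary(raw: bytes) -> dict:
    """Request side: method, target, HTTP version (question 1) and Accept-Language (question 2)."""
    msg = parse_http_message(raw)
    method, target, version = msg["start_line"].split(" ", 2)
    return {"method": method, "target": target, "version": version,
            "accept_language": msg["headers"].get("accept-language")}


def response_summary(raw: bytes) -> dict:
    """Response side: status code (question 5) and Last-Modified (question 4)."""
    msg = parse_http_message(raw)
    parts = msg["start_line"].split(" ", 2)
    version, code = parts[0], parts[1]
    reason = parts[2] if len(parts) > 2 else ""        # reason phrase may be absent
    declared = int(msg["headers"].get("content-length", "0"))
    return {"version": version, "status_code": int(code), "reason": reason,
            "last_modified": msg["headers"].get("last-modified"),
            "content_length": declared, "body_bytes": len(msg["body"]),
            "body_complete": declared == len(msg["body"])}


if __name__ == "__main__":
    print(request_summary(SAMPLE_REQUEST))
    print(response_summary(SAMPLE_RESPONSE))
```

The body_complete check compares the declared Content-Length with the bytes actually present; in a capture, a mismatch means the response was spread over several TCP segments (Wireshark reassembles these for you) or was cut off.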

DNS

Domain Name Service is used to resolve hostnames into IP addresses. Normally, we remember only the names of machines, like ccaix.jsums.edu, not their IP addresses. But if your machine wants to contact another machine on the Internet, it needs to know the IP address of that machine. The software that does this translation of computer names into equivalent IP addresses is called DNS software, and the database that stores this translation information is called the DNS database. The DNS database is distributed across the Internet in multiple name servers. A client contacts a name server, which may contact another name server until the name gets resolved.

1) Start Wireshark. Make sure the filter field in the packet screen is empty.
2) Load the webpage www.rediff.com
3) Stop Wireshark.

Find the IP address of your machine using the ipconfig DOS command.

In the filter field on the packet screen, enter ip.addr==YOUR_IP_ADDRESS && http, where YOUR_IP_ADDRESS is the IP address of your machine. Note that there are two “=” symbols.

You will get a screen similar to the sample shown below:

Answer the following questions:
(Include Screenshots for each of your answers):

1) Locate the DNS query and response messages. Are they sent over UDP or TCP?
2) What is the destination port for the DNS query message? What is the source port of the DNS response message?
3) To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your local DNS server. Are these two IP addresses the same?
4) Examine the DNS response message. How many “answers” are provided? What does each of these answers contain?
5) This webpage contains images. Before retrieving each image, does your host issue new DNS queries? Why do you think it behaves like that?
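Questions 1 to 4 above are answered by reading the UDP header and the DNS message structure that Wireshark decodes for you. The following is an added example in Python (not part of the handout) that builds a constructed query and response for www.rediff.com, wraps each in a UDP header, and decodes them back: the ports, the QR bit that separates query from response, the question, and each answer, including the name-compression pointers that real responses use. The transaction id, the CNAME target cdn.example.net, the 192.0.2.x addresses and the client port 51000 are made up for the example. In Wireshark, the display filter that isolates this traffic is dns.

```python
"""Decode a DNS query/response carried in UDP, as the DNS questions ask you to read off in Wireshark.
Constructed sample data: transaction id, the CNAME target cdn.example.net and the 192.0.2.x
addresses are made up for this example (documentation ranges), not real lookups."""
import struct

DNS_PORT = 53
TYPE_NAMES = {1: "A", 5: "CNAME"}


def encode_name(name: str) -> bytes:
    """Hostname -> DNS label format: each label length-prefixed, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_sample_query(txid: int) -> bytes:
    """Constructed query for www.rediff.com: type A, class IN, recursion desired (flags 0x0100)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name("www.rediff.com") + struct.pack("!HH", 1, 1)


def build_sample_response(txid: int) -> bytes:
    """Constructed response: one CNAME plus two A records, using name compression like real servers do."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 0)   # QR=1 RD=1 RA=1; 1 question, 3 answers
    msg = header + encode_name("www.rediff.com") + struct.pack("!HH", 1, 1)
    cname_rdata = encode_name("cdn.example.net")
    msg += struct.pack("!H", 0xC000 | 12)                        # owner name = pointer to qname at offset 12
    msg += struct.pack("!HHIH", 5, 1, 300, len(cname_rdata))      # type CNAME, class IN, TTL, RDLENGTH
    cname_offset = len(msg)                                       # where the CNAME target is stored
    msg += cname_rdata
    for ip in ("192.0.2.10", "192.0.2.11"):
        msg += struct.pack("!H", 0xC000 | cname_offset)           # owner name = pointer to the CNAME target
        msg += struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return msg


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """8-byte UDP header; a zero checksum means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_udp(datagram: bytes) -> dict:
    src, dst, length, _checksum = struct.unpack_from("!HHHH", datagram, 0)
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    return {"src_port": src, "dst_port": dst, "payload": datagram[8:]}


def decode_name(msg: bytes, offset: int) -> tuple:
    """Read a name that may use compression pointers; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # top two bits set: 14-bit pointer follows
            if not jumped:
                end = offset + 2                   # the pointer is the last thing in the original stream
            jumped, hops = True, hops + 1
            if hops > 64:                          # hostile data could point in a loop
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_dns(payload: bytes) -> dict:
    """Header, question section and answer section of a DNS message."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", payload, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        qtype, _qclass = struct.unpack_from("!HH", payload, offset)
        offset += 4
        questions.append({"name": name, "type": TYPE_NAMES.get(qtype, qtype)})
    for _ in range(ancount):
        name, offset = decode_name(payload, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", payload, offset)
        offset += 10
        if rtype == 1 and rdlen == 4:
            data = ".".join(str(b) for b in payload[offset:offset + 4])
        elif rtype == 5:
            data, _ = decode_name(payload, offset)
        else:
            data = payload[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append({"name": name, "type": TYPE_NAMES.get(rtype, rtype), "ttl": ttl, "data": data})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    # Client picks an ephemeral source port (constructed: 51000) and sends to 53; the reply comes back from 53.
    for dgram in (build_udp(51000, DNS_PORT, build_sample_query(0x1A2B)),
                  build_udp(DNS_PORT, 51000, build_sample_response(0x1A2B))):
        udp = parse_udp(dgram)
        print(udp["src_port"], "->", udp["dst_port"], parse_dns(udp["payload"]))
```

The hop limit in decode_name matters when the bytes come from an untrusted source: a pointer that refers back to itself would otherwise keep the parser spinning, which is exactly the kind of malformed packet a resolver or a sniffer has to tolerate.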

DHCP

1) Make sure the filter field in the packet screen is initially empty.
2) Start Wireshark.
3) Open the Windows command prompt. Type ipconfig /release and press Enter.
4) Type ipconfig /renew and press Enter.
5) Stop Wireshark.

Answer the following questions by analyzing the packet screen:
(Include Screenshots for each of your answers):

1) What is the IP address and Ethernet address of the DHCP server that offers the IP address to your machine?
2) Are DHCP messages sent over UDP or TCP? Why?
3) What are the port numbers used by the DHCP server and your machine?
4) What is the IP address and Ethernet address of your machine at the end of the process?
5) What are the four messages exchanged between the DHCP server and your client, and in what order?
6) What is the subnet mask of the network in which your machine is located?
7) What is the renewal time value set by the DHCP server for the IP address assigned to your machine?
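The DHCP section describes the server handing out configuration, and questions 1, 4, 6 and 7 above are answered by fields in the DHCP message itself: the fixed BOOTP header (client hardware address, assigned address) and the option list (message type, server identifier, subnet mask, lease and renewal timers). The following is an added example in Python (not part of the handout) that builds a constructed DHCPACK and decodes it. The MAC address, the 192.168.1.x addresses, the transaction id and the timer values are made up; the port numbers 67 and 68 and the option codes are the standard ones.

```python
"""Decode a DHCP message (BOOTP fixed header + options), the fields the DHCP questions ask for.
Constructed sample data: the MAC address, the 192.168.1.x addresses and the timers in
build_sample_ack() are made up for this example, not taken from a real lease."""
import ipaddress
import struct

DHCP_SERVER_PORT = 67          # the server listens here (UDP)
DHCP_CLIENT_PORT = 68          # the client listens here (UDP)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Option 53 values. A normal lease runs DISCOVER -> OFFER -> REQUEST -> ACK.
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_sample_ack(xid: int) -> bytes:
    """Constructed DHCPACK: server 192.168.1.1 assigns 192.168.1.50 to client 00:11:22:33:44:55."""
    client_mac = bytes.fromhex("001122334455")
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                       # transaction id, secs, flags (unicast)
        bytes(4),                        # ciaddr
        ip4("192.168.1.50"),             # yiaddr: the address being assigned
        ip4("192.168.1.1"),              # siaddr
        bytes(4),                        # giaddr
        client_mac.ljust(16, b"\x00"),   # chaddr, padded to 16 bytes
        bytes(64), bytes(128),           # sname, file
    )
    options = (
        bytes([53, 1, 5])                                  # message type = ACK
        + bytes([54, 4]) + ip4("192.168.1.1")              # server identifier
        + bytes([1, 4]) + ip4("255.255.255.0")             # subnet mask
        + bytes([3, 4]) + ip4("192.168.1.1")               # router
        + bytes([51, 4]) + struct.pack("!I", 86400)        # lease time (s)
        + bytes([58, 4]) + struct.pack("!I", 43200)        # renewal time T1 (s)
        + bytes([59, 4]) + struct.pack("!I", 75600)        # rebinding time T2 (s)
        + bytes([255])                                     # end of options
    )
    return fixed + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> dict:
    """Walk the TLV option list after the magic cookie; code 0 is a pad byte, 255 ends the list."""
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:
            return options
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated DHCP option")
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("DHCP options without an END (255) option")


def parse_dhcp(packet: bytes) -> dict:
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack_from("!BBBBIHH", packet, 0)
    opts = parse_options(packet)

    def as_ip(code):
        return str(ipaddress.IPv4Address(opts[code])) if code in opts else None

    def as_u32(code):
        return struct.unpack("!I", opts[code])[0] if code in opts else None

    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": xid,
        "message_type": MESSAGE_TYPES.get(opts[53][0]) if 53 in opts else None,
        "client_mac": packet[28:28 + hlen].hex(":"),     # chaddr, hlen bytes of it
        "your_ip": str(ipaddress.IPv4Address(packet[16:20])),
        "server_id": as_ip(54),
        "subnet_mask": as_ip(1),
        "router": as_ip(3),
        "lease_time": as_u32(51),
        "renewal_time": as_u32(58),
        "rebinding_time": as_u32(59),
    }


if __name__ == "__main__":
    print(parse_dhcp(build_sample_ack(0x3903F326)))
```

The server's Ethernet address (question 1) is not a DHCP field: it is the source MAC in the Ethernet frame that carries the OFFER, so read it from Wireshark's Ethernet layer, while the server identifier option gives its IP address.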

DOS Commands and Utilities

The DOS commands we will be studying are: ping, tracert, arp, ipconfig, nslookup, route, netstat and finger.

To get an idea of the commands, refer to the documentation (Help Module) included after the questions on the next page.

Submission: In addition to presenting the results, show how you tried to answer each of the questions by capturing the DOS screen using the PrintScreen key on your keyboard and then pasting it into the Paint Brush application on your PC. Save the picture as a jpeg file and present the picture in your submission report.

1. Submit a hardcopy of your report in class.
2. Compress your report into a zip file and send it to me in an email.

Questions:
(5 Points Each)

1. Use an efficient algorithm and any one of the above command tools to find the maximum data size that can be handled by the physical network to which your computer is attached.

2. Use the ping command to determine how long it takes for a request packet with data size 50 bytes to reach a website operated from India: www.sify.com. Try sending another request packet of data size 1200 bytes to the same website and observe the delay it takes this time. Compare the delays you observed in the two cases. Are they significantly different? If so, why? If not, why is there no significant difference?

3. Find the number of hops and the corresponding delay it takes to reach www.abc.com and www.eduaustralia.co.kr. What is the percentage increase in the number of hops and delay to reach the site in Korea compared to reaching www.abc.com, a website in California? If you observe that the increase in the delay is not proportional to the increase in the number of hops, comment on why.

4. Find the domain name of the machine with IP address 192.251.58.37.

5. Find the number of unicast Ethernet frames sent and received by each of the network interfaces of your PC.

6. What is the physical address of the Ethernet adapter of the PC on which you are working?

7. Find whether port number 4123 is part of an active connection.

8. What is the IP address and physical address of the default router to which your machine forwards a packet for which it has no other next-hop forwarding router information in its local routing table?
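Question 1 asks for an efficient way to find the largest data size the local network carries. The following is an added example in Python (not part of the handout): a binary search over ping's data size with the Don't Fragment flag set, so a handful of probes replaces a walk through every size. Assumptions made here: on Windows the probe runs ping -f -l <size>, on Linux ping -M do -s <size>, the ping binary is on PATH, and a successful reply is recognized by the TTL field ping prints; the 28 bytes added for the IPv4 and ICMP headers assume an IP header without options. simulated_probe() is a constructed stand-in so the search can be exercised offline against a pretend 1500-byte link.

```python
"""Find the largest ping payload that crosses the local link unfragmented, by binary search.
Assumptions: Windows 'ping -f -l <size>' / Linux 'ping -M do -s <size>' on PATH; a reply is
recognized by the 'ttl=' that ping prints for echo replies. simulated_probe() is a constructed
stand-in for an actual network so the search can be run offline."""
import platform
import subprocess

IP_HEADER = 20       # IPv4 header without options
ICMP_HEADER = 8      # ICMP echo header; ping's size argument counts only the data after it


def probe_with_ping(host: str, payload_size: int, timeout_s: int = 2) -> bool:
    """True if one Don't-Fragment echo with payload_size data bytes gets an echo reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload_size), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload_size), host]
    result = subprocess.run(cmd, capture_output=True, text=True)
    # Exit status alone is not reliable on every platform; a real echo reply always carries a TTL,
    # while "fragmentation needed" and "unreachable" messages do not.
    return result.returncode == 0 and "ttl=" in result.stdout.lower()


def payload_to_mtu(payload_size: int) -> int:
    """Convert a ping data size into the size of the whole IP packet, i.e. the MTU it needs."""
    return IP_HEADER + ICMP_HEADER + payload_size


def find_max_payload(probe, lo: int = 0, hi: int = 65500) -> int:
    """Largest data size for which probe(size) is True, assuming success is monotonic in size.

    lo must be a size that works, hi the largest size worth trying (65500 is ping's
    ceiling on Windows). Each step halves the interval, so about log2(hi - lo) probes
    are needed instead of one per candidate size."""
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP is filtered")
    if probe(hi):
        return hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid          # mid fits: the answer is at least mid
        else:
            hi = mid          # mid is too big: the answer is below mid
    return lo


def simulated_probe(link_mtu: int):
    """Constructed stand-in for the network: a packet goes through iff it fits the link MTU."""
    return lambda payload_size: payload_to_mtu(payload_size) <= link_mtu


def counting(probe):
    """Wrap a probe to record how many times it was called, to see the cost of the search."""
    calls = []

    def wrapped(size):
        calls.append(size)
        return probe(size)

    wrapped.calls = calls
    return wrapped


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # live run against the host named on the command line
        p = counting(lambda s: probe_with_ping(sys.argv[1], s))
    else:                            # offline demo on a constructed 1500-byte link
        p = counting(simulated_probe(1500))
    best = find_max_payload(p)
    print(f"max payload {best} bytes -> MTU {payload_to_mtu(best)} after {len(p.calls)} probes")
```

On a standard Ethernet the search stops at a 1472-byte payload, which plus the 28 header bytes is the familiar 1500-byte MTU; a link with a smaller MTU (a PPPoE or tunnel interface, for instance) shows up as a smaller result, which is what makes this a useful diagnostic when large packets mysteriously disappear.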

Help Module on DOS Network Tools and Commands

To go to the DOS prompt, click Start -> Run -> type cmd and press Enter. Type cd\ in the DOS window; it will take you to the root directory, commonly C:\.

To get an idea of the commands, we will now see the primary utilities of each of them.

Ping: Used to check the availability of systems by using the ICMP Echo Request / Response messages.

Tracert: The traceroute command is used to find the sequence of hops (i.e., the names of the intermediate hops/routers) from the source to a remote destination host.

Route: The route command is used to display and modify the entries in the local routing table.

Finger: The finger command is used to display information about the users logged in on a specific host.

Arp: The arp command is used to display and modify the address resolution cache, which stores the mapping between the IP addresses of systems and their resolved physical addresses.

IPconfig: The ipconfig command is used to display the current TCP/IP network configuration. Also, try ipconfig /all to display the full configuration information.

Netstat: When used without parameters, netstat displays active TCP connections.
Use the netstat -e option to learn about the statistics of the Ethernet.
Use netstat -a to learn about the active TCP connections and also the ports on which the computer is waiting for incoming TCP/UDP messages.
Use netstat -n to learn about the numerical values of the IP addresses and ports used for active TCP connections.
Use netstat -p <protocol> to learn about the statistics for a specific protocol. The valid values for <protocol> include tcp, udp, ip, icmp.
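Question 7 in the previous section asks whether a given port is part of an active connection, which is the kind of check that is worth automating once netstat's column layout is understood. The following is an added example in Python (not part of the handout) that parses output in the Windows netstat -an layout (Proto, Local Address, Foreign Address, State) and reports every row that uses a port, treating a port as part of an active connection when a TCP row using it is in the ESTABLISHED state. The sample output is constructed and its addresses and ports are made up; the optional --live mode, which reads from the real netstat binary, assumes it is on PATH.

```python
"""Parse 'netstat -an' output and check whether a given port is part of an active connection.
The sample output is constructed in the Windows column layout (Proto, Local Address,
Foreign Address, State); the addresses and ports in it are made up for this example."""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.50:4123      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.50:4124      203.0.113.7:443        TIME_WAIT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:68             *:*
"""


def split_endpoint(endpoint: str) -> tuple:
    """'host:port' -> (host, port as int, or None for '*'); rpartition keeps an IPv6 '[::]' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """One dict per connection row; the banner and the column header line are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        foreign_host, foreign_port = split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": parts[3] if len(parts) > 3 else None,   # UDP rows carry no state
        })
    return rows


def port_usage(rows: list, port: int) -> list:
    """Every row in which the port appears, on either the local or the foreign side."""
    return [r for r in rows if port in (r["local_port"], r["foreign_port"])]


def is_active_connection(rows: list, port: int) -> bool:
    """A port counts as part of an active connection when a TCP row using it is ESTABLISHED.
    LISTENING means the computer is only waiting; TIME_WAIT is a closed connection draining."""
    return any(r["proto"] == "TCP" and r["state"] == "ESTABLISHED" for r in port_usage(rows, port))


if __name__ == "__main__":
    import subprocess
    import sys
    if "--live" in sys.argv:       # read the real table from the netstat binary on PATH
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    else:                          # constructed sample, runs offline
        text = SAMPLE_NETSTAT
    rows = parse_netstat(text)
    for row in port_usage(rows, 4123):
        print(row)
    print("port 4123 active:", is_active_connection(rows, 4123))
```

Running this against netstat -an rather than netstat -a avoids the reverse DNS lookups netstat otherwise does for every address, which is both faster and leaves no DNS traffic of its own in a capture you may be analyzing at the same time.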

nslookup: The nslookup command is used to study the DNS infrastructure.