
COMP2322 Lab 1

Introduction to Wireshark
Weichao Li
Jan. 22, 2016

Before the lab

Review the content of communication architecture.
Review the TCP/IP model and protocol suite.
Understand data transfer, layering, and encapsulation/demultiplexing.

Content

Data capture basics and tools
Getting started with Wireshark
Advanced usage
Traffic and protocol analysis

Packet capture
Why do we need to capture packets?
troubleshoot network problems
examine security problems
debug protocol implementations
learn network protocol internals

Existing packet capture tools/sniffers

Classic tools
Wireshark (http://www.wireshark.org/)
tcpdump (http://www.tcpdump.org/)
Other tools
Ettercap
Dsniff
Ntop
KISMET
WinDump
Tshark

What is Wireshark?
An open-source network protocol analyzer
capture network packets
display the packet data
Decodes 1,926 protocols (V2.0.1).
Supports command-line and GUI interfaces.
Runs on many platforms, including Windows, OS X, Linux, and UNIX.
Many online resources
Wireshark User's Guide (http://www.wireshark.org/download/docs/user-guide-a4.pdf)

How does Wireshark work?

[Diagram: Wireshark sits on top of a packet capture library: libpcap on Linux, Winpcap on Windows.]

Libpcap and Winpcap

Libpcap and Winpcap are libraries for network traffic capture, providing the core functions of packet capturing.
Linux/Unix -> libpcap
Windows -> winpcap

Homepage of libpcap:
http://www.tcpdump.org/

Homepage of winpcap:
http://www.winpcap.org
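To make concrete what libpcap hands to Wireshark and what Wireshark then decodes, here is an added Python example; it is not code from the lab or from the libpcap/Wireshark projects. It writes a two-packet trace in the classic libpcap file format from constructed Ethernet/IPv4/TCP and Ethernet/IPv4/UDP frames, reads it back, and demultiplexes each layer by its type field: Ethernet type -> IPv4 protocol number -> transport ports, which is the layering/encapsulation the lab asks you to review. The MAC addresses, IP addresses and payloads are made up for the demonstration; the bytes produced by `build_pcap` are a valid libpcap file that Wireshark can open.

```python
"""Minimal libpcap-format writer/reader with layered decoding (added example)."""
import struct
import socket

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def ipv4_header(src, dst, proto, payload_len):
    """Build a 20-byte IPv4 header (no options; checksum left zero for the demo)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def tcp_segment(sport, dport, payload):
    """Build a 20-byte TCP header (data offset 5, flags PSH|ACK) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

def udp_datagram(sport, dport, payload):
    """Build an 8-byte UDP header followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def ethernet_frame(ethertype, payload):
    """Wrap a payload in an Ethernet II header with constructed locally-administered MACs."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    return dst + src + struct.pack("!H", ethertype) + payload

def build_pcap(frames):
    """Serialise (ts_sec, ts_usec, frame) tuples into the libpcap file format, link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Return (link_type, [(ts_sec, ts_usec, frame), ...]), honouring the byte order the magic announces."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    offset, records = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        records.append((ts_sec, ts_usec, data[offset:offset + incl_len]))
        offset += incl_len
    return link_type, records

def decode_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP, returning the fields Wireshark's packet list summarises."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = {"ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return pkt                        # not IPv4: nothing further to demultiplex here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # header length in bytes, from the IHL nibble
    pkt.update(proto=ip[9], src=socket.inet_ntoa(ip[12:16]), dst=socket.inet_ntoa(ip[16:20]))
    l4 = ip[ihl:]
    if pkt["proto"] == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4       # TCP data offset, in 32-bit words
        pkt.update(transport="TCP", sport=sport, dport=dport, payload=l4[hdr_len:])
    elif pkt["proto"] == IPPROTO_UDP:
        sport, dport, length = struct.unpack("!HHH", l4[:6])
        pkt.update(transport="UDP", sport=sport, dport=dport, payload=l4[8:length])
    return pkt

def demo_trace():
    """Constructed two-packet trace (an HTTP request and a DNS query) round-tripped through pcap."""
    http = tcp_segment(51000, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    dns = udp_datagram(53000, 53, b"\x00\x01\x01\x00" + b"\x00" * 8)
    frames = [
        (1453420800, 0, ethernet_frame(ETHERTYPE_IPV4,
                        ipv4_header("10.0.0.2", "10.0.0.80", IPPROTO_TCP, len(http)) + http)),
        (1453420800, 500, ethernet_frame(ETHERTYPE_IPV4,
                          ipv4_header("10.0.0.2", "10.0.0.53", IPPROTO_UDP, len(dns)) + dns)),
    ]
    link_type, records = read_pcap(build_pcap(frames))
    return link_type, [decode_frame(f) for _, _, f in records]

if __name__ == "__main__":
    _, packets = demo_trace()
    for p in packets:
        print(p["transport"], p["src"], p["sport"], "->", p["dst"], p["dport"], len(p["payload"]), "bytes")
```

Writing the output of `build_pcap` to a `.pcap` file and opening it in Wireshark shows the same two frames decoded layer by layer, which is a handy way to check your own understanding of which header field drives each demultiplexing step.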

Tcpdump and Windump

Tcpdump
Unix-based command-line tool used to analyze packets
Includes filtering to capture just the packets of interest

Homepage: http://www.tcpdump.org/

Windump
The Windows version of tcpdump
Homepage: http://www.winpcap.org/windump/

Tshark
Also a network protocol analyzer
Command-line version of Wireshark
User manual: https://www.wireshark.org/docs/man-pages/tshark.html

Basic usage of Wireshark

Tip: packet capture needs root / administrator privileges
Packet capture: select the right interface!
Save / open trace

Practice 1: my first packet trace

Y:\Win32\WiresharkPortable_1.4
Select the right interface.
Start packet capture for 10 seconds and save the trace.
Question 1 (2 marks for each part in a question)
A) How many interfaces have you observed? What are they?
B) Which interface will you choose and why?

Advanced usage (1): filters

Capture filters
Only the packets meeting the rule will be captured and decoded in Wireshark.
Syntax
Specify protocols: ip, tcp, udp
Specify hosts: host, dst, src
More filters can be found at: http://wiki.wireshark.org/CaptureFilters

Display filters
Do not affect captured packets.
Only determine whether or not to display some packets.
Syntax
Useful: Follow TCP Stream
More filters can be found at: http://wiki.wireshark.org/DisplayFilters

Advanced usage (2)

Follow a stream.
Stream: [IP address A, port A, IP address B, port B]
Adjust the layout and columns.
Edit -> Preferences
Statistics
Summary: general statistics about the current capture file
Conversations: statistics of the captured conversations
A conversation is the traffic between two specific endpoints
Endpoints: traffic statistics of an end host
IO Graphs: visualizing the number of packets over time
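The stream key, the Conversations statistic and the IO Graph on this slide, together with the display filters of the previous slide, can all be reproduced over a decoded trace with a little Python. The following is an added example, not part of the lab slides or of Wireshark itself. It works on packets already decoded into dicts with the fields time, src, dst, transport, sport, dport and length (these field names are the example's own, not Wireshark's); it evaluates a small subset of display-filter syntax (ip.addr, ip.src, ip.dst, tcp.port, udp.port, the bare names tcp/udp/http/dns, and/or/not without parentheses), groups packets into conversations by the direction-independent key [IP A, port A, IP B, port B], and buckets bytes per second per transport the way the IO Graph does when you compare UDP with TCP in Practice 4. The five-packet trace is constructed and uses private/documentation addresses, not real hosts; "http" and "dns" are matched by well-known port here, whereas Wireshark uses full protocol dissectors.

```python
"""Display filters, conversations and IO-graph buckets over a decoded trace (added example)."""
from collections import defaultdict

# Constructed trace: one DNS query/response pair and a three-packet HTTP exchange.
TRACE = [
    {"time": 0.000, "src": "10.0.0.2", "dst": "10.0.0.53", "transport": "UDP", "sport": 53000, "dport": 53, "length": 74},
    {"time": 0.020, "src": "10.0.0.53", "dst": "10.0.0.2", "transport": "UDP", "sport": 53, "dport": 53000, "length": 90},
    {"time": 0.050, "src": "10.0.0.2", "dst": "203.0.113.10", "transport": "TCP", "sport": 51000, "dport": 80, "length": 74},
    {"time": 0.300, "src": "10.0.0.2", "dst": "203.0.113.10", "transport": "TCP", "sport": 51000, "dport": 80, "length": 400},
    {"time": 1.200, "src": "203.0.113.10", "dst": "10.0.0.2", "transport": "TCP", "sport": 80, "dport": 51000, "length": 1514},
]

WELL_KNOWN_PORTS = {"http": 80, "dns": 53}   # port-based stand-in for Wireshark's dissectors

def _match_term(pkt, term):
    """Evaluate one display-filter term such as 'tcp.port == 80' or a bare name such as 'udp'."""
    parts = term.split()
    if len(parts) == 1:
        name = parts[0].lower()
        if name in ("tcp", "udp"):
            return pkt["transport"] == name.upper()
        if name in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[name] in (pkt["sport"], pkt["dport"])
        raise ValueError(f"unsupported protocol name {name!r}")
    field, op, value = parts
    if op != "==":
        raise ValueError(f"unsupported operator {op!r}")
    if field == "ip.addr":
        return value in (pkt["src"], pkt["dst"])
    if field == "ip.src":
        return pkt["src"] == value
    if field == "ip.dst":
        return pkt["dst"] == value
    if field in ("tcp.port", "udp.port"):
        proto = field.split(".")[0].upper()
        return pkt["transport"] == proto and int(value) in (pkt["sport"], pkt["dport"])
    raise ValueError(f"unsupported field {field!r}")

def display_filter(packets, expr):
    """Keep packets matching terms joined by 'and' / 'or' ('and' binds tighter); a term may start with 'not'."""
    def term_value(pkt, term):
        if term.lower().startswith("not "):
            return not _match_term(pkt, term[4:])
        return _match_term(pkt, term)
    def matches(pkt):
        return any(all(term_value(pkt, t.strip()) for t in clause.split(" and "))
                   for clause in expr.split(" or "))
    return [p for p in packets if matches(p)]

def stream_key(pkt):
    """Direction-independent key [IP A, port A, IP B, port B] so both directions of a flow share it."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["transport"],) + (a + b if a <= b else b + a)

def conversations(packets):
    """Statistics -> Conversations: packet and byte counts per stream."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        s = stats[stream_key(p)]
        s["packets"] += 1
        s["bytes"] += p["length"]
    return dict(stats)

def io_graph(packets, interval=1.0):
    """Statistics -> IO Graphs: bytes per time bucket, split by transport (TCP vs UDP)."""
    buckets = defaultdict(lambda: defaultdict(int))
    for p in packets:
        buckets[int(p["time"] // interval)][p["transport"]] += p["length"]
    return {b: dict(v) for b, v in sorted(buckets.items())}

if __name__ == "__main__":
    print("http packets:", len(display_filter(TRACE, "http")))
    for key, s in conversations(TRACE).items():
        print(key, s)
    print(io_graph(TRACE))
```

Note that the same intent reads differently as a capture filter: the BPF expression `tcp port 80` or `host 10.0.0.2` is compiled into the kernel before packets are stored, whereas the display-filter strings above are applied afterwards to packets already in the trace, which is exactly the distinction the previous slide draws.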

Analyze Web application

The World Wide Web (WWW) is the most popular Internet application.
Answer the following questions (Question 2):
A) What's the relationship between the Web and HTTP?
B) What type of protocol does HTTP belong to?
C) How many application protocols have you captured when accessing a website?

Practice 2: analyze HTTP traffic

Y:\Win32\WiresharkPortable
Select the right interface.
Visit www.polyu.edu.hk.
Analyze the HTTP traffic (Question 3)
A) What's your HTTP request method?
B) What's your HTTP request version?
C) What's the status code in the response? What does it mean?

Practice 2 (cont'd)
Apply a display filter so that only HTTP packets are shown (Question 4)
A) How many HTTP requests have been sent to the Web server?
B) Write down each request (at least 3).

Practice 3
Try different capture filters (Question 5)
A) How can I capture only HTTP traffic?
B) How can I capture only the traffic from/to a specified host?

Visit http://www.polyu.edu.hk again and analyze the HTTP traffic (Question 6)
A) What's your IP address?
B) What's the server's IP address?

Visit http://www.polyu.edu.hk/test and analyze the HTTP traffic (Question 7)
A) What's the difference compared with the last step?

Practice 3 (cont'd)
Visit http://www.oneprobe.org and analyze the HTTP traffic (Question 8)
A) What's the difference compared with the previous steps?
B) How many Web servers have you accessed?
C) Write down the exact IP addresses of the servers.
D) Explain what happened in this HTTP session.

Practice 4

Delete the capture filter
Start a new capture
Visit http://hk.yahoo.com/
When the page is fully loaded, stop capturing
Compare the throughput of UDP and TCP over time (through Statistics -> IO Graphs)

Practice 5

Start a new capture
Visit https://www.google.com.hk
When the page is fully loaded, stop capturing
Identify the HTTPS traffic (Question 9)
A) What's the default port of HTTPS?
B) What can you see after applying Follow TCP Stream?
C) Write down the process of how an HTTPS connection is established.

Practice 6
Visit http://www.facebook.com and analyze the HTTP traffic
Record the IP address of the Facebook server
Save the trace

Visit Facebook again at home, and compare the trace with the one obtained on campus (Question 10)
A) Record the IP address of the Facebook server.
B) Is the IP address recorded at home the same as the one recorded on campus?
C) If not, explain why the servers are different.

Further reading
CDN (content delivery network)
http://www.nczonline.net/blog/2011/11/29/how-content-delivery-networks-cdns-work/

Thanks
