WIRESHARK LAB1 Stephan Benjamin Helmy

HTTP
1-List the different protocols that appear in the protocol column in the unfiltered packet-listing
window in step 7 above.

ARP, ICMPv6, DNS, TCP, HTTP

2-How long did it take from when the HTTP GET message was sent until the HTTP OK reply was
received? (By default, the value of the Time column in the packet-listing window is the amount of
time, in seconds, since Wireshark tracing began. To display the Time field in time-of-day format, select
the Wireshark View pull-down menu, then select Time Display Format, then select Time-of-day.)

0.00000000 sec

3-What is the Internet address of gaia.cs.umass.edu (also known as www.net.cs.umass.edu)? What
is the Internet address of your computer?

Src: 10.0.0.14, Des: 128.119.245.12

4-Print the two HTTP messages displayed in step 9 above. To do so, select Print from the Wireshark
File command menu, and select "Selected Packet Only" and "Print as displayed" and then click OK.

1 ) No. Time Source Destination Protocol Info

12 10.015698 10.0.0.14 128.119.245.12 HTTP GET / HTTP/1.1

Frame 12: 466 bytes on wire (3728 bits), 466 bytes captured (3728 bits)

Ethernet II, Src: QuantaCo_65:f1:76 (c8:0a:a9:65:f1:76), Dst: Peripher_08:7e:02 (00:60:52:08:7e:02)

Internet Protocol, Src: 10.0.0.14 (10.0.0.14), Dst: 128.119.245.12 (128.119.245.12)

Transmission Control Protocol, Src Port: 50560 (50560), Dst Port: http (80), Seq: 1, Ack: 1, Len: 412

Hypertext Transfer Protocol

2 ) No. Time Source Destination Protocol Info

81 17.237751 128.119.245.12 10.0.0.14 HTTP HTTP/1.1 404 Not Found (text/html)

Frame 81: 810 bytes on wire (6480 bits), 810 bytes captured (6480 bits)

Ethernet II, Src: Peripher_08:7e:02 (00:60:52:08:7e:02), Dst: QuantaCo_65:f1:76 (c8:0a:a9:65:f1:76)

Internet Protocol, Src: 128.119.245.12 (128.119.245.12), Dst: 10.0.0.14 (10.0.0.14)

Transmission Control Protocol, Src Port: http (80), Dst Port: 50560 (50560), Seq: 36865, Ack: 1437, Len: 756

[Reassembled TCP Segments (1492 bytes): #79(736), #81(756)]

Hypertext Transfer Protocol

Line-based text data: text/html

__________________________________________________________________________

1-Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?

Src: 1.1, Des: 1.1

2-What languages (if any) does your browser indicate that it can accept to the server?

en-us

3-What is the IP address of your computer? Of the gaia.cs.umass.edu server?

10.0.0.14 128.119.245.12

4-What is the status code returned from the server to your browser?

html

5-When was the HTML file that you are retrieving last modified at the server?

Last-Modified: Mon, 06 Dec 2010 00:11:01 GMT\r\n

6-How many bytes of content are being returned to your browser?

128

7-By inspecting the raw data in the packet content window, do you see any headers within the data
that are not displayed in the packet-listing window? If so, name one.

NO

8-Inspect the contents of the first HTTP GET request from your browser to the server. Do you see an
"IF-MODIFIED-SINCE" line in the HTTP GET?

NO

9-Inspect the contents of the server response. Did the server explicitly return the contents of the file?
How can you tell?

Yes. From the line-based text data we find the HTML code for the web page.

10-Now inspect the contents of the second HTTP GET request from your browser to the server. Do you
see an "IF-MODIFIED-SINCE" line in the HTTP GET? If so, what information follows the
"IF-MODIFIED-SINCE:" header?

Yes, If-Modified-Since: Mon, 06 Dec 2010 18:32:02 GMT\r\n

11-What is the HTTP status code and phrase returned from the server in response to this second HTTP
GET? Did the server explicitly return the contents of the file? Explain.

HTTP status code: OK

No. The server returns the content of the previous HTTP reply because the page isn't modified.

12-How many HTTP GET request messages were sent by your browser?

One message

13-How many data-containing TCP segments were needed to carry the single HTTP response?

8

14-What is the status code and phrase associated with the response to the HTTP GET request?

Status code: 200, Phrase: OK

15-Are there any HTTP status lines in the transmitted data associated with a TCP-induced
"Continuation"?

No

16-How many HTTP GET request messages were sent by your browser? To which Internet addresses
were these GET requests sent?

17-Can you tell whether your browser downloaded the two images serially, or
whether they were downloaded from the two web sites in parallel? Explain.

128.119.240.90 and for image 165.193.140.14

18-What is the server's response (status code and phrase) in response to the initial HTTP GET message
from your browser?

Status code: 401, Phrase: Authorization Required

19-When your browser sends the HTTP GET message for the second time, what new field is included
in the HTTP GET message?

Authorization field

_________________________________________________________________________

DNS
1-Run nslookup to obtain the IP address of a Web server in Asia.
www.aiit.or.kr Server: UnKnown Address: 192.168.1.1

2-Run nslookup to determine the authoritative DNS servers for a university in Europe.
mit.edu nameserver = strawb.mit.edu

mit.edu nameserver = w20ns.mit.edu

mit.edu nameserver = bitsy.mit.edu

3-Run nslookup so that one of the DNS servers obtained in Question 2 is queried for the mail servers
for Yahoo! mail.

yahoo.com nameserver = ns6.yahoo.com


yahoo.com nameserver = ns4.yahoo.com
yahoo.com nameserver = ns3.yahoo.com
yahoo.com nameserver = ns1.yahoo.com
yahoo.com nameserver = ns2.yahoo.com
yahoo.com nameserver = ns5.yahoo.com
yahoo.com nameserver = ns8.yahoo.com
yahoo.com nameserver = ns6.yahoo.com
yahoo.com nameserver = ns4.yahoo.com
yahoo.com nameserver = ns3.yahoo.com
yahoo.com nameserver = ns1.yahoo.com
yahoo.com nameserver = ns2.yahoo.com
yahoo.com nameserver = ns5.yahoo.com
yahoo.com nameserver = ns8.yahoo.com

4-Locate the DNS query and response messages. Are they sent over UDP or TCP?

UDP

5-What is the destination port for the DNS query message sent? What is the source port of DNS
response message?

The destination port for the DNS query message sent = 53

The source port of the DNS response message = 65418

6-To what IP address is the DNS query message sent? Use ipconfig to determine the IP address of your
local DNS server. Are these two IP addresses the same?

192.168.1.1, 192.168.1.1, yes, the same

7-Examine the DNS query message. What "Type" of DNS query is it? Does the query message contain
any "answers"?

Standard query, UDP. No, it hasn't any answers.

8-Examine the DNS response message. How many "answers" are provided? What do each of these
answers contain?

Standard query response, UDP. Yes, it has answers; they contain the name, type, class, time to live,
data length, addr.

9-Consider the subsequent TCP SYN packet sent by your host. Does the destination IP address of the
SYN packet correspond to any of the IP addresses provided in the DNS response message?

Yes, it corresponds to the addr field.

10-This web page contains images. Before retrieving each image, does your host issue new DNS
queries?

No

11-What is the destination port for the DNS query message? What is the source port of DNS response
message?

Destination port = 53, Source port = 58757

12-To what IP address is the DNS query message sent? Is this the IP address of your default local DNS
server?

192.168.1.1, yes

13-Examine the DNS query message. What "Type" of DNS query is it? Does the query message
contain any "answers"?

Standard query, UDP. No, it hasn't any answers.

14-Examine the DNS response message. How many "answers" are provided? What do each of these
answers contain?

Standard query response, UDP. Yes, it has 7 answers; they contain

the name = www.mit.edu

type = A (host address), class = IN (0x0001)

time to live = 1 minute

data length = 4, addr = 18.9.22.169

15-Provide a screenshot.

16-To what IP address is the DNS query message sent? Is this the IP address of your default local DNS
server?

192.168.1.1, yes

17-Examine the DNS query message. What "Type" of DNS query is it? Does the query message contain
any "answers"?

Standard query, UDP. No, it hasn't any answers.

18-Examine the DNS query message. What MIT nameservers does the response message provide? Does
this response message also provide the IP addresses of the MIT nameservers?

strawb.mit.edu

w20ns.mit.edu

bitsy.mit.edu

strawb.mit.edu

w20ns.mit.edu

bitsy.mit.edu

No, the IP addresses of the MIT nameservers aren't provided.

19-Provide a screenshot.

20-To what IP address is the DNS query message sent? Is this the IP address of your default local DNS
server? If not, what does the IP address correspond to?

18.72.0.3, no, it's the default DNS

21-Examine the DNS query message. What "Type" of DNS query is it? Does the query message
contain any "answers"?

Standard query, UDP. No, it hasn't any answers.

22-Examine the DNS response message. How many "answers" are provided? What do each of these
answers contain?

Standard query response, UDP. Yes, it has 7 answers; they contain

the name = www.ait.or.kr

type = A (host address)

class = IN (0x0001)

time to live = 1 hour

data length = 4

addr = 222.106.36.115

23-Provide a screenshot.
