Objective
To understand application layer protocols using Wireshark Packet Analyzer -- Part I
Wireshark is a network packet analyzer (sniffer),
available at: www.wireshark.org
(Windows and Linux versions)
How to use the Wireshark GUI
(In this lab we'll work on WINDOWS-based host machines)
To start Wireshark: from the Start menu / click the Wireshark icon on the desktop / startup.
To capture packets: go to the Capture menu, select Options, check promiscuous mode, select the interface device (eth0),
set a capture filter (optional), and press the Start button.
Wireshark starts capturing packets.
Results are displayed in three windows (panes):
the top window shows the captured packets;
the middle window shows the protocols/fields carried by the selected packet, from the bottom to the top of the network stack
(in this lab session we are interested in the application protocol only, that is the bottom line in the middle window);
the lowest window shows the byte information of the different fields of a protocol within the (selected) packet.
To stop packet capturing: go to the Capture menu and select Stop.
You can apply a display filter to show only specific packets among the captured packets.
To avoid capturing unwanted packets, use a capture filter string in the Capture Options menu
(*** not in today's lab).
Display filters (in this lab only application layer filters):
http -- to display HTTP packets
dns -- to display DNS packets
ftp -- to display FTP packets
telnet -- to display telnet packets
smtp -- to display SMTP packets
(For each of these protocols, more specific filters on individual fields select packets with more detail.)
Problem Sheet 9
(Find the IP address of your machine using the ipconfig command in a cmd window of the Windows machine.)
Q1
(a) Start Wireshark on your Windows machine.
Set the display filter "http and ip.addr == <your machine ip address>".
(i) Start the browser with www.google.com or mnit.ac.in (you may need to provide proxy authentication data).
(ii) Stop Wireshark after the browser displays the results.
[ select a packet in the top window
select the last line in the middle window
click to expand it, read the protocol fields
view the hex (bytes) in the lower window
]
(iii) Open the HTTP packet(s) carrying the GET method and its response and analyse them.
(Set display filters to see the different requests, cookies, authentication and response packets. For example, http.request.method == "GET" displays only HTTP segments carrying the GET method.)
xxx
(ii) Using the SMTP protocol, send a mail to your peer in this lab.
(iii) Exit from the SMTP session.
(iv) Stop Wireshark and analyze the SMTP packets.
(f) Start Wireshark with the filter set to "ssh and ip.addr == <your machine ip address>".
(i) Run PuTTY and connect to the SSH server at 172.16.10.xxx
(you may use sftp at 172.16.10.xxx or https://www.google.com).
(ii) Enter login and password at the SSH prompt.
(iii) List the contents of the home directory.
(iv) Log out (from the SSH session).
(v) Stop Wireshark and analyze the SSH packets.
[ When the proxy port is not 443 and you write https://... in the URL, the CONNECT method
is used by your browser.
For example, if the proxy port is 80 or 3128,
then all communication goes through proxy port 3128 (80):
the client requests CONNECT to the proxy,
the proxy responds with "connection established",
the client runs the SSL protocol,
the proxy returns the server (??) certificate.
If you set the proxy to port 443,
until the connection is established (until it shows application data)
all requests/replies are readable (like with proxy port 80), though Wireshark shows SSL/TLSv1.
]
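An added example (not part of the lab handout) that reproduces in Python what the middle pane shows for the GET exchange in Q1(a)(iii) and for the CONNECT exchange described in the note above: a small HTTP/1.x dissector, a function that selects packets the way the display filter http.request.method == "GET" does, and the decoding of a Basic Proxy-Authorization header, which is only base64 and therefore readable in a capture. All packet bytes, host names and credentials below are constructed.

```python
import base64

# Constructed sample TCP payloads (not from a real capture): the GET request and
# its response from Q1(a)(iii), then the CONNECT exchange from the proxy note,
# then the first bytes of a TLS ClientHello, which is no longer readable HTTP.
SAMPLE_PACKETS = [
    b"GET http://www.example.test/index.html HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"student:pa55word") + b"\r\n"
    b"Cookie: session=abc123\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Set-Cookie: session=abc123\r\nContent-Length: 5\r\n\r\nhello",
    b"CONNECT www.example.test:443 HTTP/1.1\r\nHost: www.example.test:443\r\n\r\n",
    b"HTTP/1.1 200 Connection established\r\n\r\n",
    b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
]

def dissect_http(payload: bytes) -> dict:
    """Split one HTTP/1.x message into the fields Wireshark lists under
    'Hypertext Transfer Protocol' in the middle pane. Returns {} when the
    payload is not HTTP text (e.g. the TLS records that follow CONNECT)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) != 3 or not (start[0].startswith("HTTP/") or start[2].startswith("HTTP/")):
        return {}
    msg = {"headers": {}, "body": body}
    if start[0].startswith("HTTP/"):   # status line: HTTP/1.1 200 OK
        msg.update(kind="response", version=start[0], status=int(start[1]), reason=start[2])
    else:                              # request line: GET <uri> HTTP/1.1
        msg.update(kind="request", method=start[0], uri=start[1], version=start[2])
    for line in lines[1:]:             # header names are case-insensitive
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    return msg

def http_request_method_filter(packets, method: str) -> list:
    """Same selection as the display filter  http.request.method == "<method>" :
    keep only payloads that dissect to a request with that method."""
    return [p for p in packets if dissect_http(p).get("method") == method]

def basic_credentials(msg: dict):
    """Recover the user:password that Wireshark shows for a Basic
    Proxy-Authorization header; it is base64 encoding, not encryption."""
    value = msg.get("headers", {}).get("proxy-authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    return base64.b64decode(token).decode("latin-1")
```

Run the dissector over SAMPLE_PACKETS in order to see that the GET, its response, the CONNECT and the "Connection established" reply are all readable, while the TLS bytes that follow yield nothing.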