
Lab Session 9

Objective
To understand application layer protocols using Wireshark Packet Analyzer -- Part I
Wireshark is a network packet analyzer (sniffer), available at www.wireshark.org (Windows and Linux versions).
How to use the Wireshark GUI
(In this lab we'll work on Windows-based host machines)
To start Wireshark: from the Start menu, or click the Wireshark icon on the desktop / in Startup.
To capture packets: go to the Capture menu, select Options, check promiscuous mode, select the interface device (eth0), set a capture filter (optional) and press the Start button; Wireshark starts capturing packets.
Results are displayed in three windows:
the top window shows the captured packets;
the middle window shows the protocols/fields carried by the selected packet, from the bottom to the top of the network stack (in this lab session we are interested in the application protocol only, that is the bottom line in the middle window);
the lowest window shows the bytes of the different fields of a protocol within the (selected) packet.
To stop packet capturing: go to the Capture menu, Stop.
You can apply a display filter to show only specific packets among the captured packets.
To avoid capturing unwanted packets, use a capture filter string in the Capture Options menu (*** not today's lab).
display filters (in this lab only application layer filters; each protocol also has more specific fields for more detailed filtering):
http -- to display HTTP packets
dns -- to display DNS packets
ftp -- to display FTP packets
telnet -- to display telnet packets
smtp -- to display SMTP packets
Problem Sheet 9
(Find the IP address of your machine using the ipconfig command in a cmd window of the Windows machine)
Q1
(a) start Wireshark on your Windows machine
set display filter "http and ip.addr==<your machine ip address>" (display filter protocol names are lowercase)
(i) start the browser with www.google.com or mnit.ac.in (you may need to provide proxy authentication data)
(ii) stop Wireshark after the browser displays the results
[ select a packet in the top window
select the last line in the middle window
click to expand it and read the protocol fields
view the hex (bytes) in the lower window
]
(iii) open the HTTP packet(s) carrying the GET method and its response and analyse them.
(Set display filters to see the different request, cookie, authentication and response packets. For example, http.request.method == "GET" displays only HTTP segments carrying the GET method.)
(iv) note down the sub-headers, cookies and status codes
(repeat for other sites)
(b) start Wireshark with display filter set to "dns and ip.addr==<your machine ip address>"
(i) activate/run the browser with URL www.bhaskar.com (after proxy authentication)
(ii) stop Wireshark after the browser displays the result
(iii) analyze the DNS results (note down the query and response DNS messages; explore how names are compressed in the message segment)
(iv) activate/run the browser with URL 65.19.157.194
(v) stop Wireshark and check for DNS packets corresponding to (iv); if there are none, why?
(vi) open the file (if permitted) C:\Windows\System32\drivers\etc\hosts, make the following entry at the end and save the hosts file:
65.19.157.194 morningnews.raj
(vii) start Wireshark, then run the browser with morningnews.raj; stop Wireshark and analyze the DNS packets in Wireshark corresponding to morningnews.raj.
(Use display filters to display different DNS packets, for example dns.flags.response==1 to display only segments carrying a DNS response.)
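The name compression asked about in (b)(iii), as an added example that is not part of the original lab sheet: a small Python decoder for RFC 1035 compression pointers, run over a constructed DNS response (not a real capture) in which the CNAME answer's RDATA and the A answer's owner name both point back at labels that appeared earlier in the message.

```python
import struct
# Constructed DNS response, not a real capture: the CNAME RDATA ends in a
# compression pointer and the A record's owner name points into that RDATA.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # header: 1 question, 2 answers
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"      # question at offset 12: www.example.com A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x07"   # CNAME RR, owner = pointer to offset 12
    b"\x04news\xc0\x10"                                   # RDATA at 45: "news" + pointer to offset 16
    b"\xc0\x2d\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"   # A RR, owner = pointer to offset 45
    b"\xc0\x00\x02\x0a"                                   # RDATA 192.0.2.10
)

def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels = []
    resume = None                      # set by the first pointer met; caller resumes there
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:      # 11xxxxxx: 14-bit pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:          # pointers must go backwards, so no loops
                raise ValueError("bad compression pointer at offset %d" % offset)
            resume = offset + 2 if resume is None else resume
            offset = ptr
            continue
        if length == 0:
            return ".".join(labels), (resume if resume is not None else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_answers(msg: bytes) -> list:
    """Skip the question section, then return (owner, type, rdata) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = read_name(msg, off)[1] + 4           # QNAME + QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                             # CNAME: RDATA is itself a compressed name
            rdata = read_name(msg, off)[0]
        elif rtype == 1 and rdlen == 4:            # A: dotted IPv4
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen].hex()
        answers.append((owner, rtype, rdata))
        off += rdlen
    return answers
```

Compare the offsets in the comments with the "Name: ... (pointer)" lines Wireshark shows in the middle window for your own capture.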
(c) start Wireshark with display filter "telnet and ip.addr==<your machine ip address>"
(i) run telnet from the Windows machine and connect to the Linux server at 172.16.10.xxx
(ii) enter login and password at the telnet prompt
(iii) list the contents of the home directory
(iv) logout (from the telnet session)
(v) stop Wireshark and analyze the telnet packets
(Can you see the password etc.? Telnet carries the login and password as plain text, so they are readable in the capture.)
(d) start Wireshark with display filter "ftp and ip.addr==<your machine ip address>"
(i) from the Windows command prompt type
ftp 172.16.10.xxx
when prompted, type "anonymous" as the user name and for the password just PRESS THE ENTER KEY; if successful, a welcome message is displayed.
(ii) list the directory at the remote server
(iii) download/upload a file from/to the remote server and save it at local/remote with a different name
(download the panther.jpg file with ftp (above pub) and open the file in Windows)
(iv) download/upload multiple files with a single command
(first create a folder in the local directory on Windows with the command mkdir 7sxxx, then in ftp give the command mget lab*)
(v) list files at the remote server in passive/active mode
(to see the data connection, remove the words "ftp and" from the display filter and click Apply)
(vi) stop Wireshark and analyse the FTP packets
(vii) use telnet to www.google.com 80 and capture the packets; type OPTIONS / HTTP/1.1 followed by Enter twice (the blank line ends the request); repeat for GET, POST, TRACE etc. commands (may not work). Note that Wireshark dissects port 80 traffic as http, not telnet, so the http filter shows this session.
(Can you see the password, and the port used by the server in active mode for the file transfer?)
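For (d)(v) and the closing question about the data-connection port, an added Python example (not part of the lab sheet) that walks a constructed FTP control-channel exchange, pulls out the USER/PASS pair sent in the clear and decodes the endpoint announced by PORT (active) and by the 227 reply to PASV (passive), which is the second TCP stream you see once "ftp and" is removed from the display filter.

```python
import re

# Constructed FTP control-channel lines, not a real capture. Direction
# markers: ">" client to server, "<" server to client.
SAMPLE_CONTROL = """\
< 220 Welcome
> USER anonymous
< 331 Please specify the password.
> PASS
< 230 Login successful.
> PORT 172,16,10,55,19,137
> LIST
< 150 Here comes the directory listing.
< 226 Directory send OK.
> PASV
< 227 Entering Passive Mode (172,16,10,20,195,92).
> RETR panther.jpg
"""

_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def data_endpoint(line: str):
    """Decode the data-connection endpoint announced by a PORT command
    (active: server connects to the client) or a 227 reply (passive:
    client connects to the server). Port is p1*256 + p2."""
    mode, m = "active", _PORT_RE.match(line)
    if m is None:
        mode, m = "passive", _PASV_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def summarize(control: str) -> dict:
    """Walk the control channel: credentials sent in the clear and every
    data endpoint, i.e. what the ftp display filter exposes."""
    out = {"user": None, "password": None, "data": []}
    for raw in control.splitlines():
        direction, _, line = raw.partition(" ")
        verb, _, arg = line.partition(" ")
        if direction == ">" and verb == "USER":
            out["user"] = arg
        elif direction == ">" and verb == "PASS":
            out["password"] = arg          # "" when the user just pressed Enter
        ep = data_endpoint(line)
        if ep is not None:
            out["data"].append(ep)
    return out
```

In Wireshark the same numbers appear in the "Active IP address"/"Active port" and "Passive port" fields of the decoded PORT and 227 lines.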
(e) start Wireshark and use the smtp filter
(i) run telnet from the Windows machine and connect to the SMTP server at 172.16.10.xxx
(ii) using the SMTP protocol, send a mail to your peer in this lab
(iii) exit from the SMTP session
(iv) stop Wireshark and analyze the SMTP packets
(f) start Wireshark with the filter set to "ssh and ip.addr==<your machine ip address>"
(i) run PuTTY and connect to the SSH server at 172.16.10.xxx
(you may use sftp at 172.16.10.xxx or https://www.google.com)
(ii) enter login and password at the SSH prompt
(iii) list the contents of the home directory
(iv) logout (from the SSH session)
(v) stop Wireshark and analyze the SSH packets
[ When the proxy port is not 443 and you write https://... in the URL, the CONNECT method is used by your browser.
For example, if the proxy port is 80 or 3128, then all communication goes through proxy port 3128 (80):
the client requests CONNECT to the proxy,
the proxy responds with "connection established",
the client runs the SSL protocol,
the proxy returns the server (??) certificate.
If you set the proxy to port 443, then until the connection is established (until it shows application data) all requests/replies are readable (like with proxy port 80), though Wireshark shows SSL/TLSv1.
]
