Name: Sadanand A. Patil
Requirements:
When taking screenshots using ScreenHunter or other tools, capture only the area relevant to the question. Points will be deducted if the entire desktop area is copied.
Questions must be answered in your own words rather than with a screenshot, except, of course, when you are asked specifically to take a screenshot.
You might need to use the Internet to study some of the concepts or terms in order to answer some of the questions.
Late Submission
Points will be deducted according to the following scheme for late submission:
1 day late: 10%
2 days late: 20%
3 days late: 30%
4 days late: 40%
5 days late: 50%
6 days late: 100%
In this project, you will use Wireshark to capture and analyze network packets. Wireshark is one of the most popular network protocol analyzers and is the de facto standard that most professional and educational institutions use today. Wireshark lets you see every packet sent and received by your computer on the network interface you capture on.
1. HTTP Packets
In this part of the project, you will use Wireshark to capture and analyze HTTP packets.
Start Wireshark. Select a network interface (listed under Start). If multiple interfaces are listed, select the one that is used for Internet access. Click Start to begin capturing packets.
Open a Web browser and visit a couple of Web sites that you haven't visited recently, such as http://www.uiaa.org/ or http://www.uis.edu/development/.
In Wireshark, stop packet capturing. (Click Capture on the menu bar, then Stop.)
In Wireshark, apply an HTTP filter (type http in the display filter bar) to display HTTP packets only (explained in the Wireshark introduction video). SSDP discovery messages also match this filter, because SSDP carries HTTP-style headers over UDP; the filter http && tcp hides them.
In the Packet List window, select the first HTTP packet (it should say HTTP rather than SSDP under the Protocol column).
The three windows in Wireshark are called the Packet List Window, the Packet Detail Window, and the Packet Content Window, respectively, in this document (see the picture below). The Packet List Window lists the packets captured by Wireshark. The Packet Detail Window shows the details of the packet selected in the Packet List Window, including the protocol used at each network layer. The Packet Content Window shows the raw bytes of the selected packet in hexadecimal and ASCII.
1. With the first HTTP packet selected in the Packet List Window (it should say HTTP rather than SSDP under the Protocol column), copy the Packet List Window to your report using ScreenHunter or another screen capture tool. (See an example below.) Make sure that the words in your screenshot are sufficiently large and easy to read. 5 points
2. With the first HTTP packet selected in the Packet List Window, expand the Internet Protocol and Transmission Control Protocol entries in the Packet Detail window (click the + icon before the entries). Copy the entire Packet Detail window to your report. (See an example below.) Make sure that the words in your screenshot are sufficiently large and easy to read. 5 points
Answer:
3. What are the source and destination IP addresses of the packet? Is the packet an HTTP request or response message? Why? 5 points
Ans: Source IP: 10.0.0.13; destination IP: 128.174.201.252.
The request line of this packet, HEAD / HTTP/1.1, begins with the method HEAD, so it is an HTTP request message (a response would begin with a status line such as HTTP/1.1 200 OK). The Packet Detail window also labels it as an HTTP request.
4. What is the transport layer protocol used in this packet? What are the source and destination port numbers? What is the length of the transport layer header? (Answers can be found in the Packet Detail Window.) 5 points
5. What is the network layer protocol used in this packet? What is the length of the network layer header? What is the total length of the packet at the network layer? (Answers can be found in the Packet Detail Window.) 5 points
6. What is the data link layer protocol used in this packet? What are the source and destination data link layer addresses? (Answers can be found in the Packet Detail Window.) 5 points
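Questions 4 to 6 ask for values that Wireshark decodes from the frame's headers. The Python below is added here as an illustration and is not part of the assignment or of Wireshark: it parses a raw Ethernet/IPv4/TCP frame by hand, reading the same fields (MAC addresses, IP addresses, IHL, Total Length, ports, Data Offset) and checking every length field and the IPv4 header checksum, which is what lets a dissector reject a malformed or truncated frame instead of mis-reading it. The frame is constructed in the code; the MAC addresses, the client port 49152 and the sequence numbers are made up, and the IP addresses reuse the ones from the answer to question 3.

```python
import struct
from dataclasses import dataclass


@dataclass
class FrameSummary:
    """The fields the Packet Detail window shows for one Ethernet/IPv4/TCP frame."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ip_header_len: int   # IHL * 4 bytes (question 5)
    ip_total_len: int    # IPv4 Total Length field (question 5)
    src_port: int
    dst_port: int
    tcp_header_len: int  # Data Offset * 4 bytes (question 4)
    tcp_flags: int
    payload: bytes


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes) -> FrameSummary:
    """Walk the link, network and transport headers, validating each length before trusting it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (EtherType 0x%04x)" % ethertype)

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)

    tcp = ip[ihl:total_len]          # Total Length bounds the segment; any Ethernet padding is dropped
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or len(tcp) < data_offset:
        raise ValueError("inconsistent TCP data offset")

    return FrameSummary(
        src_mac=":".join("%02x" % b for b in src_mac),
        dst_mac=":".join("%02x" % b for b in dst_mac),
        src_ip=".".join(str(b) for b in src), dst_ip=".".join(str(b) for b in dst),
        ip_header_len=ihl, ip_total_len=total_len,
        src_port=sport, dst_port=dport,
        tcp_header_len=data_offset, tcp_flags=off_flags & 0x01FF,
        payload=tcp[data_offset:])


def parse_or_none(frame: bytes):
    """For filtering a capture: None instead of an exception for frames that fail validation."""
    try:
        return parse_frame(frame)
    except ValueError:
        return None


def build_sample_frame() -> bytes:
    """Constructed sample: an HTTP HEAD request from 10.0.0.13:49152 to 128.174.201.252:80.
    MAC addresses, client port and sequence numbers are made up; the TCP checksum is left at zero."""
    payload = b"HEAD / HTTP/1.1\r\nHost: www.uiaa.org\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 49152, 80, 1000, 5000, (5 << 12) | 0x018, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 13]), bytes([128, 174, 201, 252]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip_hdr + tcp


if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))
```

Flipping a single header byte (for example the TTL at offset 22) makes the checksum test fail and the frame is rejected, the same way Wireshark flags a bad IPv4 checksum; truncating the capture below the advertised Total Length is caught by the length check rather than producing a short, plausible-looking payload.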
2. Email Packets
In this part of the project, you will use Wireshark to analyze email packets. Two Wireshark files, SMTP_Capture.pcap and POP3_Capture.pcap, that contain SMTP and POP3 packets are posted on the course site. Download the files to your computer.
The SMTP packet file contains packets sent between an email client (IP address: 192.168.1.100) and a server (IP address: 128.196.40.4) in which the client sent an email to the server. Packet 8 is the start of the email and identifies the sender. Do some research on the Internet about SMTP commands. In Wireshark, these commands are listed under the Info column.
2.1. Do some research on the Internet and explain the concept of the three-way TCP handshake in a short paragraph. 5 points
The three-way TCP handshake is the procedure used to establish a connection between a client and a server. It lets both ends agree on their initial sequence numbers, so that each direction of the connection can be tracked independently. It is a three-step exchange in which the client and server trade SYN and ACK (acknowledgment) flags before any application data is sent.
- The client sends a SYN segment over the IP network to a server on the same or an external network. The purpose of this segment is to ask whether the server is available for a new connection and to announce the client's initial sequence number.
- The target server must have a listening port that accepts new connections. When the server receives the SYN, it responds with a SYN/ACK segment: the ACK acknowledges the client's SYN (the acknowledgment number is the client's sequence number plus one) and the SYN carries the server's own initial sequence number.
- The client receives the SYN/ACK from the server and responds with an ACK segment that acknowledges the server's sequence number plus one. The connection is now established and data can flow in both directions.
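As an added example (not part of the assignment), the check below encodes the rules just described: the SYN/ACK must flow from the server back to the client and acknowledge the client's sequence number plus one, and the final ACK must acknowledge the server's sequence number plus one. It also labels the two failure patterns an analyst commonly sees in a capture: a RST in reply to the SYN (a closed port, which is what a port scan against a non-listening service produces) and a handshake that never completes. The endpoints reuse the SMTP capture's addresses and the client port 55012 from question 2.2; the sequence numbers and the closed port 2525 are invented.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10
SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    """The TCP fields a handshake check needs, as read from the Packet Detail window."""
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    flags: int
    seq: int
    ack: int


def check_handshake(segs):
    """Return (True, 'ok') for a valid SYN, SYN/ACK, ACK exchange, otherwise (False, reason)."""
    if len(segs) != 3:
        return False, "expected exactly three segments"
    syn, synack, ack = segs
    if syn.flags & (SYN | ACK) != SYN:
        return False, "first segment is not a pure SYN"
    if (synack.src, synack.dst) != (syn.dst, syn.src):
        return False, "second segment does not flow server -> client"
    if synack.flags & (SYN | ACK) != SYN | ACK:
        return False, "second segment is not SYN/ACK"
    if synack.ack != (syn.seq + 1) & SEQ_MASK:
        return False, "SYN/ACK does not acknowledge the client's SYN"
    if (ack.src, ack.dst) != (syn.src, syn.dst):
        return False, "third segment does not flow client -> server"
    if ack.flags & SYN or not ack.flags & ACK:
        return False, "third segment is not an ACK"
    if ack.seq != (syn.seq + 1) & SEQ_MASK:
        return False, "client's ACK has the wrong sequence number"
    if ack.ack != (synack.seq + 1) & SEQ_MASK:
        return False, "client's ACK does not acknowledge the server's SYN"
    return True, "ok"


def classify_exchange(segs):
    """Label the opening segments of a conversation: a completed handshake, a closed port
    (RST answering the SYN, what a port scanner sees), or an attempt that never completed."""
    if not segs or segs[0].flags & (SYN | ACK) != SYN:
        return "does not start with a SYN"
    if len(segs) >= 2 and segs[1].flags & RST and segs[1].src == segs[0].dst:
        return "refused: RST in reply to SYN"
    ok, reason = check_handshake(segs[:3])
    if ok:
        return "established"
    if len(segs) < 3:
        return "half-open: handshake not completed"
    return "malformed: " + reason


# Constructed sample modelled on the SMTP capture's endpoints (192.168.1.100:55012 -> 128.196.40.4:25);
# the sequence numbers and the closed port 2525 are made up.
CLIENT, SERVER = ("192.168.1.100", 55012), ("128.196.40.4", 25)
SMTP_HANDSHAKE = [
    Segment(CLIENT, SERVER, SYN, seq=1000, ack=0),
    Segment(SERVER, CLIENT, SYN | ACK, seq=7000, ack=1001),
    Segment(CLIENT, SERVER, ACK, seq=1001, ack=7001),
]
CLOSED_PORT = [
    Segment(CLIENT, ("128.196.40.4", 2525), SYN, seq=1000, ack=0),
    Segment(("128.196.40.4", 2525), CLIENT, RST | ACK, seq=0, ack=1001),
]

if __name__ == "__main__":
    print(classify_exchange(SMTP_HANDSHAKE), classify_exchange(CLOSED_PORT))
```

Sequence arithmetic is done modulo 2^32 because TCP sequence numbers wrap; an acknowledgment number that does not match is how a spoofed or replayed segment shows up when you check a handshake by hand.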
2.2. Using ScreenHunter or another screen capture tool, copy the first three TCP packets from the Packet List window in Wireshark. The three packets form the TCP handshake process. Examine the information in the Packet Detail window. List the source IP address, source port number, destination IP address, and destination port number of the three TCP packets. 5 points

Packet      Source IP address   Source Port   Destination IP address   Destination Port
SYN         192.168.1.100       55012         128.196.40.4             25
SYN/ACK     128.196.40.4        25            192.168.1.100            55012
ACK         192.168.1.100       55012         128.196.40.4             25

The client (192.168.1.100) uses the ephemeral port 55012 and the server (128.196.40.4) listens on the SMTP port 25; in the SYN/ACK the source and destination are swapped because that segment travels from the server back to the client.
Packet 14 contains the first part of the email message that the user wrote.
2.3. List the SMTP packets that were sent from the client to the server before packet 14. (Hint: In the Packet List window, packets sent from the client to the server are marked C: in the Info field.) Explain the purpose of each packet. (You might need to do some research on the Internet on the meaning of SMTP commands, such as EHLO in packet 5.) 5 points
2.4. The SMTP command for sending the message body of an email is DATA (listed under the Info column in Wireshark). The message body is usually broken into multiple packets because it is too big to fit into one packet. Starting from packet 14, how many packets was the email message broken into and sent from the client to the server? List the packet numbers. 5 points
The email message was carried in three packets. The packet numbers are 14, 15 and 17.
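To answer 2.3 and 2.4 you read the client commands and the DATA body off the Info column. The parser below, an added example that is not part of the assignment, does the same over a reassembled stream in the C:/S: form that Wireshark's Follow TCP Stream shows: it separates commands from message data by tracking the server's 354 reply, undoes SMTP dot-stuffing, and pulls out the envelope sender and recipients. It works on lines, not packets, so how many TCP segments the body spans (three in the capture) is something only the packet list shows. The transcript is constructed; the hostnames and addresses are made up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

_ANGLE_ADDR = re.compile(r"<([^>]*)>")


@dataclass
class SmtpSession:
    commands: List[str] = field(default_factory=list)    # client commands sent before the message body
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    body_lines: List[str] = field(default_factory=list)  # message as the server stored it (dot-unstuffed)
    accepted: bool = False                               # server replied 250 after the terminating "."


def _address(arg, prefix_len):
    """'FROM:<alice@example.com>' -> 'alice@example.com' (falls back to the bare text after the colon)."""
    m = _ANGLE_ADDR.search(arg)
    return m.group(1) if m else arg[prefix_len:].strip()


def parse_smtp_session(lines):
    """Reconstruct one SMTP transaction from 'C: ...' / 'S: ...' lines, the form Wireshark's Info
    column (and Follow TCP Stream) shows. After the server's 354 every client line up to a lone '.'
    is message data, not a command, and a body line that begins with '.' had that dot doubled in transit."""
    s = SmtpSession()
    state = "commands"      # commands -> await_354 -> body -> await_result -> done
    for raw in lines:
        who, _, text = raw.rstrip("\r\n").partition(": ")
        if who == "S":
            code = text[:3]
            if state == "await_354":
                state = "body" if code == "354" else "commands"   # DATA refused: back to commands
            elif state == "await_result":
                s.accepted = code == "250"
                state = "done"
        elif who == "C" and state == "body":
            if text == ".":
                state = "await_result"
            else:
                s.body_lines.append(text[1:] if text.startswith(".") else text)
        elif who == "C" and state == "commands":
            s.commands.append(text)
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "MAIL" and arg.upper().startswith("FROM:"):
                s.mail_from = _address(arg, 5)
            elif verb == "RCPT" and arg.upper().startswith("TO:"):
                s.rcpt_to.append(_address(arg, 3))
            elif verb == "DATA":
                state = "await_354"
        # client lines after the transaction (e.g. QUIT) are not part of the message and are ignored
    return s


# Constructed transcript (not the assignment's capture); hostnames and addresses are made up.
SAMPLE_SESSION = [
    "S: 220 mail.example.net ESMTP",
    "C: EHLO client.example.com",
    "S: 250-mail.example.net",
    "S: 250 SIZE 10240000",
    "C: MAIL FROM:<alice@example.com>",
    "S: 250 2.1.0 Ok",
    "C: RCPT TO:<bob@example.net>",
    "S: 250 2.1.5 Ok",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
    "C: Subject: hello",
    "C: ",
    "C: ..this line starts with a dot",
    "C: first part of the message",
    "C: .",
    "S: 250 2.0.0 Ok: queued",
    "C: QUIT",
    "S: 221 2.0.0 Bye",
]

if __name__ == "__main__":
    print(parse_smtp_session(SAMPLE_SESSION))
```

Because nothing in this exchange is encrypted, the same reconstruction gives an eavesdropper the sender, the recipients and the full message; STARTTLS (advertised in the EHLO reply when available) is what keeps the dialogue after EHLO out of a capture.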
The POP3 packet file contains packets sent between an email client (IP address: 128.196.239.91) and a server (IP address: 128.192.40.4) in which the client retrieved an email from the server.
Do some research on the Internet about POP3 commands. In Wireshark, these commands are listed under the Info column.
2.5. What is the port number for POP3 on the email server? (The information can be found in any POP packet.) 3 points
The port number for POP3 on the email server is 110. (Port 110 is the cleartext POP3 port; POP3 over TLS uses port 995.)
2.6. Have the user's user name and password been captured by Wireshark? If yes, what are they? 3 points
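The point of 2.6 is that POP3 on port 110 sends USER and PASS in cleartext, so anyone capturing the traffic has the password. The added example below (not the assignment's code) scans the client side of a reassembled POP3 or SMTP stream for every form of credential that is recoverable from a capture: USER/PASS, SASL AUTH PLAIN and AUTH LOGIN (base64 is an encoding, not encryption), and APOP, which puts an MD5 digest on the wire instead of the password. The sample lines are constructed; the usernames, passwords and the APOP digest are made up.

```python
import base64


def _b64(text):
    """Decode one base64 token; None instead of an exception on garbage."""
    try:
        return base64.b64decode(text.strip(), validate=True)
    except ValueError:
        return None


def _plain_finding(protocol, decoded):
    """SASL PLAIN payload is authzid NUL authcid NUL password (RFC 4616)."""
    parts = decoded.split(b"\0") if decoded is not None else []
    if len(parts) != 3:
        return None
    return {"protocol": protocol, "method": "AUTH PLAIN",
            "username": parts[1].decode("utf-8", "replace"),
            "password": parts[2].decode("utf-8", "replace")}


def extract_credentials(client_lines, protocol):
    """Scan the client side of a reassembled POP3 or SMTP stream and return every credential an
    eavesdropper could recover: POP3 USER/PASS, SASL AUTH PLAIN and AUTH LOGIN (base64 is encoding,
    not encryption) and APOP, where only an MD5 digest, not the password, crosses the wire."""
    findings, user, pending = [], None, None     # pending: "plain" | "login_user" | "login_pass"
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if pending == "plain":                   # AUTH PLAIN without an initial response: payload follows
            f = _plain_finding(protocol, _b64(line))
            if f:
                findings.append(f)
            pending = None
            continue
        if pending == "login_user":              # AUTH LOGIN: base64 username, then base64 password
            decoded = _b64(line)
            user = decoded.decode("utf-8", "replace") if decoded is not None else None
            pending = "login_pass"
            continue
        if pending == "login_pass":
            decoded = _b64(line)
            findings.append({"protocol": protocol, "method": "AUTH LOGIN", "username": user,
                             "password": decoded.decode("utf-8", "replace") if decoded is not None else None})
            pending = None
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            findings.append({"protocol": protocol, "method": "USER/PASS", "username": user, "password": arg})
        elif verb == "APOP":
            name, _, digest = arg.partition(" ")
            findings.append({"protocol": protocol, "method": "APOP", "username": name, "password": None,
                             "note": "only the MD5 digest %s was sent" % digest})
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            mech = mech.upper()
            if mech == "PLAIN":
                if initial:
                    f = _plain_finding(protocol, _b64(initial))
                    if f:
                        findings.append(f)
                else:
                    pending = "plain"
            elif mech == "LOGIN":
                pending = "login_user"
    return findings


# Constructed client-side lines (not the assignment's capture); names, passwords and the digest are made up.
POP3_CLIENT = ["USER alice", "PASS s3cret", "STAT", "RETR 1", "QUIT"]
POP3_APOP_CLIENT = ["APOP carol c4c9334bac560ecc979e58001b3e22fb", "QUIT"]
SMTP_CLIENT = [                      # two AUTH attempts in one session, only to exercise both mechanisms
    "EHLO client.example.com",
    "AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode(),
    "AUTH LOGIN",
    base64.b64encode(b"bob").decode(),
    base64.b64encode(b"hunter2").decode(),
    "MAIL FROM:<bob@example.com>",
]

if __name__ == "__main__":
    print(extract_credentials(POP3_CLIENT, "POP3"), extract_credentials(SMTP_CLIENT, "SMTP"))
```

The same scan is useful defensively: run over your own mail traffic it shows which clients still authenticate without TLS (ports 110 and 25 or 587 without STARTTLS), which is the configuration that makes the answer to 2.6 "yes".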
3. DNS Packets
In this part of the project, you will use Wireshark to capture and analyze DNS query and response packets.
3.1. What is the Domain Name System? How are domain names resolved on the Internet? Answer each question in a short paragraph. You must answer in your own words. 5 points
The Domain Name System (DNS) translates domain names, which are easy for people to remember, into IP addresses. The Internet routes traffic by IP address, so every time you use a domain name a DNS service must translate the name into the corresponding IP address before a connection can be made.
Domain name resolution is the process of converting a domain name into its IP address. When you enter a domain name in an application that uses the Internet, the application asks the operating system's resolver to convert the name into an IP address and then connects to that address. The resolver first consults the local HOSTS file; entries in the HOSTS file override any mapping that would otherwise be obtained from a DNS server. If the name is not found there (or in the local cache), the operating system sends a query to the DNS server configured on your computer. If that server does not already have the answer cached, it resolves the name hierarchically: it asks a root server, which refers it to the servers for the top-level domain (such as .edu), which in turn refer it to the authoritative servers for the domain, which return the IP address. The configured server then returns that IP address to your computer.
3.2. Open a command prompt window. Run the command ipconfig /all to find the IP addresses of your computer and its DNS server. List both IP addresses. 5 points
Go back to the Web browser and reload the University of Chicago home page (look for the reload/refresh button in or around the address box). Do not visit any other Web sites. Stop packet capturing in Wireshark. The rest of the questions in this section are based on the packets captured in the above steps.
3.3. In Wireshark, apply a DNS filter to display DNS packets only. Locate the two packets for www.uchicago.edu (one query packet and one response packet). Take a screenshot of the two packets in the Packet List Window (see an example below). Make sure that the words in your screenshot are sufficiently large and easy to read. The example below shows the DNS packets for the City of Springfield Web site. Notice that it says Standard query and Standard query response under the Info column, and that the query ID, 0x35ec, matches in the two packets. 5 points
3.4. What are the source and destination IP addresses of the two DNS packets that you captured? Compare them to those that you found in question 3.2. 5 points
Answer:

Packet          Source IP address                    Destination IP address
DNS query       10.0.0.13                            the DNS server address from 3.2
DNS response    the DNS server address from 3.2      10.0.0.13

The source IP address of the DNS query packet is the same as the IPv4 address of the computer (10.0.0.13), and its destination IP address is the DNS server address found in question 3.2. In the DNS query response the two are swapped: the source IP address is the DNS server address and the destination is the computer's IPv4 address.
3.5. With the second DNS packet (the response packet) selected in the Packet List window, expand the Domain Name System entry and its Answers sub-entry in the Packet Detail window. Take a screenshot of the Packet Detail window (see an example below). Make sure that the words in your screenshot are sufficiently large and easy to read. 5 points
3.6. Explain the following items in the Answers sub-entry in the DNS response packet: Name, Type, Class, Time to live, Address. (You might need to do some research on the Internet.) 5 points
Name: www.uchicago.edu. This is the name of the node (the owner name) to which this record belongs.
Class: IN (0x0001). This is the class code of the record; IN means the record belongs to the Internet class.
Time to live: 33. Resolvers cache DNS records for a period of time after receiving a response, to reduce the load on the servers. The time for which a resolver may cache a record is determined by the time to live (TTL), in seconds, carried with every record; here the answer may be cached for 33 seconds.
3.7. What is the transport layer protocol used for the DNS response packet? Why does DNS typically use this protocol as the transport layer protocol? (You might need to do some research on the Internet.) 5 points
The transport layer protocol used for the DNS response packet is UDP (User Datagram Protocol). DNS queries and responses are usually short and fit in a single datagram, so UDP is more efficient than TCP: there is no connection to set up (no three-way handshake) and no connection state to keep, which matters for a service that handles a very large number of small, independent requests. DNS falls back to TCP when a response is too large for a UDP datagram (the response is marked truncated) and for zone transfers.
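Questions 3.1, 3.6 and 3.7 are about the structure of the DNS messages seen in the capture. The Python below, added as an example and not part of the assignment, builds a standard query for www.uchicago.edu and a matching response, then parses the response's header and Answers section into the fields Wireshark shows (Name, Type, Class, Time to live, Address). Two details matter for security: the parser follows name-compression pointers only backwards, so a malicious response cannot make it loop, and match_response implements the transaction-ID and question check a resolver must apply because UDP gives it no connection to trust. The transaction ID 0x35ec and the TTL of 33 come from the assignment text; the answer address 192.0.2.10 is a constructed value from the documentation range, not www.uchicago.edu's real address.

```python
import struct
from collections import namedtuple

TYPE_A, CLASS_IN = 1, 1
DnsMessage = namedtuple("DnsMessage", "txid is_response truncated rcode questions answers")
ResourceRecord = namedtuple("ResourceRecord", "name rtype rclass ttl rdata")


def encode_name(name):
    """'www.uchicago.edu' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset just past the name). RFC 1035 compression pointers are followed
    only backwards, so a self-referencing or forward pointer is rejected instead of looping."""
    labels, end = [], None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: two-byte pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            end = end if end is not None else offset + 2
            offset = pointer
        elif length == 0:
            return ".".join(labels), end if end is not None else offset + 1
        elif length > 63 or offset + 1 + length > len(msg):
            raise ValueError("bad label")
        else:
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length


def rr_address(rr):
    """Dotted-quad Address for an A record, None for any other type."""
    return ".".join(str(b) for b in rr.rdata) if rr.rtype == TYPE_A and len(rr.rdata) == 4 else None


def parse_message(data):
    """Parse the header, question and answer sections (authority/additional are left unparsed)."""
    if len(data) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        if off + 4 > len(data):
            raise ValueError("truncated question")
        questions.append((name, struct.unpack("!HH", data[off:off + 4])[0]))
        off += 4
    for _ in range(an):
        name, off = decode_name(data, off)
        if off + 10 > len(data):
            raise ValueError("truncated answer")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if off + rdlen > len(data):
            raise ValueError("truncated rdata")
        answers.append(ResourceRecord(name, rtype, rclass, ttl, data[off:off + rdlen]))
        off += rdlen
    # flags: QR is bit 15, TC (truncated, retry over TCP) is bit 9, RCODE is the low nibble
    return DnsMessage(txid, bool(flags & 0x8000), bool(flags & 0x0200), flags & 0x000F, questions, answers)


def is_well_formed(data):
    try:
        parse_message(data)
        return True
    except ValueError:
        return False


def build_query(txid, name, qtype=TYPE_A):
    """Standard query with RD set, as a stub resolver sends it in one UDP datagram to port 53."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, addresses, ttl):
    """Answer with A records whose owner name is a pointer (0xC00C) back to the question name."""
    q = parse_message(query)
    qname, qtype = q.questions[0]
    msg = struct.pack("!HHHHHH", q.txid, 0x8180, 1, len(addresses), 0, 0)   # QR, RD, RA set
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for addr in addresses:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + bytes(int(x) for x in addr.split("."))
    return msg


def match_response(query, response):
    """Accept a reply only if it is a response whose transaction ID and question match the query: over
    UDP there is no connection, so this check (plus a random source port) is what stops spoofed answers."""
    q, r = parse_message(query), parse_message(response)
    return r.is_response and r.txid == q.txid and r.questions == q.questions
```

Both constructed messages are well under the classic 512-byte UDP limit, which is why a single datagram in each direction is all the capture shows; a response with the truncated flag set is the signal to repeat the query over TCP.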