CompSci 275, Introduction to Networks

Exploring with Wireshark

  1. Start Wireshark and begin capturing on your active network interface:
    $ sudo wireshark &

    Let it run for a minute or so. (Running the whole GUI as root works but is not ideal; on most Linux distributions, adding your account to the "wireshark" group lets you capture as an ordinary user.)
  2. Perform a "traceroute" to remote.bloomu.edu, 4.2.2.2, and 8.8.8.8 (run the command once for each target):
    $ traceroute remote.bloomu.edu
    
  3. Browse to web.mit.edu, using your preferred browser.

    Does the browser indicate "http" or "https" ?

  4. Browse to www.bloomu.edu, using your preferred browser.

    Does the browser indicate "http" or "https" ?

  5. Stop the capture. Apply the display filter udp.

    Which of the UDP packets aren't DNS packets?

  6. Find a "traceroute" packet. With transport-name resolution on, Wireshark labels UDP port 33434 "traceroute"; if necessary, turn on "View -> Name Resolution -> Resolve Transport Addresses". (Or apply the filter udp.port==33434.)
  7. Review the Wireshark packet-details pane against the OSI (TCP/IP) layers: each expandable line (Frame, Ethernet, IP, UDP, data) corresponds to one layer.
  8. Review the UDP header structure.

    Observe traceroute's data (the UDP payload that follows the 8-byte header).

    (Did anyone run "tracert" on Windows instead? What data? Note that Windows tracert sends ICMP Echo Requests rather than UDP probes, so it will not appear under a udp.port filter; filter on icmp instead.)

  9. Examine the IP header. Note the TTL value.
  10. Track the series of traceroute exchanges with the filter udp.dstport >= 33434 && udp.dstport < 33500

    Note the TTL values; traceroute raises the TTL by one for each successive hop it probes (by default three probes at each TTL).

    Why are ICMP packets included by this filter, even though they are not UDP? Is UDP involved? (Hint: look at what the ICMP message carries after its own 8-byte header.)

  11. Examine the ICMP packet structure (type, code, and the quoted original datagram).
  12. Apply the filter tcp and examine the TCP header structure.

    What are some of the payloads?

  13. Find a three-way handshake with the filter tcp.flags.syn==1 && ip.addr==148.137.10.10

    Explore the 3-way handshake's characteristics. This filter shows only the SYN and SYN/ACK; the final ACK has the SYN bit clear, so to see all three packets filter on that conversation instead (for example tcp.stream eq N, using the stream index shown in the TCP header details).

  14. Find "http" and "https" packets, using the filter tcp.port == 80 || tcp.port == 443

    Which browser session used port 80, and which used port 443?

  15. Select a packet from the session that uses port 80. Then click on "Analyze -> Follow -> TCP Stream".

    Find the first packet that contains an application payload.

    What is the application payload? Can you see it in the hex dump?

  16. Select a packet from the session that uses port 443. Then click on "Analyze -> Follow -> TCP Stream".

    What can you figure out from this stream? How much of it is comprehensible? (The TLS record headers and the handshake's ClientHello, including the server name, are in the clear; the application data is encrypted.)

  17. Review the Ethernet frame structure. Note that these frames carry an eth.type (EtherType) field rather than the eth.len length field of an IEEE 802.3 frame: a value of 0x0600 (1536) or above is a type, 1500 or below is a length.

    Find the OUI (first three bytes) of each MAC address and match it to a vendor. Wireshark does this for you when "View -> Name Resolution -> Resolve Physical Addresses" is on.

  18. Find "eth.len" frames (filter: eth.len).

    What are some of the payloads?
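The following added example is not part of the course handout; it ties steps 8 through 18 together in Python. It is a small hand-written dissector, using only the standard library's struct module, run over frames constructed in the script itself (made-up MAC addresses and documentation-range IP addresses; nothing here comes from a real capture). It reproduces what Wireshark shows at each step: the traceroute probe's TTL and UDP port, why step 10's udp.dstport filter also matches the ICMP Time Exceeded replies, the three-way handshake's sequence-number chaining, and the eth.type versus eth.len distinction with the OUI pulled from a MAC address.

```python
"""Tiny dissector for the frame types examined in this lab (added example, not
part of the course handout).  Every frame below is constructed by hand, with
made-up MACs and documentation-range IPs, so it runs offline with no capture.
Field names mirror Wireshark display-filter names."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TRACEROUTE_PORTS = range(33434, 33500)  # step 10's udp.dstport filter range
SYN, ACK = 0x02, 0x10                    # TCP flag bits


def dissect_ip(pkt):
    """IPv4 datagram -> dict of ip.* / udp.* / tcp.* / icmp.* fields."""
    f = {}
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    f["ip.ttl"], f["ip.proto"] = pkt[8], pkt[9]
    body = pkt[ihl:]
    if f["ip.proto"] == PROTO_UDP:
        f["udp.srcport"], f["udp.dstport"] = struct.unpack("!HH", body[:4])
        f["udp.payload"] = body[8:]                # traceroute's "data" (step 8)
    elif f["ip.proto"] == PROTO_TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", body[:14])
        f.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq,
                  "tcp.ack": ack, "tcp.flags.syn": bool(off_flags & SYN),
                  "tcp.flags.ack": bool(off_flags & ACK)})
    elif f["ip.proto"] == PROTO_ICMP:
        f["icmp.type"], f["icmp.code"] = body[0], body[1]
        if f["icmp.type"] in (3, 11):              # Unreachable / Time Exceeded
            # RFC 792: after the 8-byte ICMP header comes the IP header of the
            # datagram that caused the error plus its first 8 bytes, i.e. the
            # whole UDP header.  Wireshark dissects that quoted datagram too,
            # which is why step 10's udp.dstport filter also lists ICMP packets.
            inner = dissect_ip(body[8:])
            f.update({k: v for k, v in inner.items() if k.startswith("udp.")})
    return f


def dissect(frame):
    """Ethernet frame -> dict.  Wireshark's rule: a type/length value of 0x0600 (1536)
    or more is an EtherType (eth.type); 1500 or less is an IEEE 802.3 length (eth.len)."""
    dst, src, tl = struct.unpack("!6s6sH", frame[:14])
    f = {"eth.src": src.hex(":"), "eth.src.oui": src[:3].hex(":")}  # OUI = first 3 bytes
    if tl >= 0x0600:
        f["eth.type"] = tl
        if tl == ETHERTYPE_IPV4:
            f.update(dissect_ip(frame[14:]))
    else:
        f["eth.len"] = tl                          # 802.3: an LLC header follows
        f["llc.dsap"], f["llc.ssap"] = frame[14], frame[15]
    return f


def matches_traceroute_filter(f):
    """udp.dstport >= 33434 && udp.dstport < 33500, as typed in Wireshark."""
    return f.get("udp.dstport") in TRACEROUTE_PORTS


def is_three_way_handshake(frames):
    """SYN, SYN/ACK, ACK with sequence numbers chaining (each side's ACK number
    is the peer's SYN sequence number + 1), as explored in step 13."""
    a, b, c = (dissect(x) for x in frames)
    return (a["tcp.flags.syn"] and not a["tcp.flags.ack"]
            and b["tcp.flags.syn"] and b["tcp.flags.ack"] and b["tcp.ack"] == a["tcp.seq"] + 1
            and not c["tcp.flags.syn"] and c["tcp.flags.ack"]
            and c["tcp.seq"] == a["tcp.seq"] + 1 and c["tcp.ack"] == b["tcp.seq"] + 1)


# ---- constructed sample traffic (checksums left zero, which is fine for dissection) ----
def ipv4(ttl, proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       ttl, proto, 0, bytes(src), bytes(dst)) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, seq, ack, flags):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

def eth(dst, src, type_or_len, payload):
    return struct.pack("!6s6sH", bytes(dst), bytes(src), type_or_len) + payload

HOST, GW = (0x00, 0x1B, 0x21, 0x11, 0x22, 0x33), (0x00, 0x50, 0x56, 0xAA, 0xBB, 0xCC)
ME, HOP1, TARGET = (192, 0, 2, 10), (203, 0, 113, 1), (198, 51, 100, 7)

# traceroute's first probe: TTL 1, so the first router discards it and replies
probe = ipv4(1, PROTO_UDP, ME, TARGET, udp(40000, 33434, b"@" * 32))
PROBE = eth(GW, HOST, ETHERTYPE_IPV4, probe)
# ICMP Time Exceeded (type 11, code 0) from hop 1, quoting the probe's IP header + first 8 bytes
TIME_EXCEEDED = eth(HOST, GW, ETHERTYPE_IPV4,
                    ipv4(64, PROTO_ICMP, HOP1, ME, bytes([11, 0, 0, 0, 0, 0, 0, 0]) + probe[:28]))
HANDSHAKE = [  # client SYN, server SYN/ACK, client ACK (step 13)
    eth(GW, HOST, ETHERTYPE_IPV4, ipv4(64, PROTO_TCP, ME, TARGET, tcp(51000, 80, 1000, 0, SYN))),
    eth(HOST, GW, ETHERTYPE_IPV4, ipv4(55, PROTO_TCP, TARGET, ME, tcp(80, 51000, 5000, 1001, SYN | ACK))),
    eth(GW, HOST, ETHERTYPE_IPV4, ipv4(64, PROTO_TCP, ME, TARGET, tcp(51000, 80, 1001, 5001, ACK))),
]
# IEEE 802.3 frame: a length (38) where Ethernet II has a type; LLC SAP 0x42 = spanning tree
STP_BPDU = eth((0x01, 0x80, 0xC2, 0, 0, 0), GW, 38, bytes([0x42, 0x42, 0x03]) + bytes(35))
```

Call dissect() on PROBE, TIME_EXCEEDED, STP_BPDU and the three HANDSHAKE frames and compare the returned fields with what Wireshark's details pane shows for the corresponding packets in your own capture. The checksums in the constructed packets are zero, which Wireshark would flag as bad but which does not affect any of the fields examined here.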