Lab 3: Introduction to Wireshark

Pre-Lab

Lab Assignment

Part 1: Practicing with Wireshark and learning about HTTP

  1. Complete the mod_Wireshark_HTTP.pdf lab. Answer all the questions; every answer must be clearly shown.

  2. Capturing a password on an unsecured web page:
    • Using Wireshark, show that it is possible to capture the password for this website.
    • Using your terminal, execute: ftp ftp.aitislab.org
    • Enter your last name as your password. Can you see your last name in the capture? What is happening? What does it tell you?
    • Show a snapshot of your results.
    • Can you display your sonoma.edu password using Wireshark? Explain your answer.

Part II: Wireshark

Study the HTTP protocol demo example (download the sample capture: http.cap). Answer the following questions:

  1. Who initiated the TCP termination? Explain your answer.
  2. What is the flag definition (hex value) of an ACK message?
  3. What version of the HTTP transfer protocol is being used? Explain your answer.
  4. How many bytes are in a TCP SYN frame? Using a rectangular frame diagram, show the size of all embedded segments, frames, data, flags, etc. Draw it with a computer.
  5. What version of IP does the SYN frame use?
  6. How many HTTP requests (GETs) can be found in this example?
  7. Use tcp.stream eq 0 as the display filter; this selects the first stream. What is the maximum average throughput (hint: go to Statistics --> TCP StreamGraph)? Show a snapshot of the results.
  8. How many TCP streams exist in this test file?
  9. What is the IP address of the client requesting from the HTTP server?
  10. How many duplicated packets and retransmissions can be found in this transaction?
  11. Which TCP stream do the retransmitted packets belong to?
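As an added illustration for questions 2, 4 and 5 (this script is not part of the original lab and the bytes are not taken from http.cap), the following Python dissector walks a constructed Ethernet II / IPv4 / TCP SYN frame, reports the size of each embedded header, and decodes the 12-bit TCP flags field into the hex value Wireshark shows under tcp.flags. All MAC addresses, IP addresses, ports and the MSS option are constructed sample values; the IP checksum is left as zero.

```python
import struct

# Constructed sample frame (NOT from http.cap): Ethernet II + IPv4 + TCP SYN with a
# 4-byte MSS option and no payload. IP checksum is left as 0x0000 for brevity.
ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")        # dst MAC, src MAC, type IPv4
IP = bytes.fromhex("4500002c" "1c460000" "4006" "0000"              # v4, IHL 5, total len 44, id, TTL 64, proto TCP
                   "c0a80164" "c0a80101")                           # 192.168.1.100 -> 192.168.1.1
TCP = bytes.fromhex("8707" "0050" "00000001" "00000000"             # sport 34567, dport 80, seq 1, ack 0
                    "6002" "ffff" "0000" "0000"                     # data offset 6 (24 B), flags 0x002, window
                    "020405b4")                                     # option: MSS 1460
FRAME = ETH + IP + TCP

# Bit values of the 12-bit flags field as Wireshark displays it (tcp.flags).
TCP_FLAGS = {"NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
             "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001}

def tcp_flags_hex(names):
    """Combine flag names into the hex value Wireshark shows, e.g. ['SYN', 'ACK'] -> '0x012'."""
    return f"0x{sum(TCP_FLAGS[n] for n in names):03x}"

def dissect(frame):
    """Return the size of each embedded header and the decoded TCP flags of one frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an Ethernet II frame carrying IPv4")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("IP payload is not TCP")
    tcp = ip[ihl:total_len]                    # bounded by total length, so Ethernet padding is excluded
    sport, dport = struct.unpack("!HH", tcp[:4])
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    data_offset = (off_flags >> 12) * 4        # TCP header length including options
    flags = off_flags & 0x0FFF
    return {
        "frame_len": len(frame), "eth_header_len": 14,
        "ip_version": version, "ip_header_len": ihl,
        "tcp_header_len": data_offset, "tcp_payload_len": len(tcp) - data_offset,
        "sport": sport, "dport": dport,
        "flags_hex": f"0x{flags:03x}",
        "flags_set": [n for n, bit in TCP_FLAGS.items() if flags & bit],
    }

if __name__ == "__main__":
    for key, value in dissect(FRAME).items():
        print(f"{key:>16}: {value}")
```

Comparing the printed sizes with the byte counts Wireshark shows for each layer of the real SYN frame in http.cap is a quick way to check the frame diagram asked for in question 4.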

Part III: Services

  1. Ping a computer (not yours! say, your friend's computer) ONE time. Compare the obtained average/min/max round-trip delay with the values you get when you ping google.com or wordpress.com. Record your results.
  2. How do you ping a specified IP address 3 times such that the PING packet size is only 9 bytes and the time interval between each PING is 5 seconds? You must ensure the content of the PING is 2F. Show the command.
  3. In the case above, how can you verify the content of your PING command?