Lab 1:
Installing and Using Wireshark
Packet Capture Software
by
Date Report Due: Nov 3, 2013
Date Report Submitted: Nov 3, 2013
Table of Contents
Descriptive Abstract
Introduction
Screen Shot 1
Screen Shot 2
Purpose of WinPcap
Conclusion
References
Running Glossary
Descriptive Abstract
The purpose of this lab assignment is to learn to work with the Wireshark packet capture software. Wireshark is an open-source network packet analyzer that captures network packets and displays the contents of each packet in detail. It is available for UNIX-like and Windows operating systems.
Wireshark is mainly used for troubleshooting network problems and for testing protocol implementations. For every captured packet it shows the time, source IP address, destination IP address, protocol, length and other details of the packet as it travels on the network.
In this lab assignment, we first installed Wireshark on the local machine. In the first run, after stopping the capture, I analyzed some of the packets and checked what protocol they follow, their length, and other basic information. After the first few random searches, I traced some packets related to http://www2.gibson.com. In the report, I have included some screen captures of Wireshark with an analysis of the different sections of each screen shot.
Introduction
This lab covers the installation and basic use of the Wireshark packet analyzer. Wireshark is important because it shows many details of each network packet: its length, the protocol it follows, its source and destination IP addresses, and so on. MIS 272 is a networking class, and data communication on a network happens in the form of packets, so an understanding of packets is essential.
The software is mainly used by network administrators to troubleshoot network problems, by network security engineers to examine security problems, and by developers to test a new protocol implementation or to learn about network packets and related details. The main study material for this course is "Managing and Troubleshooting Networks", and as the title suggests it is about how to manage and troubleshoot networks. By analyzing the packet information Wireshark provides, we can more easily identify where a problem is.
Software used for this lab assignment:
1) Windows 7
2) Wireshark packet analyzer software
3) Web browser
4) Video player
5) Some other system and application software, mainly related to and controlled by the OS.
Hardware used for this lab assignment:
1) A laptop
2) Internet connection
3) A network router
To complete the lab activity, first install the Wireshark network packet analyzer. After installation we need to choose the capture interface, for example Bluetooth Network Connection, Wi-Fi, Ethernet, Wireless Connection 1, Local Area Connection or another connection, and then click the start icon just above the list. As soon as we click start, the software begins capturing packets on that interface and shows the details of each packet along with its protocol information. First it shows the traffic between the laptop and the Wi-Fi router, and then the traffic the laptop exchanges, through the router, with the servers of the different connected sites. It is interesting that one website can show several IP addresses, because big sites are served by more than one server.
After some random analysis, I closed all the browsers and stopped the packet analyzer. Then I opened www2.gibson.com to analyze it, and at the same time started Wireshark again. The system was showing some new IPs, and some of the packets were marked in black. The colors vary from packet to packet depending on the packet's protocol and on whether the packets were delivered successfully or lost.
After completing the entire process, I got mainly these IP addresses:
1) 71.83.242.128 (My IP address, when I use LAN)
2) 192.168.1.19 (My IP address, when I use Wi-Fi)
3) 207.171.185.201 (Amazon web services IP)
4) 117.195.114.185 (This is for Wi-Fi router settings)
5) 173.194.33.195 (One of Google's server IP addresses)
6) 174.129.4.54 (www2.gibson.com IP address)
Along with these IP addresses there were some invalid IP addresses too, which I think are the IP addresses of intermediate servers and routers that lie between the source and the destination.
Screen shot 1
image1.png
Menu bar: Provides the different options such as save, start, stop, analyze, statistics for captured packets, etc.
Option bar: Provides direct access to frequently used options.
Filter bar: Gives the ability to narrow the displayed results by different criteria (a display filter such as a protocol name or an IP address).
Packet Trace Window: All the captured packets are listed in this window, one row per packet.
Source IP address & Destination IP address: Columns giving the source and the destination of each packet.
OSI Layer Info: This window shows the layers of the selected packet, from the frame and Ethernet header up through IP and TCP/UDP to the application protocol: which version each layer uses, the type of packet, the protocol in use, and the individual fields of each header.
Besides these there is other information such as the packet number, the total number of packets captured, the length of the packet, and the data exchanged between the layers.
When we right-click in the OSI layer info window we get further options such as protocol help, disabling a protocol, filter-related options, and the ports used for the communication (source port number and destination port number).
Screen shot 2
This screen shot shows the packet details while the router is communicating with www2.gibson.com.
image2.png
This is the part of the packet trace window captured while browsing different pages of gibson.com. When I examined it later I found that 192.168.1.19 is my IP address; 192.168.1.1 is the default gateway because I was using a Wi-Fi connection at that time, and .19 was assigned to my laptop by the router. One more interesting thing I found is that if I switch off the router, disconnect all the devices, and restart the router, it reassigns the IP addresses, sometimes the same IP and sometimes a different one, depending on the number of devices connected to the router at that time.
Packet number 399 is an HTTP request packet requesting a connection to gibson.com's server, and the size of this request packet is 1386 bytes. There are many other packets which contain information about connections with gibson.com but have different IP addresses, showing that those are intermediate routers used to route the request in the correct direction, for example 103.245.222.134. When my IP address is the source IP address, my system is sending a request to the destination, whereas when my IP address is the destination IP address, my system is receiving a response from the source.
While analyzing I found that many protocols are used in this conversation, for example HTTP, TCP, DNS, etc. For every request for a new page, the DNS protocol is used first for communication between my laptop and the Wi-Fi router; then the Wi-Fi router communicates with gibson.com using TCP together with HTTP: HTTP for the request and the response from the servers, and TCP to give assurance of the delivery of packets with the help of the SYN, ACK and FIN flags.
The IP address for gibson.com is 174.129.4.54, and when I typed that into the web browser and pressed enter it navigated me to the http://www2.gibson.com/Gibson.aspx page.
While working on this I saw "www2" used in the name, which I was not familiar with, so I did some research and found that it is the same as www and is used for server load balancing.
Purpose of WinPcap (Windows Packet Capture)
WinPcap is a library that includes a driver for capturing packets. Wireshark itself is a packet analyzer, not a capture driver: it relies on the libpcap library to obtain raw packets from the network interface. On Windows that role is filled by WinPcap, which provides a kernel-mode capture driver plus a user-mode library with the same interface as libpcap, which is why Wireshark asks to install it during setup and why capturing requires the driver to be loaded.
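The following is an added example and is not part of the lab report or of Wireshark's own code. It shows what sits behind the screen shots: WinPcap/libpcap hand Wireshark raw frames, and when a capture is saved they are written in the pcap file format. The reader below parses that format and rebuilds the columns described under Screen shot 1 (No., Source, Destination, Protocol, Length, Info) and the TCP SYN/ACK/FIN flags discussed under Screen shot 2, then applies a small display filter like the filter bar. The capture is constructed in code; the MAC addresses, ports, sequence numbers and the HTTP request are made up, and the IP addresses reuse the lab's 192.168.1.19, 192.168.1.1 and 174.129.4.54 only as sample values.

```python
import socket
import struct

# Added example, not from the lab report.  Minimal reader for the pcap file
# format that libpcap/WinPcap write and Wireshark opens.  The capture is
# constructed below; MACs, ports, sequence numbers and payloads are made up.

def _ipv4(src, dst, proto, payload):
    # IP header checksum left as 0 in the constructed data (does not affect dissection)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def _tcp(sport, dport, flags, payload=b""):
    # 20-byte header (data offset 5); seq/ack/checksum kept constant
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags,
                       8192, 0, 0) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _dns_query(name):
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # one question, RD set
            + qname + struct.pack("!HH", 1, 1))                 # type A, class IN

def _frame(ip_packet):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip_packet

def build_sample_pcap():
    """DNS lookup, TCP handshake, HTTP GET and FIN, in the order the lab saw them."""
    lap, gw, web = "192.168.1.19", "192.168.1.1", "174.129.4.54"
    get = b"GET /Gibson.aspx HTTP/1.1\r\nHost: www2.gibson.com\r\n\r\n"
    frames = [
        _frame(_ipv4(lap, gw, 17, _udp(51000, 53, _dns_query("www2.gibson.com")))),
        _frame(_ipv4(lap, web, 6, _tcp(52000, 80, 0x02))),        # SYN
        _frame(_ipv4(web, lap, 6, _tcp(80, 52000, 0x12))),        # SYN, ACK
        _frame(_ipv4(lap, web, 6, _tcp(52000, 80, 0x18, get))),   # PSH, ACK + request
        _frame(_ipv4(lap, web, 6, _tcp(52000, 80, 0x11))),        # FIN, ACK
    ]
    # global header: magic, version 2.4, tz, sigfigs, snaplen, linktype 1 = Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):   # records one second apart, not truncated
        out += struct.pack("<IIII", 1383436800 + i, 0, len(f), len(f)) + f
    return out

# Order matches how Wireshark prints them: [FIN, ACK], [SYN, ACK], [PSH, ACK]
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK")]

def _qname(b):
    labels, i = [], 0
    while b[i]:
        labels.append(b[i + 1:i + 1 + b[i]].decode())
        i += 1 + b[i]
    return ".".join(labels)

def _decode(no, frame):
    pkt = {"no": no, "len": len(frame), "src": "", "dst": "",
           "proto": "Non-IP", "info": "", "flags": []}
    if frame[12:14] != b"\x08\x00":            # EtherType: only IPv4 handled here
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    pkt["src"] = socket.inet_ntoa(frame[26:30])
    pkt["dst"] = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 6:
        sport, dport, _seq, _ack, off, flags = struct.unpack_from("!HHIIBB", l4, 0)
        payload = l4[(off >> 4) * 4:]
        pkt["flags"] = [n for bit, n in TCP_FLAGS if flags & bit]
        pkt["proto"] = "TCP"
        pkt["info"] = f"{sport} > {dport} [{', '.join(pkt['flags'])}]"
        if payload[:4] in (b"GET ", b"POST", b"HTTP"):   # relabel by content, as Wireshark does
            pkt["proto"] = "HTTP"
            pkt["info"] = payload.split(b"\r\n", 1)[0].decode(errors="replace")
    elif proto == 17:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        pkt["proto"], pkt["info"] = "UDP", f"{sport} > {dport}"
        if 53 in (sport, dport):
            pkt["proto"] = "DNS"
            pkt["info"] = "Standard query " + _qname(l4[8 + 12:])
    return pkt

def parse_pcap(data):
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    packets, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append(_decode(len(packets) + 1, data[off:off + incl_len]))
        off += incl_len
    return packets

def display_filter(packets, proto=None, host=None, flag=None):
    """Small subset of the filter bar: proto = Protocol column, host = either
    address (ip.addr == x), flag = a set TCP flag (tcp.flags.syn == 1)."""
    return [p for p in packets
            if (proto is None or p["proto"] == proto)
            and (host is None or host in (p["src"], p["dst"]))
            and (flag is None or flag in p["flags"])]
```

Running `parse_pcap(build_sample_pcap())` and printing each dictionary gives the same five rows a Wireshark packet list would show for this exchange: a DNS query to the gateway, SYN, SYN/ACK, the HTTP GET (which Wireshark labels HTTP rather than TCP because of the payload), and FIN/ACK. The reader deliberately skips checksum validation and anything other than IPv4 over Ethernet; real captures also contain ARP, IPv6 and truncated records (where the saved length is less than the original), which a production dissector has to handle.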
Conclusion
Many topics from the book were covered in this lab, among them IP addresses, networking layers, packets, the HTTP, TCP, FTP and DNS protocols, and network communication in general. It was a good experience to learn how packets travel on a network, how one router communicates with another, and what the different TCP flags such as ACK, FIN and SYN mean.
The most important concept I learned in this assignment is how different protocols work on different packets and between the different layers of the network. I always had confusion about why we need this many layers in networking, but it is clear now that this is a step-by-step process, and at each step a layer adds something to the data to encrypt it and make it compatible as input for the next layer.
Installation of Wireshark was quite easy, but at the start I found it a bit problematic because there were too many IP addresses, and whenever I typed them into the browser it showed an invalid page or an error. After some time I realized that those were addresses of intermediate routers or servers which do not have any web page and just redirect towards the destination IP address.
References
Meyers, Mike. Managing and Troubleshooting Networks, 3rd edition. McGraw Hill.
Wireshark Download. Retrieved from http://www.wireshark.org/download.html
Wireshark User's Guide. Retrieved from http://www.wireshark.org/docs/wsug_html_chunked/
Wireshark wiki pages. Retrieved from http://wiki.wireshark.org/
Wireshark wiki: WinPcap. Retrieved from http://wiki.wireshark.org/WinPcap
Running Glossary
ACK: Acknowledgment flag, set by TCP to confirm receipt of data
DNS: Domain Name System, the naming system that maps names of computers and devices on the Internet to IP addresses
FIN: Finish flag, indicating that the sender has no more data to transmit
HTTP: Hyper Text Transfer Protocol, used for web-related data communication on the WWW
Open Source: Software whose source code is published and may be used, studied, modified and redistributed under the terms of its license
Server load balancing: Distributing requests across more than one server
SYN: Synchronize flag, used to establish a TCP connection
TCP: Transmission Control Protocol, used for reliable data communication
WinPcap: Windows library and driver for capturing packets, the Windows counterpart of libpcap
Wireshark: A network packet analyzer
www2: Hostname prefix seen when a site's traffic is spread over more than one web server (load balancing)
Screen shot 1 callouts (image1.png): Menu bar; Option bar; Filter bar; Packet Trace Window; Source IP address of the packet; Destination IP address of the packet; Packet's protocol; Information related to the packet; Data details of the selected packet; OSI Layer Info.