Practice Assignment Answers
Question-1. A company has been assigned a class B address. A subnet of this company has network address 136.24.80.0 and direct broadcast address 136.24.85.63.
a) Based on the previous information, provide the two smallest network addresses that can be assigned to subnets of this company.
b) Provide the smallest and largest IP address that can be assigned to a host in each one of the subnets of previous question “a)”.
c) Provide the two largest network addresses that can be assigned to subnets of this company.
d) Provide the smallest and largest IP address that can be assigned to a host in each one of the subnets of previous question “c)”.
You must provide the values of all derived network addresses and IP addresses in Dotted Decimal Notation. You must show your derivations.
Net address: 136.24.0101 0000 . 0000 0000
Broadcast address: 136.24.0101 0101 . 0011 1111
Since the blue bits are 0 in the net address and 1 in the broadcast address, they are host bits. Thus, the red bits are net bits.
Bit pattern of the last two octets (N = net bit, H = host bit): NNNN NHNH . NNHH HHHH
Smallest 2 Net Addresses and the IP addresses assigned to hosts
Net address: 136.24.0000 0000 . 0000 0000 -> 136.24.0.0
    Smallest IP: 136.24.0000 0000 . 0000 0001 -> 136.24.0.1
    Largest IP:  136.24.0000 0101 . 0011 1110 -> 136.24.5.62
Net address: 136.24.0000 0000 . 0100 0000 -> 136.24.64.0
    Smallest IP: 136.24.0000 0000 . 0100 0001 -> 136.24.0.65
    Largest IP:  136.24.0000 0101 . 0111 1110 -> 136.24.5.126
Largest 2 Net Addresses and the IP addresses assigned to hosts
Net address: 136.24.1111 1010 . 1000 0000 -> 136.24.250.128
    Smallest IP: 136.24.1111 1010 . 1000 0001 -> 136.24.250.129
    Largest IP:  136.24.1111 1111 . 1011 1110 -> 136.24.255.190
Net address: 136.24.1111 1010 . 1100 0000 -> 136.24.250.192
    Smallest IP: 136.24.1111 1010 . 1100 0001 -> 136.24.250.193
    Largest IP:  136.24.1111 1111 . 1111 1110 -> 136.24.255.254
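The Question-1 derivation carried out programmatically, as an added example that is not part of the original answer sheet: it recovers the non-contiguous mask from the given network and broadcast addresses, enumerates every subnet, and reports the two smallest and two largest with their host ranges. The function names are illustrative.

```python
CLASS_B_MASK = 0xFFFF0000  # class B: the first two octets are the network part

def to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_dotted(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def derive_masks(net, bcast):
    """Host bits are 0 in the network address and 1 in the directed
    broadcast address; every other bit is a net (N) bit."""
    host_bits = to_int(net) ^ to_int(bcast)
    mask = ~host_bits & 0xFFFFFFFF
    subnet_bits = mask & ~CLASS_B_MASK & 0xFFFFFFFF
    return mask, host_bits, subnet_bits

def all_subnets(net, subnet_bits):
    """Every combination of the subnet-id bits, in increasing order."""
    base = to_int(net) & CLASS_B_MASK
    found, s = [], subnet_bits
    while True:                       # standard sub-mask enumeration
        found.append(base | s)
        if s == 0:
            break
        s = (s - 1) & subnet_bits
    return sorted(found)

def describe(subnet, host_bits):
    """(network, smallest host, largest host) in dotted decimal."""
    bcast = subnet | host_bits
    return to_dotted(subnet), to_dotted(subnet + 1), to_dotted(bcast - 1)

def answers(net="136.24.80.0", bcast="136.24.85.63"):
    mask, host_bits, subnet_bits = derive_masks(net, bcast)
    nets = all_subnets(net, subnet_bits)
    picked = nets[:2] + nets[-2:]     # two smallest, two largest
    return to_dotted(mask), [describe(n, host_bits) for n in picked]

if __name__ == "__main__":
    mask, rows = answers()
    print("mask", mask)
    for row in rows:
        print(*row)
```

The second-smallest network prints as 136.24.0.64, the dotted-decimal value of the binary pattern 0000 0000 . 0100 0000 listed above.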
Question-2.
Start your Bt5, Kali (or other Linux virtual machine) that has hping3 tool installed. Now use ifconfig to find its IP
address; to find the IP address of your host OS you can also use ifconfig (if it is Linux) or ipconfig (if it is
Windows). Capture screenshots of your ifconfig (or ipconfig) commands and corresponding outputs; showing the
two IP addresses. Now start Wireshark in both Bt5 and host OS and select non-promiscuous mode. In both Bt5
and host OS Wireshark add a SrcPort and a DestPort column in the Packet List Pane. In the Wireshark of the
host OS, apply a capture filter that will capture only the TCP packets whose source IP address is the one of Bt5.
Type this capture filter. Also capture a screenshot of this filter in the Wireshark filter box of the host OS. In the
Wireshark of Bt5 apply a packet capture filter that will capture only TCP packets that have ALL of the following
properties: a) destination port 77, b) TCP SYN, PSH, ACK, RST bits set to 1, c) IP Identification field 4572,
d) 1320 TCP data bytes, e) a TCP window size 26000. Type this capture filter. Also capture a screenshot of this
applied filter in the Wireshark filter box of the Bt5. Now start the packet capturing process in both host OS and Bt5
Wiresharks. Next, use (in Bt5) one hping3 command that will transmit 6 TCP packets to the Host OS with
destination ports 74, 75, 76, 77, 78, 79 and 80. Moreover, each one of these packets must have the SYN, PSH,
ACK and RST bits set to 1, its IP Identification field equal to 4572, 1320 TCP data bytes and a TCP window of
26000 bytes. Type the hping3 command you have used. Also capture a screenshot of this hping3 command and its
output. Stop the packet capturing process in both Wiresharks. Capture a screenshot of the packet list pane of the
Bt5 Wireshark and a screenshot of the packet list pane of the Host OS Wireshark showing the captured packets.
Your screenshots in Bt5 and Host OS must show the port numbers of the transmitted packets. How many packets
have been captured by Bt5 Wireshark and how many by the Host OS Wireshark? Is that what you expected?
Explain why or why not.
SOLUTION
Start your Bt5, Kali (or other Linux virtual machine) that has hping3 tool installed. Now use ifconfig to find its IP address; to find the IP address of your host OS you can also use ifconfig (if it is Linux) or ipconfig (if it is Windows). Capture screenshots of your ifconfig (or ipconfig) commands and corresponding outputs; showing the two IP addresses.
Screenshot-2-1: Bt5 ifconfig command and its output; Bt5 IP address is 192.168.183.129
Screenshot-2-2: Windows (host OS) ifconfig command and its output; Windows IP address is 192.168.183.1
Screenshot-2-3: Wireshark capture filter in Windows: ip[9]=6 and src host 192.168.183.129
Bt5 Wireshark Capture Filter components:
a) packets with destination port 77 : tcp dst port 77 ; we can also use tcp[2:2] = 77
b) packets with TCP flags SYN, PSH, ACK, RST bits set to 1: tcp[13] & 0x1e = 0x1e
c) packets IP Identification field 4572: ip[4:2]=4572
d) 1320 TCP data bytes; we must add 20 bytes TCP header & 20 bytes IP header for IP Total Length field: 1360
ip total length filter: ip[2:2]=1360
e) TCP Window 26000 bytes: tcp [14:2]=26000
Complete Capture Filter:
tcp[2:2] = 77 && (tcp[13] & 0x1e = 0x1e) && ip[4:2]=4572 && ip[2:2]=1360 && tcp [14:2]=26000
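How the byte-offset terms of the two capture filters select header fields, as an added example that is not part of the original solution: it builds constructed IPv4+TCP packets with the field values from the question and evaluates each filter term on the raw bytes. The source port, TTL and zeroed checksums are dummy values, and the helper names are illustrative.

```python
import struct

BT5 = bytes([192, 168, 183, 129])    # source address from the page
HOST = bytes([192, 168, 183, 1])     # destination address from the page

def build_packet(dport, flags=0x1E, ip_id=4572, data_len=1320, window=26000):
    """Constructed IPv4 + TCP packet; checksums, seq/ack, source port are dummies."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + data_len, ip_id,
                         0, 64, 6, 0, BT5, HOST)
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags,
                          window, 0, 0)
    return ip_hdr + tcp_hdr + b"X" * data_len

def ip(pkt, off, size=1):
    """BPF ip[off:size]: big-endian value at a byte offset into the IP header."""
    return int.from_bytes(pkt[off:off + size], "big")

def tcp(pkt, off, size=1):
    """BPF tcp[off:size]: same, counted from the end of the IP header (IHL * 4)."""
    start = (pkt[0] & 0x0F) * 4 + off
    return int.from_bytes(pkt[start:start + size], "big")

def bt5_filter(pkt):
    return (tcp(pkt, 2, 2) == 77                  # a) destination port
            and (tcp(pkt, 13) & 0x1E) == 0x1E     # b) SYN|RST|PSH|ACK all set
            and ip(pkt, 4, 2) == 4572             # c) IP Identification
            and ip(pkt, 2, 2) == 1360             # d) Total Length = 20 + 20 + 1320
            and tcp(pkt, 14, 2) == 26000)         # e) TCP window

def host_filter(pkt):
    # ip[9]=6 and src host 192.168.183.129
    return ip(pkt, 9) == 6 and pkt[12:16] == BT5

def captured_ports(filt, ports=range(74, 81), **fields):
    """Destination ports of the constructed packets that pass the given filter."""
    return [p for p in ports if filt(build_packet(p, **fields))]

if __name__ == "__main__":
    print("Bt5 :", captured_ports(bt5_filter))
    print("Host:", captured_ports(host_filter))
```

Only the port-77 packet passes the Bt5 filter, while all seven pass the host OS filter, which matches the packet counts in the screenshots.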
Screenshot-2-4: Shows a) eth4 is used in Bt5 with IP address 192.168.183.129, b) Capture Filter used
Screenshot-2-5: Shows hping3 command and its output; 7 packets have been transmitted
Screenshot-2-6: Shows that in Bt5 only packet with destination port number 77 has been captured.
Screenshot-2-7: Shows that in Windows host OS all 7 packets (ports 74,75….78) have been captured.
Question-3.
Start your Bt5 and host OS system and use ifconfig or ipconfig to find their IP addresses. Capture screenshots
of your ifconfig (or ipconfig) commands and corresponding outputs; showing the IP addresses of Bt5 and host OS.
In your Bt5, type the hping3 command that will transmit to the host OS one TCP packet that has only its SYN bit
set, 42000 TCP data bytes and a destination port number 2266. Type the hping3 command you must use. In your
Bt5, also apply a capture filter that will only capture the 12th and 26th fragments of the transmitted packet. Type
the capture filter you must use. Also capture a screenshot of this filter in the Wireshark filter box of Bt5. In the
host OS start Wireshark and apply a capture filter that will only capture TCP packets with source IP address,
the IP address of Bt5. Capture a screenshot of this filter. Now start both Wiresharks, in Bt5 and host OS and,
then, run the above hping3 command. Capture a screenshot of the hping3 command and the first 14 packets of its
output. Capture a screenshot of the packet list pane of the host OS Wireshark showing in the packet list pane the
first 14 packets. Finally, capture a screenshot of the Bt5 Wireshark showing in the packet list pane the captured
packets, and in the packet detailed pane the fragmentation offset of the 2nd fragment.
SOLUTION
Start your Bt5 (or Kali) and host OS system and use ifconfig or ipconfig to find their IP addresses. Capture screenshots of your ifconfig (or ipconfig) commands and corresponding outputs; showing the IP addresses of Bt5 and host OS.
Screenshot-3-1: Bt5 ifconfig command and its output; Bt5 IP address is 192.168.183.129
Screenshot-3-2: Windows (host OS) ifconfig command and its output; Windows IP address is 192.168.183.1
In your Bt5, type the hping3 command that will transmit to the host OS one TCP packet that has only its SYN bit set, 42000 TCP data bytes and a destination port number 2266. Type the hping3 command you must use.
Bt5 Hping3 command: hping3 -I eth4 -p 2266 -c 1 -S -d 42000 192.168.183.1
In your Bt5, also apply a capture filter that will only capture the 12th and 26th fragments of the transmitted packet.
Type the capture filter you must use. Also capture a screenshot of this filter in the Wireshark filter box of Bt5.
Since the question does not mention IP options, the IP header will be 20 bytes. Since the max IP packet is 1500 bytes including the IP header, each fragment will have 1480 IP data bytes. Note that the IP offset field is expressed in units of 8 bytes. So the IP offset fields OF1, OF2, OF3, ... (of IP fragments 1, 2, 3, ...) will be:
OF1=0, OF2=1480/8=185, OF3=2*1480/8=2*185, OF4=3*185 … OF12=11*185=2035, OF26=25*185=4625
So the Bt5 capture filter for capturing the OF12 and OF26 fragments is: ip[6:2]&0x1fff=2035 or ip[6:2]&0x1fff =4625
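The offset arithmetic above for every fragment of the 42000-byte packet, as an added example that is not part of the original solution: it also shows why the filter masks ip[6:2] with 0x1fff, since the More Fragments flag shares that 16-bit field with the offset. It assumes 1480-byte fragments as stated in the solution and a 20-byte TCP header without options; the function names are illustrative.

```python
MTU = 1500
IP_HDR = 20      # no IP options, as the solution assumes
TCP_HDR = 20     # assumption: no TCP options
MF = 0x2000      # "more fragments" flag inside the 16-bit field at ip[6:2]

def fragments(tcp_data_len, mtu=MTU):
    """Return (number, ip[6:2] value, byte offset, payload bytes) per fragment."""
    payload = TCP_HDR + tcp_data_len       # everything IP has to carry
    per_frag = (mtu - IP_HDR) // 8 * 8     # 1480; offsets count 8-byte units
    frags, off = [], 0
    while off < payload:
        size = min(per_frag, payload - off)
        more = MF if off + size < payload else 0
        frags.append((len(frags) + 1, more | (off // 8), off, size))
        off += size
    return frags

def captured(frags, wanted=(2035, 4625), mask=0x1FFF):
    """Fragment numbers for which (ip[6:2] & mask) equals a wanted value."""
    return [n for n, field, _, _ in frags if (field & mask) in wanted]

if __name__ == "__main__":
    frags = fragments(42000)               # hping3 -d 42000
    for n, field, off, size in frags:
        if n in (1, 2, 12, 26, len(frags)):
            print(f"fragment {n:2}: ip[6:2]=0x{field:04x} "
                  f"byte offset {off:5} len {size}")
    print("with & 0x1fff :", captured(frags))
    print("without mask  :", captured(frags, mask=0xFFFF))
```

Without the mask neither fragment matches, because the 12th and 26th fragments both carry the More Fragments bit and their raw field values are 0x27f3 and 0x3211.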
In the host OS start Wireshark and apply a capture filter that will only capture TCP packets with source IP address, the IP address of Bt5.
Since the transmitted packets are TCP packets, their IP protocol field (byte 9 of the IP header, counting from 0) will have value 6. So my Windows capture filter is: ip[9]=6 and src host 192.168.183.129
Screenshot-3-3: Wireshark capture filter in Windows: ip[9]=6 and src host 192.168.183.129
Screenshot-3-4: Bt5 capture filter: ip[6:2]&0x1fff=2035 or ip[6:2]&0x1fff =4625
Screenshot-3-5: Bt5 hping3 command and its output
Finally, capture a screenshot of the Bt5 Wireshark showing in the packet list pane the captured packets, and in the packet detailed pane the fragmentation offset of the 2nd fragment.
Screenshot-3-6: Shows the 2 fragments captured by Bt5 with offsets: 16280 and 37000.
Note that 16280/8 = 2035 and 2035/185 = 11, which means this is the 12th fragment, whereas 37000/8 = 4625 and 4625/185 = 25, which means this is the 26th fragment.
Note also that in the Packet Byte Pane of Wireshark the fragmentation offset of the 1st captured packet is 0x7f3, whose decimal value is 2035.
Screenshot-3-7: Shows all the fragments captured by the Windows Wireshark with their corresponding fragmentation offset values.