networking and wireshark app, computer science assignment help

Figure 5-3: Captured packets. (Packet list with TCP and HTTP rows from 155.97.243.201; the selected packet's bytes show a Google host name and the http.host field.)

24. Scroll down until you see a line that has "GET / HTTP/1.1" in the Info column. (You may have to try more than one until you get to the packet that shows "www.Google.com" in the bottom pane.)
25. Select that row.
26. In the bottom pane you will see a bunch of numbers to the left. (It's the packet's contents in hexadecimal.) Just to the right you will see the content of the packet in a column.
27. Select the text: www.Google.com.
28. Take a screenshot.

Note: You just picked packets off your network and looked at their contents. There may have been a lot of traffic that you couldn't interpret. Don't worry about the information on your screen that is difficult to understand. In the next project you will use a filter to capture only Web traffic going over port 80.

1. What do the different colors mean?
2. Why does your computer get packets that are addressed to another machine?
3. How many packets does your computer send/receive in a single mouse click when you visit a Web site?
4. Could you organize or filter the traffic to make it easier to understand?

Now you are going to filter out all the "extra" packets you captured and just look at Web traffic.

Too often you will capture much more information than you will ever want or need. Being able to filter out the traffic you don't want is an important skill. Before you can filter packets you need to understand a little bit about "ports." Ports are like doors and windows on your house. Your house has several points of entry (including doors, windows, chimneys, etc.) through which people could enter your house. Computers work the same way.

Each point of entry on a computer is called a port. Information comes into a computer through a port. Each port is given a specific number so it's easier to remember. Below are some of the more common port numbers that you'll need to know:

Port 20 - FTP (data)
Port 21 - FTP (control)
Port 23 - Telnet
Port 25 - SMTP (outgoing email)
Port 53 - DNS
Port 80 - HTTP (Web)
Port 110 - POP3 (email)
Port 143 - IMAP (email)
Port 443 - HTTPS (Web over SSL/TLS, encrypted)

Your house has an address to locate it and a front door for people to enter. Your computer works the same way. It has an IP address to locate it and a port to enter. You can filter packets by IP address or by port number.

A thorough understanding of TCP/IP will greatly aid your understanding of how packet filtering works. There are many great tutorials available on the Web that will teach you the basics of TCP/IP.

Below are instructions on how to filter out all packets EXCEPT Web traffic by creating a capture filter for just port 80. Note that Wireshark has two kinds of filter: a capture filter (libpcap syntax such as "tcp port 80") decides which packets are recorded at all, while a display filter (Wireshark's own syntax such as "http.host") only hides rows of a capture you already have. This project uses capture filters.

This can capture Web traffic going to OTHER computers on your network, not just your own. Reread the last sentence. Yes, you read that correctly: with "Capture packets in promiscuous mode" checked, your NIC accepts every frame it sees, so on a shared medium (a hub, or a wireless network in monitor mode) you will see your neighbours' Web requests too. On a modern switched network the switch only forwards frames addressed to your port (plus broadcasts), so you will normally see just your own traffic unless you are on a mirror (SPAN) port or a tap. This is one of the reasons why packet sniffers are important to learn.

1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface drop-down menu at the top of the screen. (Your NIC will undoubtedly have a different name.)
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-4.)

Figure 5-4: Configuring Wireshark to capture port 80 traffic. (Capture Options dialog: Interface Realtek RTL8139/810x Family Fast Ethernet NIC, IP address 155.97.243.201, "Capture packets in promiscuous mode" checked, Capture Filter "tcp port 80".)

Figure 5-5: Viewing the contents of a packet. (Packet list of HTTP and TCP rows; the selected GET / HTTP/1.1 request shows the headers Accept, Accept-Language: en-us, UA-CPU: x86, Accept-Encoding: gzip, deflate, User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; ...), Host: www.google.com, Connection: Keep-Alive and a Cookie header with a PREF= value.)

4. Close ALL other programs you currently have open except your word processing program (Microsoft Word, OpenOffice Writer, etc.).
5. Click Start.
6. Open a Web browser and go to www.Google.com.
7. Click Capture and Stop.
8. Scroll down until you see a line that has GET / HTTP/1.1. (You may have to try more than one until you get to the www.Google.com packet.)
9. Select that row.
10. In the bottom pane you will see a bunch of numbers to the left. (It's the contents of the packet in hexadecimal.) Just to the right you will see the contents of the packet in a column.
11. Select the text www.Google.com.
12. Take a screenshot. (See Figure 5-5.)

Figure 5-6: Capture filter to include www.microsoft.com. (Capture Options dialog with Capture Filter "tcp port 80 and host www.microsoft.com".)

Figure 5-7: Captured packets. (Packet list showing only TCP and HTTP traffic between 155.97.243.202 and 65.55.21.250; 34 packets captured.)

13. Click Capture and Options.
14. Enter "tcp port 80 and host www.microsoft.com" in the box next to Capture Filter. (See Figure 5-6.)
15. Click Start.
16. Open a Web browser and go to www.Google.com. (You shouldn't pick up any packets.)
17. Go to www.Microsoft.com in your Web browser. (You should pick up several packets.)
18. Click Capture and Stop.
19. Take a screenshot. (See Figure 5-7.)

Figure 5-8: Capture filter to include "src port 80." (Capture Options dialog with Capture Filter "tcp port 80 and host www.microsoft.com and src port 80".)

Figure 5-9: Captured packets from one source IP. (Every row has source 64.4.31.252 and destination 155.97.243.202; 45 packets captured.)

20. Click Capture and Options.
21. Enter "tcp port 80 and host www.microsoft.com and src port 80" in the box next to Capture Filter. (See Figure 5-8.)
22. Click Start.
23. Go to www.Microsoft.com in your Web browser. (You should pick up several packets with the same source IP.)
24. Click Capture and Stop.
25. Take a screenshot. (See Figure 5-9.)

Figure 5-10: Capture filter for port 53. (Capture Options dialog with Capture Filter "port 53".)

Figure 5-11: Captured DNS packets. (DNS standard queries between 155.97.243.202 and 155.101.201.10; the selected query's Name field, a microsoft.com name, is highlighted in the packet bytes.)

26. Click Capture and Options.
27. Enter "port 53" in the box next to Capture Filter. (See Figure 5-10.)
28. Click Start.
29. Go to www.Microsoft.com in your Web browser. (You should pick up several packets colored light blue by default, Wireshark's default coloring for UDP. These are DNS requests and responses.)
30. Click Capture and Stop.
31. Click on the first row.
32. Highlight the Microsoft entry in the Packet Bytes (contents) pane.
33. Take a screenshot. (See Figure 5-11.)

In this project you learned how to 1) capture packets going to a specific port, 2) capture traffic to or from a specific host (or IP address), 3) capture only one side of a conversation by specifying a source or destination port, and 4) capture DNS traffic.

For a list of the possible ports you can specify you can go to the following link: http://wiki.wireshark.org/PortReference.

By filtering only Web traffic (port 80) there was much less information to capture. There was even less traffic if you specified a particular Web site. You can even look at only one side of the conversation by specifying a source or destination port. Two caveats: "host www.microsoft.com" is resolved to IP addresses once, when the filter is compiled, so if the site answers from a different address the next time (as content-delivery networks routinely do) those packets are simply not recorded; and "port 80" matches a port number, not a protocol, so it records anything that happens to use port 80 and misses Web traffic on any other port. Wireshark's wiki (http://wiki.wireshark.org/FrontPage) has a lot of information about how to capture specific kinds of traffic and even provides some sample captures.
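The filters in this project are libpcap capture filters. As an added example (not Wireshark's or libpcap's own code), the following Python re-implements the handful of primitives used above and runs them over a constructed packet list modelled on Figures 5-7, 5-9 and 5-11, so you can see that "port 80" keeps both directions, "src port 80" keeps only the server's side, and "host" is turned into a set of addresses once, when the filter is compiled. The HOSTS table standing in for that DNS lookup is hypothetical.

```python
"""Mini evaluator for the libpcap capture filters used in this project.
Added example, not Wireshark's or libpcap's code (real filters are compiled
to BPF bytecode and run in the kernel); it covers only the primitives used
above: tcp/udp, port, host, the src/dst qualifiers, and/or/not."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

# Hypothetical stand-in for the DNS lookup libpcap does ONCE, when the filter
# is compiled; packets from any other address the site uses are not captured.
HOSTS = {"www.microsoft.com": {"65.55.21.250"}}

def resolve(name):
    """Literal IP addresses pass through; names go through the HOSTS table."""
    try:
        return {str(ipaddress.ip_address(name))}
    except ValueError:
        return HOSTS[name]   # KeyError here is pcap_compile's "unknown host"

class Filter:
    """expr = term ('or' term)*; term = factor ('and' factor)*;
    factor = 'not' factor | [tcp|udp] [src|dst] (port N | host H)"""
    def __init__(self, expression):
        self.toks = re.findall(r"\S+", expression.lower())
        self.pos = 0
        self.pred = self._expr()
        if self.pos != len(self.toks):
            raise SyntaxError(f"unexpected token '{self.toks[self.pos]}'")
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        if self._peek() is None:
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]
    def _expr(self):
        left = self._term()
        while self._peek() == "or":
            self._take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self._term())
        return left
    def _term(self):
        left = self._factor()
        while self._peek() == "and":
            self._take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self._factor())
        return left
    def _factor(self):
        tok = self._take()
        if tok == "not":
            inner = self._factor()
            return lambda p: not inner(p)
        proto = direction = None
        if tok in ("tcp", "udp"):              # "tcp port 80": protocol qualifier
            proto, tok = tok, self._take()
        if tok in ("src", "dst"):              # "src port 80": direction qualifier
            direction, tok = tok, self._take()
        if tok == "port":                      # bare "port" matches either end
            n = int(self._take())
            match = {None: lambda p: n in (p.sport, p.dport),
                     "src": lambda p: p.sport == n,
                     "dst": lambda p: p.dport == n}[direction]
        elif tok == "host":                    # bare "host" matches either end
            addrs = resolve(self._take())
            match = {None: lambda p: p.src in addrs or p.dst in addrs,
                     "src": lambda p: p.src in addrs,
                     "dst": lambda p: p.dst in addrs}[direction]
        else:
            raise SyntaxError(f"unknown primitive '{tok}'")
        return match if proto is None else (lambda p: p.proto == proto and match(p))
    def keep(self, packets):
        return [p for p in packets if self.pred(p)]

ME = "155.97.243.202"
SAMPLE = [  # constructed packets, modelled on Figures 5-7, 5-9 and 5-11
    Packet("udp", ME, 53412, "155.101.201.10", 53),      # DNS query
    Packet("udp", "155.101.201.10", 53, ME, 53412),      # DNS answer
    Packet("tcp", ME, 24121, "65.55.21.250", 80),        # GET to www.microsoft.com
    Packet("tcp", "65.55.21.250", 80, ME, 24121),        # its 200 OK
    Packet("tcp", ME, 26929, "74.125.155.103", 80),      # GET to www.google.com
    Packet("tcp", "74.125.155.103", 80, ME, 26929),      # its response
    Packet("tcp", ME, 24119, "65.55.21.250", 443),       # HTTPS: not "port 80"
]

def count(expression, packets=SAMPLE):
    """Number of packets the capture filter would record."""
    return len(Filter(expression).keep(packets))
```

Run count("tcp port 80") and then add the "and host ..." and "and src port 80" clauses one at a time: the seven constructed packets shrink to four, two and one, exactly the narrowing the screenshots show. The same structure (qualifiers in front of a primitive, combined with and/or/not) is what libpcap accepts, so the expressions here can be pasted into Wireshark's Capture Filter box unchanged.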

THOUGHT QUESTIONS

1. Why does your computer send so many packets? Why not send just one really big packet?
2. What do SYN, ACK, FIN, GET mean?
3. Can you capture all of the packets for an entire network?
4. Can Wireshark automatically resolve the IP address into host names?

5.3 PACKET INSPECTION

In the prior project you learned how to capture specific types of traffic. In this project you will look at the parts of a packet. Each packet comes with a lot of information that the end user never sees. Each captured frame has 1) both source and destination IP addresses (in the IP header), 2) both source and destination MAC addresses (in the Ethernet header), 3) a TTL (time to live, decremented by every router the packet crosses), and 4) both source and destination port numbers (in the TCP or UDP header). In addition, it also has information about window size, IP version, timings, sequence numbers, checksums, etc.

Understanding the contents of a packet helps you understand how TCP/IP (and the Internet) works in the real world. Each field in a packet serves a purpose. There are also different types of packets (UDP, ICMP, etc.) that perform different functions. You will also walk through a TCP connection in this project. Understanding these fundamental components is critical to becoming a good network administrator.
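To see what the Packet Details pane is decoding, here is an added example (not Wireshark's code) that dissects the Ethernet II, IPv4 and TCP headers of a raw frame and recomputes both checksums, the check Wireshark skips when it prints "[validation disabled]". The input is the 54-byte handshake ACK from Figure 5-23 (frame 3), transcribed from its hex pane; treat it as constructed sample input.

```python
"""Byte-level dissector for the Ethernet II / IPv4 / TCP headers shown in the
Packet Details pane.  Added example, not Wireshark's code.  FRAME3 is the
54-byte handshake ACK of Figure 5-23 (frame 3), transcribed from its hex pane
and used here as constructed sample input; both checksums are recomputed,
which is the check Wireshark skips when it prints "[validation disabled]"."""
import struct

FRAME3 = bytes.fromhex(
    "00 1f 29 71 bf 0f 00 13 d3 52 74 35 08 00 45 00"   # Ethernet dst, src, type 0x0800; IPv4 begins
    "00 28 db 4a 40 00 80 06 aa 74 9b 61 f3 ca 4a 7d"   # IPv4: len 40, id, DF, TTL 128, proto 6, cksum, src
    "9b 67 69 31 00 50 c6 2c 8d de fe 1c 0c 4c 50 10"   # dst; TCP: ports 26929 > 80, seq, ack, offset/flags
    "80 00 f2 cd 00 00"                                 # window, checksum, urgent pointer
)

# Wireshark's display order for flag names ("SYN, ACK", "FIN, ACK", ...).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words.  Over a header that
    already contains its checksum the result is 0 exactly when it is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def dissect(frame):
    """Return the header fields Wireshark shows for an Ethernet/IPv4/TCP frame."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError(f"not IPv4, ethertype 0x{eth_type:04x}")
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    payload = ip[ihl:total_len]          # excludes any Ethernet trailer padding
    out = {"eth_src": mac(eth_src), "eth_dst": mac(eth_dst),
           "ip_src": ipv4(src), "ip_dst": ipv4(dst), "ttl": ttl, "proto": proto,
           "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0}
    if proto == 6:                        # TCP
        (sport, dport, seq, ack, off_flags, window,
         _tcp_cksum, _urg) = struct.unpack("!HHIIHHHH", payload[:20])
        # The TCP checksum also covers a pseudo-header: both addresses, a zero
        # byte, the protocol number and the TCP length (header plus data).
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(payload))
        out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                    "flags": [n for bit, n in TCP_FLAGS if off_flags & bit],
                    "header_len": (off_flags >> 12) * 4, "window": window,
                    "data_len": len(payload) - (off_flags >> 12) * 4,
                    "tcp_checksum_ok": internet_checksum(pseudo + payload) == 0})
    return out

def relative(raw, isn):
    """Wireshark's 'relative sequence number': offset from the stream's ISN, mod 2**32."""
    return (raw - isn) & 0xFFFFFFFF

if __name__ == "__main__":
    for field, value in dissect(FRAME3).items():
        print(f"{field:>16}: {value}")
```

The MAC addresses, IP addresses, ports, flags and header length it prints are the ones Figure 5-23 shows, and both checksums verify. Two details differ from the Packet Details pane on purpose: the window is the raw 16-bit value (32768), which Wireshark multiplies by the scale factor negotiated in the SYN options to display "65536 (scaled)", and the sequence and acknowledgement numbers are the raw 32-bit values; relative() converts them to the "relative" numbers Wireshark shows once you know the stream's initial sequence number.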

1. With Wireshark open click Capture and Options.
2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface drop-down menu at the top of the screen.
3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-12.)

Figure 5-12: Configuring Wireshark to capture port 80 packets. (Capture Options dialog: Realtek RTL8139/810x Family Fast Ethernet NIC, IP address 155.97.243.201, Capture Filter "tcp port 80".)

Figure 5-13: Captured packets for www.Google.com. (The image shows the Windows Create Shortcut wizard, "Type the location of the item:", referred to in step 7.)

4. Close ALL other programs you currently have open except your word processing program.
5. Right-click anywhere on your desktop.
6. Select New and Shortcut.
7. Enter "www.Google.com". (See Figure 5-13.)
8. Click Next.
9. Enter "Google" for the name. (See Figure 5-14.)
10. Click Finish.

Figure 5-14: Naming the shortcut.

Figure 5-15: GET request showing Google's hostname. (Packet list of the capture between 155.97.243.202 and the 74.125.155.x Google servers; the GET / HTTP/1.1 row is selected.)

11. Close all other Web browsers. (This will reduce the number of packets you capture.)
12. Go back to Wireshark and click Start.
13. Double-click the Google shortcut on your desktop.
14. Wait for the page to load.
15. Close your Web browser.
16. Go back to Wireshark and click Stop.
17. Click on the line that has GET in the Info field. (In this example it was the 4th packet. See Figure 5-15.)
18. In the Packet Details pane (the middle pane) click on the line labeled "Ethernet II."
19. Click on the line labeled "Source."
20. Take a screenshot. (See Figure 5-16.)
21. Open a command prompt by clicking Start and Run.
22. Type CMD and press Enter.
23. Type ipconfig /all and press Enter.
24. Take a screenshot. (Notice that the MAC and IP addresses are the same as those shown in the Wireshark capture. In this case the MAC address was 00-13-D3-52-74-35. See Figure 5-17.)

Figure 5-16: Source MAC address on a packet. (Frame 4, 702 bytes on wire: Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35), Dst: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Type: IP (0x0800); the Source Hardware Address field (eth.src, 6 bytes) is highlighted in the packet bytes, which also show "GET / HTTP/1.1" and "Host: www".)

Figure 5-17: DOS prompt showing MAC addresses.

25. In the Packet Details pane (the middle pane) click on the line labeled "Hypertext Transfer Protocol."
26. Click on the line labeled "Cookie."
27. Take a screenshot. (See Figure 5-18.)
28. In the Analyze menu click Follow TCP Stream.
29. Take a screenshot. (See Figure 5-19.)

Note: Everything Follow TCP Stream shows, including the Cookie header you highlighted in step 26, crossed the network in clear text. Anyone able to capture these packets could read or reuse that cookie, which is why logins and sessions belong on HTTPS (port 443).

Figure 5-18: Cookie within a packet.

Figure 5-19: Contents of a TCP stream.

Note:

In the next part of this project you are going to identify the three parts of a TCP transaction.

You will identify 1) connection establishment, 2) data transfer and acknowledgement, and 3) connection termination.

You will identify these parts of the TCP process by looking in the Info column of the capture you just performed.
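The three parts can also be recognised mechanically from the flags and the Seq/Ack numbers in the Info column. The following is an added example (not Wireshark's code) that does so for a segment list constructed from Figure 5-20: Seq and Ack are Wireshark's relative numbers, the payload lengths are inferred from the acknowledgement numbers, and the TCP flags on the HTTP rows, which the figure does not show, are assumed to be plain ACK.

```python
"""Identifies the three parts of a TCP transaction in a packet list:
connection establishment, data transfer and acknowledgement, and connection
termination.  Added example, not Wireshark's code.  CAPTURE is constructed
from the Info column of Figure 5-20 (two streams, client ports 26929 and
26930, both to port 80).  Seq/Ack are Wireshark's relative numbers; payload
lengths are inferred from the peer's acknowledgement numbers, and the flags on
the HTTP rows (not shown in the figure) are assumed to be plain ACK."""
from collections import namedtuple

Seg = namedtuple("Seg", "no src_port dst_port flags seq ack length")

ESTABLISH, TRANSFER, TERMINATE = "establishment", "data transfer", "termination"

CAPTURE = [
    Seg(1,  26929, 80, ("SYN",),        0,    0,    0),
    Seg(2,  80, 26929, ("SYN", "ACK"),  0,    1,    0),
    Seg(3,  26929, 80, ("ACK",),        1,    1,    0),
    Seg(4,  26929, 80, ("ACK",),        1,    1,  648),   # GET / HTTP/1.1
    Seg(5,  80, 26929, ("ACK",),        1,  649,    0),
    Seg(6,  80, 26929, ("ACK",),        1,  649, 1380),   # reassembled PDU, part 1
    Seg(7,  80, 26929, ("ACK",),     1381,  649, 1380),   # reassembled PDU, part 2
    Seg(8,  26929, 80, ("ACK",),      649, 2761,    0),
    Seg(9,  80, 26929, ("ACK",),     2761,  649,  705),   # HTTP/1.1 200 OK
    Seg(10, 26930, 80, ("SYN",),        0,    0,    0),
    Seg(11, 26929, 80, ("ACK",),      649, 3466,  737),   # GET /csi?...
    Seg(12, 80, 26930, ("SYN", "ACK"),  0,    1,    0),
    Seg(13, 26930, 80, ("ACK",),        1,    1,    0),
    Seg(14, 26930, 80, ("ACK",),        1,    1,  611),   # GET /generate_204
    Seg(15, 80, 26930, ("ACK",),        1,  612,    0),
    Seg(16, 80, 26930, ("ACK",),        1,  612,  146),   # HTTP/1.1 204 No Content
    Seg(17, 80, 26929, ("ACK",),     3466, 1386,    0),
    Seg(18, 80, 26929, ("ACK",),     3466, 1386,  236),   # HTTP/1.1 204 No Content
    Seg(19, 26930, 80, ("ACK",),      612,  147,    0),
    Seg(20, 26929, 80, ("ACK",),     1386, 3702,    0),
    Seg(21, 26930, 80, ("FIN", "ACK"), 612,  147,    0),
    Seg(22, 26929, 80, ("FIN", "ACK"), 1386, 3702,  0),
    Seg(23, 80, 26930, ("FIN", "ACK"), 147,  613,    0),
    Seg(24, 26930, 80, ("ACK",),      613,  148,    0),
    Seg(25, 80, 26929, ("FIN", "ACK"), 3702, 1387,  0),
    Seg(26, 26929, 80, ("ACK",),     1387, 3703,    0),
]

def classify(segments, server_port=80):
    """Map each frame number to its phase.  Streams are tracked per client
    port.  A FIN occupies one sequence number, so a later pure ACK whose
    number reaches seq+length+1 of the peer's FIN belongs to termination;
    data sent after the peer's FIN (a half-close) is still data transfer."""
    phases, streams = {}, {}
    for s in segments:
        client = s.dst_port if s.src_port == server_port else s.src_port
        st = streams.setdefault(client, {"handshake": 0, "fin_end": {}})
        flags = set(s.flags)
        if "SYN" in flags:
            st["handshake"] = 2 if "ACK" in flags else 1
            phase = ESTABLISH
        elif st["handshake"] == 2 and flags == {"ACK"} and s.length == 0:
            st["handshake"] = 3          # third segment of the 3-way handshake
            phase = ESTABLISH
        elif "FIN" in flags:
            st["fin_end"][s.src_port] = s.seq + s.length + 1
            phase = TERMINATE
        elif s.length == 0 and s.ack >= st["fin_end"].get(s.dst_port, float("inf")):
            phase = TERMINATE            # pure ACK that acknowledges the peer's FIN
        else:
            phase = TRANSFER
        phases[s.no] = phase
    return phases

def frames_by_phase(segments):
    """{phase: [frame numbers]} in capture order."""
    out = {ESTABLISH: [], TRANSFER: [], TERMINATE: []}
    for no, phase in classify(segments).items():
        out[phase].append(no)
    return out

if __name__ == "__main__":
    for phase, frames in frames_by_phase(CAPTURE).items():
        print(f"{phase:>14}: {frames}")
```

The handshake frames come out as 1, 2, 3 (stream 26929) and 10, 12, 13 (stream 26930), the four-way close as frames 21 to 26, and everything in between, including the pure ACKs of frames 5, 8, 17, 19 and 20, as data transfer and acknowledgement. This is the same reasoning Wireshark's [SEQ/ACK analysis] tree applies when it says which frame a segment acknowledges.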

30. In the View menu click Packet Details to uncheck it. (This should make the middle pane disappear.)
31. In the View menu click Packet Bytes to uncheck it. (This should make the bottom pane disappear.)
32. Maximize the Wireshark window so you can clearly see the column labeled Info.
33. Click on the row that has the first [SYN] occurrence in the Info column. (In this case it was row 1 in the list. It may be farther down in your list of captured packets.)
34. Take a screenshot. (See Figure 5-20.)

Figure 5-20: Captured SYN packet. The full packet list of this capture (26 packets; the Info column is cut off at the right edge of the window, as in the original):

No.  Time      Source          Destination     Protocol  Info
1    0.000000  155.97.243.202  74.125.155.103  TCP       26929 > http [SYN] Seq=0 Win=6553
2    0.024056  74.125.155.103  155.97.243.202  TCP       http > 26929 [SYN, ACK] Seq=0 Ack=1 Win
3    0.024108  155.97.243.202  74.125.155.103  TCP       26929 > http [ACK] Seq=1 Ack=1 Win=6553
4    0.025727  155.97.243.202  74.125.155.103  HTTP      GET / HTTP/1.1
5    0.049793  74.125.155.103  155.97.243.202  TCP       http > 26929 [ACK] Seq=1 Ack=649 Win=70
6    0.059043  74.125.155.103  155.97.243.202  TCP       [TCP segment of a reassembled PDU]
7    0.059087  74.125.155.103  155.97.243.202  TCP       [TCP segment of a reassembled PDU]
8    0.059114  155.97.243.202  74.125.155.103  TCP       26929 > http [ACK] Seq=649 Ack=2761 Win
9    0.059128  74.125.155.103  155.97.243.202  HTTP      HTTP/1.1 200 OK (text/html)
10   0.144161  155.97.243.202  74.125.155.139  TCP       26930 > http [SYN] Seq=0 Win=65535 Len=
11   0.158304  155.97.243.202  74.125.155.103  HTTP      GET /csi?v=3&s=webhp&action=&srt=254&e=
12   0.168459  74.125.155.139  155.97.243.202  TCP       http > 26930 [SYN, ACK] Seq=0 Ack=1 Win
13   0.168505  155.97.243.202  74.125.155.139  TCP       26930 > http [ACK] Seq=1 Ack=1 Win=6553
14   0.168729  155.97.243.202  74.125.155.139  HTTP      GET /generate_204 HTTP/1.1
15   0.192817  74.125.155.139  155.97.243.202  TCP       http > 26930 [ACK] Seq=1 Ack=612 Win=69
16   0.192978  74.125.155.139  155.97.243.202  HTTP      HTTP/1.1 204 No Content
17   0.221706  74.125.155.103  155.97.243.202  TCP       http > 26929 [ACK] Seq=3466 Ack=1386 Wi
18   0.262909  74.125.155.103  155.97.243.202  HTTP      HTTP/1.1 204 No Content
19   0.345198  155.97.243.202  74.125.155.139  TCP       26930 > http [ACK] Seq=612 Ack=147 Win=
20   0.447716  155.97.243.202  74.125.155.103  TCP       26929 > http [ACK] Seq=1386 Ack=3702 Wi
21   3.260627  155.97.243.202  74.125.155.139  TCP       26930 > http [FIN, ACK] Seq=612 Ack=147
22   3.260718  155.97.243.202  74.125.155.103  TCP       26929 > http [FIN, ACK] Seq=1386 Ack=37
23   3.284628  74.125.155.139  155.97.243.202  TCP       http > 26930 [FIN, ACK] Seq=147 Ack=613
24   3.284668  155.97.243.202  74.125.155.139  TCP       26930 > http [ACK] Seq=613 Ack=148 Win=
25   3.284694  74.125.155.103  155.97.243.202  TCP       http > 26929 [FIN, ACK] Seq=3702 Ack=13
26   3.284707  155.97.243.202  74.125.155.103  TCP       26929 > http [ACK] Seq=1387 Ack=3703 Wi

35. Double-click on the next row that has the first [SYN, ACK] occurrence in the Info column. (In this case it was row 2. See Figure 5-21.)
36. Expand the tree for Transmission Control Protocol.
37. Expand the tree for [SEQ/ACK analysis].
38. Highlight the row that indicates that this [SYN, ACK] packet is an acknowledgement to the prior packet.
39. Take a screenshot. (See Figure 5-22.)

Figure 5-21: Captured SYN/ACK packet. Packet details of frame 2 (66 bytes on wire, 66 bytes captured):
  Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Dst: Micro-St_52:74:35 (00:13:d3:52:74:35)
  Internet Protocol, Src: 74.125.155.103, Dst: 155.97.243.202
  Transmission Control Protocol
    Source port: http (80)
    Destination port: 26929 (26929)
    Sequence number: 0 (relative sequence number)
    Acknowledgement number: 1 (relative ack number)
    Header length: 32 bytes
    Flags: 0x12 (SYN, ACK)
    Window size: 5720
    Checksum: 0x1bf5 [validation disabled]
    Options: (12 bytes)
    [SEQ/ACK analysis]
      [The RTT to ACK the segment was: 0.024056000 seconds]

Figure 5-22: Noting the acknowledgement (ACK) to a segment.

40. Double-click on the next row that has an [ACK] occurrence after the [SYN, ACK] packet in the Info column. (In this case it was row 3. See Figure 5-23.)
41. Expand the tree for Transmission Control Protocol.
42. Expand the tree for [SEQ/ACK analysis].
43. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior [SYN, ACK] packet you just looked at.
44. Take a screenshot. (This was the 3-way opening. See Figure 5-24.)

Figure 5-23: Captured ACK packet. Packet details of frame 3 (54 bytes on wire, 54 bytes captured):
  Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35), Dst: HewlettP_71:bf:0f (00:1f:29:71:bf:0f)
  Internet Protocol, Src: 155.97.243.202, Dst: 74.125.155.103
  Transmission Control Protocol, Src Port: 26929 (26929), Dst Port: http (80)
    [Stream index: 0]
    Sequence number: 1 (relative sequence number)
    Acknowledgement number: 1 (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 65536 (scaled)
    Checksum: 0xf2cd [validation disabled]
    [SEQ/ACK analysis]
      [The RTT to ACK the segment was: 0.000052000 seconds]
  Packet bytes:
    0000  00 1f 29 71 bf 0f 00 13 d3 52 74 35 08 00 45 00
    0010  00 28 db 4a 40 00 80 06 aa 74 9b 61 f3 ca 4a 7d
    0020  9b 67 69 31 00 50 c6 2c 8d de fe 1c 0c 4c 50 10
    0030  80 00 f2 cd 00 00

Figure 5-24: Acknowledgement (ACK) to the 3-way opening.

45. Double-click on the next row that has an [ACK] occurrence after the GET request in the Info column. (In this case it was row 5. See Figure 5-25.)
46. Expand the tree for Transmission Control Protocol.
47. Expand the tree for [SEQ/ACK analysis].
48. Highlight the row that indicates that this [ACK] packet is an acknowledgement to the prior GET request. (In this case it was frame 4.)
49. Take a screenshot. (This is an acknowledgement of a data transfer. The acknowledgement number, 649, is the GET request's starting sequence number, 1, plus its 648 bytes of data: the server is saying it has received everything up to byte 648 and expects byte 649 next. See Figure 5-26.)

Figure 5-25: Captured ACK packet. Packet details of frame 5 (60 bytes on wire, 60 bytes captured):
  Ethernet II, Src: HewlettP_71:bf:0f (00:1f:29:71:bf:0f), Dst: Micro-St_52:74:35 (00:13:d3:52:74:35)
  Internet Protocol, Src: 74.125.155.103, Dst: 155.97.243.202
  Transmission Control Protocol, Src Port: http (80), Dst Port: 26929 (26929)
    [Stream index: 0]
    Sequence number: 1 (relative sequence number)
    Acknowledgement number: 649 (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
    Window size: 7040 (scaled)
    Checksum: 0x6fd8 [validation disabled]
    [SEQ/ACK analysis]
      [The RTT to ACK the segment was: 0.024066000 seconds]

Figure 5-26: Acknowledgement (ACK) to the data transfer.

50. Double-click on the row that has the first [FIN, ACK] occurrence in the Info column with your IP address as the source. (In this case it was row 21. See Figure 5-27.)
51. Expand the tree for Transmission Control Protocol.
52. Expand the tree for [SEQ/ACK analysis].
53. Highlight the row that indicates that this is a [FIN, ACK] packet.
54. Take a screenshot. (This was the first part of the connection termination. See Figure 5-28.)

Figure 5-27: Captured FIN/ACK packet from your computer. Packet details of frame 21:
  Ethernet II, Src: Micro-St_52:74:35 (00:13:d3:52:74:35)
  Internet Protocol, Src: 155.97.243.202
  Transmission Control Protocol, Src Port: 26930 (26930), Dst Port: http (80)
    [Stream index: 1]
    Sequence number: 612 (relative sequence number)
    Acknowledgement number: 147 (relative ack number)
    Header length: 20 bytes
    Flags: 0x11 (FIN, ACK)
    Window size: 65390 (scaled)
    Checksum: 0xb1cb [validation disabled]

Figure 5-28: FIN/ACK segment from your computer.

55. Double-click on the row that has the first [FIN, ACK] occurrence in the Info column with your IP address as the destination. (In this case it was row 23. See Figure 5-29.)

56. Expand the tree for Transmission Control Protocol.

57. Expand the tree for [SEQ/ACK analysis].

58. Highlight the row that indicates that this is a [FIN, ACK] packet and an acknowledgement to the first [FIN, ACK].

59. Take a screenshot. (This was the second part of the connection termination. See Figure 5-30.)

Figure 5-29: Captured FIN/ACK packet from the Web server. (Packet list with row 23 selected: Ethernet II, Src HewlettP_71:bf:0f (00:1f:29:71:bf:0f); Internet Protocol, Src 74.125.155.139, Dst 155.97.243.202; Transmission Control Protocol, Src Port http (80), Dst Port 26930, Stream index 1, Sequence number 147 (relative), Acknowledgement number 613 (relative), Header length 20 bytes, Flags 0x11 (FIN, ACK), Window size 6976 (scaled), Checksum 0x3115 [validation disabled]; [SEQ/ACK analysis] This is an ACK to the segment in frame 21; The RTT to ACK the segment was 0.024001000 seconds.)

Figure 5-30: FIN/ACK segment from the Web server.
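What steps 50 to 59 show in the [SEQ/ACK analysis] tree (relative sequence numbers, "This is an ACK to the segment in frame 21", the RTT) is bookkeeping Wireshark does over the whole stream, not data carried in any one packet. The following Python example, added here and not part of the textbook, does the same bookkeeping for the second stream (client port 26930). The relative numbers and the two FIN/ACK timestamps are taken from Figures 5-27 to 5-30; the initial sequence numbers, payload sizes and the remaining frame numbers and times are assumptions chosen to be consistent with them. It also labels the close: the server's FIN/ACK in frame 23 both starts its own half-close and acknowledges the client's FIN in frame 21, which is why the "four-way" teardown is three segments here. Wireshark's real analysis additionally handles retransmissions and SACK, which this simplification ignores.

```python
"""Reconstruct Wireshark's [SEQ/ACK analysis] for one captured TCP stream."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    frame: int       # packet number in the capture
    time: float      # seconds since the first captured packet
    src: str         # "ip:port"
    dst: str
    flags: str       # comma-separated, e.g. "SYN", "ACK", "FIN,ACK"
    seq: int         # absolute sequence number
    ack: int         # absolute acknowledgement number (0 when ACK not set)
    length: int = 0  # TCP payload bytes


CLIENT = "155.97.243.202:26930"
SERVER = "74.125.155.139:80"

# Constructed stream: relative numbers and the frame 21/23 times come from
# the figures; ISNs (1_000_000 / 2_000_000), payload sizes and the other
# frame numbers and times are assumptions consistent with them.
STREAM_1 = [
    Segment(5,  0.059087, CLIENT, SERVER, "SYN",     1_000_000, 0,         0),
    Segment(7,  0.083088, SERVER, CLIENT, "SYN,ACK", 2_000_000, 1_000_001, 0),
    Segment(8,  0.083100, CLIENT, SERVER, "ACK",     1_000_001, 2_000_001, 0),
    Segment(9,  0.083500, CLIENT, SERVER, "PSH,ACK", 1_000_001, 2_000_001, 611),  # GET /csi...
    Segment(10, 0.107600, SERVER, CLIENT, "ACK",     2_000_001, 1_000_612, 0),
    Segment(11, 0.108000, SERVER, CLIENT, "PSH,ACK", 2_000_001, 1_000_612, 146),  # 204 No Content
    Segment(12, 0.108100, CLIENT, SERVER, "ACK",     1_000_612, 2_000_147, 0),
    Segment(21, 3.260627, CLIENT, SERVER, "FIN,ACK", 1_000_612, 2_000_147, 0),
    Segment(23, 3.284628, SERVER, CLIENT, "FIN,ACK", 2_000_147, 1_000_613, 0),
    Segment(24, 3.284707, CLIENT, SERVER, "ACK",     1_000_613, 2_000_148, 0),
]


def analyze_stream(segments):
    """One row per segment: relative seq/ack, the frame each ACK
    acknowledges, the RTT, and a note for handshake/termination steps."""
    isn = {}          # endpoint -> initial sequence number (its SYN's seq)
    unacked = {}      # endpoint -> [(end_seq, frame, time)] awaiting an ACK
    fin_frames = set()
    rows = []
    for seg in sorted(segments, key=lambda s: s.frame):
        flags = set(seg.flags.split(","))
        isn.setdefault(seg.src, seg.seq)
        # SYN and FIN each occupy one sequence number, like a payload byte.
        consumed = seg.length + ("SYN" in flags) + ("FIN" in flags)
        end_seq = seg.seq + consumed
        row = {
            "frame": seg.frame, "src": seg.src, "flags": seg.flags,
            "rel_seq": seg.seq - isn[seg.src],
            "rel_ack": (seg.ack - isn[seg.dst]
                        if "ACK" in flags and seg.dst in isn else None),
            "rel_next_seq": end_seq - isn[seg.src],
            "acks_frame": None, "rtt": None, "note": "",
        }
        if "ACK" in flags:
            # "This is an ACK to the segment in frame N": the latest segment
            # from the peer whose end sequence number equals our ack number.
            pending = unacked.get(seg.dst, [])
            for i in range(len(pending) - 1, -1, -1):
                end, frame, t = pending[i]
                if end == seg.ack:
                    row["acks_frame"] = frame
                    row["rtt"] = round(seg.time - t, 6)
                    del pending[: i + 1]   # everything up to here is acked
                    break
        if consumed:
            unacked.setdefault(seg.src, []).append((end_seq, seg.frame, seg.time))
        if "SYN" in flags:
            row["note"] = "handshake"
        if "FIN" in flags:
            fin_frames.add(seg.frame)
            row["note"] = "termination: FIN from %s" % seg.src
            if row["acks_frame"] in fin_frames:
                row["note"] += " (also ACKs FIN in frame %d)" % row["acks_frame"]
        elif row["acks_frame"] in fin_frames:
            row["note"] = "termination: final ACK of FIN in frame %d" % row["acks_frame"]
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in analyze_stream(STREAM_1):
        print("%3d %-22s %-8s seq=%-4d ack=%-4s acks=%-4s rtt=%-9s %s" % (
            r["frame"], r["src"], r["flags"], r["rel_seq"], r["rel_ack"],
            r["acks_frame"], r["rtt"], r["note"]))
```

For frame 23 the row reads seq=147 ack=613, acknowledging frame 21 with an RTT of 0.024001 s, exactly the tree in Figure 5-29; frame 24 is then marked as the final ACK of the server's FIN.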

THOUGHT QUESTIONS

1. Did the packets you captured have a TTL listed? Why?

2. Why do packets have both IP addresses and MAC addresses on them?

3. Which packet had the HTML code for Google's page? (Hint: 200.)

4. What do all the letters and numbers in the bottom pane represent?

5.4 CONTENTS OF A PACKET (CAPTURE AN EMAIL)

In this project you will capture a packet and look at its contents.

You will use Wireshark to capture packets containing an email message.

You will send an email to a generic Hotmail.com account and capture it as it's going over the network. Then you will look at the contents of the email without opening it in an email client.

Most email traffic has traditionally not been encrypted. However, many providers are starting to make encrypted email an option for their users. (Webmail services, including Hotmail's successor Outlook.com, now serve their pages over HTTPS, so a capture on port 80 taken today will show only the TLS handshake and encrypted records; the steps below reflect the service as it worked when this project was written.)

A packet sniffer allows you to look at the contents of many different types of packets.

1. With Wireshark open click Capture and Options.

2. If you haven't already done so, select your Network Interface Card (NIC) in the Interface drop-down menu at the top of the screen. (Your NIC will undoubtedly have a different name.)

3. Enter "tcp port 80" in the box next to Capture Filter. (See Figure 5-31.)

Figure 5-31: Configuring Wireshark to capture port 80 packets. (Capture Options dialog: Interface Realtek RTL8139/810x Family Fast Ethernet NIC, "Capture packets in promiscuous mode" checked, Capture Filter "tcp port 80", "Update list of packets in real time" and "Automatic scrolling in live capture" checked.)

Figure 5-32: Hotmail.com inbox.

4. Close ALL other programs you currently have open except your word processing program (e.g. MS Word or OpenOffice Writer) and your Web browser.

5. Enter "www.hotmail.com" into your Web browser. (If you already have a hotmail account, skip to Step 11.)

6. Click Sign Up.

7. Click Get It (free).

8. Under the Create a Windows Live® ID enter a fake Windows Live ID and a hotmail.com extension. (Write down the information you enter. In this example it was [email protected].)

9. Enter information (fake or real) for all of the required fields marked with an asterisk. (In this case it was John Doe, from Utah, and born in 1980.)

10. Click "give me the classic version." (See Figure 5-32.)

11. Click New. (This will start a new email.)

12. In the "To:" field put your real email address. (You can also use the same email address you just created.)

13. In the Subject line put TEST.

14. In the body of the email put the words "EMAIL TEST" and copy/paste it until it fills up the body of the email message. (This will help you identify the packet when you see it. See Figure 5-33.)

Figure 5-33: Sending a test email.

Figure 5-34: Viewing the contents of the captured email.

15. Go back to Wireshark.

16. Click Start.

17. Go back to your hotmail account.

18. Click Send.

19. Go back to Wireshark.

20. Click Stop.

21. Click on the line that has POST /mail/sendmessage in the Info field. (In this example it was the seventh packet.)

22. Click on the bottom window pane where you see a column of words saying EMAIL TEST. (This is the body of the message you just sent.)

23. Take a screenshot. (See Figure 5-34.)

You just picked up your email off the network that was on its way to www.hotmail.com. Unless specified otherwise, your emails are NOT encrypted. Most people are unaware of this and send confidential information on a regular basis over unencrypted email systems.

Do NOT send sensitive information by email.

It's important to understand that Wireshark picked up your email from the network.

It can just as easily pick up ALL email traffic going over your network.
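What step 22 does by eye (find the message text in the bytes of the POST) is trivial to automate, and that is the point of this project. The following Python example is added here and is not part of the textbook. It takes a constructed, reassembled TCP payload of the kind step 21 selects (the request path mirrors the text; the Host, the header set and the form field names are assumptions, not what Hotmail actually sent), parses the HTTP request and form body, and returns the message. The same function is also run on a constructed TLS ClientHello, the first bytes the sniffer would see on port 443, to show what a capture of your bank's traffic (thought question 4 below) yields: a record header and nothing readable.

```python
"""Read a webmail message out of a captured, unencrypted HTTP POST."""
from urllib.parse import parse_qs

# Constructed sample of the reassembled TCP payload that step 21 selects.
# Path from the text; Host, headers and field names are assumptions.
FORM_BODY = (b"to=someone%40example.com&subject=TEST"
             b"&body=EMAIL+TEST%0D%0AEMAIL+TEST%0D%0AEMAIL+TEST")
CAPTURED_POST = (
    b"POST /mail/sendmessage HTTP/1.1\r\n"
    b"Host: mail.live.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(FORM_BODY)
) + FORM_BODY

# Constructed first bytes of a TLS ClientHello, what the same sniffer sees
# on port 443: record type 0x16 (handshake), record version 3.1, length
# 0xc8, then a ClientHello (0x01) of 0xc4 bytes advertising TLS 1.2 (3.3).
CAPTURED_TLS = bytes.fromhex("16 03 01 00 c8 01 00 00 c4 03 03") + bytes(16)


def parse_http_request(payload: bytes) -> dict:
    """Split one HTTP/1.x request into request line, headers, form fields."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("HTTP head not terminated (need more segments)")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # parse_qs undoes the form encoding: '+' -> ' ', %0D%0A -> CRLF, %40 -> '@'
        decoded = parse_qs(body[:declared].decode("iso-8859-1"), keep_blank_values=True)
        form = {k: v[0] for k, v in decoded.items()}
    return {"method": method, "target": target, "version": version,
            "headers": headers, "form": form,
            # False when the POST body continues in later segments
            "complete": len(body) >= declared}


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: type 0x14..0x17, version bytes 0x03 0x00..0x04."""
    return (len(payload) >= 5 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x04)


def sniff_message(payload: bytes):
    """What the eavesdropper in this project gets from one captured payload:
    the message body for a complete plaintext POST, None otherwise."""
    if looks_like_tls(payload):
        return None
    req = parse_http_request(payload)
    if req["method"] == "POST" and req["complete"]:
        return req["form"].get("body")
    return None


if __name__ == "__main__":
    print(repr(sniff_message(CAPTURED_POST)))   # the EMAIL TEST lines
    print(repr(sniff_message(CAPTURED_TLS)))    # None
```

Note the Content-Length check: a message long enough to fill the body, as step 14 asks for, will span several TCP segments, and the packet you click on in step 21 holds only the first of them. Wireshark's "Follow TCP Stream" reassembles the rest; this example simply reports the request as incomplete until the whole body has been collected.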

One of the main concepts you will learn by doing these projects is that you may not fully understand how computers (or information systems) work.

Hopefully knowing more about computers, networks, and information systems will help protect you.

1. How many people do you think are unaware that their emails may be unencrypted?

2. Why wouldn't email be encrypted by default?

3. Can you look at Web content just as easily as Web traffic?

4. Can you look at information being sent to/from your bank?
