
Part 1: What is Wireshark?

Wireshark, formerly named Ethereal, is a network packet analyzer used by experts all over the world. It is used for troubleshooting, protocol analysis and education, and it is an excellent tool for understanding the true behaviour of network protocols, that is, how they actually work over the Internet. To illustrate this, an individual can use the tool to measure the amount of data received or transmitted by their own system. Its user interface is built with a widget toolkit. There is also a non-GUI version for packet analysis, named TShark.

Features of Wireshark

- Analysis can be done by capturing data from a live connection or from a pcap file that contains previously captured packets.
- Different types of network are supported, such as point-to-point (PPP), Ethernet and loopback.
- Captured files can be edited and converted very easily using command-line switches.
- Plug-ins can be written to dissect new protocols.
- Wireshark can detect VoIP calls in the traffic it captures; if the media is encoded in a compatible format, the media stream can even be played back.
- Wireshark can refine the packet display with display filters.
- Raw USB traffic can also be captured with this tool.

Exercise 1

a) The Internet Protocol address of the client is 131.247.95.216.

b) The common name is www.google.com. The following three IP addresses are given:
- 64.233.161.99
- 64.233.161.104
- 64.233.161.147

c) In frame 3, the client sends a connection-establishment request to the server. The server's IP address is 64.233.161.99 and the sequence number is 0. In frame 4, the server acknowledges to the client that its connection request has been received; the acknowledgement number is 1 and the client's IP address is 131.247.95.216. In frame 5, the client's sequence number becomes 1 after it returns its acknowledgement to the server.

d) In frame 6, the client sends the server a request for a uniform resource identifier (URI). In frame 7, the server sends an acknowledgement back to the client for the request received in frame 6.

e) Ignore.

f) In frame 9, the server sets the acknowledgement and sends it back to the client. In frame 10, the client receives the requested uniform resource identifier from the server.

g) Packet 11 contains the acknowledgement for the packet received in the previous frame, i.e. frame 10.

h) The uniform resource identifier contains an image file (in GIF format). This image was not sent by the server along with the page; it was only present as text in frame 10. Hence the client automatically sends another request, asking for the image in a separate packet.

i) Packet 13 contains the acknowledgement for packet 12. Packets 14 to 21 contain the requests and acknowledgements exchanged between client and server relating to the requested image file. In packet 22, the client receives the requested image, sent by the server.

j) In frame 23, the client again sends an automatic request to the server. Frame 24 is the acknowledgement for the previous frame (frame 23). Frame 25 contains the image file that the client requested. Frame 26 is the acknowledgement for the packet received in the previous frame (frame 25).

k) The user accessed the web page www.google.com.

Exercise 2

a) The common name is yahoo.com. Its IP addresses are:
- 216.109.117.106
- 216.109.117.109

b) It takes around 22 packets to receive that web page.

c) The web site does not use gzip to compress the data it sends. Apart from that, the web site does not write cookies.

d) In packet 26, the server is sending a query to another server.

In packet 27, the next server responds to the main server. From this we conclude that not every component of the web page comes from the same server; the smaller components come from other servers too.

e) As can be seen in Wireshark, the DNS (Domain Name System) queries made in packets 37 and 26 are different.

f) In packet 42 the host name is us.i1.yimg.com\r\n
In packet 48 the host name is us.i1.yimg.com\r\n
So the host name is the same in both packets.

Hence the system does not need another DNS query in the same session.

g) Packet 141 is not a part of packet 160. Packet 142 is not a part of packet 160. Packet 143 is a part of packet 160.

If a string of packets does not arrive continuously or in the proper order, it has no negative effect on the main packet.

h) Frames 141 and 142 contain the same files and come from the same IP address. By using their stream index, the client knows which graphic should be matched with each GET statement. The two frames have different stream indices: the stream index of frame 141 is 6 and the stream index of frame 142 is 5.
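The handshake numbers reported in Exercise 1 c) (sequence 0, acknowledgement 1, then sequence 1) are Wireshark's relative sequence numbers, counted from the initial sequence number of each direction, and the stream index used in Exercise 2 h) is Wireshark's tcp.stream field, one index per client/server address-and-port pair, numbered in order of first appearance. The following Python script is an added example, not part of this write-up and not Wireshark's own code. It builds a small constructed pcap (two HTTP connections between RFC 5737 documentation addresses, invented for this example) and then walks it the way Wireshark's TCP dissector does: assigning stream indices, computing relative sequence and acknowledgement numbers, and pulling the Host header out of each HTTP request.

```python
import struct

# Flags in the order Wireshark's Info column prints them.
TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN")]
SYN, ACK, PSH = 0x02, 0x10, 0x08

def make_tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet II + IPv4 + TCP frame; checksums left at zero (nothing here checks them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return bytes.fromhex("00112233445566778899aabb0800") + ip   # dst MAC, src MAC, EtherType IPv4

def make_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def read_pcap(data):
    """Return the raw frames of a pcap file, honouring the byte order the magic announces."""
    end = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off, frames = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack(end + "IIII", data[off:off + 16])[2]   # captured length
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames

def decode_tcp(frame):
    """IPv4/TCP fields of a frame, or None if it is not IPv4 TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:   # protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:]}

def http_host(payload):
    """Host header of an HTTP request in this segment, or None. The CRLF the
    write-up shows after the name is the line terminator, not part of it."""
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if not head[0].endswith((b"HTTP/1.1", b"HTTP/1.0")):
        return None
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def analyze(pcap_bytes):
    """One row per TCP frame: stream index, relative seq/ack, flags, HTTP Host."""
    streams, isn, rows = {}, {}, []
    for no, frame in enumerate(read_pcap(pcap_bytes), start=1):
        p = decode_tcp(frame)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        # tcp.stream: one index per address/port pair, numbered from 0 in order of first sight.
        stream = streams.setdefault(frozenset((fwd[:2], fwd[2:])), len(streams))
        # First sequence number seen in a direction is taken as its ISN; relative
        # numbers count from it, modulo 2^32 as on the wire.
        isn.setdefault(fwd, p["seq"])
        rel_seq = (p["seq"] - isn[fwd]) & 0xFFFFFFFF
        rel_ack = (p["ack"] - isn[rev]) & 0xFFFFFFFF if p["flags"] & ACK and rev in isn else None
        rows.append({"frame": no, "stream": stream, "rel_seq": rel_seq, "rel_ack": rel_ack,
                     "flags": "/".join(n for bit, n in TCP_FLAGS if p["flags"] & bit),
                     "host": http_host(p["payload"])})
    return rows

# Constructed capture (not the lab's pcap): a browser at 192.0.2.10 fetches a page
# from 198.51.100.5, then an image that page references from 198.51.100.6.
C, S1, S2 = "192.0.2.10", "198.51.100.5", "198.51.100.6"
SAMPLE_PCAP = make_pcap([
    make_tcp_frame(C, S1, 40001, 80, 1000000, 0, SYN),
    make_tcp_frame(S1, C, 80, 40001, 5000000, 1000001, SYN | ACK),
    make_tcp_frame(C, S1, 40001, 80, 1000001, 5000001, ACK),
    make_tcp_frame(C, S1, 40001, 80, 1000001, 5000001, PSH | ACK,
                   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    make_tcp_frame(C, S2, 40002, 80, 777, 0, SYN),
    make_tcp_frame(S2, C, 80, 40002, 9999, 778, SYN | ACK),
    make_tcp_frame(C, S2, 40002, 80, 778, 10000, ACK),
    make_tcp_frame(C, S2, 40002, 80, 778, 10000, PSH | ACK,
                   b"GET /logo.gif HTTP/1.1\r\nHost: img.example.com\r\n\r\n"),
])

if __name__ == "__main__":
    for row in analyze(SAMPLE_PCAP):
        print(row)
```

Running the script prints one row per frame. The first three rows of each stream show the 0 / 0 and 1 / 1 and 1 pattern the lab reports for frames 3 to 5, the second connection gets stream index 1 because it is the second address/port pair to appear, and the two GET rows show the Host header that identifies which name each request is for. Relative numbers are masked to 32 bits because raw sequence numbers wrap on the wire; the same walk applied to a real capture would give the same stream indices Wireshark shows, because both number conversations in order of first appearance.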
