
Lab Assignment-2

Weightage: 5%
Due date: 10th November 2017
Introduction to Wireshark

Instructions: This lab assignment is on Wireshark. For each question you have to
provide a suitable screenshot of the command you run and the output you get. For example,
point no. 3 says “Go to Capture->interfaces.” You must provide the following screenshot.

Note: No extension of the submission deadline will be granted.
Submissions must be made through the portal only. Submissions sent by e-mail will not
be accepted.

Then Q3a asks “How many interfaces does your system have?” Here you must
provide the answer. For example: for my system it is 1.

Wireshark is a free and open source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Wireshark is
cross-platform, using the Qt widget toolkit in current releases to implement its user interface,
and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other
Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI)
version called TShark.

1. Install Wireshark using the following commands. If it is already installed, go to
step 2.
(One can also install it from the Ubuntu Software Center.)
sudo apt-get update
sudo apt-get install wireshark
2. One needs administrator privileges to work with Wireshark. Run Wireshark with sudo
privileges (Type “sudo wireshark” in the Terminal). Ignore any error message.
3. Go to Capture->interfaces. This will show all the interfaces available in the system.
a. How many interfaces does your system have?
b. Identify the IP address of “lo” interface.
4. Go to Capture->Options menu.
a. Check “eth0” interface and uncheck all other interfaces.
b. Uncheck “Use promiscuous mode on all interfaces”.
5. Do packet capturing by clicking Capture->Start button. Now, the captured packets
are shown in the center window. Browse one or more websites. After a while (15 to
20 seconds), stop capturing (Capture->Stop button).
a. What is promiscuous mode of operation?
b. Several kinds of protocol packets were captured by your system. Write down
the names of five of them.
6. Filters – There are display filters and capture filters. Display filters can be used on
already captured packets. Specify any one of the following items in the display filter
and press “Apply”.
a. tcp
b. udp
What is the observation?
7. Capture filters are used to restrict the type of packets that get captured. Capture filters can be
specified in Capture->Options by typing in the “Capture Filter” textbox.
For each of the following filters, type them in the text space for Capture Filter and
start a new capture. Note your observation.
a. tcp
b. udp
c. tcp port 22
8. Coloring rules – Depending on the protocol (IP, TCP, ARP, etc.) the color of a
packet is different. These rules can be changed accordingly (View->Coloring Rules).
9. By observing the packets in Wireshark, identify your own IP address and the IP
address of the website you visited.
10. Saving the captured output: after stopping the capture, save it from File->Save
As.
a. Close the file and try to open the pcap file in Wireshark.

Filters

1. Type the following filter commands in the filter bar and click on “Apply” button.
Note your observations.
a. ip.addr == Your IP address
b. ip.src == Your IP address
c. ip.dst == Your IP address
d. dns and http
e. tcp.port == 443
f. tcp.analysis.flags
g. !(arp or dns or icmp)
h. tcp contains facebook
i. udp contains facebook
j. http.request
k. http.response.code == 200
l. tcp.flags.syn == 1
m. tcp.flags.reset == 1
n. sip && rtp

Statistics in Wireshark
1. Start a new capture in Wireshark.
2. Browse a couple of websites.
3. Stop the capture after a while (30 to 40 seconds).
4. Explore Statistics -> Endpoints to identify entities involved in capture.
a. How many Ethernet endpoints are visible? Is your PC’s MAC address part of the
Ethernet endpoints?
b. How many IP addresses are visible? Is your PC’s IP address part of the IPv4
endpoints?
5. Explore Statistics->Conversations to see flows (pairs of endpoints).
a. Sort on different columns in the TCP tab, e.g. Duration, Packets, Address A, Rel Start,
etc.
b. You may also experiment with “Follow Stream” button on the popup dialog
which adds a Display filter.
6. Explore Statistics -> Flow Graph to understand the sequence of events for the filtered
capture.
7. Explore Statistics -> Packet Lengths to get a list of the different packet size ranges and
their statistics.
8. Explore Statistics -> IO Graph for complete communication, and after filtering for
TCP communication.
a. Compare two TCP flows – e.g. stream 6 and 4 below.
b. Observe the time slider below the graph.
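To make the filter and statistics semantics concrete, here is an added Python example (not part of the assignment, and not Wireshark's own code) that decodes constructed Ethernet/IPv4/TCP frames and evaluates a handful of the equality filters from the Filters section (ip.addr, ip.src, ip.dst, tcp.port, tcp.flags.syn, tcp.flags.reset), then derives the IPv4 endpoint and conversation sets that Statistics -> Endpoints and Statistics -> Conversations report. All addresses, ports and frames are constructed samples; the real Wireshark filter language (and/or/not, contains, protocol names) is far richer than this subset.

```python
import ipaddress, struct

def decode(frame):
    """Pull the Ethernet/IPv4/TCP fields that the lab's display filters refer to."""
    if frame[12:14] != b"\x08\x00":           # EtherType is not IPv4 (e.g. ARP): no ip.* fields
        return {}
    ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
    fields = {"ip.src": str(ipaddress.ip_address(frame[26:30])),
              "ip.dst": str(ipaddress.ip_address(frame[30:34]))}
    if frame[23] == 6:                        # IP protocol 6 = TCP
        t = 14 + ihl                          # offset of the TCP header
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        flags = frame[t + 13]                 # bits: CWR ECE URG ACK PSH RST SYN FIN
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.flags.syn": (flags >> 1) & 1,
                       "tcp.flags.reset": (flags >> 2) & 1})
    return fields

def matches(frame, expr):
    """'field == value'; ip.addr and tcp.port match either direction, ip.src/ip.dst only one."""
    field, value = [s.strip() for s in expr.split("==")]
    f = decode(frame)
    if field == "ip.addr":
        return value in (f.get("ip.src"), f.get("ip.dst"))
    if field == "tcp.port":
        return int(value) in (f.get("tcp.srcport"), f.get("tcp.dstport"))
    return field in f and str(f[field]) == value

def ipv4_endpoints(frames):
    """The addresses Statistics -> Endpoints (IPv4 tab) would list."""
    return {f[k] for f in map(decode, frames) for k in ("ip.src", "ip.dst") if k in f}

def conversations(frames):
    """Unordered address pairs, as in Statistics -> Conversations (IPv4 tab)."""
    return {frozenset((f["ip.src"], f["ip.dst"])) for f in map(decode, frames) if f}

def tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame: zero MACs and checksums, no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + tcp

ME, WEB, SSH = "192.168.1.10", "93.184.216.34", "10.0.0.5"   # constructed sample addresses
SAMPLE = [tcp_frame(ME, WEB, 51000, 443, 0x02),    # SYN         -> tcp.flags.syn == 1
          tcp_frame(WEB, ME, 443, 51000, 0x12),    # SYN/ACK     -> tcp.flags.syn == 1
          tcp_frame(ME, WEB, 51000, 443, 0x10),    # ACK
          tcp_frame(ME, SSH, 51001, 22, 0x02),     # SYN to port 22
          tcp_frame(SSH, ME, 22, 51001, 0x14)]     # RST/ACK     -> tcp.flags.reset == 1
```

Counting `sum(matches(fr, "ip.addr == 192.168.1.10") for fr in SAMPLE)` against the same count for `ip.src` shows why the first filter in the list above always selects at least as many packets as the second.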
