CS 231: Computer Security

Wireshark exercises

This set of exercises should give you a start on getting to know the protocol analyzer (also known as a packet sniffer) Wireshark.

Keep a list of questions you'd like me to address on Wednesday, and hand them in after class.

Assuming you're in WCC138 during the fall term of 2016, start by booting into Windows, and then use the command entry/search form in the Start menu to find and execute Wireshark.

Also, open a Windows command prompt.

As you play with Wireshark, it's useful to know the port numbers usually associated with various internet protocols. Here is a list of the "well-known ports". We'll be using the daytime protocol right away, which you can see is normally supported on server port 13 when it's supported at all.

  1. Activate the telnet command.

    • Go to this helpful page and scroll down to "Enabling the telnet client through the graphical user interface". Follow the instructions.
    • In the "I'm Cortana" blank by the start menu, enter "cmd" to launch a Windows command prompt.
    • At the command prompt, enter "telnet" to test telnet. It should give you a "Microsoft Telnet>" prompt. Type "quit" at that prompt to exit the telnet interactive mode. (Don't believe what the on-screen text says about CTRL+] -- that works in Unix terminals, but apparently not on Windows.)
  2. Asking a NIST time server for the current time. The first thing we want to observe is a minimal TCP interaction: handshake followed by a server response of some kind followed by connection termination. Fortunately, the daytime protocol gives us a readily available service that involves just that.

    • Choose a time server from this list of National Institute of Standards and Technology time servers.
    • In Wireshark, go to the Capture→Options menu. In the resulting dialog, select your Ethernet interface (e0 or e1, probably), and then enter "tcp port 13" in the Capture Filter blank. The blank should turn green to indicate a valid filter. Then hit the Start button.
    • At the Windows command prompt, type "telnet [ip] 13", where "[ip]" is the IP address of the NIST time server you selected.
    • Wait for the time server to respond. During my experiments, it has been taking several seconds to get a response.
    • Once you get a response, go to Wireshark and click on the red square Stop button.
    • Study the list of network frames/packets shown in the main Wireshark display. Can you identify the parts of the TCP 3-way handshake? Can you see where the NIST time server sent the human-readable time information? Can you tell where the TCP connection was terminated? What else do you see?
  3. Navigating to a web page.

    • Start a new capture (Capture→Options) with the filter "host 137.22.4.23" (which will only capture packets where either the sender or the destination is the host cs.carleton.edu).
    • In a web browser, navigate to my CS home page http://cs.carleton.edu/faculty/jondich/index.html.
    • Hit the Wireshark stop button.
    • Study the captured packets. How many TCP connections were opened? Can you see the HTTP GET query? Does it have the form you expected? Can you find your browser's User-Agent string? Were there any other GET queries besides the one for /faculty/jondich/index.html? What were they for, and why and when were they issued? ...
  4. Start your homework
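A worked illustration of what exercise 2 asks you to spot, added here and not part of the course hand-out: a constructed capture of eight raw TCP segments for one daytime request (no real NIST traffic; the time string imitates the NIST format but is made up), decoded the way Wireshark's TCP detail pane does, with each segment labelled as handshake, data or teardown and the handshake's seq/ack arithmetic checked.

```python
import struct
# TCP flag bits in the 13th header byte (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
DAYTIME_PORT = 13  # well-known port for the daytime protocol (RFC 867)

def tcp_segment(src, dst, seq, ack, flags, payload=b""):
    """20-byte TCP header (data offset 5 words, no options) plus payload.
    Window, checksum and urgent pointer are filler for this example."""
    return struct.pack("!HHIIBBHHH", src, dst, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload

def parse_segment(raw):
    """Decode the fields Wireshark shows in its TCP detail pane."""
    src, dst, seq, ack, off, flags = struct.unpack("!HHIIBB", raw[:14])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "flags": flags, "payload": raw[(off >> 4) * 4:]}

def label(seg):
    """Name the role a segment plays in the connection, and which side sent it."""
    f, who = seg["flags"], "client" if seg["dst"] == DAYTIME_PORT else "server"
    if f & RST:               kind = "RST (abort)"
    elif f & SYN and f & ACK: kind = "SYN-ACK (handshake 2/3)"
    elif f & SYN:             kind = "SYN (handshake 1/3)"
    elif f & FIN:             kind = "FIN-ACK (teardown)"
    elif seg["payload"]:      kind = "DATA %d bytes" % len(seg["payload"])
    elif f & ACK:             kind = "ACK"
    else:                     kind = "unknown"
    return who + " " + kind

def handshake_ok(capture):
    """SYN and SYN-ACK each consume one sequence number, so each ACK must be peer seq + 1."""
    a, b, c = (parse_segment(s) for s in capture[:3])
    return (a["flags"] == SYN and b["flags"] == SYN | ACK and c["flags"] == ACK
            and b["ack"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1 and c["seq"] == a["seq"] + 1)

def annotate(capture):
    return [label(parse_segment(raw)) for raw in capture]

# Constructed capture: handshake, one line of time text, then the server closes first.
# The payload imitates the NIST daytime format but is made up for this example.
TIME_LINE = b"57650 16-09-19 14:03:22 50 0 0 123.4 UTC(NIST) *\n"
C, S, N = 51000, DAYTIME_PORT, len(TIME_LINE)
CAPTURE = [
    tcp_segment(C, S, 1000, 0, SYN),                      # 1 client SYN
    tcp_segment(S, C, 5000, 1001, SYN | ACK),             # 2 server SYN-ACK
    tcp_segment(C, S, 1001, 5001, ACK),                   # 3 client ACK
    tcp_segment(S, C, 5001, 1001, PSH | ACK, TIME_LINE),  # 4 the time string
    tcp_segment(C, S, 1001, 5001 + N, ACK),               # 5 client acks the data
    tcp_segment(S, C, 5001 + N, 1001, FIN | ACK),         # 6 server closes
    tcp_segment(C, S, 1001, 5002 + N, FIN | ACK),         # 7 client closes
    tcp_segment(S, C, 5002 + N, 1002, ACK),               # 8 final ACK
]
```

Compare the labels that annotate(CAPTURE) produces with the frame list from your own capture; Wireshark's "relative sequence numbers" option shows the same +1 arithmetic that handshake_ok checks.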

By the way, there was a sort-of-introduction to Wireshark published just yesterday (18 Sep 2016) on Ars Technica. Might be worth reading.