Getting started with Wireshark
File: wireshark.txt (or .md, .docx, .pdf)
Work alone or with a partner of your choosing.
Goals
- Start using the protocol analyzer / packet sniffer Wireshark
- Observe the network traffic associated with some simple protocols
- Try to make sense of the information Wireshark gives you
Rubric
1 - put your name(s) in wireshark.txt
6 - daytime questions
3 - HTTP questions
Experiments to perform
- Launch Kali and log in.
- Launch Wireshark. Select the Applications menu in the upper left of Kali's desktop, then "Sniffing & Spoofing", then Wireshark. Alternatively, you can type "wireshark &" in a terminal window.
Ask a National Institute of Standards and Technology (NIST) time server for the current time.
The first thing we want to observe is a minimal TCP interaction: handshake followed by a server response of some kind followed by connection termination. Fortunately, the daytime protocol gives us a readily available service that involves just that.
- Choose a time server from this list of National Institute of Standards and Technology time servers.
- In Wireshark, go to the Capture→Options menu. In the resulting dialog, select your Ethernet interface (probably eth0), and then enter "tcp port 13" in the Capture Filter blank. The blank should turn green to indicate a valid filter. Then hit the Start button.
- Open a terminal and type "nc [domain-or-IP] 13", where [domain-or-IP] is the domain name or IP address of the NIST time server you selected from the list of time servers.
- Wait for the time server to respond. Sometimes it takes a few seconds to respond. You'll be able to tell that the server has responded once the date and time are printed in your terminal.
- Once you get a response, go to Wireshark and click on the red square Stop button.
- Examine the list of network frames/packets shown in the main Wireshark display, and answer the questions listed in the What to hand in section below.
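As an added example (not part of the assignment, and not code from the course), here is the same interaction nc performs, written in Python against a tiny daytime-style server on localhost. Everything in it is constructed: the reply text, the address 127.0.0.1, and the ephemeral port the OS assigns (binding port 13 itself would need root). Run while capturing on the loopback interface with the filter "tcp port <that port>", it produces the same shape of conversation the NIST server does: a three-way handshake, one line of text, and a connection close, so you can compare it against the real capture.

```python
"""Minimal daytime-style (RFC 867) exchange over localhost.

Added example, not part of the assignment: a one-shot server that behaves like a
daytime service and a client that behaves like "nc host 13". Run against each
other on 127.0.0.1, they show the lifecycle the capture will contain: connect,
one line of text from the server, then the server closing the connection.
The reply text is constructed here; real NIST servers use their own format.
"""
import socket
import threading
from datetime import datetime, timezone
from typing import Optional, Tuple


def serve_one_daytime(listener: socket.socket, reply: bytes) -> None:
    """Accept one connection, send the reply, then close it (server sends FIN first)."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(reply)
    # leaving the `with` block closes conn, which is what RFC 867 says a daytime server does


def daytime_request(host: str, port: int, timeout: float = 5.0) -> Tuple[bytes, bool]:
    """Connect like "nc host port" and read until the peer closes.

    Returns (data, peer_closed). peer_closed is True when recv() returned b"",
    meaning the server closed its side first; the client then closes its own.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        chunks = []
        while True:
            chunk = sock.recv(1024)
            if not chunk:  # b"" means the peer has closed the connection
                return b"".join(chunks), True
            chunks.append(chunk)


def run_local_exchange(reply: Optional[bytes] = None) -> Tuple[bytes, bool, int]:
    """Start a one-shot server on 127.0.0.1, query it, return (data, peer_closed, port)."""
    if reply is None:
        # constructed reply; the field layout is not NIST's
        reply = datetime.now(timezone.utc).strftime("%y-%m-%d %H:%M:%S UTC *\n").encode()
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free, unprivileged port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one_daytime, args=(listener, reply), daemon=True)
    server.start()
    try:
        data, peer_closed = daytime_request("127.0.0.1", port)
    finally:
        server.join(timeout=5)
        listener.close()
    return data, peer_closed, port


if __name__ == "__main__":
    data, closed, port = run_local_exchange()
    print(f"server on 127.0.0.1:{port} sent {data!r}; server closed first: {closed}")
```

The client loop ends only when recv() returns an empty bytes object, which is how a TCP client learns that the other side has sent its FIN; that is the event to look for in the capture when deciding which side closed.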
Navigate to a web page.
- Start a new capture (Capture→Options) with the filter "host IP_ADDRESS", where IP_ADDRESS is the address of cs338.jeffondich.com. This filter will cause Wireshark to capture only packets where either the sender or the destination is the host cs338.jeffondich.com.
- In a web browser in Kali, navigate to this special page: http://cs338.jeffondich.com/index.html.
- Watch out: If you try this a second time, your browser might decide not to retrieve the page over the network, but instead just display the copy of index.html that it retrieved the first time and stored in the browser cache. One way to make sure you get a fresh HTTP query each time is to open a new Private or Incognito window and navigate to the page from there.
- Hit the Wireshark Stop button.
- Examine the list of network frames/packets shown in the main Wireshark display, and answer the questions listed in the What to hand in section below.
Possibly handy information
- Here's a list of the "well-known ports" (that is, standard ports associated with common services). (You can also get a list of well-known ports by running "cat /etc/services" on any Unix system such as Kali or macOS or WSL.)
- Here's the specification for the daytime protocol. In the list of well-known ports, note that daytime is normally supported on port 13 when it's supported at all.
Here is a very nice discussion of Wireshark and its uses. There are lots of tutorials online, of course, and sometimes an LLM can answer questions correctly.
What to hand in
- Put your answers in your repository in a text file named wireshark.txt. Start this file with your name and your partner's name. Please make this report in a common format like wireshark.txt, wireshark.md, wireshark.docx, or wireshark.pdf.
- Study the list of network frames/packets shown in the main Wireshark display for the daytime protocol experiment. In wireshark.txt, add a heading (like ===== DAYTIME =====) to show me where your daytime protocol answers are, and then give brief answers to the following questions:
  - Identify the parts of the TCP 3-way handshake by listing the frame summaries of the relevant frames. Your summaries should look something like this: 3 10.0.2.15 129.6.15.27 TCP [SYN]... (i.e. the frame number 3, the source IP address, the destination IP address, the protocol, and the "Info" for the frame).
  - What port number does the client (i.e. nc on your Kali computer) use for this interaction?
  - Why does the client need a port?
  - What frame contains the actual date and time? (Show the frame summary as in question 1 above.)
  - What do [SYN] and [ACK] mean?
  - Which entity (the nc client or the daytime server) initiated the closing of the TCP connection? How can you tell?
- Study the list of network frames/packets shown in the main Wireshark display for the web browser experiment. Add a heading like ===== HTTP ===== and then give brief answers to the following questions:
  - How many TCP connections were opened? How can you tell?
  - Can you tell where my homepage (index.html) was requested? (If not, why not? If so, include frame summaries and/or other info that supports your answer.)
  - Can you tell where my photograph (jeff-square-colorado.jpg) was requested? (If not, why not? If so, include frame summaries and/or other info that supports your answer.)
- Add one more heading like ===== QUESTIONS =====, and write down a few questions that you would like answered about how to interpret Wireshark output.
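Added example, not part of the assignment: a small Python parser for frame summaries written in the "frame number, source, destination, protocol, Info" form used above, where Wireshark's Info column for a TCP segment begins "srcport → dstport [FLAGS]". It picks out each three-way handshake (SYN, SYN/ACK, ACK) by frame number, counts how many TCP connections that makes, and reports which side sent the first FIN. The sample capture inside it is constructed (invented addresses, ports and sequence numbers), not a capture of cs338.jeffondich.com or of any NIST server; use it to check your own reading of the real Wireshark display, not as a substitute for it.

```python
"""Classify TCP frame summaries (No., Source, Destination, Protocol, Info) into
handshakes, connections and closes. Added example, not part of the assignment.
SAMPLE_CAPTURE is constructed (invented addresses, ports, sequence numbers).
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Wireshark's Info column for a TCP segment starts "srcport → dstport [FLAGS]".
_TCP_LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s*(?:→|->)\s*(?P<dport>\d+)\s+\[(?P<flags>[A-Z, ]+)\]"
)

class Frame(NamedTuple):
    no: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # e.g. {"SYN"}, {"SYN", "ACK"}, {"FIN", "ACK"}

# A connection is (client addr, client port, server addr, server port);
# the client is whichever side sent the bare SYN.
ConnKey = Tuple[str, int, str, int]

def parse_summaries(lines: List[str]) -> List[Frame]:
    """Keep the TCP rows that carry flags; HTTP/DAYTIME rows are skipped."""
    frames = []
    for line in lines:
        m = _TCP_LINE.match(line)
        if m:
            flags = frozenset(f.strip() for f in m["flags"].split(","))
            frames.append(Frame(int(m["no"]), m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"]), flags))
    return frames

def find_handshakes(frames: List[Frame]) -> Dict[ConnKey, Tuple[int, int, int]]:
    """Map each completed three-way handshake to its (SYN, SYN/ACK, ACK) frame numbers.

    len() of the result is the number of TCP connections opened in the capture.
    """
    pending: Dict[ConnKey, List[Optional[int]]] = {}
    done: Dict[ConnKey, Tuple[int, int, int]] = {}
    for f in frames:
        fwd = (f.src, f.sport, f.dst, f.dport)  # the connection key if f came from the client
        rev = (f.dst, f.dport, f.src, f.sport)  # the connection key if f came from the server
        if f.flags == {"SYN"}:
            pending[fwd] = [f.no, None]
        elif f.flags == {"SYN", "ACK"} and rev in pending and pending[rev][1] is None:
            pending[rev][1] = f.no
        elif (f.flags == {"ACK"} and fwd in pending and fwd not in done
              and pending[fwd][1] is not None):
            done[fwd] = (pending[fwd][0], pending[fwd][1], f.no)
    return done

def who_closed_first(frames: List[Frame], conn: ConnKey) -> Optional[str]:
    """'client' or 'server' for whichever side sent the first FIN; None if no FIN."""
    client_to_server = conn
    server_to_client = (conn[2], conn[3], conn[0], conn[1])
    for f in frames:
        if "FIN" in f.flags:
            direction = (f.src, f.sport, f.dst, f.dport)
            if direction == client_to_server:
                return "client"
            if direction == server_to_client:
                return "server"
    return None

# Constructed sample: two browser connections to a web server at a documentation
# address; one is closed by the server, the other by the client.
SAMPLE_CAPTURE = """\
1 10.0.2.15 203.0.113.10 TCP 49812 → 80 [SYN] Seq=0 Win=64240 Len=0
2 203.0.113.10 10.0.2.15 TCP 80 → 49812 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
3 10.0.2.15 203.0.113.10 TCP 49812 → 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
4 10.0.2.15 203.0.113.10 HTTP GET /index.html HTTP/1.1
5 203.0.113.10 10.0.2.15 HTTP HTTP/1.1 200 OK  (text/html)
6 10.0.2.15 203.0.113.10 TCP 49813 → 80 [SYN] Seq=0 Win=64240 Len=0
7 203.0.113.10 10.0.2.15 TCP 80 → 49813 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
8 10.0.2.15 203.0.113.10 TCP 49813 → 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
9 10.0.2.15 203.0.113.10 HTTP GET /placeholder.jpg HTTP/1.1
10 203.0.113.10 10.0.2.15 TCP 80 → 49812 [FIN, ACK] Seq=1201 Ack=301 Win=65535 Len=0
11 10.0.2.15 203.0.113.10 TCP 49812 → 80 [FIN, ACK] Seq=301 Ack=1202 Win=64240 Len=0
12 10.0.2.15 203.0.113.10 TCP 49813 → 80 [FIN, ACK] Seq=101 Ack=1 Win=64240 Len=0
13 203.0.113.10 10.0.2.15 TCP 80 → 49813 [FIN, ACK] Seq=1 Ack=102 Win=65535 Len=0
"""

def summarize(capture_text: str) -> dict:
    """Answer the connection-count and who-closed questions for a block of summaries."""
    frames = parse_summaries(capture_text.splitlines())
    handshakes = find_handshakes(frames)
    return {
        "connections": len(handshakes),
        "handshakes": handshakes,
        "closed_first": {k: who_closed_first(frames, k) for k in handshakes},
    }
```

Calling summarize(SAMPLE_CAPTURE) reports two connections, handshakes at frames (1, 2, 3) and (6, 7, 8), and that the first was closed by the server while the second was closed by the client. To run it on your own capture, select the frames in Wireshark, copy their summary lines into a string, and pass that to summarize(); rows the regular expression does not recognise (HTTP requests, daytime responses) are simply ignored.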