7.2.1.8 Lab - Using Wireshark to Observe the TCP 3-Way Handshake

Upload: puracremas

Post on 09-Oct-2015


Lab - Using Wireshark to Observe the TCP 3-Way Handshake

Topology

Objectives

Part 1: Prepare Wireshark to Capture Packets
Select an appropriate NIC interface to capture packets.

Part 2: Capture, Locate, and Examine Packets
Capture a web session to www.google.com.
Locate appropriate packets for a web session.
Examine information within packets, including IP addresses, TCP port numbers, and TCP control flags.

Background / Scenario

In this lab, you will use Wireshark to capture and examine packets generated between the PC browser using the HyperText Transfer Protocol (HTTP) and a web server, such as www.google.com. When an application, such as HTTP or File Transfer Protocol (FTP) first starts on a host, TCP uses the three-way handshake to establish a reliable TCP session between the two hosts. For example, when a PC uses a web browser to surf the Internet, a three-way handshake is initiated and a session is established between the PC host and web server. A PC can have multiple, simultaneous, active TCP sessions with various web sites.

Note: This lab cannot be completed using Netlab. This lab assumes that you have Internet access.

Required Resources

1 PC (Windows 7, Vista, or XP with a command prompt access, Internet access, and Wireshark installed)

Part 1: Prepare Wireshark to Capture Packets

In Part 1, you start the Wireshark program and select the appropriate interface to begin capturing packets.

Step 1: Retrieve the PC interface addresses

For this lab, you need to retrieve your PC's IP address and its network interface card (NIC) physical address, also called the MAC address.

a. Open a command prompt window, type ipconfig /all and then press Enter.

© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 6

b. Write down the IP and MAC addresses associated with the selected Ethernet adapter, because that is the source address to look for when examining captured packets.

The PC host IP address:
The PC host MAC address:

Step 2: Start Wireshark and select the appropriate interface.

a. Click the Windows Start button and on the pop-up menu, double-click Wireshark.

b. After Wireshark starts, click Interface List.

c. In the Wireshark: Capture Interfaces window, click the check box next to the interface connected to your LAN.

Note: If multiple interfaces are listed and you are unsure which interface to check, click Details. Click the 802.3 (Ethernet) tab, and verify that the MAC address matches what you wrote down in Step 1b. Close the Interface Details window after verification.

Part 2: Capture, Locate, and Examine Packets

Step 1: Click the Start button to start the data capture.

a. Go to www.google.com. Minimize the Google window, and return to Wireshark. Stop the data capture. You should see captured traffic similar to that shown below in step b.

Note: Your instructor may provide you with a different website. If so, enter the website name or address here:

b. The capture window is now active. Locate the Source, Destination, and Protocol columns.

Step 2: Locate appropriate packets for the web session.

If the computer was recently started and there has been no activity in accessing the Internet, you can see the entire process in the captured output, including the Address Resolution Protocol (ARP), Domain Name System (DNS), and the TCP three-way handshake. The capture screen in Part 2, Step 1 shows all the packets the computer must get to www.google.com. In this case, the PC already had an ARP entry for the default gateway; therefore, it started with the DNS query to resolve www.google.com.

a. Frame 11 shows the DNS query from the PC to the DNS server, attempting to resolve the domain name www.google.com to the IP address of the web server. The PC must have the IP address before it can send the first packet to the web server.

What is the IP address of the DNS server that the computer queried?

b. Frame 12 is the response from the DNS server with the IP address of www.google.com.

c. Find the appropriate packet for the start of your three-way handshake. In this example, frame 15 is the start of the TCP three-way handshake.

What is the IP address of the Google web server?

d. If you have many packets that are unrelated to the TCP connection, it may be necessary to use the Wireshark filter capability. Enter tcp in the filter entry area within Wireshark and press Enter.

Step 3: Examine information within packets including IP addresses, TCP port numbers, and TCP control flags.

a. In our example, frame 15 is the start of the three-way handshake between the PC and the Google web server. In the packet list pane (top section of the main window), select the frame. This highlights the line and displays the decoded information from that packet in the two lower panes. Examine the TCP information in the packet details pane (middle section of the main window).

b. Click the + icon to the left of the Transmission Control Protocol in the packet details pane to expand the view of the TCP information.

c. Click the + icon to the left of the Flags. Look at the source and destination ports and the flags that are set.

Note: You may have to adjust the top and middle windows sizes within Wireshark to display the necessary information.

What is the TCP source port number?

How would you classify the source port?

What is the TCP destination port number?

How would you classify the destination port?

Which flag (or flags) is set?

What is the relative sequence number set to?

d. To select the next frame in the three-way handshake, select Go on the Wireshark menu and select Next Packet In Conversation. In this example, this is frame 16. This is the Google web server reply to the initial request to start a session.

What are the values of the source and destination ports?

Which flags are set?

What are the relative sequence and acknowledgement numbers set to?

e. Finally, examine the third packet of the three-way handshake in the example. Clicking frame 17 in the top window displays the following information in this example:

Examine the third and final packet of the handshake.

Which flag (or flags) is set?

The relative sequence and acknowledgement numbers are set to 1 as a starting point. The TCP connection is now established, and communication between the source computer and the web server can begin.

f. Close the Wireshark program.

Reflection

1. There are hundreds of filters available in Wireshark. A large network could have numerous filters and many different types of traffic. Which three filters in the list might be the most useful to a network administrator?

2. What other ways could Wireshark be used in a production network?
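The decoding the lab walks through in Step 3 (flags, port classification, and the relative sequence and acknowledgement numbers that Wireshark shows as 0 and 1), as an added example that is not part of the Cisco lab: three constructed TCP headers stand in for frames 15 to 17, using the client port 54734 and server port 80 from the answers below; the initial sequence numbers are invented. The relative-number logic mirrors what Wireshark does, namely subtracting each direction's first sequence number.

```python
import struct

# TCP control flag bits in the low byte of the offset/flags word (RFC 793).
FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]

def classify_port(port):
    """IANA ranges: the classification Step 3c asks for."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic or private"

def build_tcp_header(src, dst, seq, ack, flags, window=8192):
    """Constructed 20-byte TCP header: data offset 5 words, checksum/urgent left 0."""
    bits = sum(bit for bit, name in FLAG_BITS if name in flags)
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, (5 << 12) | bits, window, 0, 0)

def parse_tcp_header(segment):
    """Decode ports, raw sequence/ack numbers and flag names from a TCP header."""
    src, dst, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    flags = [name for bit, name in FLAG_BITS if off_flags & bit]
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags}

def relative_numbers(segments):
    """Rewrite seq/ack relative to each direction's ISN, which is what Wireshark displays."""
    isn = {}      # (src port, dst port) -> initial sequence number seen in that direction
    decoded = []
    for seg in segments:
        h = parse_tcp_header(seg)
        fwd, rev = (h["src"], h["dst"]), (h["dst"], h["src"])
        isn.setdefault(fwd, h["seq"])
        h["rel_seq"] = h["seq"] - isn[fwd]
        # Without the ACK flag the acknowledgement field carries no meaningful value.
        h["rel_ack"] = h["ack"] - isn[rev] if "ACK" in h["flags"] and rev in isn else 0
        h["src_class"], h["dst_class"] = classify_port(h["src"]), classify_port(h["dst"])
        decoded.append(h)
    return decoded

# Constructed handshake, frames 15-17 of the lab: client 54734 -> server 80; ISNs invented.
HANDSHAKE = [
    build_tcp_header(54734, 80, 0x1A2B3C4D, 0, ["SYN"]),
    build_tcp_header(80, 54734, 0x9E8D7C6B, 0x1A2B3C4E, ["SYN", "ACK"]),
    build_tcp_header(54734, 80, 0x1A2B3C4E, 0x9E8D7C6C, ["ACK"]),
]

if __name__ == "__main__":
    for frame, h in zip((15, 16, 17), relative_numbers(HANDSHAKE)):
        print(frame, h["src"], "->", h["dst"], h["flags"], "seq", h["rel_seq"], "ack", h["rel_ack"])
```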

Answers (uploader's, translated from Spanish):

1: 192.168.1.5
2: 00-24-21-A2-E3-52
3: www.google.com
4: 200.107.10.52
5: http://173.194.46.84/
6: 54734
7: Dynamic or private port
8: 80
9: Well-known port
10: Seq and Len
11: 0
12: Source Port: 80 Dst Port: 54734
13: Seq, Ack and Len
14: 1 and 24
15: Seq, Ack and Len
16: ICMP, TCP and ARP
17: To identify which application uses the network the most