wireshark analysis of trace file-utar


Upload: lam-chen-riang

Post on 19-Jan-2016


Description: lab work about Wireshark Analysis

Page 1: Wireshark Analysis of Trace File-Utar

UEEN2013 TCP/IP Network Fundamentals

Lab 08: Wireshark Analysis of Protocols – Trace Files

Instructions:

1. Read the “Introduction” section for the background.
2. Perform all the lab exercises, starting with exercise 1.
3. Follow all the steps.
4. Record the results in all italic bold actions.
5. Paste your screen captures on a Word Document and save it.
6. Answer all the questions in italic and in blanks based on the observation of the results.
7. Write your answer in the same Word Document.
8. Please follow the sequence of the exercises, and don’t skip any step.
9. Please try your best to understand the steps of this lab.
10. Please refer to the appendix for more details on HTTP.

Introduction to Wireshark

In this lab, you will learn how to use Wireshark to examine packets that were captured by a NIC and then saved to a file, known as a trace file.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

A network packet analyzer will capture network packets and display the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable.

Here are some examples of what people use Wireshark for:

- Network administrators use it to troubleshoot network problems.
- Network security engineers use it to examine security problems.
- Developers use it to debug protocol implementations.
- People use it to learn network protocol internals.

Exercise 1: Getting familiar with the “Pane” of Wireshark

Wireshark's (v1.2.10) main window consists of parts that are commonly known from many other GUI programs.

The menu is used to start actions.

The main toolbar provides quick access to frequently used items from the menu.


The filter toolbar provides a way to directly manipulate the currently used display filter.

The packet list pane displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.

The packet details pane displays the packet selected in the packet list pane in more detail.

The packet bytes pane displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.

The status bar shows some detailed information about the current program state and the captured data.

[Figure: the Wireshark main window with its parts labelled: Menu, Main Toolbar, Filter Toolbar, Packet List Pane, Packet Detail Pane, Packet Bytes Pane, Status Bar]

1. Go to “Menu” => “File” => “Open” and open Lab_08_Ex01.pcap.


2. Refer to the “status bar” and answer the following question:

a. What is the total number of packets (or frames) in this file?

_________________________________________________ (318)

b. What is the number of packets being displayed?

_________________________________________________ (318)

3. In the “Packet List Pane”, click on frame “No. 5”. A grey bar will highlight the selected frame, as shown in the following figure. Answer the following question:

a. What is the highest layer protocol in this frame?

_________________________________________________ (ICMP)

b. What is the destination IP address in this frame?

_________________________________________________ (192.168.1.3)

4. Refer to the “Packet Detail Pane” of the same frame No. 5, and answer the following question:

a. What is the size (in bytes) of this frame?

_________________________________________________ (70 bytes)


b. What is the source MAC address of 192.168.1.1?

_________________________________________________ (00:1e:40:9a:b5:13)

5. Click on the ‘+’ sign next to “Internet Control Message Protocol”, and more information is shown. Answer the following question:

a. What are the values of the Type and Code of the ICMP?

_________________________________________________ (Type = 3, Code = 0)

b. Based on this ICMP message (and the frame), which IP address (192.168.1.1 or 192.168.1.3) is more likely to be the router?

_________________________________________________ (192.168.1.1)

c. Refer to the ICMP message again. What is the socket (IP:port) that is unreachable?

_________________________________________________ (192.33.4.12:53)

d. What is the IP address of this “Wireshark-installed” PC?

_________________________________________________ (192.168.1.3)

6. Refer to the “Packet Bytes Pane” of the same frame No. 5, and answer the following question:

a. Double click on the value “c0 a8” (last two bytes of the second line), and refer to “Packet Detail Pane”. Which field do these numbers belong to?

_________________________________________________ (destination of IP)

b. Double click on the value “89 c8” (5th and 6th bytes of the third line), and refer to “Packet Detail Pane”. Which field do these numbers belong to?

_________________________________________________ (checksum of ICMP)
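An added example, not part of the lab or of Wireshark itself, that decodes a frame shaped like frame No. 5 in Python. The frame is constructed from the values quoted above (the PC's MAC address and the UDP source port are made up), so you can see where Wireshark finds the Type/Code, the unreachable socket, and the byte offsets that the Packet Bytes pane highlights when you double-click “c0 a8” and “89 c8”:

```python
"""Decode an ICMP Destination Unreachable frame layer by layer, the way
Wireshark's Packet Detail pane does: Ethernet -> IPv4 -> ICMP -> quoted IPv4
header -> quoted UDP header. The frame is CONSTRUCTED from the values the lab
quotes for frame No. 5 (the PC's MAC address and the UDP source port are made
up); it is not taken from the lab's trace file."""
import socket
import struct

def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_unreachable_frame():
    """Router 192.168.1.1 tells 192.168.1.3 that its DNS query to 192.33.4.12:53
    could not be delivered: ICMP type 3 (Destination Unreachable), code 0."""
    # ICMP quotes the original IP header plus the first 8 bytes of its payload,
    # which for UDP is the whole UDP header, ports included.
    quoted_udp = struct.pack("!HHHH", 51000, 53, 8 + 30, 0)   # source port made up
    quoted_ip = ipv4_header("192.168.1.3", "192.33.4.12", 17, 8 + 30)
    icmp = struct.pack("!BBHI", 3, 0, 0, 0) + quoted_ip + quoted_udp
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    outer_ip = ipv4_header("192.168.1.1", "192.168.1.3", 1, len(icmp))
    dst_mac = bytes.fromhex("000c29aabbcc")          # PC's MAC, made up
    src_mac = bytes.fromhex("001e409ab513")          # router's MAC, from the lab
    return dst_mac + src_mac + b"\x08\x00" + outer_ip + icmp   # 14 + 20 + 36 = 70 bytes

def bytes_pane_position(offset):
    """1-based (line, column) of a byte offset in the Packet Bytes pane, 16 per line."""
    return offset // 16 + 1, offset % 16 + 1

def parse_frame(frame):
    """Return the fields the lab asks about, plus the offsets of the two fields
    it asks you to locate by double-clicking in the Packet Bytes pane."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if inet_checksum(frame[ip_off:ip_off + ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if frame[ip_off + 9] != 1:
        raise ValueError("not ICMP")
    icmp_off = ip_off + ihl
    icmp = frame[icmp_off:]
    result = {
        "frame_len": len(frame),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "src_ip": socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
        "dst_ip": socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]),
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "offsets": {"ip.dst": ip_off + 16, "icmp.checksum": icmp_off + 2},
    }
    if icmp[0] == 3:
        # Destination Unreachable is sent by a router on the path (or by the
        # final host), so the outer source is the likelier gateway.
        result["likely_router"] = result["src_ip"]
        quoted = icmp[8:]
        q_ihl = (quoted[0] & 0x0F) * 4
        if quoted[9] in (6, 17):                     # TCP and UDP put the ports first
            dport = struct.unpack("!H", quoted[q_ihl + 2:q_ihl + 4])[0]
            result["unreachable_socket"] = "%s:%d" % (socket.inet_ntoa(quoted[16:20]), dport)
    return result

if __name__ == "__main__":
    fields = parse_frame(build_unreachable_frame())
    for key, value in fields.items():
        print(key, value)
    for name, off in fields["offsets"].items():
        print(name, "at byte offset", off, "-> line/column", bytes_pane_position(off))
```

Offset 30 is the 15th byte of the second hex line and offset 36 the 5th byte of the third, which is exactly where the lab tells you to double-click.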


Exercise 2: Display Filter

A very common problem when you launch Wireshark with the default settings is that you get too much information on the screen and cannot find the information you are looking for. Too much information kills the information. Instead of showing all the captured traffic, you can use the filter toolbar to display the data selectively.

That's why filters are important: they help you target the packets/frames you are looking for.

Capture filters: Used to select the data to record in the logs. They are defined before starting the capture.

Display filters: Used to search inside the captured logs. They can be modified while data is captured.

So when should I use the capture or the display filter?

The goals of the two filters are different. The capture filter is used as a first, coarse filter to limit the size of the captured data and avoid generating a log that is too big. The display filter is much more powerful (and complex); it lets you search for exactly the data you want. In this exercise, we focus only on the display filter.

The display filter follows a certain syntax. If the filter syntax is correct, the filter box is highlighted in green; if there is a syntax mistake, it is highlighted in red.

1. In the “Filter Toolbar”, type “http” as shown in the following figure and click “Apply” at the far right of the “Filter Toolbar”.

a. What is the number of packets being displayed? (Please refer to the status bar)

_________________________________________________ (23)


2. In the “Filter Toolbar”, click “Clear”. Type “icmp” this time and then click “Apply”. After answering the question, please click on “Clear” again.

a. What is the number of packets being displayed now? (Please refer to the status bar)

_________________________________________________ (46)

3. The table above shows the “logical expressions” accepted by the “Filter Toolbar”. Let's take an example with the following display filter: “dns || arp”. This displays packets whose protocol is DNS or ARP. Please remember to click “Apply”.

4. For more specific and complex filter conditions, we can use the “Expression” of the “Filter Toolbar”. For example, if we want to look for the IP address of the web server in the trace file, we can form the following filter expression: tcp.srcport == 80. Click on “Expression”. Scroll down until you see TCP. Click on ‘+’ next to TCP to expand all the options. Click on “tcp.srcport”. Click on “==”, and then key in “80” in value. Click “Ok”.


a. What is the IP address of the web server?

_________________________________________________ (128.42.182.20)

b. Using the same concept illustrated above, what is the IP address of the DNS server? (Hint: use UDP source port equal to 53)

_________________________________________________ (202.188.0.133)

5. The following feature is also useful for filtering on the vendor identifier part (OUI) of the MAC address, so you can restrict the display to packets from a specific device manufacturer (e.g. Unisphere machines only): eth.src[0:3] == 00:90:1a. The notation stands for the first 3 bytes of the source MAC address; [0:3] means 3 bytes starting at offset 0 (in bytes).

6. Display the packets whose destination IP address is not 60.53.75.52 and whose source IP address is not 128.42.182.20. After viewing, click “Clear”.


Exercise 3: Basic Statistics of the Trace File

Wireshark provides many different statistics, which you can consult by clicking on the "Statistics" menu at the top of the screen.

1. In the “menu”, click on “Statistics” and then “Summary”. After answering the question, close the “Summary” dialog box.

a. What is the “average bytes per second”?

_________________________________________________ (987.404)

2. In the “Filter Toolbar”, enter “http”, and then click “Apply”. After that, click on “Statistics” and then “Summary”. After answering the question, close the “Summary” dialog box and clear the filter.

a. What is the “average bytes per second” of the displayed packets?

_________________________________________________ (195.165)

b. What is the “average packets per second” of the displayed packets?

_________________________________________________ (0.272)

3. Click on “Statistics” and then “Protocol Hierarchy”. The protocol hierarchy shows a dissection per OSI layer of the displayed data. After answering the question, close the dialog box.

a. How many packets contain “point-to-point protocol”?

_________________________________________________ (259)


b. What percentage of the packets belongs to TCP (Transmission Control Protocol) traffic?

_________________________________________________ (66.98%)

c. How many bytes belong to Compuserve GIF?

_________________________________________________ (2584)

4. Click on “Statistics” and then “Conversations”. For TCP/IP applications and protocols, you should find four active tabs for Ethernet, IP, TCP and UDP conversations. A "conversation" represents the traffic between two hosts. The number in the tab after the protocol indicates the number of conversations. After answering the question, close the dialog box.

a. Click on the “Ethernet” tab. How many MAC addresses are there in the trace file?

_________________________________________________ (3)

b. Click on “IPv4” tab. How many bytes have been sent from 60.53.75.52 to 128.42.182.20?

_________________________________________________ (13377)


c. Click on the “TCP” tab. What is the dominant application layer protocol (or service) for the TCP traffic? (Hint: PortB)

_________________________________________________ (HTTP)

d. Click on the “UDP” tab. What is the dominant application layer protocol (or service) for the UDP traffic? (Hint: PortB)

_________________________________________________ (DNS)

5. Click on “Statistics” and then “Endpoints”. The endpoints provide statistics about received and transmitted data on a per-machine basis. The number after the protocol indicates the number of endpoints. After answering the question, close the dialog box.

a. Click on the “IPv4” tab. How many bytes are received for IP = 192.5.5.241?

_________________________________________________ (280)

b. Click on the “UDP” tab. How many bytes are transmitted by IP = 202.188.0.133?

_________________________________________________ (254)

6. Click on “Statistics” and then “IO Graphs”. Basic graphs can be obtained under the "IO graphs" section. Multiple graphs can be added in the same window, one per display filter. Key in “udp”, “dns”, and “icmp” in the filter boxes as shown in the following figure. You can show or hide a graph line by clicking on the “Graph x” button (it works like a toggle).
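An added example (not the lab's or Wireshark's code) that reads a libpcap file and computes the Summary and Protocol Hierarchy figures asked for in this exercise: packet and byte counts, elapsed time, average bytes/s and packets/s for all packets or for a filtered view, and the packet count per protocol node. The trace is constructed in memory; the rates for a filtered view are taken over the span of the packets that pass the filter, which is an assumption about how Wireshark's Summary fills its Displayed column:

```python
"""Read a libpcap trace and reproduce what Wireshark's Statistics > Summary and
Protocol Hierarchy report: packets, bytes, elapsed time, average bytes/s and
packets/s (for all packets or for those passing a display filter) and the packet
count per protocol. The trace is CONSTRUCTED in memory; it is not the lab's."""
import socket
import struct
from collections import Counter

# libpcap magic as read little-endian -> (struct byte order, ticks per second)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6)}
L4_HEADER_LEN = {1: 8, 6: 20, 17: 8}                 # icmp, tcp, udp

def make_frame(src, dst, proto, sport=0, dport=0, payload=b""):
    """Ethernet/IPv4 frame with a zero-filled L4 header (statistics only)."""
    l4 = struct.pack("!HH", sport, dport).ljust(L4_HEADER_LEN[proto], b"\x00")
    if proto == 6:
        l4 = l4[:12] + b"\x50" + l4[13:]              # TCP data offset = 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("000c29aabbcc001e409ab5130800") + ip + l4 + payload

def write_pcap(records, order="<"):
    """records: iterable of (timestamp_seconds, frame); LINKTYPE_ETHERNET (1)."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack(order + "IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (timestamp, original_length, captured_bytes) for every record."""
    magic, = struct.unpack("<I", data[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    order, ticks = PCAP_MAGICS[magic]
    off = 24                                          # skip the global header
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        yield sec + frac / ticks, orig, data[off + 16:off + 16 + incl]
        off += 16 + incl

def protocol_path(frame):
    """Dissection path like 'eth:ip:tcp:http', using Wireshark's default port rules."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "eth"
    path = ["eth", "ip"]
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    l4 = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
    if proto == 1:
        path.append("icmp")
    elif proto == 17:
        path.append("udp")
        if 53 in struct.unpack("!HH", l4[:4]):
            path.append("dns")
    elif proto == 6:
        path.append("tcp")
        if 80 in struct.unpack("!HH", l4[:4]) and len(l4) > (l4[12] >> 4) * 4:
            path.append("http")                       # only segments carrying data
    return ":".join(path)

def summarize(pcap, display_filter=None):
    """Summary figures for the packets whose protocol path passes display_filter."""
    kept = [(ts, n) for ts, n, frame in read_pcap(pcap)
            if display_filter is None or display_filter(protocol_path(frame))]
    packets, nbytes = len(kept), sum(n for _, n in kept)
    elapsed = kept[-1][0] - kept[0][0] if kept else 0.0   # first to last kept packet
    return {"packets": packets, "bytes": nbytes, "elapsed_s": elapsed,
            "avg_bytes_per_s": nbytes / elapsed if elapsed else 0.0,
            "avg_packets_per_s": packets / elapsed if elapsed else 0.0}

def protocol_hierarchy(pcap):
    """Packet count per node; a packet counts towards every prefix of its path."""
    counts = Counter()
    for _, _, frame in read_pcap(pcap):
        layers = protocol_path(frame).split(":")
        for i in range(1, len(layers) + 1):
            counts[":".join(layers[:i])] += 1
    return counts

# Constructed trace: one DNS lookup, one short HTTP fetch and one ICMP packet.
PC, WEB, DNS, GW = "192.168.1.3", "128.42.182.20", "202.188.0.133", "192.168.1.1"
SAMPLE_PCAP = write_pcap([
    (0.0, make_frame(PC, DNS, 17, 51000, 53, b"q" * 30)),
    (0.2, make_frame(DNS, PC, 17, 53, 51000, b"r" * 60)),
    (1.0, make_frame(PC, WEB, 6, 52000, 80)),         # SYN, carries no data
    (1.5, make_frame(PC, WEB, 6, 52000, 80, b"GET / HTTP/1.1\r\n" + b"h" * 84)),
    (2.0, make_frame(WEB, PC, 6, 80, 52000, b"HTTP/1.1 200 OK\r\n" + b"b" * 383)),
    (3.0, make_frame(GW, PC, 1, payload=b"\x00" * 28)),
])
```

Calling summarize(SAMPLE_PCAP) and summarize(SAMPLE_PCAP, lambda p: p.endswith(":http")) mirrors steps 1 and 2 above, and protocol_hierarchy(SAMPLE_PCAP)["eth:ip:tcp"] answers the kind of "how many packets contain X" question in step 3.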


Exercise 4: Expert Info

Wireshark provides “Expert Info”, in which certain errors and anomalies in the network are highlighted. It is rather useful for troubleshooting the network.

1. In the “menu”, click on “Analysis” and then “Expert Info Composite”. After answering the question, close the dialog box.

a. What are the warnings? (Hint: “Warnings” tab, Summary)

_________________________________________________ (Previous segment lost)

b. How many types of Chats are there, and what is the packet count? (Hint: Just look at the “Chat” tab)

_________________________________________________ (19, 62)

Exercise 5: Basic HTTP GET/Response Interaction

With the introductory exercises in Wireshark done, we’re now ready to use Wireshark to investigate protocols in operation. In this exercise, we’ll explore several aspects of HTTP.

1. Let’s begin our exploration of HTTP by opening “Lab08_Ex05.pcap”.


2. Type “http” in the “Filter Toolbox” window and click “Apply”. The Packet List Pane should show the HTTP messages that were captured: the GET message and the response message from the server to your browser. The Packet Detail Pane shows details of the selected message (in this case the HTTP GET message, which is highlighted in the Packet List Pane).

3. Highlight the line with HTTP GET /ethereal-labs/HTTP-ethereal-file1.html

4. Click on the ‘+’ next to “Hypertext Transfer Protocol”. By looking at the information in the HTTP header, answer the following questions:

a. Is your browser running HTTP version 1.0 or 1.1?

_________________________________________________ (HTTP 1.1)

b. What languages (if any) does your browser indicate that it can accept from the web server?

_________________________________________________ (en – US, en)

c. What is the name of the “host”?

_________________________________________________ (gaia.cs.umass.edu)

5. Highlight the line with HTTP HTTP/1.1 200 OK

6. Click on the ‘+’ next to “Hypertext Transfer Protocol”. By looking at the information in the HTTP header, answer the following questions:

a. What is the status code returned from the server to your browser?

_________________________________________________ (200 OK)

b. What is the “Server” type of the web page?

_________________________________________________ (Apache/2.0.52 (CentOS))

c. How many bytes of content are being returned to your browser?

_________________________________________________ (126 bytes)

d. What is contained in the “Line-based text data: text/html”?


_________________________________________________ (Congratulations. You've downloaded the file \n….)

Exercise 6: Retrieving a Longer HTTP Document

In this exercise, we’ll see what happens when we download a longer HTML file.

1. Open “Lab08_Ex06.pcap” with Wireshark.

2. Type “http || tcp” in the “Filter Toolbox” window and click “Apply”.

3. Highlight the line with HTTP HTTP/1.1 200 OK. (Frame 12). Answer the following questions:

a. What is the content length of the text file? (The text can be displayed by clicking the ‘+’ next to “Line-based text data: text/html”)

_________________________________________________ (4500)

b. How many segments have been reassembled?

_________________________________________________ (5)

c. What is the size (total bytes) of the reassembled segments?

_________________________________________________ (4810 bytes)

d. What is the size of the HTTP Header?

_________________________________________________ (4810-4500 = 310 bytes.)

e. What is the maximum size of the TCP segment?

_________________________________________________ (1440 bytes.)

4. Right click on any TCP “frame”, and then choose “Follow TCP Stream”.


5. The following dialog box should appear.

6. Highlight the content beginning with <html> until </html>. After the highlight, right click on the content to “copy” it. (Hint: the blue portion without the HTTP header)


7. Open Notepad and paste the “copied” content on it.

8. Save the file as “try.html”.

9. Use a web browser to open the “try.html”, and you should see the “Bill of Rights” in browser format.


Exercise 7: Reading Unencrypted Passwords from HTTP

In this exercise, try to look for the unencrypted passwords from two trace files.

1. Open “Lab08_Ex07-1.pcap” with Wireshark. Based on the above diagram, answer the following question:

a. What is the password with the login name of “student1054”? (Hint: Use display filter = “http” to hunt for it)

_________________________________________________ (mengapasaya)

2. Open “Lab08_Ex07-2.pcap” with Wireshark. Based on the above diagram, answer the following question:

a. What is the password with the login name of “cisco_router”? (Hint: Use display filter = “http” to hunt for it)

_________________________________________________ (wertyuio)


Appendix

HTTP (HyperText Transfer Protocol) Header

The Hypertext Transfer Protocol (HTTP) is a networking protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web.

HTTP functions as a request-response protocol in the client-server computing model. In HTTP, a web browser, for example, acts as a client, while an application running on a computer hosting a web site functions as a server. The client submits an HTTP request message to the server. The server, which stores content, or provides resources, such as HTML files and images, or generates such content on the fly, or performs other functions on behalf of the client, returns a response message to the client. A response contains completion status information about the request and may contain any content requested by the client in its message body.

[Figure] An HTTP request made using telnet. The request, response headers and response body are highlighted.


HTTP Request

A HTTP request is a collection of lines sent to the server by the browser. It includes:

- A request line: This is a line specifying the type of document requested, the method which must be applied, and the version of the protocol used. The line is made up of three elements which must be separated by a space:
  o The method
  o The URL
  o The version of the protocol used by the client (generally HTTP/1.0)
- The request header fields: This is a collection of optional lines allowing additional information about the request and/or the client to be given (browser, operating system, etc.). Each of these lines is composed of a name describing the header type, followed by a colon (:) and the value of the header.
- The body of the request: This is a collection of optional lines which must be separated from the preceding lines by an empty line; it allows, for example, data to be sent by a POST command when a form is submitted to the server.

A HTTP request therefore has the following syntax (<crlf> meaning carriage return and line feed):

METHOD URL VERSION<crlf>
HEADER: Value<crlf>
...
HEADER: Value<crlf>
Empty line <crlf>
BODY OF THE REQUEST

Here is an example of a HTTP request:

GET http://en.kioskea.net/ HTTP/1.0
Accept: text/html
If-Modified-Since: Saturday, 15-January-2000 14:37:11 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)

Commands

HEAD: Asks for the response identical to the one that would correspond to a GET request, but without the response body. This is useful for retrieving meta-information written in response headers, without having to transport the entire content.

GET: Requests a representation of the specified resource. Note that GET should not be used for operations that cause side-effects, such as using it for taking actions in web applications. One reason for this is that GET may be used arbitrarily by robots or crawlers, which should not need to consider the side effects that a request should cause. See safe methods below.

POST: Submits data to be processed (e.g., from an HTML form) to the identified resource. The data is included in the body of the request. This may result in the creation of a new resource or the updates of existing resources or both.

PUT: Uploads a representation of the specified resource.

DELETE: Deletes the specified resource.

TRACE: Echoes back the received request, so that a client can see what (if any) changes or additions have been made by intermediate servers.

OPTIONS: Returns the HTTP methods that the server supports for the specified URL. This can be used to check the functionality of a web server by requesting '*' instead of a specific resource.

CONNECT: Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.

PATCH: Is used to apply partial modifications to a resource.

HTTP servers are required to implement at least the GET and HEAD methods and, whenever possible, also the OPTIONS method.

Headers

Header name: Description

Accept: Type of content accepted by the browser (for example text/html). See MIME types
Accept-Charset: Character set expected by the browser
Accept-Encoding: Data coding accepted by the browser
Accept-Language: Language expected by the browser (English by default)
Authorization: Identification of the browser to the server
Content-Encoding: Type of coding for the body of the request
Content-Language: Type of language in the body of the request
Content-Length: Length of the body of the request
Content-Type: Type of content of the body of the request (for example text/html). See MIME types
Date: Date data transfer starts
Forwarded: Used by intermediary machines between the browser and server
From: Allows the client email address to be specified
If-Modified-Since: Makes it possible to specify that the document must be sent only if it has been modified since a certain date
Link: Link between two URLs
Orig-URL: URL from which the request originated
Referer: Link URL from which the request has been made
User-Agent: String giving information about the client, such as the name and version of the browser and the operating system


HTTP Response

A HTTP response is a collection of lines sent by the server to the browser. It includes:

- A status line: this is a line specifying the protocol version used and the status of the request being processed, using a code and explanatory text. The line is made up of three elements which must be separated by a space:
  o The version of the protocol used
  o The status code
  o The meaning of the code
- The response header fields: This is a collection of optional lines allowing additional information about the response and/or the client to be given (browser, operating system, etc.). Each of these lines is composed of a name describing the header type, followed by a colon (:) and the value of the header.
- The body of the response: contains the requested document.

A HTTP response therefore has the following syntax (<crlf> meaning carriage return and line feed):

VERSION-HTTP CODE EXPLANATION<crlf>
HEADER: Value<crlf>
...
HEADER: Value<crlf>
Empty line <crlf>
BODY OF THE RESPONSE

Here is an example of a HTTP response:

HTTP/1.0 200 OK
Date: Sat, 15 Jan 2000 14:37:12 GMT
Server: Microsoft-IIS/2.0
Content-Type: text/HTML
Content-Length: 1245
Last-Modified: Fri, 14 Jan 2000 08:25:13 GMT
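An added example (not the lab's code) that parses HTTP request and response messages with the syntax described here and read off the wire in Exercises 5 to 7: it splits the start line, header fields and body, checks Content-Length against the body the way Exercise 6 compares reassembled bytes with the content length, and flags the credentials that a capture of unencrypted HTTP exposes, redacting their values. All messages, host names and field values are constructed and contain no real credentials.

```python
"""Parse raw HTTP/1.x messages the way the lab reads them off the wire (request
line or status line, header fields, empty line, body), check Content-Length
against the body, and flag credentials that such a capture exposes because the
exchange was not encrypted. The messages below are CONSTRUCTED for this example
and contain no real credentials; nothing is taken from the lab's trace files."""
import base64
import re
from urllib.parse import parse_qsl

CRLF = b"\r\n"
CREDENTIAL_FIELDS = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)

def build_message(start_line, headers, body=b""):
    """Assemble a message with the appendix syntax; Content-Length is set from the body."""
    lines = [start_line] + ["%s: %s" % (k, v) for k, v in headers]
    if body:
        lines.append("Content-Length: %d" % len(body))
    return CRLF.join(l.encode() for l in lines) + CRLF + CRLF + body

def parse_message(raw):
    """Split a request or response into its parts and cross-check Content-Length."""
    head, sep, body = raw.partition(CRLF +  CRLF)
    if not sep:
        raise ValueError("no empty line terminating the header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    first = lines[0].split(" ", 2)                    # three space-separated elements
    if len(first) != 3:
        raise ValueError("malformed start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    msg = {"headers": headers, "body": body, "header_size": len(head) + 4}
    if first[0].startswith("HTTP/"):
        msg.update(kind="response", version=first[0], status=int(first[1]), reason=first[2])
    else:
        msg.update(kind="request", method=first[0], target=first[1], version=first[2])
    if "content-length" in headers:
        msg["content_length"] = int(headers["content-length"])
        # Exercise 6 reads this relation off the reassembled stream:
        # total bytes = header size + Content-Length.
        msg["content_length_ok"] = msg["content_length"] == len(body)
    return msg

def find_cleartext_credentials(msg):
    """Return (where, field or user, redacted value) for credentials visible in the message."""
    findings = []
    auth = msg["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        # Base64 is an encoding, not encryption: the user name is readable as-is.
        user = base64.b64decode(auth[6:]).split(b":", 1)[0].decode("iso-8859-1", "replace")
        findings.append(("Authorization header", user, "<redacted>"))
    ctype = msg["headers"].get("content-type", "")
    if msg["kind"] == "request" and ctype.startswith("application/x-www-form-urlencoded"):
        for field, value in parse_qsl(msg["body"].decode("iso-8859-1"), keep_blank_values=True):
            if CREDENTIAL_FIELDS.search(field):
                findings.append(("form field", field, "<redacted %d chars>" % len(value)))
    return findings

# Constructed sample exchange: a form login over plain HTTP and its reply.
SAMPLE_REQUEST = build_message("POST /login HTTP/1.1", [
    ("Host", "intranet.example"), ("User-Agent", "Mozilla/5.0 (example)"),
    ("Accept-Language", "en-US,en"),
    ("Content-Type", "application/x-www-form-urlencoded"),
], b"username=student_example&password=not_a_real_secret&remember=1")
SAMPLE_RESPONSE = build_message("HTTP/1.1 200 OK", [
    ("Server", "Apache/2.0.52 (CentOS)"), ("Content-Type", "text/html"),
], b"<html><body>Congratulations, you are logged in.</body></html>")
```

Running find_cleartext_credentials over every request in a capture tells you which applications still send logins unencrypted, without the report itself reproducing the passwords.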

Response headers

Header name: Description

Content-Encoding: Type of coding for the body of the response
Content-Language: Type of language in the body of the response
Content-Length: Length of the body of the response
Content-Type: Type of content of the body of the response (for example text/html). See MIME types
Date: Date data transfer starts
Expires: Data use-by date
Forwarded: Used by intermediary machines between the browser and server
Location: Redirection to a new URL associated with the document
Server: Features of the server having sent the response

The response codes

These are the codes that you see when the browser cannot display the requested page. The response code is made up of three digits: the first indicates the status and the following two digits explain the exact nature of the error.

Code / Message: Description

10x Information message: These codes are not used in version 1.0 of the protocol
20x Success: These codes indicate the smooth running of the transaction
200 OK: The request has been accomplished correctly
201 CREATED: This follows a POST command and indicates success; the remaining body of the document indicates the URL where the newly created document must be located.
202 ACCEPTED: The request has been accepted, but the procedure which follows has not been accomplished
203 PARTIAL INFORMATION: When this code is received in response to a GET command, it indicates that the response is not complete.
204 NO RESPONSE: The server has received the request but there is no information to send back
205 RESET CONTENT: The server tells the browser to delete the content in the fields of a form
206 PARTIAL CONTENT: This is a response to a request containing the Range header. The server must include the Content-Range header
30x Redirection: These codes indicate that the resource is no longer in the location specified
301 MOVED: The requested data has been transferred to a new address
302 FOUND: The requested data is at a new URL, but may have been moved again since...
303 METHOD: This means that the client must try a new address, preferably by trying another method than GET
304 NOT MODIFIED: If the client has carried out a conditional GET command (by asking whether the document has been modified since the last time) and the document has not been modified, the server sends back this code.
40x Error due to the client: These codes indicate that the request is incorrect
400 BAD REQUEST: The syntax of the request is badly formulated or is impossible to satisfy
401 UNAUTHORIZED: The parameters of the message give specifications of unacceptable forms of authorisation. The client must reformulate its request with the correct authorisation data
402 PAYMENT REQUIRED: The client must reformulate its request with the correct payment data
403 FORBIDDEN: Access to the resource is quite simply denied
404 NOT FOUND: Classic! The server has not found anything at the specified address. Left without leaving a forwarding address... :)
50x Error due to the server: These codes indicate that there is an internal error in the server
500 INTERNAL ERROR: The server has encountered an unexpected condition which prevented it from following up the request (just one of those things that happen to servers...)
501 NOT IMPLEMENTED: The server does not support the service requested (it cannot know everything...)
502 BAD GATEWAY: The server has received an invalid response from the server which it is trying to access by acting as a gateway or proxy
503 SERVICE UNAVAILABLE: The server cannot respond to you at the present time since it is too busy (all your communication lines are busy, please try again later)
504 GATEWAY TIMEOUT: The response from the server has taken too long in relation to the time for which the gateway had been prepared to wait (the time that was assigned to you has now passed...)