CS 231: Computer Security

Getting started with Wireshark

Files: tools/wireshark.txt

Do this assignment with the partner I assign you. I will post partner assignments on Slack under #announcements.

Goals

• Start using the protocol analyzer / packet sniffer Wireshark
• Observe the network traffic associated with some simple protocols
• Try to make sense of the information Wireshark gives you

Experiments to perform

• Launch and login to Kali. (If you're using REMOTELAB, the user name and password are both "kali". If you installed Kali yourself, you specified a user name and password during the setup.)
• Launch Wireshark. Select the Applications menu in the upper left of Kali's desktop, then "Sniffing & Spoofing", then Wireshark. Alternatively, you can type "wireshark &" in a terminal window.

• Ask a National Institute of Standards and Technology (NIST) time server for the current time.

  The first thing we want to observe is a minimal TCP interaction: handshake followed by a server response of some kind followed by connection termination. Fortunately, the daytime protocol gives us a readily available service that involves just that.

  • Choose a time server from this list of National Institute of Standards and Technology time servers.
  • In Wireshark, go to the Capture→Options menu. In the resulting dialog, select your Ethernet interface (e0 or e1, probably), and then enter "tcp port 13" in the Capture Filter blank. The blank should turn green to indicate a valid filter. Then hit the Start button.
  • Open a terminal and type
    nc [domain-or-IP] 13
    where "[domain-or-IP]" is the domain name or IP address of the NIST time server you selected from the list of time servers.
  • Wait for the time server to respond. Sometimes it takes a few seconds to respond. You'll be able to tell that the server has responded once the date and time are printed in your terminal.
  • Once you get a response, go to Wireshark and click on the red square Stop button.
  • Examine the list of network frames/packets shown in the main Wireshark display, and answer the questions listed in the What to hand in section below.

• Navigate to a web page.

  • Start a new capture (Capture→Options) with the filter "host 45.79.89.123" (which will only capture packets where either the sender or the destination are the host cs231.jeffondich.com.
  • In a web browser in Kali, navigate to this special page: http://cs231.jeffondich.com/index.html.
  • Watch out: If you try this a second time, your browser might decide not to retrieve the page over the network, but instead just display the copy of index.html that it retrieved the first time and stored in the browser cache. The way to make sure you get a fresh HTTP query each time is to open a new Private or Incognito window and navigate to the page from there.
  • Hit the Wireshark Stop button.
  • Examine the list of network frames/packets shown in the main Wireshark display, and answer the questions listed in the What to hand in section below.

Possibly handy information

• Here's a list of the "well-known ports" (that is, standard ports associated with common services).
• Here's the specification for the daytime protocol. In the list of well-known ports, note that daytime is normally supported on port 13 when it's supported at all.

Here is a very nice discussion of Wireshark and its uses. There are lots of tutorials online, of course.

What to hand in

• Put your answers in your repository in a text file named tools/wireshark.txt. Start this file with your name and your partner's name.
• Study the list of network frames/packets shown in the main Wireshark display for the daytime protocol experiment. In tools/wireshark.txt, add a heading (like "===== DAYTIME =====") to show me where your daytime protocol answers are, and then give brief answers to the following questions:
  1. Identify the parts of the TCP 3-way handshake by listing the frame summaries of the relevant frames. Your summaries should looks something like this:
     3 10.0.2.15 129.6.15.27 TCP [SYN]...
     (i.e. the frame number 3, the source IP address, the destination IP address, the protocol, and the "Info" for the frame).
  2. What port number does the client (i.e. nc on your Kali computer) use for this interaction? And why does the client need a port?
  3. What frame contains the actual date and time? (Show the frame summary as in question 1 above.)
  4. What is the full content (not counting the Ethernet, IP, and TCP headers) of the frame? What do each of the pieces of the frame content represent? (Most of the frame content is things like the year, month, day, hour, etc., but there's a little more info, too.)
  5. What does [SYN] mean?
  6. What does [ACK] mean?
  7. What does [FIN] mean?
  8. Which entity (the nc client or the daytime server) initiated the closing of the TCP connection? How can you tell?
• Study the list of network frames/packets shown in the main Wireshark display for the web browser experiment. In tools/wireshark.txt, add a heading (like "===== HTTP =====") to show me where your HTTP/browser answers are, and then give brief answers to the following questions:
  1. How many TCP connections were opened?
  2. Can you tell where my homepage (index.html) was requested? (If not, why not? If so, include frame summaries and/or other info that supports your answer.)
  3. Can you tell where my photograph (jeff_square_head.jpg) was requested? (If not, why not? If so, include frame summaries and/or other info that supports your answer.)
• Put one more heading in wireshark.txt (like "===== QUESTIONS ====="), and write down a few questions that you would like answered about how to interpret Wireshark output.