This set of exercises should give you a start on getting to know the protocol analyzer
(also known as a packet sniffer) Wireshark.
Keep a list of questions you'd like me to address during our next class period, and hand them in after class.
Assuming you're in WCC138 during the winter term of 2018, start by booting into Mac and launching
our Kali virtual machine. Then launch Wireshark. (You can select the Applications menu in the upper left of Kali's
desktop, then "Sniffing & Spoofing", then Wireshark. Alternatively, you can type "wireshark &" in a terminal window.)
As you play with Wireshark, it's useful to know the port numbers usually associated
with various internet protocols. Here is a list of the "well-known ports". We'll be using the
daytime protocol right away, which you can see is normally supported on server port 13
when it's supported at all.
Asking a NIST time server for the current time.
The first thing we want to observe is a minimal TCP interaction: handshake
followed by a server response of some kind followed by connection termination.
Fortunately, the daytime protocol gives us a
readily available service that involves just that.
- Choose a time server from this list of National Institute of Standards and Technology time servers.
- In Wireshark, go to the Capture→Options menu. In the resulting dialog, select
your Ethernet interface (eth0 or eth1, probably), and then enter "tcp port 13" in the
Capture Filter blank. The blank should turn green to indicate a valid filter.
Then hit the Start button.
- In a terminal window in Kali, type
nc [domain-or-IP] 13
where "[domain-or-IP]" is the domain name or IP address of the NIST time server you selected.
- Wait for the time server to respond. During my experiments, it has been taking
several seconds to get a response.
- Once you get a response, go to Wireshark and click on the red square Stop button.
- Study the list of network frames/packets shown in the main Wireshark display.
Can you identify the parts of the TCP 3-way handshake? Can you see where the NIST time
server sent the human-readable time information? Can you tell where the TCP connection
was terminated? What else do you see?
Navigating to a web page.
- Start a new capture (Capture→Options) with the filter "host 137.22.4.23" (which
will only capture packets where either the sender or the destination is the host cs.carleton.edu).
- In a web browser in Kali, navigate to my CS home page
http://cs.carleton.edu/faculty/jondich/index.html.
- Hit the Wireshark stop button.
- Study the captured packets. How many TCP connections were opened? Can you see the
HTTP GET query? Does it have the form you expected? Can you find your browser's User-Agent string?
Were there any other GET queries besides the one for /faculty/jondich/index.html? What were they
for, and why and when were they issued? etc.
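The two captures above (the port-13 daytime session and the HTTP session to cs.carleton.edu) can also be checked mechanically rather than by eye. What follows is an added example, not part of this handout, of a small pure-Python analyzer that labels each frame's role (handshake 1/3, 2/3, 3/3, data, FIN, RST), counts TCP connections, collects what the server sent, and pulls the request line and User-Agent out of HTTP GET payloads. Everything in it is constructed so that it runs offline: the client and NIST addresses (10.0.2.15 and the TEST-NET address 192.0.2.13) are placeholders, the daytime string is a made-up line in the NIST style, the User-Agent is invented, and the second request for /favicon.ico is a hypothetical stand-in for the extra GETs a browser may issue on its own.

```python
"""Added example (not from the course page): offline Ethernet/IPv4/TCP analyzer that
labels handshake, data and FIN segments, counts connections and extracts HTTP request
lines and User-Agent headers.  All frames below are constructed placeholders."""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b""):
    """Ethernet+IPv4+TCP frame; dummy MACs, zero checksums (never verified here)."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")      # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """TCP fields of an IPv4/TCP Ethernet frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                      # not IPv4, or IP protocol != 6 (TCP)
    ihl, ip_total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + ip_total]                  # honour IP total length, ignore padding
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": tcp[(off >> 4) * 4:]}


def parse_http_request(payload):
    """(request_line, user_agent) for an HTTP request payload, else None."""
    lines = payload.decode("latin-1").split("\r\n")
    if not lines[0].startswith(("GET ", "HEAD ", "POST ")):
        return None
    ua = next((l.split(":", 1)[1].strip() for l in lines[1:]
               if l.lower().startswith("user-agent:")), None)
    return lines[0], ua


def analyze(frames):
    """Group frames by (client, cport, server, sport); return (connections, labels)."""
    conns, labels = {}, []
    for raw in frames:
        p = parse_frame(raw)
        if p is None:
            labels.append("non-TCP frame"); continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"]); rev = fwd[2:] + fwd[:2]
        f, data = p["flags"], p["payload"]
        if f & SYN and not f & ACK:                      # a new connection begins here
            conns[fwd] = {"state": "SYN_SENT", "requests": [], "server_data": b""}
            labels.append("SYN client->server (handshake 1/3)"); continue
        key = fwd if fwd in conns else rev
        if key not in conns:
            labels.append("segment for unknown connection"); continue
        c, to_server = conns[key], key == fwd
        way = "client->server" if to_server else "server->client"
        if f & SYN:                                      # SYN+ACK from the server
            c["state"], label = "SYN_RECEIVED", "SYN-ACK server->client (handshake 2/3)"
        elif c["state"] == "SYN_RECEIVED" and not data:  # the client's bare ACK
            c["state"], label = "ESTABLISHED", "ACK client->server (handshake 3/3)"
        elif f & RST:
            c["state"], label = "RESET", "RST " + way
        else:
            if data and to_server:                       # client data: look for an HTTP request
                req = parse_http_request(data)
                if req: c["requests"].append(req)
            elif data:                                   # server data, e.g. the daytime string
                c["server_data"] += data
            label = ("data %d bytes " % len(data) if data else "FIN " if f & FIN else "ACK ") + way
            if f & FIN:                                  # first FIN half-closes, second closes
                c["state"] = "CLOSED" if c["state"] == "FIN_WAIT" else "FIN_WAIT"
        labels.append(label)
    return conns, labels


# --- constructed sample capture: one daytime session, then two HTTP connections ---
CLIENT, NIST, WEB = "10.0.2.15", "192.0.2.13", "137.22.4.23"   # 192.0.2.13 is a TEST-NET placeholder
DAYTIME_REPLY = b"\n58119 18-01-01 12:00:00 00 0 0 123.4 UTC(NIST) *\r\n"   # made-up NIST-style line
UA = b"ExampleBrowser/1.0 (constructed)"
GET_INDEX = (b"GET /faculty/jondich/index.html HTTP/1.1\r\nHost: cs.carleton.edu\r\n"
             b"User-Agent: " + UA + b"\r\n\r\n")
GET_ICON = b"GET /favicon.ico HTTP/1.1\r\nHost: cs.carleton.edu\r\nUser-Agent: " + UA + b"\r\n\r\n"
HTTP_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"


def tcp_session(server, sport, cport, request, reply, isn=1000, srv_isn=5000):
    """Handshake, optional client request, server reply, server-initiated close."""
    f = [build_frame(CLIENT, server, cport, sport, SYN, isn, 0),
         build_frame(server, CLIENT, sport, cport, SYN | ACK, srv_isn, isn + 1),
         build_frame(CLIENT, server, cport, sport, ACK, isn + 1, srv_isn + 1)]
    cseq, sseq = isn + 1, srv_isn + 1
    if request:
        f.append(build_frame(CLIENT, server, cport, sport, PSH | ACK, cseq, sseq, request))
        cseq += len(request)
    f += [build_frame(server, CLIENT, sport, cport, PSH | ACK, sseq, cseq, reply),
          build_frame(server, CLIENT, sport, cport, FIN | ACK, sseq + len(reply), cseq),
          build_frame(CLIENT, server, cport, sport, FIN | ACK, cseq, sseq + len(reply) + 1),
          build_frame(server, CLIENT, sport, cport, ACK, sseq + len(reply) + 1, cseq + 1)]
    return f


SAMPLE_CAPTURE = (tcp_session(NIST, 13, 40001, b"", DAYTIME_REPLY)
                  + tcp_session(WEB, 80, 40002, GET_INDEX, HTTP_OK)
                  + tcp_session(WEB, 80, 40003, GET_ICON, HTTP_OK))

if __name__ == "__main__":
    conns, labels = analyze(SAMPLE_CAPTURE)
    print("\n".join(labels)); print("TCP connections opened:", len(conns))
    for key, c in conns.items():
        print(key, c["state"], c["requests"], c["server_data"].strip()[:40])
```

To run it against a real capture, save the capture from Wireshark in pcap format, skip the file's 24-byte global header, and pass the bytes of each record (after its 16-byte record header) to analyze(). The parser only handles untagged IPv4 frames; 802.1Q-tagged or IPv6 frames are reported as "non-TCP frame", and a capture that starts mid-connection shows up as "segment for unknown connection" because no SYN was seen.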
Start your homework
- Read the description of your next assignment.
- Try capturing and saving the relevant packets. You can, of course, work in WCC138
any time it's not in use for other purposes. But you can also try installing Wireshark
on your own computer. By saving your captured packets in a .pcap file, you can send that
to yourself and open it in Wireshark wherever you happen to have a copy of Wireshark installed.
- This is a slightly more complicated exercise than the ones above, with a considerably
more detailed investigation of the captured packets. Get started, ask lots of questions,
and have fun!
By the way, here is a very nice discussion of Wireshark and its uses. There are lots of tutorials online, of course.