Topology
Objectives
Part 1: Prepare Wireshark to Capture Packets
Select an appropriate NIC interface to capture packets.
Part 2: Capture, Locate, and Examine Packets
Capture a web session to www.google.com.
Locate appropriate packets for a web session.
Examine information within packets, including IP addresses, TCP port numbers, and TCP control flags.
Background/Scenario
In this lab, you will use Wireshark to capture and examine packets generated between the PC browser using
the HyperText Transfer Protocol (HTTP) and a web server, such as www.google.com. When an application,
such as HTTP or File Transfer Protocol (FTP), first starts on a host, TCP uses the three-way handshake to
establish a reliable TCP session between the two hosts. For example, when a PC uses a web browser to surf
the Internet, a three-way handshake is initiated and a session is established between the PC host and the web
server. A PC can have multiple, simultaneous, active TCP sessions with various websites.
Note: This lab cannot be completed using Netlab. This lab assumes that you have Internet access.
Required Resources
1 PC (Windows 7, Vista, or XP with command prompt access, Internet access, and Wireshark installed)
Part 1: Prepare Wireshark to Capture Packets
In Part 1, you start the Wireshark program and select the appropriate interface to begin capturing packets.
Step 1: Retrieve the PC interface addresses.
For this lab, you need to retrieve your PC's IP address and its network interface card (NIC) physical address,
also called the MAC address.
a. Open a command prompt window, type ipconfig /all and then press Enter.
b. Write down the IP and MAC addresses associated with the selected Ethernet adapter, because that is the
source address to look for when examining captured packets.
The PC host IP address:
___192.168.1.130_____________________________________________________
The PC host MAC address:
____c8-0a-a9-fa-de-0d_________________________________________________
Step 2: Start Wireshark and select the appropriate interface.
a. Click the Windows Start button and on the pop-up menu, double-click Wireshark.
b. After Wireshark starts, click Interface List.
c. In the Wireshark: Capture Interfaces window, click the check box next to the interface connected to
your LAN.
Note: If multiple interfaces are listed and you are unsure which interface to check, click Details. Click the
802.3 (Ethernet) tab, and verify that the MAC address matches what you wrote down in Step 1b. Close the
Interface Details window after verification.
Part 2: Capture, Locate, and Examine Packets
Step 1: Click the Start button to start the data capture.
a. Go to www.google.com. Minimize the Google window, and return to Wireshark. Stop the data capture. You
should see captured traffic similar to that shown below in step b.
Note: Your instructor may provide you with a different website. If so, enter the website name or address
here:
____________________________________________________________________________________
b. The capture window is now active. Locate the Source, Destination, and Protocol columns.
Step 2: Locate appropriate packets for the web session.
If the computer was recently started and there has been no activity in accessing the Internet, you can see the
entire process in the captured output, including the Address Resolution Protocol (ARP), Domain Name System
(DNS), and the TCP three-way handshake. The capture screen in Part 2, Step 1 shows all the packets the
computer must get to www.google.com. In this case, the PC already had an ARP entry for the default
gateway; therefore, it started with the DNS query to resolve www.google.com.
Lab - Using Wireshark to Observe the TCP 3-Way Handshake
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
a. Frame 11 shows the DNS query from the PC to the DNS server, attempting to resolve the domain name
www.google.com to the IP address of the web server. The PC must have the IP address before it can send
the first packet to the web server.
What is the IP address of the DNS server that the computer queried? _192.168.111___________________
b. Frame 12 is the response from the DNS server with the IP address of www.google.com.
c. Find the appropriate packet for the start of your three-way handshake. In this example, frame 15 is the start
of the TCP three-way handshake.
What is the IP address of the Google web server? ___192.168.1.130_______________________________
d. If you have many packets that are unrelated to the TCP connection, it may be necessary to use the
Wireshark filter capability. Enter tcp in the filter entry area within Wireshark and press Enter.
Step 3: Examine information within packets including IP addresses, TCP port numbers, and
TCP control flags.
a. In our example, frame 15 is the start of the three-way handshake between the PC and the Google web
server. In the packet list pane (top section of the main window), select the frame. This highlights the line
and displays the decoded information from that packet in the two lower panes. Examine the TCP
information in the packet details pane (middle section of the main window).
b. Click the + icon to the left of the Transmission Control Protocol in the packet details pane to expand the
view of the TCP information.
c. Click the + icon to the left of the Flags. Look at the source and destination ports and the flags that are set.
Note: You may have to adjust the top and middle window sizes within Wireshark to display the necessary
information.
What is the TCP source port number? _49523_________________________
How would you classify the source port? ____random____________________
What is the TCP destination port number? __http (80)_____________________
How would you classify the destination port? ____http_________________
Which flag (or flags) is set? _____no flags are set___________________
What is the relative sequence number set to? __0__________________
d. To select the next frame in the three-way handshake, select Go on the Wireshark menu and select Next
Packet In Conversation. In this example, this is frame 16. This is the Google web server reply to the initial
request to start a session.
What are the values of the source and destination ports? ______________________________________
Which flags are set?
_____acknowledgement______________________________________________________________
What are the relative sequence and acknowledgement numbers set to?
_______________0_____________________________________________________________________
e. Finally, examine the third packet of the three-way handshake in the example. Clicking frame 17 in the top
window displays the following information in this example:
Examine the third and final packet of the handshake.
Which flag (or flags) is set?
_acknowledgment____________________________________________________________
The relative sequence and acknowledgement numbers are set to 1 as a starting point. The TCP connection
is now established, and communication between the source computer and the web server can begin.
f. Close the Wireshark program.
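The fields you read off frames 15, 16 and 17 in Step 3 (ports, port class, flags, and Wireshark's relative sequence and acknowledgement numbers) can be decoded from the raw bytes without Wireshark. The following is an added example, not part of the Cisco lab: it constructs three minimal IPv4/TCP frames that mirror the lab's handshake (PC 192.168.1.130, client port 49523, server port 80; the server address 203.0.113.10 and both initial sequence numbers are made up), parses them the way a dissector would, and reports the same answers the questions ask for. It also checks that the three segments actually form a valid SYN, SYN/ACK, ACK exchange, which is what a tcp.flags display filter cannot tell you on its own.

```python
"""Added example (not part of the Cisco lab): decode the three TCP segments of a
handshake and report ports, port class, flags and Wireshark-style relative
sequence/acknowledgement numbers. Frames are constructed inline; the server
address and the initial sequence numbers (ISNs) are made-up values."""
import socket
import struct
from dataclasses import dataclass

# TCP flag bits in the 8-bit flags byte (RFC 793 plus ECE/CWR from RFC 3168).
TCP_FLAGS = ((0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
             (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"))
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Construct a minimal IPv4 header + 20-byte TCP header (no options, no payload,
    no Ethernet header). Checksums are left zero: fine for a parser, not for the wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


def parse_frame(frame):
    """Walk IPv4 -> TCP as a dissector does: honour the IHL field instead of
    assuming a 20-byte IP header, and refuse anything that is not IPv4/TCP."""
    version, ihl = frame[0] >> 4, (frame[0] & 0x0F) * 4
    if version != 4 or frame[9] != 6:
        raise ValueError("not an IPv4/TCP frame")
    src_ip, dst_ip = socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20])
    sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", frame[ihl:ihl + 14])
    return Segment(src_ip, dst_ip, sport, dport, seq, ack, flags)


def flag_names(flags):
    return [name for bit, name in TCP_FLAGS if flags & bit]


def classify_port(port):
    """IANA ranges: the lab's client port 49523 is dynamic/ephemeral, 80 is well-known."""
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic/ephemeral"


def describe_conversation(frames):
    """One row per segment with Wireshark-style relative numbers: the first sequence
    number seen in each direction becomes 0, so SYN=0/0, SYN-ACK=0/1, ACK=1/1."""
    isn = {}
    rows = []
    for frame in frames:
        s = parse_frame(frame)
        fwd = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        rev = (s.dst_ip, s.dst_port, s.src_ip, s.src_port)
        isn.setdefault(fwd, s.seq)
        rel_seq = (s.seq - isn[fwd]) & 0xFFFFFFFF
        # The ack field only means something when ACK is set and the peer's ISN is known.
        rel_ack = (s.ack - isn[rev]) & 0xFFFFFFFF if s.flags & ACK and rev in isn else 0
        rows.append({"src_port": s.src_port, "dst_port": s.dst_port,
                     "flags": flag_names(s.flags), "rel_seq": rel_seq, "rel_ack": rel_ack})
    return rows


def check_handshake(frames):
    """Verify three frames are SYN, SYN/ACK, ACK with consistent ports and numbers.
    Returns 'established' or a short reason; a SYN answered by RST means a closed port."""
    if len(frames) != 3:
        return "need exactly three segments"
    a, b, c = (parse_frame(f) for f in frames)
    if a.flags != SYN:
        return "first segment is not a bare SYN"
    if b.flags & RST:
        return "port closed: server answered SYN with RST"
    if b.flags != SYN | ACK or (b.src_port, b.dst_port) != (a.dst_port, a.src_port):
        return "second segment is not the server's SYN/ACK"
    if b.ack != (a.seq + 1) & 0xFFFFFFFF:
        return "SYN/ACK does not acknowledge the client's ISN"
    if c.flags != ACK or c.seq != (a.seq + 1) & 0xFFFFFFFF or c.ack != (b.seq + 1) & 0xFFFFFFFF:
        return "third segment does not complete the handshake"
    return "established"


# Constructed frames mirroring the lab: PC 192.168.1.130:49523 -> web server port 80.
# 203.0.113.10 and both ISNs are invented for the example.
CLIENT_ISN, SERVER_ISN = 0x1F2E3D4C, 0xA5B4C3D2
HANDSHAKE = [
    build_frame("192.168.1.130", "203.0.113.10", 49523, 80, CLIENT_ISN, 0, SYN),
    build_frame("203.0.113.10", "192.168.1.130", 80, 49523, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_frame("192.168.1.130", "203.0.113.10", 49523, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]

if __name__ == "__main__":
    for n, row in enumerate(describe_conversation(HANDSHAKE), start=15):
        print(f"frame {n}: {row}")
    print(check_handshake(HANDSHAKE))
```

Running the block prints frame 15 as SYN with relative seq 0, frame 16 as SYN/ACK with seq 0 and ack 1, and frame 17 as ACK with seq 1 and ack 1, which is exactly what Wireshark displays because it rewrites both directions' sequence numbers relative to the ISNs. Feed check_handshake a SYN followed by an RST/ACK instead and it reports a closed port, the pattern to look for when a web server does not answer.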
Reflection
1. There are hundreds of filters available in Wireshark. A large network could have numerous filters and many
different types of traffic. Which three filters in the list might be the most useful to a network administrator?
_______________________________________________________________________________________
2. What other ways could Wireshark be used in a production network?
_______________________________________________________________________________________
_______________________________________________________________________________________