
Istanbul Technical University Electrical Electronical Faculty Computer Engineering Department

Advanced Topics in Computer Networks


Homework: Using Wireshark

504081557 Muamer BAJRIC 22 Feb 2009

1. Objective of the Assignment


One's understanding of network protocols can often be greatly deepened by seeing protocols in action and by playing around with them: observing the sequence of messages exchanged between two protocol entities, going deep down into the details of protocol operation, and causing protocols to perform certain actions and then observing these actions and their consequences. This can be done in simulated scenarios or in a real network environment such as the Internet. The basic tool for observing the messages exchanged between executing protocol entities is called a network packet sniffer or network packet analyzer. Wireshark is perhaps one of the best open source packet analyzers available today. The main objective of this assignment is to become familiar with the basic functions of Wireshark and to use it to capture and analyze packets sent or received by our computer, which is part of the network.

2. Introduction
2.1 Wireshark Basics

Figure 2.1.1: Wireshark captured packets screen shot

The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark), the time at which the packet was captured, the packet's source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet-header details window provides details about the packet selected (highlighted) in the packet-listing window. These details include information about the Ethernet frame and IP datagram that contain this packet. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed. Finally, details about the highest-level protocol that sent or received this packet are also provided (e.g. Hypertext Transfer Protocol, Domain Name System, etc.).

The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.

2.2 Frame protocol

The frame protocol isn't a real protocol itself, but is used by Wireshark as a base for all the protocols on top of it. It shows information from capturing, such as the exact time a specific frame was captured. The frame protocol will not be analyzed or mentioned in the further text.

2.3 Ethernet

Ethernet is the most common local area networking technology. Ethernet sends network packets from the sending host to one (unicast) or more (multicast/broadcast) receiving hosts.

Figure 2.3.1: Physical Ethernet packet [1]

2.4 Internet Protocol

The Internet Protocol provides the network layer (layer 3) transport functionality. The IP protocol is used to transfer packets from one IP address to another. The user of this layer gives a packet and a remote IP address, and IP is responsible for transferring the packet to that host.

Figure 2.4.1: IP Header [2]

[1] http://wiki.wireshark.org/Ethernet?action=show&redirect=Protocols%2Feth
[2] http://en.wikipedia.org/wiki/IPv4#Header

2.5 Transmission Control Protocol

The Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol Suite. Whereas IP handles lower-level transmissions from computer to computer as a message makes its way across the Internet, TCP operates at a higher level, concerned only with the two end systems, for example a Web browser and a Web server. In particular, TCP provides reliable, ordered delivery of a stream of bytes from one program on one computer to another program on another computer.

Figure 3.2.1: TCP segment structure [3]

2.6 User Datagram Protocol

With UDP, computer applications can send messages, sometimes known as datagrams, to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths. UDP uses a simple transmission model without implicit hand-shaking dialogues for guaranteeing reliability, ordering, or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated, or go missing without notice.

Figure 2.6.1: UDP packet structure [4]

[3] http://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_segment_structure
[4] http://en.wikipedia.org/wiki/User_Datagram_Protocol#Packet_structure

3. Capturing Packets
3.1 Packet Analyzing

Capturing packets in Wireshark was started at 22:38:12 and stopped at 22:41:31. In this period of time 628 packets were captured, 234 of which were SSDP [5] (Simple Service Discovery Protocol) packets. By filtering packets with the filter string below

(http contains ssdp) and (ip.dst == 239.255.255.250)

we obtain the list shown in Figure 3.1.1.

Figure 3.1.1: Filtering captured packets

[5] SSDP is the basis of the discovery protocol of Universal Plug and Play. SSDP provides a mechanism which network clients can use to discover network services. The multicast address is 239.255.255.250 in IPv4.

Negating both terms of the filter string, we obtain a clean list of the packets that will be used for observing and analyzing:

!(http contains ssdp) and (ip.dst != 239.255.255.250)

(This is stricter than a plain negation of the previous filter: it also hides any non-SSDP packet addressed to the multicast group, which is what we want for a clean list.)

Figure 3.1.2: Showing only packets that will be used for observing and analyzing.

From the filtered list (Figure 3.1.2), a few randomly selected packets (both TCP and UDP) will be analyzed and explained in detail.

3.2 TCP Packet Analyzing

The packet that will be analyzed is shown in Table 3.2.1 and its header details are shown in Figure 3.2.2.

Table 3.2.1: Selected packet summary
No.  Time       Source                 Destination    Protocol  Info
224  95.499142  ew-in-f127.google.com  192.168.2.101  HTTP      HTTP/1.1 200 OK (GIF89a)

Figure 3.2.2: Selected packet's header details window

Step by step analyzing:

3.2.1 Ethernet II, Src: USRoboti_08:b4:b0 (00:14:c1:08:b4:b0), Dst: Inventec_2a:b2:38 (00:a0:d1:2a:b2:38)

0000  00 a0 d1 2a b2 38 00 14 c1 08 b4 b0 08 00

Destination MAC address : 00:a0:d1:2a:b2:38 (See Figure 4.1)
Source MAC address      : 00:14:c1:08:b4:b0 (See Figure 4.2)
Type                    : IP (0x0800)

Ethernet interfaces usually do not supply the preamble and the Frame Check Sequence (FCS) to Wireshark.

3.2.2 Internet Protocol, Src: ew-in-f127.google.com (74.125.77.127), Dst: 192.168.2.101
0000  45 00 01 71 72 22 00 00 36 06 b6 5b 4a 7d 4d 7f
0010  c0 a8 02 65

Version                       : 4
Header length                 : 20 bytes
Differentiated Services Field : 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
Total Length                  : 369
Identification                : 0x7222 (29218)
Flags                         : 0x00
    0... = Reserved bit: Not set
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
Fragment offset               : 0
Time to live                  : 54
Protocol                      : TCP (0x06)
Header checksum               : 0xb65b [correct]
Source                        : ew-in-f127.google.com (74.125.77.127)
Destination                   : 192.168.2.101 (192.168.2.101)

3.2.3 Transmission Control Protocol, Src Port: http (80), Dst Port: ridgeway2 (2777), Seq: 1, Ack: 845, Len: 329
0000  00 50 0a d9 76 bc 5b 7a cb ef 0b 9e 50 18 1a 60
0010  62 78 00 00

Source port            : http (80)
Destination port       : ridgeway2 (2777)
Sequence number        : 1 (relative sequence number)
Next sequence number   : 330 (relative sequence number)
Acknowledgement number : 845 (relative ack number)
Header length          : 20 bytes
Flags                  : 0x18 (PSH, ACK)
    0... .... = Congestion Window Reduced (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgment: Set
    .... 1... = Push: Set
    .... .0.. = Reset: Not set
    .... ..0. = Syn: Not set
    .... ...0 = Fin: Not set
Window size            : 6752
Checksum               : 0x6278 [correct]

The rest of the data represents the HTTP response header received from the server (ew-in-f127.google.com) and the GIF content.

3.3 UDP Packet Analyzing (Out / Request)

The packet that will be analyzed is shown in Table 3.3.1 and its header details are shown in Figure 3.3.2.

Table 3.3.1: Selected packet summary
No.  Time       Source         Destination            Protocol  Info
36   17.144696  192.168.2.101  resolver1.opendns.com  DNS       Standard query A ew-in-f127.google.com

Figure 3.3.2: Selected packet's header details window

Step by step analyzing:

3.3.1 Ethernet II, Src: Inventec_2a:b2:38 (00:a0:d1:2a:b2:38), Dst: USRoboti_08:b4:b0 (00:14:c1:08:b4:b0)

0000  00 14 c1 08 b4 b0 00 a0 d1 2a b2 38 08 00

Destination MAC address : 00:14:c1:08:b4:b0 (See Figure 4.2)
Source MAC address      : 00:a0:d1:2a:b2:38 (See Figure 4.1)
Type                    : IP (0x0800)

Ethernet interfaces usually do not supply the preamble and the Frame Check Sequence (FCS) to Wireshark.

3.3.2 Internet Protocol, Src: 192.168.2.101, Dst: resolver1.opendns.com (208.67.222.222)
0000  45 00 00 43 59 dc 00 00 80 11 6e 9e c0 a8 02 65
0010  d0 43 de de

Version                       : 4
Header length                 : 20 bytes
Differentiated Services Field : 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
Total Length                  : 67
Identification                : 0x59dc (23004)
Flags                         : 0x00
    0... = Reserved bit: Not set
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
Fragment offset               : 0
Time to live                  : 128
Protocol                      : UDP (0x11)
Header checksum               : 0x6e9e [correct]
Source                        : 192.168.2.101 (192.168.2.101)
Destination                   : resolver1.opendns.com (208.67.222.222)

3.3.3 User Datagram Protocol, Src Port: 2194 (2194), Dst Port: domain (53)
0000  08 92 00 35 00 2f 19 bf

Source port      : 2194 (2194)
Destination port : domain (53)
Length           : 47
Checksum         : 0x19bf [correct]

The rest of the data represents the Domain Name System query sent to the server (DNS lookup for ew-in-f127.google.com: type A, class IN).

3.4 UDP Packet Analyzing (In / Response)

The packet that will be analyzed is shown in Table 3.4.1 and its header details are shown in Figure 3.4.2.

Table 3.4.1: Selected packet summary
No.  Time       Source                 Destination    Protocol  Info
37   17.229149  resolver1.opendns.com  192.168.2.101  DNS       Standard query response A 74.125.77.127

Figure 3.4.2: Selected packet's header details window

Step by step analyzing:

3.4.1 Ethernet II, Src: USRoboti_08:b4:b0 (00:14:c1:08:b4:b0), Dst: Inventec_2a:b2:38 (00:a0:d1:2a:b2:38)

0000  00 a0 d1 2a b2 38 00 14 c1 08 b4 b0 08 00

Destination MAC address : 00:a0:d1:2a:b2:38 (See Figure 4.1)
Source MAC address      : 00:14:c1:08:b4:b0 (See Figure 4.2)
Type                    : IP (0x0800)

Ethernet interfaces usually do not supply the preamble and the Frame Check Sequence (FCS) to Wireshark.

3.4.2 Internet Protocol, Src: resolver1.opendns.com (208.67.222.222), Dst: 192.168.2.101
0000  45 00 00 53 00 00 40 00 3a 11 ce 6a d0 43 de de
0010  c0 a8 02 65

Version                       : 4
Header length                 : 20 bytes
Differentiated Services Field : 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
Total Length                  : 83
Identification                : 0x0000 (0)
Flags                         : 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
Fragment offset               : 0
Time to live                  : 58
Protocol                      : UDP (0x11)
Header checksum               : 0xce6a [correct]
Source                        : resolver1.opendns.com (208.67.222.222)
Destination                   : 192.168.2.101 (192.168.2.101)

3.4.3 User Datagram Protocol, Src Port: domain (53), Dst Port: 2194 (2194)
0000  00 35 08 92 00 3f 08 74

Source port      : domain (53)
Destination port : 2194 (2194)
Length           : 63
Checksum         : 0x0874 [correct]

The rest of the data represents the Domain Name System query response sent from the server (DNS lookup result for ew-in-f127.google.com: type A, class IN, addr 74.125.77.127).
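The three analyses above (sections 3.2, 3.3 and 3.4) read the header fields and the "[correct]" checksum verdict off Wireshark's display. As an added example, not part of the original report, the following Python script decodes the same header bytes by hand and recomputes the IPv4 header checksum, so the reader can see where Wireshark's values come from. The hex strings are copied from the report's own dumps; the function and field names are this example's own choice.

```python
"""Decode the Ethernet, IPv4, TCP and UDP header bytes quoted in sections
3.2-3.4 and re-check the IPv4 header checksum that Wireshark marks [correct].

Added example, not part of the original report. The hex strings are copied
from the report's packet dumps; function and field names are this example's
own choice.
"""
import struct


def hexbytes(s):
    """Turn a Wireshark-style hex dump fragment into bytes (spaces ignored)."""
    return bytes.fromhex(s.replace(" ", ""))


# Header bytes as printed in the report (frame numbers from its tables).
ETH_224 = hexbytes("00 a0 d1 2a b2 38 00 14 c1 08 b4 b0 08 00")
IP_224 = hexbytes("45 00 01 71 72 22 00 00 36 06 b6 5b 4a 7d 4d 7f c0 a8 02 65")
TCP_224 = hexbytes("00 50 0a d9 76 bc 5b 7a cb ef 0b 9e 50 18 1a 60 62 78 00 00")
IP_36 = hexbytes("45 00 00 43 59 dc 00 00 80 11 6e 9e c0 a8 02 65 d0 43 de de")
UDP_36 = hexbytes("08 92 00 35 00 2f 19 bf")
IP_37 = hexbytes("45 00 00 53 00 00 40 00 3a 11 ce 6a d0 43 de de c0 a8 02 65")
UDP_37 = hexbytes("00 35 08 92 00 3f 08 74")

# TCP flag bits, lowest bit first (same order as Wireshark's bit display).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ipv4_str(b):
    return ".".join(str(x) for x in b)


def ones_complement_sum(data):
    """RFC 1071: sum 16-bit words, folding carries back into the low 16 bits."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum_ok(header):
    """A header whose checksum field is intact sums to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def parse_ethernet(b):
    dst, src, etype = struct.unpack("!6s6sH", b[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype}


def parse_ipv4(b):
    (vihl, _dsfield, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", b[:20])
    ihl = (vihl & 0x0F) * 4          # header length in bytes
    return {
        "version": vihl >> 4, "header_len": ihl, "total_len": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000), "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto, "checksum": csum,
        "checksum_ok": ip_checksum_ok(b[:ihl]),
        "src": ipv4_str(src), "dst": ipv4_str(dst),
    }


def parse_tcp(b):
    (sport, dport, seq, ack, off_flags,
     window, csum, urg) = struct.unpack("!HHIIHHHH", b[:20])
    flags = off_flags & 0x01FF       # low 9 bits: FIN..CWR plus NS
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4, "flags": flags,
        "flag_names": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
        "window": window, "checksum": csum, "urgent": urg,
    }


def parse_udp(b):
    sport, dport, length, csum = struct.unpack("!HHHH", b[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum}


if __name__ == "__main__":
    print("frame 224:", parse_ethernet(ETH_224))
    print("          ", parse_ipv4(IP_224))
    print("          ", parse_tcp(TCP_224))
    print("frame 36: ", parse_ipv4(IP_36), parse_udp(UDP_36))
    print("frame 37: ", parse_ipv4(IP_37), parse_udp(UDP_37))
    # One flipped TTL bit is enough to make the header checksum fail.
    damaged = bytearray(IP_224)
    damaged[8] ^= 0x01
    print("damaged header checksum_ok:", parse_ipv4(bytes(damaged))["checksum_ok"])
```

The IPv4 check works because the sender stores the one's complement of the header sum in the checksum field, so summing the received header with that field included must give 0xFFFF; the "damaged" case shows that a single flipped bit breaks it. Only the IPv4 checksum is recomputed here: the TCP and UDP checksums cover a pseudo-header and the full payload, and the report reproduces only the header bytes.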

4. Computer and Router Information

Figure 4.1: Computer network configuration

Figure 4.2: Router configuration

5. References
1. Wireshark Wiki - http://wiki.wireshark.org
2. Wikipedia - http://en.wikipedia.org
3. UMASSCS - http://cs.umass.edu
