
Experiment No. 2
FRAME CAPTURING AND ANALYZING USING WIRESHARK
1. Objective(s):
The activity aims to introduce students to the packet-sniffing software Wireshark, familiarize them with it, and let them look at the encapsulation process.
2. Intended Learning Outcomes (ILOs):
The students shall be able to:
2.1 learn general information about the packet-sniffing software called Wireshark;
2.2 become familiar with the interface and features of Wireshark;
2.3 capture packets using Wireshark;
2.4 observe the encapsulation process.
3. Discussion:
In this experiment we use a packet sniffer called Wireshark. Wireshark (formerly known as Ethereal) is a free packet sniffer/analyzer available for both UNIX-like systems (Unix, Linux, Mac OS X, BSD, and Solaris) and Windows. It captures packets from a network interface and displays them with detailed protocol information. Wireshark, however, is a passive analyzer: it only captures packets without manipulating them; it neither sends packets to the network nor performs any other active operation. Wireshark is not an intrusion-detection tool either; it gives no warning about network intrusions. Nevertheless, it can help network administrators figure out what is going on inside a network and troubleshoot network problems. In addition to being an indispensable tool for network administrators, Wireshark is a valuable tool for protocol developers, who can use it to debug protocol implementations. It is also a great educational tool for computer-network students, who can use it to see the details of protocol operations in real time.
One use of Wireshark is to analyze packets using the upper four layers of the TCP/IP protocol suite. Encapsulation and decapsulation can be observed with this packet sniffer. Wireshark works both as a packet capturer and as a packet analyzer. The packet capturer seizes a copy of every outgoing and incoming frame (at the data-link layer) and passes it to the packet analyzer, which can then extract the different headers and the ultimate message for analysis. Figure 1.1 shows the role of frame capturing and packet analyzing in a packet sniffer.

Figure 1.1: Frame capturing and packet analyzing in a packet sniffer

4. Resources:
Wireshark software; Windows OS PC (with Admin access); SOHO router or an internet connection
5. Procedure:
1. Downloading and installing. To download the Wireshark software, connect to the Internet and visit the website http://www.wireshark.org/download.html. After the download is complete, install the software on your computer.
2. Open the Wireshark program and observe the window and its sections. The Wireshark window is made up of seven sections: title bar, menu bar, filter bar, packet list pane, packet detail pane, packet byte pane, and status bar. After taking time to examine the sections, briefly describe the functionality of each section in 6.1. (Do not go to step 3 without answering section 6.1.)
3. Begin capturing packets by selecting Capture from the pull-down menu and clicking Options to open the Wireshark Capture Options dialog box. You will normally use the default values in the Capture Options dialog box, but there are some options whose defaults you may need to override. In particular, you may want to uncheck Hide capture info dialog.
4. The network interfaces are shown in the Interface drop-down list at the top of the dialog box. Select the network interface (or use the default interface chosen by Wireshark). If the IP address shown in the dialog box is unknown, you must select a different interface; otherwise Wireshark will not capture any packets. Select the LAN card of your computer. After the above two steps, click Start. Wireshark starts to capture the packets exchanged between your computer and the network. If, after a minute, Wireshark has not captured any packets, there must be a problem; check for possible reasons and troubleshoot. Write your observations in 6.2. (Do not go to step 5 without writing your observations in section 6.2.)
5. Whenever you feel you have captured all the packets (frames) that you need for your lab report, you can stop capturing. To do so, use the Capture pull-down menu and click Stop. Wireshark stops capturing frames. After you have stopped capturing, you may want to save the captured file for future use.
6. If the LAN doesn't have an Internet connection, assign a static IP address to the computer (refer to the board instructions). In this lab we retrieve a web page and, using Wireshark, capture the packets. Start up your web browser and clear the browser's cache, but do not access any site yet.
7. To refresh Wireshark, close it, open it again and start capturing. Arrange your browser so that the Wireshark window can still be seen. Use the filter box to show only frames whose source or destination protocol is HTTP. Note that you need to type http in lowercase in the filter box and click Apply.
8. Now go back to your browser and access any website if there is an Internet connection; if there is none, the router's setup page can be accessed instead by typing http://192.168.10.1. Stop capturing and save the captured file. Answer 6.3.

Course:
Group No.:
Group Members:

Experiment No.:
Section:
Date Performed:
Date Submitted:
Instructor:

6. Data and Results:


6.1. WireShark seven sections:
a. title bar

b. menu bar

c. filter bar

d. packet list pane

e. packet detail pane

f. packet byte pane

g. status bar

6.2. WireShark capture observations:

6.3. Using the first frame with the source protocol HTTP, answer the following questions:
6.3.1. How do you know if the frame is incoming or outgoing?
Is the frame an outgoing or an incoming frame?
6.3.2. What is the source IP address of the network-layer header in the frame?
6.3.3. What is the destination IP address of the network-layer header in the frame?
6.3.4. What is the total number of bytes in the whole frame?
6.3.5. What is the number of bytes in the Ethernet (data-link layer) header?
6.3.6. What is the number of bytes in the IP header?
6.3.7. What is the number of bytes in the TCP header?
6.3.8. What is the total number of bytes in the message (at the application layer)?
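The byte counts asked for in 6.3 are exactly what the encapsulation described in the Discussion predicts: the frame is an Ethernet header, followed by an IP header whose length is given by its IHL field, followed by a TCP header whose length is given by its data-offset field, followed by the application message. The following Python script is an added example written for this handout (it is not part of the handout and not Wireshark code): it peels those headers off the raw bytes of one frame and reports the figures for 6.3.1 to 6.3.8. The raw bytes can be pasted from Wireshark's packet bytes pane via "Copy as Hex Stream". The sample frame at the bottom is constructed here, with placeholder MAC addresses and zeroed checksums; the router address 192.168.10.1 is the one used in step 8.

```python
import struct
from dataclasses import dataclass

# Constants from the Ethernet and IP specifications.
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
ETH_HEADER_LEN = 14


@dataclass
class FrameSummary:
    """The figures asked for in section 6.3, computed from the raw frame bytes."""
    src_mac: str
    dst_mac: str
    src_ip: str             # 6.3.2
    dst_ip: str             # 6.3.3
    frame_bytes: int        # 6.3.4: whole frame
    eth_header_bytes: int   # 6.3.5: Ethernet header
    ip_header_bytes: int    # 6.3.6: IP header (IHL * 4)
    tcp_header_bytes: int   # 6.3.7: TCP header (data offset * 4)
    message_bytes: int      # 6.3.8: application-layer message


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> FrameSummary:
    """Peel the Ethernet, IPv4 and TCP headers off one captured frame.

    Only IPv4-over-Ethernet carrying TCP is handled; anything else raises
    ValueError rather than silently returning wrong sizes. Checksums are not
    validated: the point is header lengths, not integrity.
    """
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")

    ip = frame[ETH_HEADER_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip[0] & 0x0F) * 4             # IP header length in bytes (20 without options)
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("inconsistent IPv4 length fields")
    if ip[9] != PROTO_TCP:
        raise ValueError(f"unsupported IP protocol {ip[9]}")

    # Use the IP total length, not len(frame): short Ethernet frames carry padding.
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp[12] >> 4) * 4     # TCP header length in bytes
    if data_offset < 20 or data_offset > len(tcp):
        raise ValueError("inconsistent TCP data offset")
    message = tcp[data_offset:]

    return FrameSummary(
        src_mac=_mac(src_mac), dst_mac=_mac(dst_mac),
        src_ip=_ipv4(ip[12:16]), dst_ip=_ipv4(ip[16:20]),
        frame_bytes=len(frame), eth_header_bytes=ETH_HEADER_LEN,
        ip_header_bytes=ihl, tcp_header_bytes=data_offset,
        message_bytes=len(message),
    )


def parse_hex_stream(hex_stream: str) -> FrameSummary:
    """Accept the text Wireshark produces with 'Copy as Hex Stream' on a frame."""
    return parse_frame(bytes.fromhex(hex_stream))


def direction(summary: FrameSummary, local_mac: str) -> str:
    """6.3.1: outgoing if the source MAC is our own card, incoming if the
    destination MAC is. Anything else (broadcast, or another host's traffic
    seen in promiscuous mode) is reported as 'other'."""
    local_mac = local_mac.lower()
    if summary.src_mac == local_mac:
        return "outgoing"
    if summary.dst_mac == local_mac:
        return "incoming"
    return "other"


# Constructed sample: an HTTP GET from 192.168.10.20 to the router at 192.168.10.1.
# MAC addresses are placeholders; IP and TCP checksums are left as 0.
LOCAL_MAC = "aa:bb:cc:dd:ee:ff"


def build_sample_frame() -> bytes:
    payload = b"GET / HTTP/1.1\r\nHost: 192.168.10.1\r\n\r\n"
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: version/IHL, TOS, total length, id, flags/frag (DF), TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000,
                     64, PROTO_TCP, 0, bytes([192, 168, 10, 20]), bytes([192, 168, 10, 1]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex(LOCAL_MAC.replace(":", "")), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    s = parse_frame(build_sample_frame())
    print(direction(s, LOCAL_MAC), s)
```

Running the script on the constructed frame gives 14 + 20 + 20 + 38 = 92 bytes, which is what Wireshark's status bar and its "Frame" line would report for the same bytes; the same breakdown can be read off the packet detail pane by expanding the Ethernet, IP and TCP rows. A frame whose TCP header is longer than 20 bytes (for example one carrying TCP options) is handled by the data-offset field, which is why the script reads that field rather than assuming 20.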

7. Conclusion:

8. Assessment:

Each criterion is rated BEGINNER (1), ACCEPTABLE (2) or PROFICIENT (3), with a SCORE column to the right.

I. Laboratory Skills

Manipulative Skills
  Beginner (1): Members do not demonstrate needed skills.
  Acceptable (2): Members occasionally demonstrate needed skills.
  Proficient (3): Members always demonstrate needed skills.
  Score:

Experimental Set-up
  Beginner (1): Members are unable to set up the materials.
  Acceptable (2): Members are able to set up the materials with supervision.
  Proficient (3): Members are able to set up the materials with minimum supervision.
  Score:

Process Skills
  Beginner (1): Members do not demonstrate targeted process skills.
  Acceptable (2): Members occasionally demonstrate targeted process skills.
  Proficient (3): Members always demonstrate targeted process skills.
  Score:

Safety Precautions
  Beginner (1): Members do not follow safety precautions.
  Acceptable (2): Members follow safety precautions most of the time.
  Proficient (3): Members follow safety precautions at all times.
  Score:

II. Work Habits

Time Management / Conduct of Experiment
  Beginner (1): Members do not finish on time, with incomplete data.
  Acceptable (2): Members finish on time with incomplete data.
  Proficient (3): Members finish ahead of time with complete data and time to revise data.
  Score:

Cooperative and Teamwork
  Beginner (1): Members do not know their tasks and have no defined responsibilities. Group conflicts have to be settled by the teacher.
  Acceptable (2): Members have defined responsibilities most of the time. Group conflicts are cooperatively managed most of the time.
  Proficient (3): Members are on task and have defined responsibilities at all times. Group conflicts are cooperatively managed at all times.
  Score:

Neatness and Orderliness
  Beginner (1): Messy workplace during and after the experiment.
  Acceptable (2): Clean and orderly workplace with occasional mess during and after the experiment.
  Proficient (3): Clean and orderly workplace at all times during and after the experiment.
  Score:

Ability to do independent work
  Beginner (1): Members require supervision by the teacher.
  Acceptable (2): Members require occasional supervision by the teacher.
  Proficient (3): Members do not need to be supervised by the teacher.
  Score:

Other Comments/Observations:

Total Score:
