PROGRAMME: 3 BEET

2.0 EQUIPMENT
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Originally named
Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
A network packet analyzer captures network packets and displays the packet data in as much
detail as possible. You could think of a network packet analyzer as a measuring device used to
examine what's going on inside a network cable, just like a voltmeter is used by an electrician to
examine what's going on inside an electric cable.
[Figure 1.1 – Main Interface of Wireshark: Menu, Main Toolbar, Filter Toolbar, Packet List Pane, Packet Detail Pane, Packet Bytes Pane, Status Bar]
Wireshark's main window consists of parts that are commonly known from many other GUI programs.
The main toolbar provides quick access to frequently used items from the menu.
The filter toolbar provides a way to directly manipulate the currently used display filter.
The packet list pane displays a summary of each packet captured. By clicking on packets in
this pane you control what is displayed in the other two panes.
The packet details pane displays the packet selected in the packet list pane in more detail.
The packet bytes pane displays the data from the packet selected in the packet list pane, and
highlights the field selected in the packet details pane.
The status bar shows some detailed information about the current program state and the
captured data.
In this lab, Wireshark will be used to examine and analyze packets that were captured by a NIC and then
saved to a file, known as a trace file.
4.0 RESULTS

Part A
- Total number of packets in this trace file: 59
- Number of packets being displayed: 59
- Bytes of data captured for frame No. 5: 339 bytes
- Destination MAC address of frame No. 5: 00:23:8b:fc:36:77
- Source port number of frame No. 5: sip (5060)

Part B
- Number of packets displayed in the Packet List pane with the filter "sip": 15
- Number of RTP packets displayed with the filter "rtp": 519
- Total number of ICMP and RTCP packets ("icmp || rtcp"): 12
- IP address(es) that send out packets with UDP source port 5060: 192.168.10.12 and 192.168.10.100
- IP address(es) that send out packets with TCP source port 139: 192.168.10.3
- Application layer protocol of the packets from 192.168.10.30 to 192.168.10.100: RTCP

PART C
- Percentage of packets belonging to TCP traffic: 18.16%
- Bytes of RTP traffic: 108524 bytes
- Layer 3 protocols in the trace file: Internet Protocol version 4 and Internet Protocol version 6. Transmission Control Protocol and User Datagram Protocol are layer 4 (transport) protocols and appear under IP in the protocol hierarchy.
QUESTIONS
1. Refer to the “status bar” (at the bottom of the Wireshark window) and answer the
following question:
a. What is the total number of packets in this trace file?
- 59 Packets
b. What is the number of packets being displayed?
- 59 Packets
2. In the “Packet List Pane” as shown in Figure 4.1, click on frame “No. 5” in Wireshark. The
selected frame will be highlighted. Answer the following question:
a. What is the highest layer protocol in this frame?
- SIP (frame No. 5 is a SIP INVITE)
b. What is the destination IP address in this frame?
-192.168.10.100
3. Refer to the “Packet Detail Pane” of the same frame No. 5, as shown in Figure 4.2 (Note:
If another frame in Packet List pane is highlighted, the content in Packet Detail pane will
change). Answer the following question:
a. How many bytes of data have been captured for this frame?
- 339 bytes
b. What is the destination MAC address?
- 00:23:8b:fc:36:77
c. What is the source port number?
- sip (5060)
4. Click on the ‘+’ sign next to “User Datagram Protocol”, and more information will be
displayed. Answer the following question:
6. Refer to the “Packet Bytes Pane” (at the bottom of Wireshark) of the same frame No. 5, as
shown in Figure 4.3. Answer the following question:
a. Double click on the value “49 4e 56 49 54 45” (line #”0130”, as shown in Figure 4.3), and
refer to “Packet Detail Pane”. Which protocol field do these hexadecimal numbers belong to?
- The Method field of the SIP Request-Line: the bytes 49 4e 56 49 54 45 are ASCII for “INVITE”.
1. In the “Filter Toolbar”, type “sip” as shown in Figure 4.5 and click “Apply” at the right of
the “Filter Toolbar”.
a. What is the number of packets being displayed in the Packet List pane? (Please refer to the
status bar)
- 15
1. Type “rtp” this time in the Filter text box and then click “Apply”. After answering the
question, please click on “Clear” again.
a. What is the number of RTP packets being displayed now? (Please refer to the status bar)
- Displayed: 519
2. Figure 4.6 shows the logical operators of the display filter. In Figure 4.7, the “or”
operator is used in “icmp || rtcp”. The filter will select either ICMP or RTCP, so the resulting
displayed packets should include both ICMP and RTCP.
a. What is the total number of ICMP and RTCP packets in the trace file?
- 12
4. After clicking “OK”, the expression will appear in the Filter text box. Click “Apply”. Click
“Clear” after the questions have been answer.
a. What is/are the IP address(es) that send(s) out packet with a UDP source port number of
5060?
- 192.168.10.12 and 192.168.10.100
b. Using the similar concept illustrated above, what is/are the IP address send(s) out packet
with a TCP source port number of 139 (Hint: tcp.srcport == 139)?
- 192.168.10.3
3. The following feature is also useful to filter on the vendor identifier part (OUI) of the
MAC address. Frames from a specific device manufacturer can be selected, (e.g. for Huawei
equipment only): eth.src[0:3] == 54:39:df, as shown in Figure 4.10. The notation stands for
the first 3 bytes of the source MAC address. The [0:3] means 3 bytes starting from offset 0 (in
bytes).
a. Which IP address(es) is/are having Huawei MAC address? (Click “Clear” after this)
- 192.168.10.10
4. Display the packets whose destination IP address equals 192.168.10.100 and whose source
IP address equals 192.168.10.30, as shown in Figure 4.11.
a. Which is the application layer protocol of these packets? (Click “Clear” after this)
- RTCP
Part C: Basic Statistics of the Trace File
1. In the “menu”, click on “Statistics” and then “Summary”. After answering the question,
close the “Summary” dialog box.
a. What is the “average packets per second” of the trace file?
- 16.817 packets/s
b. What is the “average bytes per second” of the trace file?
- 3489.733 bytes/s
2. Click on “Statistics” and then “Protocol Hierarchy”. The protocol hierarchy dialog pops up
as shown in Figure 4.12. The protocol hierarchy shows a dissection per OSI layer of the
displayed data. After answering the question, close the dialog box. (Note: Click on the ‘+’ to
obtain more information)
2. Click on “Statistics” and then “Conversations”. For TCP/IP suite, there are five active
tabs for Ethernet, IPv4, IPv6, TCP and UDP conversations, as shown in Figure 4.13. A
"conversation" represents the traffic between two hosts. The number in the tab after the
protocol indicates the number of conversations. After answering the question, close the dialog
box.
a. Click on the “Ethernet” tab. How many different MAC addresses are there?
- 5 different MAC addresses
c. In “IPv4” tab, which IP address has sent out the most packets?
- 192.168.10.100 - 300 packets
d. Click on the “TCP” tab. Which pair of IP addresses were having SSH conversation?
- 192.168.10.100 - 192.168.10.10
e. Click on the “UDP” tab. Which pair of IP addresses were having SIP conversation?
- 192.168.10.12 - 192.168.10.100
3. Click on “Statistics” and then “Endpoints”. The endpoints provide statistics about
received and transmitted data on a per machine base. The number after the protocol indicates
the number of endpoints. After answering the question, close the dialog box.
a. Click on the “IPv4” tab. How many packets are received by IP = 192.168.10.101?
-4
b. Click on the “UDP” tab. Which socket (IP:port) has transmitted the most bytes?
- 192.168.10.10 , Transmit Byte=64024
4. The following Graph Analysis window pops up, showing the graph flow of SIP and
RTCP, as shown in Figure 4.17.
a. Based on the graph, which IP address is most likely the SIP server? Which IP
addresses are SIP clients (IP phones)? (Close the graph flow windows after this)
- 192.168.10.12
6. A “Follow UDP Stream” content window will pop up. (Close the windows after answering
the question)
a. What is the name of the User-Agent? (Hint: Click on the “Find” button and type in User-Agent.)
- Huawei OpenEye V3.1
Part D: Telephony
1. Go to “Telephony” => “SIP”. A small dialog box will pop up. Leave the Filter text box
blank, and click on “Create Stat”. A SIP statistics window will be shown. Answer the
following questions:
a. How many SIP packets are there in the trace file?
- 7 packets
b. How many SIP success packets are there in the trace file?
- 2 packets
c. What are the SIP request methods found in the trace file?
-ACK, INVITE, BYE
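The display filters of Part B and the conversation and SIP statistics of Parts C and D can be reproduced outside Wireshark. The following is an added example and is not code from the lab sheet or from Wireshark: a small dissector that exposes Wireshark-style field names (eth.src, ip.src, udp.srcport, sip.Method, ...) over raw Ethernet frames, a set of the lab's filters written as predicates over those fields, and the "Conversations" and "SIP" counters. Every frame is constructed inline; the host roles, MAC addresses and SIP messages are assumptions modelled on the addresses in the lab answers, and SIP is detected by port 5060 only.

```python
# Added example, not part of the original lab sheet: a small dissector that
# exposes Wireshark-style field names (eth.src, ip.src, udp.srcport, sip.Method,
# ...) so that the display filters used in Part B and the conversation and SIP
# statistics of Parts C and D can be reproduced in code. Every frame is
# constructed here; the hosts, MAC addresses and SIP messages are assumptions
# modelled on the addresses that appear in the lab answers.
import struct
from collections import Counter

def mac(s): return bytes.fromhex(s.replace(":", ""))

def eth(dst, src, payload, ethertype=0x0800):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload):                 # no options, checksum left 0
    addrs = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0) + addrs + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport, dport, payload):                     # 20-byte header, flags PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload

def dissect_sip(payload):
    """Only the start line is needed for the SIP statistics: method or status code."""
    parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
    if parts[0].startswith("SIP/"):                 # response, e.g. "SIP/2.0 200 OK"
        return {"sip.Status-Code": int(parts[1])}
    return {"sip.Method": parts[0]}                 # request, e.g. "INVITE sip:x SIP/2.0"

def dissect(frame):
    """Return a dict keyed like Wireshark fields, as far as this toy dissector goes."""
    f = {"eth.dst": frame[0:6].hex(":"), "eth.src": frame[6:12].hex(":")}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return f                                    # not IPv4: stop at layer 2
    ihl = (frame[14] & 0x0F) * 4
    f["ip.proto"] = frame[23]
    f["ip.src"] = ".".join(str(b) for b in frame[26:30])
    f["ip.dst"] = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if f["ip.proto"] == 17:
        f["udp.srcport"], f["udp.dstport"] = struct.unpack("!HH", l4[:4])
        if 5060 in (f["udp.srcport"], f["udp.dstport"]):   # port-based SIP detection
            f.update(dissect_sip(l4[8:]))
    elif f["ip.proto"] == 6:
        f["tcp.srcport"], f["tcp.dstport"] = struct.unpack("!HH", l4[:4])
    return f

# The lab's display filters, each written as a predicate over the dissected fields.
FILTERS = {
    "sip":                      lambda f: "sip.Method" in f or "sip.Status-Code" in f,
    "udp.srcport == 5060":      lambda f: f.get("udp.srcport") == 5060,
    "tcp.srcport == 139":       lambda f: f.get("tcp.srcport") == 139,
    "eth.src[0:3] == 54:39:df": lambda f: f["eth.src"].startswith("54:39:df"),
}

def apply_filter(packets, expr):
    return [p for p in packets if FILTERS[expr](p)]

def ipv4_conversations(packets):
    """Statistics -> Conversations -> IPv4: packets per unordered address pair."""
    return Counter(tuple(sorted((p["ip.src"], p["ip.dst"]))) for p in packets if "ip.src" in p)

def sip_stats(packets):
    """Telephony -> SIP: request methods seen and the number of 2xx (success) responses."""
    methods = Counter(p["sip.Method"] for p in packets if "sip.Method" in p)
    return methods, sum(1 for p in packets if 200 <= p.get("sip.Status-Code", 0) < 300)

PHONE, SERVER, FILESRV = "192.168.10.12", "192.168.10.100", "192.168.10.3"            # assumed roles
PHONE_MAC, SERVER_MAC, FILESRV_MAC = "54:39:df:00:00:01", "00:23:8b:fc:36:77", "00:11:22:33:44:55"

def build_trace():
    """Constructed trace: one SIP call (phone <-> server) plus one SMB segment from a file server."""
    call = [("INVITE sip:2001@192.168.10.100 SIP/2.0", PHONE), ("SIP/2.0 100 Trying", SERVER),
            ("SIP/2.0 200 OK", SERVER), ("ACK sip:2001@192.168.10.100 SIP/2.0", PHONE),
            ("BYE sip:2001@192.168.10.100 SIP/2.0", PHONE), ("SIP/2.0 200 OK", SERVER)]
    frames = []
    for line, src in call:
        dst, smac, dmac = (SERVER, PHONE_MAC, SERVER_MAC) if src == PHONE else (PHONE, SERVER_MAC, PHONE_MAC)
        body = (line + "\r\nUser-Agent: example\r\nContent-Length: 0\r\n\r\n").encode()
        frames.append(eth(dmac, smac, ipv4(src, dst, 17, udp(5060, 5060, body))))
    frames.append(eth(SERVER_MAC, FILESRV_MAC, ipv4(FILESRV, SERVER, 6, tcp(139, 49152, b"\x00\x00\x00\x04SMB"))))
    return frames

def analyse(frames):
    """The answers the lab asks for, computed over the dissected frames."""
    packets = [dissect(fr) for fr in frames]
    methods, success = sip_stats(packets)
    senders = lambda expr: sorted({p["ip.src"] for p in apply_filter(packets, expr)})
    return {"total": len(packets), "sip": len(apply_filter(packets, "sip")),
            "udp_src_5060": senders("udp.srcport == 5060"), "tcp_src_139": senders("tcp.srcport == 139"),
            "huawei": senders("eth.src[0:3] == 54:39:df"), "conversations": ipv4_conversations(packets),
            "sip_methods": methods, "sip_success": success}

if __name__ == "__main__":
    for key, value in analyse(build_trace()).items():
        print(key, value)
```

Two points worth noticing when comparing this with Wireshark: the "sip" filter matches responses as well as requests, so its count is not the number of SIP request methods; and the OUI filter eth.src[0:3] only identifies the sending interface, which is why the lab maps the Huawei MAC back to an IP address through ip.src.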
1. Go to “Telephony” => “RTP” => “Show all streams”. An “RTP Streams” window will
pop up, as shown in Figure 4.20. Click on the first line (Source Address = 192.168.10.100,
highlighted) and then click on “Analyze”.
a. Which packet has the maximum delta, and what is the value of the maximum delta?
- Packet 134, 22.00ms
b. Which packet has the maximum skew, and what is the value of the maximum skew?
- Packet 70, 15.56ms
2. Lastly, go to “Telephony” => “VoIP Calls”. The “VoIP dialog box” will pop up, as
shown in Figure 4.25.
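The delta, jitter and skew figures that the RTP stream analysis above reports can be computed from the arrival time, sequence number and RTP timestamp of each packet. The following is an added example, not code from the lab sheet or from Wireshark: delta is the time since the previous packet of the stream, jitter is the RFC 3550 section 6.4.1 estimator, and skew compares the arrival predicted by the RTP clock with the actual arrival. The stream is constructed (20 ms G.711 packets at an 8 kHz clock, 160 samples each, one packet 10 ms late and one packet lost); the sign convention for skew (negative means late) and the loss count ignoring 16-bit sequence wraparound are assumptions of this example.

```python
# Added example, not code from the lab sheet or from Wireshark: the per-packet
# figures behind Telephony -> RTP -> Stream Analysis. Input is one stream (one
# SSRC) as (arrival_time_s, sequence_number, rtp_timestamp) in capture order.
def analyse_rtp_stream(packets, clock_rate=8000):
    """Return max delta, max jitter (RFC 3550 6.4.1 estimator), max skew and lost count."""
    first_t, _, first_ts = packets[0]
    jitter, prev = 0.0, None
    res = {"max_delta": (None, 0.0), "max_jitter": (None, 0.0), "max_skew": (None, 0.0)}
    for t, seq, ts in packets:
        if prev is not None:
            pt, _, pts = prev
            delta_ms = (t - pt) * 1000.0                      # gap since previous packet
            # RFC 3550: D(i,j) = (Rj - Ri) - (Sj - Si); J += (|D| - J) / 16
            d_ms = ((t - pt) - (ts - pts) / clock_rate) * 1000.0
            jitter += (abs(d_ms) - jitter) / 16.0
            if delta_ms > res["max_delta"][1]:
                res["max_delta"] = (seq, delta_ms)
            if jitter > res["max_jitter"][1]:
                res["max_jitter"] = (seq, jitter)
        # Skew: arrival predicted by the RTP clock minus the actual arrival, both
        # relative to the first packet. Sign convention assumed: negative = late.
        skew_ms = ((ts - first_ts) / clock_rate - (t - first_t)) * 1000.0
        if abs(skew_ms) > abs(res["max_skew"][1]):
            res["max_skew"] = (seq, skew_ms)
        prev = (t, seq, ts)
    expected = packets[-1][1] - packets[0][1] + 1            # 16-bit seq wrap ignored
    res["lost"] = expected - len(packets)
    return res

def build_stream():
    """Constructed stream: 20 ms G.711 packets (8 kHz, 160 samples); packet 105
    arrives 10 ms late and packet 107 never arrives."""
    pkts, seq, ts, t = [], 100, 48000, 1.0
    for _ in range(10):
        if seq == 107:                                       # simulate the lost packet
            seq, ts, t = seq + 1, ts + 160, t + 0.020
        pkts.append((t + (0.010 if seq == 105 else 0.0), seq, ts))
        seq, ts, t = seq + 1, ts + 160, t + 0.020
    return pkts

if __name__ == "__main__":
    for key, value in analyse_rtp_stream(build_stream()).items():
        print(key, value)
```

Note that a single late packet shows up three times: as a larger delta on the late packet itself, as a smaller delta on the one after it, and as a non-zero jitter that then decays by a factor of 15/16 per packet, which is why the maximum jitter lands one packet after the maximum delta. The lost packet, by contrast, only widens one delta and leaves skew untouched, because the RTP timestamp of the next packet still agrees with its arrival time.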
For Part B, we were required to use the filters of Wireshark. There are two kinds of filter,
the capture filter and the display filter. The capture filter is used to restrict the amount of
captured data, so as to avoid producing a very large trace file. The display filter is used to
examine the captured data and lets the user look at exactly what the user needs. In this
exercise the display filter was the one used. The filter supports the logical operators and, or,
xor and not, each with a different function and its own shorthand symbol (&&, ||, ^^ and !).
Filtering simply makes the packet list more focused and easier to read: it shows only the
packets we need to see.
In Part C, we carried out basic statistics on the trace file. Wireshark provides a wide range of
network statistics, from general information about the loaded capture file (such as the number of
captured packets) to statistics about specific protocols. The general statistics include the
"Summary" of the capture file, the "Protocol Hierarchy" of the captured packets, "Conversations"
(for example traffic between specific IP addresses), "Endpoints" (for example traffic to and from
an IP address) and "IO Graphs" visualising the number of packets (or similar) over time.
Last but not least, for Part D we were required to use the telephony features of Wireshark.
Wireshark provides a wide range of telephony-related network statistics which can be accessed
via the Telephony menu. These range from specific signalling protocols to analysis of signalling
and media streams. If the media stream uses a supported encoding, it can even be played back.
7.0 CONCLUSION
From the lab session, we were able to explore the functionality of the Wireshark software.
Besides that, we were also able to study basic protocol analysis with Wireshark.
Lastly, we were able to analyse a basic VoIP data flow and its related protocols such as
SIP and RTP. We gained a great deal of important knowledge in this lab session.