
UNIVERSITI MALAYSIA PERLIS

SCHOOL OF COMPUTER & COMMUNICATIONS ENGINEERING

EKT 332/4 COMPUTER NETWORK

LABORATORY MODULE

LAB 2

NETWORK PROTOCOL ANALYZER


(SNIFFING AND IDENTIFY PROTOCOL USED IN LIVE NETWORK)
UniMAP COMPUTER NETWORK (EKT 332/4)

Lab 2 : Network Protocol Analyzer (Sniffing and Identify Protocol used in Live Network)

Objectives
• To learn some basics of Ethernet
• To sniff various types of packet and identify various types of protocol

Background

1. Getting Started
One’s understanding of network protocols can often be greatly deepened by “seeing protocols in
action” and by “playing around with protocols” – observing the sequence of messages exchanged
between two protocol entities, delving down into the details of protocol operation, and causing
protocols to perform certain actions and then observing these actions and their consequences. This
can be done in simulated scenarios or in a “real” network environment such as the Internet.
In these WIRESHARK labs, we’ll take the latter approach. You’ll be running various network
applications in different scenarios using a computer on your desk, at home, or in a lab. You’ll observe
the network protocols in your computer “in action,” interacting and exchanging messages with
protocol entities executing elsewhere in the Internet. Thus, you and your computer will be an integral
part of these “live” labs. You’ll observe, and you’ll learn, by doing.
The basic tool for observing the messages exchanged between executing protocol entities is called a
packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being
sent/received from/by your computer. It will also typically store and/or display the contents of the
various protocol fields in these captured messages. A packet sniffer itself is passive. It observes
messages being sent and received by applications and protocols running on your computer, but never
sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer.
Instead, a packet sniffer receives a copy of packets that are sent/received from/by applications and
protocols executing on your machine.

Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case,
Internet protocols) and applications (such as a web browser or ftp client) that normally run on your
computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an addition to the
usual software in your computer, and consists of two parts. The packet capture library receives a copy
of every link-layer frame that is sent from or received by your computer.


Messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are
eventually encapsulated in link-layer frames that are transmitted over physical media such as an
Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper layer
protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus
gives you all messages sent/received from/by all protocols and applications executing in your
computer.

Figure 1 : Packet sniffer structure

The second component of a packet sniffer is the packet analyzer, which displays the contents of all
fields within a protocol message. In order to do so, the packet analyzer must “understand” the
structure of all messages exchanged by protocols. For example, suppose we are interested in
displaying the various fields in messages exchanged by the HTTP protocol in Figure 1. The packet
analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an
Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment
within the IP datagram. Finally, it understands the TCP segment structure, so it can extract the HTTP
message contained in the TCP segment. It also understands the HTTP protocol and so, for
example, knows that the first bytes of an HTTP message will contain the string “GET,” “POST,” or
“HEAD.”
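
The layer-by-layer extraction described above can be written out in a short Python dissector. This is an added example, not part of the original lab module or of Wireshark; the function names and the sample frame (addresses, ports, host name) are constructed for illustration.

```python
import struct

def mac(b):
    # Ethernet addresses are 6 bytes, conventionally shown as colon-separated hex
    return ":".join(f"{x:02x}" for x in b)

def dissect(frame):
    """Peel Ethernet -> IPv4 -> TCP -> HTTP, recording fields from each layer."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    out = {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12])}
    out["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    if out["ethertype"] != 0x0800:       # not IPv4 (0x0806 is ARP): stop here
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4             # IHL counts 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    out.update(ip_header_len=ihl, ip_proto=ip[9],
               ip_src=".".join(map(str, ip[12:16])),
               ip_dst=".".join(map(str, ip[16:20])))
    if ip[9] != 6:                       # protocol 6 is TCP
        return out
    tcp = ip[ihl:total_len]              # total length drops any link-layer padding
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    out["src_port"], out["dst_port"] = struct.unpack("!HH", tcp[0:4])
    payload = tcp[(tcp[12] >> 4) * 4:]   # data offset also counts 32-bit words
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        out["http_request_line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return out

def sample_frame():
    """Constructed frame (checksums left at zero, which dissect() does not verify)."""
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + tcp

if __name__ == "__main__":
    for field, value in dissect(sample_frame()).items():
        print(f"{field:18} {value}")
```

A frame whose EtherType is not IPv4 is returned with only its Ethernet fields, which is the same split the "not ip" display filter makes later in this lab.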

We will be using the Wireshark packet sniffer [http://www.wireshark.com] for these labs, allowing us
to display the contents of messages being sent/received from/by protocols at different levels of the
protocol stack. (Technically speaking, Wireshark (Ethereal) is a packet analyzer that uses a packet
capture library in your computer).


2. What is Wireshark (Ethereal)?

Wireshark, formerly known as Ethereal, is one of the most powerful tools in a network
security analyst's toolkit. As a network packet analyzer, Wireshark can peer inside the
network and examine the details of traffic at a variety of levels, ranging from
connection-level information to the bits comprising a single packet. This flexibility and
depth of inspection make it a valuable tool for analyzing security events and
troubleshooting network security device issues. It's also priced right: it's free!

Wireshark (Ethereal) is a network packet analyzer or packet sniffer. A network packet analyzer
tries to capture network packets and to display the packet data in as much detail as possible. You could
think of a network packet analyzer as a measuring device used to examine what's going on inside a
network cable, just like a voltmeter is used by an electrician to examine what's going on inside an
electric cable (but at a higher level, of course). In the past, such tools were either very expensive,
proprietary, or both. However, with the advent of Wireshark (Ethereal), all that has changed.
Wireshark (Ethereal) is perhaps one of the best open source packet analyzers available today.

i. Some intended purposes


Here are some examples of what people use Wireshark (Ethereal) for:
• network administrators use it to troubleshoot network problems

• network security engineers use it to examine security problems

• developers use it to debug protocol implementations

• people use it to learn network protocol internals

ii. Features

• Live capture from many different network media


Despite its name, Wireshark (Ethereal) can capture traffic from network media other than
Ethernet. Which media types are supported, depends on many things like the operating
system you are using.
• Many protocol decoders
There are protocol decoders (or dissectors, as they are known in Ethereal) for a great many
protocols. A comprehensive list of all protocols and protocol fields can be found at
http://www.wireshark.com/docs/dfref/


• Open Source Software

Wireshark (Ethereal) is an open source software project, and is released under the GNU
General Public Licence (GPL). You can freely use Wireshark (Ethereal) on any number of
computers you like, without worrying about license keys or fees or such. In addition, all
source code is freely available under the GPL. Because of that, it is very easy for people to
add new protocols to Wireshark (Ethereal), either as plugins, or built into the source, and they
often do!

iii. What Wireshark is not

Just as with any tool, Wireshark can be used for some things and not others. Here is a list of some of
the things Wireshark cannot do:

1. It cannot be used to map out a network. Take a look at the NMAP tool for that functionality.
2. It does not generate network data – it is a passive tool. Tools like NMAP, ping, and traceroute
are examples of tools that generate network data. These tools are active.
3. It can only show detailed information about protocols it actually understands. The good news
is that it understands a great many protocols. It is also extensible, so you can add protocol
support for ones it doesn’t understand. Otherwise you will only be able to see a hexdump of
data it has captured.
4. It can only capture data as well as the OS, interface and interface driver support. An example of
this is capturing data over wireless networks. This does not work well (or at all) for some
software and hardware combinations.


Practical work
Before you start Wireshark you must log in as root. Ask the technician for the root password. You
can start Wireshark by giving the command wireshark on the command line. This opens a
window, which is a graphical interface to Wireshark's packet capture utility, as shown in Figure 2.
(You'll want to make this window bigger.)

Figure 2 : Wireshark window

To start scanning, choose Interfaces from the Capture menu. You'll see a pop-up window
similar to the one below:

Figure 3: Capture action window


If you'd like to configure advanced options -- like capturing to a file, resolving MAC addresses
and DNS names, or limiting the time or size of the capture -- click the Options button
corresponding to the interface you wish to configure. Many of these options can help to
improve the performance of Wireshark. For example, you can adjust settings to avoid
name-resolution issues, as they will otherwise slow down your capture system and generate
large numbers of name queries. Time and size limits can also place limitations on unattended
captures. Otherwise, simply click the Start button next to the name of the interface on which
you wish to capture traffic. The Wireshark screen will immediately begin filling up with
traffic seen on the network interface, as shown below:

Figure 4: Capture data window


Interpreting the results


• Each line in the top pane of the Wireshark window corresponds to a single packet
seen on the network.
• The default display shows the time of the packet (relative to the initiation of the
capture), the source and destination IP addresses, the protocol used and some
information about the packet.
• You can drill down and obtain more information by clicking on a row. This causes
the bottom two window panes to fill with information.
• The middle pane contains drill-down details on the packet selected in the top frame.
The "+" icons reveal varying levels of detail about each layer of information
contained within the packet.

Example: I've selected a DNS response packet. I've expanded the DNS response
(application layer) section of the packet to show that the original was requesting a
DNS resolution for www.cnn.com, and this response is informing us that the
available IP addresses include 64.236.91.21. The bottom window pane shows the
contents of the packet in both hexadecimal and ASCII representations.

Notice in the example above that each row is color-coded. The darker blue rows correspond
to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify
HTTP traffic. Wireshark includes a complex color-coding scheme (which you can
customize). The default settings appear below:

Figure 5: Capture data window


That sums up the basics of using Wireshark to capture and analyze network traffic. The best way to
become an expert quickly is to get your hands dirty and start capturing network traffic. There's no
doubt you'll find that it can be a helpful tool for everything from configuring firewall rules to spotting
an intrusion. Remember, however, that you must always have permission from the network owner
before capturing traffic on any network.

Exercise 1:
Click on one of the HTTP packets and examine it in detail in the middle section of the Wireshark
window. You can confirm that the structure of the packet is HTTP data wrapped in a TCP segment,
which is wrapped in an IP datagram, which is wrapped in an Ethernet frame. If you click one of the
little triangles in front of the word "Ethernet", your view of the Ethernet header will be expanded to
show the content of the header. Similarly for the "Internet Protocol," "Transmission Control
Protocol," and "Hypertext Transfer Protocol" lines. If you click on any of the lines in the middle
section of the window, the corresponding data in the display in the bottom third of the window will be
highlighted. Based on all this, answer the following questions:

Question 1: What does an Ethernet address look like, and what is the Ethernet address of your
computer?
Question 2: How many bytes are there in an Internet header?
Question 3: What is the IP address of the server computer? How did you find this out by looking at
info in the packet?
Question 4: The HTTP server communicates on port 80. What port number on your computer was
used for the communication? How did you find this out?

Exercise 2:
Now, enter "not ip" as the display filter. This lets you see non-IP packets. What protocols do you see?
Describe some of the things that you can discover or guess about these protocols, just from
information available in the Wireshark window.


Exercise 3:
Close all internet browsers. Restart packet capturing. Open your terminal window. Ping the computer
next to you using this command: $ ping xx.xxx.x.xxx
Open your internet browser and go to http://www.wireshark.com/. Click on the Introduction option. Stop
the capture session. Trace back all of the activities that you have done, from the moment you pinged the
computer next to you until you stopped the capture session. Copy all of the activities that you have traced
and paste them into Notepad. Print the result and attach it to your report.

Reference:
i. Richard Sharpe (NS Computer Software and Services P/L), Ed Warnicke, Ulf Lamping,
Ethereal User's Guide V2.00 for Ethereal 0.10.5
ii. http://www.wireshark.com/
