Lab1 - Polyu.edu.hk


COMP2322 Lab 1
Wireshark
Steven Lee
Jan. 25, 2017
Packet capture
• Why do we need to capture packets?
– Troubleshoot network problems
– Examine security problems
– Debug protocol implementations
– Learn network protocol internals
Existing packet capture tools/sniffers
• Classic tools
– Wireshark
– tcpdump
• Other tools
– Ettercap
– dsniff
– ntop
– Kismet
– WinDump
– TShark
What is Wireshark?
• An open source network protocol analyzer
– Capture network packets
– Display packet data
• Supports 2157 protocols (as of v2.2.3)
• Supports command-line and GUI interfaces
• Supports multiple platforms including Windows, macOS, Linux and Unix
• Wireshark User’s Guide (https://www.wireshark.org/download/docs/user-guide-a4.pdf)
libpcap and WinPcap
• Libraries for network traffic capture
• Provide the core functions of packet capturing
• Linux/Unix: libpcap (http://www.tcpdump.org/)
• Windows: WinPcap (http://www.winpcap.org)
Practice 1
• Y:\Win32\WiresharkPortable_1.4
• Select the right interface.
• Start packet capture for 10 seconds and save the trace
• Question 1 (4 marks)
a) How many interface(s) do you see? What are they?
b) Which interface have you chosen and why?
Filters
• Capture filters
– Only packets that meet the rule(s) are captured and decoded
– Syntax: https://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureFilterSection.html
• Display filters
– Do not affect what packets are captured
– Only affect which captured packets are displayed
– https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
Some other features
• Follow TCP stream
– Analyze → Follow → TCP Stream
• Statistics
– Capture File Properties: statistics on this capture file
– Conversations: statistics on captured conversations
• A conversation is the traffic between two specific endpoints
– Endpoints: traffic statistics on end hosts
– IO Graph: visualization of captured network packets
Practice 2
• Visit http://www4.comp.polyu.edu.hk/~comp2322/
• Question 2 (22 marks)
a) What capture filter can be used to capture only HTTP traffic?
b) What display filter can be used to display only HTTP traffic?
c) What is your IP address?
d) What is the server’s IP address?
e) What is the HTTP version?
f) What is the HTTP request method?
g) How many HTTP request(s) is/are sent to the server? Mark the request packet(s) by right-clicking it/them and selecting Mark/Unmark Packet.
h) What is/are the status code(s) in the response(s)?
i) How many application protocol(s) is/are captured while accessing the website?
j) What protocol(s) does HTTP rely on?
k) What is the relationship between HTTP and the World Wide Web (WWW)?
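As an added example that is not part of the lab handout, the Python script below reproduces on a constructed mini-trace what the two filter kinds from the Filters slide and the Conversations statistic from the features slide would show for the Practice 2 page fetch: a `tcp port 80` capture filter keeps every segment of the connection (handshake included), the `http` display filter matches only the two segments carrying an HTTP message, and the conversation table counts packets and bytes in each direction. The packet records and the RFC 5737 addresses are constructed, and the filter functions are simplified approximations of Wireshark's dissectors, not Wireshark's own code.

```python
from collections import defaultdict

# Constructed mini-trace, not a real capture: (src, sport, dst, dport, proto, frame_len, payload).
# RFC 5737 documentation addresses stand in for the client, the web server and the DNS server.
TRACE = [
    ("192.0.2.10", 51234, "198.51.100.80", 80, "tcp", 74, b""),    # SYN
    ("198.51.100.80", 80, "192.0.2.10", 51234, "tcp", 74, b""),    # SYN/ACK
    ("192.0.2.10", 51234, "198.51.100.80", 80, "tcp", 66, b""),    # ACK
    ("192.0.2.10", 51234, "198.51.100.80", 80, "tcp", 380,
     b"GET /~comp2322/ HTTP/1.1\r\nHost: www4.comp.polyu.edu.hk\r\n\r\n"),
    ("198.51.100.80", 80, "192.0.2.10", 51234, "tcp", 1514,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>..."),
    ("192.0.2.10", 51234, "198.51.100.80", 80, "tcp", 66, b""),    # ACK
    ("192.0.2.10", 56000, "198.51.100.53", 53, "udp", 85, b"\x12\x34\x01\x00"),  # DNS query
]
METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def capture_filter_tcp_port_80(pkt):
    """Capture filter `tcp port 80` (BPF): decided by ports alone, so the empty
    SYN/SYN-ACK/ACK segments are captured too, even though they carry no HTTP."""
    _, sport, _, dport, proto, _, _ = pkt
    return proto == "tcp" and 80 in (sport, dport)

def display_filter_http(pkt):
    """Display filter `http`: the HTTP dissector must recognise a request or
    response line, so only the segments carrying an HTTP message are shown."""
    payload = pkt[6]
    return pkt[4] == "tcp" and (payload.startswith(METHODS) or payload.startswith(b"HTTP/"))

def http_summary(trace):
    """Request methods, HTTP versions and status codes, as Question 2 e)-h) ask."""
    methods, versions, statuses = [], set(), []
    for pkt in filter(display_filter_http, trace):
        first = pkt[6].split(b"\r\n", 1)[0].decode("ascii").split(" ")
        if first[0].startswith("HTTP/"):       # response line: version code reason
            versions.add(first[0]); statuses.append(int(first[1]))
        else:                                  # request line: method target version
            methods.append(first[0]); versions.add(first[2])
    return methods, sorted(versions), statuses

def conversations(trace):
    """Statistics -> Conversations: one row per protocol and unordered endpoint pair,
    counting packets and bytes each way (A is the lower-sorting endpoint)."""
    rows = defaultdict(lambda: [0, 0, 0, 0])   # pkts A->B, bytes A->B, pkts B->A, bytes B->A
    for src, sport, dst, dport, proto, n, _ in trace:
        a, b = sorted([(src, sport), (dst, dport)])
        row, i = rows[(proto, a, b)], (0 if (src, sport) == a else 2)
        row[i] += 1
        row[i + 1] += n
    return {k: tuple(v) for k, v in rows.items()}
```

Running `http_summary(TRACE)` gives `(['GET'], ['HTTP/1.1'], [200])`, and the TCP row of `conversations(TRACE)` shows 4 packets / 586 bytes from the client and 2 packets / 1588 bytes from the server.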
Practice 3
• Visit https://www.google.com/
• Question 3 (4 marks)
a) What port does HTTPS use?
b) How is an HTTPS connection established?
Practice 4
• Visit https://www.facebook.com/
• Question 4 (4 marks)
a) What are the IP addresses of Facebook when visited at home and on campus?
b) Are the IP addresses the same? If not, can you guess why? (Hint: content delivery network (CDN))