Wireshark Capture Options
1
Lab 3
Transport Layer
T.A. Youngjoo Han
2
Transport Layer
Providing logical communication between application processes running on different hosts
Transport layer protocols: TCP, UDP
3
Objectives
Understanding the role of the transport layer
How to use toolkits to observe TCP operation and to measure the performance of the
underlying network
4
Preparation for LAB 3
Wireshark is a network protocol analyzer for UNIX and Windows. We use this
tool in Lab 3.
Before installing Wireshark, we must install WinPcap. WinPcap is a library for
capturing packets and monitoring network status. WinPcap can be downloaded from
the following site:
http://www.winpcap.org/install/default.htm
We can also download Wireshark from
http://sourceforge.net/projects/wireshark/files/win32/all-versions/wireshark-win32-1.6.2.exe/download
We can also download the Wireshark User's Guide from
http://www.wireshark.org/download/docs/user-guide-a4.pdf
5
Starting Wireshark (1)
6
Starting Wireshark (2)
Identifying TCP operation with Wireshark
After starting Wireshark, find the button highlighted by the red box above and
click it.
7
Starting Wireshark (3)
Wireshark Capture Options
You don't need to select an Interface here. You can select the interface when
starting the packet capture; see p10 of this ppt.
"Promiscuous" mode means that the capture receives all packets on every network
attached to this computer, not only the packets addressed to it.
Pcap-ng format is the "PCAP Next Generation Dump File Format", but we don't deal
with dump files in this lab.
8
Starting Wireshark (4)
Wireshark Capture Options (Cont.)
• Update list of packets in real time
This option allows you to specify that Wireshark should update the packet list in
real time as packets arrive. If you do not select this, Wireshark does not display
any packets until you stop the capture.
• Automatic scrolling in live capture
This option allows you to specify that Wireshark should scroll the packet list as
new packets come in, so you are always looking at the last packet.
• Hide capture info dialog
If this option is checked, the capture info dialog is hidden.
• Enable MAC name resolution
This option controls whether or not Wireshark translates MAC addresses into names.
• Enable network name resolution
This option controls whether or not Wireshark translates network addresses into
names.
• Enable transport name resolution
This option controls whether or not Wireshark translates transport addresses into
names.
9
Starting Wireshark (5)
Complete the following configuration as shown for this lab:
check "Enable MAC name resolution" and "Enable transport name resolution".
10
Starting Wireshark (6)
Click the button to run the capture.
Click the Start button next to the interface on which the packet count is
increasing.
11
Starting Wireshark (7)
After configuration, we can see the results. The packet list has these columns:
• No.
The number of the packet in the capture file.
• Time
The timestamp of the packet.
• Source
The address this packet is coming from.
• Destination
The address this packet is going to.
• Protocol
The protocol name in abbreviated form.
• Info
Additional information about the packet content.
The pane below the packet list shows the current packet in a more detailed form,
and the pane at the bottom shows the data of the current packet in hexdump style.
12
TCP MEASUREMENT USING AN APPLICATION
13
Lab 3 – Prerequisite (1)
Let's measure the packets exchanged between 143.248.6.69 and your computer.
Prerequisite steps for Lab 3:
I. Start Wireshark.
II. Run the packet capture in Wireshark.
III. Visit http://ancl.kaist.ac.kr/?page_id=402
IV. Download installer_r16-windows.exe
V. After the download finishes, stop the capture.
VI. You can see the result.
VII. Then enter "tcp" in the Filter box in Wireshark, as shown.
VIII. Finally, you can see the result with only TCP packets, like the figure on the next page.
14
Lab 3 – Prerequisite (2)
15
HOW TCP WORKS
* The figures on the following pages are based on the figure on the previous page, Lab 3 – Prerequisite (2).
* 143.248.6.69 is our homepage server.
* 143.248.6.7 is the TA's computer.
16
Lab 3-1 Understanding TCP Three-way Handshaking
(1) How to check TCP Three-way Handshaking?
TCP connections are established with an exchange of three messages called the three-way
handshake. This provides reliable, connection-oriented communication between server
and client. The three-way handshake follows these steps:
First, the client sends a SYN segment to the server. This segment requests the
establishment of the connection.
Second, the server sends a SYN+ACK segment to the client. The ACK notifies the client
that the segment it sent was received.
Third, the client sends an ACK segment to the server. Then the three-way handshake is complete.
17
Operation of TCP Three-way Handshaking
A : 210.107.139.224
B : 143.248.4.223
SYN       SEQ:0, ACK:-
SYN+ACK   SEQ:0, ACK:1
ACK       SEQ:1, ACK:1
18
Lab 3-2 TCP Data Transmission
(2) Data Transmission
• PDU is the Protocol Data Unit.
[TCP segment of a reassembled PDU] means that the data of one unit was divided and
transferred in several segments, because the original unit is too big to transfer
in one packet.
• We can also see that 143.248.6.7 sends acknowledgements to notify that the data was
received.
19
Lab 3-3 TCP Closing the connection (1)
(3) Closing the connection
The steps for closing a TCP connection are as follows.
First, the client sends a FIN segment to the server to notify it that the connection is closing.
Then the server sends an ACK segment.
Second, the server sends a FIN segment to the client to notify it that the connection is closing.
Then the client sends an ACK segment.
20
Operation of TCP Closing the connection
A : 210.107.139.224
B : 143.248.4.223
FIN   SEQ:222, ACK:-
ACK   SEQ:244, ACK:223
FIN   SEQ:244, ACK:223
ACK   SEQ:223, ACK:245
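As an added example (not part of the lab slides), the following Python replays the relative SEQ/ACK numbers that Wireshark displays for the three-way handshake (Lab 3-1) and the connection close (Lab 3-3) and checks that each segment is consistent with what the peer has sent so far. The trace is constructed: it uses the A and B addresses from the diagrams, adds two data segments sized so that the close carries exactly the slides' numbers (A sends 221 bytes, B sends 243 bytes), and shows the FINs as FIN+ACK, which is how Wireshark labels them. A trace that stops after the SYN+ACK is included to show how a half-open connection is reported; the state names and the strict in-order check are simplifications of this example, not Wireshark's own logic.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Endpoints from the slides' diagrams (constructed trace, not a real capture).
A = "210.107.139.224"
B = "143.248.4.223"


@dataclass
class Segment:
    src: str
    dst: str
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN"}
    seq: int                # relative sequence number, as Wireshark displays it
    ack: Optional[int]      # relative acknowledgement number, None for the first SYN
    length: int = 0         # payload bytes carried


@dataclass
class Connection:
    state: str = "CLOSED"
    next_seq: Dict[str, int] = field(default_factory=dict)  # next byte each side will send
    fin_sent: set = field(default_factory=set)
    problems: List[str] = field(default_factory=list)


def seg(src, dst, flags, seq, ack=None, length=0):
    """Build a Segment from a Wireshark-style flag string such as "SYN+ACK"."""
    return Segment(src, dst, frozenset(flags.split("+")), seq, ack, length)


def _check_ack(conn, i, s):
    # An ACK is valid only if it acknowledges exactly what the peer has sent so far
    # (this trace-level check assumes in-order delivery with no loss).
    expected = conn.next_seq.get(s.dst)
    if s.ack != expected:
        conn.problems.append(f"#{i}: ACK={s.ack} but peer has sent up to {expected}")


def track(segments):
    """Replay a list of Segments and return the resulting Connection view."""
    conn = Connection()
    for i, s in enumerate(segments, 1):
        f = s.flags
        if "SYN" in f:
            if "ACK" not in f:                        # step 1: client SYN
                if conn.state != "CLOSED":
                    conn.problems.append(f"#{i}: SYN while {conn.state}")
                conn.state = "SYN_SENT"
            else:                                     # step 2: server SYN+ACK
                if conn.state != "SYN_SENT":
                    conn.problems.append(f"#{i}: SYN+ACK while {conn.state}")
                _check_ack(conn, i, s)
                conn.state = "SYN_RECEIVED"
            conn.next_seq[s.src] = s.seq + 1          # a SYN consumes one sequence number
            continue
        if "ACK" not in f:
            conn.problems.append(f"#{i}: segment without ACK after the handshake began")
        _check_ack(conn, i, s)
        expected_seq = conn.next_seq.get(s.src)
        if expected_seq is None:
            conn.problems.append(f"#{i}: data from {s.src} before any SYN")
            continue
        if s.seq != expected_seq:
            conn.problems.append(f"#{i}: SEQ={s.seq}, expected {expected_seq}")
        # Payload bytes advance the sender's sequence space; so does a FIN.
        conn.next_seq[s.src] = s.seq + s.length + (1 if "FIN" in f else 0)
        if conn.state == "SYN_RECEIVED":              # step 3: client ACK completes the handshake
            conn.state = "ESTABLISHED"
        if "FIN" in f:
            conn.fin_sent.add(s.src)
            conn.state = "FIN_WAIT" if len(conn.fin_sent) == 1 else "LAST_ACK"
        elif conn.state == "LAST_ACK" and s.ack == conn.next_seq[s.dst]:
            conn.state = "CLOSED"                     # both FINs acknowledged


    return conn


# Constructed trace: handshake and close as in the slides, plus two data segments
# sized so that the close carries the slides' numbers (A sends 221 bytes, B 243).
SAMPLE_TRACE = [
    seg(A, B, "SYN", 0),                       # SYN      SEQ:0, ACK:-
    seg(B, A, "SYN+ACK", 0, ack=1),            # SYN+ACK  SEQ:0, ACK:1
    seg(A, B, "ACK", 1, ack=1),                # ACK      SEQ:1, ACK:1  -> ESTABLISHED
    seg(A, B, "ACK", 1, ack=1, length=221),    # request data
    seg(B, A, "ACK", 1, ack=222, length=243),  # response data, acknowledges the request
    seg(A, B, "ACK", 222, ack=244),
    seg(A, B, "FIN+ACK", 222, ack=244),        # FIN      SEQ:222
    seg(B, A, "ACK", 244, ack=223),            # ACK      SEQ:244, ACK:223
    seg(B, A, "FIN+ACK", 244, ack=223),        # FIN      SEQ:244, ACK:223
    seg(A, B, "ACK", 223, ack=245),            # ACK      SEQ:223, ACK:245 -> CLOSED
]

# Constructed half-open trace: the client never sends the third ACK.
HALF_OPEN_TRACE = SAMPLE_TRACE[:2]


if __name__ == "__main__":
    for name, trace in (("full", SAMPLE_TRACE), ("half-open", HALF_OPEN_TRACE)):
        c = track(trace)
        print(name, c.state, c.problems or "no problems")
```

Running the block prints `full CLOSED no problems` and `half-open SYN_RECEIVED no problems`; a connection that stays in SYN_RECEIVED at the end of a trace is the half-open pattern worth noticing in a capture.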
21
LAB 3 ASSIGNMENT
22
Lab Assignment)
IP address, server identification (1)
Let's obtain an IP address for our machine. Our machine is running Windows,
and we will open a command prompt. We start a Wireshark trace and then issue
the following commands at the command prompt.
DHCP: DHCP (Dynamic Host Configuration Protocol) is a network configuration
protocol for hosts on IP networks. Computers that are connected to IP networks
must be configured before they can communicate with other hosts. The most
essential information needed is an IP address, a default route and a routing
prefix. DHCP eliminates this manual task for the network administrator. It also
provides a central database of the devices connected to the network and
eliminates duplicate resource assignments.
Operations of DHCP: DHCP discover, DHCP offer, DHCP request, DHCP ACK
23
Lab Assignment)
IP address, server identification(2)
ipconfig /release
ipconfig /renew
ipconfig /renew
ipconfig /release
ipconfig /release is used to give up the current address, cutting the connection with the devices currently connected.
ipconfig /renew is used to renew the address.
24
Lab Assignment)
IP address, server identification (3)
Packet 1817 is used to release the machine's current IP address,
192.168.0.5. Notice that packet 1817 lists 192.168.0.5 as the source IP
address. After it is released, the machine has no valid IP address and
uses the address 0.0.0.0 as the source address in packet 1852.
25
Lab Assignment)
IP address, server identification(4)
We input ipconfig /renew twice.
DHCP Discover: In particular, let's look at packet 1852. Packet 1852 is a DHCP Discover
message, and it is used by machines without an IP address to request one. It is sent to the
special broadcast address, 255.255.255.255. This address reaches all connected hosts
within the limited broadcast range. Logically, 255.255.255.255 means broadcast to the entire
Internet, but this is never literally the case, because routers will not forward such a
broadcast beyond the local network, to avoid swamping the Internet with such requests.
DHCP Offer: A DHCP server that received the DHCP Discover message sends a DHCP Offer message
to the client. Here DHCP also uses broadcast.
DHCP Request: The client selects the first of the servers' DHCP Offer messages to arrive,
then broadcasts its request to all DHCP servers.
DHCP ACK: The DHCP server that received the DHCP Request sends an ACK to the client. Once the
client receives this ACK, TCP/IP is initialized and the client is recognized as a bound DHCP client.
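As an added example (not part of the lab slides), the following Python builds and parses minimal DHCP messages and then audits a constructed Discover/Offer/Request/ACK exchange the way a defender would read the capture: each transaction id must follow the four-step order, the Discover must come from 0.0.0.0 to 255.255.255.255 as described above, and every Offer or ACK must carry the server identifier of a known DHCP server. The frames are constructed: the lease 192.168.0.5 is taken from the slides, while the trusted server 192.168.0.1, the rogue server 192.168.0.254, the MAC address and the transaction ids are hypothetical values chosen for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
BROADCAST = "255.255.255.255"
UNSPECIFIED = "0.0.0.0"
# Fixed 236-byte BOOTP header that precedes the magic cookie and the options.
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_dhcp(msg_type: int, xid: int, mac: bytes, yiaddr: str = UNSPECIFIED,
               server_id: Optional[str] = None, requested: Optional[str] = None) -> bytes:
    """Encode a minimal DHCP message (op 1 = client request, op 2 = server reply)."""
    op = 2 if msg_type in (2, 5) else 1
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000,   # flags 0x8000: reply by broadcast
                         ip_bytes(UNSPECIFIED), ip_bytes(yiaddr), ip_bytes(UNSPECIFIED),
                         ip_bytes(UNSPECIFIED), mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type])                          # option 53: DHCP message type
    if server_id:
        options += bytes([54, 4]) + ip_bytes(server_id)          # option 54: server identifier
    if requested:
        options += bytes([50, 4]) + ip_bytes(requested)          # option 50: requested IP address
    return header + MAGIC_COOKIE + options + b"\xff"             # option 255: end


def parse_dhcp(data: bytes) -> Dict[str, object]:
    """Decode the fields needed to follow a DISCOVER/OFFER/REQUEST/ACK exchange."""
    fields = struct.unpack(HEADER, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                 # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": fields[0],
        "xid": fields[4],
        "yiaddr": ip_str(fields[8]),                 # the address being offered/assigned
        "chaddr": fields[11][:6].hex(":"),           # client MAC address
        "type": MSG_TYPES.get(options[53][0], "OTHER"),
        "server_id": ip_str(options[54]) if 54 in options else None,
    }


def audit_dhcp(frames: List[Tuple[str, str, bytes]], trusted_servers: set) -> Dict[int, List[str]]:
    """Group frames (src_ip, dst_ip, payload) by transaction id and report anomalies."""
    by_xid: Dict[int, List[dict]] = {}
    for src, dst, raw in frames:
        msg = parse_dhcp(raw)
        msg["src"], msg["dst"] = src, dst
        by_xid.setdefault(msg["xid"], []).append(msg)
    report: Dict[int, List[str]] = {}
    for xid, msgs in by_xid.items():
        findings = []
        order = [m["type"] for m in msgs]
        if order != ["DISCOVER", "OFFER", "REQUEST", "ACK"]:
            findings.append(f"unexpected sequence {order}")
        for m in msgs:
            if m["type"] == "DISCOVER" and (m["src"] != UNSPECIFIED or m["dst"] != BROADCAST):
                findings.append("DISCOVER not sent from 0.0.0.0 to 255.255.255.255")
            if m["type"] in ("OFFER", "ACK") and m["server_id"] not in trusted_servers:
                findings.append(f"{m['type']} from untrusted server {m['server_id']} for {m['yiaddr']}")
        report[xid] = findings
    return report


# Constructed sample: the lease of 192.168.0.5 from the slides, handed out by a
# hypothetical trusted server 192.168.0.1, followed by an offer from a hypothetical
# rogue server 192.168.0.254 in a second transaction. MAC and xids are made up.
MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    (UNSPECIFIED, BROADCAST, build_dhcp(1, 0x1A2B, MAC)),
    ("192.168.0.1", BROADCAST, build_dhcp(2, 0x1A2B, MAC, yiaddr="192.168.0.5", server_id="192.168.0.1")),
    (UNSPECIFIED, BROADCAST, build_dhcp(3, 0x1A2B, MAC, server_id="192.168.0.1", requested="192.168.0.5")),
    ("192.168.0.1", BROADCAST, build_dhcp(5, 0x1A2B, MAC, yiaddr="192.168.0.5", server_id="192.168.0.1")),
    (UNSPECIFIED, BROADCAST, build_dhcp(1, 0x9999, MAC)),
    ("192.168.0.254", BROADCAST, build_dhcp(2, 0x9999, MAC, yiaddr="192.168.0.77", server_id="192.168.0.254")),
]

if __name__ == "__main__":
    for xid, findings in audit_dhcp(SAMPLE_FRAMES, {"192.168.0.1"}).items():
        print(hex(xid), findings or "clean DISCOVER/OFFER/REQUEST/ACK exchange")
```

The first transaction audits clean; the second is reported both for its incomplete sequence and for the Offer coming from a server identifier that is not on the trusted list, which is the check to apply when a capture shows more than one server answering a Discover.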
26
Lab Assignment)
IP address, server identification(5)
We issued ipconfig /release last, so we can see the result in the following
picture.
27
Lab 3 Assignment
Please follow the steps from p22 to p26 in this ppt.
Submit the result in report form.
The report must contain all contents of the slides from
p22 to p26 and the related screenshots.
You should also write the necessary explanations in
your report.
Due: 00:00, Sep. 22, 2012