The objective of this project is to reinforce your understanding of network protocols and the TCP/IP protocol suite. You will use the Wireshark network protocol analyzer. You must:
i) install and become familiar with the basic operation of Wireshark;
ii) capture and analyze a simple HTTP transaction; and
iii) document your work in a short report.
1. Getting Started with Wireshark
Wireshark is a network protocol analyzer that is available under the GNU General Public License. Wireshark allows you to capture network packets that are seen on an interface of your computer (in some cases, even if they are not destined for your computer) and to inspect and analyze captured or stored sets of packets. The tool includes built-in protocol decoders that allow you to inspect protocol-specific fields and flows. This section is intended to get you into the water and swimming with Wireshark.
1.1. Installing Wireshark
Download Wireshark from https://www.wireshark.org/. Run the installation file and follow the instructions to install Wireshark. The default installation is assumed for the project. Note that the Wireshark website includes an FAQ list, a help Wiki, and extensive documentation.
As part of the Wireshark installation, for Windows machines you should also install Npcap. It is recommended that this be done as part of the Wireshark installation. During the installation of Npcap, you can choose to have it started automatically when the system starts.
You are to report on installation in Section 2 of your project report.
1.2. Quick Introduction to Wireshark
Wireshark has three basic functions:
i) capturing packets,
ii) displaying the captured packets; and
iii) analyzing packet flows.
You can capture all traffic on an interface or you can create a capture filter to capture only packets with specific characteristics. After the packets have been captured, you can display all packets or, using a display filter, you can display only packets that have certain characteristics. You can also analyze sets of packets, such as the packets that are part of a TCP session.
As an introduction to some basic functions in Wireshark and to ensure that you can capture packets, carefully follow the steps below. These steps will guide you through the process of capturing, displaying, and analyzing packets from an HTTP (web) session.
Start Wireshark. You should see an opening window similar to the one shown in Figure 1. Select the network interface you are using to connect to the Internet and then click “Capture Options.”
Figure 1. Select the network interface and, then, click “Capture Options” in the opening window.
In the capture options window (see Figure 2), disable (uncheck) the “Use promiscuous mode on all interfaces” option. This limits packet capture to packets originating from or destined for your host (plus broadcast traffic), rather than everything the adapter can hear on the network. This is required for many wireless LAN adapters and is good etiquette for all types of adapters. Also, be sure that “Update list of packets in real time” is selected (checked). This causes Wireshark to display packets as they are captured. [1]
In the same capture options window (see Figure 2), enter “tcp port http” or “tcp port 80” as the capture filter. Capture filters use the BPF (tcpdump) syntax, which is different from the display-filter syntax used later in these steps. This capture filter causes Wireshark to save only TCP packets whose source port or destination port in the TCP segment header is 80, the default HTTP port. So, only traffic to or from a web server (or, at least, to or from the default port for HTTP) will be captured; HTTPS traffic on port 443 will not be. Click on “Start” to start capturing packets.[2]
Figure 2. Turn off promiscuous mode and set capture filter in the capture options window.
Depending on what is happening elsewhere on your host, you may or may not see any packets being displayed. If you do not see any activity, then open a web browser and go to your favorite website, such as http://www.vt.edu/. This will create a flow of packets that should be captured and displayed by Wireshark. After you see some packets, such as in Figure 3, you can stop the capture by selecting the “Capture:Stop” menu item (or by clicking the associated toolbar icon).
Select a particular packet in the top pane of the display. (Note that Packet 88 is selected in Figure 3.) You can then see details of the various protocols used in the middle pane, such as Ethernet, IP, TCP, and, perhaps, HTTP. The bottom pane shows packet contents in hexadecimal and ASCII. You may need to expand the Wireshark window and/or expand panes in the window to see all parts of all three panes. You can also double-click on the packet to open a new window in which to inspect the packet.
Enter a display filter in the “Filter:” box above the packet display. You can directly enter an expression or click on “Expression...” to see a long list of options organized as a hierarchy. Enter “tcp.srcport == 80” in the filter input or use the “Expression...” feature to select this filter, as shown in Figure 4. Then click “Apply” to see just those packets with source port 80, i.e., just those packets sent from the web server. Click “Clear” to remove the display filter.
Figure 3. Example of captured packets.
Figure 4. Example of selecting a display filter expression.
Right click a TCP or HTTP packet, select “Conversation Filter,” and then select “TCP” to display only those packets associated with the packet’s TCP session. Click “Clear” to remove this display filter.
Select the “File:Save” menu item to save a file of the captured packets. Select the “File:Close” menu item to close the captured packets file. Then select the “File:Open” menu item to reopen the file. Verify that it is the same set of captured packets as observed earlier.
You will provide a screen shot of the captured packets, similar to Figure 3 above, in Section 3 of your project report.
You should now have installed Wireshark and you should be able to use it for basic packet capture tasks. Review the Wireshark Users’ Guide (select the “Help:Contents” menu item or see the Wireshark website) and other documents at the Wireshark web site for further information.
2. Packet Analysis with Wireshark
Follow the steps below to analyze an HTTP transfer using Wireshark. You will provide a screen shot and answer the questions given below in Section 4 of your project report.
Open in Wireshark the “pcap file for Packet Analysis with Wireshark” found on the Project 3 Canvas page. This is a pcap capture of a request for http://www.orionsarrow.com/egg.txt (made before the website moved to HTTPS).
From the Wireshark menu, select Statistics → Flow Graph. From the trace obtained, calculate the HTTP response time. The HTTP response time is the time taken for the web server to respond to the HTTP request for egg.txt. This value can be determined by noting the time at which the HTTP request was sent to the server and the time at which the browser received the first TCP segment of the HTTP response. Note that the server may respond with a bare TCP acknowledgment (a segment with no HTTP data) before it responds with the actual HTTP response; that acknowledgment does not count as the response. Include a screenshot of the flow graph to support your calculation.
From the Wireshark menu, select Statistics → Protocol Hierarchy.
1. What percentage of the captured packets are using TCP?
2. From your captured packets, what is an example Application Layer protocol that uses TCP? Include a screenshot of the protocol hierarchy to support your answers.
Find the packet from your host to www.orionsarrow.com that contains the HTTP GET request. By selecting different fields in Wireshark’s middle pane, you can answer the following questions:
1. How many bytes are in the IP header?
2. How many bytes are in the TCP header?
3. How many bytes are in the HTTP message?
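As an added worked example (not part of this project handout and not code from the Wireshark project), the Python script below constructs a small pcap file of a single HTTP/1.1 exchange, decodes the Ethernet, IPv4 and TCP headers by hand, and reproduces the numbers the steps above ask you to read off Wireshark: the display filter tcp.srcport == 80 and the TCP conversation filter from Section 1.2, and the Protocol Hierarchy percentage, the HTTP response time from the Flow Graph, and the IP header, TCP header and HTTP message byte counts from Section 2. The capture is constructed inside the script (RFC 5737 documentation IP addresses, made-up MAC addresses, ports, timestamps and reply body); it is not the egg.txt capture from the Canvas page, so the numbers it prints illustrate the method, not the answers to submit.

```python
"""Constructed HTTP capture, decoded by hand to reproduce what Wireshark's packet
details pane, display filters, Protocol Hierarchy and Flow Graph show. Every
address, port, timestamp and the reply body below is made up for this example."""
import socket
import struct

CLIENT, SERVER = ("192.0.2.10", 49152), ("198.51.100.20", 80)   # (IP, port); RFC 5737 addresses
MAC = {CLIENT[0]: bytes.fromhex("020000000001"), SERVER[0]: bytes.fromhex("020000000002")}
GET_REQUEST = b"GET /egg.txt HTTP/1.1\r\nHost: www.orionsarrow.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 12\r\n\r\nhello, egg!\n"
TS_OPTION = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 2000)  # NOP, NOP, Timestamps: TCP header becomes 32 B
SYN, PSH, ACK = 0x02, 0x08, 0x10

def frame(src_ip, dst_ip, proto, l4):
    """Ethernet + IPv4 header without options (IHL = 5 words = 20 bytes); checksum left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return MAC[dst_ip] + MAC[src_ip] + b"\x08\x00" + ip + l4

def segment(src, dst, seq, ack, flags, payload=b"", options=b""):
    """TCP segment from (ip, port) src to dst; the data offset field counts 32-bit words."""
    hdr_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, (hdr_len // 4) << 4, flags, 65535, 0, 0)
    return frame(src[0], dst[0], 6, tcp + options + payload)

def build_sample_capture():
    """pcap bytes (magic 0xa1b2c3d4, link type 1 = Ethernet): DNS query, handshake, GET, bare ACK, response, ACK."""
    dns = frame(CLIENT[0], SERVER[0], 17, struct.pack("!HHHH", 51234, 53, 20, 0) + b"\x12\x34\x01\x00" + bytes(8))
    c, s = 101, 501                                        # sequence numbers after the handshake
    records = [                                            # (timestamp in microseconds, frame)
        (0, dns),
        (1000, segment(CLIENT, SERVER, 100, 0, SYN)),
        (51000, segment(SERVER, CLIENT, 500, c, SYN | ACK)),
        (51100, segment(CLIENT, SERVER, c, s, ACK)),
        (51200, segment(CLIENT, SERVER, c, s, PSH | ACK, GET_REQUEST, TS_OPTION)),
        (101300, segment(SERVER, CLIENT, s, c + len(GET_REQUEST), ACK)),
        (181200, segment(SERVER, CLIENT, s, c + len(GET_REQUEST), PSH | ACK, RESPONSE)),
        (181300, segment(CLIENT, SERVER, c + len(GET_REQUEST), s + len(RESPONSE), ACK)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_us, f in records:
        out += struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Decode Ethernet/IPv4/TCP headers from a pcap file; one dict per frame."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    assert magic == 0xA1B2C3D4 and linktype == 1, "expected a little-endian Ethernet pcap"
    packets, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        f, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        pkt = {"no": len(packets) + 1, "ts_us": ts_sec * 1_000_000 + ts_usec, "ip": None, "tcp": None}
        if f[12:14] == b"\x08\x00":                        # EtherType IPv4
            ip = f[14:]
            ihl = (ip[0] & 0x0F) * 4                       # IHL field, in 32-bit words
            total_len = int.from_bytes(ip[2:4], "big")
            pkt["ip"] = {"hdr_len": ihl, "proto": ip[9],
                         "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
            if ip[9] == 6:                                 # protocol 6 = TCP
                seg = ip[ihl:total_len]
                data_off = (seg[12] >> 4) * 4              # data offset, in 32-bit words
                pkt["tcp"] = {"sport": int.from_bytes(seg[:2], "big"), "dport": int.from_bytes(seg[2:4], "big"),
                              "hdr_len": data_off, "flags": seg[13], "payload": seg[data_off:]}
        packets.append(pkt)
    return packets

def display_filter_srcport(packets, port=80):
    """Same selection as the display filter tcp.srcport == 80."""
    return [p for p in packets if p["tcp"] and p["tcp"]["sport"] == port]

def conversation_filter(packets, ref):
    """Same selection as Conversation Filter > TCP: ref's 4-tuple in either direction."""
    a = (ref["ip"]["src"], ref["tcp"]["sport"], ref["ip"]["dst"], ref["tcp"]["dport"])
    both = {a, (a[2], a[3], a[0], a[1])}
    return [p for p in packets if p["tcp"]
            and (p["ip"]["src"], p["tcp"]["sport"], p["ip"]["dst"], p["tcp"]["dport"]) in both]

def tcp_percentage(packets):
    """Protocol Hierarchy figure: share of frames that carry a TCP segment."""
    return 100.0 * sum(1 for p in packets if p["tcp"]) / len(packets)

def find_http_get(packets):
    return next(p for p in packets if p["tcp"] and p["tcp"]["payload"].startswith(b"GET "))

def http_response_time_us(packets):
    """Flow Graph reading: from the GET to the first server segment that carries HTTP
    data, deliberately skipping the bare TCP ACK the server sends first."""
    get = find_http_get(packets)
    reply = next(p for p in packets if p["ts_us"] > get["ts_us"] and p["tcp"]
                 and p["tcp"]["sport"] == get["tcp"]["dport"] and p["tcp"]["payload"])
    return reply["ts_us"] - get["ts_us"]

if __name__ == "__main__":
    pkts = parse_pcap(build_sample_capture())
    get = find_http_get(pkts)
    print(f"TCP share of frames: {tcp_percentage(pkts):.1f}%")
    print(f"GET frame {get['no']}: IP header {get['ip']['hdr_len']} B, TCP header "
          f"{get['tcp']['hdr_len']} B, HTTP message {len(get['tcp']['payload'])} B")
    print(f"HTTP response time: {http_response_time_us(pkts) / 1e6:.3f} s")
    print("tcp.srcport == 80 matches frames", [p["no"] for p in display_filter_srcport(pkts)])
```

Two points worth noticing when you compare this with Wireshark's own output. First, the TCP header length comes from the data offset field, not from a fixed 20: the GET carries a 12-byte Timestamps option here, so its TCP header is 32 bytes while the bare ACKs are 20, which is exactly the field Wireshark labels "Header Length" in the middle pane. Second, the response-time function refuses to stop at the server's first segment with an empty payload, which is the bare ACK the handout warns about. The parser is intentionally minimal (no VLAN tags, IPv6, IP fragments or TCP reassembly); for the real Canvas capture, read the values from Wireshark or tshark rather than adapting this script.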