
J.S.S Academy of Technical Education, Bangalore

Department of Computer Science and Engineering

CN ASSIGNMENT
A case study on
“ WIRESHARK ”

Submitted by:

Umesh Devgade (1JS15CS111)

Marks obtained: ____________

Staff Signature: ____________


Case study on Wireshark

Objective of the Wireshark packet analyzer tool:-

Wireshark is very similar to tcpdump, but has a graphical front-end, plus integrated sorting
and filtering options.
Wireshark lets the user put network interface controllers into promiscuous mode (if supported by
the network interface controller), so they can see all the traffic visible on that interface, including
unicast traffic not sent to that network interface controller's MAC address. However, when
capturing with a packet analyzer in promiscuous mode on a port of a network switch, not all
traffic through the switch is necessarily sent to the port where the capture is done (a switch only
floods broadcast, multicast and unknown-destination frames to every port), so capturing in
promiscuous mode is not necessarily sufficient to see all network traffic. Port mirroring (SPAN) or
network taps extend capture to any point on the network. Simple passive taps are extremely
resistant to tampering.
On GNU/Linux, BSD, and macOS, with libpcap 1.0.0 or later, Wireshark 1.4 and later can also
put wireless network interface controllers into monitor mode.
If a remote machine captures packets and sends them to a machine running Wireshark using the
TZSP protocol or the protocol used by OmniPeek, Wireshark dissects those packets, so it can
analyze packets captured on a remote machine at the time they are captured.

Features of the tool:-
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a
number of other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save captured packet data.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize the packet display based on filters.
• Create various statistics.

Capturing and tracing the packets using Wireshark:-


The following methods can be used to start capturing packets with Wireshark:

• Double-click on an interface in the main window.
• Get an overview of the available interfaces using the "Capture Interfaces" dialog box
and start the capture from there.
• Immediately start a capture using your current settings by selecting
Capture → Start or by clicking the first toolbar button.
• If you already know the name of the capture interface, start Wireshark from the
command line:

$ wireshark -i eth0 -k

This starts Wireshark capturing on interface eth0 (-i selects the interface, -k starts the capture
immediately instead of waiting for Capture → Start). Opening an interface for capture needs the
appropriate privileges; on Linux this normally means running as root or being a member of the
group (usually "wireshark") that is allowed to run dumpcap.

Snapshots:-
2. Conduct the following experiments using Wireshark and show the results

1. Check the network interface card (NIC) whose traffic will be captured and analyzed using
Wireshark. The menu Capture → Interfaces (then Details for the selected interface) should be
used. The students must check the capabilities of the NIC which is used for packet capturing
purposes. At the end of this step, answer the following questions:

a. What media type is supported by the NIC?
-> image/jpeg

b. Who is the vendor of the NIC?
-> Atheros

c. Which is the MAC address of the network card?
-> 75-5C-14-48-26-55

d. What is the size of the packets supported by this interface?
-> 1392

e. What is the link speed?
-> 3128bps

2. Define the capture options and start the capture. The menu used is Capture → Options. The
Ethernet card must be selected as the capture interface and then the pre-defined capture filters
should be checked. Before starting the capture using the Start button in the right-hand corner,
the students write down the answers to the following questions:

a. How many interfaces can be selected from, for capturing purposes, and what are the properties
of these interfaces?
-> 1
Interface id: 0 (\Device\NPF_{CD3583-F73D-44E3-F915-3EC5283DA4AB})
Interface name: \Device\NPF_{CD13C583-F73D-44E3-F915-3EC5283DA4AB}

b. List five of the pre-defined capture filters and explain their meaning. These filters can be
browsed from the Capture menu, using the button named Filter (they are libpcap/BPF capture
filters, applied before packets are stored, unlike display filters).
-> not arp: capture everything except ARP traffic (a separate predefined filter, "not arp and port
not 53", also drops DNS)
ip: capture only IPv4 traffic; the shortest filter, but sometimes very useful to get rid of lower-layer
protocols like ARP and STP
ip6: capture only IPv6 traffic (the related predefined filter "dst host ff02::1" keeps only IPv6
"all nodes" traffic such as router and neighbor advertisements, and can be used to find rogue RAs)
tcp: capture only TCP segments
udp: capture only UDP datagrams

3. Start a capture which will be automatically stopped after 20 seconds. The capture duration can
be set from the same menu (Capture → Options, "Stop capture after"). For this first capture, no
filtering option is used. Try to identify the TCP and UDP packets and answer the following questions:

a. What are the protocols analyzed in the lower part of the window (when you select a packet in
the upper part using the arrows or the mouse)?
-> ICMP, TCP, UDP

b. What is the length of the packets? Is this length the same for all the upper-layer protocols
(TCP, UDP etc)?
-> UDP: 105 bytes
TCP: 58 bytes
ICMP: 93 bytes
No, the length changes with the upper-layer protocol.

c. Browse the protocols in the downward direction. Try to identify and to write down the header
lengths for all the protocols involved and to establish the position that each header occupies in
the captured frame. An example is given below for the IP header:
-> Internet Protocol Version 4, Src: 104.2.1.1, Dst: 96.22.11.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 50
Identification: 0x5cdf (23775)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 128
Protocol: TCP (6)
Header checksum: 0x0000 [validation disabled]
[Header checksum status: Unverified]
Source: 104.2.1.1
Destination: 96.22.11.1
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]

4. Check some statistical information about the packets transferred during the capture. Browsing
the submenus of the Statistics menu (Summary, Conversations), find out and write down: the total
number of captured packets, the average throughput, the average packet size. Which protocols from
the conversation list were not used during the capture?
-> The total number of captured packets: 45
The average throughput: 24.999
The average packet size: 255.55 bytes

5. Build a new capture filter that captures only HTTP traffic over IP, with both TCP and UDP as
the transport-layer protocol (the predefined "TCP or UDP port 80 (HTTP)" filter, "port 80", does
this), for a duration of 30 seconds. Start the capture, let it stop, then identify and write down
the following information: the protocol hierarchy (Statistics → Protocol Hierarchy) and the
conversations, by IP address (Statistics → Conversations, IPv4 tab).
Protocol hierarchy:
Conversation:
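As an added worked example (it is not part of this assignment and not Wireshark's own code), the following Python script does by hand what steps 3c, 4 and 5 ask Wireshark for: it dissects the IPv4 header of a raw packet into the same fields as the packet-details pane, verifies the header checksum that Wireshark leaves "Unverified" by default, and then builds the protocol hierarchy, the IPv4 conversation list and the average packet size over a small capture. The three packets are constructed inside the script (they are not captured traffic); the addresses, identification, TTL and total length of the first one are taken from the IP header shown in step 3c, while the packet types, ports and payload contents are assumptions.

```python
"""Dissect IPv4 packets the way Wireshark's packet-details pane does, then build the
Protocol Hierarchy / Conversations statistics over a constructed capture.
Added example: nothing here is Wireshark code; the packets are built in this script."""
import socket
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident=0x5CDF, ttl=128, dont_fragment=True):
    """Constructed test packet (not captured traffic): 20-byte IPv4 header + payload."""
    flags_frag = 0x4000 if dont_fragment else 0          # DF is bit 14 of the flags/offset word
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # patch checksum in
    return hdr + payload


def dissect_ipv4(pkt: bytes) -> dict:
    """Return the fields Wireshark lists under 'Internet Protocol Version 4'.
    The bytes are untrusted, so every length is validated before it is used."""
    if len(pkt) < 20:
        raise ValueError("truncated: need at least 20 bytes, got %d" % len(pkt))
    (vihl, dsfield, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4: version %d" % version)
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad lengths: ihl=%d total=%d have=%d" % (ihl, total_len, len(pkt)))
    hdr = pkt[:ihl]
    return {
        "version": version,
        "header_length": ihl,                        # "Header Length: 20 bytes (5)"
        "dscp": dsfield >> 2, "ecn": dsfield & 0x3,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum": csum,
        # Wireshark shows "[validation disabled] / Unverified" by default; we verify it.
        "checksum_ok": ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "payload": pkt[ihl:total_len],               # trailing Ethernet padding is dropped
    }


def transport_ports(protocol: str, payload: bytes):
    """TCP and UDP headers both start with 16-bit source and destination ports."""
    if protocol in ("TCP", "UDP") and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return None


def summarize(packets):
    """What Statistics -> Protocol Hierarchy and Conversations -> IPv4 report for a capture."""
    hierarchy, conversations, total_bytes = Counter(), Counter(), 0
    for pkt in packets:
        ip = dissect_ipv4(pkt)
        total_bytes += len(pkt)
        hierarchy["ipv4"] += 1
        hierarchy["ipv4/" + ip["protocol"].lower()] += 1
        # A conversation is an unordered address pair: A->B and B->A count together.
        conversations[tuple(sorted((ip["src"], ip["dst"])))] += 1
    return {"packets": len(packets),
            "avg_packet_size": total_bytes / len(packets) if packets else 0.0,
            "hierarchy": dict(hierarchy),
            "conversations": dict(conversations)}


# Constructed sample capture (assumption: three packets, not real traffic).
# The first reuses the addresses, ID, TTL and total length (50) of the IP header in step 3c:
# 20-byte TCP SYN header (sport 49152 -> 80, seq 1, data offset 5, SYN, window 65535) + 10 pad.
TCP_SYN = build_ipv4("104.2.1.1", "96.22.11.1", 6,
                     struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x50, 0x02, 65535, 0, 0) + b"\x00" * 10)
UDP_DNS = build_ipv4("104.2.1.1", "96.22.11.2", 17,
                     struct.pack("!HHHH", 53000, 53, 20, 0) + b"\x00" * 12)       # 8-byte UDP hdr + 12
ICMP_ECHO = build_ipv4("96.22.11.1", "104.2.1.1", 1,
                       struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"A" * 8)           # echo request
SAMPLE_CAPTURE = [TCP_SYN, UDP_DNS, ICMP_ECHO]

if __name__ == "__main__":
    for field, value in dissect_ipv4(TCP_SYN).items():
        print("%-16s %r" % (field, value))
    print(summarize(SAMPLE_CAPTURE))
```

Running the script prints the dissected fields of the first packet and the statistics for the three-packet capture. The length checks in dissect_ipv4 are the part worth copying: an IHL below 20 or a Total Length larger than the bytes actually present is exactly the kind of malformed header a dissector must reject rather than slice past.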
