201O International Conference on E-Health Networking, Digital Ecosystems and Technologies
Analysis and Application of Wireshark in TCP/IP Protocol Teaching
Shaoqiang Wang DongSheng Xu
School of Computer Science and Department of Information
Technology Technology
Changchun University Yulin University
Changchun, China Yulin,China
[email protected]
[email protected]
[email protected]
Abstract-TCP/IP is widely employed to interconnect
computing facilities in today's network environments, and it
is the most important content of networking elements study.
This paper introduces the functions and characteristics of
Wireshark, and expounds its analysis and application in
TCP/IP protocol teaching by some specific examples. The
practice shows that good teaching result will be received with
the aid of Wireshark and it is worth popularization and
application.
Keywords- Wireshark; TCPI/P; protocol; teaching
I. INTRODUCTION
TCP/IP (Transmission Control Protocol/Internet
Protocol) is the basic communication language or protocol
of the Internet, and it is a set of protocols developed to
allow cooperating computers to share resources across a
network. The TCP/IP protocol suite is made of five layers:
physical, data link, network, transport, and application.
The layers contain relatively independent protocols that
can be mixed and matched depending on the needs of the
system [1]. These network protocols are the important and
difficult points of TCP/IP protocol courses. If students
don't understand the format and parameter of
PDU(Protocol Data Unit), will couldn't understand fully
the principle and function of each layer in network. But the
content is abstract and boring, the teaching effect is not
perfect sometimes. Wireshark is an excellent tool with
analysis and measurement of network traffic monitoring.
To introduce Wireshark in the teaching process, on the one
hand an amount of information can be greatly enhanced in
the classroom to improve teaching efficiency, interaction
and interest, which will help students master the abstract
theories of TCP/IP protocol; The other hand, enable the
students to master the Wireshark, which is often used as
the analysis of monitoring tools in a network environment,
will be with great help to diagnose and solve network
problems.
II. ABOUT WIRES HARK
Wireshark is a free and open-source packet analyzer. It
is used for network troubleshooting, analysis, software and
communications protocol development, and education.
Originally named Ethereal, in May 2006 the project was
renamed Wireshark due to trademark issues [2]. It has all
978-1-4244-5517-11101$26.00 ©2010 IEEE
269
ShiLiang Yan
Engineering & Technology Center
Southwest University of Science and
Technology
Mianyang, China
of the standard features you would expect in a protocol
analyzer, and several features not seen in any other
product. Its open source license allows talented experts in
the networking community to add enhancements. It runs
on all popular computing platforms, including Unix,
Linux, and Windows [3]. Network administrators use it to
troubleshoot network problems; Network security
engineers use it to examine security problems; Developers
use it to debug protocol implementations; Students use it to
learn TCP/IP protocol. In the teaching process we can use
it to capture packets and analyze packet structure. MAC
frame, IP datagram, TCP packet segment, and other
content and transmission of PDU can be directly observed
by students, which can get twice the result with half the
effort in TCP/IP protocols learning. The version of
Wireshark is 0.99.5 in this article.
Ill. TYPICAL CASES OF WIRESHARK IN ASSISTING
TCPIIP PROTOCOL TEACHING
Here we have two examples on how to use Wireshark
assistant with TCP/IP protocol teaching, the two section
are the important and difficult points of TCP/IP protocol
teaching. Experimental devices are two hosts, host A and
host B on LAN. IP address of host A is 192.168.0.10,
physical address of host A is OO:02:3f:02:3b:ed, IP address
of host B is 192.168.0.20, physical address of host B is
00:11:11:02:59:e8. Host A is equipped with Wireshark, all
operations are done on host A. In order to facilitate
analysis, we can set filters, only snatch communication
data between host A and B. We can also set up specific
filter protocols further, such as snatch data only contain
ARP or ICMP protocol according to later experiments.
A. Address Resolution Protocol (ARP)
ARP is the acronym for Address Resolution Protocol, a
network layer protocol used to convert an IP address into a
physical address. This section requires students to master
the contents of ARP packet format, understand the
function and principle. To be able to capture ARP packets,
firstly execute the command "arp -d' to clear the arp
cache. Second, click the start capturing button in
Wireshark toolbar, and then execute the command "ping
192.168.0.20". The capture of ARP packets is shown in
Figure l.
EDT2010
 No. _I Source I Destination
1 00 02·3f.02.3b ed ff"ffff ff ff ff ARP
2 00:11:11:02:59:e8 00:02:3f:02:3b:ed ARP
I±l Frame 1 (42 bytes on wire, 42 bytes captured)
BEthernet II, Src: 00:02:3f:02:3b:ed (00:02:3f: 02:3b:ed), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
I±l Destinati 0 n: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
I±l Source: 00:02:3f:02:3b:ed (00:02:3f:02:3b:ed)
Type: ARP (Ox0806)
B Address Resolution Protocol (request)
Hardware type: Ethernet (Ox0001)
Protocol type: IP (Ox0800)
Hardware size: 6
Protocol size: 4
Opcode: request (Ox0001)
Sender MAC address: 00:02:3f:02:3b:ed (00:02:3f:02:3b:ed)
Sender IP address: 192.168.0.10 (192.168.0.10)
Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
Target IP address: 192.168.0.20 (192.168.0.20)
Figure 1.
Now, we analyze the captured data by Figure 1, the
first line(No.1) is an ARP request packet. Host A wants to
find the physical address of host B on the LAN, it sends an
ARP request packet. The packet includes the physical and
IP address of the sender (host A) and the IP address of the
receiver (host B). Because host A does not know the
physical address of host B, the request is broadcast over
the LAN, so that all the hosts on the LAN will receive the
request. The second line(No.2) is an ARP reply, every host
on the LAN receives and processes the ARP request packet,
but only host B sends back an ARP reply. The reply packet
contains the IP and physical addresses of host B. The
packet is unicast directly to host A using the physical
address received in the request packet. After receiving
ARP reply from host B, the mapping between IP address
and the physical address of host B is written into ARP
cache of host A. When host A communicate with host B
the next time, it can find the physical address directly from
the cache instead of using broadcast to send the ARP
request packet. The above illustrates the working principle
and analytical process of the ARP protocol.
We can also view specific format and parameters of the
captured data packet through packet details. As shown in
Figure 1, there are 42 bytes in this frame. Destination
address is ff:ff:ff:ff:ff:ff, Source address is
00:02:3f:02:3b:ed, it means that the frame is sent from
host A to all the hosts on the LAN. Type (data type) of
Ox0806 indicates that the data type of the frame is ARP.
Hardware type of Ox0001 means that the type of the
network is standard Ethernet. Protocol type of Ox0800
means IPv4 protocol. Hardware size of 6 means that the
length of the physical address accounts for 6 bytes.
Iprotoco II Info
Who has 192.168.0.20? Tel1192 168 0 10
192.168.0.20 is at 00:11:11:02:59:e8
ARP Packet
Protocol size of 4 means that the length of logical address
accounts for 4 bytes. Opcode of request(OxOOO1) presents
that the type of the packet is ARP request. Sender MAC
address is 00:02:3f:02:3b:ed. Sender IP address is
192.168.0.10. Target MAC address is 00:00:00:00:00:00,
this field is all 0 because the sender does not know the
physical address of the target. Target IP address is
192.168.0.20. By analyzing with the captured data,
students can see the format, content and transmission
process of ARP realistically, which is more effective
especially compared with the traditional teaching in the
working principle understanding.
B. IP Datagram Format and Fragmentation
A datagram can ravel through different networks. Each
router decapsulates the IP datagram from the frame it
receives, processes it, and then encapsulates it in another
frame. The format and size of the received frame depend
on the protocol used by the physical network through
which the frame has just traveled. The format and size of
the sent frame depend on the protocol used by the physical
network through which the frame is going to travel. Each
data link layer protocol has its own frame format. When a
datagram is encapsulated in a frame, the total size of the
datagram must be less than maximum transfer unit (MTU)
[1]. This section requires students to master the contents of
IP datagram format, understand the process of IP datagram
fragmentation. Click the start capturing button in
Wireshark toolbar, then execute the command ping
"192.168.0.20 -I 3000", some of the data packets are
captured which is shown in Figure 2.
270
 No 1 Source
. • 1 Destination Iprotocoll Info
1 192.168.0.10 192.168.0.20 IP Fragmented IP protocol (proto=IC MP Ox01, off=O)
2 192.168.0.10 192 168 0.20 IP Fragmented IP protocol (proto=IC MP Ox01, off=1480)
3 192.168.0.10 192.168.0.20 IC MP Echo (ping) request
4 192.168.0.20 192.168.0.10 IP Fragmented IP protocol (proto=IC MP Ox01, off=O)
5 192.168.0.20 192.168.0.10 IP Fragmented IP protocol (proto=IC MP Ox01, off=1480)
6 192.168.0.20 192.168.0.10 IC MP Echo (ping) reply

I±l Frame 2 (1514 bytes on wire, 1514 bytes captured)

I±l Ethernet II, Src: 00:02:3f:02:3b:ed (00:02:3f:02:3b:ed), Dst: 00:11 :11:02:59:e8 (00:11 :11:02:59:e8)
EJ Internet Protocol, Src: 192.168.0.10 (192.168.0.10), Dst: 192.168.0.20 (192.168.0.20)
Version: 4
Header length: 20 bytes
I±l Differentiated Services Field: OxOO (DSCP OxOO: Default; ECN: OxOO)
Total Length: 1500
Identification: Oxebb2 (60338)
EJ Flags: Ox02 (More Fragments)
0.. . = Reserved bit: Not set
.0 .
. = Dont fragment: Not set
..1. = More fragments: Set
Fragment offset: 1480
Time to live: 64
Protocol: ICMP (Ox01)
I±l Header checksum: Oxe746 [correct)
Source: 192.168.0.10 (192.168.0.10)
Destination: 192.168.0.20 (192.168 0.20)
Reassembled IP in frame: 3
Data (1480 bytes)

Figure 2. IP Datagram Format and Fragmentation

With the use of the command "ping 192.168.0.20 -I
3000", ICMP packet carries 3000 bytes of data, coupled
with ICMP header and IP header, it has been over the
MTU of data link layer protocol in Ethernet. Therefore, the
excessive datagram must be divided before the
transmission on the network. We can see the IP datagram
of the ICMP request and reply are divided into three
fragment from Figure 2. Confined to the length of the
thesis, we only analyze the second fragment of the ICMP
request packet in the text.
Source MAC address is 00:02:3f:02:3b:ed, Destination
MAC address is 00:11:11:02:59:e8, it means that the frame
is sent from host A to host B. Version of 4 means that the
version of the IP protocol is IPv4. Header length of 20,
means the header length of degree is 20 bytes. Total length
of 1500 indicates that the IP datagram (or fragment) total
length is 1500 bytes. Identification of Oxebb2(60338)
indicates that the IP datagram (or fragment) identification
is 60338. Flag segment as Flags is a three-bit field. The
first bit is reserved. The second bit is called the do not
fragment bit, its value is 0 means the datagram can be
fragmented if necessary. The third bit is called the more
fragment bit, its value is 1 means the datagram is not the
last fragment, there are more fragments after this one.
Fragment offset of 1480 shows the relative position of this
fragment with respect to the whole datagram is 1480 bytes,
that is the former fragment contains the first 1480 bytes
data of the higher protocol; Time to live of 64 means the IP
datagram's lifetime is 64 hops; Protocol of ICMP(OxOl)
indicates that the higher level protocol that uses the
services of the IP layer is ICMP, this field specifies the
final destination protocol is to which the IP datagram
should be delivered. Header checksum is the error
detection method used by most TCP/IP protocols, its value
is Oxe746. Source of 192.168.0.10 and Destination of
192.168.0.20 indicates that the IP datagram(or fragment) is
sent from host A to host B. Data of 1480 indicates that the
fragment carries 1480 bytes data of the higher layer. Test
to ascertain discrepancies between the captured results and
IP fragmentation principle again, as ICMP carries 3000
bytes, coupled with 8 bytes of its header, the total bytes is
3008, with the MTU of data link layer protocol in Ethernet
is 1500, then get rid of 20 bytes IP header, each fragment
can only get 1480 bytes, the offset of the data in the
original datagram measured in units of eight bytes. so 3008
bytes are divided into three parts:1480, 1480, 48, then the
length of the three datagram fragment should be 1500,
1500, 68 after plusing 20 bytes of the IP header, that is
consistent with the results of the captured data completely.

271
 IV. CONCLUSION REFERENCES

The application form of Wireshark is flexible and [ 1] Behrouz A.Forouzan, TCP/IP Protocol Suite [M], Third Edition.
Beijing: Tsinghua University, 2006.
diversified during the teaching. Practice has proved that,
the use of Wireshark during TCP/IP protocol teaching can [2] http://en.wikipedia.orgiwiki/Wireshark

improve the effort and make the abstract theoretical [3]
knowledge emerge with direct and active examples. The [4]
students have been interested in learning, and good
teaching effect has received considerable. Wireshark is [5]
useful and should to be spread as a supplementary means
for TCP/IP protocol teaching.
[6]
http://www.ethereal.com/
Xiren Xie, Computer network [M], 5th edition, Beijing: Electronic
Industry, 2008.
Tian Junsong, Huangfu Daen, "The Application of Ethereal in
<Network Protool> Teaching," Educaton Popularizer, 2008.9,
pp.63-64,54.
Huang Xiaoyan, "Network Protocol Analysis Based on Ethereal,"
Tropical Agricultural Engineering, Yol.33, No. 1, 2009.2, pp.42-45.

272