Lab 3 - Student

This document provides instructions for a lab on network traffic analysis. The objectives are to use Wireshark to capture and inspect network traffic, and to apply UNIX file permissions using the command line. The lab consists of 3 tasks: 1) using Wireshark to capture network traffic by pinging and browsing a website, 2) analyzing the captured network traffic in Wireshark by filtering packets and examining details at each TCP/IP layer, and 3) changing file permissions in UNIX using the CHMOD command.

Uploaded by salwa

Lab 3: Network Traffic

Objectives
In this practical you will use Wireshark to capture and inspect network traffic. You will also apply UNIX file permissions using the command line.

CLO: 2
Duration: 60+ min

Requirements
- Lab PC
- Kali Linux (installed)
- Lab Files: VM XP Professional.zip

Tasks
- Task 1: Capture Network Traffic (Wireshark)
- Task 2: Analyze Network Traffic (Wireshark)
- Task 3: Change Permissions (CHMOD)

About Wireshark
Wireshark is a network protocol analyzer. It lets you see what's happening on your network at a microscopic level.

Wireshark has a rich feature set which includes the following:
- Deep inspection of hundreds of protocols
- Live capture and offline analysis
- Standard three-pane packet browser
- Multi-platform: runs on Windows, Linux, OS X, and many others

http://www.wireshark.org

Student Notes

1 | Intrusion Detection | Lab Instructor Manual | Dr. Samer Aoudi | Updated September 2018

The TCP/IP Stack
Task 1: Capture Network Traffic (Wireshark)
Task Objectives
- You will capture network traffic using Wireshark

Wireshark
1. Go to Kali and from the Applications menu select 09 - Sniffing & Spoofing → Wireshark

2. If you get an error, ignore it (click Ok)

Wireshark can capture network traffic (i.e. packets) going into and out of your computer through one of its network interfaces (e.g. NIC or wireless NIC). When you start a network traffic capture, you must tell Wireshark which interface to listen on.

3. Before we select the network interface, let's find its name. Open a terminal window and run the ifconfig command (notice the eth0 interface)

4. Go back to Wireshark and click Capture as shown below


5. Make sure eth0 is selected and click the Start button

6. Minimize Wireshark and go to your terminal window again


7. In the terminal window, ping google.com as shown below

Notice the IP address of the Google server (216.58.207.14 in the screenshot above)

8. After capturing a few packets, stop the ping command (ctrl+c)

9. Go to Wireshark and stop the capture
Let's save the capture file:
10. Go to the File menu and click Save
11. Name the file ping and save it on the Desktop

We have already captured PING (or ICMP) traffic. Let's capture web (or HTTP/HTTPS) traffic:
12. Go back to Wireshark and start capturing traffic again

13. Start the web browser and type the following address: google.com
14. After the webpage loads, close the browser and go back to Wireshark
Wireshark has now captured the web communication that went through your VM's eth0 interface
15. Stop the capture using the stop button
16. Save the capture file as web on the Desktop

Q: What is the extension of a Wireshark capture file?
A: .pcapng
Wireshark Packet Output Interface

Wireshark Panes:
When Wireshark captures network traffic, it displays the results (output) in 3 panes:
1. The packet list pane
- The upper pane displays the packets in order by their number; you can also see the source and destination IP addresses as well as the protocol and length.
2. The packet details pane
- This middle pane shows the protocols and protocol fields of the packet selected in the "Packet List" pane. The protocols and fields of the packet are displayed as a tree, which can be expanded and collapsed.
3. The packet bytes pane
- This lower pane shows the data of the current packet (selected in the "Packet List" pane) in hexdump style.

Also notice the status bar, which displays informational messages.

17. When you select a packet/frame in the Packet List pane, you will get its details in the Details pane. Select a few packets and check out the information about them.

Q: What is the total number of packets captured in ping.pcapng?
A: 20
Q: What is the total number of packets captured in web.pcapng?
A: 1163

18. Open the ping.pcapng file and sort the results by protocol

Q: What is the total number of ICMP packets?
A: 18
Q: What is the IP address of google.com?
A: 172.217.19.174
Q: How did you get the answer for the question above?
A: By looking into the destination IP address

Filter:
Wireshark may capture thousands of packets, which makes it difficult to locate what you're looking for unless you can sort and filter. Wireshark provides a powerful filter tool readily available above your packet list pane.

19. Type icmp in the filter field and hit enter

Notice the status bar at the bottom (your number may vary). In the screenshot below, 10 ICMP packets are displayed out of 29 total (after applying the filter)

20. Open the web.pcapng file and filter using http

OCSP:
When you filter on HTTP packets, you may also get some OCSP traffic. The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Q: What is the total number of HTTP packets (including OCSP)?
A: 22
Q: How did you get the answer for the question above?
A: At the end of the page you will see the number of packets in total, and this number will change depending on the result of your search.
Q: How can you clear a filter?
A: By clicking on the “X” button at the end of the search bar.

The communication that took place between your web browser and the Google web server is HTTP traffic via port 80 (or maybe HTTPS via port 443). However, before the HTTP traffic, your computer and the server performed a 3-way TCP handshake.

The 3-way handshake is the TCP way to establish communication between the sender and the receiver (similar to what you would do on a walkie-talkie):
1. SYN (do you hear me?)
2. SYN-ACK (yes I hear you; do you hear me?)
3. ACK (yes I hear you)

[--End of Task 1--]


Task 2: Analyze Network Traffic (Wireshark)
Task Objectives
- You will analyze network traffic

The TCP/IP stack layers are:
1. Network
2. Internet
3. Transport (e.g. TCP and UDP)
4. Application (e.g. HTTP)

Wireshark’s Packet Details pane organizes the information about each packet based on the different TCP/IP layers:

Working with Capture Files

1. From the lab files provided, open capture1.pcap in Wireshark

2. Answer the following questions:
Q: How many packets are there in total?
A: 43
Q: How many different protocols are there, and what are they?
A: DNS, HTTP, TCP
Q: What's an easy way to get the answer for the question above?
A: By clicking on this, which will help rearranging the protocols, showing all the different protocols in sections.
Q: In packet #1, what is the source IP address?
A: 145.254.160.237
Q: In packet #1, what is the destination IP address?
A: 65.208.228.223
Q: Which TCP/IP layer has the IP address information?
A: Network
Q: In packet #1, what is the source port?
A: 3372
Q: In packet #1, what is the destination port?
A: 80
Q: What can you conclude from the information about the ports and why?
A: To know which service is open, which will help with identifying the weak entry points.
Q: Which TCP/IP layer has port information?
A: Transport

Q: What TCP flags are used in packet #1?
A: SYN
Q: What flags are used in packet #2?
A: SYN, ACK
Q: What can you conclude about packets 1, 2, and 3?
A: Three-way handshake
Q: What is the protocol in packet #4?
A: HTTP
Q: What is the TCP/IP layer of the protocol of packet #4?
A: Application layer
Q: Can you find IP address, port, and flag information within packet #4? Explain
A:

Q: Analyze packet #13 in terms of its TCP/IP information.
A:
Layer 1 Physical layer:
Layer 2 Datalink:
Layer 3 Internet:
Layer 4 Transport:
Q: Can you find TCP flags in this packet? Why or why not?
A: No, there are no flags in this packet because UDP is a connectionless protocol.
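The 3-way handshake from Task 1 and the per-layer breakdown and "UDP has no flags" point from Task 2 can be reproduced without the GUI. This is an added example, not code from the lab manual: a minimal pcap decoder run over a capture constructed inline (the two hosts and ports are those of the lab's packet #1; the 192.0.2.53 resolver address is a placeholder) that reports the Internet- and Transport-layer fields Wireshark shows and checks whether packets 1-3 form SYN, SYN-ACK, ACK.

```python
import struct
# All packets here are constructed for this example (not from the lab's capture files):
# one Ethernet II / IPv4 frame per packet, stored in a classic little-endian pcap container.
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload
def _tcp(sport, dport, flags):  # 20-byte TCP header; the flags byte sits at offset 13
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
def _udp(sport, dport):         # 8-byte UDP header; there is no flags field at all
    return struct.pack("!HHHH", sport, dport, 8, 0)
ETH = b"\x00" * 12 + b"\x08\x00"            # zero MAC addresses, EtherType 0x0800 = IPv4
A, B = "145.254.160.237", "65.208.228.223"  # the two hosts from the lab's packet #1
PACKETS = [
    ETH + _ipv4(A, B, 6, _tcp(3372, 80, 0x02)),         # 1: SYN
    ETH + _ipv4(B, A, 6, _tcp(80, 3372, 0x12)),         # 2: SYN-ACK
    ETH + _ipv4(A, B, 6, _tcp(3372, 80, 0x10)),         # 3: ACK
    ETH + _ipv4(A, "192.0.2.53", 17, _udp(3009, 53)),   # 4: DNS over UDP (placeholder resolver)
]
PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in PACKETS)
FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH")]

def decode_pcap(data):
    """One dict per packet with the Internet- and Transport-layer fields Wireshark shows."""
    out, off = [], 24                        # skip the 24-byte pcap global header
    while off < len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = frame[14:]                      # past the Ethernet header (Network layer)
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        l4 = ip[ihl:]                        # Transport layer begins after the IP header
        pkt = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
               "transport": {6: "TCP", 17: "UDP"}.get(proto, str(proto))}
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        # Only TCP carries flags; for UDP (connectionless) report None instead of guessing.
        pkt["flags"] = [n for bit, n in FLAG_NAMES if l4[13] & bit] if proto == 6 else None
        out.append(pkt)
    return out

def is_three_way_handshake(pkts):
    """True when packets 1-3 are SYN, SYN-ACK from the peer, ACK on the SYN's five-tuple."""
    if len(pkts) < 3:
        return False
    flows = [(p["src"], p["sport"], p["dst"], p["dport"]) for p in pkts[:3]]
    reply = (flows[0][2], flows[0][3], flows[0][0], flows[0][1])
    return ([p["flags"] for p in pkts[:3]] == [["SYN"], ["SYN", "ACK"], ["ACK"]]
            and flows[1] == reply and flows[2] == flows[0])
```

Pointing decode_pcap at the bytes of capture1.pcap instead of PCAP gives the same per-packet fields the lab's Packet Details pane shows, as long as the file is a classic little-endian pcap with Ethernet framing.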

Advanced Filters (Expressions)

3. Click the Expression button in the filter bar

This will open the expression builder

4. Scroll down the field name list and expand the IPv4 - Internet Protocol Version 4 field group
5. Select the first field, ip.addr
6. In the Relation list, select ==
7. Type the IP address as shown below and click OK
Expression Builder

8. In the Filter bar, click the apply button to apply the IP filter you created

9. Notice that only 34 packets are now displayed (from a total of 43)

[--End of Task 2--]


Task 3: Change Permissions (CHMOD)
Task Objectives
- You will modify file permissions using the chmod utility

UNIX Permissions:
The first character (- or d) states whether it's a file or a directory (folder). After that there are three categories (user/group/other). For each category, there are three permission types: read (r), write (w), and execute (x). If a permission is not set, there will be a hyphen (-) in its place.

Example:

Display Permissions:

1. With Kali running, right-click the capture1.pcap file and click Properties then
select the Permissions tab

The 3 Roles or Categories

2. Answer the following

                           Text   Binary   Octal
Owner / User Permissions   rwx    421      111
Group Permissions          r--    400      100
Other Permissions          r--    400      100

3. Write down the full permission for this file as one block (e.g. drwxrwxrwx)
Full Permissions           777
Full Permissions (Octal)   111111111

4. Close the properties window


5. Right-click on the Desktop and click Open Terminal
6. Type the following command to create a new text file

7. This will open the text editor. Type some content and save the file on the Desktop as
Permissions1

8. Close the text editor (Permissions1 should now be on your Desktop)

9. In the terminal window, type the following command

Ensure that you are in the Desktop folder (if not, use the cd command). Example: cd Desktop

Q: How would you find out more information about the ls command and its options?
A: Using the man pages (man ls)
10. Write down the full permissions for the following:
               Text        Binary   Octal
.              rwxr-xr-x   755      111 101 101
..             rwxr-xr-x   755      111 101 101
Permissions1   rw-r--r--   644      110 100 100

Change Permissions:
chmod:
The chmod utility changes the file mode bits of a specified file or folder (i.e. it is used to change permissions). We can use it in text (symbolic) mode or in octal mode. For this activity, we will use octal mode in this format:
chmod [option] octal-mode file-name

Example:

The -c option displays the changes made

11. Change the permissions for the Permissions1 file to rwxrw-r-- (using octal mode and displaying changes)
Q: What is rwxrw-r-- in octal?
A: 111 110 100
Q: Then write the chmod command to change the permissions to the above (octal mode)
A: chmod 764 Permissions1

12. Change the permissions for the Permissions1 file to r--r--r-- (using octal mode and displaying changes)
Command (Octal Mode): chmod 444 Permissions1

[--End of Task 3--]


Review Questions
The following questions are based on the information and activities performed in the activity you just completed.

1. Which one is not a packet pane in Wireshark?
A. Packet Names
B. Packet List
C. Packet Details
D. Packet Bytes

2. Which statement is true about HTTP?
A. It uses port 443
B. It uses port 80
C. It doesn’t require a TCP handshake
D. It uses the same port as HTTPS

3. What command is used to change file permissions in Linux?
A. chgmod
B. chmode
C. chgmode
D. chmod

4. What is r-xr----- in octal?
A: 450

5. What protocol does PING use?
A: icmp

6. What is the default port for DNS?
A: 53
