
LAB 1: APPLICATION LAYER VERSION 5.

Lab 1: Application Layer


Objective
Having gotten our feet wet with the Wireshark packet sniffer in the introductory lab
(Lab # 0), we are now ready to use Wireshark to investigate protocols in operation (“in
the wild”). In this lab, we will explore several aspects of the Application Layer. In
particular, you will analyze the HTTP protocol: the essential GET/response interaction,
Conditional GET, HTTP message formats, retrieving large HTML files, retrieving
HTML files with embedded objects, and HTTP authentication and security. You will also
analyze DNS interactions as part of the Application layer. Before starting with this
lab, you might want to review Sections 2.2 and 2.4 of the textbook1.
Before working with the Testbeds (the “Racks”) and executing the instructions for Lab #
1, make sure to read all the instructions in this document (so you have a good
idea of what you are required to do and do not lose precious time trying to understand
the instructions!). Starting with Lab # 1, you can reserve specific slots to use the 14740
network testbeds (the “Racks”). Please make sure to reserve your slots on the
Canvas Calendar and be respectful of your and your classmates’ slots.

The Hardware
You will be using the 14740 Network Testbeds (the “Racks”) located on the second floor of
the Information Networking Institute (INI) building inside the Quiet Study Room (shown
in the image below). These testbeds are a self-contained simulation of a minimal internet
network. The most prominent feature of the testbeds is a computer monitor mounted on an
arm from the top of the rack. There is also a keyboard and a mouse to control the computer.
On the back of the Racks, there is a row of power switches. An Ethernet cable is
hanging out of the top of the Racks.

1 Version 7

PAGE 1 OF 12 SEPTEMBER 13, 2024



Go ahead and peek in the glass doors to admire the hardware inside. Lots of switches,
Raspberry Pis (small computers), and wires. At this point, you should be thinking, "It looks
complicated." And, you would be right to think so. It is complicated! But most of that
complexity is hidden, to make this lab experience clear and standard for all of you. Similarly,
the complexity of the Internet is hidden by the layers of abstraction. For now, imagine the
testbeds have a network connecting the PC to many different servers. Oh, when I say "the
PC," I mean the Next Unit of Computing (NUC) computer running the screen and
keyboard/mouse that will be your interface to the network. You will use it to create
network traffic. That traffic will travel through various switches and over wired links to
the servers, each of which is running on a Raspberry Pi.
That Ethernet cable hanging out of the top of the rack is your view (capture
point) of that traffic. The other end of that wire is connected to a switch with a mirror
tap enabled. That mirrors all the traffic in the Network Testbeds (our mini Internet), so it
will be visible to any computer connected to that Ethernet cable (i.e., your computer
running Wireshark).
Your laptop will be connected to the Ethernet cable and you will run Wireshark
(on your computer) to examine the network traffic between the Rack’s PCs and
the various servers (inside the testbed). Enough talk! Let's get started!

Procedures
1. Verify that power switch nine (9) (on the power rail behind the racks as shown in the
following figure) is turned on.2

2. Verify that the top Netgear switches inside the Racks display the numbers one (1)
and two (2) as shown in the image below.

2Please, NEVER turn off Power Switch 9 on the back of the “Racks” as it can cause a cascade effect of misconfigurations in the
Racks.


3. Turn on (Restart if it is already on) the PC by powering on/off switch eight (8) (on the
power rail behind the rack). BE CAREFUL! The PC must be rebooted between
students, as that is set up to clear out the memory and filesystem.
4. Log in to the Racks’ PC using the following credentials:
Username: student
Password: 740Rocks$
5. If the power switch one (1) is ON, turn it OFF and wait for five (5) seconds (static
charge can keep the devices on for a second or two) to continue with the next step.
6. Turn ON the power switch one (1) (on the power rail behind the rack) and wait about
thirty (30) seconds for the hosts to boot up.
7. Open the Lab 1 user interface (application) on the PC’s desktop and make sure that the
status line at the bottom reads Status: All hosts are up. If not wait for a few
more seconds, reopen the Lab 1 user interface (application), and proceed with the next
step.
8. Repeat steps five (5) to seven (7) if any hosts are still down.
9. If you are having issues at any point with the Lab devices (e.g., servers), you can always
restart all the components of Lab 1 by repeating steps 5-7.
10. Connect the Ethernet cable (on the top of the rack) to your laptop and start
Wireshark (on your laptop).
11. When you are done with the lab, shut down the computer and turn off all the
power switches EXCEPT 9!


The Lab 1 User Interface (Application)


For Lab # 1, you will be using a custom-built application (web-browser-like GUI) to generate
network traffic between the PC and the servers in the Network Testbeds. Click the Lab 1 icon
(on the Rack’s PC’s desktop) to get this started.

The Lab 1 interface has eight (8) major components, numbered in the above picture (red
numbers):
1. The Address Bar allows you to specify URIs to make general HTTP requests.
The drop-down menu (box) on the left allows you to change the method of the
HTTP request from GET to POST. The middle part allows you to type in the
address (URI) of the website. The Go! button on the right will execute the HTTP
request using the specified method (GET or POST), the options provided (e.g.,
Range), and the address that you entered (URI).
2. The Post Parameter [Optional] Field allows you to send parameters in an
HTTP POST request. As noted, this is optional (For instance, it will not be included
in a GET request). In an HTTP POST request, you should type in a key/value pair
separated by an equal sign (key=value) when posting information. For example, if
you want to send a password parameter (key) with the value 1234, simply type
password=1234 in this field to complete the POST request.
3. The GET Range [Optional] Field provides a space for you to enter the details of a
GET Range to create a Conditional GET HTTP request. The value typed here will be
put into the appropriate header of the request3. For instance, if you want to retrieve the
first 115 bytes of a given webpage (URI), you can type 0-115 in the Range field.

3 If you want to learn more about GET requests with the Range option please check this document.


4. The Proxy Request Checkbox (Use Proxy) is used in part three (3) of this Lab.
Check this box and the Network Testbed’s Web Proxy (Cache) will be used. This is
a Web Proxy (Cache) and it is different from the Browser Cache that is available
in the Lab 1 application. Do not activate this option until indicated in the handout.
5. This window will render (display) the contents of the web page you load (requested
HTML file), much like your web browser does (e.g., Google Chrome).
6. This is the host status line for all the components (e.g., servers) that are needed in
the Lab, make sure this field always shows Status: All hosts are Up!
7. The Start DNS Spoofer button (bottom-right corner) is used in part six (6) of
this Lab. Click this button and the spoofer will start.4
8. The Clear Browser Cache button is pushed to clear the Browser Cache of
the Lab 1 user interface. This is a very useful tool to avoid getting a cached copy of
the webpages that you want to render and instead get the webpages directly from the
Origin server for your analysis. So make sure to use it whenever indicated in
this handout.

Part 1
Let’s begin our exploration of HTTP by downloading a very simple HTML file (i.e., a
webpage), one that contains a couple of elements. Do the following:
• Before starting Wireshark (on your computer), make sure the Rack’s
Ethernet cable (on top of the rack) is connected to your computer5.
• Start up the Wireshark packet sniffer (on your computer), as described in Introductory
Lab # 0. Make sure to start the packet capture on your Wired Ethernet connection6
(but do not yet begin packet capture). To better help you with your analysis, you
might want to Filter for http or dns traffic so that you only capture HTTP or DNS
messages that will be displayed later in the packet-listing window. We are only
interested in these protocols in this Lab and do not want to see the clutter of all
captured packets. This is just a piece of advice, feel free to capture the traffic without
any capture filter and then use Wireshark’s Display filter (http or dns) to show
only the information that you need. Both approaches are valid and correct for this lab!
• Start the Wireshark capture on your Laptop (using the correct interface connected
to the Rack).
• Using the Lab 1 interface, display the following page. Make sure you clear the Browser
Cache before requesting the web page by using the available button7.

4Do not press this button until you arrive at the corresponding part of the lab. Otherwise, you will need to restart the lab
components to complete all the other steps.
5If needed you can use one of the Ethernet adapters (“dongles”) available in the basket next to the Rack. Make sure to select the
correct interface in your Wireshark window.
6 To avoid issues we advise students to turn off their Wi-Fi connection.
7 You might want to click on the Clear Browser Cache button at least two to three times to make sure the cache is cleared.


http://cool.com
• The PC’s browser (the Lab 1 GUI) should display a simple page with one line of text and
a picture.
• Stop the Wireshark packet capture and save the PCAP file for your future
analysis8.

Answer the following questions:


1. Report on the DNS traffic seen. You should describe what happened and illustrate the
zonal hierarchy involved with the DNS request as a diagram showing all the computers
(“Name Servers”) involved. Show and describe a sequence diagram9 of all messages
sent between the client, resolver, and DNS servers along with their IP addresses. (6
points)
2. How is a DNS request matched with a DNS response (Choose any pair of DNS
requests/responses that you want and indicate the fields that allow for this matching)?
Speculate on why such a mechanism is necessary. (4 points)
3. What are ALL the different kinds of DNS Resource Records (RR) you saw in the
different DNS queries and answers? What do they represent and why were they
included in this traffic? (5 points)
4. Report on the HTTP traffic seen. What is the IP address of the HTTP Server?
Indicate the headers seen in the first HTTP request and response and describe in brief
at least four (4) differences that you notice between a request and a response header.
Consider the first HTTP response (from the Server to the Client) and calculate the
percentage overhead of the size of the HTTP header compared to the size of
the HTTP content (content length). (Hint: Calculate the percentage overhead as a
simple relationship (value 1/value 2)*100). (6 points)
5. Report on the latency performance of both HTTP and DNS. Calculate the total
amount of time taken by DNS and also by HTTP to complete their respective
processes. Also, analyze and report what is the round-trip time (RTT) of all requests/
responses for both HTTP and DNS. Finally, use the first DNS request from the client
to the resolver as the time of reference and describe the timeline of the entire
experiment until the last HTTP response is seen by the HTTP client. (7 points)
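Question 4 asks you to read the first request and response off the wire, compare their headers, and work out the header overhead. The following Python script is an added example, not part of this handout or of the Lab 1 application: it parses a raw HTTP/1.1 request and response the way you would see them in Wireshark's "Follow TCP Stream" window, lists the header names that appear on only one side, and computes (header bytes / Content-Length) * 100. The two messages, the server name and every header value are constructed sample data; the values you report must come from your own capture.

```python
# Added example (not part of the lab handout): parse a raw HTTP/1.1 request and
# response as read from Wireshark's "Follow TCP Stream" window, list the headers that
# differ between the two directions, and compute the header overhead question 4 asks
# for. The messages, server name and header values are constructed sample data, not a
# capture from the 14740 testbed.

# Constructed request, shaped like the first GET the Lab 1 client sends in Part 1.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: cool.com\r\n"
    b"User-Agent: Lab1-Client/1.0\r\n"
    b"Accept: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed response body, kept short so the header overhead is visibly large.
SAMPLE_BODY = b'<html><body><p>Hello, Lab 1!</p><img src="pic.png"></body></html>'

SAMPLE_RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Date: Fri, 13 Sep 2024 12:00:00 GMT",
    b"Server: lab1-httpd/1.0",
    b"Last-Modified: Mon, 02 Sep 2024 08:30:00 GMT",
    b"Content-Type: text/html",
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode(),
    b"Connection: keep-alive",
    b"",                      # the blank line that ends the header block
    SAMPLE_BODY,
])


def parse_http_message(raw: bytes):
    """Return (start_line, headers, body, header_bytes) for one raw HTTP/1.x message.

    header_bytes counts the start line, every header line and the blank line that ends
    the header block, which matches the header size you would measure in Wireshark.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no end-of-headers marker")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        # Header names are case-insensitive, so normalise them for lookup.
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return start_line, headers, body, len(head) + len(sep)


def header_overhead_percent(raw_response: bytes) -> float:
    """Header size as a percentage of the content: (header bytes / Content-Length) * 100."""
    _, headers, body, header_bytes = parse_http_message(raw_response)
    content_length = int(headers.get("content-length", len(body)))
    if content_length == 0:
        raise ValueError("empty body: header overhead is undefined")
    return header_bytes / content_length * 100


def header_differences(raw_request: bytes, raw_response: bytes):
    """Header names that appear only in the request and only in the response."""
    _, req_headers, _, _ = parse_http_message(raw_request)
    _, resp_headers, _, _ = parse_http_message(raw_response)
    return (sorted(set(req_headers) - set(resp_headers)),
            sorted(set(resp_headers) - set(req_headers)))


if __name__ == "__main__":
    start, hdrs, body, hdr_bytes = parse_http_message(SAMPLE_RESPONSE)
    print(start, "| header bytes:", hdr_bytes, "| content length:", hdrs["content-length"])
    print("overhead: %.1f%%" % header_overhead_percent(SAMPLE_RESPONSE))
    print("request-only headers:", header_differences(SAMPLE_REQUEST, SAMPLE_RESPONSE)[0])
```

For the constructed response the header block is 195 bytes against a 65-byte body, an overhead of 300%; small pages like the one in Part 1 often show header overhead well above 100%, which is the point of the question.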

Part 2
Let's see what happens with a more complex DNS and HTTP interaction. Do the following:
• Start up a new Wireshark packet capture (on your computer).

8 We advise you to save a different PCAP file for each part/question of the lab (e.g., Part 1.pcap). This will help you in your
analysis as you will only need to analyze the packets corresponding to that particular part. We advise you to do this with ALL the
labs and ALL the parts/questions.
9 If you have never drawn a sequence diagram, you can find multiple examples by doing a quick Internet search.

LAB 1: APPLICATION LAYER VERSION 5.1

• Clear the Browser Cache by clicking on the Clear Browser Cache button at least a
couple of times to be completely sure that the Cache is cleared.
• Enter the following URL into the PC’s browser (Lab 1 application interface)10.

http://bill.com (It will take slightly longer to load than the previous (simpler)
website)
• Your browser should display a simple version of the old course website.
• Stop Wireshark packet capture and save the PCAP file for your future analysis11.

Answer the following questions:


6. Report on the HTTP request and HTTP response sent/received to/from
http://bill.com. What information does the browser (HTTP client) use to understand what is
wrong with the original HTTP request and move forward to get the desired webpage?
What is the new domain for the required webpage? Where in the HTTP response did you
get the necessary information about the new domain? What happens after the client receives
the first response from the server with the information you previously reported? (4 points)
7. Once again analyze the DNS interactions for the loaded webpage. You may notice
something strange with the resolver and the lack of communication with the root DNS
server for the new location/domain of the webpage during their initial interaction. Why do
you think the resolver forwards the DNS request straight to the TLD? What information in
the messages sent to and received from the TLD makes it behave differently? Why do more
TLDs not behave the way the second one did? What other navigation difference did you
notice between the two domain names in this question? (8 points)
8. Indicate the old zone and new zone DNS hierarchy for the old and new webpage domains
(We advise you to create a simple diagram to illustrate the differences between DNS zone
hierarchies (including their IP addresses) between the new and old locations/domains of the
webpage). Where is the Authoritative name server (IP address) for the final webpage that is
loaded? (5 points)

Part 3
Now, let's look at HTTP interactions in more detail. In particular, let’s analyze the interactions
of the Rack’s computer with a Web Proxy (Cache) in the network. Do the following:
• Start up a new Wireshark packet capture (on your computer).

10If nothing is loaded after waiting some time (15 seconds), repeat the steps a couple of times until the webpage is fully loaded and
you see the HTTP packets being captured in your Computer/Wireshark.
11For the analysis of the following questions, we advise you to use a display filter to observe both http and dns traffic at the
same time.


• Check (select) the Use Proxy checkbox12.


• We are going to create three (3) different HTTP iterations13 in this part.
• Enter the following URL into the rack PC’s browser (Make sure you clear the browser cache
using the button before making the request.)
http://bill.cmu.edu
• Make the HTTP request to get the webpage (this is the first iteration for your analysis)
• Stop Wireshark packet capture and save the PCAP file for your future analysis (for the
first iteration).
• Now, complete the below two (2) additional iterations.
• Make a new web request on the same webpage after hitting the Clear Browser
Cache button (this is your second iteration).
• Stop Wireshark packet capture and save the PCAP file for your future analysis (for
the second iteration).
• Then make a new request WITHOUT hitting the Clear Browser Cache button
(this is your third iteration).
• Stop Wireshark packet capture and save the PCAP file for your future analysis (for
the third and final iteration).
• Uncheck the Use Proxy checkbox. Remember that for the following parts of this Lab, you
must NOT use the “Proxy” option in your requests.

Answer the following questions:


9. Report on the interactions (use the first and second iterations for this question). What is the
IP address of the proxy? Did the HTTP requests/responses change for each iteration
between the proxy and the Web Server? What header(s) in the requests caused these
changes? Indicate the two main status codes being returned in each iteration and why they
are different. Did you see anything else of interest? (6 points)
10. Report on the performance of the proxy during the first and second iterations. How many
bytes were transmitted for each of the two iterations and how long did each iteration take
(first and second iterations)14? What is the percentage difference in performance of the
second request compared to the first (in transmitted bytes and total time)? Does the proxy
perform better than a normal browser (Be careful, I am not talking about a browser cache)?
(6 points)

12This will cause the Client (the PC that you are using) to first contact the local Web Proxy/Cache available in the Rack, instead
of going directly to the Origin Web Server hosting the webpage that you are trying to obtain.
13 Each interaction will be composed of multiple HTTP requests/responses among the Client, the Proxy/Cache, and the Origin
Server.
14 The iterations include ALL the HTTP requests/responses between the Client, Proxy/Cache, and Origin Server for each of the
first two iterations.


a. In the lab scenario?


b. Always? If not, (spoiler, the answer is "No") explain situations where the performance is
sub-optimal.
11. Explain the difference you saw between the second and third iterations in terms of the
different kinds of HTTP headers, requests, and responses being used between the Client
and the Proxy/Cache. In addition, report on the differences between the second and third
iterations in terms of the number of transmitted bytes, and the time taken by each of the
iterations (second and third)15. (4 points)
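Questions 9 to 11 turn on how a validating cache behaves across the three iterations: which side sends a conditional GET (If-Modified-Since), which side answers 304 Not Modified instead of 200 OK, and why the byte counts shrink. The Python model below is an added example written for this handout, not code from the Lab 1 application or the Rack's proxy: it plays a client, a proxy/cache and an origin server in one process and replays the three iterations. The page content, the timestamps and the cache policy (the origin sends Cache-Control: max-age=0, so the proxy revalidates every time) are assumptions; the status codes, headers and sizes you report must come from your own captures.

```python
# Added example (not part of the lab handout): a small model of the Client -> Proxy/Cache
# -> Origin chain from Part 3, to reason about which status codes and validator headers
# appear in each of the three iterations and why the byte counts differ. Page content,
# timestamps and cache policy are constructed assumptions, not the testbed's behaviour.
from dataclasses import dataclass
from email.utils import formatdate, parsedate_to_datetime


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes

    def wire_bytes(self) -> int:
        """Approximate on-the-wire size: status line, header lines, blank line and body."""
        head = f"HTTP/1.1 {self.status}\r\n"
        head += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items()) + "\r\n"
        return len(head.encode()) + len(self.body)


class Origin:
    """Origin server holding one page; answers conditional GETs with 304 when unchanged."""

    def __init__(self, body: bytes, last_modified: int, max_age: int):
        self.body, self.last_modified, self.max_age = body, last_modified, max_age

    def handle(self, req_headers: dict) -> Response:
        validator = formatdate(self.last_modified, usegmt=True)
        common = {"Last-Modified": validator, "Cache-Control": f"max-age={self.max_age}"}
        ims = req_headers.get("If-Modified-Since")
        if ims and parsedate_to_datetime(ims).timestamp() >= self.last_modified:
            return Response(304, common, b"")          # validator matched: no body sent
        full = {**common, "Content-Type": "text/html", "Content-Length": str(len(self.body))}
        return Response(200, full, self.body)


class ProxyCache:
    """Forward proxy that stores responses and revalidates them once they are stale."""

    def __init__(self, origin: Origin):
        self.origin = origin
        self.store = {}   # url -> (Response, time stored)

    def get(self, url: str, req_headers: dict, now: int):
        """Serve one client request; return (response to client, bytes exchanged with origin)."""
        origin_bytes = 0
        if url not in self.store:
            resp = self.origin.handle({})               # cold cache: unconditional GET
            origin_bytes = resp.wire_bytes()
            self.store[url] = (resp, now)
        else:
            resp, stored_at = self.store[url]
            max_age = int(resp.headers["Cache-Control"].split("=")[1])
            if now - stored_at > max_age:               # stale copy: conditional GET to origin
                check = self.origin.handle({"If-Modified-Since": resp.headers["Last-Modified"]})
                origin_bytes = check.wire_bytes()
                if check.status == 200:                 # page changed: replace the cached copy
                    resp = check
                self.store[url] = (resp, now)
        # A client that still holds a copy sends its own validator; answer 304 from the cache.
        if req_headers.get("If-Modified-Since") == resp.headers["Last-Modified"]:
            return Response(304, {"Last-Modified": resp.headers["Last-Modified"]}, b""), origin_bytes
        return resp, origin_bytes


def run_iterations():
    """Replay the three iterations of Part 3 against the model.

    Returns one (status to client, bytes from origin, bytes to client) tuple per iteration.
    """
    origin = Origin(b"<html><body>old course website</body></html>",
                    last_modified=1725265800, max_age=0)   # max-age=0: proxy must revalidate
    proxy = ProxyCache(origin)
    url = "http://bill.cmu.edu/"                             # constructed, not the testbed's address
    results = []
    # Iteration 1: browser cache cleared, proxy cold -> full fetch from the origin.
    r1, o1 = proxy.get(url, {}, now=1000)
    results.append((r1.status, o1, r1.wire_bytes()))
    # Iteration 2: browser cache cleared again; the proxy revalidates its copy with the origin.
    r2, o2 = proxy.get(url, {}, now=1010)
    results.append((r2.status, o2, r2.wire_bytes()))
    # Iteration 3: browser cache kept, so the client sends If-Modified-Since to the proxy.
    r3, o3 = proxy.get(url, {"If-Modified-Since": r2.headers["Last-Modified"]}, now=1020)
    results.append((r3.status, o3, r3.wire_bytes()))
    return results


if __name__ == "__main__":
    for i, (status, from_origin, to_client) in enumerate(run_iterations(), 1):
        print(f"iteration {i}: status {status}, origin bytes {from_origin}, client bytes {to_client}")
```

In the model, the proxy-to-origin leg shrinks from a full 200 in the first iteration to a body-less 304 in the second, while the client still receives the full page; only in the third iteration, when the client presents its own If-Modified-Since, does the client-facing response drop to a 304 as well. Whether the Rack's proxy revalidates on every request or serves fresh copies without contacting the origin is exactly what your capture has to tell you.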

Part 4
Let's examine how the Range header works in a conditional HTTP GET. Do the following:
• Start up a new Wireshark packet capture (on your computer).
• Using the Range input field in the Lab 1 application (browser) try to make a Conditional
GET Range request that retrieves only the text from the webpage: http://cool.com.
You might want to first reanalyze the HTTP interactions (e.g., bytes received) without a
Range request to check where the text starts and finishes. This can give you a good idea of
the values to use in the Range field (e.g., 0-115)
• Stop Wireshark packet capture and save the PCAP file for your future analysis.

Answer the following question:


12. How does the value that you typed in the GET Range Field in the application get translated
into something in the HTTP request (Make sure to explain this in the context of the GET
method)? (2 points)
13. What is the range value you used to fetch the text? (2 points)
14. How does the HTTP response, when using the Range field, differ from a normal HTTP
response (without the Range field)? (4 points)
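To see how a value such as 0-115 in the GET Range field turns into a header, and how the server's reply changes shape, here is an added Python example (not code from the handout or from the Lab 1 application). It builds the request line and Range header, then plays the server side: a plain GET gets 200 OK with the whole body, a satisfiable range gets 206 Partial Content with a Content-Range header describing the slice, a range that starts past the end gets 416 Range Not Satisfiable, and an end value past the last byte is clamped. The page body and the byte offsets are constructed for illustration; the offsets for the real cool.com page come from your own capture.

```python
# Added example (not part of the lab handout): how the GET Range field value becomes a
# Range header, and how a server answers with 206 Partial Content and Content-Range,
# or 416 when the range cannot be satisfied. Page body and offsets are constructed.
from typing import Optional


def build_get_request(host: str, path: str = "/", byte_range: Optional[str] = None) -> bytes:
    """Assemble a GET request; byte_range is the raw field value such as "0-115"."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if byte_range:
        lines.append(f"Range: bytes={byte_range}")   # the field value becomes a byte-range spec
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_range(header: str, total: int):
    """Resolve one "bytes=first-last" (or "bytes=-suffix") spec against a body of total bytes.

    Returns an inclusive (first, last) pair, or None when the range is unsatisfiable.
    """
    unit, _, spec = header.partition("=")
    if unit.strip() != "bytes" or "," in spec:
        return None                                    # only single byte ranges handled here
    first_s, _, last_s = spec.strip().partition("-")
    if first_s == "":                                  # suffix form: the last N bytes
        n = int(last_s)
        return (max(total - n, 0), total - 1) if n > 0 else None
    first = int(first_s)
    if first >= total:
        return None                                    # starts beyond the end: 416
    last = total - 1 if last_s == "" else min(int(last_s), total - 1)
    return (first, last) if first <= last else None


def serve(body: bytes, request_headers: dict):
    """Answer a GET for body: 200 with everything, 206 with a slice, or 416 if unsatisfiable."""
    total = len(body)
    range_header = request_headers.get("Range")
    if range_header is None:
        return 200, {"Content-Length": str(total)}, body
    rng = parse_range(range_header, total)
    if rng is None:
        # Content-Range with "*" tells the client how big the resource actually is.
        return 416, {"Content-Range": f"bytes */{total}"}, b""
    first, last = rng
    part = body[first:last + 1]
    headers = {"Content-Range": f"bytes {first}-{last}/{total}",
               "Content-Length": str(len(part))}
    return 206, headers, part


# Constructed page: a text prefix followed by zero padding standing in for an embedded image.
SAMPLE_TEXT = b"<html><body><p>Only this text should be fetched.</p>"
SAMPLE_PAGE = SAMPLE_TEXT + b"\x00" * 140


def fetch_text_only():
    """Request just the text part of SAMPLE_PAGE, as Part 4 asks you to do for cool.com."""
    spec = f"0-{len(SAMPLE_TEXT) - 1}"
    status, headers, part = serve(SAMPLE_PAGE, {"Range": f"bytes={spec}"})
    return spec, status, headers, part


if __name__ == "__main__":
    print(build_get_request("cool.com", byte_range="0-115").decode())
    spec, status, headers, part = fetch_text_only()
    print(spec, status, headers, part)
    print(serve(SAMPLE_PAGE, {"Range": "bytes=500-600"})[:2])
```

Note the asymmetry a capture makes visible: the request says Range: bytes=0-115, while the response says Content-Range: bytes 0-115/TOTAL (no equals sign, and the total length appended), and its status line reads 206 rather than 200.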
Range headers are used in one of my favorite features of the Internet ➙ skipping the intro/
commercials/or any sort of seeking on a video stream. Do the following:
• Start up a new Wireshark packet capture (on your laptop).
• Visit the following URL in the lab 1 browser

http://cool.com/movie.ogv
• You should be able to watch a “Game of Thrones” clip.
• Use the seek/skip bar on the video player to skip to the end of the clip.
• A string (some random text) is displayed during the last few seconds of the video.

15 The iterations include ALL the HTTP requests/responses between the Client, Proxy/Cache, and Origin Server for each of the
two iterations (second and third).

LAB 1: APPLICATION LAYER VERSION 5.1

• Stop Wireshark packet capture and save the PCAP file for your future analysis.

Answer the following questions:


15. What is the text displayed? How are Range GET requests used to skip the intro? (3 points)
16. Try to request the same video range from your previous answer without the seek bar, but use
the GET Range input field instead. Were you able to skip the intro? Why not? (Hint: Every
time you click Go! on a browser a new HTTP connection is initiated. Does a seek bar do
the same thing?) (4 points)

Part 5
Use the knowledge you have gained in a less structured exercise. Try to solve a really easy
Capture the Flag (CTF) game by investigating the contents of the HTTP messages to find
some hidden information. To solve this, you might need to do an internet search on CTF basics.
Do the following:
• Start up a new Wireshark packet capture (on your laptop).
• Use the Lab1 application to browse to http://ctf.game.com
• Look around the HTTP messages and find the secrets of the CTF game. In other words,
you will find the steps that you will need to follow and the information that you will use to get
the flag.
• The CTF flag process is completed once you find the Flag (a webpage with a 200 OK status
code and the Flag is displayed on the webpage).
• Stop Wireshark packet capture and save the PCAP file for your future analysis.

Answer the following question:


17. What is the flag? Explain the steps that you followed to get the flag. What is the secret
information (key/name and value) that allows you to get the flag? Where in the HTTP
messages did you find all the required information? (8 points)
18. Include a screenshot of Wireshark showing the 200 OK response and the webpage that you
got with the Flag. (2 points)

Part 6
The TA who built this rack was a security student, so he could not resist adding a malicious
computer to the network. This computer looks for DNS requests coming from the Resolver and
pretends to be an authoritative name server responding with a spoofed reply. Normally, the
spoofed reply would not be obvious, so we have arranged a way that you can distinguish it. DNS
replies coming from the malicious computer will contain an extra "unused record” along with a
message to make it obvious.

LAB 1: APPLICATION LAYER VERSION 5.1

Do the following:
• Close the Lab 1 application (browser) and reopen it to flush the cache (just in case clear the
cache before starting).
• Start up a new Wireshark packet capture.
• Click the Start DNS spoofer button at the bottom of the browser, read the disclaimer,
accept by clicking Yes, and wait for about twenty (20) seconds for the script to start.
• Visit the following URI in your browser:

http://bill.cmu.edu
• Then, visit the following URI in your browser:

http://cool.com
• Stop Wireshark packet capture and save the PCAP file for your future analysis.

Answer the following questions:


19. Report on the results of what you saw. Did the first website load a page that you did not
expect? Why did that happen? (5 points)
20. Explain how the attack was possible. Be specific, using your knowledge of networks and
proper network terminology. (5 points)
21. Explain why the attack worked for the first website, not the second one. (4 points)
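Two things you need for this part and for question 2 of Part 1 are the same: the fields that tie a DNS reply to its query (the transaction ID and the question section), and a way to tell a genuine reply from the spoofed one. The Python script below is an added example, not part of this handout and not the TA's spoofer: it contains a minimal DNS message parser (handling the name compression pointers you will see in real answers) and a defender-side audit that pairs queries with replies and flags a reply that comes from a host the query was never sent to, a second reply for the same query carrying different A records, or a reply carrying an unexpected extra record of the kind the handout says the malicious computer adds. Every host address, name and packet is constructed; compare the findings against the real source addresses and records in your capture.

```python
# Added example (not part of the lab handout): a minimal DNS message parser and a
# defender-side audit. It pairs each query with its reply by transaction ID and question
# section (the matching fields question 2 asks about) and flags replies that look spoofed,
# as in Part 6. Every host address, name and packet below is constructed.
import struct

RESOLVER = "10.0.0.53"   # constructed: the testbed resolver
AUTH_NS = "10.0.0.10"    # constructed: the genuine authoritative server
ROGUE = "10.0.0.66"      # constructed: a host answering out of turn

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS labels (length byte + label), terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard query: header (0x0100 = recursion desired) plus one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(txid: int, name: str, records, qtype: int = 1) -> bytes:
    """Reply echoing the question; record names use a compression pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in records:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return header + body

def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_dns(msg: bytes) -> dict:
    """Parse the header, question section and every resource record of one message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                    # A record: show as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        records.append((name, rtype, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "records": records}

def audit_dns(packets):
    """packets: (src_ip, dst_ip, raw_dns) in capture order. Returns (txid, reason) findings."""
    pending, seen, findings = {}, {}, []
    for src, dst, raw in packets:
        m = parse_dns(raw)
        key = (m["id"], tuple(m["questions"]))           # the fields that tie a reply to its query
        if not m["is_response"]:
            pending[key] = dst
            continue
        expected = pending.get(key)
        if expected is None:
            findings.append((m["id"], f"unsolicited reply from {src}"))
            continue
        if src != expected:
            findings.append((m["id"], f"reply from {src} but query went to {expected}"))
        a_records = tuple(r for r in m["records"] if r[1] == 1)
        if key in seen and seen[key] != a_records:
            findings.append((m["id"], f"second reply from {src} with different A records"))
        seen.setdefault(key, a_records)
        extra = [r[1] for r in m["records"] if r[1] not in (1, 2)]   # anything beyond A/NS
        if extra:
            findings.append((m["id"], f"unexpected extra record type(s) {extra} from {src}"))
    return findings

def sample_capture():
    """Constructed resolver traffic: one clean lookup, then one raced by ROGUE."""
    marker = b"constructed spoof marker"
    return [
        (RESOLVER, AUTH_NS, build_query(0x3C4D, "cool.com")),
        (AUTH_NS, RESOLVER, build_response(0x3C4D, "cool.com", [(1, bytes([10, 0, 0, 30]))])),
        (RESOLVER, AUTH_NS, build_query(0x1A2B, "bill.cmu.edu")),
        (ROGUE, RESOLVER, build_response(0x1A2B, "bill.cmu.edu",
                                         [(1, bytes([10, 0, 0, 66])), (16, bytes([len(marker)]) + marker)])),
        (AUTH_NS, RESOLVER, build_response(0x1A2B, "bill.cmu.edu", [(1, bytes([10, 0, 0, 20]))])),
    ]
```

Running `audit_dns(sample_capture())` yields three findings, all for transaction 0x1A2B: the reply arrived from a host the resolver never asked, it carried a TXT record (type 16) the genuine server does not send, and the later genuine reply disagreed with it on the A record. The clean cool.com lookup produces nothing. A resolver that accepts the first matching (ID, question) reply is exactly what makes the race winnable, which is the mechanism question 20 asks you to explain in your own words.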

Make sure to reboot the PC to clear out the filesystem and memory of any of your work.

Turn-in
Before writing your Lab # 1 Report, go back to Lab # 0 and re-read the Some Comments
About Lab Reports section. This will provide you with a refresher of what is expected in
each Lab report.
Write a report of your interactions and answer the questions. Make sure to include enough
details to ensure we understand that you understand what is going on. For instance, your
(many, many, many) included screenshots should probably be annotated to show
where a number came from -- do not assume that because you know how to read a
Wireshark screen we know that you know it. Our graders will not make that assumption.
So, prove it to us by describing/annotating every value you find from Wireshark
and your screenshots.
Turn in your answers in a single PDF file and submit it to the Lab 1 Assignment on
Gradescope.

LAB 1: APPLICATION LAYER VERSION 5.1

In Gradescope, Map the questions to the corresponding page in your document.


Students who fail to map a question correctly will lose all the points for that
question16.
Do not forget to save (and name) all your PCAP files (for the different parts of
ALL labs) for your future analysis.

16 Here is a video that shows the process: https://youtu.be/nksyA0s-Geo?t=117
