
University of Central Punjab
(Incorporated by Ordinance No. XXIV of 2002 promulgated by Government of the Punjab)
FACULTY OF INFORMATION TECHNOLOGY

Computer Communications and Networks

Lab 06
Introduction to Wireshark
HTTP and DNS on Wireshark
Lab Manual 11
Objectives
• DNS
• HTTP on Wireshark
• Tracing DNS with Wireshark
• Lab Graded Task

Reference Material

Introduction to Wireshark
Wireshark, a network protocol analyzer formerly known as Ethereal, captures packets in real time and
displays them in human-readable form. Wireshark includes display filters, colour-coding and other
features that let you dig deep into network traffic and inspect individual packets field by field.

DNS: Domain Name System

The Domain Name System (DNS) is a distributed naming database in which Internet domain names are
looked up and translated into Internet Protocol (IP) addresses. DNS maps the name a person types
to reach a website to the IP address that the computer actually uses to reach it.

DNS Records
• DNS servers store resource records (RRs)
• Each DNS reply carries one or more RRs
RR format: (name, value, type, ttl)

DNS protocol, messages

• Query and reply messages, both with the same message format
Taking Wireshark for a Test Run:
1. Open Wireshark and select an interface from the list of interfaces (Ethernet in your case). Change
the interface to the appropriate one from the list provided, then press the Start capture button
to begin capturing packets live.
2. While Wireshark is running, enter the URL
http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html and have that page
displayed in your browser.
3. Now enter another URL, http://gaia.cs.umass.edu/favicon.ico; you will see that this
page is not found on the server.
4. In order to display both pages, your browser contacts the HTTP server at
gaia.cs.umass.edu and exchanges HTTP messages with it to download each page.
The Ethernet frames containing these HTTP messages are captured by Wireshark.
5. After your browser has displayed both web pages, stop the packet capture by
selecting Stop in the Wireshark capture window. You now have live packet data that contains all
protocol messages exchanged between your computer and other network entities. The HTTP
message exchanges with the gaia.cs.umass.edu web server should appear somewhere in the
listing of captured packets, but many other types of packets will be displayed as well.
6. Type "http" (without the quotes, and in lower case; all protocol names are in lower
case in Wireshark) into the display filter box at the top of the main Wireshark
window, then select Apply (to the right of where you entered "http"). Only HTTP
messages will now be displayed in the packet-listing window.
7. Select the first HTTP message shown in the packet-listing window. This should be the
HTTP GET message that your computer sent to the gaia.cs.umass.edu HTTP server.
When you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment and
HTTP message header information are displayed in the packet-header window. By clicking the
plus and minus boxes on the left side of the packet-details window, minimize the amount of
Frame, Ethernet, Internet Protocol and Transmission Control Protocol information displayed and
maximize the amount of information displayed about the HTTP protocol. Your Wireshark display
should now look roughly as shown in Figure 5 (note in particular the minimized amount of
protocol information for all protocols except HTTP, and the maximized amount of protocol
information for HTTP in the packet-header window).
8. Now find the packet that carries the second request your browser sent (the GET for
favicon.ico) and analyze the packet your browser received in response to that second GET request.

Lab Tasks

Task 1. Explore the packets you captured from the test run and answer the following questions
[30 Marks]
1. List up to 4 different protocols that appear in the Protocol column in the unfiltered
packet-listing window.

2. What is the response time for the HTTP GET request?

3. Was the second GET request successful? How can you tell from the corresponding
response packet?

By looking at the information in the HTTP GET and response messages for both HTTP
requests, answer the following questions
4. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server
running?

5. What languages (if any) does your browser indicate to the server that it can accept?

6. What are the IP addresses of the gaia.cs.umass.edu server and of your computer?

7. What are the MAC addresses of the server and of your computer?

8. What are the sending and receiving port numbers? What does port number 80 represent?

9. When was the HTML file that you are retrieving last modified at the server?

10. How many bytes of total packet content are being returned to your browser?

Note: Make a Word file and paste screenshots of all the answers into it. Apart from the
answers, explore the different settings of Wireshark, analyze all the layers of the HTTP packets
and try to understand how the layering system works in computer networks. Apply
different filters to your data to view different groupings of packets. Make yourself familiar
with the software, as we will be using it frequently in the next labs.
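The fields the questions above ask about (HTTP version on each side, Accept-Language, the status code that tells a successful GET from a failed one, Last-Modified, and the number of body bytes) are all plain text in the HTTP request and response that Wireshark shows in the packet-header window. The script below is an added example for this lab, not part of the manual: it parses a GET and its response and reports those facts. The two exchanges are constructed by hand to resemble the 200 for INTRO-wireshark-file1.html and the 404 for favicon.ico; the header values, dates and frame timestamps are made up, not copied from a capture.

```python
"""Extract the facts Task 1 asks about from an HTTP GET and its response.

Added example for this lab, not part of the manual. The sample exchanges
below are constructed (made-up dates, bodies and timestamps), not captures.
"""

def parse_http(raw):
    """Split a raw message into (start line, headers, body).
    Header names are lower-cased so look-ups are case-insensitive."""
    head, sep, body = raw.partition(b'\r\n\r\n')
    if not sep:
        raise ValueError('incomplete HTTP message: no blank line ending the headers')
    lines = head.decode('iso-8859-1').split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_request(raw):
    """Request line is 'METHOD target HTTP/x.y'."""
    start, headers, body = parse_http(raw)
    method, target, version = start.split(' ', 2)
    return {'method': method, 'target': target, 'version': version,
            'headers': headers, 'body': body}

def parse_response(raw):
    """Status line is 'HTTP/x.y code reason'."""
    start, headers, body = parse_http(raw)
    version, code, reason = start.split(' ', 2)
    return {'version': version, 'status': int(code), 'reason': reason,
            'headers': headers, 'body': body}

def exchange_summary(req_raw, resp_raw, t_req, t_resp):
    """Answer the lab questions for one GET/response pair.
    t_req and t_resp are the frame timestamps (seconds) from the Time column."""
    req, resp = parse_request(req_raw), parse_response(resp_raw)
    declared = resp['headers'].get('content-length')
    return {
        'client_version': req['version'],
        'server_version': resp['version'],
        'accept_language': req['headers'].get('accept-language'),
        'status': resp['status'],
        'success': 200 <= resp['status'] < 300,       # a 2xx status means the GET succeeded
        'last_modified': resp['headers'].get('last-modified'),
        'body_bytes': len(resp['body']),
        # a mismatch here usually means the body continues in later TCP segments
        'body_matches_declared': declared is None or int(declared) == len(resp['body']),
        'response_time_s': round(t_resp - t_req, 6),
    }

# ---- constructed sample exchanges (not real captures) ----
BODY_1 = b'<html><body>Congratulations, you have downloaded the first lab file.</body></html>'
REQUEST_1 = (b'GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1\r\n'
             b'Host: gaia.cs.umass.edu\r\n'
             b'Accept-Language: en-US,en;q=0.5\r\n'
             b'Connection: keep-alive\r\n\r\n')
RESPONSE_1 = (b'HTTP/1.1 200 OK\r\n'
              b'Date: Sat, 01 Jan 2000 12:00:00 GMT\r\n'
              b'Last-Modified: Fri, 31 Dec 1999 18:30:00 GMT\r\n'
              b'Content-Type: text/html\r\n'
              + b'Content-Length: %d\r\n\r\n' % len(BODY_1) + BODY_1)

BODY_2 = b'<html><body>404 Not Found</body></html>'
REQUEST_2 = (b'GET /favicon.ico HTTP/1.1\r\n'
             b'Host: gaia.cs.umass.edu\r\n'
             b'Accept-Language: en-US,en;q=0.5\r\n\r\n')
RESPONSE_2 = (b'HTTP/1.1 404 Not Found\r\n'
              b'Content-Type: text/html\r\n'
              + b'Content-Length: %d\r\n\r\n' % len(BODY_2) + BODY_2)

if __name__ == '__main__':
    print(exchange_summary(REQUEST_1, RESPONSE_1, 1.000000, 1.023456))
    print(exchange_summary(REQUEST_2, RESPONSE_2, 2.500000, 2.521000))
```

In a real trace the response body may be split across several TCP segments; Wireshark reassembles them into the frame that carries the last segment, which is why `body_matches_declared` is worth checking before answering question 10 from a single packet.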
Task 2. Tracing DNS with Wireshark [20 Marks]
First, capture the DNS packets that are generated by ordinary Web surfing activity.
• Use ipconfig /flushdns to empty the DNS cache on your host.
• Open your browser and empty its cache. (With Internet Explorer, go to the Tools
menu and select Internet Options; then in the General tab select Delete Files.)
• Open Wireshark and enter "ip.addr == your_IP_address" into the filter, where you obtain
your_IP_address (the IP address of the computer on which you are running Wireshark) with
ipconfig. This filter removes all packets that neither originate from nor are destined to your host.
• Start packet capture in Wireshark.
• With your browser, visit the Web page http://www.ietf.org
• Stop packet capture.

Answer the following questions:


1. Locate the DNS query and response messages. Are they sent over UDP or TCP?

2. What is the destination port for the DNS query message? What is the source port of DNS
response message?

3. Examine the DNS query message. What “Type” of DNS query is it? Does the query
message contain any “answers”?

4. Examine the DNS response message. How many “answers” are provided? What does
each of these answers contain?
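To see why the query and the reply "have the same message format" and what each answer RR (name, value, type, ttl) holds, it helps to decode the bytes yourself rather than only read Wireshark's tree. The script below is an added example for this lab, not part of the manual: it builds a query like the one a stub resolver sends for www.ietf.org, builds a constructed reply with the same 12-byte header (QR flag set, a CNAME answer followed by an A answer), and parses both. The reply is made up (TEST-NET address 192.0.2.10 and the invented target cdn.example.net), not the real answer the ietf.org servers return.

```python
"""Parse DNS query and response messages from raw bytes.

Added example for this lab, not part of the manual. Query and reply share the
same 12-byte header (ID, flags, four section counts); the reply differs only in
the QR flag and a populated answer section. Sample messages are constructed.
"""
import struct

def encode_name(name):
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    return b''.join(bytes([len(l)]) + l.encode('ascii')
                    for l in name.split('.')) + b'\x00'

def read_name(msg, off):
    """Decode a name at `off`, following compression pointers (0xC0xx).
    Returns (name, offset just after the name as it appears at `off`)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 10:                               # guard against pointer loops
                raise ValueError('DNS name compression loop')
            ptr = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return '.'.join(labels), end
        labels.append(msg[off:off + length].decode('ascii'))
        off += length

def parse_dns(msg):
    """Return header flags, questions (name, type) and answers (name, value, type, ttl)."""
    tid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    out = {'id': tid, 'is_response': bool(flags & 0x8000),
           'rcode': flags & 0x000F, 'questions': [], 'answers': []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack('!HH', msg[off:off + 4])
        off += 4
        out['questions'].append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == 1 and rdlen == 4:                   # A record: IPv4 address
            value = '.'.join(str(b) for b in msg[rdata_off:off])
        elif rtype == 5:                                # CNAME: another name
            value, _ = read_name(msg, rdata_off)
        else:
            value = msg[rdata_off:off].hex()
        out['answers'].append((name, value, rtype, ttl))
    return out

def build_query(tid, name, qtype=1):
    """Standard query, RD=1, one question, no answers (what a stub resolver sends)."""
    return (struct.pack('!HHHHHH', tid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack('!HH', qtype, 1))

def build_response(tid, name):
    """Constructed reply: QR=1 RD RA, rcode 0, question echoed, a CNAME then an A."""
    msg = (struct.pack('!HHHHHH', tid, 0x8180, 1, 2, 0, 0)
           + encode_name(name) + struct.pack('!HH', 1, 1))
    cname_rdata = encode_name('cdn.example.net')       # made-up CNAME target
    cname_off = len(msg) + 2 + 10                      # where cname_rdata will land
    msg += (struct.pack('!H', 0xC000 | 12)             # pointer to the question name
            + struct.pack('!HHIH', 5, 1, 300, len(cname_rdata)) + cname_rdata)
    msg += (struct.pack('!H', 0xC000 | cname_off)      # pointer to the CNAME target
            + struct.pack('!HHIH', 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
    return msg

QUERY = build_query(0x1234, 'www.ietf.org')
RESPONSE = build_response(0x1234, 'www.ietf.org')

if __name__ == '__main__':
    for m in (QUERY, RESPONSE):
        print(parse_dns(m))
```

Both messages would travel in UDP datagrams to and from port 53; matching the ID field is how the resolver pairs a reply with its query, and the pointer handling in `read_name` is the part that is easiest to get wrong (and to exploit in parsers that do not bound the number of hops).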
