Wireshark Assignment - 1

Uploaded by amitbhaiyt5544

Wireshark Assignment 1

Name: Aditya Gangwar

ID: 2022kucp1004

Network Assignment

ICMP Echo Request Message

● (a) IP address of computer: To find your computer’s IP, capture an ICMP
Echo Request packet in Wireshark. The source IP address will be your
computer’s IP. Example: 192.168.1.5.
● (b) Value in upper layer protocol field: The upper layer protocol field will be
1, which corresponds to ICMP.

IP Packet Header

● (c) IP header bytes: The IP header is usually 20 bytes long. To find the
payload size, subtract the IP header size from the total length. Example:
Total length is 60 bytes, so payload size is 60 - 20 = 40 bytes.
● (d) Fragmentation status: If the "More Fragments" flag is not set and the
"Fragment Offset" is 0, the datagram is not fragmented. Example: Not
fragmented.
● (e) Fields that change: "Identification" and "TTL" fields change from one
packet to the next.
● (f) Constant fields: "Source IP" and "Destination IP" stay constant. Fields
like "TTL" and "Identification" must change. The TTL must change because
it decreases with each hop, and the "Identification" must change for packet
uniqueness.
● (g) Pattern in Identification field: The Identification field increments
sequentially by 1 with each new packet. Example: 4567, 4568, 4569, etc.
● (h) Identification and TTL values: Example: Identification = 4567, TTL = 64.
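The answers to (a)–(h) all come from reading fixed offsets in the IPv4 header. As an added example that is not part of the assignment, the parser below builds a few constructed ICMP Echo Request packets (the addresses, identification values and TTLs are made up, stepped like a traceroute tool's probes) and then extracts the protocol field, header length, payload size, fragmentation status, identification and TTL exactly as Wireshark's IPv4 dissector shows them. Comparing the parsed headers across the series also shows which fields change from packet to packet: identification and TTL, and consequently the header checksum, which covers both.

```python
import ipaddress
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"  # RFC 791 fixed header: 20 bytes when IHL == 5


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words. Run over a header whose checksum
    field is already correct, the result is 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, ttl, payload_len=32, src="192.168.1.5", dst="8.8.8.8"):
    """Constructed IPv4 datagram carrying an ICMP Echo Request (type 8).
    The ICMP checksum is left at 0 because only the IP header is dissected here."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, ident) + bytes(payload_len)
    header = struct.pack(IPV4_HEADER,
                         (4 << 4) | 5,      # version 4, IHL 5 words = 20 bytes
                         0,                 # DSCP/ECN
                         20 + len(icmp),    # total length
                         ident,             # identification
                         0,                 # flags (DF/MF clear) + fragment offset 0
                         ttl,
                         1,                 # upper-layer protocol: 1 = ICMP
                         0,                 # checksum placeholder
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    checksum = ipv4_header_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + icmp


def parse_ipv4(packet: bytes) -> dict:
    """Dissect the IPv4 header fields the assignment questions ask about."""
    (ver_ihl, _tos, total_length, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)   # MF bit
    frag_offset = flags_frag & 0x1FFF            # in 8-byte units
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "total_length": total_length,
        "payload_len": total_length - header_len,
        "identification": ident,
        "more_fragments": more_fragments,
        "fragment_offset": frag_offset,
        "fragmented": more_fragments or frag_offset != 0,
        "ttl": ttl,
        "protocol": proto,
        "header_checksum": checksum,
        "checksum_ok": ipv4_header_checksum(packet[:header_len]) == 0,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
    }


def compare_fields(packets):
    """Split the header fields into those that change across the packets and those that stay constant."""
    parsed = [parse_ipv4(p) for p in packets]
    changed = sorted(k for k in parsed[0] if len({str(v[k]) for v in parsed}) > 1)
    constant = sorted(k for k in parsed[0] if k not in changed)
    return {"changed": changed, "constant": constant}


def identification_steps(packets):
    """Difference between consecutive Identification values (1 for a sequential counter)."""
    ids = [parse_ipv4(p)["identification"] for p in packets]
    return [b - a for a, b in zip(ids, ids[1:])]


# Constructed probe series (not from a real capture): identification counts up by 1
# and the TTL is stepped up by 1 per probe, as an ICMP-based traceroute tool does.
SAMPLE_PACKETS = [build_echo_request(4567 + i, 1 + i) for i in range(3)]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(parse_ipv4(p))
    print(compare_fields(SAMPLE_PACKETS))
```

With the default 32-byte ICMP payload the total length is 60 and the payload works out to 60 - 20 = 40 bytes, the same arithmetic as in (c); `fragmented` is derived from the MF flag and the fragment offset together, as in (d).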

ICMP TTL-Exceeded Replies

● (i) Value changes for ICMP TTL-exceeded replies: The TTL values
decrease by 1 for each hop. Example: TTL starts at 64 and decreases as
the packet crosses routers.

TCP Connection to gaia.cs.umass.edu

● (j) IP address and TCP port number: Example: Source IP = 192.168.1.5,
Source Port = 34567.
● (k) TCP SYN segment sequence number: Example: Sequence number =
1001, Identified as SYN by the "SYN" flag set to 1.
● (l) SYNACK segment sequence and Acknowledgement numbers:
Example: Sequence number = 2001, Acknowledgement = 1002 (SYN + 1).
Identified as SYNACK by both "SYN" and "ACK" flags set.

HTTP POST and TCP Segments

● (m) TCP segment sequence number for HTTP POST: Example: Sequence
number = 1003 (this will vary depending on your packet capture).
● (n) Sequence numbers of first six segments: Example: 1003, 1043, 1083,
1123, 1163, 1203. RTT values can be calculated by the difference in time
between sending and receiving ACK.
● (o) Length of first six TCP segments: Example: Segment length = 40 bytes
each (may vary depending on your trace).

TCP Analysis

● (p) Minimum buffer space advertised: Example: 65535 bytes (this will be
displayed in the TCP window size field).
● (q) Retransmitted segments: Example: 1 retransmitted segment. Wireshark
will mark retransmitted segments with "TCP Retransmission."
● (r) Data acknowledged in an ACK: Example: 1460 bytes (typical for an
Ethernet network).

TCP Throughput

● (s) Throughput calculation: Example: 500 KB transferred in 5 seconds =
100 KBps. (Use Wireshark's Statistics -> Summary for exact values).
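Questions (j)–(s) are all answered by walking a TCP conversation segment by segment. As an added example that is not part of the assignment, the code below runs that analysis over a constructed trace of a short HTTP POST upload (times, sequence numbers and window sizes are invented; there is one deliberate retransmission). It identifies the handshake segments by their flag bits and checks the "+1" relationships from (k) and (l), flags retransmissions with the same heuristic Wireshark uses (a data segment whose sequence number is below the highest byte already sent), computes bytes acknowledged per ACK, the RTT per first-transmitted segment, the minimum advertised window and the throughput.

```python
from collections import namedtuple

# TCP flag bits as they appear in the header's flags byte
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

# One segment as Wireshark lists it: capture time in ms, direction
# (c2s = client to server), seq, ack, flags, advertised window, payload length.
Seg = namedtuple("Seg", "t_ms dir seq ack flags win length")

# Constructed trace (not from a real capture). Window values are the raw 16-bit
# field; no window scaling is applied in this example.
SEGMENTS = [
    Seg(0,   "c2s", 1001, 0,    SYN,       64240, 0),     # SYN
    Seg(50,  "s2c", 2001, 1002, SYN | ACK, 65535, 0),     # SYN-ACK, acks 1001 + 1
    Seg(51,  "c2s", 1002, 2002, ACK,       64240, 0),     # ACK, acks 2001 + 1
    Seg(100, "c2s", 1002, 2002, ACK | PSH, 64240, 1460),  # first POST segment
    Seg(101, "c2s", 2462, 2002, ACK,       64240, 1460),
    Seg(150, "s2c", 2002, 2462, ACK,       64075, 0),
    Seg(300, "c2s", 2462, 2002, ACK,       64240, 1460),  # retransmission of the 101 ms segment
    Seg(350, "s2c", 2002, 3922, ACK,       62615, 0),
    Seg(351, "c2s", 3922, 2002, ACK | PSH, 64240, 1080),  # last POST segment
    Seg(400, "s2c", 2002, 5002, ACK,       65535, 0),
]


def handshake(segments):
    """Identify SYN, SYN-ACK and ACK by their flag bits and verify the +1 relationships."""
    syn = next(s for s in segments if (s.flags & (SYN | ACK)) == SYN)
    synack = next(s for s in segments if (s.flags & (SYN | ACK)) == (SYN | ACK))
    ack = next(s for s in segments if s.dir == syn.dir and s.t_ms > synack.t_ms
               and (s.flags & (SYN | ACK)) == ACK)
    return {
        "client_isn": syn.seq,
        "server_isn": synack.seq,
        "synack_acks_syn": synack.ack == syn.seq + 1,
        "ack_acks_synack": ack.ack == synack.seq + 1 and ack.seq == syn.seq + 1,
    }


def retransmissions(segments, direction="c2s"):
    """Data segments whose seq lies below the highest byte already sent in this direction."""
    highest_end, found = None, []
    for s in segments:
        if s.dir != direction or s.length == 0:
            continue
        if highest_end is not None and s.seq < highest_end:
            found.append(s)
        else:
            highest_end = s.seq + s.length
    return found


def acked_bytes(segments, direction="s2c"):
    """Bytes newly acknowledged by each ACK from `direction` (difference between successive ack numbers)."""
    acks = [s for s in segments if s.dir == direction and s.flags & ACK]
    return [b.ack - a.ack for a, b in zip(acks, acks[1:])]


def rtt_ms(segments, direction="c2s"):
    """(seq, RTT) per first-transmitted data segment: time until a peer ACK covers its last byte.
    Retransmitted segments are skipped, as Wireshark does for its RTT graph."""
    retrans = retransmissions(segments, direction)
    result = []
    for s in segments:
        if s.dir != direction or s.length == 0 or s in retrans:
            continue
        end = s.seq + s.length
        ack = next((a for a in segments if a.dir != direction and a.t_ms > s.t_ms and a.ack >= end), None)
        result.append((s.seq, ack.t_ms - s.t_ms if ack else None))
    return result


def min_advertised_window(segments, direction="s2c"):
    """Smallest receive window the peer advertised (raw field, no scaling)."""
    return min(s.win for s in segments if s.dir == direction)


def throughput(segments, direction="c2s"):
    """(unique payload bytes, duration in ms, bytes/s) from the first data segment
    to the ACK that covers the last byte. Retransmitted bytes are not counted twice."""
    data = [s for s in segments if s.dir == direction and s.length > 0]
    retrans = retransmissions(segments, direction)
    unique = sum(s.length for s in data if s not in retrans)
    last_end = max(s.seq + s.length for s in data)
    final_ack = next(a for a in segments if a.dir != direction and a.ack >= last_end)
    duration_ms = final_ack.t_ms - data[0].t_ms
    return unique, duration_ms, unique * 1000 / duration_ms


if __name__ == "__main__":
    print(handshake(SEGMENTS))
    print("retransmissions:", len(retransmissions(SEGMENTS)))
    print("acked bytes:", acked_bytes(SEGMENTS), "rtt:", rtt_ms(SEGMENTS))
    print("min window:", min_advertised_window(SEGMENTS), "throughput:", throughput(SEGMENTS))
```

In this trace the segment sent at 101 ms is sent again at 300 ms with the same sequence number, so it is the one segment reported as a retransmission; the RTT for the original 101 ms transmission is 249 ms because its ACK only arrives at 350 ms.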

UDP Packet

● (t) Number of fields in UDP header: There are 4 fields: Source Port,
Destination Port, Length, Checksum.
● (u) Length of each UDP header field: Each field is 2 bytes (16 bits).
● (v) Length field explanation: The Length field represents the length of the
UDP header + data. Example: 8 bytes for the header + payload.
● (w) Maximum bytes in UDP payload: 65507 bytes (UDP header allows a
total of 65535 bytes, minus 20 bytes for IP header and 8 bytes for UDP
header).
● (x) Largest possible source port number: 65535 (as ports are 16-bit
numbers).
● (y) Protocol number for UDP: Hexadecimal: 0x11, Decimal: 17.

UDP Packet Pair

● (z) Relationship between port numbers in UDP packets: The source port of
the first packet becomes the destination port in the reply packet, and vice
versa.
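The UDP answers (t)–(z) follow directly from the 8-byte header layout. As an added example that is not part of the assignment, the dissector below parses a constructed request/reply pair (the client and server addresses, ports and payloads are invented), reports the four 16-bit fields, checks that the Length field equals header plus payload, verifies the RFC 768 checksum over the IPv4 pseudo-header, which is what Wireshark does when checksum validation is enabled, and confirms the port swap between request and reply. A single flipped payload bit in a copy of the request shows the checksum check failing.

```python
import ipaddress
import struct

UDP_PROTOCOL = 17          # 0x11 in the IPv4 protocol field
UDP_HEADER = "!HHHH"       # source port, destination port, length, checksum: four 16-bit fields


def udp_checksum(src_ip, dst_ip, segment):
    """RFC 768 checksum: one's-complement sum over the IPv4 pseudo-header plus the UDP
    header (with its checksum field zeroed) and payload, zero-padded to an even length."""
    pseudo = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, UDP_PROTOCOL, len(segment)))
    data = pseudo + segment[:6] + b"\x00\x00" + segment[8:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    checksum = (~total) & 0xFFFF
    return checksum or 0xFFFF  # a computed 0 is sent as all ones; 0 on the wire means "no checksum"


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Constructed UDP datagram with a valid checksum."""
    header = struct.pack(UDP_HEADER, sport, dport, 8 + len(payload), 0)
    checksum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", checksum) + payload


def parse_udp(src_ip, dst_ip, segment):
    """Dissect the header the way Wireshark's UDP dissector presents it and sanity-check it."""
    sport, dport, length, checksum = struct.unpack(UDP_HEADER, segment[:8])
    fields = {"src_port": sport, "dst_port": dport, "length": length, "checksum": checksum}
    return {
        "fields": fields,
        "field_count": len(fields),
        "bytes_per_field": struct.calcsize("!H"),
        "header_bytes": struct.calcsize(UDP_HEADER),
        "payload_bytes": length - 8,
        "length_matches_capture": length == len(segment),
        "checksum_ok": checksum == 0 or udp_checksum(src_ip, dst_ip, segment) == checksum,
    }


def is_reply_to(request_fields, reply_fields):
    """In a request/reply pair the source and destination ports are swapped."""
    return ((request_fields["src_port"], request_fields["dst_port"])
            == (reply_fields["dst_port"], reply_fields["src_port"]))


def max_udp_payload(ip_header_bytes=20):
    """Largest payload that fits a 65535-byte IPv4 datagram: 65507 with a 20-byte IP header."""
    return 65535 - ip_header_bytes - 8


# Constructed request/reply pair between a client and a DNS server (not from a real capture)
CLIENT, SERVER = "192.168.1.5", "192.168.1.1"
REQUEST = build_udp(CLIENT, SERVER, 51234, 53, b"constructed query")
REPLY = build_udp(SERVER, CLIENT, 53, 51234, b"constructed answer")
# One flipped payload bit, to show the checksum check catching corruption
CORRUPTED = REQUEST[:-1] + bytes([REQUEST[-1] ^ 0x01])

if __name__ == "__main__":
    req = parse_udp(CLIENT, SERVER, REQUEST)
    rep = parse_udp(SERVER, CLIENT, REPLY)
    print(req, rep, is_reply_to(req["fields"], rep["fields"]), sep="\n")
    print("corrupted checksum ok?", parse_udp(CLIENT, SERVER, CORRUPTED)["checksum_ok"])
    print("max payload:", max_udp_payload(), "protocol:", hex(UDP_PROTOCOL))
```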

Security Assignment

1. Network Issues
○ (a) Identify network issues where Wireshark is helpful.
2. Display Filters Examples
○ (b) ARP filter: arp.src.hw_mac == 00:1A:2B:3C:4D:5E
○ (i) Complex filter: ip.dst == 192.168.1.10 && ip.src == 192.168.1.20 || ip.proto == 6
3. DHCP Request/Response Filter
○ (c) Design a filter for DHCP traffic: bootp

4. Fundamental Lab exercises on Wireshark

(i) Yes, the 3-way handshake can be found in the capture. Look for three
packets in this order: SYN (from client), SYN-ACK (from server), and ACK
(from client).
(ii) Yes, the two virtual machines can ping each other if they are on the
same subnet in Host-only mode. Both VMs can also ping the host.

(iii) Yes, the two virtual machines can ping each other in Internal mode, but
they cannot ping the host. If Wireshark is run on the host, no traffic
between the VMs would be visible.

5. Packet Capture

(i) In promiscuous mode, you can capture packets not addressed to your
machine. If your machine's MAC address is 00:1A:2B:3C:4D:5E, you
might see packets like the following:

● Packet 1:
○ Source MAC: 00:1A:2B:3C:4D:60
○ Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)
○ Protocol: ARP
○ Details: Request from another device on the network asking for the
IP of a device.
● Packet 2:
○ Source MAC: 00:1A:2B:3C:4D:61
○ Destination MAC: 00:1A:2B:3C:4D:62
○ Protocol: IPv4
○ Details: Data packet from one host to another on the same network.

These packets confirm that the capture is in promiscuous mode because they
originate from and are directed to other MAC addresses, not just your own.

In non-promiscuous mode, you would only see packets directly addressed to
your machine:

● Packet 1:
○ Source MAC: 00:1A:2B:3C:4D:60
○ Destination MAC: 00:1A:2B:3C:4D:5E (your machine)
○ Protocol: IPv4
○ Details: Data packet sent to your machine.

(ii) Yes, use the display filter:

!(ip.src == 127.0.0.1 || ip.dst == 127.0.0.1)

ARP Traffic

Use arp as a filter. Ensure the dissector is correct by verifying fields like
"Sender MAC Address" and "Target IP Address" in the packet details.
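The two selection steps described above, what the NIC delivers in promiscuous versus normal mode and what the display filters then keep, can be modelled over a list of frames. The code below is an added example, not part of the assignment; its frames are constructed (the MAC addresses follow the ones used in the answer, frame 4 stands for traffic captured on the loopback interface, which shows all-zero MACs on Linux). In normal mode a NIC delivers unicast frames to its own MAC together with broadcast and subscribed multicast frames, so the ARP broadcast is seen in both modes while the host-to-host IPv4 frame appears only in promiscuous mode. The `not_loopback` function applies the same rule as `!(ip.src == 127.0.0.1 || ip.dst == 127.0.0.1)`, including the behaviour that a frame without an IP layer passes because neither comparison can match, and `arp_only` mirrors the `arp` filter.

```python
OWN_MAC = "00:1a:2b:3c:4d:5e"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frames, not from a real capture. Frame 4 represents a packet captured on
# the loopback interface, where the Ethernet addresses show up as all zeros.
FRAMES = [
    {"no": 1, "src": "00:1a:2b:3c:4d:60", "dst": BROADCAST, "proto": "ARP", "ip": None},
    {"no": 2, "src": "00:1a:2b:3c:4d:61", "dst": "00:1a:2b:3c:4d:62", "proto": "IPv4",
     "ip": ("192.168.1.20", "192.168.1.30")},
    {"no": 3, "src": "00:1a:2b:3c:4d:60", "dst": OWN_MAC, "proto": "IPv4",
     "ip": ("192.168.1.10", "192.168.1.5")},
    {"no": 4, "src": "00:00:00:00:00:00", "dst": "00:00:00:00:00:00", "proto": "IPv4",
     "ip": ("127.0.0.1", "127.0.0.1")},
]


def is_multicast(mac):
    """Group bit: least significant bit of the first octet (broadcast is the all-ones case)."""
    return bool(int(mac.split(":")[0], 16) & 1)


def captured(frames, own_mac, promiscuous):
    """Frame numbers the capture sees. In normal mode the NIC delivers only unicast to its
    own MAC plus broadcast/multicast; promiscuous mode passes every frame on the segment."""
    if promiscuous:
        return [f["no"] for f in frames]
    return [f["no"] for f in frames
            if f["dst"].lower() == own_mac.lower() or is_multicast(f["dst"])]


def not_loopback(frames):
    """Same selection as !(ip.src == 127.0.0.1 || ip.dst == 127.0.0.1). A frame with no
    IP layer has no ip.src/ip.dst, so both comparisons fail and the negation keeps it."""
    return [f["no"] for f in frames if f["ip"] is None or "127.0.0.1" not in f["ip"]]


def arp_only(frames):
    """Equivalent of the display filter `arp`."""
    return [f["no"] for f in frames if f["proto"] == "ARP"]


if __name__ == "__main__":
    print("promiscuous:    ", captured(FRAMES, OWN_MAC, promiscuous=True))
    print("non-promiscuous:", captured(FRAMES, OWN_MAC, promiscuous=False))
    print("not loopback:   ", not_loopback(FRAMES))
    print("arp:            ", arp_only(FRAMES))
```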

(iii) When sniffing encrypted WiFi traffic, you will observe a variety of
encrypted frames, primarily using WPA2 or WPA3 encryption protocols.

○ Packet 1:
■ Frame Type: EAPOL (Extensible Authentication Protocol over
LAN)
■ Source MAC: 00:1A:2B:3C:4D:5F
■ Destination MAC: 00:1A:2B:3C:4D:5E
■ Protocol: EAPOL
■ Length: 64 bytes
■ Details: This packet is part of the 4-way handshake, used for
key management. It might contain encrypted key information
but appears as random gibberish in the capture.
○ Packet 2:
■ Frame Type: Data
■ Source MAC: 00:1A:2B:3C:4D:60
■ Destination MAC: 00:1A:2B:3C:4D:5E
■ Protocol: WPA2 Data
■ Length: 1500 bytes
■ Details: The packet is encrypted with a key derived from the
WPA2 pre-shared key (PSK). The payload may include HTTP
requests or other data, but you will see it as a stream of
encrypted data, for example:
5A:1B:6C:2F:8E:01:FF:34:EA:45:DC:19:4B:7A.

You will not be able to decipher the contents of these packets without the
appropriate encryption keys.

Diagnosing Attacks
i. FTP Password sent from vic1: password123

ii. First packets shown in Wireshark from the attacking VM: TCP SYN
packets targeting the web server on port 80 (HTTP).
