Wireshark LAB Solution

This lab manual introduces Wireshark, a network analysis tool for capturing and analyzing network traffic, specifically focusing on HTTP and DNS protocols. It outlines the objectives, running procedures, and various filtering techniques in Wireshark, as well as detailed steps for analyzing HTTP and DNS traffic. Additionally, it explains the DNS system, its importance, and includes practical tasks for students to explore captured packets and analyze their characteristics.

Uploaded by MOHSIN AKRAM

University of Central Punjab

(Incorporated by Ordinance No. XXIV of 2002 promulgated by Government of the Punjab)


FACULTY OF INFORMATION TECHNOLOGY

Computer Communications and Networks

Lab 07
Introduction to Wireshark
HTTP and DNS on Wireshark
Lab Manual 07
Objectives
• Introduction to Wireshark
• Running Wireshark
• Explore Wireshark Filters
• DNS
• HTTP on Wireshark
• Tracing DNS with Wireshark

Reference Material
Introduction to Wireshark:
Wireshark, a network analysis tool, captures packets in real time and displays them in a human-
readable format. Wireshark is a powerful tool for understanding what happens behind the scenes
when devices communicate over a network. By focusing on HTTP, you can inspect web traffic,
and with DNS, you can analyze domain lookups, making it essential for troubleshooting,
learning, and securing networks.

Running Wireshark:
When you run the Wireshark program, the Wireshark graphical user interface appears. Initially, no data
will be displayed in the various windows.
Wireshark Filters
The simplest filter allows you to check for the existence of a protocol or field. If you want to see all
packets which contain the IP protocol, the filter would be "ip" (without the quotation marks).

1. Comparison operators
Fields can also be compared against values. The comparison operators can be expressed either
through English-like abbreviations or through C-like symbols:
eq, == Equal
ne, != Not Equal
gt, > Greater Than
lt, < Less Than
ge, >= Greater than or Equal to
le, <= Less than or Equal to
Example
ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1 as either the source or destination]
tcp.time_delta > .250 [sets a filter to display all TCP packets that have a delta time of greater than
250 ms in the context of their stream]

2. Search and match operators
Additional operators exist that are expressed only in English, not in C-like syntax:
contains Does the protocol or field contain a value
matches, ~ Does the protocol or text string match the given case-insensitive Perl-compatible
regular expression
The "contains" operator allows a filter to search for a sequence of characters, expressed as a string
(quoted or unquoted), or bytes, expressed as a byte array, or for a single character, expressed as a C-
style character constant.
Example
To search for a given HTTP URL in a capture, the following filter can be used:
http contains "https://www.wireshark.org"
The "contains" operator cannot be used on atomic fields, such as numbers or IP addresses.
The "matches" or "~" operator allows a filter to apply to a specified Perl-compatible regular
expression (PCRE). The "matches" operator is only implemented for protocols and for protocol
fields with a text string representation. Matches are case-insensitive by default. For example, to
search for a given WAP WSP User-Agent, you can write:
wsp.user_agent matches "cldc"
This would match "cldc", "CLDC", "cLdC" or any other combination of upper and lower case letters.

3. The membership operator
A field may be checked for matches against a set of values simply with the membership operator. For instance,
you may find traffic on common HTTP/HTTPS ports with the following filter:
tcp.port in {80 443 8080}
as opposed to the more verbose:
tcp.port == 80 or tcp.port == 443 or tcp.port == 8080
Example
To find HTTP requests using the HEAD or GET methods:
http.request.method in {"HEAD" "GET"}
The set of values can also contain ranges:
tcp.port in {443 4430..4434}
ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
frame.time_delta in {10 .. 10.5}

4. Logical expressions
Tests can be combined using logical expressions. These too are expressible in C-like syntax or with
English-like abbreviations:
and, && Logical AND
or, || Logical OR
not, ! Logical NOT
Example
ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP
addresses]
!(arp or icmp or stp) [masks out ARP, ICMP, STP, or whatever other protocols may be background noise]
Expressions can be grouped by parentheses as well. The following are all valid display filter
expressions:
tcp.port == 80 and ip.src == 192.168.2.1
not llc
http and frame[100-199] contains "wireshark"
(ipx.src.net == 0xbad && ipx.src.node == 0.0.0.0.0.1) || ip
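The membership operator and the multi-occurrence fields used above (ip.addr, tcp.port), worked as an added Python example that is not part of the lab manual or of Wireshark itself: it parses the set notation shown in this section and applies it to constructed packet summaries, so you can see why ip.addr == 10.0.0.1 matches both directions of a conversation and why a tcp.port test never matches a UDP-only DNS packet. The packet dictionaries, addresses and frame numbers are constructed sample data.

```python
import ipaddress

# Fields Wireshark treats as several occurrences per packet: "ip.addr" tests both
# ip.src and ip.dst, "tcp.port" tests both tcp.srcport and tcp.dstport.
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}

def _atom(text):
    """Turn one set element into a comparable value: an IP address or a number."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return float(text)

def parse_set(text):
    """Parse '{80 443 8080}', '{443 4430..4434}' or '{10.0.0.5 .. 10.0.0.9}' into (low, high) pairs."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("membership set must be written inside braces")
    tokens = body[1:-1].replace("..", " .. ").split()   # accept 'a..b' and 'a .. b'
    ranges, i = [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "..":
            ranges.append((_atom(tokens[i]), _atom(tokens[i + 2])))
            i += 3
        else:
            ranges.append((_atom(tokens[i]), _atom(tokens[i])))
            i += 1
    return ranges

def in_set(packet, field, set_text):
    """Wireshark 'field in {...}': true if ANY occurrence of the field falls in ANY element or range.
    A packet without the protocol (e.g. UDP-only DNS for a tcp.port test) never matches."""
    values = [_atom(str(packet[f])) for f in ALIASES.get(field, (field,)) if f in packet]
    return any(isinstance(v, type(lo)) and lo <= v <= hi for v in values for lo, hi in parse_set(set_text))

# Constructed packet summaries (not from a real capture), keyed by Wireshark field names.
PACKETS = [
    {"frame.number": 1, "ip.src": "10.0.0.1", "ip.dst": "192.168.1.7", "tcp.srcport": 51000, "tcp.dstport": 443},
    {"frame.number": 2, "ip.src": "192.168.1.7", "ip.dst": "10.0.0.1", "tcp.srcport": 443, "tcp.dstport": 51000},
    {"frame.number": 3, "ip.src": "10.0.0.5", "ip.dst": "8.8.8.8", "udp.srcport": 53123, "udp.dstport": 53},
    {"frame.number": 4, "ip.src": "10.0.0.10", "ip.dst": "10.0.0.20", "tcp.srcport": 4431, "tcp.dstport": 8080},
]

def filter_frames(packets, field, set_text):
    """Frame numbers that would survive the display filter 'field in set_text'."""
    return [p["frame.number"] for p in packets if in_set(p, field, set_text)]
```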

How to Use Wireshark for HTTP and DNS Analysis

Wireshark allows users to capture and filter traffic to focus on specific protocols like HTTP and
DNS. Here's how you can use it:

Example 1: Analyzing HTTP Traffic
1. Setup:
o Start Wireshark and select your active network interface (e.g., Wi-Fi or Ethernet).
o Click "Start" to begin capturing packets.
2. Filter HTTP Traffic:
o Use the filter field at the top and type http.
o This shows only HTTP packets (e.g., requests and responses).
3. Analyze Packets:
o Click on a packet to see details like the HTTP method (GET, POST) and URL.
o Example: If you visit google.com, you’ll see a GET request with the URL in the
packet details.
4. Insights:
o Learn response times, status codes (e.g., 200 OK, 404 Not Found), and headers.
Example 2: Analyzing DNS Traffic
1. Setup:
o As before, start capturing packets using Wireshark.
o DNS queries are used for translating domain names (e.g., google.com) into IP
addresses.
2. Filter DNS Traffic:
o Use the filter dns to isolate DNS packets.
3. Analyze Queries and Responses:
o You can see DNS queries sent from your device and the corresponding responses
from the DNS server.
o Example: If you type google.com in your browser, a DNS query will show the
domain name, and the response will show the resolved IP address.
4. Insights:
o Identify delays in DNS resolution or incorrect IP mapping.

DNS: Domain Name System


DNS stands for Domain Name System, and it is like the phonebook of the internet. It helps
translate human-friendly website names (like www.google.com) into computer-friendly IP
addresses (like 142.250.200.196 or 2607:f8b0:4004:801::2004).
Computers need IP addresses to communicate over the internet, but humans find it easier to
remember names rather than numbers. DNS handles this conversion automatically.

How Does DNS Work?


When you type a website name in your browser (e.g., www.google.com), here’s what happens:
1. You Enter a Domain Name:
o Example: You type www.google.com in your browser.
2. DNS Request (Query):
o Your computer doesn’t know the IP address for www.google.com, so it sends a
DNS query to a nearby DNS server (often provided by your Internet Service
Provider or a public DNS like Google’s 8.8.8.8).
3. DNS Server Resolves the Name:
o The DNS server looks up the domain name in its database.
o If it knows the IP address (e.g., 142.250.200.196), it sends it back to your
computer.
o If it doesn’t know, it asks other DNS servers on the internet (recursive query)
until it finds the IP address.
4. Your Computer Connects:
o Your computer uses the IP address to contact the server and load the website.
Types of DNS Records
DNS also contains information about the domain, such as:
1. A Record: Maps a domain to an IPv4 address.
o Example: www.example.com → 93.184.216.34.
2. AAAA Record: Maps a domain to an IPv6 address.
o Example: www.example.com → 2606:2800:220:1:248:1893:25c8:1946.
3. CNAME Record: Maps one domain to another domain (alias).
o Example: images.example.com → www.example.com.
4. MX Record: Used for email, maps a domain to mail servers.
o Example: example.com → mail.example.com.

Why is DNS Important?


• Without DNS, you’d need to remember IP addresses for every website you visit.
• It enables the internet to be user-friendly and scalable.

Taking Wireshark for a Test Run


1. Open Wireshark, select interface from list of interfaces (Ethernet in your case). Change your
Interface to the appropriate one from the list provided. Then Press the capture Start button to
start capturing the packets at run time.
2. While Wireshark is running, enter the URL:
http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html and have that page
displayed in your browser.
3. Now enter another URL, http://gaia.cs.umass.edu/favicon.ico, and you will see that this page is
not found on the server.
4. In order to display both the pages, your browser will contact the HTTP server at
gaia.cs.umass.edu and exchange HTTP messages with the server in order to download this
page. The Ethernet frames containing these HTTP messages will be captured by Wireshark.
5. After your browser has displayed both the web pages, stop Wireshark packet capture by
selecting stop in the Wireshark capture window. You now have live packet data that contains
all protocol messages exchanged between your computer and other network entities! The
HTTP message exchanges with the gaia.cs.umass.edu web server should appear somewhere in
the listing of packets captured. But there will be many other types of packets displayed as well.
6. Type in “http” (without the quotes, and in lower case – all protocol names are in lower case in
Wireshark) into the display filter specification window at the top of the main Wireshark
window. Then select Apply (to the right of where you entered “http”). This will cause only
HTTP message to be displayed in the packet-listing window.
7. Select the first http message shown in the packet-listing window. This should be the HTTP
GET message that was sent from your computer to the gaia.cs.umass.edu HTTP server. When
you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP
message header information will be displayed in the packet-header window. By clicking the plus-and-minus
boxes to the left side of the packet details window, minimize the amount of Frame,
Ethernet, Internet Protocol, and Transmission Control Protocol information displayed.
Maximize the amount of information displayed about the HTTP protocol. Your Wireshark display
should now look roughly as shown in Figure 5. (Note in particular, the minimized amount of
protocol information for all protocols except HTTP, and the maximized amount of protocol
information for HTTP in the packet-header window).
8. Now try to find the packet that contains the second request your browser sent, and
also analyze the packet your browser received as a result of the second GET request.
Lab Tasks
Task 1. Explore the packets you captured from the test run and answer the following questions [10 Marks]

1. List up to 4 different protocols that appear in the protocol column in the unfiltered
packet-listing window.
ANS:

Common protocols are:
• HTTP: For web requests and responses.
• TCP: For transport-layer communication.
• DNS: For domain name resolution.
• ARP or ICMP: For address resolution and ping (echo) messages, respectively.

2. What is the response time against HTTP GET Request?

ANS:

Use this formula to calculate response time:

Response Time = Time of HTTP Response - Time of HTTP GET Request.


By looking at the information in the HTTP GET and Response Messages for both the HTTP
Requests, answer the following questions:

3. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the
server running?

4. What is the MAC address of the server and your computer?


5. What are the sending and receiving port numbers? What does Port 80 represent?

• Note the following:


o Source Port: This is your browser's random high-number port.
o Destination Port: Usually 80, the standard port for HTTP traffic.

Task 2. Tracing DNS with Wireshark [10 Marks]
First, capture the DNS packets that are generated by ordinary Web surfing activity.
• Use ipconfig to empty the DNS cache in your host.
• Open your browser and empty your browser cache. (With Internet Explorer, go to Tools
menu and select Internet Options; then in the General tab select Delete Files.)
• Open Wireshark and enter “ip.addr == your_IP_address” into the filter, where you obtain
your_IP_address (the IP address for the computer on which you are running Wireshark)
with ipconfig. This filter removes all packets that neither originate nor are destined to your
host.
• Start packet capture in Wireshark.
• With your browser, visit the Web page: http://www.ietf.org
• Stop packet capture.
Answer the following questions:

1. Locate the DNS query and response messages. Are they sent over UDP or TCP?
ANS:

• Details:
o DNS queries and responses are typically sent over UDP.
o If packet size exceeds 512 bytes, DNS may switch to TCP.
2. What are the destination and source ports for the DNS query message?

3. Examine the DNS query message. What “Type” of DNS query is it? Does the query
message contain any “answers”?
4. Examine the DNS response message. How many “answers” are provided? What does
each of these answers contain?
5. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP
address of the SYN packet correspond to any of the IP addresses provided in the DNS
response message?
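To connect the DNS record types described earlier with Task 2 (the query "Type", the number of "answers", what each answer contains, and whether the later TCP SYN goes to a returned address), here is an added Python example that decodes a constructed wire-format DNS response the way Wireshark's DNS dissector presents it; it is not from the lab manual. The message bytes, transaction ID and TTLs are constructed, and the record type numbers and flag bits follow RFC 1035.

```python
import struct
import ipaddress
TYPES = {1: "A", 5: "CNAME", 15: "MX", 28: "AAAA"}
# Constructed DNS response (not from a real capture). Header: ID 0x1234, flags 0x8180
# (QR=1 response, RD, RA, TC=0), 1 question, 2 answers. Question: www.example.com A IN.
# Answers: www.example.com CNAME example.com; example.com A 93.184.216.34 (TTL 300 each).
# 0xC00C / 0xC010 are compression pointers to offsets 12 and 16 inside the question name.
RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 13) + b"\x07example\x03com\x00"
    + b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
def read_name(msg, off):
    """Decode a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # RFC 1035 pointer: 14-bit offset into the message
            end = end or off + 2        # the name ends right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return what Wireshark's DNS tree shows: header flags, Queries, Answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, TYPES.get(qtype, qtype)))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]    # A/AAAA: raw address; CNAME: another name
        value = (str(ipaddress.ip_address(rdata)) if rtype in (1, 28)
                 else read_name(msg, off)[0] if rtype == 5 else rdata.hex())
        answers.append((name, TYPES.get(rtype, rtype), ttl, value))
        off += rdlen
    # TC=1 means the reply exceeded the 512-byte UDP limit; the client should retry over TCP.
    return {"id": txid, "is_response": bool(flags & 0x8000), "truncated": bool(flags & 0x0200),
            "questions": questions, "answers": answers,
            "resolved_ips": {a[3] for a in answers if a[1] in ("A", "AAAA")}}
```

For question 5, compare the SYN's destination address against the "resolved_ips" set; a SYN to an address that no answer returned is worth a second look.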
