
Wire Shark Assignment

The Wireshark assignment teaches students how to use a network analyzer to observe and analyze network traffic while visiting a website. Students will install Wireshark, capture packets, and answer questions regarding the differences in packet details, their computer's IP address, and the protocols involved in data communication. The assignment aims to connect theoretical concepts covered in class with practical network functionality through hands-on experience with packet analysis.

Uploaded by

Aishu Aishu

Wireshark Assignment

This assignment introduces students to a free network analyzer. Network
analyzers are very useful tools that help understand data communications and
networks. They scan the data link attached to the computer and provide an
intuitive, visual view of packets as they flow past the computer. We use
Wireshark, a sniffer which may be downloaded for free off the Internet. Further
details about Wireshark as well as downloads are available at www.wireshark.org.
The goals of this assignment are two-fold. First, I would like you to know how
to use a network analyzer. Second, seeing the actual packets will help you link the
topics we cover in this class with the actual functioning of a real network. To
achieve these goals, you will follow the network traffic that is generated when you
perform the basic task of visiting a web site.
Using an analyzer is rather straightforward and no more difficult than using a
word processor or a spreadsheet. Follow the instructions given and submit your
answers to the questions.
Using Wireshark
1. After downloading the file from www.wireshark.org, install it on your
computer. Then open up the installed program.
2. The menus offer some interesting features, but we will limit ourselves to
the options shown under the “Capture” menu on the menu bar. In case
you are interested, there is extensive documentation for Wireshark at
http://www.wireshark.org/download/docs/user-guide-us.pdf.
3. To capture packets, simply select Capture → Interfaces. Often a
computer is going to have multiple interfaces (wireless card, wired card),
so you’ll need to choose the interface that you are using for your Internet
connection. Then select Capture → Start. This will start the capture of all
packets that the interface you selected receives and sends.
4. When you click OK, Wireshark begins to capture packets, giving you a
real-time view of the packets in the capture window.
5. The capture goes on until you stop it by clicking the stop button. Before
you stop, be sure to open a webpage in your browser and see all the
packets that are sent/received in order to download that webpage.
Wireshark loads up the captured packets into the main window when you
stop the capture. You can now examine each packet in this window in
detail at your convenience.
6. The main Wireshark window has three panels. The topmost panel lists all
the packets captured. The second panel resolves the fields in the selected
packet in the first panel and the third panel gives a bit-level view of the
selected packet. Selecting a packet in the upper screen brings up the
details in the lower screens. This is the basic functionality of Wireshark.
Run a few captures and familiarize yourself with using the software.
7. Disable all three name resolution features in the Capture → Interfaces
screen and run a capture. Then enable the name resolution and capture a
few packets.
QUESTION 1: What are the differences? (Look at the source and destination
areas.)
8. You may notice that you are able to see packets generated by machines
on your network, other than your own machine. This is what happens in
broadcast networks. If you see a destination as ff:ff:ff:ff:ff:ff, that means it
is a broadcast message to everyone.
9. Now, go to the Start Menu on your computer → Accessories → Command
Prompt. Type in ipconfig and press enter to get info on your computer’s
IP address.

QUESTION 2: What is the IP address of your computer?

10. Now go back to Wireshark and use the filter option by going to Analyze →
Display Filters. Put in your IP address
so that all packets not interacting with your IP address will be filtered.
Now, if you go back to the main screen, you’ll see that only packets with a
destination or source of your IP address are shown.
11. Enable all name resolution and start a new capture. After starting the
capture, use your browser to go to the CNN website at www.cnn.com.
There may be 1,000 or more packets due to the video that is loading.
Once the site loads on your browser, stop the capture.
12. Near the top of your capture, you should see some entries for DNS. Click
on the first DNS entry. This should be your computer’s request to figure
out what IP address cnn.com has. Click on the details below to see if this
is correct. Now, click on the DNS packet response, which gives your
computer the response from the DNS, so your computer knows what the
IP address is. Open the details below to see what IP address(es) you have
received from the DNS.
QUESTION 3: What IP addresses are given to your computer in order to
access cnn.com? Most major websites have multiple IP addresses in
order to spread out the workload among multiple IP addresses and in case
one IP address isn’t working.

In the second pane, click on the “+” signs to expand the details.

13. Now click on the first packet which has one of the IP addresses of cnn.com
in the destination and has HTTP as the protocol. In the second pane you
will see five major headings. The first heading is just information from
Wireshark. It says something similar to: “Frame 459 (509 bytes on wire,
509 bytes captured)”. Ignore this first line. It just tells you about where
this packet was in the set of all packets that Wireshark captured.
QUESTION 4: Look at the next four headings. Ethernet Protocol? Internet
Protocol? Transmission Control Protocol? Hypertext Transfer Protocol?
Why are there four different things in this same message?
QUESTION 5: How are these four protocols related? Capture a screen
shot of this page and paste it in your homework. To capture a screen shot
use a key at the upper right of your keyboard labeled “Print
Screen/SysRq”. Then go to your word processing package and choose
“Paste”.
14. Expand the Hypertext Transfer Protocol to answer the following question:
QUESTION 6: What does the information in this packet state about the
browser you are using and the operating system you are using? Does it
show that you are sending a cookie? Information about your computer is
being sent to cnn.com’s server, since it may send different packets
depending on the browser you are using, operating system, programs you
can run, etc.
15. Find the HTTP protocol line FROM CNN. It may be the first, second, or
third one from CNN since they may shift you to a different server to
handle your request. Open up the Hypertext Transfer Protocol line in the
second pane by clicking on it. Click on the line that says Data. Look at the
highlighted text in the bottom window.
QUESTION 7: What do you think that text is (hint: you can go to your
browser window and choose the menu “view” then “source” and compare
it).
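
Added example, not part of the original assignment: a short Python dissector that peels one frame layer by layer, the way Wireshark's second pane does in steps 13 and 14, and also marks the broadcast destination from step 8 and the host filter from step 10. The frame is constructed sample data; the MAC addresses, IP addresses, host name and header values are made up for illustration.

```python
import struct

def build_frame():
    """Constructed sample: Ethernet + IPv4 + TCP + HTTP GET. All values are made up."""
    http = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: ExampleBrowser/1.0 (ExampleOS 10)\r\n"
            b"Cookie: session=abc123\r\n\r\n")
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")  # dst, src, type=IPv4
    # TCP: ports, seq, ack, data offset (5 words), flags PSH+ACK, window, csum, urgent
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: version/IHL, TOS, total length, id, frag, TTL, proto=6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + tcp + http  # checksums left at 0; the dissector ignores them

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def dissect(frame):
    """Peel the layers in the order Wireshark's second pane lists them."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12])}
    out["broadcast"] = out["eth_dst"] == "ff:ff:ff:ff:ff:ff"  # step 8
    if struct.unpack("!H", frame[12:14])[0] != 0x0800 or len(frame) < 34:
        return out                      # not IPv4 (e.g. ARP): stop at layer 2
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    out["ip_src"] = ".".join(map(str, ip[12:16]))
    out["ip_dst"] = ".".join(map(str, ip[16:20]))
    if ip[9] != 6 or len(ip) < ihl + 20:
        return out                      # not TCP: stop at layer 3
    tcp = ip[ihl:]
    out["sport"], out["dport"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header via its data offset
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        out["http_line"] = head[0]
        out["headers"] = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
    return out

def involves(pkt, addr):
    # Step 10 host filter; in Wireshark the display filter is: ip.addr == <addr>
    return addr in (pkt.get("ip_src"), pkt.get("ip_dst"))

if __name__ == "__main__":
    for key, value in dissect(build_frame()).items():
        print(f"{key}: {value}")
```

Because the request travels as plain HTTP, the User-Agent and Cookie values are readable by any machine that can capture the frame.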
