
CSWT1111

The document outlines an experiment using Wireshark for basic packet inspection, focusing on capturing and analyzing network traffic for protocols such as HTTP, DNS, and SMTP. It provides step-by-step instructions for downloading, installing, and using Wireshark, including how to filter and analyze captured packets. The experiment aims to help users understand data transmission and reception through various network protocols.

Uploaded by

Tanya Singh
Copyright: © All Rights Reserved

Experiment No.

Aim: Basic Packet Inspection: Capture network traffic using Wireshark and analyse basic
protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.

Brief Description: Wireshark is an open-source network protocol analysis software
program. It is a packet sniffer and analysis tool. It captures network traffic from Ethernet,
Bluetooth, wireless (IEEE 802.11), token ring, and frame relay connections, among others,
and stores that data for offline analysis.

Step 1: Download and Install Wireshark

Go to the Wireshark website (https://www.wireshark.org) and download the latest version
for your operating system.
Follow the installation instructions to install Wireshark on your computer.

Fig 1: Wireshark installation

Step 2: Capture Network Traffic

Open Wireshark after installation.
Select the network interface you want to capture traffic from (e.g., Ethernet, Wi-Fi).
Click on the "Start" button to begin capturing traffic.

Fig 2: Wireshark network interface

Step 3: Analyse Basic Protocols

HTTP: Open a web browser and visit any website.

Go back to Wireshark and stop the capture.

Use the filter bar at the top and type "http" to filter HTTP traffic.

You will see a list of HTTP packets exchanged during your browsing session. Click on any
packet to view its details in the middle pane. You can analyse headers, payloads, and
other information here.

DNS: While Wireshark is still capturing, perform a DNS query by entering a website URL
in the browser's address bar.

Stop the capture in Wireshark.

Use the filter bar and type "dns" to filter DNS traffic.

You'll see DNS queries and responses. You can analyse the domain names queried and
the IP addresses resolved.
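As an added example (not part of the lab handout), the following Python decodes a DNS response the way you read it in Wireshark's packet details pane: transaction ID, query/response flag, the queried name and the resolved address, including the RFC 1035 name compression that the answer section uses. The sample bytes are constructed for this example, not taken from a real capture, and use the 192.0.2.0/24 documentation range.

```python
import struct
from typing import List, Tuple

def read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels: List[str] = []
    end = None            # where the caller resumes once a pointer has been followed
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # two-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                  # guard against pointer loops in malformed packets
                raise ValueError("too many compression pointers")
            continue
        offset += 1
        if length == 0:                    # root label terminates the name
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_dns(payload: bytes) -> dict:
    """Parse header, question and answer sections of a DNS message (UDP payload).
    A records (type 1) are rendered as dotted IPs; other rdata is kept as hex."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = read_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(payload, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}

# Constructed sample response: www.example.com A -> 192.0.2.10, TTL 300 (not a real capture).
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"                    # header: id, flags QR|RD|RA, 1 question, 1 answer
    "03777777 076578616d706c65 03636f6d 00 0001 0001"  # question: www.example.com, type A, class IN
    "c00c 0001 0001 0000012c 0004 c000020a")           # answer: ptr->offset 12, A, IN, TTL 300, rdata
```

Running `parse_dns(SAMPLE_RESPONSE)` yields the same fields Wireshark shows under "Domain Name System (response)": the question and the A record with its TTL.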

SMTP: If you have an email client configured, send an email.

Stop the capture in Wireshark.

Use the filter bar and type "smtp" to filter SMTP traffic.

You'll see SMTP packets related to sending emails. Analyse sender, recipient, subject,
and other relevant information.

Fig 3: Capturing Network Traffic

Wireshark filters

1) Wireshark capture filters

Capture filters limit the captured packets by the chosen filter. If the packets don't match
the filter, they are not captured:

a. host IP-address: This filter limits the captured traffic to and from the IP address
b. net 192.168.0.0/24: This filter captures all traffic on the subnet
c. dst host IP-address: Capture packets sent to the specified host
d. port 53: Capture traffic on port 53 only
e. port not 53 and not arp: Capture all traffic except DNS and ARP traffic

2) Wireshark display filters

Wireshark display filters change the view of the capture during analysis.

i) ip.src==IP-address and ip.dst==IP-address: This filter shows packets sent from one
computer (ip.src) to another (ip.dst). You can also use ip.addr to show packets to and
from that IP.
ii) tcp.port eq 25: This filter will show you all traffic on port 25, which is usually SMTP
traffic

iii) icmp: This filter will show you only ICMP traffic in the capture; most likely these are
pings

iv) ip.addr!=IP_address: This filter shows you all traffic except the traffic to or from the
specified computer

Step 4: Analysis and Conclusion

Review the captured packets for each protocol.
Look for any anomalies or suspicious activity.
Draw conclusions about how data is transmitted and received for each protocol.
Document your findings and observations.

Fig 4: I/O Graph

