CN Exp 5

Uploaded by

ROWDY YT

******************************************************************

EXPERIMENT NO. 5
Name :- Class : T.E. COMPUTER
SUB : COMPUTER NETWORKS Roll No :
Date of conductance : /08/2023 Date of submission : /08/2023
******************************************************************
Aim : Use Wireshark to understand the operation of TCP/IP layers.
Apparatus:- Computer, Wireshark
Theory:-
Wireshark -
Wireshark is a free application you use to capture and view the data traveling back
and forth on your network. It provides the ability to drill down and read the contents
of each packet, and the view can be filtered to meet your specific needs. It is commonly
used to troubleshoot network problems and to develop and test software. It is an
open-source protocol analyzer.

How to Capture Data Packets


To begin capturing packets, select one or more of the networks by clicking on your
choice and using the Shift or Ctrl keys if you want to record data from multiple
networks simultaneously. After a connection type is selected for capturing purposes,
its background is shaded in either blue or gray. Click on Capture in the main menu
located toward the top of the Wireshark interface. When the drop-down menu
appears, select the Start option.
You can also initiate packet capturing via one of the following shortcuts.
• Keyboard: Press Ctrl + E.
• Mouse: To begin capturing packets from one particular network, double-click
on its name.
• Toolbar: Click on the blue shark fin button located on the far left side of the
Wireshark toolbar.
The live capture process begins, and Wireshark displays the packet details as they
are recorded. To stop capturing:
• Keyboard: Press Ctrl + E
• Toolbar: Click on the red Stop button located next to the shark fin on the
Wireshark toolbar.
Viewing and Analyzing Packet Contents
After you record some network data, it's time to take a look at the captured packets.
The captured data interface contains three main sections: the packet list pane, the
packet details pane, and the packet bytes pane.
Packet List -
The packet list pane, located at the top of the window, shows all packets found in the
active capture file. Each packet has its own row and corresponding number assigned
to it, along with each of these data points.
• Time: The timestamp of when the packet was captured is displayed in this column.
The default format is the number of seconds or partial seconds since this specific
capture file was first created. To modify this format to something that may be a bit
more useful, such as the actual time of day, select the Time Display Format option
from Wireshark's View menu located at the top of the main interface.
• Source: This column contains the address (IP or other) where the packet
originated.
• Destination: This column contains the address that the packet is being sent to.
• Protocol: The packet's protocol name, such as TCP, can be found in this
column.
• Length: The packet length, in bytes, is displayed in this column.
• Info: Additional details about the packet are presented here. The contents of
this column can vary greatly depending on packet contents.
When a packet is selected in the top pane, you may notice one or more symbols
appear in the first column. Open or closed brackets and a straight horizontal line
indicate whether a packet or group of packets are all part of the same back-and-forth
conversation on the network. A broken horizontal line signifies that a packet is not
part of said conversation.

Packet Details
The details pane, found in the middle, presents the protocols and protocol fields of
the selected packet in a collapsible format. In addition to expanding each selection,
you can apply individual Wireshark filters based on specific details and follow
streams of data based on protocol type via the details context menu, which is
accessible by right-clicking your mouse on the desired item in this pane.
Packet Bytes
At the bottom is the packet bytes pane, which displays the raw data of the selected
packet in a hexadecimal view. This hex dump contains 16 hexadecimal bytes and 16
ASCII bytes alongside the data offset.
Selecting a specific portion of this data automatically highlights its corresponding
section in the packet details pane and vice versa. Any bytes that cannot be printed
are instead represented by a period.
You can choose to show this data in bit format as opposed to hexadecimal by right-
clicking anywhere within the pane and selecting the appropriate option from the
context menu.
Using Wireshark Filters
One of the most important feature sets in Wireshark is its filter capability, especially
when you're dealing with files that are significant in size. Capture filters can be set
before the fact, instructing Wireshark to only record those packets that meet your
specified criteria.
Filters can also be applied to a capture file that has already been created so that only
certain packets are shown. These are referred to as display filters.
Wireshark provides a large number of predefined filters by default, letting you
narrow down the number of visible packets with just a few keystrokes or mouse
clicks. To use one of these existing filters, place its name in the Apply a display filter
entry field located directly below the Wireshark toolbar or in the Enter a capture
filter entry field located in the center of the welcome screen.
There are multiple ways to achieve this. If you already know the name of your filter,
type it into the appropriate field. For example, if you only want to display TCP
packets, you type tcp. Wireshark's autocompleting feature shows suggested names
as you begin typing, making it easier to find the correct moniker for the filter you're
seeking.
Another way to choose a filter is to click on the bookmark-like icon positioned on
the left side of the entry field. This presents a menu containing some of the most
commonly used filters as well as an option to Manage Capture Filters or Manage
Display Filters. If you choose to manage either type, an interface appears allowing
you to add, remove, or edit filters.
You can also access previously used filters by selecting the down arrow on the right
side of the entry field to display a history drop-down list.
Once set, capture filters are applied as soon as you begin recording network traffic.
To apply a display filter, you click on the right arrow button found on the far right
side of the entry field.
Some Intended Purposes

Here are some reasons people use Wireshark :
• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• QA engineers use it to verify network applications
• Developers use it to debug protocol implementations
• People use it to learn network protocol internals

Features of Wireshark :-
The following are some of the many features Wireshark provides :-
• Available for UNIX and Windows.
• Capture live packet data from a network interface.
• Open files containing packet data captured with tcpdump/WinDump,
Wireshark, and many other packet capture programs.
• Import packets from text files containing hex dumps of packet data.
• Display packets with very detailed protocol information.
• Save packet data captured.
• Export some or all packets in a number of capture file formats.
• Filter packets on many criteria.
• Search for packets on many criteria.
• Colorize packet display based on filters.
• Create various statistics.
Output :-
Operation Of TCP/IP Layers :-
● Ethernet Layer: Frame header, Frame size etc.
● Data Link Layer: MAC address, ARP (IP and MAC address binding)
● Network Layer: IP Packet (header, fragmentation), ICMP (Query and Echo)
● Transport Layer: TCP Ports, TCP handshake segments etc.
● Application Layer: DHCP, FTP, HTTP header formats
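The layer-by-layer fields listed above, decoded by hand the way the packet details pane presents them. This is an added example, not part of the original lab sheet; the function names, the sample frame and its addresses are constructed for illustration.

```python
import socket
import struct

# Constructed sample (not from a real capture): Ethernet II + IPv4 + TCP SYN to port 80.
SAMPLE_SYN = bytes.fromhex(
    "00112233445566778899aabb0800"                # Ethernet: dst MAC, src MAC, EtherType
    "450000281c46400040063238c000020ac6336414"    # IPv4 header (20 bytes, valid checksum)
    "c0000050123456780000000050027210" "00000000" # TCP header (TCP checksum left as zero)
)
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_checksum_ok(header: bytes) -> bool:
    # One's-complement sum of all 16-bit words, checksum field included, must be 0xFFFF.
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def dissect(frame: bytes) -> dict:
    """Decode a frame layer by layer; stops at the first layer it does not know."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth": {"dst": fmt_mac(dst), "src": fmt_mac(src), "type": ethertype}}
    if ethertype != 0x0800:                 # only IPv4 is decoded here
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0   # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    out["ip"] = {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "ttl": ip[8], "proto": ip[9], "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000), "frag_offset": (flags_frag & 0x1FFF) * 8,
        "checksum_ok": ip_checksum_ok(ip[:ihl]),
    }
    tcp = ip[ihl:total_len]
    if ip[9] != 6 or out["ip"]["frag_offset"]:  # not TCP, or a later fragment
        return out
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                  "flags": [name for bit, name in TCP_FLAGS if off_flags & bit]}
    return out
```

Calling `dissect(SAMPLE_SYN)` returns one dictionary per layer; a segment carrying only the SYN flag is the first step of the TCP handshake.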

Conclusion: Successfully implemented the operation of TCP/IP layers using Wireshark.
