11 Wireshark

EXPERIMENT NO.

Aim: To study the basic operation of a packet sniffer, its installation, and a test run of Wireshark.

Requirement: PC with an OS installed (Windows XP or any other), Wireshark 1.6.1 (or any version), internet
connection through an Ethernet interface or a wireless interface.

Theory:
Wireshark: The basic tool for observing the messages exchanged between executing protocol entities is
called a packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being
sent/received from/by your computer; it will also typically store and/or display the contents of the various
protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being
sent and received by applications and protocols running on your computer, but never sends packets itself.
Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet
sniffer receives a copy of packets that are sent/received from/by applications and protocols executing on
your machine.

Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case,
Internet protocols) and applications (such as a web browser or FTP client) that normally run on your
computer. The packet sniffer, shown within the dashed rectangle in Figure 1, is an addition to the usual
software in your computer, and consists of two parts. The packet capture library receives a copy of
every link-layer frame that is sent from or received by your computer. Messages exchanged by higher
layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated in link-
layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed
physical medium is an Ethernet, and so all upper layer protocols are eventually encapsulated within an
Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all
protocols and applications executing in your computer.

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields
within a protocol message. In order to do so, the packet analyzer must “understand” the structure of all
messages exchanged by protocols. For example, suppose we are interested in displaying the various fields
in messages exchanged by the HTTP protocol in Figure 1. The packet analyzer understands the format of
Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP
datagram format, so that it can extract the TCP segment within the IP datagram. It then understands the
TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it
understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will
contain the string “GET”, “POST”, or “HEAD”.
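As an added illustration of the layering just described (this is not code from the original experiment sheet), the following Python script builds a constructed Ethernet frame carrying an IPv4/TCP segment with an HTTP GET for INTRO.htm on the PC2 web server at 10.0.1.3, and then peels it apart layer by layer the way the packet analyzer does. The MAC addresses and the 10.0.1.1 client address are made up for the example.

```python
import struct

# Constructed sample payload: the HTTP request the browser would send in step 5.
HTTP_PAYLOAD = b"GET /INTRO.htm HTTP/1.1\r\nHost: 10.0.1.3\r\n\r\n"


def build_frame(payload: bytes) -> bytes:
    """Wrap `payload` in TCP, then IPv4, then Ethernet (checksums left at 0)."""
    # TCP: sport 40000, dport 80, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/IHL 0x45, TOS, total length, id, DF flag, TTL 64, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 1, 1]),   # constructed client address (e.g. PC1)
                     bytes([10, 0, 1, 3]))   # PC2 web server from the experiment sheet
    # Ethernet: constructed dst MAC, constructed src MAC, EtherType 0x0800 = IPv4
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Decode Ethernet -> IP -> TCP -> HTTP, stopping at the first layer that does not match."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"ethertype": ethertype}
    if ethertype != 0x0800:          # only IPv4 is handled in this example
        return result
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    result["ip_src"] = ".".join(str(b) for b in ip[12:16])
    result["ip_dst"] = ".".join(str(b) for b in ip[16:20])
    result["ip_proto"] = ip[9]
    if ip[9] != 6:                    # not TCP: no segment to extract
        return result
    tcp = ip[ihl:]
    result["tcp_src"], result["tcp_dst"] = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4     # TCP header length from the data-offset field
    payload = tcp[data_off:]
    # The analyzer recognises HTTP by the method at the start of the message.
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        result["http"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return result


if __name__ == "__main__":
    for key, value in dissect(build_frame(HTTP_PAYLOAD)).items():
        print(f"{key}: {value}")
```

The presence of the "http" key plays the role of the "http" display filter used later in the test run: frames without an HTTP method at the start of the TCP payload never get it.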

Figure 1: Packet sniffer structure

Computer Network PDEA’s College Of Engg., Manjari(Bk)


We will be using the Wireshark packet sniffer for these labs, allowing us to display the contents of
messages being sent/received from/by protocols at different levels of the protocol stack. (Technically
speaking, Wireshark is a packet analyzer that uses a packet capture library in your computer.) Wireshark is
a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac computers. It’s an ideal
packet analyzer for our labs – it is stable, has a large user base and well-documented support that includes
a user guide, man pages, and a detailed FAQ; rich functionality that includes the capability to analyze
hundreds of protocols; and a well-designed user interface. It operates in computers using Ethernet, Token
Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LANs, and ATM connections (if the OS on which it's
running allows Wireshark to do so).

Steps to install Wireshark:

Wireshark has been installed on all machines in lab 237. Wireshark can be started on the PCs by executing
the following steps:
Step 1 – Log on to the Linux PC in lab 237
Step 2 – Open a terminal window
Step 3 – Enter the command “sudo wireshark”.
Step 4 – Enter your account password

Procedure to RUN Wireshark:


When you run the Wireshark program, the Wireshark graphical user interface shown in Figure 2 will be
displayed. Initially, no data will be displayed in the various windows.

Figure 2: Wireshark Graphical User Interface

The Wireshark interface has five major components:


• The command menus are standard pulldown menus located at the top of the window. Of interest
to us now are the File and Capture menus. The File menu allows you to save captured packet data
or open a file containing previously captured packet data, and exit the Wireshark application. The
Capture menu allows you to begin packet capture.
• The packet-listing window displays a one-line summary for each packet captured, including the
packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s
header), the time at which the packet was captured, the packet’s source and destination addresses,
the protocol type, and protocol-specific information contained in the packet. The packet listing
can be sorted according to any of these categories by clicking on a column name. The protocol
type field lists the highest level protocol that sent or received this packet, i.e., the protocol that is
the source or ultimate sink for this packet.
• The packet-header details window provides details about the packet selected (highlighted) in the
packet-listing window. (To select a packet in the packet-listing window, place the cursor over the
packet’s one-line summary in the packet-listing window and click with the left mouse button.)
These details include information about the Ethernet frame and IP datagram that contains this
packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by
clicking on the right-pointing or down-pointing arrowhead to the left of the Ethernet frame or IP
datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP
or UDP details will also be displayed, which can similarly be expanded or minimized. Finally,
details about the highest level protocol that sent or received this packet are also provided.
• The packet-contents window displays the entire contents of the captured frame, in both ASCII
and hexadecimal format.
• Towards the top of the Wireshark graphical user interface is the packet display filter field, into
which a protocol name or other information can be entered in order to filter the information
displayed in the packet-listing window (and hence the packet-header and packet-contents
windows). In the example below, we’ll use the packet-display filter field to have Wireshark hide
(not display) all packets except those that correspond to HTTP messages.

Steps for Test Run:


The best way to learn about any new piece of software is to try it out! First, you need to know the network
interconnections in the lab. The IP addresses are shown in Table 1. The
11 PCs are connected in the following fashion: (1<->2), (3<->4), (5<->6), (7<->8), (9<->2), (9<->1), (10<->3),
(10<->4), (11<->5), and (11<->6). For example, (1<->2) means PC1 and PC2 are connected to the same
switch, so PC1 and PC2 can communicate with each other. To perform the following steps, identify the
two PCs for your test run.

Perform the following:


1. Start up your favorite web browser.
2. Start up the Wireshark software. You will initially see a window similar to that shown in Figure 3,
except that no packet data will be displayed in the packet-listing, packet-header, or packet-contents
window, since Wireshark has not yet begun capturing packets. Make sure you check “Don't show this
message again” and press “OK” on the small dialog box that pops up.
3. To begin packet capture, select the Capture pull-down menu and select Interfaces. This will cause the
“Wireshark: Capture Interfaces” window to be displayed, as shown in Figure 4.
Table 1 – IP Address Assignment



Figure 3: Wireshark GUI
Figure 4: Wireshark Capture Interfaces Window

4. The network interfaces (i.e., the physical connections) that your computer has to the network are shown.
The attached snapshot was taken from my computer. You may not see the exact same entries when you
perform a capture in the 237 Lab. You will notice that eth0 and eth1 will be displayed. Click “Start” for
interface eth0. Packet capture will now begin – all packets being sent/received from/by your computer are
now being captured by Wireshark!
5. If you started your Web browser on PC1, you can only connect to PC2 and PC9 (refer to the
interconnections listed at the start of this section). If you want to connect to PC2, refer to Table 1 and
identify the IP address of its eth0 interface. The IP address is 10.0.1.3. If you wanted to connect to PC9,
the IP address would be 10.0.1.17. While Wireshark is running, enter the URL http://10.0.1.3/INTRO.htm
to connect to the web server on PC2 and have that page displayed in your browser. In order to display this
page, your browser will contact the HTTP server at 10.0.1.3 (PC2) and exchange HTTP messages with the
server in order to download this page. The Ethernet frames containing these HTTP messages will be
captured by Wireshark.
6. After your browser has displayed the INTRO.htm page, stop Wireshark packet capture by selecting Stop in
the Wireshark capture window. This will cause the Wireshark capture window to disappear and the main
Wireshark window to display all packets captured since you began packet capture. The main
Wireshark window should now look similar to Figure 2. You now have live packet data that contains all
protocol messages exchanged between your computer and other network entities! The HTTP message
exchanges with the PC2 web server should appear somewhere in the listing of packets captured. But there
will be many other types of packets displayed as well (see, e.g., the many different protocol types shown in
the Protocol column in Figure 2). Even though the only action you took was to download a web page,
there were evidently many other protocols running on your computer that are unseen by the user.
7. Type in “http” (without the quotes, and in lower case – all protocol names are in lower case in
Wireshark) into the display filter specification window at the top of the main Wireshark window. Then
select Apply (to the right of where you entered “http”). This will cause only HTTP messages to be
displayed in the packet-listing window.
8. Select the first HTTP message shown in the packet-listing window. This should be the HTTP GET
message that was sent from your computer (e.g. PC1) to the PC2 HTTP server. When you select the HTTP
GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP message header information
will be displayed in the packet-header window. By clicking on the right-pointing and down-pointing
arrowheads on the left side of the packet details window, minimize the amount of Frame, Ethernet, Internet
Protocol, and Transmission Control Protocol information displayed. Maximize the amount of information
displayed about the HTTP protocol. Your Wireshark display should now look roughly as shown in Figure
5 (note, in particular, the minimized amount of protocol information for all protocols except HTTP, and
the maximized amount of protocol information for HTTP in the packet-header window).
9. Exit Wireshark.

Figure 5: Wireshark display after step 9

CONCLUSION:
