EXPERIMENT 1

1.Basic Packet Inspection: Capture network traffic using

Wire shark and analyze basic protocols like HTTP, DNS,
and SMTP to understand how data is transmitted and
received.
Take the following steps to initiate a capture in Wireshark:

 Open Wireshark.
 Set a capture filter, and select the interface on which to
capture.
 Start the capture.
 Generate traffic by connecting to a website, pinging a remote
device or attempting any other network connection.
 Stop the capture.
Wireshark v3 organizes the output into three vertically stacked
window panes. Wireshark v4 uses the same three panes, but the
Packet Details pane is in the lower-left corner -- it was the middle
pane in v3 -- and the Packet Bytes pane is in the lower-right
corner.
 Select a frame in the Packet List pane

In the new Wireshark interface, the top pane summarizes the

capture. It displays one or more frames, along with the packet
number, time, source, destination, protocol, length and info
fields.
Use the protocols, source and destination addresses, and ports
columns to help you decide which frame to examine. Click on a
frame to select it, and then look at the two lower panes for
details.
 Interpret the Packet Details pane

Before examining the various headers and contents, I'll briefly

review the TCP/IP model to help explain the results displayed in
the lower-left Packet Details pane.
TCP/IP model layers and their associated protocols:
 Application layer protocols. HTTP, HTTPS, SMTP, Secure
Socket Shell (SSH) and others reside in this layer.
 Transport layer protocols. TCP and User Datagram Protocol
(UDP) reside in this layer. TCP is connection-oriented (or
stateful), while UDP is connectionless (or stateless). If you
capture TCP packets, notice how handshakes that consist of
SYN and ACK messages intersperse with the data to ensure all
packets arrive at the destination. These units are usually
called datagrams.
 Internet layer protocols. These protocols govern
communication and logical addressing, such as IP addresses.
This article focuses on IP, but other protocols exist. These
units are usually called packets.
 Network link layer data. This layer displays Ethernet
information, including frame types and source and destination
MAC addresses. These units are usually called frames.

 Wireshark displays this output from the bottom of the TCP/IP

model upward. Frame information -- the bottom of the TCP/IP
model -- resides at the top of the pane in the lower left of the
Wireshark screen.
 Understand the headers

How is this information helpful? Relating the headers in the

captured frames to the TCP/IP model helps troubleshooters
visualize the layers at which problems might occur, helping to
identify possible culprits. The following sections address the
various layers in more detail.
 Frame content

This frame section provides Ethernet information, such

as frame size, time of capture and the physical interface
on which the frame was captured.
Use this information: Administrators can use this
information to examine frame size, for example. Certain
devices might have issues accepting frames that exceed
the standard size. Troubleshooters can also verify which
interface the data was captured on, ensuring
information flows through the proper connection.
 Ethernet content

Next is Ethernet II content, including source and destination MAC

addresses. Depending on the frame's direction of travel, the local
MAC address is either the source or destination address, and the
next network device's MAC address is the other.
Use this information: Confirm the MAC
addresses are correct to combat security issues,
such as Address Resolution Protocol poisoning
or spoofing. Troubleshooters might also confirm
which local interface is in use with the MAC
address.
IP content
Use this information: Network technicians can verify
the IP addresses are valid and expected. Remember, an
address beginning with 169.254.x.x is not valid on the
network and indicates a possible
Dynamic Host Configuration Protocol problem. Techs
can also confirm the source and destination IP
addresses are as expected to reduce issues of DNS
poisoning or incorrect name resolution settings.
 Transport content

• Next is a section containing transport layer information. You

should see either TCP or UDP here, depending on the type of
datagram captured. Remember, TCP uses the three-way
handshake to enumerate the data exchange, ensuring that the
source device resends any lost data.
• This section displays the source and destination ports, too. If
the packet originates from the client computer, the
destination port is the service port number. For example, if
the destination system is a web server, the destination port
number is 80 or 443 (HTTP or HTTPS). The client's port
number is a randomly generated number between 1,024 and
65,535 (this range varies by OS). Both port numbers appear in
this header.
Use this information: Confirm the client and server use the
correct service port number. If you captured packets on the
server, this is the destination port number on inbound
packets. This is especially important with any nonstandard
port numbers for custom applications or odd firewall rules in
place.
 Application content

The application layer information is at the bottom of the Packet

Details pane but at the top of the TCP/IP model.
This information varies by service and protocol.
For example, when using HTTP, the pane includes instructions
such as GET or the contents of the requested webpage.
For capture targeting, you see information with SMTP, Post
Office Protocol 3 or Internet Message Access Protocol.
The same goes for services such as SSH, network file sharing,
DNS, etc.
Use this information: Applications are preconfigured for specific
ports, so there probably isn't much room for misconfiguration
here. You could use this information to ensure the destination
services are running on the server.
Wireshark does a great job of displaying data exactly as you'd
expect to find it in the TCP/IP model.
Challenge:
 Can you relate the content of the captured packet to the
seven layers of the OSI model? Each of the layers is
represented in the captured information.
 The header information in the capture helps confirm that
addresses, ports and other settings meet expectations. Such
captures tell what is happening on the network, not what
should be happening.
 Interpret payload information

The Packet Bytes pane in the lower-right corner of Wireshark

displays the payload. This content can be the end-user data
security professionals worry about. Unencrypted protocols, such
as HTTP, Telnet, SMTP and others, don't protect the
confidentiality of their payload, so the data is shown in this
window.