Question
Install and use Wireshark program (Please send back screen shots and other vital information)
Case project 3-2: Decode a TCP segment in a Wireshark capture
Case Project 3-2: Decode a TCP Segment in a Wireshark Capture

In this chapter, you walked through a TCP segment to interpret the data included in its header. In this project, you use Wireshark to capture your own HTTP messages, examine the TCP headers, and practice interpreting the data you'll find there.

1. Open Wireshark and snap the window to one side of your screen. Open a browser and snap that window to the other side of your screen so you can see both windows.

Note: In Windows, you can quickly snap a window to one side of your screen by holding down the Win key on your keyboard, pressing either the left or right arrow key, then releasing both keys. Alternately, you can drag a window to one side of your screen until it snaps into position.

2. Start the Wireshark capture. In the browser, navigate to google.com. Once the page loads, stop the Wireshark capture. You'll have fewer messages to sort through if you can do this entire process fairly quickly.

3. Now apply a filter to expose the messages involved with your Web site request. Somewhere in your capture, a DNS message will show the original request to resolve the name google.com to its IP address. A series of TCP messages will then show the three-way handshake, along with the rest of the data transmission. Because your transmission has to do with requesting a Web page, you need to filter to port 80. Apply the following filter to your capture:

dns or tcp.port eq 80

4. This filter reduces the number of messages to the ones you actually want to see, but you'll still probably have to scroll through your results to find exactly the right DNS message that started this process. You'll see DNS in the Protocol field, and something to the effect of "Standard query" and "www.google.com" in the Info field, as shown in Figure 3-27.

[Figure 3-27: Wireshark capture after the filter is applied. Visible are the DNS standard query and response for www.google.com from 192.168.1.109, the TCP three-way handshake to 23.62.97.10 on port 80 with relative Seq/Ack numbers, the HTTP GET, and the HTTP/1.1 200 OK response. The screenshot itself is not reproduced here.]

5. Once you've located this message, click on it and examine the details of the message in the second pane. Answer the following questions:
a. What is the OUI of the source's NIC?
b. Which IP version was used?
c. If the message used IPv4, what was the TTL? If IPv6, what was the hop limit?
d. Did the message use TCP or UDP?
e. What is the source port? The destination port?

6. Now check your filter results for the first [SYN] message after this DNS request. Open the TCP segment header in the second pane, and answer the following questions:
a. What is the sequence number?
b. Which flags are set in the TCP segment?

Note: If you can't find the TCP stream for this Web page request, your system may have used port 443 instead of port 80. Port 443 is assigned to HTTPS, which is a secure version of HTTP. Run your filter again using port 443 instead of port 80. The handshake and the flags decode exactly the same way on port 443, but everything after the handshake is TLS-encrypted, so Wireshark will show TLS records rather than a readable HTTP request and response. Some browsers also reach Google over QUIC (UDP port 443), which a tcp.port filter will not display at all.

If you're using the default settings in Wireshark, you probably found a sequence number of 0 in the [SYN] message (the segments that follow the handshake start at 1, because the SYN itself consumes one sequence number). That's because Wireshark shows relative numbers instead of the actual, random numbers used in the segments themselves. Relative numbers are easier for humans to keep up with, but they would provide no security if a host actually used them, because they are completely predictable. Random initial sequence numbers, on the other hand, are more difficult to fake: a host that is not on the path of the conversation cannot guess them, so it cannot inject or spoof segments into an established connection.

7. To find the actual, random sequence number assigned to this segment, click on the sequence number field in the second pane, then find the corresponding value highlighted in the third pane. The actual value is presented there in hexadecimal format.

8. Switch the output to show the actual, random numbers (in decimal form) in your capture by clicking on the Edit menu, then click Preferences, expand the Protocols node, click TCP, and uncheck Relative sequence numbers. Then click OK. Look back at the relative numbers shown in Figure 3-27, and compare the data in that figure to the random numbers shown in Figure 3-28.

[Figure 3-28: The captured messages now show the actual, random numbers used in the Seq and Ack fields. Source: The Wireshark Foundation. The screenshot itself is not reproduced here.]

9. Apply another filter layer to show only the messages for this TCP conversation. Right-click the [SYN] message and click Follow TCP Stream. Close the Follow TCP Stream dialog box that opens, as you will be examining data in the actual capture.

10. Locate the second message in this three-way handshake, the [SYN, ACK] message, and answer the following questions:
a. What is the source IP address? The destination IP address?
b. What is the sequence number? The acknowledgment number?
c. Which flags are set in the TCP segment?

11. Locate the third message in this three-way handshake, the [ACK] message, and answer the following questions:
a. What is the source IP address? The destination IP address?
b. What is the sequence number? The acknowledgment number?
c. Which flags are set in the TCP segment?

12. The three-way handshake establishes the session, but the conversation continues as the Web server begins to respond to your browser's request for the Web page. At some point later in the conversation, locate an HTTP/XML message that contains the actual data for Google's search page. Recall that there are several layers of headers encapsulating this payload, so you'll need to look at the deepest layer in the message to find the Web page's data. Locate the correct message, and answer the following questions:
a. List the types of headers included in this message, in order.
b. What is the source IP address? The destination IP address?
c. Which flags are set in the TCP segment?
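The fields the project asks you to read off in Wireshark (OUI, IP version, TTL, transport protocol, ports, sequence and acknowledgment numbers, flags) are all at fixed offsets in the Ethernet II, IPv4 and TCP/UDP headers, and Wireshark's "Relative sequence numbers" display is just arithmetic against the first sequence number seen from each endpoint. The following Python decoder is an added example, not part of the textbook or of Wireshark; it walks a constructed capture (a DNS query over UDP followed by a TCP three-way handshake and an HTTP GET on port 80, with hand-picked MAC addresses, IPs and initial sequence numbers, IP and TCP checksums left at zero) and reproduces both the absolute numbers from step 8 and the relative numbers from steps 6, 10 and 11. The display-filter equivalent mirrors the filter from step 3.

```python
"""Decode Ethernet/IPv4 frames carrying TCP or UDP, the way the case project reads them
in Wireshark's details pane, and reproduce Wireshark's relative sequence numbering."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793 / RFC 3168).
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


@dataclass
class Segment:
    src_mac: str
    oui: str                 # first three octets of the source MAC (step 5a)
    ip_version: int
    ttl: int
    protocol: str            # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: Optional[int]       # absolute 32-bit values as carried on the wire
    ack: Optional[int]
    flags: List[str] = field(default_factory=list)
    payload: bytes = b""


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_frame(frame: bytes) -> Segment:
    """Walk the headers outer to inner: Ethernet II -> IPv4 -> TCP/UDP -> payload."""
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"only IPv4 is decoded here, got ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4      # IHL is counted in 32-bit words
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]
    common = dict(src_mac=mac_str(src_mac), oui=mac_str(src_mac[:3]), ip_version=version,
                  ttl=ttl, src_ip=src_ip, dst_ip=dst_ip)
    if proto == 6:
        sport, dport, seq, ack, off_flags, _win = struct.unpack("!HHIIHH", l4[:16])
        data_off = (off_flags >> 12) * 4                # TCP header length incl. options
        flags = [name for name, bit in TCP_FLAG_BITS if off_flags & bit]
        return Segment(protocol="TCP", src_port=sport, dst_port=dport, seq=seq, ack=ack,
                       flags=flags, payload=l4[data_off:], **common)
    if proto == 17:
        sport, dport, _length, _cksum = struct.unpack("!HHHH", l4[:8])
        return Segment(protocol="UDP", src_port=sport, dst_port=dport, seq=None, ack=None,
                       payload=l4[8:], **common)
    raise ValueError(f"unsupported IP protocol {proto}")


def relative_numbers(segments):
    """Mimic Wireshark's 'Relative sequence numbers' preference: the first sequence number
    seen from each endpoint is that endpoint's zero, so the SYN shows Seq=0, the SYN/ACK
    shows Seq=0 Ack=1 and the final ACK shows Seq=1 Ack=1. Returns (flags, seq, ack)."""
    isn, out = {}, []
    for s in segments:
        if s.protocol != "TCP":
            continue
        me, peer = (s.src_ip, s.src_port), (s.dst_ip, s.dst_port)
        isn.setdefault(me, s.seq)
        rel_seq = (s.seq - isn[me]) & 0xFFFFFFFF
        rel_ack = (s.ack - isn[peer]) & 0xFFFFFFFF if "ACK" in s.flags and peer in isn else None
        out.append((s.flags, rel_seq, rel_ack))
    return out


# --- constructed sample capture: MACs, IPs and ISNs below are made up -----------------
def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, ttl, l4):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, ttl, proto,
                         0, bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))     # header checksum left 0
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + l4


def build_tcp(sport, dport, seq, ack, flags, window=65535, payload=b""):
    bits = sum(bit for name, bit in TCP_FLAG_BITS if name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits,
                       window, 0, 0) + payload                    # no options, checksum 0


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


CLIENT_MAC, GATEWAY_MAC = bytes.fromhex("001c42a1b2c3"), bytes.fromhex("0019e8aabbcc")
CLIENT_IP, RESOLVER_IP, WEB_IP = "192.168.1.109", "192.168.1.1", "23.62.97.10"
CLIENT_ISN, SERVER_ISN = 0x8A3F10C2, 0x5D2E99F1          # hand-picked "random" ISNs
DNS_QUERY = (bytes.fromhex("1a2b01000001000000000000")   # id 0x1a2b, RD set, 1 question
             + b"\x03www\x06google\x03com\x00\x00\x01\x00\x01")  # www.google.com A IN
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"

CAPTURE = [
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, RESOLVER_IP, 17, 64, build_udp(56364, 53, DNS_QUERY)),
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, WEB_IP, 6, 64, build_tcp(59502, 80, CLIENT_ISN, 0, ["SYN"])),
    build_frame(GATEWAY_MAC, CLIENT_MAC, WEB_IP, CLIENT_IP, 6, 52, build_tcp(80, 59502, SERVER_ISN, CLIENT_ISN + 1, ["SYN", "ACK"])),
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, WEB_IP, 6, 64, build_tcp(59502, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["ACK"])),
    build_frame(CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, WEB_IP, 6, 64, build_tcp(59502, 80, CLIENT_ISN + 1, SERVER_ISN + 1, ["PSH", "ACK"], payload=HTTP_GET)),
]


def decode_capture(frames=CAPTURE):
    return [decode_frame(f) for f in frames]


def apply_filter(segments):
    """Equivalent of the display filter 'dns or tcp.port eq 80'."""
    return [s for s in segments if 53 in (s.src_port, s.dst_port)
            or (s.protocol == "TCP" and 80 in (s.src_port, s.dst_port))]


if __name__ == "__main__":
    segs = apply_filter(decode_capture())
    for s in segs:
        print(s.protocol, s.src_ip, s.src_port, "->", s.dst_ip, s.dst_port, s.flags, "seq", s.seq, "ack", s.ack)
    print("relative:", relative_numbers(segs))
```

Running the script prints one line per frame with the absolute (32-bit) Seq and Ack values, which is what step 8 exposes, followed by the relative triples that Wireshark shows by default. The decoder only handles IPv4 without IP options beyond what IHL declares and raises on anything else; a real capture will also contain checksums, TCP options such as MSS and SACK-permitted (skipped here via the data offset), and possibly IPv6, which this example deliberately does not cover.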