PART I 1. Start your INF 284 Ubuntu VM and log in as student. The password is cit247. 2. Open a terminal window by right-clicking on your VMs desktop and select Open Terminal. 3. Start wireshark. Do this by issuing the command sudo wireshark in your terminal window. We use sudo because you need root privileges to capture data on your network interface. If you get an error dialog box that says something like Lua: Error during loading, thats OK. Just click OK. 4. Start a capture session on your Ethernet port by double-clicking on ens32 in the Wireshark window. 5. Open a Firefox private window by right-clicking on the Firefox icon and selecting Open a New Private Window. We use a private browser to avoid using any cached files. One in your private window, visit some of the websites, such as example.com, nku.edu etc. (At least 5 websites including example.com). Once you are connected to that page, stop your capture session by clicking the red square icon. 6. At this point, you must save your capture file so that you can submit it as part of your lab documentation. Click on File/Save. Name your capture file lab1nkuid.pcap. (Replace nkuid with your NKU username.) Save the file to a location where you will be able to find it later (desktop is fine). 7. Look at the data captured by Wireshark. You should see three windows of data. The top Window is the packet list window. The middle window is the packet details window. The bottom window is the packet bytes window. The packet list window contains a complete list of packets that you captured on your network connection. The packet details window is where you can inspect the contents of each packet from the packet list window. Just click on a packet from the packet list window, and you can see all of the details of that packet in the packet details window. At the left of each line in the packet list window that Wireshark assigned to that packet. This number only exists in Wireshark. It was not part of the captured data. You may notice a large number of packets that were captured. This is all the network traffic that your PC received during the timeframe of your capture. In the packet details window, you will see one line listed for every level of encapsulation in the packet. These usually correspond to the layers of the TCP/IP model, but thats not always the case. Notice that you can expand each layer by clicking on the arrow on the left.

Q1: How many packets were captured in your capture session? You can easily figure this out by looking at the frame number of the very last captured frame. 8. We can cut down on the amount of data in your packet list window by applying filters. Lets apply a filter to the packets that you captured so that you can narrow down just the traffic associated with the http protocol used by your browser. Find the filter field at the top left of your Wireshark screen. In that field enter http and then press enter. The packets that you see now in the packet list window should consist only of those that passed data using the http protocol. That is the protocol used by your web browser to get to example.com. 9. In Wireshark, find the packet containing the GET request for example.com. In the Info data on the right in the packet list window, the line you are looking for will contain GET / HTTP/1.1. 10. You might not see the GET request if you already visited the site before. In case you dont see any GET request packets, you will have to empty your browser cache. Please watch my uploaded video how to empty browser cache. Once you empty your browser cache, start wireshark again, and visit the sites. Q2: What is the frame number that Wireshark assigned to the example.com HTTP GET request? (The Wireshark frame number is listed in the column on the left.) Q3: Look at the Transmission Control Protocol (TCP) line in the packet details window. Write down 5 source port numbers? What is the destination port number? Explain why do we have multiple source port numbers while a single destination port number. Q4: Expand the Hypertext Transfer Protocol (HTTP) line in the packet details window by clicking on the + on the left. The very first HTTP line shows the text of the get command. What was the GET command? Q5: Look in the next line of the HTTP data. What was the name of the host? PART II In this part, we will use another application layer protocol sftp. SFTP is used for transferring file securely from a server to client and vice versa.

Step 1: Download the file lab2.txt to your VMs Documents folder. Step 2: Open terminal and type ifconfig. It will show you IP address. Make sure you are looking the correct ipv4 address. It will be showing ens32 interface next to inet addr and will start with 10.2 Question 6: Write down the IP address of your VM. Step 3: Now start capture packet again in wireshark. Step 4: Open a terminal (if you are using MAC) or command promt (if you are using windows) in your personal device (not VM). In terminal/command prompt type: sftp student@your_vms_ip_address use the IP that you got in Question 6 in your_vms_ip_address place. It will ask for a password to connect. Use cit247 as password. Upon successfully enter the password you will see sftp> in your screen. Now use the following commands: sftp>cd Documents sftp>get lab2.txt sftp>quit Now visit your VM, stop capturing wireshark and answer the following question. Q7: How many application layer (SSH) packets are captured by wireshark? Q8: Look at the Transmission Control Protocol (TCP) line in the packet details window of any SSH packets. Write down the source port and destination port number. Q9: Can you see the content of any of the packet in wireshark? Explain your answer.

PART III In this part we will use the normal FTP protocol and see how the normal FTP is different than SFTP. Step 1: First, remove the browser cache as shown in my uploaded video. Open a browser window in your VM and visit the following site. https://dlptest.com/ftp-test/ Click on the link provided in the line FTP URL: ftp.dlptest.com or ftp://ftp.dlptest.com/ Enter the following username and password in the prompt. You can copy the password before entering to the above link and simply paste the password in the password field. FTP User: dlpuser@dlptest.com Password: rNrKYTX9g7z3RgJRmxWuGHbeu You will be able to see several text (.txt) files. Download any of the text file by clicking on the file. Once the file is successfully downloaded stop capturing packets in wireshark. Filter your packet using ftp and answer the following questions: Q10: How many application layer (FTP) packets are captured by wireshark? Q11: Look at the Transmission Control Protocol (TCP) line in the packet details window of any FTP packets. Write down the source port and destination port number. Q12: Observe all the packets. a) Can you see the username and password? b) What is the username and password displaying in your wireshark? c) How many times you can see username and password? d) Write down the frame numbers where you can see the username and password e) Where exactly (which field) in your frame you can see the username and password? Now filter packet using ftp-data and answer the following questions.

Q13: Can you see the data you downloaded? Q14: Which frame/frames contains the data you downloaded? Q15: Where exactly in your frame you can see the data? You have to mention, the exact field in frame that holds the data. In case you see data in the hex field you need to mention that field name. Q16: Write down the first and last line of your data from the captured packet.