Introduction to Networking & Network Management
Engineering Science Department
Wireshark_tcp_udp Experiment
Your Name:
Your Station:
You Partners:
Your Computer:
Date:
A. Objectives
1. Learn what protocol analysis means
2. Learn how to use Wireshark
3. Monitor traffic at specific port & capture tcp/udp traffic data on an interface
4. Analyze the tcp & udp segments, their structures & contents
5. Understand how the tcp & udp protocols can help the web & dns applications to provide services
B. Configuration & Network Setup
No configuration is needed for this experiment. Each student needs to do the experiment on her/his own & submit the report.
Note that you can save the Wireshark captures in your Ubuntu Document folder with your name.
C. Procedure
1.
Boot the computer watch for the display to show a list of OSs (e.g., Ubuntu, Ubuntu backup, & Windows 7) for you to
choose. Select & highlight UBUNTU (NOT Ubuntu Backup) & Enter for the UBUBTU OS to boot. You may need to
enter the password that your instructor provides to be able to see the UBUNTU screen when it timesout.
2.
Open a Terminal page by the command “sudo wireshark -i eth0 -c 10”. This opens the Wireshark screen in the
Ubuntu screen. Make sure you see for the “Capture Options”: Interface = eth0, Capture Filter = tcp, & Stop
Capture = after “10” packets. Then click “Start”.
3.
On the Ubuntu screen click the Firefox to open www.sonoma.edu/engineering (default page). The eth0 port should
allow you to get to the Internet. tcp provides the http application reliable connection for the webpage to download.
4.
The captured packets pop up in the top panel of the Wireshark screen. On the Wireshark screen go to View at the top
menu & drop down ”Expand All” is checked & the Link, Network, & Transport layers are enabled. Note the
encapsulations of “http packet by tcp”, “tcp by ip”, & “ip by the Ethernet frame”.
Question
Which computer (A, B, C, D) did you use for Wireshark?
List of the packets in the top panel
Can you identify the 3-way TCP handshake, if so list the segments?
Which message is the third tcp segment?
5.
Answer
Now select the third tcp segment on the top panel & use the middle & bottom panels of the Wireshark to identify the
following fields, write the # of bytes for each field & the content in the table below. The ifconfig command & the tcp
protocol (https://en.wikipedia.org/wiki/Transmission_Control_Protocol) can help answering some of the questions.
Question
# of
byte
s in
Dec
# of
byte
s in
Hex
Content
The source eth0 address in the frame in decimal & hex
Is this the same as the eth0 address of the source
computer?
The destination eth0 address in the frame in decimal &
AMK
6/30/2016
1
Introduction to Networking & Network Management
Engineering Science Department
hex
The source computer ip address in decimal & hex
Is this the same as the ip address of the source
computer?
The destination computer ip address in decimal & hex
The source tcp port address in decimal & hex
The destination tcp port address in decimal & hex
The Sequence # in decimal & hex?
Are they the same as you expect? Explain why not
The ACK # in decimal & hex values
The header length including the flags & reserved
fields? Explain
The code (flag) bits
The calculated window size
The bits of the checksum in hex
The bits of the urgent field
Any options used in this message?
Do these fields look okay to you? Explain
What is TLSv1.2 protocol?
How many TLSv1.2 messages do you see?
Explain briefly what the TLSv1.2 messages do
6.
Next, let us use similar analysis for the udp messages. Start the Wireshark with filter “udp.port == 53” (on some
computers “port 53” may work) to capture dns (Domain Name Server) traffic at eth0 port of your computer. Open
another terminal page on your computer screen & enter the Linux command “nslookup www.sonoma.edu”. dns uses
udp to identify the ip address of the desired webpage quickly without establishing a connection. You will soon see the
packets captured on the Wireshark panels for your analysis.
Question
Which computer (A, B, C, D) did you use for Wireshark?
List of the packets in the top panel. Any dns message?
State what port 53 in the capture filter identifies.
7.
Answer
You should see a dns query & a dns response packet in the top panel. First, select the query packet & from the middle
& bottom panels of the Wireshark identify the following fields. Write the # of bytes & the content for each field in the
table below. Verify some of the contents of the fields by the commands ifconfig & nslookup on the terminal screen.
Question
# of
byte
s in
Dec
# of
byte
s in
Hex
Content
The source eth0 address field in the frame in decimal & hex
Is this address the same as the source computer eth0 address?
The destination eth0 address field in the frame in decimal & hex
The version of ip packet used in decimal & hex
The header length in decimal & hex
The total length of the ip packet in decimal & hex
The identification of the ip packet in hex
The flags
The fragment offset in decimal & hex
The time to live in decimal & hex
The protocol field in decimal & hex
AMK
6/30/2016
2
Introduction to Networking & Network Management
Engineering Science Department
The checksum in hex
The source computer ipv4 address in decimal & hex
Is this address the same as the source computer ip address?
The destination computer ipv4 address in decimal & hex
The source udp port address in decimal & hex
The destination udp port address in decimal & hex
What application does the destination port address signify?
The udp length in decimal & hex?
The udp checksum in decimal & hex
The ipv4 address of the Sonoma.edu server (from Terminal
page)
8.
Under the “Domain Name System (query)” check the following field.
Transaction ID in hex
Flags in hex
Question in hex
Answer in hex
Authority in hex
Additional RRs
Queries in xex
Google the ASCII codes & find the hex representation
of www.sonoma.edu & write it on the right side.
Are these what you expected?
D. Report
1. Type all your responses to the questions in the tables above including your observations & comments neatly.
2. Make sure to power off all the devices, remove the cables & return them to the cabinet, & clean up your station.
3. Submit your report by the due date.
AMK
6/30/2016
3