18BCE2188 JAESON KARTER JOSEPH 29/03/2021
a. Start Wireshark and look at the upper pane. What "Protocol" and "Info" are shown for the very first packet that it
reports? Do you think this was caused by your use of the web browser? Why or why not?
PROTOCOL: TLSv1.2
INFO: Application Data
Yes, it was caused by the use of the web browser, as Google Chrome was up and running in the background.
b. List up to 5 different protocols that appear in the protocol column in the unfiltered packet-listing window of the
lab activities
TCP, UDP, HTTP, DNS, ARP
c. How long did it take from when the HTTP GET message was sent until the HTTP OK reply was received? (By default,
the value of the Time column in the packet-listing window is the amount of time, in seconds, since Wireshark tracing
began. To display the Time field in time-of-day format, select the Wireshark View pull-down menu, then select Time
Display Format, then select Time-of-day.)
According to the screenshot, the time interval between the HTTP GET message and the HTTP OK message is 16.882119s -
16.881203s = 0.000916s.
d. In Wireshark, if a packet is highlighted in black, what does it mean for the packet?
Black identifies packets with errors, for example packets that could have been delivered out of order.
e. In Wireshark, what is the filter command for listing all outgoing HTTP traffic?
http
f. In Wireshark, why does DNS use Follow UDP Stream while HTTP uses Follow TCP Stream?
Here is why DNS uses UDP:
UDP is much faster when compared to TCP. TCP is slower because it uses a 3-way handshake.
DNS requests are generally very small and fit well within UDP segments.
UDP is not reliable, but reliability can be added at the application layer. An application
that uses UDP can be made reliable by using timeouts and resends at the application layer.
Why does HTTP use TCP as the transport layer protocol?
Options:
to ensure the fastest possible download speed
because HTTP is a best-effort protocol
because transmission errors can be tolerated easily
because HTTP requires reliable delivery
Explanation:
When a host requests a web page, transmission reliability and completeness must be guaranteed.
Therefore, HTTP uses TCP as its transport layer protocol.
g. How long did it take from when the HTTP GET message was sent until the HTTP Acknowledgement / OK reply was
received?
According to the screenshot, the time interval between the HTTP GET message and the HTTP OK message is 16.882119s -
16.881203s = 0.000916s.
h. Which filter is used in Wireshark for capturing a specific type of traffic?
To filter traffic from a specific IP address, type ip.addr == <IP address> in the Apply a display filter field.
To filter traffic for a specific protocol, say TCP, UDP, SMTP, ARP, DNS requests etc., just type the protocol name in the
Apply a display filter field.
Wireshark has two filtering languages: capture filters and display filters. Capture filters are used for
filtering while capturing packets. Display filters are used for filtering which packets are displayed
and are discussed below.
Display filters allow you to concentrate on the packets you are interested in while hiding the
currently uninteresting ones. They allow you to only display packets based on:
Protocol
The presence of a field
The values of fields
A comparison between fields
To only display packets containing a particular protocol, type the protocol name in the display filter
toolbar of the Wireshark window and press Enter to apply the filter.
i. Which filter is used in Wireshark for capturing all types of traffic content?
In Wireshark, there are capture filters and display filters. Capture filters only keep
copies of packets that match the filter. Display filters are used when you've captured
everything, but need to cut through the noise to analyze specific packets or flows.
2. Do the following steps for capturing the information and answer the following questions.
Step 1: Start the browser and Wireshark on the correct interface.
Step 2: Start capturing the data packets for various URLs.
Step 3: Stop the capture.
Step 4: Save it as a .pcap file.
Write a Python program to extract the following details from a Wireshark pcap file:
a. No. of ARP requests
b. No. of TCP SYN
c. No. of UDP requests
d. No. of IPv4 requests
e. No. of IPv6 requests
f. Print the source MAC address, destination MAC address, source port and destination port.
Or
import dpkt
import datetime
import socket
from dpkt.compat import compat_ord


def mac_addr(address):
    """Convert a MAC address to a readable/printable string
    Args:
        address (bytes): a MAC address in raw form (e.g. b'\x01\x02\x03\x04\x05\x06')
    Returns:
        str: Printable/readable MAC address
    """
    return ':'.join('%02x' % compat_ord(b) for b in address)


def inet_to_str(inet):
    """Convert inet object to a string
    Args:
        inet (inet struct): inet network address
    Returns:
        str: Printable/readable IP address
    """
    # First try IPv4 and then IPv6
    try:
        return socket.inet_ntop(socket.AF_INET, inet)
    except ValueError:
        return socket.inet_ntop(socket.AF_INET6, inet)


def print_packets(pcap):
    """Print out information about each packet in a pcap
    Args:
        pcap: dpkt pcap reader object (dpkt.pcap.Reader)
    """
    # For each packet in the pcap process the contents
    for timestamp, buf in pcap:
        # Print out the timestamp in UTC
        print('Timestamp: ', str(datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)))

        # Unpack the Ethernet frame (mac src/dst, ethertype)
        eth = dpkt.ethernet.Ethernet(buf)
        print('Ethernet Frame: ', mac_addr(eth.src), mac_addr(eth.dst), eth.type)

        # Make sure the Ethernet data contains an IP packet
        if not isinstance(eth.data, dpkt.ip.IP):
            print('Non IP Packet type not supported %s\n' % eth.data.__class__.__name__)
            continue

        # Now unpack the data within the Ethernet frame (the IP packet)
        # Pulling out src, dst, length, fragment info, TTL, and Protocol
        ip = eth.data

        # Pull out fragment information (flags and offset all packed into off field, so use bitmasks)
        do_not_fragment = bool(ip.off & dpkt.ip.IP_DF)
        more_fragments = bool(ip.off & dpkt.ip.IP_MF)
        fragment_offset = ip.off & dpkt.ip.IP_OFFMASK

        # Print out the info
        print('IP: %s -> %s (len=%d ttl=%d DF=%d MF=%d offset=%d)\n' %
              (inet_to_str(ip.src), inet_to_str(ip.dst), ip.len, ip.ttl, do_not_fragment, more_fragments, fragment_offset))


def test():
    """Open up a test pcap file and print out the packets"""
    # 'capture.pcap' is a placeholder: use the path of the .pcap file saved in step 4
    with open('capture.pcap', 'rb') as f:
        pcap = dpkt.pcap.Reader(f)
        print_packets(pcap)


if __name__ == '__main__':
    test()
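The dpkt listing above only prints Ethernet and IPv4 header fields; it does not produce the six answers the task in part 2 asks for. The following added example (written for this report, not part of the original submission and not taken from the dpkt project) answers parts a to f with the standard library alone: it parses a classic libpcap file, decodes Ethernet, ARP, IPv4, IPv6, TCP and UDP, counts ARP requests, TCP SYN packets, UDP datagrams, IPv4 and IPv6 packets, and lists source/destination MAC addresses and ports. Two choices are assumptions: "TCP SYN" is counted as a connection request (SYN set, ACK clear), so SYN/ACK replies are not counted, and IPv6 extension headers are not walked. The sample capture is constructed in memory, so the script runs without a real .pcap file; `summarize_file` takes the path of the file saved in step 4.

```python
import struct

ETH_ARP, ETH_IP4, ETH_IP6 = 0x0806, 0x0800, 0x86DD   # EtherType values
PROTO_TCP, PROTO_UDP = 6, 17                         # IP protocol / next-header numbers
TCP_SYN, TCP_ACK = 0x02, 0x10                        # TCP flag bits


def mac_str(raw):
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Decode one Ethernet II frame into the fields parts a-f need.
    ARP, IPv4, IPv6, TCP and UDP are understood; IPv6 extension headers are
    not walked (assumption), so a packet carrying one is not counted as TCP/UDP."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": mac_str(src), "dst_mac": mac_str(dst), "etype": etype,
            "l4": None, "sport": None, "dport": None, "tcp_flags": 0, "arp_op": None}
    payload, l4 = frame[14:], None
    if etype == ETH_ARP:
        info["arp_op"] = struct.unpack("!H", payload[6:8])[0]       # 1 = request, 2 = reply
    elif etype == ETH_IP4:
        ihl = (payload[0] & 0x0F) * 4                               # header length incl. options
        info["l4"], l4 = payload[9], payload[ihl:]
    elif etype == ETH_IP6:
        info["l4"], l4 = payload[6], payload[40:]                   # fixed 40-byte header
    if info["l4"] in (PROTO_TCP, PROTO_UDP) and l4 is not None and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        if info["l4"] == PROTO_TCP and len(l4) >= 14:
            info["tcp_flags"] = struct.unpack("!H", l4[12:14])[0] & 0x1FF
    return info


def read_pcap(data):
    """Yield (ts_sec, ts_frac, frame) from classic pcap bytes in either byte order."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:               # DLT_EN10MB only
        raise ValueError("only Ethernet captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec, ts_frac, data[pos:pos + incl_len]
        pos += incl_len


def summarize(data):
    """Return (counts for parts a-e, per-packet (src MAC, dst MAC, sport, dport) list for part f)."""
    counts = {"arp_request": 0, "tcp_syn": 0, "udp": 0, "ipv4": 0, "ipv6": 0}
    listing = []
    for _sec, _frac, frame in read_pcap(data):
        p = parse_frame(frame)
        counts["arp_request"] += p["arp_op"] == 1
        counts["ipv4"] += p["etype"] == ETH_IP4
        counts["ipv6"] += p["etype"] == ETH_IP6
        counts["udp"] += p["l4"] == PROTO_UDP
        # Connection requests only: SYN set and ACK clear (SYN/ACK replies are excluded).
        counts["tcp_syn"] += p["l4"] == PROTO_TCP and (p["tcp_flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
        listing.append((p["src_mac"], p["dst_mac"], p["sport"], p["dport"]))
    return counts, listing


def summarize_file(path):
    """Run summarize() over the .pcap saved in step 4 (path supplied by the caller)."""
    with open(path, "rb") as f:
        return summarize(f.read())


# --- constructed sample capture (not a real trace) so the script runs offline ---
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
IP6_A, IP6_B = b"\x20\x01" + b"\0" * 13 + b"\x01", b"\x20\x01" + b"\0" * 13 + b"\x02"


def _eth(dst, src, etype, payload):
    return struct.pack("!6s6sH", dst, src, etype) + payload


def _ipv4(proto, payload):  # minimal 20-byte header, checksum left zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, IP_A, IP_B) + payload


def _ipv6(nxt, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, IP6_A, IP6_B) + payload


def _tcp(sport, dport, flags):  # 20-byte header, data offset 5
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _pcap(frames):  # little-endian classic pcap, link type Ethernet
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1617000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _eth(b"\xff" * 6, MAC_A, ETH_ARP,
         struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP4, 6, 4, 1, MAC_A, IP_A, b"\0" * 6, IP_B)),  # ARP request
    _eth(MAC_B, MAC_A, ETH_IP4, _ipv4(PROTO_TCP, _tcp(51000, 80, TCP_SYN))),                # client SYN
    _eth(MAC_A, MAC_B, ETH_IP4, _ipv4(PROTO_TCP, _tcp(80, 51000, TCP_SYN | TCP_ACK))),      # SYN/ACK, not counted
    _eth(MAC_B, MAC_A, ETH_IP4, _ipv4(PROTO_UDP, _udp(53001, 53, b"dns?"))),                # UDP over IPv4
    _eth(MAC_B, MAC_A, ETH_IP6, _ipv6(PROTO_UDP, _udp(53002, 53, b"dns6?"))),               # UDP over IPv6
])

if __name__ == "__main__":
    counts, listing = summarize(SAMPLE_PCAP)
    print(counts)
    for src_mac, dst_mac, sport, dport in listing:
        print(src_mac, "->", dst_mac, sport, dport)
```

Replacing `SAMPLE_PCAP` with `summarize_file("capture.pcap")` runs the same logic over the capture from step 2; the equivalent Wireshark display filters for cross-checking the counts are `arp.opcode == 1`, `tcp.flags.syn == 1 && tcp.flags.ack == 0`, `udp`, `ip` and `ipv6`.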