Week 11 - Wireshark Lab 10

The document discusses analyzing network packets using Wireshark. It describes how to capture packets from a web browser session and analyze the TCP three-way handshake. It also provides instructions on capturing and examining ICMP echo requests and replies from a ping test, as well as the DHCP discovery, offer, and request process.


Computer Networks 1

Wireshark Analyses for TCP Three-Way Handshake & Ping Packet
Lab 10
Objective
After completing this lab:
1. Students should be able to understand the basic concepts of Wireshark.
2. Students should be able to capture web-browsing packets, then filter and analyze the packets for
Transmission Control Protocol (TCP three-way handshake) and Ping.
Background
Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s
happening on your network at a microscopic level and is the de facto (and often de jure) standard across
many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark
development thrives thanks to the volunteer contributions of networking experts around the globe and is
the continuation of a project started by Gerald Combs in 1998. Wireshark has a rich feature set which
includes the following:
● Deep inspection of hundreds of protocols, with more being added all the time
● Live capture and offline analysis
● Standard three-pane packet browser
● Multi-platform: Runs on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others
● Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
● The most powerful display filters in the industry
● Rich VoIP analysis
● Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000,
Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and
uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop,
Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx,
Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
● Capture files compressed with gzip can be decompressed on the fly
● Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token
Ring, Frame Relay, FDDI, and others (depending on your platform)
● Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS,
WEP, and WPA/WPA2
● Coloring rules can be applied to the packet list for quick, intuitive analysis
● Output can be exported to XML, PostScript®, CSV, or plain text

Reference : https://www.wireshark.org/
Capturing Packets

To capture packets you must first install Wireshark, then locate and open it, as seen below.

1. Locate the interface of your machine, whether wired or wireless, as highlighted above.
2. Double-click the interface highlighted in blue; this makes the capture active and starts gathering
information about all the devices in the network. See the example below.

3. Stop your capture by clicking the red button at the upper left.
4. Locate the protocol column in your capture and identify any four protocols. Now
research each protocol identified and determine at which layer of the OSI model each
protocol is found.
__________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

TCP Three-Way Handshake

1. Open Wireshark, click Capture, then click Start. Wireshark will now start capturing.
2. Open your web browser, then type your favorite website in the URL bar, e.g. "www.yahoo.com".
3. Allow web-browsing traffic to be captured for a while.
4. Stop the capture by clicking the red button in the upper left corner.
5. Save the capture by clicking File > Save As and give it the name "TCP packet".
Analyze Web Browser Capture

1. Open your captured packet file "TCP packet".

2. Filter packets for the TCP three-way handshake, as seen above in the highlighted field.
● Identify the frame that carries the first TCP segment in the three-way handshake that sets up the
connection between the HTTP client and server [SYN]. What source Ethernet and IP addresses do you
expect in this segment? What protocol and type fields do you expect in the first segment? Confirm
that these addresses are as expected.
● Explain the values in the destination Ethernet and IP addresses in the first segment. To what
machine(s) do these addresses correspond?
● Identify the ephemeral port number used by the client and confirm that the well-known port number
is the correct value for HTTP.
● What is the length of the TCP segment?
● Find the hex character that contains the SYN flag bit.

● Identify the frame that carries the second segment in the three-way handshake. [SYN,ACK]
a. How much time elapsed between the capture of the first and second segments?
b. Before examining the captured packets, specify the values for the following fields in this
frame:
● Source and destination addresses and type field in Ethernet frame.
● Source and destination IP addresses and port numbers in IP packet.
● Acknowledgment number in TCP segment.
● Values of flag bits.
● Confirm that the frame contains the expected values.
c. What is the length of the TCP segment?

● Identify the frame that carries the last segment in the three-way handshake. [ACK]
a. How much time elapsed between the capture of the second and last segment? Compare
to the elapsed time between the first and second segments and explain the difference.
b. Specify the following values in the TCP segment:
i. Acknowledgment and sequence numbers.
ii. Flag bits and window size.
Reference : https://ecee.colorado.edu/~ecen5032/hw/EtherealWebBrowsing.htm
Analyse Ping Capture

a. "Close any internet connection", then open Wireshark.

b. Open Command Prompt.

c. Type ipconfig (for a Windows machine) and find your machine's IP address.

d. Or type ifconfig (for a Linux machine) and find your machine's IP address.

e. Find out the IP address of your neighbor's machine.

f. Now start the Wireshark capture.

g. Go back to the command prompt and ping your neighbor's IP (e.g. ping 10.20.153.89).

h. Now stop the Wireshark packet capture.

i. Type icmp in the filter section to see the ping capture results.

j. Now analyze the frames for the ICMP echo request and echo reply and complete the table below:

Field                          First Echo Request     First Echo Reply
Frame Number
Source IP Address
Destination IP Address
ICMP Type
ICMP Code
Source Ethernet Address
Destination Ethernet Address
Internet Protocol Version
Time to Live (TTL) value
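As an added worked example (not part of the lab handout), the following Python script decodes, from raw frame bytes, the fields that the three-way handshake questions and the echo request/reply table above ask for: source and destination MAC and IP addresses, EtherType, ports, flags, sequence and acknowledgment numbers, TCP segment length, the frame offset of the byte holding the SYN bit, ICMP type and code, IP version and TTL. The frames are constructed inside the script with made-up MAC and IP addresses rather than taken from a capture; handshake_ok checks the seq/ack arithmetic you should see in your own capture.

```python
import socket
import struct

# Constructed sample traffic (not from a real capture): MAC and IP values are made up.
A_MAC, B_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
A_IP, B_IP = "10.20.153.10", "10.20.153.89"          # A = your machine, B = web server / neighbor
SYN, ACK = 0x02, 0x10

def eth(dst, src, payload):          # Ethernet II: dst MAC, src MAC, EtherType 0x0800 (IPv4)
    return dst + src + b"\x08\x00" + payload

def ipv4(src, dst, proto, payload, ttl=64):   # minimal 20-byte IPv4 header, checksum left 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport, seq, ack, flags, win=65535):   # 20-byte TCP header, no options, no data
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)

def icmp(type_, code):                 # ICMP echo header: type, code, checksum, identifier, sequence
    return struct.pack("!BBHHH", type_, code, 0, 1, 1)

def parse_frame(frame):
    """Decode Ethernet II / IPv4 / (TCP or ICMP) into the fields the lab questions ask for."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    info = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": hex(ethertype),
            "ip_version": version, "ttl": ttl,
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20])}
    l4 = ip[ihl:total_len]
    if proto == 6:
        sport, dport, seq, ack, off_bits, win = struct.unpack("!HHIIHH", l4[:16])
        hdr_len, bits = (off_bits >> 12) * 4, off_bits & 0x1FF
        info.update(protocol="TCP", sport=sport, dport=dport, seq=seq, ack=ack, window=win,
                    flags=[name for name, bit in (("SYN", SYN), ("ACK", ACK)) if bits & bit],
                    tcp_header_len=hdr_len, tcp_segment_len=len(l4) - hdr_len,
                    # the SYN bit is the low nibble of TCP byte 13; report its offset in the frame
                    syn_flag_offset=14 + ihl + 13, syn_flag_byte=f"{l4[13]:02x}")
    elif proto == 1:
        info.update(protocol="ICMP", icmp_type=l4[0], icmp_code=l4[1])
    return info

def handshake_ok(frames):   # flag and seq/ack arithmetic a correct SYN, SYN/ACK, ACK exchange must satisfy
    a, b, c = (parse_frame(f) for f in frames)
    return (a["flags"] == ["SYN"] and b["flags"] == ["SYN", "ACK"] and c["flags"] == ["ACK"]
            and b["ack"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1 and c["seq"] == a["seq"] + 1)

HANDSHAKE = [eth(B_MAC, A_MAC, ipv4(A_IP, B_IP, 6, tcp(49152, 80, 1000, 0, SYN))),
             eth(A_MAC, B_MAC, ipv4(B_IP, A_IP, 6, tcp(80, 49152, 5000, 1001, SYN | ACK))),
             eth(B_MAC, A_MAC, ipv4(A_IP, B_IP, 6, tcp(49152, 80, 1001, 5001, ACK)))]
PING = [eth(B_MAC, A_MAC, ipv4(A_IP, B_IP, 1, icmp(8, 0), ttl=128)),   # echo request, type 8
        eth(A_MAC, B_MAC, ipv4(B_IP, A_IP, 1, icmp(0, 0), ttl=128))]   # echo reply, type 0
```

Call parse_frame on each entry of HANDSHAKE and PING and compare the returned fields with the matching rows of the Wireshark packet details pane; the SYN segment's tcp_segment_len is 0 because it carries no data.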


DHCP Discover, Offer, Request Process Using Wireshark

1. To capture DHCP traffic:

Start a Wireshark capture.
Open a command prompt.
Type ipconfig /renew and press Enter.
Type ipconfig /release and press Enter.
Type ipconfig /renew and press Enter.
Close the command prompt.
Stop the Wireshark capture.

To analyze DHCP Request (lease renewal) traffic

1. Observe the traffic captured in the top Wireshark packet list pane. To view only DHCP traffic, type
udp.port == 68 (lower case) in the Filter box and press Enter.
2. In the top Wireshark packet list pane, select the DHCP packet, labeled DHCP Request.
3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II
/ Internet Protocol Version 4 / User Datagram Protocol / Domain Host Control Protocol frame.
4. Expand Ethernet II to view Ethernet details.
5. Observe the Destination and Source fields. The destination should be your DHCP server's MAC
address and the source should be your MAC address. You can confirm this with ipconfig /all and arp -a
at the command prompt.
6. Expand Internet Protocol Version 4 to view IP details.
7. Observe the Source address. Notice that the source address is your IP address.
8. Observe the Destination address. Notice that the destination address is the IP address of the DHCP
server.
9. Expand User Datagram Protocol to view UDP details.
10. Observe the Source port. Notice that it is port (68), the client port.
11. Observe the Destination port. Notice that it is port (67), the DHCP server port.
12. Expand Domain Host Control Protocol to view DHCP details.
13. Observe the DHCP Message Type. Notice that it is a Request .
14. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to
the DHCP server.

Note: Research the function of both ipconfig /release and ipconfig /renew.

References : http://en.wikiversity.org/wiki/Wireshark/DHCP#References
To analyze DHCP ACK (server acknowledgement) traffic:

1. In the top Wireshark packet list pane, select the DHCP packet, labeled DHCP ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II
/ Internet Protocol Version 4 / User Datagram Protocol / Domain Host Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the
source should be your DHCP server's MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the DHCP server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is port (67), the DHCP server port.
10. Observe the Destination port. Notice that it is port (68), the client port.
11. Expand Domain Host Control Protocol to view DHCP details.
12. Observe the DHCP Message Type. Notice that it is an ACK .
13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the
DHCP server.
14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask,
Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if
included.

To analyze DHCP Release traffic

1. In the top Wireshark packet list pane, select the DHCP packet, labeled DHCP Release.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II
/ Internet Protocol Version 4 / User Datagram Protocol / Domain Host Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your DHCP server's MAC
address and the source should be your MAC address. You can confirm this with ipconfig /all and arp -a
at the command prompt.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is your IP address.
7. Observe the Destination address. Notice that the destination address is the IP address of the DHCP
server.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is port (68), the client port.
10. Observe the Destination port. Notice that it is port (67), the DHCP server port.
11. Expand Domain Host Control Protocol to view DHCP details.
12. Observe the DHCP Message Type. Notice that it is a Release .
13. Observe the Client IP address and Client MAC address fields. This is the address that will be released
on the DHCP server.

References : http://en.wikiversity.org/wiki/Wireshark/DHCP#References
To analyze DHCP Discover (lease request) traffic

1. In the top Wireshark packet list pane, select the DHCP packet, labeled DHCP Discover.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II
/ Internet Protocol Version 4 / User Datagram Protocol / Domain Host Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be the broadcast address
ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP
address or server information, it has to broadcast to discover a DHCP server.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP
address.
7. Observe the Destination address. Notice that the destination address 255.255.255.255, the broadcast
IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is port (68), the client port.
10. Observe the Destination port. Notice that it is port (67), the DHCP server port.
11. Expand Domain Host Control Protocol to view BOOTP details.
12. Observe the DHCP Message Type. Notice that it is a Discover .
13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to
the DHCP server.

To analyze DHCP Offer (server offer) traffic

1. In the top Wireshark packet list pane, select the DHCP packet, labeled DHCP Offer.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an
Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Domain Host Control
Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the
source should be your DHCP server's MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the DHCP server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is port (67), the DHCP server port.
10. Observe the Destination port. Notice that it is port (68), the client port.
11. Expand Domain Host Control Protocol to view DHCP details.
12. Observe the DHCP Message Type. Notice that it is an Offer.
13. Observe the Client IP address and Client MAC address fields. This is the offer from the DHCP
server.
14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet
Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other
options if included.

References : http://en.wikiversity.org/wiki/Wireshark/DHCP#References
To analyze DHCP Request (lease request) traffic

1. In the top Wireshark packet list pane, select the DHCP packet, labeled DHCP Request.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II
/ Internet Protocol Version 4 / User Datagram Protocol / Domain Host Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be the broadcast address
ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP
address or server information, it has to broadcast to request an address lease.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP
address.
7. Observe the Destination address. Notice that the destination address 255.255.255.255, the broadcast
IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is port (68), the client port.
10. Observe the Destination port. Notice that it is port (67), the DHCP server port.
11. Expand Domain Host Control Protocol to view DHCP details.
12. Observe the DHCP Message Type. Notice that it is a Request (3).
13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to
the DHCP server.

To analyze DHCP ACK (server acknowledgment) traffic

1. In the top Wireshark packet list pane, select the DHCP packet, labeled DHCP ACK.
2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II
/ Internet Protocol Version 4 / User Datagram Protocol / Domain Host Control Protocol frame.
3. Expand Ethernet II to view Ethernet details.
4. Observe the Destination and Source fields. The destination should be your MAC address and the
source should be your DHCP server's MAC address.
5. Expand Internet Protocol Version 4 to view IP details.
6. Observe the Source address. Notice that the source address is the DHCP server IP address.
7. Observe the Destination address. Notice that the destination address is your IP address.
8. Expand User Datagram Protocol to view UDP details.
9. Observe the Source port. Notice that it is port (67), the DHCP server port.
10. Observe the Destination port. Notice that it is port (68), the client port.
11. Expand Domain Host Control Protocol to view DHCP details.
12. Observe the DHCP Message Type. Notice that it is an ACK .
13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the
DHCP server.
14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask,
Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if
included. Close wireshark to complete this activity. Quit without saving to discard the captured
traffic.

References : http://en.wikiversity.org/wiki/Wireshark/DHCP#References
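As an added example (not part of the lab or the Wikiversity material it references), this Python script builds a constructed DHCP Discover and Offer, parses the BOOTP header and the options the steps above tell you to observe (message type, client IP, client MAC, offered address, lease time, subnet mask, router, DNS servers, domain name), and checks that a server reply belongs to the client message it answers by matching the transaction ID and client MAC. All addresses and the transaction ID are made up; it rejects messages without the DHCP magic cookie and options that run past the end of the message.

```python
import socket
import struct

MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 7: "Release"}
MAGIC = b"\x63\x82\x53\x63"   # cookie that separates the BOOTP header from the DHCP options

def build_dhcp(op, xid, chaddr, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Build a BOOTP/DHCP message: 236-byte fixed header, magic cookie, TLV options, end byte."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      socket.inet_aton(ciaddr), socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

ip4 = socket.inet_ntoa
ip4_list = lambda v: [ip4(v[k:k + 4]) for k in range(0, len(v), 4)]
DECODERS = {1: ip4, 3: ip4_list, 6: ip4_list, 15: bytes.decode, 50: ip4, 54: ip4,
            51: lambda v: struct.unpack("!I", v)[0], 53: lambda v: v[0]}

def parse_dhcp(msg):
    """Decode the header fields and options the lab steps tell you to observe in each DHCP packet."""
    hlen, xid = msg[2], struct.unpack("!I", msg[4:8])[0]
    info = {"op": "request" if msg[0] == 1 else "reply", "xid": xid,
            "ciaddr": ip4(msg[12:16]), "yiaddr": ip4(msg[16:20]),
            "chaddr": msg[28:28 + hlen].hex(":"), "options": {}}
    if msg[236:240] != MAGIC:
        raise ValueError("no DHCP magic cookie: plain BOOTP or truncated message")
    i = 240
    while i < len(msg) and msg[i] != 255:          # option 255 = end of options
        if msg[i] == 0:                            # option 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError(f"option {msg[i]} runs past the end of the message")
        code, length = msg[i], msg[i + 1]
        info["options"][code] = DECODERS.get(code, bytes.hex)(msg[i + 2:i + 2 + length])
        i += 2 + length
    info["message_type"] = MSG_TYPES.get(info["options"].get(53), "unknown")
    return info

def reply_matches(request, reply):
    """A server reply answers a client message only if transaction ID and client MAC both match."""
    a, b = parse_dhcp(request), parse_dhcp(reply)
    return b["op"] == "reply" and a["xid"] == b["xid"] and a["chaddr"] == b["chaddr"]

# Constructed sample exchange (not a real capture); addresses and transaction ID are made up.
CLIENT_MAC = bytes.fromhex("001122334455")
DISCOVER = build_dhcp(1, 0x3903F326, CLIENT_MAC, [(53, b"\x01"), (50, socket.inet_aton("10.20.153.10"))])
OFFER = build_dhcp(2, 0x3903F326, CLIENT_MAC, yiaddr="10.20.153.10", options=[
    (53, b"\x02"), (54, socket.inet_aton("10.20.153.1")), (51, struct.pack("!I", 86400)),
    (1, socket.inet_aton("255.255.255.0")), (3, socket.inet_aton("10.20.153.1")),
    (6, socket.inet_aton("10.20.1.1") + socket.inet_aton("10.20.1.2")), (15, b"lab.example")])
```

parse_dhcp(OFFER)["options"] holds the same values the lab has you read under the DHCP options of the Offer and ACK packets, keyed by option number (51 lease time, 1 subnet mask, 3 router, 6 DNS, 15 domain name).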
