Cnet Lab week2_Fall24


National University of Computer & Emerging Sciences (NUCES), Islamabad

Computer Networks Lab


Fall 2024
Week 02
HTTP and DHCP services
What is a Packet?
A “packet” is a single message from any network protocol (e.g., TCP, DNS, etc.).

What mode is LAN traffic in?


LAN traffic is in broadcast mode, meaning a single computer with Wireshark can see traffic between two other computers.
To see traffic to an external site, you need to capture the packets on the local computer.

What is Wireshark?
Wireshark is an open-source network protocol analysis software program, widely considered the industry standard. A
global organization of network specialists and software developers supports Wireshark and continues to make updates
for new network technologies and encryption methods. Government agencies, corporations, non-profits, and
educational institutions use Wireshark for troubleshooting and teaching purposes. There truly isn’t a better way to learn
low-level networking than to look at traffic under the Wireshark microscope. You should only use Wireshark on networks
where you have permission to inspect network packets. Using Wireshark to look at packets without permission is illegal.

How does Wireshark work?


Wireshark is a packet sniffer and analysis tool. It captures network traffic from Ethernet, Bluetooth, wireless
(IEEE 802.11), token ring, and frame relay connections, among others, and stores that data for offline analysis. Wireshark
allows you to filter the log before the capture starts or during analysis, so you can narrow down and zero in on what
you’re looking for in the network trace. For example, you can set a filter to see TCP traffic between two IP addresses, or
you can set it only to show you the packets sent from one computer. The filters in Wireshark are one of the primary
reasons it has become the standard tool for packet analysis.

When should Wireshark be used?


Wireshark can be used to understand how communication takes place across a network and to analyze what went wrong
when an issue in communication arises.
Wireshark helps:
• Network administrators troubleshoot problems across a network
• Security engineers examine security issues across a network
• QA engineers verify applications
• Developers debug protocol implementations
• Network users learn about a specific protocol

Data packets on Wireshark


Capturing data packets on Wireshark
When you open Wireshark, you see a screen showing you a list of all the network connections you can monitor. You also
have a capture filter field to only capture the network traffic you want to see.

You can select one or more of the network interfaces using shift+left-click. Once you have selected the network interface,
you can start the capture, and there are several ways to do that. Click the first button on the toolbar, titled “Start
capturing packets.”

During the capture, Wireshark will show you the packets captured in real-time.

Once you have captured all the packets needed, use the red button (next to the start one) or menu options to stop the
capture as you did to begin. Best practice dictates stopping Wireshark’s packet capture before analysis.

Analyzing data packets on Wireshark


Wireshark shows you three different panes for inspecting packet data. The Packet List, the top pane, lists all the packets
in the capture. When you click on a packet, the other two panes change to show you the details about the selected
packet. You can also tell if the packet is part of a conversation. Here are details about each column in the top pane:
• No.: This is the number order of the packet captured. The bracket indicates that this packet is part of a
conversation.
• Time: This column shows how long after you started the capture this particular packet was captured. You can
change this value in the Settings menu to display a different option.
• Source: This is the address of the system that sent the packet.
• Destination: This is the address of the packet destination.
• Protocol: This is the type of packet. For example: TCP, DNS, DHCPv6, or ARP.
• Length: This column shows you the packet’s length, measured in bytes.
• Info: This column shows you more information about the packet contents, which will vary depending on the type
of packet.

Packet Details, the middle pane, shows you as much readable information about the packet as possible,
depending on the packet type. You can right-click and create filters based on the highlighted text in this field.

The bottom pane, Packet Bytes, displays the packet exactly as it was captured in hexadecimal.

When looking at a packet that is part of a conversation, you can right-click the packet and select Follow to see only the
packets that are part of that conversation.

Wireshark capture filters


Capture filters limit the captured packets by the chosen filter. If the packets don’t match the filter, Wireshark won’t save
them. Examples of capture filters include:
• host IP-address: This filter limits the captured traffic to and from the IP address
• net 192.168.0.0/24: This filter captures all traffic on the subnet
• dst host IP-address: Capture packets sent to the specified host
• port 53: Capture traffic on port 53 only
• port not 53 and not arp: Capture all traffic except DNS and ARP traffic

Wireshark display filters


Wireshark display filters change the view of the capture during analysis. After you’ve stopped the packet capture, use
display filters to narrow down the packets in the Packet List to troubleshoot your issue. One of the most useful display
filters is:
• ip.src==IP-address and ip.dst==IP-address: This filter shows packets sent from one computer (ip.src) to another
(ip.dst). You can also use ip.addr to show packets to and from that IP.

Other filters include:
• tcp.port eq 25: This filter will show you all traffic on port 25, which is usually SMTP traffic
• icmp: This filter will show you only ICMP traffic in the capture, most likely pings
• ip.addr != IP_address: This filter shows you all traffic except the traffic to or from the specified computer

Analysts even build filters to detect specific attacks, like this filter used to detect the Sasser worm:
• ls_ads.opnum==0x09

Wireshark Walk through task:


Step 1: Choose the network

Step 2: Start capturing packets

Step 3: Add a filter (http in our case), and press enter.


Note: Wireshark does not sniff packets with the HTTPS protocol.

Step 4: Go to the web browser and search for a website like:

Step 5: Once all loaded, go back to Wireshark and notice packets.

Step 6: Observe the fields
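
The fields visible in Step 6 can also be read programmatically. The following is an added example, not part of the original lab handout: it parses cleartext HTTP/1.x messages the way they appear on the wire and lists credential-bearing headers that anyone capturing the traffic can read. The sample messages are constructed (not a real capture), and the function names `parse_http` and `added_request_headers` are hypothetical.

```python
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def parse_http(raw):
    """Parse one cleartext HTTP/1.x message (request or response)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated by a blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) >= 2 and start[0].startswith("HTTP/") and start[1].isdigit():
        msg = {"kind": "response", "version": start[0], "status": int(start[1]),
               "reason": start[2] if len(start) == 3 else ""}
    elif len(start) == 3 and start[2].startswith("HTTP/"):
        msg = {"kind": "request", "method": start[0], "target": start[1],
               "version": start[2]}
    else:
        raise ValueError("not an HTTP/1.x start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()  # repeated name: last value wins
    # Credential-bearing headers are readable by anyone who can capture the traffic.
    msg.update(headers=headers, body=body,
               exposed=sorted(SENSITIVE.intersection(headers)))
    return msg

def added_request_headers(first, second):
    """Header names the second request carries that the first did not."""
    return sorted(second["headers"].keys() - first["headers"].keys())

# Constructed sample messages (not a real capture); the host and file name are
# the ones used in this lab's Packet Tracer example.
GET_1 = (b"GET /image.html HTTP/1.1\r\nHost: 192.168.1.10\r\n"
         b"Accept-Language: en-US,en;q=0.9\r\nCookie: sid=constructed\r\n\r\n")
RESP_1 = (b"HTTP/1.1 200 OK\r\nLast-Modified: Mon, 02 Sep 2024 10:00:00 GMT\r\n"
          b"Content-Length: 13\r\n\r\n<html></html>")
GET_2 = GET_1[:-2] + b"If-Modified-Since: Mon, 02 Sep 2024 10:00:00 GMT\r\n\r\n"
RESP_2 = b"HTTP/1.1 304 Not Modified\r\n\r\n"

if __name__ == "__main__":
    for raw in (GET_1, RESP_1, GET_2, RESP_2):
        m = parse_http(raw)
        print(m["kind"], m["version"], m.get("status", m.get("target")), m["exposed"])
    print(added_request_headers(parse_http(GET_1), parse_http(GET_2)))
```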

Packet Tracer Walk Through Task for HTTP:


Step 1: Make a topology with 2 PCs, a switch, and a server as shown

Step 2: Assign IP addresses to the systems and the server


Step 3: Click on the server, and go to the services. Make sure the HTTP service is on.

Step 4: Choose a file already available on the server

Step 5: Click on any one of the PCs, go to Desktop, and click on Web Browser.

Step 6: Type in the IP address of the server, a slash (/), and the name of the chosen file
Like: 192.168.1.10/image.html

Dynamic Host Configuration Protocol (DHCP)


Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol
(IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.
RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on Bootstrap Protocol
(BOOTP), a protocol with which DHCP shares many implementation details. DHCP allows hosts to obtain required TCP/IP
configuration information from a DHCP server.
Every device on a TCP/IP-based network must have a unique unicast IP address to access the network and its resources.
Without DHCP, IP addresses for new computers or computers that are moved from one subnet to another must be
configured manually; IP addresses for computers that are removed from the network must be manually reclaimed.
With DHCP, this entire process is automated and managed centrally. The DHCP server maintains a pool of IP addresses
and leases an address to any DHCP-enabled client when it starts up on the network. Because the IP addresses are dynamic
(leased) rather than static (permanently assigned), addresses no longer in use are automatically returned to the pool for
reallocation.
The network administrator establishes DHCP servers that maintain TCP/IP configuration information and provide address
configuration to DHCP-enabled clients in the form of a lease offer. The DHCP server stores the configuration information
in a database that includes:

• Valid TCP/IP configuration parameters for all clients on the network.


• Valid IP addresses, maintained in a pool for assignment to clients, as well as excluded addresses.
• Reserved IP addresses associated with particular DHCP clients. This allows consistent assignment of a single IP
address to a single DHCP client.
• The lease duration, or the length of time for which the IP address can be used before a lease renewal is required.

A DHCP-enabled client, upon accepting a lease offer, receives:

• A valid IP address for the subnet to which it is connecting.


• Requested DHCP options, which are additional parameters that a DHCP server is configured to assign to clients.
Some examples of DHCP options are Router (default gateway), DNS Servers, and DNS Domain Name.
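
What a client actually receives in a lease can be seen by decoding the DHCP message itself. The following is an added example, not part of the original lab handout: it parses the UDP payload of a DHCP message (BOOTP header layout from RFC 2131, option codes from RFC 2132) and extracts the leased address, subnet mask, router, DNS servers, domain name and lease duration. The DHCPACK it runs on is constructed, and the function names, MAC address, transaction ID and `lab.example` domain are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")     # RFC 2131: precedes the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def _ips(raw):  # decode one or more packed IPv4 addresses
    if not raw or len(raw) % 4:
        raise ValueError("address option length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

DECODERS = {  # RFC 2132 option code -> (name, decoder)
    1: ("subnet_mask", lambda v: _ips(v)[0]),
    3: ("routers", _ips),
    6: ("dns_servers", _ips),
    15: ("domain_name", lambda v: v.decode("ascii")),
    51: ("lease_seconds", lambda v: struct.unpack("!I", v)[0]),
    53: ("message_type", lambda v: MSG_TYPES.get(v[0], "type %d" % v[0])),
}

def parse_dhcp(payload):
    """Parse a DHCP UDP payload: 236-byte BOOTP header, magic cookie, options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"xid": struct.unpack("!I", payload[4:8])[0], "yiaddr": _ips(payload[16:20])[0],
           "client_mac": payload[28:28 + min(payload[2], 16)].hex(":")}
    i = 240
    while i < len(payload) and payload[i] != 255:            # 255 = End
        if payload[i] == 0:                                   # 0 = Pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        if code in DECODERS:
            name, decode = DECODERS[code]
            msg[name] = decode(payload[i + 2:i + 2 + length])
        i += 2 + length
    return msg

def build_sample_ack():
    """Constructed DHCPACK (not a real capture) leasing 192.168.1.11."""
    a = lambda s: ipaddress.IPv4Address(s).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s192x", 2, 1, 6, 0, 0x3903F326, 0, 0,
                         bytes(4), a("192.168.1.11"), a("192.168.1.10"), bytes(4),
                         bytes.fromhex("00d0bc1a2b3c"))   # sname/file left zeroed
    opts = [(53, b"\x05"), (51, struct.pack("!I", 86400)), (1, a("255.255.255.0")),
            (3, a("192.168.1.1")), (6, a("192.168.1.10") + a("192.168.1.1")),
            (15, b"lab.example")]
    return header + MAGIC_COOKIE + b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"
```

`yiaddr` is the address being leased; everything after the magic cookie is the option list that carries the rest of the client's configuration.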

Packet Tracer Walk through task for DHCP


Step 1: Make a topology with 2 PCs, a switch, and a server as shown

Step 2: Assign IP addresses to the systems and the server

Step 3: Click on the server, and go to the services, and select DHCP.

Step 4: Turn on the service


Step 5: Select the pool available or add another one

Step 6: Change the pool name, assign a starting IP address making sure it is from the same network as the IP address of
the server and the PCs. Assign the total number of users according to need.

Step 7: Click save

Step 8: Go to the first system, then go to the Desktop portion, and then the IP Configuration. Click on the DHCP option
rather than the Static one. After a few moments the server will assign an IP address from the pool and a success message
will be shown. This is how we assign dynamic IP addresses to a system from the server.

Practice Tasks
Task 1:
Answer the following questions for the assigned website:
1. Is your browser running HTTP version 1.0 or 1.1?
2. What languages (if any) does your browser indicate that it can accept to the server?
3. What is the IP address of your computer and the website?
4. What is the status code returned from the server to your browser?
5. When was the HTML file that you are retrieving last modified at the server?
6. How many bytes of content are being returned to your browser?
7. By inspecting the raw data in the packet content window, do you see any headers within the data that
are not displayed in the packet-listing window? If so, name one.
8. Which packet number in the trace contains the status code and phrase associated with the response
to the HTTP GET request?
9. What is the status code and phrase in the response?
10. When your browser sends the HTTP GET message for the second time, what new field is included in
the HTTP GET message?
For this specific question, you are required to answer the question in a Word or PDF file. Attach the screenshot
of the packets-captured screen from Wireshark, and then answer the questions.

Task 2:
Construct a client-server model that has 6 hosts, and assign them IP addresses and subnet masks dynamically from
the server. Moreover, access the HTTP server from the client and show the results. You need to upload a
simple HTML file and access that specific file.

Task 3:
Construct a client-server model that has 9 hosts: three of them are computers and the other six hosts are
laptops, which are further connected to 2 switches. Assign them IP addresses and subnet masks dynamically from
the server. Moreover, access the HTTP server from the client and show the results.

Submission Guidelines:

1. Do not zip your tasks; upload your tasks separately on GCR with the naming convention
rollNumber_TaskNumber.pkt, along with the screenshot of the topology with the success message.
2. Plagiarism will result in ZERO marks.
3. No late submission will be marked.
