In this lab, you will learn about Wireshark.
• Read about what Wireshark is in the description and template
• Understand what a protocol analyzer is, and what it is used for
• Try Wireshark out and post your outcome
Lab Materials and Setup
The materials you’ll need for this lab are
• Pencil and paper
• A Windows computer with Internet access, and the ability to install programs on the PC
Description and template
We will be using the Wireshark packet sniffer [http://www.wireshark.org/] for the lab. Wireshark displays the contents of messages sent and received by the protocols at each level of the protocol stack (Ethernet, IP, TCP/UDP, and the application protocol such as HTTP). Wireshark is a free network protocol analyzer that runs on Windows, macOS and Linux; this lab uses the Windows build.
In order to run Wireshark, you will need access to a computer that supports both Wireshark and a packet capture driver: the WinPcap library on older releases, or Npcap on current Windows installers. The Wireshark installer offers to install this driver for you; capturing packets is impossible without it, and installing it requires administrator rights on the PC.
Download and install the Wireshark software:
• Go to http://www.wireshark.org/download.html and download and install Wireshark for your computer.
• Download the Wireshark user guide (Optional).
The Wireshark FAQ has a number of helpful hints and interesting tidbits of information, particularly if you have trouble installing or running Wireshark.
When you run the Wireshark program, the Wireshark graphical user interface is displayed. Initially, no data will be displayed in the various windows.
The Wireshark interface has five major components:
• The command menus are standard pulldown menus located at the top of the window. Of interest to us now are the File and Capture menus. The Capture menu allows you to begin packet capture.
• The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s header), the time at which the packet was captured, the packet’s source and destination addresses, the protocol type, and protocol-specific information contained in the packet.
• The packet-header details window provides details about the packet selected in the packet-listing window. These details include information about the Ethernet frame and IP datagram that contain this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking the plus-or-minus boxes to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet was carried over TCP or UDP, the details of that transport segment are displayed as well.
• The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
• Towards the top of the Wireshark graphical user interface, is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we’ll use the packet-display filter field to have Wireshark hide (not display) packets except those that correspond to HTTP messages.
Taking Wireshark for a Test Run
The best way to learn about any new piece of software is to try it out! We’ll assume that your computer is connected to the Internet via a wired Ethernet interface. You can also complete the lab with a wireless interface, but will need to choose the correct adapter during the steps. Do the following:
1. Start up your favorite web browser, which will display your selected homepage.
2. Start up the Wireshark software. You will initially see a window similar to that shown in Figure 2, except that no packet data will be displayed in the packet-listing, packet-header, or packet-contents window, since Wireshark has not yet begun capturing packets.
3. To begin packet capture, select the Capture pull-down menu and select Options. This brings up the “Wireshark: Capture Options” window, shown in Figure 3.
4. You can use most of the default values in this window. The network interfaces (i.e., the physical connections) that your computer has to the network are shown in the list at the top of the Capture Options window. If your computer has more than one active network interface (e.g., both a wireless and a wired Ethernet connection), you must select the interface that is actually being used to send and receive packets; the wrong adapter yields an empty capture. After selecting the network interface, click Start. Packet capture now begins: all packets sent or received by your computer on that interface are captured by Wireshark.
5. While Wireshark is running, enter the URL: http://www.wireshark.org/tools/v46status.html and have that page displayed in your browser. In order to display this page, your browser will contact the HTTP server and exchange HTTP messages with the server in order to download this page. The Ethernet frames containing these HTTP messages will be captured by Wireshark.
6. After your browser has displayed the web page, stop Wireshark packet capture by selecting the stop live capture button. The main Wireshark window should now look similar to Figure 2. You now have live packet data that contains all protocol messages exchanged between your computer and other network entities! The HTTP message exchanges with the www.wireshark.org web server should appear somewhere in the listing of packets captured. Even though the only action you took was to download a web page, there were evidently many other protocols running on your computer that are unseen by the user.
7. Type “http” (without the quotes, and in lower case – all protocol names are in lower case in Wireshark) into the display filter field at the top of the main Wireshark window, then press Enter or select Apply. Only HTTP messages will now be displayed in the packet-listing window. If your browser upgraded the request to HTTPS, the HTTP messages are inside TLS and will not match this filter; you will find the connection under tls (ssl in older versions) or tcp.port == 443 instead, and you will see only encrypted records, not the GET itself.
8. Select the first http message shown in the packet-listing window. This should be the HTTP GET message sent from your computer to the Wireshark HTTP server. When you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment, and HTTP message header information are displayed in the packet-header window. By clicking the plus-and-minus boxes on the left side of the packet details window, minimize the amount of Frame, Ethernet, Internet Protocol, and Transmission Control Protocol information displayed, and maximize the amount of information displayed about the HTTP protocol. Your Wireshark display should now look roughly as shown in Figure 5.
9. Take a screen capture of the Wireshark window showing that you have completed the packet capture and paste it at the end of this lab. Describe briefly what the screen displays, why you think Wireshark is useful, and how it can help with security.
10. Exit Wireshark.
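As an added example (not part of the original lab handout), the Python script below does by hand what Wireshark's dissectors do for you in steps 6 to 8: it peels an Ethernet II frame into its IPv4 header, TCP header and HTTP request, verifies the IPv4 header checksum, and emulates typing a protocol name into the display filter field. The traffic is constructed, not captured: the MAC addresses, the private client address, the documentation-range server address and the stand-in UDP "DNS" packet are all assumptions, and the HTTP GET mirrors the request from step 5.

```python
"""Minimal dissector in the spirit of Wireshark's packet-header window.
Added example for this lab; the frames below are constructed, not a real capture."""
import struct

# Constructed sample traffic (assumed values, not wireshark.org's real addresses).
SRC_MAC = bytes.fromhex("001122334455")   # assumed client NIC
DST_MAC = bytes.fromhex("66778899aabb")   # assumed default gateway
CLIENT_IP = bytes([192, 168, 1, 10])      # assumed private client address
SERVER_IP = bytes([203, 0, 113, 5])       # documentation range, stands in for the web server
HTTP_GET = (b"GET /tools/v46status.html HTTP/1.1\r\n"
            b"Host: www.wireshark.org\r\n"
            b"User-Agent: lab-browser/1.0\r\n\r\n")


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum. Over a header whose checksum field is
    already filled in, a valid header yields 0; otherwise the value to insert."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(payload: bytes, proto: int, sport: int, dport: int) -> bytes:
    """Wrap payload in TCP (proto 6) or UDP (proto 17), then IPv4, then Ethernet II."""
    if proto == 6:
        # PSH+ACK, data offset 5 (20-byte header); TCP checksum left 0, not verified below
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0, CLIENT_IP, SERVER_IP)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in header checksum
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + l4


def dissect(frame: bytes) -> dict:
    """Return one dict per protocol layer, nested the way Wireshark lists them."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                  # only IPv4 is handled here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, sip, dip = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    layers["ip"] = {"src": ".".join(map(str, sip)), "dst": ".".join(map(str, dip)),
                    "ttl": ttl, "proto": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    l4 = ip[ihl:total_len]
    if proto == 6:
        sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", l4[:14])
        layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}
        payload = l4[(off >> 4) * 4:]
        if 80 in (sport, dport) and payload:  # same heuristic Wireshark uses: port 80 => HTTP
            head, _, body = payload.partition(b"\r\n\r\n")
            lines = head.decode("ascii", "replace").split("\r\n")
            layers["http"] = {"request_line": lines[0],
                              "headers": dict(h.split(": ", 1) for h in lines[1:] if ": " in h),
                              "body_len": len(body)}
    elif proto == 17:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        layers["udp"] = {"sport": sport, "dport": dport, "length": ulen}
    return layers


def display_filter(frames, expr: str) -> list:
    """Emulate typing a protocol name (e.g. "http") into the display filter field:
    return the Wireshark-style packet numbers (starting at 1) that contain that layer."""
    return [num for num, f in enumerate(frames, 1) if expr in dissect(f)]


# A two-packet "capture": a stand-in DNS query (the unseen "other protocols" of step 6)
# followed by the HTTP GET from step 5.
CAPTURE = [
    build_frame(b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 20, 17, 53123, 53),
    build_frame(HTTP_GET, 6, 51234, 80),
]

if __name__ == "__main__":
    for num, frame in enumerate(CAPTURE, 1):
        print(f"Packet {num}:")
        for name, fields in dissect(frame).items():
            print(f"  [{name}] {fields}")
    print("display filter 'http' ->", display_filter(CAPTURE, "http"))
```

Running the script prints the layered breakdown of both packets, and the `http` filter keeps only packet 2, just as the filter in step 7 hides everything but the GET. Flipping one byte of the IPv4 header makes `checksum_ok` false, which is the same check Wireshark shows as a bad checksum in the packet-header window (and why Wireshark offers to disable checksum validation when offloading makes locally sent packets look corrupt).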