Homework 5: Understanding Network Traffic using Wireshark
In this homework, we’ll learn basic usage of Wireshark and how to debug network traffic with it. Wireshark is a free and open-source packet analyzer. It consists of two parts: a capture engine (dumpcap, built on libpcap, or Npcap on Windows) that records raw frames from an interface, and a library of protocol dissectors that parses those frames layer by layer and understands hundreds of different network protocols. Note that tcpdump is a separate tool built on the same libpcap library; Wireshark can read the files it writes, but does not capture through it.
Install Wireshark on your machine
For an Ubuntu VM, apt-get install wireshark will be sufficient. Capturing (as opposed to reading saved files) needs access to the network interfaces; on Debian/Ubuntu, answer yes to the "allow non-superusers to capture" prompt (or run sudo dpkg-reconfigure wireshark-common later) and add your user to the wireshark group, then log in again, rather than running the Wireshark GUI as root. For OS X and Windows, you can download the most recent version here:
Get Trace Files
Wireshark can analyze trace files recorded by others. There are several trace files saved in the public class git repository. We will use them as examples to learn basic usage of Wireshark and to understand what happened when these files were recorded. The files you will need are located in
Basic Understanding of HTTP
01_http.pcap contains several HTTP conversations. After opening this file, answer the questions below. You don’t need to know what these fields mean (yet!); however, you should be able to find them by browsing through the different protocols being “dissected” at each layer of a packet in the packet details pane.
Q1: What is the absolute initial sequence number of the first TCP conversation in this file? Hint: the antonym of absolute is relative, and relative is what Wireshark displays by default; the raw value is still in the packet bytes.
Q2: What is the query type of the second DNS request, and what record type does the server use in its response to that request?
Q3: In this trace file, there is one conversation in which a client downloaded a picture from a webserver. Answer this question with the filename and the md5sum of the picture as transferred (the bytes of the HTTP response body, not the packets that carried them).
Hint: If the number of packets in one file is overwhelming, a display filter is a very useful tool for cutting it down. An ASCII table is also useful; either man ascii or this one are good options.
Cooked Telnet to remote server.
02_telnet-cooked.pcap is a recording of a client connecting to a remote server with telnet. This is similar to what Chris has been doing in class using telnet to connect to an HTTP or SMTP server. Telnet carries everything in cleartext, so the whole session, credentials included, is readable straight from the capture.
Q4: What are the client’s and server’s IP addresses?
Q5: What is the password input by the client to login?
Q6: Show the date of the last login.
Q7: List all commands run by the client after login successfully (separate them with semicolons).
If you are interested, several funny places you can telnet to can be found here. The Star Wars asciimation is particularly impressive.
Deal With Raw Records of Telnet
The telnet conversation in 03_telnet-raw.pcap is character buffered instead of line buffered. This means that the client sends every keypress to the server, including characters that are later deleted by backspace, so the client-to-server byte stream contains mistyped characters that the server never saw as part of a command. Reconstruct what was actually run by applying those edits, not by reading the keystrokes verbatim. Please answer the following questions.
Q8: What is the user name used by the client to login?
Q9: What is the host name pinged by the client?
Q10: List all commands actually run by the client.
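As an added worked example for the raw telnet trace (this is not part of the homework and not code from Wireshark), the following function reconstructs the lines a user actually sent from the character-buffered client-to-server stream. The input is the one-directional byte stream that Wireshark’s Follow TCP Stream gives you when you select the client-to-server direction and save it as raw; the stream below is constructed for the example, not taken from 03_telnet-raw.pcap. It strips telnet option negotiation (IAC sequences), applies Backspace/DEL and Ctrl-U edits, and splits on Enter, which telnet clients send as CR LF or CR NUL.

```python
"""Reconstruct what a telnet user actually typed from a character-buffered
client-to-server byte stream.

Added example, not part of the homework. The sample stream at the bottom is
constructed; feed the function the raw client-to-server bytes saved from
Wireshark's Follow TCP Stream for the real trace.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_iac(stream):
    """Remove telnet command sequences (RFC 854) and return the raw keystrokes."""
    out = bytearray()
    i = 0
    while i < len(stream):
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(stream):        # truncated command at end of stream
            break
        cmd = stream[i + 1]
        if cmd == IAC:                  # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # subnegotiation: skip to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = len(stream) if end < 0 else end + 2
        else:
            i += 2                      # any other two-byte command
    return bytes(out)


def typed_lines(stream):
    """Apply line editing to the keystrokes and return the lines the server executed.

    Backspace (0x08) and DEL (0x7F) delete the previous character; Ctrl-U (0x15)
    erases the whole line. Enter arrives as CR LF or CR NUL. Printable bytes and
    tab are appended; other control characters are dropped. A bare Enter yields
    an empty line, because the server saw one too.
    """
    lines, cur = [], bytearray()
    keys = strip_iac(stream)
    i = 0
    while i < len(keys):
        b = keys[i]
        if b == 0x0D:                          # CR: end of line
            if i + 1 < len(keys) and keys[i + 1] in (0x0A, 0x00):
                i += 1                         # swallow the LF or NUL that follows
            lines.append(cur.decode("utf-8", "replace"))
            cur = bytearray()
        elif b in (0x08, 0x7F):
            if cur:
                del cur[-1]
        elif b == 0x15:
            cur = bytearray()
        elif b >= 0x20 or b == 0x09:
            cur.append(b)
        i += 1
    if cur:                                    # unterminated last line
        lines.append(cur.decode("utf-8", "replace"))
    return lines


# Constructed sample (not from the class trace): option negotiation, a username
# and password, then "ls -la" typed with a typo fixed by DEL, "ping example.com"
# typed with a typo fixed by two Backspaces, and "exit" ended with CR NUL.
SAMPLE_CLIENT_STREAM = (
    bytes([IAC, DO, 0x01, IAC, WILL, 0x18, IAC, SB, 0x18, 0x00]) + b"xterm" + bytes([IAC, SE])
    + b"alice\r\n"
    + b"hunter2\r\n"
    + b"ls -lq\x7fa\r\n"
    + b"pinf\x08\x08ng example.com\r\n"
    + b"exit\r\x00"
)

if __name__ == "__main__":
    for line in typed_lines(SAMPLE_CLIENT_STREAM):
        print(repr(line))
```

Reading the keystrokes verbatim would give "ls -lq" and "pinf"; only after the edits are applied do the real commands appear. Note that the server’s echo travels in the other direction and is not in this stream, which is why the password is visible here even though it never appeared on the user’s screen.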
Find hidden servers among many other flows
In 04_http-garbage-connection.pcap, there are several HTTP and HTTPS conversations running on the usual ports (80 and 8080 for HTTP, 443 for TLS). There is also an HTTP server running on a nonstandard port. Wireshark chooses the dissector by port number, so that conversation will not be shown as HTTP by default; look for HTTP request or status lines in the payload (a display filter such as frame contains "HTTP/1." works) or use Decode As on the port once you have found it.
Q11: Find the HTTP conversation happening on the nonstandard port and give its IP address and port. Save the first file served by the “secret” server and paste the file’s md5sum as well. Use the format IP;PORT;MD5SUM for your answer.
Q12: The client downloaded a file from a webserver using HTTP Range requests (look for Range: headers in the requests and 206 Partial Content responses), so the file arrives in several pieces that must be reassembled in byte order. Answer this question with the filename and the md5sum of the reassembled file contents.
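As an added worked example (not part of the homework and not code from Wireshark), the following minimal pcap reader shows what lies behind Q1 and Q11: the raw 32-bit sequence number carried by a SYN is the absolute ISN that Wireshark hides behind its relative display, and an HTTP server on an unusual port is recognised by its payload rather than its port number, which is exactly why Wireshark’s port-based dissector selection misses it. The trace it reads is constructed inline; it is not one of the class trace files, and the parser handles only the Ethernet/IPv4/TCP layering that these captures use.

```python
"""Minimal pcap reader: absolute TCP ISNs and HTTP on unusual ports.

Added example (not part of the homework or of Wireshark). Parses only the
link-type 1 (Ethernet) / IPv4 / TCP subset of the pcap format; the trace it
analyzes is constructed by sample_pcap() below, not taken from the class repo.
"""
import struct

STANDARD_HTTP_PORTS = {80, 8080, 443}
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"HTTP/1.")


def parse_pcap(data):
    """Yield (src, dst, sport, dport, seq, flags, payload) for each TCP packet."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    assert link_type == 1, "only Ethernet captures are handled here"
    off = 24                                              # past the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType: not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                    # protocol: not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        data_off = (off_flags >> 12) * 4
        yield src, dst, sport, dport, seq, off_flags & 0x1FF, tcp[data_off:]


def absolute_isns(packets):
    """Map each (client, sport, server, dport) to the client's absolute ISN.

    The raw seq field of a SYN is the absolute value; Wireshark subtracts it
    from every later packet when the TCP preference "Relative sequence numbers"
    is on (the default), which is why the GUI shows the first seq as 0.
    """
    isns = {}
    for src, dst, sport, dport, seq, flags, _ in packets:
        syn, ack = flags & 0x02, flags & 0x10
        if syn and not ack:
            isns[(src, sport, dst, dport)] = seq
    return isns


def http_on_nonstandard_ports(packets, standard=STANDARD_HTTP_PORTS):
    """Return sorted (ip, port) of servers speaking HTTP on a port outside
    `standard`. Identification is by payload, not by port number."""
    found = set()
    for src, dst, sport, dport, _, _, payload in packets:
        if not payload.startswith(HTTP_PREFIXES):
            continue
        if payload.startswith(b"HTTP/1."):          # response: sender is the server
            server = (src, sport)
        else:                                        # request: receiver is the server
            server = (dst, dport)
        if server[1] not in standard:
            found.add(server)
    return sorted(found)


def _packet(src, dst, sport, dport, seq, flags, payload=b""):
    """Build one Ethernet/IPv4/TCP frame (constructed data; checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    src4 = bytes(int(o) for o in src.split("."))
    dst4 = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src4, dst4) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def sample_pcap():
    """A constructed two-conversation trace: HTTP on port 80 and on port 31337."""
    frames = [
        _packet("10.0.0.5", "10.0.0.80", 40000, 80, 3141592653, 0x02),           # SYN
        _packet("10.0.0.80", "10.0.0.5", 80, 40000, 2718281828, 0x12),           # SYN/ACK
        _packet("10.0.0.5", "10.0.0.80", 40000, 80, 3141592654, 0x18, b"GET /index.html HTTP/1.1\r\n\r\n"),
        _packet("10.0.0.5", "10.0.0.99", 40001, 31337, 1000, 0x02),              # SYN
        _packet("10.0.0.99", "10.0.0.5", 31337, 40001, 2000, 0x12),              # SYN/ACK
        _packet("10.0.0.5", "10.0.0.99", 40001, 31337, 1001, 0x18, b"GET /secret.png HTTP/1.0\r\n\r\n"),
        _packet("10.0.0.99", "10.0.0.5", 31337, 40001, 2001, 0x18, b"HTTP/1.0 200 OK\r\n\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


if __name__ == "__main__":
    pkts = list(parse_pcap(sample_pcap()))
    print(absolute_isns(pkts))
    print(http_on_nonstandard_ports(pkts))
```

The same two ideas apply in the GUI: turning off the TCP preference "Relative sequence numbers" reveals the raw ISN, and a payload-based filter finds the hidden server no matter which port it listens on.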
Trace Local Network Traffic
Q13: Trace local network traffic while running git clone to clone your own repository, and save the trace with “hw5.pcap” as the file name. Only include the traffic necessary for the clone: start the capture just before running git clone, stop it as soon as git exits, and use a capture filter (for example, host followed by your git server’s name) so that unrelated traffic from your machine is not recorded at all.
To submit this assignment, create a hw5 subdirectory, and answer questions 1-12 in the following format in a file called
Q1: ANSWER_TO_Q1
Q2: ANSWER_TO_Q2
If the answer includes multiple elements, keep them all on one line and use “;” to separate each item. Save the hw5.pcap file to this directory as well.
This homework is due at 3PM Friday, October 30.
Grading will be done automatically using a script. We will publish this script after grading has completed.