Homework 5: Understanding Network Traffic using Wireshark

In this homework, we’ll learn basic usage of wireshark and how to debug network traffic with wireshark. Wireshark is a free and open-source packet analyzer. Wireshark consists of two parts: one is a packet capture engine powered by tcpdump, and the other is a powerful and expressive packet parsing capability that understands hundreds of different network protocols.

Install Wireshark on your machine

For an ubuntu vm, apt-get install wireshark will be sufficient; for OSX and Windows, you can download the most recent version here: wireshark.

Get Trace Files

Wireshark can analyze trace files recorded by others. There are several trace files saved in the public class git repository. We will use them as example to learn basic usage of wireshark and understand what happened when these files were recorded. The files you will need are located in homeworks/hw5/.

Basic Understanding of HTTP

01_http.pcap contains several HTTP conversations. After opening this file, answer the questions below. You don’t need to know what these fields mean (yet!), however you should be able to find them by browsing through the different protocols being “dissected” at different layers of each packet.

Q1: What is the absolute initial sequence number of the first TCP conversation in this file? Hint: the antonym of absolute is relative.

Q2: What is the query type of the second DNS request? What is the record type that the server uses to respond to that request?

Q3: In this trace file, there is one conversation in which a client downloaded a picture from a webserver. Answer this question with the filename and its md5sum.

Hint: If the large amount of packets in one file makes you crazy, filter is very useful tool to reduce the amount of them. Also an ascii table is very useful - either man ascii or this one are good options.

Cooked Telnet to remote server.

02_telnet-cooked.pcap is a recording of a client connecting to a remote server with telnet. This is similar to what Chris has been doing in class using telnet to connect to an HTTP or SMTP server.

Q4: What is the client’s and server’s IP addresses?

Q5: What is the password input by the client to login?

Q6: Show the date of the last login.

Q7: List all commands run by the client after login successfully (separate them with semicolons).

If you are interested, several funny places you can telnet to can be found here. The Star Wars asciimation is particularly impressive.

Deal With Raw Records of Telnet

The telnet conversation in 03_telnet-raw.pcap is character buffered instead of line buffered. This means that the client sends every keypress to the server - including characters that eventually get deleted by backspace, so there might be incorrect keypresses in the conversation. Please answer the following questions:

Q8: What is the user name used by the client to login?

Q9: What is the host name pinged by the client?

Q10: List all commands run actually by the client.

Find hidden servers among many other flows

In file 04_http-garbage-connection.pcap, there are several http and https conversations in this file running on the usual ports (80, 8080 for http, 443 for ssl). There is also an http server running on a nonstandard port.

Q11: Find the http conversation happening on the nonstandard port and give its IP address and port. Save the first file served by the “secret” server and paste the file’s md5sum as well. Use the format IP;PORT;MD5SUM for your answer.

In file 05_partial-content.pcap:

Q12: The client downloaded a file with range request from a webserver. Answer this question with the filename and the md5sum of the file contents.

Trace Local Network Traffic

Q13: Trace local network traffic while running git clone command to clone your own repository and save the trace file with “hw5.pcap” as file name. Only include the traffic necessary for the clone event.


To submit this assignment, create a hw5 subdirectory, and answer questions 1-12 in the following format in a file called hw5.txt:


If the answer includes multiple elements, keep them all on one line and use “;” to separate each item. Save the hw5.pcap file to this directory as well.

Due Date

This homework is due at 3PM Friday, October 30.


Grading will be done automatically using a script. We will publish this script after grading has completed.

GPL Notice

Trace files 1 and 2 are covered by the GNU GPL and were downloaded from The Wireshark Wiki.