Homework 1: Understanding Network Traffic using Wireshark
In this homework, we’ll learn basic usage of wireshark and how to debug network traffic with wireshark. Wireshark is a free and open-source packet analyzer. Wireshark consists of two parts: one is a packet capture engine powered by tcpdump, and the other is a powerful and expressive packet parsing capability that understands hundreds of different network protocols.
Preparing
Needed Tools
You will need several tools to complete this assignment, all of which are available on all major platforms. Some of these tools may already be available on your machine. You are responsible for getting these tools installed.
Get Trace Files
Wireshark can analyze trace files recorded by others. We will use several pre-recorded trace files as examples to learn basic usage of Wireshark and understand what happened when these files were recorded. The trace files you will need are located in your homework repository, in the `pcaps` directory.
Homework Questions
Basic HTTP
`01_http.pcap` contains several HTTP conversations. After opening this file, answer the questions below. You don’t need to know what these fields mean (yet!), however you should be able to find them by browsing through the different protocols being “dissected” at different layers of each packet.
Q1: List every IPv4 address involved in an HTTP conversation in this file. For your answer, put every IP address on a single line, comma separated, without any spaces. For example `a.a.a.a,b.b.b.b,c.c.c.c`, etc.
Q2: There are three domains that HTTP requests are made to in this file. Name any one of them.
hints:
- examples of domains are `example.org` or `www.domain.net`. IP addresses are not domains.
- practice using filters in Wireshark to better focus in on the traffic you are interested in.
Buffered Telnet
`02_telnet-cooked.pcap` is a recording of a client connecting to a remote server with telnet.
Q3: What are the client’s and server’s IP addresses? Enter them on the same line, comma separated, with no spaces. (e.g. `client ip,server ip`)
Q4: What is the password input by the client to login?
Q5: What was the date of the last login? Hint: enter this using the exact same format as it appears in the telnet conversation.
Q6: List all commands run by the client after logging in successfully (separate them with commas, all on one line, and in the order they were run).
hints:
- there are 4 commands
- usernames and passwords are not commands
- do not include the paths or arguments to commands here (i.e. if you see the user enter `/bin/cat some_file.txt` in the telnet conversation, the correct answer for this question is `cat`, not `cat some_file.txt` or `/bin/cat`).
- if the same command was entered more than once, enter the command each time it was called during the conversation, in the order it was called.
If you are interested, several funny places you can telnet to can be found here. The Star Wars asciimation is particularly impressive.
Unbuffered Telnet
The telnet conversation in `03_telnet-raw.pcap` is character buffered instead of line buffered. This means that the client sends every keypress to the server, including characters that eventually get deleted by backspace, so there might be incorrect keypresses in the conversation. Please answer the following questions:
Q7: What is the user name used by the client to login?
Q8: What is the host name pinged by the client?
Q9: List all commands run by the client, in the order they were run. Enter them all on the same line, comma separated.
hints:
- usernames and passwords are not commands
- do not include the paths or arguments to commands here (i.e. if you see the user enter `/bin/cat some_file.txt` in the telnet conversation, the correct answer for this question is `cat`, not `cat some_file.txt` or `/bin/cat`).
- if the same command was entered more than once, enter the command each time it was called during the conversation, in the order it was called.
Hidden Servers
In the file `04_http-garbage-connection.pcap`, there are several HTTP and HTTPS conversations running on the usual ports (80 and 8080 for HTTP, 443 for HTTPS). There is also an HTTP server running on a nonstandard port (i.e. not 80, 8080 or 443).
Q10: Find the HTTP conversation happening on the nonstandard port and give its IP address and port, and the HTTP path requested to that server. Give your answer in the format `IP,PORT,PATH`. (hint: the path starts with the `/` character).
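The two HTTP questions above (addresses involved in HTTP conversations, and an HTTP server on a nonstandard port) come down to walking every TCP payload in a capture and recognising request lines regardless of the destination port. The following is an added example, not part of the assignment or of Wireshark: a stdlib-only reader for the classic libpcap file format that does exactly that, run over a small capture constructed inline (the addresses, ports and paths are made up).

```python
# Added example (not the assignment's own code): a minimal reader for the classic
# libpcap format (24-byte global header, 16-byte record headers) that walks
# Ethernet/IPv4/TCP frames and reports every HTTP request line, on any port.
# Stdlib only; the SAMPLE capture at the bottom is constructed here, not real.
import struct
from ipaddress import IPv4Address

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def http_requests(pcap: bytes):
    """Yield (src_ip, dst_ip, dst_port, path) for each HTTP request in the pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"          # writer's byte order (classic magic)
    off = 24                                          # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip non-IPv4 frames
            continue
        ip = frame[14:]
        if ip[9] != 6:                                        # skip non-TCP packets
            continue
        src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
        tcp = ip[(ip[0] & 0x0F) * 4:]                         # IHL gives IP header size
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]                    # data offset gives TCP header size
        if payload.startswith(HTTP_METHODS):                  # request line present
            path = payload.split(b" ", 2)[1].decode("ascii", "replace")
            yield str(src), str(dst), dport, path

def nonstandard_http(pcap: bytes, usual=(80, 8080, 443)):
    """HTTP requests sent to a port other than the usual web ports."""
    return [r for r in http_requests(pcap) if r[2] not in usual]

def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = _pcap([  # constructed: one request on port 80, one on a nonstandard port
    _frame("10.0.0.5", "10.0.0.9", 50000, 80, b"GET /index.html HTTP/1.1\r\n\r\n"),
    _frame("10.0.0.5", "10.0.0.7", 50001, 8123, b"GET /hidden/status HTTP/1.1\r\n\r\n"),
])
```

Wireshark's `http` display filter only matches the ports it is configured to dissect as HTTP, which is why a server on an unusual port can hide from it; matching on the request line itself, as above, does not depend on the port.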
Trace Local Network Traffic
Q11: Wireshark isn’t only for reading previously captured network traffic. You can also use it to capture and save traffic on your own network.
For this question, use Wireshark to capture the network traffic on your own network when requesting the URL `http://wttr.in/chicago`. You should fetch this from the command line, using a tool like curl. Do not fetch the URL in your web browser, as the site will serve different content to web browsers than to other, simpler HTTP clients.
Only include the relevant HTTP traffic in the saved file. Save the resulting network traffic in a pcap file, called `hw1.pcap`.
Submission and Grading
You must submit your solution to this assignment through git. When you submit your assignment, your project should have (at least) the following files in it:
- `README.md`: this file
- `hw1.txt`: your answers to questions 1-10. Each answer should appear on its own line. Only the first 10 lines of your file will be considered.
- `hw1.pcap`: the network traffic generated from question 11.
- `netid.txt`: a text file that contains only your UIC NetID. It should not contain anything else.
There are a total of 15 possible points for this assignment.
- 1 point for each of the first 10 questions.
- 3 points for correctly capturing the HTTP traffic described in question 11.
- 2 points for only capturing the HTTP traffic described in question 11 (i.e. not including any other traffic in this file).
Not correctly including the `netid.txt` file will be an automatic 0 for the assignment.
Due Date
This homework is due before 3pm on Wednesday, January 25.
GPL Notice
Trace files 1 and 2 are covered by the GNU GPL and were downloaded from The Wireshark Wiki.