
Question:

Please use the Wireshark program for the following question.

Case Project: Decode a TCP Segment in a Wireshark Capture. Please send screenshots and other important information.

Case Project 3-2: Decode a TCP Segment in a Wireshark Capture

In this chapter, you walked through a TCP segment to interpret the data included in its header. In this project, you use Wireshark to capture your own HTTP messages, examine the TCP headers, and practice interpreting the data you'll find there.

1. Open Wireshark and snap the window to one side of your screen. Open a browser and snap that window to the other side of your screen so you can see both windows.

NOTE: In Windows, you can quickly snap a window to one side of your screen by holding down the Win key on your keyboard, pressing either the left or right arrow key, then releasing both keys. Alternately, you can drag a window to one side of your screen until it snaps into position.

2. Start the Wireshark capture. In the browser, navigate to google.com. Once the page loads, stop the Wireshark capture. You'll have fewer messages to sort through if you can do this entire process fairly quickly.

3. Now apply a filter to expose the messages involved with your Web site request. Somewhere in your capture, a DNS message will show the original request to resolve the name google.com to its IP address. A series of TCP messages will then show the three-way handshake, along with the rest of the data transmission. Because your transmission has to do with requesting a Web page, you need to filter to port 80. Apply the following filter to your capture: dns or tcp.port eq 80

4. This filter helps reduce the number of messages to the ones you actually want to see. But you'll still probably have to scroll through your results to find exactly the right DNS message that started this process. You'll see DNS in the Protocol field, and something to the effect of Standard query and www.google.com in the Info field, as shown in Figure 3-27.

[Figure 3-27: Wireshark packet list filtered with "dns or tcp.port eq 80", showing the DNS Standard query for www.google.com, the DNS response, the TCP handshake between 192.168.1.109 and 23.62.97.10 on port 80, the HTTP GET, and the HTTP/1.1 200 OK response. Caption: This DNS message is a request to resolve the domain name www.google.com. Source: The Wireshark Foundation]

5. Once you've located this message, click on it and examine the details of the message in the second pane. Answer the following questions:
a. What is the OUI of the source's NIC?
b. Which IP version was used?
c. If the message used IPv4, what was the TTL? If IPv6, what was the hop limit?
d. Did the message use TCP or UDP?
e. What is the source port? The destination port?

Chapter 3, How Data is Transported Over Networks

6. Now check your filter results for the first [SYN] message after this DNS request. Open the TCP segment header in the second pane, and answer the following questions:
a. What is the sequence number?
b. Which flags are set in the TCP segment?

NOTE: If you can't find the TCP stream for this Web page request, your system may have used port 443 instead of port 80. Port 443 is assigned to HTTPS, which is a secure version of HTTP. Run your filter again using port 443 instead of port 80.

If you're using the default settings in Wireshark, you probably found a sequence number of 1. That's because Wireshark shows relative numbers instead of the actual, random numbers used in the segments themselves. Relative numbers are easier for humans to keep up with, but they provide no security in that they're very predictable. Random numbers, on the other hand, are more difficult to fake.

7. To find the actual, random sequence number assigned to this segment, click on the sequence number field in the second pane, then find the corresponding value now highlighted in the third pane. The actual value is presented in hexadecimal format.

8. Switch the output to show the actual, random numbers (in decimal form) in your capture by clicking on the Edit menu, then click Preferences, expand the Protocols list, click TCP, and uncheck Relative sequence numbers. Then click OK. Look back at the relative numbers shown in Figure 3-27, and compare the data in that figure to the random numbers shown in Figure 3-28.

[Figure 3-28: The captured messages now show the actual, random numbers used in the Seq and Ack fields. Source: The Wireshark Foundation]

9. Apply another filter layer to show only the messages for this TCP conversation: right-click the [SYN] message and click Follow TCP Stream. Close the Follow TCP Stream dialog box that opens, as you will be examining data in the actual capture.

10. Immediately after that initial [SYN] message, locate the [SYN, ACK] message and answer the following questions:
a. What is the source IP address? The destination IP address?
b. What is the sequence number? The acknowledgment number?
c. Which flags are set in the TCP segment?

11. Locate the third message in this three-way handshake, the [ACK] message, and answer the following questions:
a. What is the source IP address? The destination IP address?
b. What is the sequence number? The acknowledgment number?
c. Which flags are set in the TCP segment?

12. The three-way handshake establishes the session, but the conversation continues as the Web server begins to respond to your browser's request for the Web page. At some point later in the conversation, locate an HTTP/XML message that contains the actual data for Google's search page. Recall that there are several layers of headers encapsulating this payload, so you'll need to look at the deepest layer in the message to find the Web page's data. Locate the correct message, and answer the following questions:
a. List the types of headers included in this message, in order.
b. What is the source IP address? The destination IP address?
c. Which flags are set in the TCP segment?
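Worked example, added here as an illustration and not part of the question or of the textbook: a small Python decoder that walks the same header stack the project has you inspect in Wireshark's details pane (Ethernet II, IPv4, then TCP or UDP) and pulls out exactly the fields the questions ask for: the OUI from the source MAC, IP version, TTL, transport protocol, ports, raw Seq/Ack numbers and the flag set. It also reproduces what Wireshark's "Relative sequence numbers" preference does, so you can see the relationship between the large random ISNs and the 0/1 values of steps 6 to 11. The capture it decodes is constructed in the code (the MAC addresses, the 192.168.1.109 / 23.62.97.10 addresses, ports 59502, 56364 and the two ISNs are made-up values, and the IPv4 checksum is left at zero because the frames are never sent); nothing is read from the network.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# TCP flag bits of the 16-bit "data offset / reserved / flags" word (RFC 793).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass
class Decoded:
    oui: str                 # first three bytes of the source MAC (vendor part)
    ip_version: int
    ttl: int
    transport: str           # "TCP" or "UDP"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: Optional[int] = None    # raw 32-bit sequence number (TCP only)
    ack: Optional[int] = None    # raw 32-bit acknowledgment number (TCP only)
    flags: List[str] = field(default_factory=list)


def decode_frame(frame: bytes) -> Decoded:
    """Ethernet II -> IPv4 -> TCP/UDP: the headers Wireshark lists in its details pane."""
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("this example decodes IPv4 (EtherType 0x0800) only")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4      # IHL counts 32-bit words
    ttl, proto = ip[8], ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    oui = ":".join(f"{b:02x}" for b in src_mac[:3])
    d = Decoded(oui, version, ttl, "?", src_ip, dst_ip, 0, 0)
    if proto == 6:                                      # TCP
        d.transport = "TCP"
        d.src_port, d.dst_port, d.seq, d.ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        d.flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    elif proto == 17:                                   # UDP (the DNS query)
        d.transport = "UDP"
        d.src_port, d.dst_port = struct.unpack("!HH", l4[:4])
    else:
        raise ValueError(f"unhandled IP protocol number {proto}")
    return d


def relative_numbers(segments: List[Decoded]) -> List[Tuple[int, int]]:
    """What Wireshark's 'Relative sequence numbers' view does: the first seq seen from
    each side (its ISN, carried in the SYN) becomes 0; later Seq/Ack values are offsets
    from it, modulo 2^32. Segments must be in capture order."""
    isn = {}
    out = []
    for s in segments:
        me, peer = (s.src_ip, s.src_port), (s.dst_ip, s.dst_port)
        if "SYN" in s.flags or me not in isn:
            isn[me] = s.seq
        rel_seq = (s.seq - isn[me]) % 2**32
        rel_ack = (s.ack - isn[peer]) % 2**32 if "ACK" in s.flags else 0
        out.append((rel_seq, rel_ack))
    return out


# --- constructed capture: made-up MACs, addresses, ports and ISNs, never transmitted ---
def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, ttl, payload):
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac), bytes.fromhex(src_mac), 0x0800)
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    # IPv4 header checksum left at 0 because these frames never go on the wire.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                     ttl, proto, 0, ip4(src_ip), ip4(dst_ip))
    return eth + ip + payload


def tcp_segment(sport, dport, seq, ack, flags, data=b""):
    off_flags = (5 << 12) | flags            # data offset 5 words: 20-byte header, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + data


CLIENT_MAC, CLIENT_IP = "001a2b3c4d5e", "192.168.1.109"
SERVER_MAC, SERVER_IP = "00aabbccddee", "23.62.97.10"
C_ISN, S_ISN = 0x9D4A2B11, 0x3F1C8E07           # stand-ins for the random ISNs


def example_capture() -> List[bytes]:
    """DNS query (UDP/53), then the three-way handshake and the first GET on port 80."""
    dns = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
           + b"\x03www\x06google\x03com\x00" + struct.pack("!HH", 1, 1))
    udp = struct.pack("!HHHH", 56364, 53, 8 + len(dns), 0) + dns
    return [
        build_frame(CLIENT_MAC, "00112233aabb", CLIENT_IP, "192.168.1.1", 17, 128, udp),
        build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 6, 128,
                    tcp_segment(59502, 80, C_ISN, 0, SYN)),
        build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 6, 54,
                    tcp_segment(80, 59502, S_ISN, C_ISN + 1, SYN | ACK)),
        build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 6, 128,
                    tcp_segment(59502, 80, C_ISN + 1, S_ISN + 1, ACK)),
        build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 6, 128,
                    tcp_segment(59502, 80, C_ISN + 1, S_ISN + 1, PSH | ACK,
                                b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n")),
    ]


def decode_capture() -> Tuple[List[Decoded], List[Tuple[int, int]]]:
    """Decode every constructed frame; relative numbers are computed for the TCP ones."""
    decoded = [decode_frame(f) for f in example_capture()]
    return decoded, relative_numbers([d for d in decoded if d.transport == "TCP"])
```

Calling decode_capture() returns the decoded frames plus the relative (Seq, Ack) pairs (0, 0), (0, 1), (1, 1), (1, 1) for SYN, SYN/ACK, ACK and the GET, which is what the packet list shows with relative numbering on; the raw seq and ack fields hold the 32-bit values you see after unchecking the preference in step 8. The textbook's point about predictability is visible in the code: relative numbers are a display convenience derived by subtraction, and only the raw ISNs, which a peer cannot guess, make an off-path forged segment unlikely to land in the window.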
