Monday, March 8, 2010

Wireshark Lab


Note: You will be blogging about your Wireshark lab. Take screen shots of the Wireshark output to include with your blog. Also you will need to research the Internet extensively to complete the assignment. Make use of the site http://www.ietf.org/rfc.html to find specific information about TCP, UDP, IP, Ethernet and ARP.

Start wireshark and view the packets that are being picked up by your computer.

1. Look at several packets and then complete the following:

a. Look at a packet that is using TCP and then answer the following:

i. What is the source port? Infowave 2082

Why is this source port used?

Infowave Mobility Server

ii. What is the destination port? 80

Why is this destination port used?

Common port for web browser TCP connection

iii. What is the flag?

0x10 & 0x02

Why is this flag used?

What is the source and destination IP address?

Src: 192.168.1.128 (192.168.1.128), Dst: 129.68.65.66 (129.68.65.66)

Is this packet coming or going from your computer?

No, it is coming from my computer to 129.68.65.66.

iv. What is the Time To Live for this packet?

128

What does TTL mean?

Time to Live: the maximum time a datagram can remain on the network before it is discarded. It represents the number of times a datagram has been forwarded by a router, also known as hops.

v. What is the Differentiated Services field?

An indicator to routers of the level of precedence they should apply when processing the incoming packet.

List the current value.

0x00 (DSCP 0x00: Default; ECN: 0x00)

What does this mean?

List 4 other possible values.

1. Default PHB—which is typically best-effort traffic

2. Expedited Forwarding (EF) PHB—dedicated to low-loss, low-latency traffic

3. Assured Forwarding (AF) PHB— which gives assurance of delivery under conditions

4. Class Selector PHBs—which are defined to maintain backward compatibility with the IP Precedence field.

vi. What is the protocol field set to?

TCP (0x06)

What does this mean?

The TCP protocol is the intended receiver of this datagram.

vii. What else did you see that was interesting about the IP packet?

Honestly, nothing.

viii. What is the framing type used?

The only “type” category I see is under Ethernet II and it is set to IP (0x800)

ix. What is the source and destination MAC addresses?

Source: 00:80:c8:15:8c:ec Destination: 00:18:39:b5:72:e5

Is this frame coming or going from your computer?

Coming to my computer

x. What else did you see that was interesting about the Frame?

Nothing.

UDP Info

b. Look at a packet that is using UDP and then answer the following:

i. What is the source port? 2369

Why is this source port used?

BMC Software CONTROL-M/Server-Configuration Agent

ii. What is the destination port? 1900

Why is this destination port used?

Simple Service Discovery Protocol

iii. What is the flag? 0x00

Why is this flag used? Reserved bit not set, don’t fragment, more fragments not set

iv. What is the source and destination IP address?

Src 192.168.1.104,

Is this packet coming or going from your computer? Yes

v. What is the Time To Live for this packet? 247

What does TTL mean? The packet can only be online for 247 hops

vi. What else did you see that was interesting about the IP packet?

It listed IPv6 as well as the IPv4 addresses.

vii. What is the framing type used? query

viii. What is the source and destination MAC addresses?

00:18:39:b5:72:e5, 01:00:5e:7f:ff:fa

Is this frame coming or going from your computer? from

ix. What else did you see that was interesting about the Frame

Nothing

TCP Packets

c. Intercept several TCP packets until you can view the three way handshake (read about this on pg 118 and 119).

What are the sequence and acknowledgement numbers on all 3 segments?

Packet 1: sequence 0, Ack 0, Packet 2 Seq. 0, Ack 1, Packet 3 Seq 1, Ack 1
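As an added example (not part of the lab or this post), the Python script below decodes from raw bytes the Ethernet II, IPv4 and TCP header fields asked about in question 1a (EtherType, MAC addresses, DSCP/ECN, TTL, protocol, IP flags, ports, TCP flags) and then reproduces the relative sequence/acknowledgement numbers Wireshark shows for the three-way handshake in 1c. The frames are constructed inside the script, reusing the addresses and ports from the post's TCP packet; the initial sequence numbers are invented.

```python
import struct

# Added example (not from the lab): decode the header fields of question 1a, then derive Wireshark-style relative seq/ack.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}
IP_FLAG_BITS = {0x8000: "Reserved", 0x4000: "Don't fragment", 0x2000: "More fragments"}

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, ttl=128, dscp=0, ecn=0):
    """Assemble a minimal Ethernet/IPv4/TCP frame (checksums left at 0; fine for offline decoding)."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), 0x0800)          # EtherType 0x0800 = IP
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20 + len(tcp), 1, 0x4000,
                       ttl, 6, 0, bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ipv4 + tcp

def parse_frame(frame):
    """Return the header fields from question 1a as a dict (IPv4 over Ethernet II, TCP payload)."""
    dst, src, eth_type = struct.unpack("!6s6sH", frame[:14])
    ver_ihl, tos, _len, _id, ff, ttl, proto, _cs, s, d = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    off = 14 + (ver_ihl & 0x0F) * 4                       # IHL is counted in 32-bit words
    sport, dport, seq, ack, off_flags, *_ = struct.unpack("!HHIIHHHH", frame[off:off + 20])
    flags = off_flags & 0x1FF                             # low 9 bits of the offset/flags word
    return {"eth_type": eth_type, "src_mac": mac(src), "dst_mac": mac(dst),
            "dscp": tos >> 2, "ecn": tos & 0x03, "ttl": ttl, "protocol": proto,
            "ip_flags": [n for bit, n in IP_FLAG_BITS.items() if ff & bit],
            "src_ip": ip(s), "dst_ip": ip(d), "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "tcp_flags": flags,
            "tcp_flag_names": [n for bit, n in TCP_FLAG_BITS.items() if flags & bit]}

def relative_seq_ack(frames):
    """Wireshark's 'relative sequence numbers': subtract each direction's ISN (seq of its first segment)."""
    isn, out = {}, []
    for p in map(parse_frame, frames):
        fwd, rev = (p["src_ip"], p["sport"]), (p["dst_ip"], p["dport"])
        isn.setdefault(fwd, p["seq"])
        acked = bool(p["tcp_flags"] & 0x10) and rev in isn     # ack field means nothing without the ACK flag
        out.append((p["seq"] - isn[fwd], p["ack"] - isn[rev] if acked else 0))
    return out

# Constructed handshake reusing the addresses from the post's TCP packet; the ISNs are made up.
CLIENT, SERVER = ("00:80:c8:15:8c:ec", "192.168.1.128", 2082), ("00:18:39:b5:72:e5", "129.68.65.66", 80)
HANDSHAKE = [
    build_frame(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], CLIENT[2], SERVER[2], 3_000_000, 0, 0x002),          # SYN
    build_frame(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], SERVER[2], CLIENT[2], 9_000_000, 3_000_001, 0x012),  # SYN, ACK
    build_frame(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], CLIENT[2], SERVER[2], 3_000_001, 9_000_001, 0x010),  # ACK
]
```

Wireshark displays 0/0, 0/1, 1/1 for the handshake because it subtracts each side's initial sequence number by default; the raw seq field on the wire is a 32-bit ISN, which is why `relative_seq_ack` has to track one ISN per direction.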

d. Intercept an ARP frame. List the following:

i. What is the destination MAC address? ff:ff:ff:ff:ff:ff

Why is this address used? Broadcast, finding out what PCs are connected.

ii. What is the source MAC address? 00:0e:08:e6:9f:fe

Why is this address used? It’s the MAC address of my PC.

iii. What is the destination IP address? 192.168.1.1

Why is this address used? It’s the address of the router.

iv. What is the source IP address? 192.168.1.104

Why is this address used? It’s my IP address.

v. Write a paragraph about anything else you learned from capturing an ARP frame.

ARP requests went out 17 times in the 30 minutes since I started this capture. I thought it was odd that it had to be updated so frequently, or so it seems. 192.168.1.1 is the router, but where is 192.186.1.100 coming from? I think the .100 is the start of the IP pool. ARP is a short burst of information.

Wireshark can be handy to detect spyware and viruses, and to track heavy network traffic to its source, e.g. a worker using a work PC to look for movies while at work. It can expose a lot of information for diagnostics when you have a bad connection or some type of network interference such as EMI, or crosstalk when network cables have been improperly installed in a drop ceiling.

Following a packet is a nice feature, along with following a connection through the filtering. Wireshark can simplify troubleshooting by capturing all this information.