Exercising the Wireshark network protocol analyzer ("packet sniffer")


1. Install needed software

Download the Wireshark packet sniffer and protocol analyzer. Go to http://www.wireshark.org to get it, and use a US mirror . A direct link you could use is http://wireshark.zing.org/download/win32/wireshark-setup-0.99.6a.exe. Run the file, accepting defaults, to install Wireshark.

Download the Windows version of netcat (nc). (It seems difficult to find on the internet since its purveyor was acquired. You can get it here, or alternatively via anonymous ftp at sputnik.smc.edu.) The file is nc11nt.zip. Unzip it. It contains nc.exe, the file of interest. Put nc.exe in c:\windows.

Download OpenSSH for Windows. Install, but when asked to choose components uncheck "Server" as you only need the client.

2. Perform a preliminary capture

Go to Start -> Run
Enter "cmd" and press the OK button.
At the resulting command prompt type "ipconfig" and press enter. Write down the dotted-quad format "IP Address" shown.

Launch Wireshark, expand it to full screen.
Go to Capture -> Interfaces.
On the line for your internet-connected NIC card interface (showing the IP address you just looked up), press the Options button.
In the resulting dialog box, find the section headed "Display Options" and check all three check boxes it contains
Find the section headed "Name Resolution" and uncheck its three check boxes.
Enter your IP Address in the text box labeled "Capture Filter:" If your address is, enter it in the form "host"
Press the "Start" button

Return to the command prompt. Type "ping". Observe resulting detection activity in Wireshark.

Return to Wireshark. Go to Capture -> Stop.

3. Get familiar with the Wireshark interface

Observe the three primary, vertically stacked panes:
 - packet list pane - one line for every packet you captured
 - packet details pane - the decoded breakdown of the selected packet
 - packet bytes pane - the actual raw content of the selected packet in hex dump format

Right click on any packet in the packet list pane. From the context menu select "Show Packet in New Window". Maximize the new window. It has only two panes, specifically for the selected packet:
 - packet details pane
 - packet bytes pane

Select any line item in the details pane and observe the change of highlight in the bytes pane. Expand the items you see and pick some sub-items. The selected line is the interpretation, or decode, telling the meaning of the highlighted bytes.
Close the single-packet new window you opened.
Wireshark understands how the protocol expresses information. The protocols that Wireshark knows are many:

Go to Analyze -> Enabled Protocols

Examine the long list, then Cancel.

Note colorization.
Go to View -> Colorize Packet List
Uncheck, note visual result, then recheck.
Go to View -> Coloring Rules. Examine, then Cancel.

4. Capture/analyze the operation of a protocol of interest:   the echo protocol

The protocol of interest is the echo protocol. It is implemented by an echo server. An echo server for you to use is running on port 7 at dmorgan.us, or other location per your instructor. An echo server uses either UDP or TCP to exchange data with a client, depending which one the client uses to send data. To understand what the echo server does, please read the RFC document that defines it. Who is J. Postel? What is ISI? Any client that sends something to an echo server is a suitable client for the echo server. A client that prints on screen what is sent back is even better, for a user. A good client is netcat.

Go to Capture -> Start, and start Wireshark again
Give the command "nc -u  <server> 7", in your command window (replace "<server>" with a domain name or IP address)
Type "hi" then enter, followed by "bye" then enter, followed by control-C, in nc.
Go to Capture -> Stop, in Wireshark
Go to Statistics -> Flow Graph, select "General flow" and press OK. Examine then close the window.

In Wireshark's packet list pane, successively highlight each of the 4 packets whose Protocol is given as ECHO. For each, in the packet details and packet bytes panes, note from and to which computers the packet traveled,  what transport layer protocol was used (below "Internet Protocol" in the details pane) and with what port numbers, and what the application payload was (final, "Echo" line in the details; expand that and also look at the highlight in the bytes pane). How many bytes of application payload (e.g., the words "hi" and "bye") were carried in each packet? how many total in all 4 packets?

Go to Statistics/Conversation List/UDP
Of how many bytes did the conversation consist? Is this the same as the total bytes of application payload you saw?

We will now start fresh using TCP instead of UDP to do the same thing.

Go to Capture -> Start, in Wireshark
Give the command " nc <server> 7"
Type "hi" then enter, followed by "bye" then enter, followed by control-C, in nc.
Go to Capture -> Stop, in Wireshark
Go to Statistics -> Flow Graph, select "TCP flow" and press OK. Examine then close the window.

In Wireshark's packet list pane, locate the packets between your computer and port 7 of the server. Successively highlight each of them, starting from the first and using the down arrow in the packet list pane, while watching the details and bytes panes to locate the application payload ("hi" and "bye").

Right click in the list on any packet belonging to the conversasion, select "Follow TCP Stream" in the context menu. In the new window that opens, client-to-server application data appears red-highlighted while server-to-client data is blue. The size of the "Entire conversation" is given. How many bytes in this conversation? Write it down. Close the Follow TCP Stream window.

Go to Statistics/Conversation List/TCP and locate the conversation you had with the server's port 7
Of how many bytes did the conversation consist? Write it down. Is this the same as the total bytes the Follow TCP Stream window gave you?

5. Create and apply a display filter

Wireshark has both "capture" and "display" filters. You already used a capture filter, confining your capture to just packets involving you ("host"). The syntax differs, even for the same thing, between the two filter types. Display filters are for after-the-fact viewing, narrowing display to only those packets that interest you. As example of syntax differences, these express the same thing:

 capture filter: host
 display filter:  ip.addr ==

The place to enter a capture filter is found in the pre-capture "Capture Options" dialog box; the place to enter a display filter is in the filter toolbar on the main interface. Wireshark can automatically create display filter expressions modeled on existing packets.

In the packet list pane select one of the packets in your captured conversation that has protocol "ECHO"
In the packet details pane right-click the protocol line labeled "Echo," click Apply as Filter, choose Selected
Clear the filter by clicking "Clear" on the filter toolbar

6. Auto-generate a rule for your firewall

Suppose you want a firewall to prohibit use of the standard echo protocol. Suppose you use use the iptables command in linux to build that firewall. You ask yourself, "What is the iptables command necessary to do the job?"

In the packet list pane select one of the packets in your captured conversation with protocol "ECHO"
Go to Analyze -> Firewall ACL Rules
In the dialog box open the Product drop-down list and select Netfilter (iptables).
Open the Filter drop-down list and select TCP port 7

The iptables syntax for what you want appears. Write it down (better, "copy" it and paste it into a file, you'll need it below).

7. Capture a cleartext password

On dmorgan.us or another server per your instructor, a "cs530" user account exists with password "Wireshark-CS530". The machine runs both telnet and ssh servers. Either will prompt you for a password and grant you a login session. Do both, one after the other, capturing them in Wireshark.

telnet   <server>


ssh   cs530@<server>

After you capture the telnet login session, locate the packets that contain the password and piece it together. Since telnet devotes a separate packet to each letter, you'll find successive packets carrying "W", "i", "r", and the other individual letters of the password. But you can find them. Make it easy on yourself, use "Follow TCP Stream". Capture that screen (PrintScrn key, Paint) showing the in-transit password, into a file named "exposed.jpg", to include in your submittal for this assignment. (Terminate the telnet session on the server with the "exit" command.) After you capture the ssh login session, try to do the same and satisfy yourself that you can't identify the password-bearing packet(s) but even if you could it is illegible. "Follow TCP Stream" makes the encryption completely obvious. (Terminate the ssh session on the server with the "exit" command.)

8. Capture an http (browse) session

On dmorgan.us or another server per your instructor an extremely simple webpage exists.

Open a browser; clear its page cache. Type in the target server name but do not press enter yet.
Go to Capture -> Start in Wireshark
In the browser, press enter to launch the http exchange
Go to Capture -> Stop in Wireshark
On any packet in the exchange right-click and select Follow TCP Stream

Observe the HTML code responsible for the page that appeared in the browser.

9. Observe protocols embodied in stored sessions

In Wireshark, view how some other protocols operate. We'll examine dhcp, kerberos, and ftp.

Browse to http://wiki.wireshark.org/SampleCaptures
Search and find files "dhcp.pcap" and "krb-816.zip"
Download them (unzip the zipped one)
Go to File -> Open in Wireshark, open and study the two sessions that were captured.

To make better sense of a capture it's useful to know the rules of the protocol you captured. For dhcp you could read the dhcp RFC document (when you have time). Who is R. Droms? For kerberos, the kerberos RFC document (when you have more time). Who is C. Neuman?

As a 3rd example, observe how ftp operates. I downloaded a file. While doing so, I captured the datastream using Wireshark then saved it.

Download, unzip, and open the capture file
Add a column showing packets' sizes; Go to Edit -> Preferences/User Interface/Columns/New
Set Title to the word "Size" and, from the dropdown list, set Format to "Packet length (bytes)"
Select the new column within the column list, and move it up so it's the second column
exit Wireshark, restart it, and reopen the file
sort the packets by size in the packet list pane by clicking on any the "Size" column title

Several of the questions in the assignment refer to the resulting screen.

The assignment:

Prepare your answers in a Microsoft Word doc file named snifflab.doc. In it, give numbered answers to these questions:

1. The number of bytes in the echo protocol exchange in section 4 above, according to the "Follow TCP Stream" window, is ________

2. The number of bytes in the echo protocol exchange in section 4 above, according to the Statistics/Conversation List/TCP window, is ________

3. The iptables command syntax to create a firewall rule against use of the standard echo protocol (Section 6 above) is:


4. J. Postel is:


5. The number of frames in section 9's datastream was ____________________

6. Their average length/size (in bytes) was  ____________________

7. The most common frame size was ____________________

8. The maximum frame size was ____________________

9. For any of the max-sized frames, the size of  its ethernet payload portion was ____________________

10. For that frame, the size of the remainder of the packet (ie, its header) was ____________________

11. For that frame (and all the others like it) Wireshark names its highest-level payload (see the packet details pane). It's ____________________

12. The oberved value of the maximum frame size is interesting. It could not be any larger because (consider the reference graphic that follows):


For reference, question 12:


13. At the bottom of your file, insert the screen capture you generated in section 7 above.