Lab 0
Introduction to Wireshark
Objective
In this lab, you shall work individually to:
1. Learn about network sniffers (e.g., Wireshark) and see how they capture and analyze
network traffic.
2. Install Wireshark in your working environment (your personal computer!).
3. Learn how to use network sniffers (i.e., Wireshark) to capture and analyze network
packets.
4. Analyze a HyperText Transfer Protocol (HTTP) exchange and the corresponding
information[1].
5. Use Wireshark’s built-in tools/services to help you better analyze network traffic.
[Figure: structure of a network sniffer on your computer. Inside the operating system, the
protocol stack (Transport (TCP/UDP), Network (IP), Link (Ethernet), Physical (CAT5, Radio))
sends packets to/from the network; the packet capture library (pcap) receives a copy of all
Ethernet frames sent/received.]
[1] We will study HTTP in this class before the deadline of this lab. However, if you have never heard about HTTP, it
is probably a good idea to read Chapter 2.2 (version 7) of the textbook before completing this lab.
[2] It is also called a Packet Sniffer within the networking community. However, it captures more than just the
Network Layer Packets. Indeed, it captures Data Link Layer frames that contain Network Layer Packets,
Transport Layer Segments, and Application Layer Messages. So, a better name is a Network Sniffer.
The figure above shows the structure of a network sniffer in your computer. At the right are
the network protocols (in this case, Internet protocols such as TCP/UDP, IP, Ethernet, etc.)
and user applications (such as a web browser or a File Transfer Protocol (FTP) client) that
normally run on your computer. The network sniffer, shown within the dashed rectangle (at
the left of the figure), is an addition to the usual network software/stack on your computer
and consists of two parts. The packet capture library (pcap) receives a copy of every Data
Link Layer Frame that is sent from and/or received by your computer. In other words, both
the user application (e.g., a web browser such as Google Chrome) and the packet sniffer
receive the same information. As you might know already, messages exchanged by higher-
layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP are all eventually encapsulated
in Data Link Layer (MAC) Frames that are transmitted as bits over physical media such as
an Ethernet cable or a Wi-Fi connection (channel). In the above figure, the assumed physical
medium is an Ethernet cable, and so all upper-layer protocols are eventually encapsulated
within an Ethernet frame (we will learn more about these protocols throughout this course).
Capturing all Data Link layer Frames thus gives you access to all the messages
sent/received from/by all the upper-layer protocols (e.g., TCP segments and
HTTP requests/responses) and applications executing on your computer.
The existence of the packet capture in your computer should give you a reason to pause and
think, particularly down two trains of thought. First, it shows that any Data Link Frame in
a shared medium (e.g., Ethernet, Wi-Fi, etc.) can be captured and examined without any
notification to the sender or receiver of the Frame. You cannot rely on common Data Link
layer protocols to protect your secrets or your privacy online. At a minimum, you should be
using encryption protocols (generally buried in the Application layer, though sometimes
found elsewhere) to protect all network traffic you generate or receive in a network.
Secondly, you can act as the “bad guy” and capture the network traffic of other network users
(in a shared channel such as Ethernet), examine it, and exploit what you find. Hence, you
need to learn to use this tool responsibly. Remember the movie quote: “With great
power comes great responsibility!” We will use a filter to ensure Wireshark does not display
traffic other than your own, but this is purely a voluntary measure. Please act ethically
and responsibly in your use of Wireshark (or any network sniffer).
The second component of a network sniffer is the Packet Analyzer (connected to the packet
capture library), which displays the contents of all fields within a protocol message for the
Data Link layer frames that are “captured” by the pcap library. To do so, the Packet
Analyzer must “understand” the structure of all messages exchanged by network protocols.
For example, suppose we are interested in displaying the various fields in requests exchanged
by the HTTP protocol. The Packet Analyzer understands the format of Ethernet Frames,
and so can identify the IP Packet within an Ethernet Frame. It also understands the IP
Packet format, so that it can extract the TCP Segment within the IP Packet. Next, it
understands the TCP Segment structure, so it can extract the HTTP message contained in
the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows
that the first bytes of an HTTP request will contain the HTTP method (GET, POST, or
HEAD). It also knows whether the message is an HTTP request or an HTTP response, the
headers in the message, the body of the message, etc.
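The layered dissection just described, as an added illustration that is not part of this handout and not Wireshark’s own code: a short Python script builds one constructed Ethernet/IPv4/TCP/HTTP frame (RFC 5737 documentation addresses and made-up MAC addresses), stores it in the classic libpcap file format, reads it back, and walks the encapsulation the way a chain of dissectors does, checking the IP header checksum on the way.

```python
"""Toy network-sniffer pipeline: build one Ethernet/IPv4/TCP/HTTP frame, store it in
libpcap format, read it back and dissect it layer by layer the way Wireshark does."""
import struct
from typing import Any, Dict, Iterator, List, Tuple

ETH_P_IP = 0x0800        # EtherType for IPv4
IPPROTO_TCP = 6          # IP protocol number for TCP
PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_http_get_frame() -> bytes:
    """Constructed sample frame (not a capture): GET / to captive.apple.com. Uses RFC 5737
    documentation IPs and made-up MACs; the TCP checksum is left at zero for brevity."""
    http = (b"GET / HTTP/1.1\r\n"
            b"Host: captive.apple.com\r\n"
            b"User-Agent: constructed-sample/1.0\r\n"
            b"Accept-Language: en-US,en\r\n\r\n")
    # TCP: ports, seq, ack, data offset 5 words + PSH/ACK, window, checksum, urgent pointer
    tcp = struct.pack("!HHIIHHHH", 52314, 80, 1, 1, (5 << 12) | 0x018, 65535, 0, 0) + http
    # IPv4: ver/IHL, TOS, total length, id, DF flag, TTL, protocol, checksum (0), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                         IPPROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455")  # dst, src MAC
    return eth_hdr + struct.pack("!H", ETH_P_IP) + ip_hdr + tcp

def write_pcap(records: List[Tuple[int, int, bytes]]) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) records: a 24-byte global header, then a 16-byte
    record header followed by the captured bytes for every frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp in seconds, frame bytes) for every record in the file."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet pcap")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len

def dissect(frame: bytes) -> Dict[str, Any]:
    """Walk the encapsulation Ethernet -> IPv4 -> TCP -> HTTP, one dissector per layer."""
    info: Dict[str, Any] = {"frame.len": len(frame)}
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info.update({"eth.dst": dst.hex(":"), "eth.src": src.hex(":"), "eth.type": ethertype})
    if ethertype != ETH_P_IP:
        return info                      # e.g. ARP: nothing above Ethernet that we parse
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    info["ip.src"] = ".".join(map(str, ip[12:16]))
    info["ip.dst"] = ".".join(map(str, ip[16:20]))
    info["ip.proto"] = ip[9]
    info["ip.checksum.ok"] = ip_checksum(ip[:ihl]) == 0   # a valid header sums to zero
    if ip[9] != IPPROTO_TCP:
        return info
    tcp = ip[ihl:total_len]
    info["tcp.srcport"], info["tcp.dstport"] = struct.unpack_from("!HH", tcp, 0)
    payload = tcp[(tcp[12] >> 4) * 4:]
    if info["tcp.dstport"] == 80 and payload[:4] in (b"GET ", b"POST", b"HEAD"):
        request_line, _, rest = payload.partition(b"\r\n")
        method, uri, version = request_line.decode("ascii").split(" ")
        headers = {}
        for line in rest.split(b"\r\n"):
            if not line:
                break                    # the blank line ends the header block
            name, _, value = line.decode("ascii").partition(": ")
            headers[name.lower()] = value
        info.update({"http.request.method": method, "http.request.uri": uri,
                     "http.request.version": version, "http.host": headers.get("host"),
                     "http.user_agent": headers.get("user-agent")})
    return info

def roundtrip() -> List[Dict[str, Any]]:
    """Write the sample frame to an in-memory pcap, read it back and dissect each record."""
    pcap = write_pcap([(1700000000, 250000, build_http_get_frame())])
    return [{**dissect(frame), "frame.time": ts} for ts, frame in read_pcap(pcap)]
```

Calling `roundtrip()` returns one record whose keys mirror the field names Wireshark shows in the packet-header window (eth.src, ip.dst, tcp.dstport, http.host, ...).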
We will be using the Wireshark network sniffer (wireshark.org) for ALL the lab
assignments in the class. Wireshark allows us to display the contents of messages being
sent/received from/by protocols at different levels of the protocol stack in your local
computer (Application, Transport, Network, and Data Link layers). Technically speaking,
Wireshark is a packet analyzer that uses a packet capture library on your
computer. Wireshark is a free network protocol analyzer that runs on Apple, Windows,
and Linux/Unix computers. It is an ideal packet analyzer for our labs – it is stable, has a large
user base, and has well-documented support that includes a user guide (wireshark.org/docs/
wsug_html_chunked), manual pages (wireshark.org/docs/man-pages), and a detailed FAQ
page (wireshark.org/faq.html). Wireshark has rich functionality that includes the capability
to analyze hundreds of protocols and a well-designed user interface.
Procedures
1. The first step in this Lab is to get Wireshark!
1. To run Wireshark, you will need to have access to a computer that supports both
Wireshark and the libpcap or WinPcap packet capture library. The libpcap
software will be installed for you if it is not already installed within your Operating System
(OS) when you install Wireshark. See wireshark.org/download.html for a list of
supported OSes and download sites.
2. Download the Wireshark binary from wireshark.org/download.html for your
corresponding OS and install it. If allowed by your computer setup, use the latest
version of Wireshark. Make sure to also download the Wireshark user guide (for your
Wireshark version) for your reference.
3. The Wireshark FAQ has several helpful hints and interesting tidbits of information,
particularly if you have trouble installing or running Wireshark.
4. You MAY need to disable anti-virus protection software (McAfee, I am looking at
you!) before your IP address will show up in the captured data.
5. You should be connected to an Ethernet (wired) connection. In all the following
Labs we will use a wired connection. So, please use one in this Lab as well so you do
not have any issues when working with the course’s Network Testbeds (the “Racks”)
in future labs[3].
2. Run Wireshark
1. When you run the Wireshark application, the Wireshark graphical user interface will
be displayed. Initially, no data will be displayed in the various windows.
By the way, the pictures I show in this lab guide may differ, perhaps substantially, from the
interface you see on your computer, depending on your installed version and operating
system. Once again, a key feature of solving the labs is to be flexible!
[3] There are USB adaptors (“dongles”) and Ethernet cables available in a little basket next to the “Rack” (INI
Building 2nd Floor, Quiet Study Room). If you use these adaptors and cables, please do not remove them from the
Rack and use them only inside the Quiet Study Room (Please, do NOT take the cables or adapters outside the
INI!). If using an Ethernet connection within the CMU campus, you will need to complete the steps posted on
Piazza.
[Figure: the main Wireshark window, showing the listing of captured packets (top), the
details of the selected packet header (middle), and the packet content in ASCII and
hexadecimal (bottom).]
1. The command menus are standard pulldown menus located at the top of the
window or in your menu bar (not shown in the figure above). Also included is a
toolbar (shown in the figure). Of interest to us now are the File, Capture,
Analyze, and Statistics menus. The File menu allows you to save
captured packet data or open a file containing previously captured packet data (a
PCAP file), and exit the Wireshark application. The Capture menu allows you
to begin packet capture. The Analyze and Statistics menus can be very
useful when analyzing your captured data to answer the questions in the different
labs!
2. The packet-listing window displays a one-line summary for each captured
packet, including the packet number (assigned by Wireshark; this is not a packet
number contained in any protocol’s header), the local time (from your computer)
at which the packet was captured, the packet’s source and destination addresses,
the protocol type, the length, and protocol-specific information contained in the
packet. You can add additional columns of information to display for each packet (you
can check the Wireshark documentation on how to do this). The packet listing
can be sorted according to any of these categories by clicking on a column name.
3. The packet-header details window provides details about the packet selected
(highlighted) in the packet-listing window. (To select a packet in the packet-listing
window, place the cursor over the packet’s one-line summary in the packet-listing
window and click on it.) These details include information about all the network
layers (e.g., Application, Transport, Network, and Data Link) contained in the
captured Data Link Layer Frame. For instance, an Ethernet Frame (assuming the
packet was sent/received over an Ethernet interface) contains the IP Datagram,
the TCP Segment, and the Application Messages (e.g., HTTP request). The
amount of Ethernet and IP-layer detail displayed can be expanded or minimized
by clicking on the arrow boxes to the left of the Ethernet Frame or IP Datagram
line in the packet details window. If the packet has been carried over TCP or
UDP, those details will also be displayed and can similarly be expanded or
minimized. Finally, details about the highest-level protocol that sent or received
this packet are also provided. For instance, you can analyze the contents of an
HTTP request and its corresponding HTTP response.
4. The packet-contents window displays the entire contents (or a specific
portion) of the captured frame, in both ASCII and hexadecimal format. If you
click on one of the packet layers (e.g., Ethernet) in the packet-header window, the
bytes of that specific header will be displayed and highlighted here.
5. Towards the top of the Wireshark graphical user interface is the packet display
filter field, into which a protocol name or other information can be entered to
filter the information displayed in the packet-listing window (and hence the
packet-header and packet-contents windows). In the example below, we will use
the packet-display filter field to have Wireshark hide (not display) all packets
except those that correspond to HTTP messages (requests and responses).
3. Take Wireshark for a “Test Run.” The best way to learn about any new piece of
software is to try it out! Do the following:
1. Start up your favorite web browser[4], which will display your selected homepage.
2. If you are using a proxy (especially a host-based one), disable it if possible. You want
to examine uncached network tra c going from your computer to the servers.
3. Start up the Wireshark application. You will initially see a window similar to that
shown above, except that no packet data will be displayed in the packet-listing,
packet header, or packet-contents window since Wireshark has not yet begun
capturing packets.
4. To begin packet capture, select the Capture pull-down menu and select Options.
This will cause the Wireshark - Capture Options window to be displayed.
There are three sections to this window: Input, Output, and Options, as shown
below.
The Input window allows you to select which of your computer’s interfaces you will use for
capture. You can see that the computer where I took this screenshot has Wi-Fi and a bunch of
Ethernet interfaces, as well as the loopback interface. Only one of them is in use, so I will
pick that one. The Input window also allows you to specify a capture filter (this is different
from the packet display filter that we saw before). You will need to use Promiscuous mode in
all the labs, so make sure it is selected as an option when selecting the correct interface.
The Output window lets you choose to dump all the collected packets into a file. This is handy
for scripting (Would you not love to grab a 5 MB capture file at midnight every night? Who
would not?). Note that you can limit the file sizes. I generally do not touch anything in this
window.
[4] We recommend using Google Chrome in this lab as it has proven to be stable and works well in all environments.
5. You can use most of the default values in the Options window, but we advise you to
check Show capture information during live capture. This option
will help you in the labs to have a summary of the type of packets (e.g., TCP) being
captured in real-time. The network interfaces (i.e., the physical connections) that
your computer has to the network will be shown in the Interface pull-down menu
at the top of the Capture Options window. In case your computer has more than one
active network interface (e.g., if you have both a wireless and a wired Ethernet
connection), you will need to select an interface that is being used to send and
receive packets. After selecting the network interface, click Start. Packet capture
will now begin - all packets visible to your network interface (including those being
sent/received from/by your computer) are now being captured by Wireshark!
6. Note: Depending on your Wireshark version and your operating system, the Wireshark -
Capture Information window might not appear. Once you begin packet capture, a packet
capture summary window will appear. This is the window that you decided not to hide in
the previous step. This window summarizes the number of packets of various types
(different protocols) that are being captured, and (importantly!) contains the Stop Capture
button[5] that will allow you to stop packet capture. Do NOT stop packet capture yet.
[5] You can also stop the capture from the Capture menu or with the “stop” button in the toolbar.
7. While Wireshark is running, enter the URL http://captive.apple.com and have that
page displayed in your browser. Make sure to clear your browser cache if you have
previously displayed this webpage -- you want to get it across the Internet, not from
your cache. To display this page, your browser will contact the HTTP server at
captive.apple.com and exchange HTTP messages with the server to download this
(very simple) webpage, as discussed in section 2.2 of the text. The Ethernet Frames
containing these HTTP messages will be captured by Wireshark.
8. After your browser has displayed the (very simple) webpage, stop the Wireshark
packet capture. This will cause the Wireshark capture window to disappear and the
main Wireshark window to display all packets captured since you began packet
capture. You now have live packet data that contains all protocol messages exchanged
between your computer and other network entities! The HTTP message exchanges
with the Apple web server should appear somewhere in the listing of packets
captured. But there will be many (many!) other types of packets displayed as well
(e.g., the many different protocol types shown in the Protocol column). Even though
the only action you took was to download a web page, many other protocols were
running on your computer, unseen by the user (as well as data sent via various
protocols by other computers on your network). We will learn much more about
these protocols as we progress through the course! For now, you should just be
aware that there is often much more going on than “meets the eye”!
9. Type in http (all protocol names are in lowercase in Wireshark) into the display filter
specification window at the top of the main Wireshark window. Then select Apply
display filter (white and blue arrow) in the filter toolbar. This will cause only
the HTTP messages to be displayed in the packet-listing window. Add the filter
ip.src == <your IP address> || ip.dst == <your IP address> to filter
out traffic that is not going to or from your computer. This will keep other people’s
traffic private and get rid of lots of HTTP exchanges from other computers that you
do not care about. Filters are combined with C operators. For example, if your IP
address is 169.1.19.87, then your filter should be http && (ip.src ==
169.1.19.87 || ip.dst == 169.1.19.87).
10. Select the first HTTP GET message that was sent from your computer (i.e., Web
Browser) to the captive.apple.com HTTP server.[6] When you select the HTTP GET
message, the Ethernet Frame, IP Datagram, TCP Segment, and HTTP Message
header information will be displayed in the packet header window.[7] By clicking the
arrows at the left side of the packet details window, minimize the amount of Frame,
Ethernet, Internet Protocol, and Transmission Control Protocol information
displayed. Maximize the amount of information displayed about the Hypertext
Transfer Protocol (HTTP). Your Wireshark display should now look roughly
like the figure below. (Note, in particular, the minimized amount of protocol
information for all protocols except HTTP, and the maximized amount of protocol
information for HTTP in the packet-header window.) As you can see, the HTTP
request contains all the information related to the request (e.g., accepted language,
HTTP version, accepted encoding, details about the web browser and host, etc.)
[6] You may have other applications and services running on your computer that use HTTP. In such a case, you will
have to dig through them and figure out which was the first HTTP GET message being sent to the Apple servers.
[7] Recall that the HTTP GET message that is sent to the web server is contained within a TCP Segment, which
is contained in an IP Datagram, which is encapsulated in an Ethernet Frame. If this process of encapsulation is
not quite clear yet, review section 1.5 in the textbook.
11. To use Wireshark effectively, you need to learn how to filter the results so you are not
wading through too much data. Wireshark uses two different kinds of filters, one to
filter the results that get captured and another to filter the results that are
displayed. Unfortunately, the two use different languages to specify the filter.
You have already been introduced to display filters using a C-like set of operators.
You can also use more English-like terms to describe the same operators. For
instance, the filter you used earlier, http && (ip.src == 169.1.19.87 ||
ip.dst == 169.1.19.87), can also be specified as http and (ip.src eq
169.1.19.87 or ip.dst eq 169.1.19.87). Another powerful operator you
should know about is contains which, as you might have guessed, does a substring
match. The actual values being compared can come from any of the protocols and
any of the protocol fields that Wireshark knows about (called “dissectors” in
Wireshark lingo). So, you might search for HTTP traffic from Macintosh computers
with http.user_agent contains AppleWebKit. Take a look at the Wireshark
User Manual about Display filters.
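To make the two filter spellings above, the contains operator, and the fact that a Wireshark field can hold several values (ip.addr carries both the source and the destination address) concrete, here is an added toy evaluator; it is neither Wireshark’s code nor part of this handout. It parses a small subset of the display-filter language and runs it over a handful of constructed packet summaries (the 169.1.19.87 address is the handout’s example; 203.0.113.5 is a made-up documentation address). In this evaluator != keeps the classic any-value-differs reading; Wireshark 3.6 and later changed != to mean !(a == b) and spell the any-value-differs comparison !==, so check the Display Filter chapter of the User Guide for your version.

```python
"""Toy evaluator for Wireshark-style display filters over constructed packet summaries.
As in Wireshark, a field may hold several values: ip.addr carries source and destination."""
import re
from typing import Dict, List

# Constructed packet summaries (not a capture). An empty list, e.g. "http": [], marks a
# protocol as present; every other field maps to its list of values.
PACKETS: List[Dict[str, List[str]]] = [
    {"ip": [], "tcp": [], "http": [], "ip.src": ["169.1.19.87"], "ip.dst": ["203.0.113.5"],
     "ip.addr": ["169.1.19.87", "203.0.113.5"], "http.request.method": ["GET"],
     "http.user_agent": ["Mozilla/5.0 (Macintosh) AppleWebKit/605.1.15"]},
    {"ip": [], "tcp": [], "http": [], "ip.src": ["203.0.113.5"], "ip.dst": ["169.1.19.87"],
     "ip.addr": ["203.0.113.5", "169.1.19.87"], "http.response.code": ["200"]},
    {"ip": [], "udp": [], "dns": [], "ip.src": ["169.1.19.44"], "ip.dst": ["169.1.19.1"],
     "ip.addr": ["169.1.19.44", "169.1.19.1"]},
    {"arp": []},  # no IPv4 header at all, so this packet has no ip.addr values
]

TOKEN = re.compile(r'\s*(\(|\)|&&|\|\||!=|==|!|[A-Za-z_][\w.]*|[0-9][\w.:]*|"[^"]*")')
KEYWORDS = {"and": "&&", "or": "||", "not": "!", "eq": "==", "ne": "!="}  # English spellings

def tokenize(text: str) -> List[str]:
    """Split a filter into tokens, mapping the English operator spellings onto the C ones."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"cannot parse filter near {text[pos:]!r}")
        tokens.append(KEYWORDS.get(match.group(1), match.group(1)))
        pos = match.end()
    return tokens

class Parser:
    """expr := term (|| term)*; term := factor (&& factor)*; factor := ! factor | ( expr ) | field [op value]"""
    def __init__(self, tokens: List[str]):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        if self.peek() is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def expr(self):
        node = self.term()
        while self.peek() == "||":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "&&":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        tok = self.take()
        if tok == "!":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if self.peek() in ("==", "!=", "contains"):
            return (self.take(), tok, self.take().strip('"'))   # (op, field, value)
        return ("present", tok)                                 # bare protocol name

def evaluate(node, pkt: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "present":
        return node[1] in pkt
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind in ("and", "or"):
        left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
        return (left and right) if kind == "and" else (left or right)
    _, field, value = node
    values = pkt.get(field, [])
    if kind == "==":
        return any(v == value for v in values)   # true if ANY value of the field matches
    if kind == "!=":
        return any(v != value for v in values)   # classic reading: true if ANY value differs
    return any(value in v for v in values)       # contains: substring match on any value

def apply_filter(text: str, packets=PACKETS) -> List[int]:
    """Return the 1-based numbers of the packets the filter would leave displayed."""
    parser = Parser(tokenize(text))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [n for n, pkt in enumerate(packets, 1) if evaluate(tree, pkt)]
```

Comparing apply_filter("!(ip.addr == 169.1.19.87)") with apply_filter("ip.addr != 169.1.19.87") over these packets shows why the two negations select different packets: the second is true for any IPv4 packet whose other address differs, and false for the ARP packet that has no ip.addr at all.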
12. The capture time of each packet is quite important, so it is displayed in the packet
listing area as the second column (Time). By default, this time is the "number of
seconds since the beginning of capture." However, you have control over what is displayed.
Explore the View ➙ Time Display Format menu to see display formats as well
as precision choices. Also of interest is the ability to change the time reference so
that all times are displayed relative to the capture time of a chosen packet. First,
choose a packet from the display list by clicking on it. Then, go to Edit ➙
Set/Unset Time Reference, which will toggle your choice to use the chosen
packet as the reference. When set, you will see the time for that packet changed to
*REF*. All other packets’ times[8] are now shown as seconds before or after the
capture of that reference packet[9]. This is a particularly handy way to figure out
round-trip time (RTT). Set the first HTTP request (GET) packet as the reference,
then find the first HTTP response packet. The time given on the HTTP reply will
be the number of seconds it took, from the request packet, for the reply to arrive. No
arithmetic calculations were necessary!
13. The display filter language is also used to define rules that Wireshark uses to assign
colors to particular packets in the user interface. Take a look at “Customizing
Wireshark” in the Wireshark User Guide to learn about coloring rules. Using the
captured packets, practice temporary color changes by selecting a packet and then
pressing <ctrl> 1, <ctrl> 2 (<cmd> for Apple users), etc. Also, examine the
coloring rules dialog and experiment with defining permanent coloring rules (you
might want to export the default set of coloring rules before messing around with
them).
14. Capture filters are also quite useful. They let you restrict the amount of data you
collect in the first place, whereas display filters do not change the contents of the
data that Wireshark collects, merely which of the packets that have been captured
are displayed in the packet-listing window. Capture filters are entered in the Filter
field of the Capture Options dialog box. The capture filter language is based on
tcpdump and requires a bit more protocol knowledge to use (e.g., the port number
of HTTP traffic). For now, simply experiment with host <ip address> to ensure
you do not capture data from other network users.
15. Exit Wireshark.
Congratulations! You have now completed setting up an important network engineering
tool and learning a bit about its operation.
Turn-in
The goal of this first lab is primarily to introduce you to Wireshark. The following questions
will demonstrate that you have been able to get Wireshark up and running, have explored
some of its capabilities, and understand what is being presented to you by analyzing HTTP
web interactions.
Answer the following questions, based on your Wireshark experimentation. Make sure to
answer fully in your report. Include screenshots and annotations to illustrate where
you got the data in ALL questions. Remember, you are looking at live network data and the
graders do not have access to the same view you have. So, you MUST use descriptions,
screenshots, and annotations to prove to them that you know what you are
talking about in EACH question of this lab (and ALL following labs).
0. Go back and re-read the "Some Comments About (All) Lab Reports" section. Make
sure that you fully understand what is expected from you when creating a Lab Report for
each of the Labs in this class, including this initial lab (Lab 0).
1. List up to ten (10) different protocols that appear in the Protocol column in the
unfiltered packet-listing window in step 3.7 above. As I do not have control over the
data flowing over your network at the time of your lab, I do not know exactly how many
and what protocols those will be. I do expect that you have a bunch (if fewer than five
(5), please look harder). Just list out those that you see, but do not bother to list
more than ten (10). (5 Points)
2. In step 3.7 of the procedures, how long did it take from when the first HTTP GET
message was sent until the first HTTP OK reply was received? What about the time
from when the second HTTP GET was sent until the second HTTP OK for that request
was received? What is the total time from the first HTTP GET request until the last
HTTP response was received in the interaction between your computer and the Apple
servers? Include the necessary screenshots and describe where you got ALL the data to
answer this question. (15 Points)
3. Again using the link in step 3.7, what is the Internet address (IP address) of the Apple
captive server? What is the Internet address of your computer[10]? (This might be a
private address if you are behind a NAT device. No worries, we will learn about that
later!) Include a screenshot and describe where you got the data to answer this
question. (10 Points)
4. Let’s analyze the first HTTP request (GET) and HTTP reply for the connection
between your computer and the Apple servers (step 3.7 in the procedure). What HTTP
version is your browser (e.g., Google Chrome) running? What version of HTTP is
Apple’s server running? What languages (e.g., English (en)), if any, does your browser
indicate to the server that it can accept? What is the status code returned from the
server to your browser when replying to your request? What is the meaning of this
code? When was the HTML file that you are retrieving last modified at the server?
How many bytes of content (Content-Length) are being returned to your browser? (15
points)
5. How many packets did you capture (the total of all protocols, not just HTTP)? Now,
use display filters to determine how many packets contain your IPv4 address[11] (hint: Use
ip.addr to filter for your IPv4 address instead of the clumsy ip.src or ip.dst
format I taught you in Step 3.8). What is this filter you used? Now, reverse the filter to
determine how many packets do not contain your IPv4 address. There are two ways to
reverse the filter (depending on where you put the not in the filter) and they give
different numbers. What are the two ways to reverse the filter and which one gives the
correct answer? Why does the other way give a wrong answer? Hint: ip.addr implies
using IPv4 (version 4 of the Internet Protocol). (15 Points)
[10] Apple supports IPv6 for some connections. If your computer is using IPv6 to connect to the Apple server that is
fine. You will have to report your findings. If you want, you can repeat the steps at the CMU campus where you are
more likely going to use an IPv4 address. Either IPv4 or IPv6 addresses are valid for this exercise and this lab.
[11] If your computer is using IPv6, report on your IPv6 findings.
6. Use your newly acquired Wireshark skills to start a new capture process to get the
network data when your browser loads the homepage of the University of Washington
(http://www.washington.edu). Make sure to type http:// in the address bar so that you
get the HTTP version of the page, not the HTTPS version[12]. Stop your capture before
you start your analysis. You can use any tool/service offered by Wireshark to
answer these questions (In fact, we encourage you to explore the Wireshark tools/
services to better filter your data and answer the questions!) How many packets did you
capture from the University of Washington only (hint: you might need to use some
display filters to only see the packets from your computer to the University of
Washington server)? Are all of them HTTP? How many HTTP requests did you make?
Are all the replies "200 OK"? Did you find anything else interesting? Please ensure you
have examined this packet capture in detail, using appropriate Wireshark functionality.
Write up what you saw (please include screen captures where necessary). (25 Points)
7. An essential skill when using Wireshark is to unlock its full potential to
help you with your analysis. Using the data you captured in the previous question
(question 6), display only the HTTP traffic between your computer and the University
of Washington server. Now, using the Statistics drop-down menu, use one of the
available tools to answer these questions: What is the total number of captured packets
in your file? How many packets are currently being displayed (in number of packets and
percentage)? What is the average packet size (in Bytes (B)) for both the captured and
displayed packets? What is the average throughput of both captured and displayed
packets (in both bytes/s and bits/s)? What tool in the Statistics drop-down menu
provided you with all this information? (10 points)
8. Wireshark allows you to display as much information as you need, including the
Columns that you want to observe/analyze. Using the Wireshark documentation, add a
new column to your packet-listing window to display the Cumulative Bytes. How
did you do this? Using the data from question 6, filter the HTTP traffic from your
computer to the University of Washington server. Using only the packet-listing window
and the Column data, answer the following questions (you might also want to use some
packets as time references): What is the total time from the very first HTTP
request to the last HTTP response in the interaction between your computer and the
University of Washington server? How many bytes were exchanged in the whole
interaction (from the very first HTTP request to the last HTTP response)? How did
you obtain/analyze this information? (5 points)
[12] For some Mac users, Safari might not allow you to get the HTTP version of the webpage.
We have just scratched the surface of what Wireshark can do to help you analyze network data. My
advice for all future labs is to learn how to use Wireshark effectively to help you in your
analysis of the data. In particular, learn all the useful tools/services available in the Statistics
and Analyze drop-down menus!
Lab Report
Write a report of your interactions and answer the questions. Make sure to include enough
details to ensure we understand that you understand what is going on. For instance, your
(many, many, many) included screenshots should probably be annotated to show
where a number came from -- do not assume that because you know how to read a
Wireshark screen we know that you know it. Our graders will not make that assumption.
So, prove it to us by describing/annotating every value you find in Wireshark
and your screenshots.
Turn in your answers in a single PDF le and submit it to the Lab0 “Assignment” on
Gradescope. Make sure to submit your answers — every year we seem to get one student
who submits this handout instead (and thus gets a zero score. Ooops!)
In Gradescope, map the questions in the assignment to the corresponding page(s)
in your document (i.e., Lab Report). Students who fail to map a question
correctly will lose all the points for that question[13].
Do not forget to save (and name) all your PCAP files for your future analysis.
[13] If you have never done this, here is a video that shows the process: https://youtu.be/nksyA0s-Geo?t=117