Lab Manual 2
TCP/IP Model:
Although the OSI 7-layer model is accepted as the ideal model, in reality the TCP/IP model is
used in most internet networks. TCP/IP protocols map to a four-layer conceptual model. Details
will be covered in theory class.
Figure: Comparison of OSI model and TCP/IP Model and their logical over view.
Courtesy of GURU99.com
Figure: The logical mapping between OSI basic reference model and the TCP/IP stack
Courtesy of Researchgate
Network Packet:
A network packet is a formatted unit of data carried by a packet-switched network. When
data is formatted into packets, packet switching is possible and the bandwidth of the
communication medium can be better shared among users than with circuit switching.
IP packets will be covered in detail in class. To know more about them, please check
out the link https://www.tutorialspoint.com/ipv4/ipv4_packet_structure.htm
Communication Protocol:
In telecommunications, a communication protocol is a system of rules that allows two or more
entities of a communications system to transmit information via any kind of variation of a
physical quantity. These rules or standards define the syntax, semantics and
synchronization of communication and possible error recovery methods. Protocols may be
implemented by hardware, software, or a combination of both.
A few of the protocols we’ll be dealing with in this lab:
TCP - The Transmission Control Protocol (TCP) uses a set of rules to exchange
messages with other Internet points at the information packet level.
UDP - The User Datagram Protocol (UDP) is one of the core members of the Internet
protocol suite. UDP uses a simple connectionless transmission model with a
minimum of protocol mechanism.
DHCP - The Dynamic Host Configuration Protocol (DHCP) is a standardized network
protocol used on Internet Protocol networks, in which a DHCP server dynamically distributes
network configuration parameters, such as IP addresses, for interfaces and services.
HTTP - The Hypertext Transfer Protocol (HTTP) is an application protocol for
transporting web content over the network.
FTP - The File Transfer Protocol (FTP) is a standard network protocol used to transfer
computer files between a client and server on a computer network.
SSH - Secure Shell (SSH) is a cryptographic network protocol for operating network
services securely over an unsecured network. The best known example application is
for remote login to computer systems by users.
These are a few of the basic protocols; many other protocols are used in telecommunication and
computer networks. To learn about more protocols you can visit this link,
https://en.wikipedia.org/wiki/Transmission_Control_Protocol.
Packet Sniffing
One’s understanding of network protocols can often be greatly deepened by “seeing
protocols in action” and by “playing around with protocols” – observing the sequence of
messages exchanged between two protocol entities, delving down into the details of
protocol operation, and causing protocols to perform certain actions and then observing
these actions and their consequences. This can be done in simulated scenarios or in a
“real” network environment such as the Internet. In the Wireshark labs you’ll be doing in
this course, you’ll be running various network applications in different scenarios using
your own computer.
The basic tool for observing the messages exchanged between executing protocol
entities is called a packet sniffer. As the name suggests, a packet sniffer captures
(“sniffs”) messages being sent/received from/by your computer; it will also typically
store and/or display the contents of the various protocol fields in these captured
messages. A packet sniffer itself is passive. It observes messages being sent and
received by applications and protocols running on your computer, but never sends
packets itself. Similarly, received packets are never explicitly addressed to the packet
sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received
from/by applications and protocols executing on your machine.
The packet capture library receives a copy of every link-layer frame that is sent from or
received by your computer. Recall from the discussion in section 1.5 in the text
(Figure 1.241) that messages exchanged by higher layer protocols such as HTTP, FTP,
TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames that are
transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed
physical media is an Ethernet, and so all upper-layer protocols are eventually
encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all
messages sent/received from/by all protocols and applications executing in your
computer.
Figure 1: Structure of a packet sniffer: the packet analyzer and packet capture library sit
beside the operating system’s protocol stack (Transport (TCP/UDP), Network (IP), Link
(Ethernet), Physical).
The second component of a packet sniffer is the packet analyzer, which displays the
contents of all fields within a protocol message. In order to do so, the packet analyzer
must “understand” the structure of all messages exchanged by protocols. For example,
suppose we are interested in displaying the various fields in messages exchanged by
the HTTP protocol in Figure 1. The packet analyzer understands the format of Ethernet
frames, and so can identify the IP datagram within an Ethernet frame. It also
understands the IP datagram format, so that it can extract the TCP segment within the
IP datagram. Finally, it understands the TCP segment structure, so it can extract the
HTTP message contained in the TCP segment. Lastly, it understands the HTTP
protocol and so, for example, knows that the first bytes of an HTTP message will
contain the string “GET,” “POST,” or “HEAD.”
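The layer-by-layer decapsulation just described, as an added example (not code from the lab manual or from Wireshark): a minimal packet analyzer that peels a constructed Ethernet frame into its IPv4 datagram, TCP segment and HTTP message using Python's struct module. The MAC and IP addresses are made-up sample values and the checksums are left at zero.

```python
import struct

# Added example, not from the lab manual: a minimal packet analyzer that peels
# an Ethernet frame -> IPv4 datagram -> TCP segment -> HTTP message in the
# order the text describes. The frame is constructed by hand below so the
# script runs offline without a capture library (checksums left at zero).
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET", b"POST", b"HEAD")

def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def analyze_frame(frame):
    """Return the fields an analyzer would display for one link-layer frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"eth.dst": mac_str(dst), "eth.src": mac_str(src), "eth.type": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                          # not IP: stop at the link layer
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update({"ip.src": ip_str(ip[12:16]), "ip.dst": ip_str(ip[16:20]),
                 "ip.proto": ip[9]})
    if ip[9] != IPPROTO_TCP:
        return info                          # UDP/DNS would need another decoder
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4         # TCP header length in bytes
    info.update({"tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq})
    payload = tcp[data_off:]
    # Application layer: recognise an HTTP request by its leading method token
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        info["http.request"] = payload.split(b"\r\n", 1)[0].decode()
    return info

def build_http_get_frame():
    """Constructed sample: 'GET / HTTP/1.1' from 10.0.0.5:52100 to 192.0.2.80:80."""
    payload = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    tcp = struct.pack("!HHIIHHHH", 52100, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1,
                     0x4000, 64, IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 80]))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload
```

Calling analyze_frame(build_http_get_frame()) yields the same field names Wireshark shows in its details pane (eth.src, ip.dst, tcp.dstport, and so on).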
HTTP Status Codes (2xx Success):
200 OK
Standard response for successful HTTP requests. The actual response will depend on the
request method used. In a GET request, the response will contain an entity corresponding to the
requested resource. In a POST request, the response will contain an entity describing or
containing the result of the action.[7]
201 Created
The request has been fulfilled, resulting in the creation of a new resource.[8]
202 Accepted
The request has been accepted for processing, but the processing has not been completed. The
request might or might not be eventually acted upon, and may be disallowed when processing
occurs.[9]
203 Non-Authoritative Information
The server is a transforming proxy (e.g. a Web accelerator) that received a 200 OK from its
origin, but is returning a modified version of the origin's response.[10][11]
204 No Content
The server successfully processed the request and is not returning any content.[12]
205 Reset Content
The server successfully processed the request, but is not returning any content. Unlike a 204
response, this response requires that the requester reset the document view.[13]
206 Partial Content
The server is delivering only part of the resource (byte serving) due to a range header sent by
the client. The range header is used by HTTP clients to enable resuming of interrupted
downloads, or split a download into multiple simultaneous streams.[14]
207 Multi-Status (WebDAV; RFC 4918)
The message body that follows is an XML message and can contain a number of separate
response codes, depending on how many sub requests were made.[15]
208 Already Reported (WebDAV; RFC 5842)
The members of a DAV binding have already been enumerated in a previous reply to this
request, and are not being included again.[16]
226 IM Used (RFC 3229)
The server has fulfilled a request for the resource, and the response is a representation of the
result of one or more instance-manipulations applied to the current instance.[17]
Getting Wireshark
In order to run Wireshark, visit the link http://www.wireshark.org/download.html.
The site has its installation guidelines. The Wireshark FAQ has a number of helpful hints and
interesting tidbits of information, particularly if you have trouble installing or running Wireshark.
Primary Features:
Wireshark has the ability to sniff incoming and outgoing packets within the network. If the
network adapter has promiscuous mode (explained below) enabled, this software can sniff packets
coming from and going to other computers connected to the local network.
Promiscuous Mode:
In a network, promiscuous mode allows a network device to intercept and read each network
packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop
server that captures and saves all packets for analysis (for example, for monitoring network usage).
A normal adapter only receives frames sent to its own MAC address or to the broadcast address
FF-FF-FF-FF-FF-FF. With promiscuous mode enabled, the network controller passes up every frame,
so the computer can receive everything, independent of the destination MAC. This is what makes
it useful for packet sniffing.
Running Wireshark:
Wireshark’s initial graphical user interface is shown in Figure 6. After selecting a
network interface, the main window for packet sniffing appears.
Figure 6: User interface of Wireshark
Protocol Filter – Filter by protocol type by typing the protocol’s short form in the filter
input box, i.e. http, tcp, udp etc.
Source IP Filter – Filter by source IP with ip.src == "ip address"
Destination IP Filter – Filter by destination IP with ip.dst == "ip address"
Compound Filter – Combine the filters above using logical conjunction operators (and).
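The filter types listed above, as an added example (not part of the manual and not Wireshark's own filter engine): a small Python evaluator that applies protocol-name filters, ip.src / ip.dst comparisons and compound filters joined with and / or to constructed packet summaries, so the matching rules can be checked without a live capture. The packet summaries and addresses are made-up sample values.

```python
# Added example, not from the lab manual: evaluates the kinds of Wireshark
# display filters shown above (protocol name, ip.src ==, ip.dst ==, and
# compound filters with "and"/"or") against constructed packet summaries.

# Constructed summaries of three captured frames: the protocols present in
# each frame's layers plus its IP addresses (sample values only).
PACKETS = [
    {"frame": 1, "protocols": {"eth", "ip", "udp", "dns"},
     "ip.src": "10.0.0.5", "ip.dst": "10.0.0.1"},
    {"frame": 2, "protocols": {"eth", "ip", "tcp", "http"},
     "ip.src": "10.0.0.5", "ip.dst": "192.0.2.80"},
    {"frame": 3, "protocols": {"eth", "ip", "tcp", "http"},
     "ip.src": "192.0.2.80", "ip.dst": "10.0.0.5"},
]

def match_term(term, pkt):
    """Evaluate one simple term: a bare protocol name, or field == / != "value"."""
    term = term.strip()
    for op in ("==", "!="):
        if op in term:
            field, value = (s.strip().strip('"') for s in term.split(op, 1))
            hit = pkt.get(field) == value
            return hit if op == "==" else not hit
    return term in pkt["protocols"]          # e.g. http, tcp, udp, dns

def match_filter(expr, pkt):
    """'and' binds tighter than 'or', matching Wireshark's && and || precedence."""
    return any(all(match_term(t, pkt) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def apply_filter(expr, packets=PACKETS):
    """Return the frame numbers that Wireshark's packet list would keep."""
    return [p["frame"] for p in packets if match_filter(expr, p)]
```

For instance, apply_filter('ip.dst == "10.0.0.5" and http') keeps only the HTTP response frame, which is the kind of compound filter the lab task calls for.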
Lab Task:
Visit a website and capture its DNS packets and HTTP packets using Wireshark.
Reference:
https://en.wikipedia.org/wiki/Computer_network
https://en.wikipedia.org/wiki/IP_address
https://en.wikipedia.org/wiki/Network_packet
https://technet.microsoft.com/en-us/library/cc958821.aspx?f=255&MSPPError=-2147217396
https://en.wikipedia.org/wiki/Transmission_Control_Protocol
https://en.wikipedia.org/wiki/User_Datagram_Protocol
http://searchsecurity.techtarget.com/definition/promiscuous-mode