1. Learn What Protocol Analysis Means


Introduction to Networking & Network Management

Engineering Science Department

Wireshark_tcp_udp Experiment

Your Name: Your Station: Your Computer: Your Partners: Date:

A. Objectives

1. Learn what protocol analysis means
2. Learn how to use Wireshark
3. Monitor traffic at a specific port & capture TCP/UDP traffic data on an interface
4. Analyze the TCP & UDP segments, their structures & contents
5. Understand how the TCP & UDP protocols help the web & DNS applications provide their services

A. Configuration & Network Setup

No configuration is needed for this experiment. Each student needs to do the experiment on her/his own & submit a report. Note that you can save the Wireshark captures in your Ubuntu Documents folder under your name.

B. Procedure

1. Boot the computer & watch for the display to show a list of OSs (e.g., Ubuntu, Ubuntu backup, & Windows 7) for you to choose from. Select & highlight UBUNTU (NOT Ubuntu Backup) & press Enter for the UBUNTU OS to boot. If the screen locks when it times out, enter the password that your instructor provides to get back to the UBUNTU screen.

2. Open a Terminal & enter the command “sudo wireshark -i eth0 -c 10”. This opens the Wireshark screen on the Ubuntu desktop. In “Capture Options”, make sure that Interface = eth0, Capture Filter = tcp, & Stop Capture = after “10” packets (the -i & -c options on the command line set the interface & the packet count; the capture filter is set in the dialog or with the -f option). Then click “Start”.

3. On the Ubuntu desktop click Firefox & open www.sonoma.edu/engineering (the default page). The eth0 port should allow you to get to the Internet. TCP provides the HTTP application with the reliable connection over which the web page downloads.

4. The captured packets appear in the top panel of the Wireshark screen. In the View menu at the top, make sure ”Expand All” is checked & the Link, Network, & Transport layers are enabled. Note the encapsulations: the HTTP message is carried by TCP, the TCP segment by IP, & the IP packet by the Ethernet frame.

Question / Answer

- Which computer (A, B, C, D) did you use for Wireshark?
- List the packets in the top panel.
- Can you identify the 3-way TCP handshake? If so, list the segments.
- Which message is the third TCP segment?

5. Now select the third TCP segment in the top panel & use the middle & bottom panels of Wireshark to identify the following fields; write the # of bytes & the content of each field in the table below. The ifconfig command & the TCP protocol description (https://en.wikipedia.org/wiki/Transmission_Control_Protocol) can help in answering some of the questions.

Question | # of bytes | Content in Dec | Content in Hex

- The source eth0 (MAC) address in the frame, in decimal & hex. Is this the same as the eth0 address of the source computer?
- The destination eth0 (MAC) address in the frame, in decimal & hex
- The source computer IP address in decimal & hex. Is this the same as the IP address of the source computer?
- The destination computer IP address in decimal & hex
- The source TCP port in decimal & hex
- The destination TCP port in decimal & hex
- The Sequence # in decimal & hex. Is it what you expect? If not, explain why (Wireshark shows relative sequence numbers by default; the raw 32-bit value is in the bottom panel)
- The ACK # in decimal & hex
- The header length field, including the reserved & flag bits that share its 2 bytes. Explain
- The code (flag) bits
- The calculated window size
- The checksum in hex
- The urgent pointer field
- Any options used in this message? Do these fields look okay to you? Explain
- What is the TLSv1.2 protocol? How many TLSv1.2 messages do you see? Explain briefly what the TLSv1.2 messages do
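To see what steps 4 & 5 ask for without a live capture, here is an added Python example (not part of the lab handout or of Wireshark) that decodes TCP headers with the struct module, labels the three handshake segments, converts the absolute sequence & ACK numbers to the relative numbers that Wireshark displays by default, & applies the window-scale option announced in the SYN to get the calculated window size. The three segments, the ports (51234 & 443), the initial sequence numbers & the option values are constructed for the example.

```python
"""Decode TCP headers the way the Wireshark middle and bottom panels show them (added example).

Not part of the lab handout or of Wireshark. The three segments below form a
constructed 3-way handshake: client port 51234 to server port 443, made-up ISNs,
no Ethernet/IP layers and no payload.
"""
import struct

FLAG_BITS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008), ("ACK", 0x010),
             ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080), ("NS", 0x100)]
SYN, ACK = 0x002, 0x010


def build_tcp(src, dst, seq, ack, flags, window, options=b"") -> bytes:
    """Construct a TCP header; checksum and urgent pointer are left zero."""
    options += b"\x00" * (-len(options) % 4)            # options are padded to 32-bit words
    data_offset = (20 + len(options)) // 4              # header length in 32-bit words
    return struct.pack("!HHIIHHHH", src, dst, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0) + options


def parse_options(raw: bytes) -> dict:
    """Decode MSS, window scale and SACK-permitted options; NOP/EOL are padding."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                   # End of option list
            break
        if kind == 1:                                   # No-operation
            i += 1
            continue
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts["MSS"] = struct.unpack("!H", data)[0]
        elif kind == 3:
            opts["WScale"] = data[0]                    # shift count announced in the SYN
        elif kind == 4:
            opts["SACK_permitted"] = True
        i += length
    return opts


def parse_tcp(segment: bytes) -> dict:
    """Return {field: (byte_count, value)} for one TCP header, matching the lab table rows."""
    src, dst, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    return {
        "src_port": (2, src), "dst_port": (2, dst), "seq": (4, seq), "ack": (4, ack),
        # data offset (4 bits), reserved (3 bits), NS and the 8 flag bits share these 2 bytes
        "offset_reserved_flags": (2, off_flags), "header_len": (0, hdr_len),
        "flags": (0, [name for name, bit in FLAG_BITS if off_flags & bit]),
        "window": (2, window), "checksum": (2, csum), "urgent_ptr": (2, urg),
        "options": (hdr_len - 20, parse_options(segment[20:hdr_len])),
    }


def dec_hex(field) -> str:
    """Format (byte_count, value) as 'decimal / 0x..' with two hex digits per byte."""
    n, v = field
    return f"{v} / 0x{v:0{2 * n}x}"


def handshake_roles(segments) -> list:
    """Label three segments SYN / SYN-ACK / ACK after checking that the numbers chain correctly."""
    a, b, c = (parse_tcp(s) for s in segments)
    ok = (a["flags"][1] == ["SYN"]
          and set(b["flags"][1]) == {"SYN", "ACK"} and b["ack"][1] == a["seq"][1] + 1
          and c["flags"][1] == ["ACK"] and c["seq"][1] == a["seq"][1] + 1
          and c["ack"][1] == b["seq"][1] + 1)
    if not ok:
        raise ValueError("segments do not form a 3-way handshake")
    return ["SYN", "SYN-ACK", "ACK"]


def relative_numbers(segments) -> list:
    """Wireshark's default view: seq/ack relative to each direction's initial sequence number."""
    isn, out = {}, []
    for p in map(parse_tcp, segments):
        fwd = (p["src_port"][1], p["dst_port"][1])
        isn.setdefault(fwd, p["seq"][1])
        rev = fwd[::-1]
        rel_ack = p["ack"][1] - isn[rev] if "ACK" in p["flags"][1] and rev in isn else 0
        out.append((p["seq"][1] - isn[fwd], rel_ack))
    return out


def calculated_window(segments, index: int) -> int:
    """Window x 2^shift, with the shift the sender announced in its own SYN (SYNs themselves are unscaled)."""
    parsed = list(map(parse_tcp, segments))
    me = parsed[index]
    shift = next((p["options"][1].get("WScale", 0) for p in parsed
                  if "SYN" in p["flags"][1] and p["src_port"][1] == me["src_port"][1]), 0)
    return me["window"][1] << (0 if "SYN" in me["flags"][1] else shift)


# Constructed handshake (values made up for the example)
HANDSHAKE = [
    build_tcp(51234, 443, 0x1A2B3C4D, 0, SYN, 29200,
              bytes.fromhex("020405b4" "01" "030307" "0101" "0402")),   # MSS 1460, WScale 7, SACK ok
    build_tcp(443, 51234, 0x7F8E9DA0, 0x1A2B3C4E, SYN | ACK, 28960,
              bytes.fromhex("02040564" "01" "030308")),                 # MSS 1380, WScale 8
    build_tcp(51234, 443, 0x1A2B3C4E, 0x7F8E9DA1, ACK, 229),            # third segment of the handshake
]

if __name__ == "__main__":
    for name, field in parse_tcp(HANDSHAKE[2]).items():
        print(f"{name}: {dec_hex(field) if field[0] and isinstance(field[1], int) else field[1]}")
    print("roles:", handshake_roles(HANDSHAKE), "relative:", relative_numbers(HANDSHAKE))
    print("calculated window of segment 3:", calculated_window(HANDSHAKE, 2))
```

Running it prints the third segment's fields as the table asks (decimal & hex, with the byte count implied by the hex width), labels the segments SYN, SYN-ACK, ACK, & shows why the Sequence # in the middle panel reads 1 while the bottom panel holds 0x1a2b3c4e: Wireshark subtracts each direction's initial sequence number. The calculated window of the third segment (229 x 2^7 = 29312) is larger than its raw 2-byte window field because the scale factor comes from the client's own SYN, which is why the calculation cannot be done from one segment in isolation.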

6. Next, let us use a similar analysis for the UDP messages. Start Wireshark with the capture filter “port 53” (“udp port 53” also works; note that “udp.port == 53” is display-filter syntax, which applies to packets already captured & is not accepted as a capture filter) to capture DNS (Domain Name System) traffic at the eth0 port of your computer. Open another Terminal on your computer & enter the Linux command “nslookup www.sonoma.edu”. DNS uses UDP to resolve the name to an IP address quickly, without establishing a connection. You will soon see the packets captured in the Wireshark panels for your analysis.

Question / Answer

- Which computer (A, B, C, D) did you use for Wireshark?
- List the packets in the top panel. Any DNS messages?
- State what “port 53” in the capture filter identifies.

7. You should see a DNS query & a DNS response packet in the top panel. First, select the query packet & from the middle & bottom panels of Wireshark identify the following fields. Write the # of bytes & the content of each field in the table below. Verify some of the contents of the fields with the commands ifconfig & nslookup in the Terminal.

Question | # of bytes | Content in Dec | Content in Hex

- The source eth0 (MAC) address field in the frame, in decimal & hex. Is this address the same as the source computer eth0 address?
- The destination eth0 (MAC) address field in the frame, in decimal & hex
- The version of the IP packet, in decimal & hex
- The header length in decimal & hex
- The total length of the IP packet in decimal & hex
- The identification of the IP packet in hex
- The flags
- The fragment offset in decimal & hex
- The time to live in decimal & hex
- The protocol field in decimal & hex
- The checksum in hex
- The source computer IPv4 address in decimal & hex. Is this address the same as the source computer IP address?
- The destination computer IPv4 address in decimal & hex
- The source UDP port in decimal & hex
- The destination UDP port in decimal & hex. What application does the destination port signify?
- The UDP length in decimal & hex
- The UDP checksum in decimal & hex
- The IPv4 address of the sonoma.edu server (from the Terminal)

8. Under “Domain Name System (query)” check the following fields.

- Transaction ID in hex
- Flags in hex
- Questions in hex
- Answer RRs in hex
- Authority RRs in hex
- Additional RRs in hex
- Queries in hex. Look up the ASCII codes & find the hex representation of www.sonoma.edu & write it on the right side. Are these what you expected? (Note that the name is sent as length-prefixed labels: each label is preceded by one byte giving its length & the name ends with a 0x00 byte, so the dots of www.sonoma.edu do not appear as 0x2e in the capture.)
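As an added example for steps 6 to 8 (not from the handout & not Wireshark's own code), the following Python decodes a constructed Ethernet/IPv4/UDP/DNS query frame field by field with the byte counts the two tables ask for, verifies the IPv4 header & UDP checksums with the RFC 1071 one's-complement sum, & shows how www.sonoma.edu appears in the Queries field. The MAC addresses, the IP addresses 192.168.1.10 & 192.168.1.1, the source port 54321 & the transaction ID 0xbeef are made up; the DNS server is assumed to be a resolver on the local network.

```python
"""Decode an Ethernet / IPv4 / UDP / DNS query frame field by field (added example).

Not part of the lab handout or of Wireshark. The frame is constructed below;
MAC and IP addresses, ports and the transaction ID are made up.
"""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encode_qname(name: str) -> bytes:
    """DNS wire form: each label prefixed by its length, terminated by a zero byte (no dots)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(buf: bytes, off: int):
    """Inverse of encode_qname for an uncompressed name; returns (name, offset after it)."""
    labels = []
    while buf[off] != 0:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_sample_frame() -> bytes:
    """Constructed frame: host 192.168.1.10 asks resolver 192.168.1.1 for the A record of www.sonoma.edu."""
    dns = (struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0)            # TXID, flags (RD), QD/AN/NS/AR counts
           + encode_qname("www.sonoma.edu") + struct.pack("!HH", 1, 1))  # QTYPE A, QCLASS IN
    src_ip, dst_ip = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
    udp_len = 8 + len(dns)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)       # IPv4 pseudo-header for UDP
    udp_csum = inet_checksum(pseudo + struct.pack("!HHHH", 54321, 53, udp_len, 0) + dns) or 0xFFFF
    udp = struct.pack("!HHHH", 54321, 53, udp_len, udp_csum) + dns
    ip_fields = [0x45, 0, 20 + len(udp), 0x1C2D, 0x4000, 64, 17, 0, src_ip, dst_ip]  # v4, IHL 5, DF, TTL 64
    ip_fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *ip_fields))            # header checksum
    eth = bytes.fromhex("020000ddeeff") + bytes.fromhex("020000aabbcc") + struct.pack("!H", 0x0800)
    return eth + struct.pack("!BBHHHBBH4s4s", *ip_fields) + udp


def parse_frame(frame: bytes) -> dict:
    """Return {layer: {field: (byte_count, value)}} plus checksum verdicts; byte_count 0 marks a sub-byte field."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    (ver_ihl, tos, total_len, ident, flags_frag, ttl,
     proto, ip_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    udp = ip[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    pseudo = src + dst + struct.pack("!BBH", 0, proto, ulen)
    dns = udp[8:ulen]
    txid, dflags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = decode_qname(dns, 12)
    qtype, qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "eth": {"dst": (6, int.from_bytes(frame[:6], "big")), "src": (6, int.from_bytes(frame[6:12], "big")),
                "type": (2, eth_type)},
        "ip": {"version": (0, ver_ihl >> 4), "header_len": (0, ihl), "dscp_ecn": (1, tos),
               "total_length": (2, total_len), "identification": (2, ident),
               "flags": (0, flags_frag >> 13), "fragment_offset": (0, flags_frag & 0x1FFF),
               "ttl": (1, ttl), "protocol": (1, proto), "checksum": (2, ip_csum),
               "src": (4, int.from_bytes(src, "big")), "dst": (4, int.from_bytes(dst, "big")),
               # summing the header with its checksum field in place must give zero
               "checksum_ok": inet_checksum(ip[:ihl]) == 0},
        "udp": {"src_port": (2, sport), "dst_port": (2, dport), "length": (2, ulen), "checksum": (2, ucsum),
                # 0 means "no checksum" (allowed for UDP over IPv4); otherwise verify over pseudo-header + datagram
                "checksum_ok": ucsum == 0 or inet_checksum(pseudo + udp[:ulen]) == 0},
        "dns": {"transaction_id": (2, txid), "flags": (2, dflags), "questions": (2, qd), "answer_rrs": (2, an),
                "authority_rrs": (2, ns), "additional_rrs": (2, ar), "qname": qname,
                "qname_wire_hex": dns[12:off].hex(), "qtype": (2, qtype), "qclass": (2, qclass)},
    }


def dec_hex(field) -> str:
    """Format (byte_count, value) as 'decimal / 0x..' with two hex digits per byte."""
    n, v = field
    return f"{v} / 0x{v:0{2 * n}x}"


SAMPLE_FRAME = build_sample_frame()

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        for name, val in fields.items():
            print(f"{layer}.{name}: {dec_hex(val) if isinstance(val, tuple) else val}")
```

Compare the printed dns.qname_wire_hex with "www.sonoma.edu".encode().hex() (7777772e736f6e6f6d612e656475): the wire form 03 77 77 77 06 73 6f 6e 6f 6d 61 03 65 64 75 00 replaces each dot with the length of the following label & terminates with 0x00, which is why the hex Wireshark shows under Queries differs from a plain ASCII lookup. The UDP checksum can only be verified with the IPv4 pseudo-header (source & destination address, protocol 17 & the UDP length), which is why parse_frame carries those values down from the IP layer; flipping any payload byte leaves the IP header checksum valid but breaks the UDP one.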

C. Report

1. Type all your responses to the questions in the tables above, including your observations & comments, neatly.
2. Make sure to power off all the devices, remove the cables & return them to the cabinet, & clean up your station.
3. Submit your report by the due date.

AMK 4/8/2018
