Laboratory 2 – Wireshark Sniffer


Purpose of exercise

 

The aim of the exercise is to become familiar with the WireShark (Ethereal) program for the analysis of network traffic, and to learn about and analyze selected network protocols.

 

Introduction

 

Wireshark is a popular sniffer available for multiple operating systems – a tool to capture packets, analyze network performance, test the network, build reports and perform a number of other tasks extremely useful for an administrator.

The tool is available for the majority of Windows and Unix platforms, free of charge.

Network analyzers enable a thorough analysis of the data transmitted in the subnet to which the computer running the program is connected. You can thus obtain information about the types of services and protocols used in the network, the addresses of the computers with which users in the subnet communicate, the content of the transmitted data, etc. This allows a better understanding of the network, makes it easier to locate an error or an intrusion, and provides information useful for improving the performance of the network or modernizing it.

 

Sniffers are also one of the favorite tools of network intruders. In a local network, appropriate manipulation of its infrastructure, e.g. by ARP poisoning, allows capturing other users' packets and eavesdropping on them in this way.

 

Literature and the required information

 

Wireshark user manual

ISO/OSI model

Selected network protocols (IP, ICMP, TCP, UDP, HTTP, DNS, ARP, FTP – RFC documents (e.g. www.ietf.org), books, articles, web pages).

Fundamentals of Ethernet (books, articles, web pages).

 

Tasks to be performed:

 

For the selected tasks (below), familiarize yourself with the description of the selected network protocols using RFCs (Request For Comments) and materials about networks (Wikipedia, wazniak.mimuw.edu.pl, etc.).

Read the WireShark instructions and learn its operation.

 

With the help of Wireshark perform THREE of the following activities plus the mandatory EIGHTH (last) task:

 

  1. Run the ping program specifying a DNS name. Analyze the captured data in a file – ARP, ICMP, DNS. (I DO THIS TASK)
  2. Run tracert for different stations, providing a domain address. Analyze the captured data in a file – ARP, ICMP, DNS.
  3. Launch your web browser for the selected network address and analyze the captured data in a file – HTTP, DNS.
  4. Start the FTP program, log on to any address, upload your file, analyze the captured data in a file and capture the password – FTP, DNS.
  5. Intercept the transmission of any communicator protocol (Skype, GG, Facebook messenger, Sametime, etc.).
  6. Capture sending or receiving e-mail with your e-mail program (Outlook, Thunderbird) and intercept the password the e-mail program uses to log on to the server – the SMTP and POP3 protocols.
  7. Start the selected https page and analyze the captured data.
  8. Go to the selected page containing a login panel (not secured with https), enter the password and capture it in WireShark. Document this process with screenshots.

 

Prepare a written report with the analysis of the tasks performed.

The report should be prepared according to the following outline:

 

  1. The introduction, the purpose of the exercise.
  2. Description of the main features of the selected network protocols (exchange of information, the format of packets, etc.).
  3. Analysis of the obtained logs from Wireshark (for the protocol, after having been filtered).
  4. Conclusions.

 

Description: ARP (Address Resolution Protocol) is used by station A to obtain the MAC (Ethernet) address of the station that acts as the gateway for station A.

No. 15. The station with IP address 156.17.43.50 needs the MAC address of station 156.17.43.62, which is the gateway for station 156.17.43.50. It therefore sends a broadcast frame, with the destination MAC address set to ff:ff:ff:ff:ff:ff.

No. 16. By definition, the gateway must be in the same subnet as the station for which it is the gateway. It therefore receives the broadcast frame and responds to it by sending its own MAC address. At this point the station with IP address 156.17.43.50 knows the MAC address of its gateway, so it can start sending IP packets to stations located in other subnets.
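The two frames described above, built and decoded byte by byte, as an added example (not part of the original lab page). It also covers the ARP poisoning remark from the introduction from the defender's side: a small check that records which MAC each IP claims in ARP replies and flags a reply that changes an existing binding. The IP addresses are the ones from the page; the three MAC addresses and the third, conflicting reply are constructed for the example.

```python
import struct

ETH_TYPE_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")

# Constructed placeholder MAC addresses (the page gives only the IP addresses).
STATION_MAC = bytes.fromhex("001122334450")   # 156.17.43.50 (constructed)
GATEWAY_MAC = bytes.fromhex("001122334462")   # 156.17.43.62 (constructed)
ROGUE_MAC = bytes.fromhex("00aabbccddee")     # a third host (constructed)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(src_mac, src_ip, eth_dst, dst_ip, opcode, target_mac=bytes(6)):
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    eth = eth_dst + src_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += src_mac + ip_bytes(src_ip) + target_mac + ip_bytes(dst_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """The fields Wireshark shows for an 'arp' row, decoded from the raw bytes."""
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    sha, spa = body[:hlen], body[hlen:hlen + plen]
    tha = body[hlen + plen:2 * hlen + plen]
    tpa = body[2 * hlen + plen:2 * hlen + 2 * plen]
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "opcode": {1: "request", 2: "reply"}.get(op, op),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def arp_binding_changes(frames):
    """Defender's check: remember the MAC each IP claims in ARP replies and report
    any reply that claims an already-seen IP with a different MAC. A changing
    IP-to-MAC binding is the basic indicator of ARP poisoning on a LAN."""
    seen, alerts = {}, []
    for n, frame in enumerate(frames, start=1):
        p = parse_arp(frame)
        if p["opcode"] != "reply":
            continue
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in seen and seen[ip] != mac:
            alerts.append(f"frame {n}: {ip} moved from {seen[ip]} to {mac}")
        seen.setdefault(ip, mac)   # keep the first binding as the reference
    return alerts


# Frame 15: who has 156.17.43.62? tell 156.17.43.50 (broadcast destination, target MAC zero).
FRAME_15 = build_arp(STATION_MAC, "156.17.43.50", BROADCAST_MAC, "156.17.43.62", 1)
# Frame 16: 156.17.43.62 is at GATEWAY_MAC, sent unicast back to the station.
FRAME_16 = build_arp(GATEWAY_MAC, "156.17.43.62", STATION_MAC, "156.17.43.50", 2, STATION_MAC)
# Constructed conflicting reply for the same IP, which a monitor should flag.
CONFLICTING_REPLY = build_arp(ROGUE_MAC, "156.17.43.62", STATION_MAC, "156.17.43.50", 2, STATION_MAC)

if __name__ == "__main__":
    for frame in (FRAME_15, FRAME_16):
        print(parse_arp(frame))
    print(arp_binding_changes([FRAME_15, FRAME_16, CONFLICTING_REPLY]))
```

In a real capture the same check is what a Wireshark "Duplicate IP address detected" expert-info warning or an `arp.duplicate-address-detected` filter surfaces; the script shows where that information comes from in the frame bytes.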

 

Evaluation

 

The assessment of this exercise will take into account: the theoretical background for the exercise in the range of the selected protocols, the real-time execution of the tasks in the laboratory, and the report on the activities listed above (submitted after completing the task).

 

REPORTS: please send a PDF file within 7 days via eportal.ue.wroc.pl

 

Download WireShark

 

A description of the layers of the TCP/IP protocols and links

 

Application layer – includes HTTP, SMTP, FTP, NFS, NIS, LPD, Telnet. Application layer protocol messages are carried as data inside transport layer protocols.

 

Transport layer – includes UDP and TCP. The first provides almost no validation of the transmission, the other guarantees lossless delivery. Transport layer segments are in turn carried as data inside IP packets in the network layer.

 

Network layer – contains the protocols DNS, ICMP, IP, IGMP, RIP, OSPF and EGP. IP is responsible for finding the recipient in the network. Packets of these protocols are transported by the link layer protocols.

 

Link layer – contains ARP and RARP, which support low-level packet transmission.
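The nesting described above (each layer's unit carried as the data field of the layer below) made concrete, as an added example that is not part of the original page: a DNS query such as the one a ping of www.onet.pl would trigger is wrapped in UDP, then IPv4, then Ethernet II, and the resulting bytes are peeled back layer by layer the way Wireshark's packet-details pane does. The IPv4 header checksum is computed and verified on the way back, and a frame with one damaged byte is shown to fail that check. The MAC addresses, the resolver address 156.17.43.1 and the transaction ID are constructed.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum as used in the IPv4 header. Over a header whose checksum
    field is already filled in, a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_qname(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def decode_qname(data: bytes, offset: int):
    """Plain labels only; compression pointers (used in answers) are out of scope here."""
    labels = []
    while data[offset] != 0:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode())
        offset += 1 + n
    return ".".join(labels), offset + 1


def build_dns_query(name: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, one question
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Wrap payload in UDP, that in IPv4, that in Ethernet II."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = absent (allowed over IPv4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1A2B, 0x4000, 64,
                      PROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]  # fill in checksum
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + hdr + udp


def decode_frame(frame: bytes):
    """Peel the frame layer by layer; each entry is (layer name, decoded fields)."""
    layers = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers.append(("Ethernet", {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "type": hex(ethertype)}))
    if ethertype != ETHERTYPE_IPV4:
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    layers.append(("IPv4", {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]), "proto": ip[9],
                            "checksum_ok": ones_complement_sum(ip[:ihl]) == 0}))
    if ip[9] != PROTO_UDP:
        return layers
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    layers.append(("UDP", {"sport": sport, "dport": dport, "length": ulen}))
    if 53 in (sport, dport):
        dns = udp[8:]
        txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
        qname, _ = decode_qname(dns, 12)
        layers.append(("DNS", {"id": hex(txid), "rd": bool(flags & 0x0100), "qdcount": qdcount, "qname": qname}))
    return layers


# Constructed sample: DNS query for www.onet.pl from 156.17.43.50 to a resolver at 156.17.43.1
# (MAC addresses, resolver address, source port and transaction ID are made up).
SAMPLE_FRAME = build_frame(bytes.fromhex("001122334450"), bytes.fromhex("001122334462"),
                           "156.17.43.50", "156.17.43.1", 40000, 53,
                           build_dns_query("www.onet.pl", 0x1234))

if __name__ == "__main__":
    for name, fields in decode_frame(SAMPLE_FRAME):
        print(name, fields)
```

Wireshark performs the same header checksum verification when "Validate the IPv4 checksum if possible" is enabled in the IPv4 protocol preferences; it is off by default because offloading to the network card means the local capture often sees frames before the checksum is filled in.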

 

 

Examples of reports

 

The first example

The second example

 

HELP – how to filter data:

 

If we want to filter by the IP address of a computer, type in the filter box:

 

ip.addr == 1.2.3.4

 

If we want to find a host by its physical (MAC) address, proceed as follows:

 

eth.addr == 11:22:ff:ff:22:11

 

If you are looking for more than one computer, you can use the conjunction or:

 

eth.addr == 11:22:ff:ff:22:11 or eth.addr == 11:33:ff:ff:33:11

 

To use exclusion – that is, all addresses other than the specified one – add an exclamation mark in front:

 

!(ip.addr == 1.2.3.4)

 

Analysis of traffic on port 80:

 

tcp.port == 80

 

Dedicated filter for the analysis of HTTP:

 

http

 

http.host == "www.onet.pl"

 

For more information about HTTP filters go to:

http://www.wireshark.org/docs/dfref/h/http.html

 

Gadu-Gadu session analysis

 

Gadu-Gadu is one of the most popular instant messengers in Poland. Thanks to Mr. Artur Kołodziej we can download a plug-in for Wireshark that allows analysis of the GG protocol.

A description of the installation and the plug-in file can be found at http://www.wireshark-gg.xt.pl/GG.dll. After copying the file to the plugins/ directory, restart Wireshark.

In the filter we should type:

gg

and then observe packets of login requests, sent messages, as well as status changes.

FILTERS:

HTTPS transmission

 

ssl (since Wireshark 3.0 the dissector is named tls and the filter tls should be used; ssl is kept as a legacy alias)

 

FTP transmission

 

ftp or ftp-data

 

Capture passwords in plain FTP:

 

ftp.request.command == "USER" or ftp.request.command == "PASS"

 

e-mail

 

smtp and pop3

 

If you initially want to filter out only the source e-mail addresses from which messages are sent, use the filter:

 

smtp.req.command == "MAIL" and smtp.req.parameter contains "FROM"

 

If we are interested in the recipients of messages, we can set the filter:

smtp.req.command == "RCPT"

 

To filter out only the messages themselves, enter as the filter:

pop.response.indicator == "+OK" and pop.response.description contains "octets"

 

If you are interested in capturing the password in the clear, use:

pop.request.command == "PASS"
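The FTP, SMTP and POP3 filters listed above, and the plain-HTTP login panel from task 8, expressed as detection logic over a reassembled session, as an added example that is not part of the original page. Each Wireshark display filter becomes a predicate over (server port, direction, line); a small audit function applies them to a constructed sample of command lines and reports what matched, redacting the secret itself so the report proves that a password crossed the wire in the clear without storing it. The sample session, the user name and the password value are constructed; the HTTP form-field check goes beyond the page's filter list and is labelled as such.

```python
import re

# Each entry mirrors one of the Wireshark display filters above:
# predicate(server_port, direction, line) -> bool, with ">" = client to server, "<" = server to client.
FILTERS = {
    "ftp.request.command == USER/PASS":
        lambda port, d, line: port == 21 and d == ">" and line.split(" ", 1)[0].upper() in ("USER", "PASS"),
    "smtp.req.command == MAIL, parameter contains FROM":
        lambda port, d, line: port == 25 and d == ">" and line.upper().startswith("MAIL FROM"),
    "smtp.req.command == RCPT":
        lambda port, d, line: port == 25 and d == ">" and line.upper().startswith("RCPT"),
    "pop.response +OK ... octets":
        lambda port, d, line: port == 110 and d == "<" and line.startswith("+OK") and "octets" in line,
    "pop.request.command == PASS":
        lambda port, d, line: port == 110 and d == ">" and line.upper().startswith("PASS "),
    # Not in the page's filter list; covers task 8 (login form sent over plain HTTP). Assumed field name.
    "http form field password=":
        lambda port, d, line: port == 80 and d == ">" and "password=" in line,
}

# Patterns whose captured value must never end up in the report.
SECRET_PATTERNS = [
    (re.compile(r"^(PASS)\s+\S+", re.I), r"\1 <redacted>"),
    (re.compile(r"(password=)[^&\s]*", re.I), r"\1<redacted>"),
]


def redact(line: str) -> str:
    """Keep the evidence that a secret was sent, not the secret."""
    for pattern, replacement in SECRET_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def audit(stream):
    """Apply every filter to every line; return (filter name, port, redacted line) per match."""
    findings = []
    for port, direction, line in stream:
        for name, predicate in FILTERS.items():
            if predicate(port, direction, line):
                findings.append((name, port, redact(line)))
    return findings


def exposed_credentials(findings):
    """Only the findings that show a password crossing the wire in the clear."""
    return [f for f in findings if "<redacted>" in f[2]]


# Constructed sample of reassembled TCP payload lines (server port, direction, line).
SAMPLE_STREAM = [
    (21, ">", "USER alice"),
    (21, ">", "PASS s3cret"),
    (21, "<", "230 Login successful."),
    (25, ">", "MAIL FROM:<alice@example.test>"),
    (25, ">", "RCPT TO:<bob@example.test>"),
    (110, ">", "USER alice"),
    (110, ">", "PASS s3cret"),
    (110, "<", "+OK 1 messages (1234 octets)"),
    (80, ">", "POST /login HTTP/1.1"),
    (80, ">", "password=s3cret&user=alice"),
]

if __name__ == "__main__":
    for name, port, line in audit(SAMPLE_STREAM):
        print(f"{port:>4}  {name:<50}  {line}")
```

The same three lines that the script marks as exposed credentials are what the "Follow TCP Stream" view shows in clear text for these protocols; the point of redacting in the report is that the lab's written deliverable should demonstrate the weakness of the protocol, not preserve the captured password.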