Laboratory 2 – Wireshark Sniffer


Purpose of the exercise

The aim of the exercise is to become familiar with the Wireshark (formerly Ethereal) program for the analysis of network traffic, and to learn about and analyse selected network protocols.




Wireshark is a popular sniffer available for multiple operating systems – a tool to capture packets, analyze network performance, test the network, build reports and perform a number of other tasks that are extremely useful to an administrator.

The tool is available for the majority of Windows and Unix platforms, free of charge.

Network analyzers enable a thorough analysis of the data transmitted in the subnet to which the computer running the program is connected. You can thus obtain information about the type of services and protocols used in the network, the addresses of the computers that users on the subnet connect to, the content of the transmitted data, etc. This allows a better understanding of the network, helps to locate errors or intrusions, and provides information that can be used to improve the performance of the network or to modernize it.


Sniffers are also one of the favorite tools of network intruders. In a local network, appropriate manipulation of its infrastructure, e.g. ARP poisoning, allows the packets of other users to be captured and their traffic to be eavesdropped on.


Literature and the required information


Wireshark user manual

ISO/OSI model

Selected network protocols (IP, ICMP, TCP, UDP, HTTP, DNS, ARP, FTP): RFC documents, books, articles, web pages.

Fundamentals of Ethernet (books, articles, web pages).


Tasks to be performed:


For the selected tasks (below), familiarize yourself with the descriptions of the relevant network protocols using RFCs (Request For Comments) and materials about networks (Wikipedia, etc.).

Read the WireShark manual and learn how the program operates.


With the help of Wireshark, perform THREE of the following activities plus the mandatory last (EIGHTH) task:


  1. Run the ping program specifying a DNS name. Analyze the captured data in a file – ARP, ICMP, DNS. (I DO THIS TASK)
  2. Run tracert for different stations, providing a domain address. Analyze the captured data in a file – ARP, ICMP, DNS.
  3. Launch your web browser on a selected network address and analyze the captured data in a file – HTTP, DNS.
  4. Start an FTP program, log on to any address, upload a file, analyze the captured data in a file and capture the password – FTP, DNS.
  5. Intercept the transmission of any instant-messaging protocol (Skype, GG, Facebook Messenger, Sametime, etc.).
  6. Capture the sending or receiving of e-mail with your e-mail program (Outlook, Thunderbird) and intercept the password the e-mail program uses to log on to the server – the SMTP and POP3 protocols.
  7. Open a selected https page and analyze the captured data.
  8. Go to a selected page containing a login panel (not secured with https), enter the password and capture it in WireShark. Show this process in screenshots.


Prepare a written report with the analysis of the tasks performed.

The report should be structured according to the following outline:


  1. The introduction, the purpose of the exercise.
  2. Description of the main features of the selected network protocols (exchange of information, the format of packets, etc.).
  3. Analysis of the obtained logs from Wireshark (for the protocol, after having been filtered).
  4. Conclusions.


Description: ARP (Address Resolution Protocol) is used by station A to obtain the MAC (Ethernet) address of the station that is the gateway for station A.

No. 15. The station with the IP address needs the MAC address of the station that is its gateway. It therefore sends a broadcast frame with the target MAC address ff:ff:ff:ff:ff:ff.

No. 16. By definition, the gateway must be in the same subnet as the station for which it is the gateway. It therefore receives the broadcast frame and responds to it by sending its MAC address. At this point, the station with the IP address knows the MAC address of its gateway, so it can start sending IP packets to stations located in other subnets.
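To make frames no. 15 and 16 concrete, here is an added example in Python (not part of the lab page or of Wireshark) that decodes Ethernet II frames carrying ARP the way the ARP dissector presents them, reconstructs the broadcast request and unicast reply described above, and keeps a small IP-to-MAC table so that an IP address which suddenly answers from a different MAC is reported, which is the symptom of the ARP poisoning mentioned earlier. All addresses (10.0.0.15, 10.0.0.1 and the MACs) are constructed for the example, not taken from a capture.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))

def parse_ethernet(frame):
    """Split an Ethernet II frame into (dst MAC, src MAC, EtherType, payload)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP packet (RFC 826 layout) into a dict."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {"opcode": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Construct a frame for the sample exchange (hypothetical addresses, not captured data)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp

def describe(frame):
    """One-line summary in the style of Wireshark's Info column."""
    dst, src, ethertype, payload = parse_ethernet(frame)
    if ethertype != ETHERTYPE_ARP:
        return f"{src} -> {dst}: EtherType 0x{ethertype:04x} (not ARP)"
    arp = parse_arp(payload)
    if arp["opcode"] == "request":
        scope = "broadcast" if dst == BROADCAST else "unicast"
        return (f"{scope} ARP request: who has {arp['target_ip']}? "
                f"tell {arp['sender_ip']} ({src})")
    return f"ARP reply to {dst}: {arp['sender_ip']} is at {arp['sender_mac']}"

def learn(table, frame):
    """Record sender IP -> MAC from each ARP packet; report when a known IP moves to
    another MAC. A gateway IP answering from a new MAC is the classic poisoning symptom."""
    _, _, ethertype, payload = parse_ethernet(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = parse_arp(payload)
    known = table.get(arp["sender_ip"])
    table[arp["sender_ip"]] = arp["sender_mac"]
    if known and known != arp["sender_mac"]:
        return f"CONFLICT: {arp['sender_ip']} was {known}, now {arp['sender_mac']}"
    return None

# Constructed addresses for the exchange in the description (not from a real capture).
STATION_MAC, STATION_IP = "00:11:22:33:44:55", "10.0.0.15"
GATEWAY_MAC, GATEWAY_IP = "00:aa:bb:cc:dd:ee", "10.0.0.1"

def sample_exchange():
    """Frames no. 15 and 16: broadcast request (target MAC still unknown), unicast reply."""
    request = build_arp_frame(1, STATION_MAC, STATION_IP, "00:00:00:00:00:00", GATEWAY_IP, BROADCAST)
    reply = build_arp_frame(2, GATEWAY_MAC, GATEWAY_IP, STATION_MAC, STATION_IP, STATION_MAC)
    return [request, reply]

def run():
    table, out = {}, []
    for frame in sample_exchange():
        out.append(describe(frame))
        warning = learn(table, frame)
        if warning:
            out.append(warning)
    # A later, unsolicited reply claiming the gateway IP from another MAC (constructed sample)
    rogue = build_arp_frame(2, "00:de:ad:be:ef:00", GATEWAY_IP, STATION_MAC, STATION_IP, STATION_MAC)
    out.append(learn(table, rogue))
    return out

if __name__ == "__main__":
    print("\n".join(run()))
```

The request is recognisable in a capture by its destination ff:ff:ff:ff:ff:ff and an all-zero target MAC inside the ARP payload; the reply is unicast back to the requesting station. The `learn` table is the minimal form of what tools such as arpwatch do on a segment.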




The assessment of this exercise will take into account: the theoretical background on the selected protocols, the real-time execution of the tasks in the laboratory, and the report on the activities listed above, submitted after completing the tasks.


REPORTS: please send as a pdf file within 7 days to (with the Read receipt option)


Download WireShark


A description of the layers of the TCP/IP protocols and links


Application layer – includes HTTP, SMTP, FTP, NFS, NIS, LPD, Telnet. Application layer protocol units are carried as data by the transport layer protocols.


Transport layer – includes UDP and TCP. The first provides almost no verification of the transmission, while the second guarantees lossless delivery. Transport layer segments are themselves carried as data in the IP network layer.


Network layer – contains the protocols DNS, ICMP, IP, IGMP, RIP, OSPF and EGP. IP is responsible for finding the recipient on the network. Packets of these protocols are transported by the link-layer protocols.


Link layer – contains ARP and RARP, which support low-level packet transmission.


IMPORTANT: During the laboratory use a filter like this:


Examples of reports


The first example

The second example


HELP – how to filter data:


If we want to filter by the IP address of a computer, type in the filter box:


ip.addr ==


If we want to filter by the physical (MAC) address of a host, proceed as follows:


eth.addr == 11:22:ff:ff:22:11


If you are looking for more than one computer, you can use the conjunction or:


eth.addr == 11:22:ff:ff:22:11 or eth.addr == 11:33:ff:ff:33:11


To use exclusion – that is, all addresses other than the specified one – add ! in front:


!(ip.addr ==


Analysis of traffic on port 80:


tcp.port == 80
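The following Python model, added here and not taken from the lab page or from Wireshark, shows why the filters above behave as they do: ip.addr, eth.addr and tcp.port each occur twice in a packet (source and destination), so `name == value` matches when either occurrence matches, and an exclusion must negate the whole comparison with `!(...)`. The `ne_any` predicate models how older Wireshark releases read `name != value` (true if any occurrence differs, which keeps almost everything); current releases treat `!=` like `!(...)`, and the `!(...)` form is unambiguous in every version. The capture, addresses and packet numbers are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    """A decoded packet reduced to the multi-occurrence fields the lab filters use."""
    no: int
    eth_addr: tuple          # (src MAC, dst MAC)
    ip_addr: tuple = ()      # (src IP, dst IP); empty for non-IP frames such as ARP
    tcp_port: tuple = ()     # (src port, dst port); empty for non-TCP packets

    def values(self, name):
        return {"eth.addr": self.eth_addr,
                "ip.addr": self.ip_addr,
                "tcp.port": self.tcp_port}[name]

# Filter combinators; each returns a predicate over Packet.
def eq(name, value):
    """name == value: true if ANY occurrence of the field equals value."""
    return lambda p: any(v == value for v in p.values(name))

def ne_any(name, value):
    """name != value as older Wireshark releases read it: true if ANY occurrence differs.
    For a two-valued field that is true for nearly every packet, so it does not exclude."""
    return lambda p: any(v != value for v in p.values(name))

def not_(pred):
    """!(...): negate the whole comparison."""
    return lambda p: not pred(p)

def or_(*preds):
    return lambda p: any(pred(p) for pred in preds)

def apply_filter(pred, packets):
    """Return the packet numbers that would remain visible in the packet list."""
    return [p.no for p in packets if pred(p)]

# Constructed capture (hypothetical addresses, not a real trace).
GW = "00:aa:bb:cc:dd:ee"
A = "11:22:ff:ff:22:11"
B = "11:33:ff:ff:33:11"
SAMPLE = [
    Packet(1, (A, GW), ("10.0.0.15", "192.0.2.80"), (51234, 80)),   # HTTP request
    Packet(2, (GW, A), ("192.0.2.80", "10.0.0.15"), (80, 51234)),   # HTTP response
    Packet(3, (B, "ff:ff:ff:ff:ff:ff")),                             # ARP request, no IP layer
    Packet(4, (B, GW), ("10.0.0.7", "10.0.0.9"), (40000, 443)),     # TLS from another host
    Packet(5, (GW, "00:00:5e:00:53:01"), ("10.0.0.9", "10.0.0.7"), (443, 40000)),
]

def demo(packets=SAMPLE):
    """Each entry pairs a display-filter expression with the packets it keeps."""
    return {
        "ip.addr == 10.0.0.15": apply_filter(eq("ip.addr", "10.0.0.15"), packets),
        "eth.addr == A or eth.addr == B": apply_filter(or_(eq("eth.addr", A), eq("eth.addr", B)), packets),
        "!(ip.addr == 10.0.0.15)": apply_filter(not_(eq("ip.addr", "10.0.0.15")), packets),
        "ip.addr != 10.0.0.15 (old semantics)": apply_filter(ne_any("ip.addr", "10.0.0.15"), packets),
        "tcp.port == 80": apply_filter(eq("tcp.port", 80), packets),
    }

if __name__ == "__main__":
    for expr, nos in demo().items():
        print(f"{expr:40} -> {nos}")
```

Note that packet 3 (ARP) has no ip.addr at all, so it is dropped by `ip.addr == ...` but kept by `!(ip.addr == ...)`: negation keeps everything that does not match, including packets without the field.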


Dedicated filter for the analysis of HTTP:






For more information about the HTTP filter go to:



Gadu-Gadu session analysis


Gadu-Gadu is one of the most popular instant messengers in Poland. Thanks to Mr. Arthur Kołodziej we can download a plug-in for Wireshark that allows the analysis of the GG protocol.

A description of the installation and the file with the plug-in can be found at: After copying the file to the plugins/ directory, restart Wireshark.

In the filter we should type:


and then observe the packets of login requests, sent messages, and status changes.


HTTPS transmission




FTP transmission


ftp or ftp-data


Capturing passwords in plain FTP:


ftp.request.command == "USER" or ftp.request.command == "PASS"




smtp and pop3


If you first want to filter only the source e-mail addresses from which messages are sent, use the filter:


smtp.req.command == "MAIL" and smtp.req.parameter contains "FROM"


If we are interested in the message recipients, we can set the filter:

smtp.req.command == "RCPT"


To filter out only the messages themselves, enter as a filter:

pop.response.indicator == "+OK" and pop.response.description contains "octets"


If you are interested in capturing the explicit password, use:

pop.request.command == "PASS"
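An added example (not from the lab page) in Python that applies the same selections as the FTP, SMTP and POP3 filters above to reassembled control-channel text, from the defender's side: it lists which services on the segment still accept cleartext logins and which mail addresses and messages travel unprotected, while masking every captured password before it reaches the report. The lines, stream numbers, hosts and accounts are constructed for the example.

```python
import re

# Constructed, reassembled control-channel lines: (tcp stream, protocol, direction, text).
# Direction "C" = client request, "S" = server response. Not from a real capture.
SAMPLE_LINES = [
    (1, "ftp", "S", "220 ftp.example.test FTP server ready"),
    (1, "ftp", "C", "USER student"),
    (1, "ftp", "S", "331 Password required for student"),
    (1, "ftp", "C", "PASS lab2secret"),
    (1, "ftp", "S", "230 User logged in"),
    (2, "smtp", "C", "MAIL FROM:<alice@example.test>"),
    (2, "smtp", "S", "250 OK"),
    (2, "smtp", "C", "RCPT TO:<bob@example.test>"),
    (2, "smtp", "S", "250 OK"),
    (3, "pop", "C", "USER bob"),
    (3, "pop", "S", "+OK"),
    (3, "pop", "C", "PASS hunter2"),
    (3, "pop", "S", "+OK Logged in"),
    (3, "pop", "C", "RETR 1"),
    (3, "pop", "S", "+OK 1523 octets"),
]

MAIL_FROM = re.compile(r"^MAIL\s+FROM:\s*<?([^>\s]*)>?", re.I)
RCPT_TO = re.compile(r"^RCPT\s+TO:\s*<?([^>\s]*)>?", re.I)
OCTETS = re.compile(r"^\+OK\b.*?(\d+)\s+octets", re.I)

def mask(secret):
    """Never write a captured password into a report; keep only its length."""
    return "*" * len(secret)

def analyse(lines):
    """Equivalent of the lab's display filters, evaluated over reassembled lines.
    Returns cleartext logins (password masked), mail senders/recipients and retrieved messages."""
    pending_user = {}   # stream -> USER seen, waiting for the matching PASS
    report = {"cleartext_logins": [], "mail_from": [], "rcpt_to": [], "pop_messages": []}
    for stream, proto, direction, text in lines:
        if direction == "C":
            parts = text.split(None, 1)
            cmd = parts[0].upper()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if proto in ("ftp", "pop") and cmd == "USER":      # ftp.request.command == "USER"
                pending_user[stream] = arg
            elif proto in ("ftp", "pop") and cmd == "PASS":    # ... == "PASS", pop.request.command == "PASS"
                report["cleartext_logins"].append(
                    (proto, stream, pending_user.pop(stream, "?"), mask(arg)))
            elif proto == "smtp" and cmd == "MAIL":            # smtp.req.command == "MAIL" and parameter contains "FROM"
                m = MAIL_FROM.match(text)
                if m:
                    report["mail_from"].append((stream, m.group(1)))
            elif proto == "smtp" and cmd == "RCPT":            # smtp.req.command == "RCPT"
                m = RCPT_TO.match(text)
                if m:
                    report["rcpt_to"].append((stream, m.group(1)))
        elif proto == "pop":                                   # pop.response.indicator == "+OK" and description contains "octets"
            m = OCTETS.match(text)
            if m:
                report["pop_messages"].append((stream, int(m.group(1))))
    return report

if __name__ == "__main__":
    for key, rows in analyse(SAMPLE_LINES).items():
        print(f"{key}: {rows}")
```

Every entry under cleartext_logins is a service that should be moved to FTPS/SFTP, SMTP with STARTTLS or POP3S, since anyone on the same segment with the filters above can read what this script masks.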