CS 60 Computer Networks


Wireshark Packet Sniffing Lab

The aim of this lab is to get familiar with Ethereal/Wireshark and packet sniffing. Note, Wireshark is the new version of Ethereal (you can use either version of the tool). We use both names interchangeably in the text that follows.

Wireshark is an open source software tool that we demoed in class that allows you to examine packets captured by any network interface on your machine.

You will also use the skills developed in Lab1 to help you in Lab2. So really get to know this stuff - Lab2 is devilishly tricky and requires you to reverse engineer a protocol just by sniffing packets - yes, it's a puzzle you'll have to solve before you can implement the protocol - but it will be fun!


Please send your answers for Lab1 to cs60@cs.dartmouth.edu by the due date.

The TA will acknowledge receipt of your emailed submission. Homework will be marked and returned to you one week after submission.

We recommend that you first install this software on your personal machine, as there are many interesting aspects of the program that require root access (see the URL at the bottom of the assignment to download Wireshark); the Lab 001 unix machines do not give you the root privilege level needed to do packet capture. You can use Ethereal with a pre-captured trace to do the assignment on the Lab 001 machines if you wish. Please email the TA for the trace file to be used on the Lab 001 machines. Again, loading such traces does not require root access.

You will find when you attempt to install Ethereal that the most recent version of this software now has a new name, Wireshark. There are not any significant changes between Ethereal and Wireshark. The Wireshark website observes this fact: "Same developers, same code, different name. The Ethereal network protocol analyzer has changed its name to Wireshark." You will find that either Wireshark or an older version of Ethereal will be suitable for performing this lab. The choice is entirely up to you.

Please work through each of the tasks discussed below. Each task will specify material you are required to hand in. For submission please tar all the material into a single file and submit it via email as discussed above. A number of the questions will touch on concepts that we have not yet fully covered in class. Do not worry. Just answer the questions as best you can. For a higher-level course like CS60 we expect you will consult the textbook, the web and other courses to guide you. Please note, as always, citations must be provided with your answers if you consult any external source for information.

OK, let's start looking at packets!

1) To get started please read the handout introduction to wireshark/ethereal, which gives an introduction to Ethereal. Note that this supplementary document provides background to the lab and installation information. The questions below are not taken from the textbook.

2) Start a capture session using Ethereal. Capture traffic while you open a web page in your browser. Open the web page http://www.dartmouth.edu. Please save the trace you use in the lab and submit it with your answers. To save, go to "File" and select save file (e.g., call it trace).

3) Examine the trace and find the exchange of packets between your machine and the web server (the host providing the web pages to your machine). Can you find an example packet in the packet exchange where the packet contains details about the type of web browser (e.g., Firefox, Internet Explorer, Safari, etc.) being used? What is the value you found in the packet trace? Why do you think the client informs the server of this information? Take a look at the source html for the page your client downloaded (i.e., http://www.dartmouth.edu). Do you see any of the attributes found in the packet (e.g., browser type), or any of the other attributes in the same packet that contains the browser type, in the html source? If you cannot find these attributes in the html source, why do you think that is the case?

4) In the trace you can see many protocols listed. There is a lot going on under the hood (Ed. better word is bonnet). Some of these protocols are called transport protocols. Which transport protocol is used between your machine and the web server? Why would you think this one is used instead of an alternative? You will see that other protocols are captured in your trace. One such protocol is HTTP. What is the relationship between the transport protocol you identified and HTTP? Both protocols are used to satisfy your browser’s request for a web page. Why is more than one protocol used?

5) In the trace you will find IP addresses within the packets. Find an example packet in the trace where the IP address associated with your machine is present. Provide this example packet with your submission (take a screen dump or cut and paste the packet). Why is the IP address present in the particular packet you selected (what purpose does it serve)? How are IP addresses and port numbers used, and what specifically does each one address?

6) We discussed protocol layers in class. Which layer is IP associated with, and why isn't it associated with, say, the application layer? (Sounds like a tricky question, but why is routing at the layer it is at and not at another, say higher, layer?)

7) We have not discussed the MAC (medium access control) address in class yet. But you can find the MAC address of your machine using ifconfig -a on unix, Linux, windows, and OSX machines - at the command line. (Why not read the manual pages on ifconfig - a very handy command.) Each node has a unique Link Layer MAC address. Can you find the MAC address for your machine in the trace? What is the MAC address of your machine? Provide a trace of the packet in which you found it (take a screen dump or cut and paste the packet). Why do you think a MAC address is needed given that your machine has an IP address? (It would be more precise to say that the IP address is associated with one of the network interfaces on your machine; this is true also of the MAC address.)

8) There are a large number of protocols found in the trace - many you are not familiar with. Also, you may be surprised at the large number of packets being transmitted - even when your machine is idle, i.e., not doing any application layer work. Consider the short trace you just captured. You will see many different protocols listed in the trace. Excluding the HTTP and TCP protocols, identify as many of the other protocols as you can. Choose a couple of these protocols from your list and describe in more detail what they are and what they are being used to support. You can use google here or go to the IETF site for more information on the Internet protocols - there are many. Recall that a protocol is the core of a layer that provides a service to a higher layer; try to determine what the services are for the two protocols you select from your list. Search to see if you can find an RFC for any of the protocols within your trace (one example RFC database is: http://www.rfc-editor.org/rfc.html). Can you find the RFCs for the two protocols selected from your trace? Dig into the RFC: is there a state machine? Furthermore, do a little research and find out more about the RFC process: what role does the RFC process perform? How does it work? OK, we are done. Great job! You learnt a lot.
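As an added illustration (not part of this handout), the following Python dissector walks one constructed Ethernet/IPv4/TCP/HTTP frame layer by layer and pulls out exactly the fields tasks 3, 5 and 7 ask you to locate in Wireshark, and names the EtherType/IP protocol of frames that are not HTTP-over-TCP (task 8). The MAC addresses, IP addresses and browser string in it are made-up placeholders, not values from any real capture.

```python
import struct

# Protocol identifiers the lab asks you to recognise (EtherType and IP protocol numbers).
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_http_get_frame():
    """Constructed sample frame: Ethernet -> IPv4 -> TCP -> HTTP GET (not captured traffic)."""
    http = (b"GET / HTTP/1.1\r\nHost: www.dartmouth.edu\r\n"
            b"User-Agent: ExampleBrowser/1.0\r\n\r\n")
    # TCP header: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4 header: ver/IHL, TOS, total length, id, flags/frag, TTL, proto=TCP, cksum, src, dst
    # (10.0.0.5 and 203.0.113.80 are placeholder addresses, not Dartmouth's)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                       bytes([10, 0, 0, 5]), bytes([203, 0, 113, 80]))
    # Ethernet header: destination MAC, source MAC, EtherType 0x0800 (IPv4); placeholder MACs
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    return eth + ipv4 + tcp + http

def dissect(frame):
    """Walk the headers layer by layer and return the fields tasks 3, 5 and 7 ask you to find."""
    out = {"dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12])}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out["ethertype"] = ETHERTYPES.get(ethertype, hex(ethertype))
    if ethertype != 0x0800:
        return out                      # ARP, IPv6, ...: no IPv4 header to read (task 8)
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total_len]       # drop any Ethernet padding after the datagram
    out["src_ip"] = ".".join(map(str, ip[12:16]))
    out["dst_ip"] = ".".join(map(str, ip[16:20]))
    out["ip_proto"] = IP_PROTOS.get(ip[9], str(ip[9]))
    if ip[9] != 6:
        return out                      # UDP, ICMP, ...: no TCP ports to read
    tcp = ip[ihl:]
    out["src_port"], out["dst_port"] = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    # HTTP rides inside the TCP payload; the browser identifies itself in the User-Agent header
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"user-agent:"):
                out["user_agent"] = line.split(b":", 1)[1].strip().decode()
    return out

if __name__ == "__main__":
    for key, value in dissect(build_http_get_frame()).items():
        print(f"{key:10} {value}")
```

Compare each dictionary entry with the corresponding line in Wireshark's packet details pane: the MACs come from the Ethernet header, the addresses from the IP header, the ports from the TCP header, and the browser string only from the HTTP payload inside TCP.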

Where to get Wireshark

Where to get Ethereal/Wireshark for Mac, Windows, and Linux:

Wireshark download

Note, there is a problem with MacBooks sniffing the WiFi network - Ethernet works. For Macs you need to run with X Windows and run sudo wireshark. You need root access (type sudo on the Mac). If you need assistance, mail the TA, who will happily assist.

Thanks to Michael Diamond for the following crib sheet to get wireshark running on the Mac. CS60 Installing Wireshark on OSX

You can always login to one of the Linux machines in L001 and use the file that the TA has set up to do the lab - using data that we have already collected as canned data. You cannot actually run your own capture without root access on those machines, so using the file is the only way to do the lab on the L001 machines. The TA will follow up and let you know where the canned capture file can be found.

If you use the L001 machines you can't sniff packets, but to answer the questions use this precanned trace that we captured: exampletrace.pcap. It is in PCAP format, so it is not readable as plain text. Just save it to your L001 machine and open it inside Wireshark.


OK. You are done.

Tip: Make sure you always logout when you are done and see the prompt to login again before you leave the terminal.