Tuesday, February 15, 2011

Wireshark Lab

  1. Start Wireshark and view the packets that are being picked up by your computer.
  2. Look at several packets and then complete the following:
    1. Look at a packet that is using TCP and then answer the following:
      i. What is the source port? Why is this source port used?
Source Port: 49207
This was a request from my computer.
      ii. What is the destination port? Why is this destination port used?
TCP: https 443
This destination port indicates my secure TCP connection.
      iii. What is the flag? Why is this flag used?
This flag is used because an acknowledgement has been received.
Flag: 0x10 (ACK)
000. .... .... = Reserved: Not set  (my note when click on
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgement: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size: 48775


      iv. What is the source and destination IP address? Is this packet coming or going from your computer? (Use the ipconfig command from the command prompt to view the IP address of your computer.)

Source: 24.74.205.178; Destination address: 67.202.208.171
This packet is going from my computer.
      v. What is the Time To Live for this packet? What does TTL mean?
TTL: 128
Indicates that the packet is allowed 128 more hops before it is discarded, if it keeps traveling across the network.
      vi. What is the Differentiated Services field? List the current value. What does this mean? List 4 other possible values.
The Differentiated Services field informs routers what level of precedence they should apply when processing the incoming packet. It matches packets with the default DSCP.
0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x25ba (9658)

      vii. What is the protocol field set to? What does this mean?
Protocol field: IP (0x0800)
Protocol: TCP (6)
Window size: 48775
IPv4; Header length: 20 bytes
The TCP protocol is an IP segment; to enable TCP/IP to internetwork, it provides information about how and where data should be delivered, and the data's source and destination addresses.
      viii. What else did you see that was interesting about the IP packet?
There is a lot of information that informs you about the data that you are sending and receiving: the version of the IP protocol that I am using and the header length; the differentiated services field; the total length and identification; flags; fragment offset; time to live and the protocol field.
      ix. What is the framing type used?
Ethernet II
      x. What is the source and destination MAC addresses? Is this frame coming or going from your computer? (Use the ipconfig /all command from the command prompt to view the MAC address of your computer.)
Source: FirstINT_8b:a4:81 (00:40:ca:8b:a4:81)
Destination: Cadant_33:20:c1 (00:01:5c:33:20:c1)
Type: IP (0x0800)
      xi. What else did you see that was interesting about the Frame?
That it shows the MAC address and protocol field.
    1. Look at a packet that is using UDP and then answer the following:
      i. What is the source port? Why is this source port used?
Source Port: 532058
This is the port that my computer is using.
      ii. What is the destination port? Why is this destination port used?
Destination: domain 53
This is my destination.
      iii. What is the flag? Why is this flag used?
To inform me if my datagram was fragmented.
0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Protocol: UDP (17)
      iv. What is the source and destination IP address? Is this packet coming or going from your computer?
This packet is going from my computer.
Source: 24.74.205.178
Destination: 209.18.47.61
      v. What is the Time To Live for this packet? What does TTL mean?
128
Indicates that the packet is allowed 128 more hops before it is discarded, if it keeps traveling across the network.

      vi. What else did you see that was interesting about the IP packet?
The version of the IP protocol that I am using and the header length; the differentiated services field; the total length and identification; flags; fragment offset; time to live and the protocol field.
      vii. What is the framing type used?
Ethernet II
      viii. What is the source and destination MAC addresses? Is this frame coming or going from your computer?
This is going from my computer.
Source: FirstINT_8b:a4:81 (00:40:ca:8b:a4:81)
Destination: Cadant_33:20:c1 (00:01:5c:33:20:c1)
      ix. What else did you see that was interesting about the Frame?
Domain Name System (query); Transaction ID: 0x0778; Flags: 0x0100 (Standard query)
Additional RRs: 0
Queries
cmbrown249.blogspot.com: type A, class IN
Type: A (Host address)
Class: IN (0x0001)
Under User Datagram Protocol:
Src Port: 53058 (53058), Dst Port: domain (53)
Checksum: 0xe68e [validation disabled]
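The fields listed in the TCP and UDP answers above (EtherType, DSCP/ECN, total length, identification, flags, TTL, protocol, ports, TCP flags, window size) are fixed-position bytes in the Ethernet II, IPv4 and TCP/UDP headers, which is how Wireshark reads them. The decoder below is an added example, not part of this write-up or of Wireshark itself: it pulls the same fields out of raw frame bytes with struct.unpack. The two sample frames are constructed from the MAC addresses, IP addresses, ports, TTL and window size quoted above; the sequence and acknowledgement numbers, the DF flag, the zero checksum and the absence of a payload are made-up choices.

```python
import struct

# Added example, not part of the lab write-up: a minimal decoder for the
# Ethernet II / IPv4 / TCP / UDP header fields the lab questions ask about.
# The sample frames are constructed from the values in the answers above
# (MACs, IPs, ports, TTL, window); seq/ack numbers, DF and checksums are made up.

ETHERTYPE_IPV4 = 0x0800
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# TCP flag bits; the 16-bit "data offset + flags" word keeps them in its low 9 bits.
TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080),
             ("NS", 0x100)]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def parse_ethernet(frame):
    """Ethernet II header: destination MAC, source MAC, EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": ethertype}, frame[14:]


def parse_ipv4(data):
    """IPv4 header, with the DS byte split into DSCP (6 bits) and ECN (2 bits)."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (20 with no options)
    hdr = {
        "version": ver_ihl >> 4, "header_len": ihl,
        "dscp": tos >> 2, "ecn": tos & 0x03,
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "src": ip_str(src), "dst": ip_str(dst),
    }
    return hdr, data[ihl:total_len]     # the transport-layer segment


def parse_tcp(seg):
    """TCP header: ports, sequence/ack numbers, data offset, flags, window."""
    (sport, dport, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    flags = off_flags & 0x1FF
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": flags,
            "flag_names": [name for name, bit in TCP_FLAGS if flags & bit],
            "window": window}


def parse_udp(seg):
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"src_port": sport, "dst_port": dport, "length": length}


def decode_frame(frame):
    """Decode one captured frame into the per-layer fields the lab asks for."""
    eth, payload = parse_ethernet(frame)
    out = {"ethernet": eth}
    if eth["type"] == ETHERTYPE_IPV4:
        ip, l4 = parse_ipv4(payload)
        out["ip"] = ip
        if ip["protocol"] == "TCP":
            out["tcp"] = parse_tcp(l4)
        elif ip["protocol"] == "UDP":
            out["udp"] = parse_udp(l4)
    return out


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, ttl, l4):
    """Constructed test frame: Ethernet II + IPv4 (DF set, id 0x25ba, checksum 0) + L4."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 20 + len(l4), 0x25BA, 0x4000,
                     ttl, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + l4


HOST_MAC, GATEWAY_MAC = "00:40:ca:8b:a4:81", "00:01:5c:33:20:c1"
HOST_IP = "24.74.205.178"

# TCP ACK from the host to the HTTPS server: data offset 5 words, flags 0x010, window 48775.
TCP_ACK_FRAME = build_frame(HOST_MAC, GATEWAY_MAC, HOST_IP, "67.202.208.171", 6, 128,
                            struct.pack("!HHIIHHHH", 49207, 443, 407, 233, 0x5010, 48775, 0, 0))
# UDP DNS query from the host to the resolver; no DNS payload, so UDP length is 8.
DNS_QUERY_FRAME = build_frame(HOST_MAC, GATEWAY_MAC, HOST_IP, "209.18.47.61", 17, 128,
                              struct.pack("!HHHH", 53058, 53, 8, 0))

if __name__ == "__main__":
    for frame in (TCP_ACK_FRAME, DNS_QUERY_FRAME):
        for layer, fields in decode_frame(frame).items():
            print(layer, fields)
```

Running it prints the same field names Wireshark shows in its detail pane; the useful part is seeing that "Flag: 0x10 (ACK)" is just bit 4 of one 16-bit word, and that the DS field "0x00 (DSCP 0x00: Default; ECN: 0x00)" is one byte split 6/2.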
    1. Intercept several TCP packets until you can view the three-way handshake (read about this on pg 118 and 119). What are the sequence and acknowledgement numbers on all 3 segments?
                  Sequence number   Acknowledgement number
                  407               233
    (PSH, ACK)    407               233
                  233               465
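For the three-way handshake, the relationship between the numbers is what to look for: the SYN carries the client's initial sequence number (ISN), the SYN-ACK carries the server's ISN and acknowledges the client's ISN plus one, and the final ACK acknowledges the server's ISN plus one. Wireshark shows relative numbers by default (counted from each side's ISN), which is why a captured handshake reads seq 0, then seq 0/ack 1, then seq 1/ack 1. The code below is an added example, not part of the lab or of Wireshark; the ISNs are made-up values, and next_ack states the general rule that a segment is acknowledged at its sequence number plus the bytes it consumed (payload length, plus one each for SYN and FIN).

```python
# Added example, not from the lab write-up: how the sequence and acknowledgement
# numbers of the three handshake segments relate, and how Wireshark's relative
# numbering turns them into the 0 / 0,1 / 1,1 pattern seen in a capture.
# The initial sequence numbers used in __main__ are made-up values.

MOD = 2 ** 32  # sequence numbers are 32-bit and wrap around


def three_way_handshake(client_isn, server_isn):
    """Return the three segments as (sender, flags, seq, ack) tuples."""
    syn = ("client", {"SYN"}, client_isn, 0)
    syn_ack = ("server", {"SYN", "ACK"}, server_isn, (client_isn + 1) % MOD)
    ack = ("client", {"ACK"}, (client_isn + 1) % MOD, (server_isn + 1) % MOD)
    return [syn, syn_ack, ack]


def relative_numbers(segments, client_isn, server_isn):
    """Wireshark-style relative seq/ack: each side's seq counted from its own ISN,
    its ack counted from the peer's ISN (0 when the ACK flag is not set)."""
    out = []
    for sender, flags, seq, ack in segments:
        own, peer = (client_isn, server_isn) if sender == "client" else (server_isn, client_isn)
        rel_ack = (ack - peer) % MOD if "ACK" in flags else 0
        out.append((sender, sorted(flags), (seq - own) % MOD, rel_ack))
    return out


def is_valid_handshake(segments):
    """Rules a captured triple must satisfy: SYN from one side, SYN-ACK from the
    other acknowledging seq+1, then ACK from the first side acknowledging seq+1."""
    if len(segments) != 3:
        return False
    (s1, f1, seq1, _), (s2, f2, seq2, ack2), (s3, f3, seq3, ack3) = segments
    return (f1 == {"SYN"} and f2 == {"SYN", "ACK"} and f3 == {"ACK"}
            and s1 == s3 != s2
            and ack2 == (seq1 + 1) % MOD
            and seq3 == (seq1 + 1) % MOD
            and ack3 == (seq2 + 1) % MOD)


def next_ack(seq, payload_len, flags):
    """Acknowledgement number the receiver sends back for a segment: SYN and FIN
    each consume one sequence number, data consumes its length in bytes."""
    consumed = payload_len + ("SYN" in flags) + ("FIN" in flags)
    return (seq + consumed) % MOD


if __name__ == "__main__":
    client_isn, server_isn = 1000, 5000   # made-up ISNs
    segs = three_way_handshake(client_isn, server_isn)
    for raw, rel in zip(segs, relative_numbers(segs, client_isn, server_isn)):
        print(raw, "-> relative", rel)
    print("valid:", is_valid_handshake(segs))
    # After the handshake, a 58-byte PSH/ACK segment starting at seq 407 is acked at 465.
    print("next ack:", next_ack(407, 58, {"PSH", "ACK"}))
```

The "PSH, ACK" rows in a capture are data segments after the handshake, not the handshake itself; the handshake is the three segments flagged SYN, SYN/ACK and ACK, and the display filter tcp.flags.syn==1 narrows a capture to the first two of them.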


    2. Intercept an ARP frame. List the following:

      i. What is the destination MAC address? Why is this address used?
Target MAC address: 00:00:00_00:00:00
This is the hardware address.
      ii. What is the source MAC address? Why is this address used?
Sender MAC address: Cadant_33:20:c1
Hardware address of the intended receiver.
      iii. What is the destination IP address? Why is this address used?
Target IP address: 10.212.8.15
The IP address of the hardware.
      iv. What is the source IP address? Why is this address used?
Sender IP address: 10.212.0.1
IP address of the intended receiver.
      v. Write a paragraph about anything else you learned from capturing an ARP frame.
The ARP frame is Ethernet II; it shows the source MAC address and the destination address:
Address: Broadcast (ff:ff:ff:ff:ff:ff); .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast); Type: ARP (0x0806)
Under Address Resolution Protocol (request): Hardware type: Ethernet (0x0001); Protocol type: IP (0x0800); Hardware size: 6; Protocol size: 4; Opcode: request (0x0001)
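An ARP request is sent to the broadcast MAC ff:ff:ff:ff:ff:ff with an all-zero target MAC, because the target's hardware address is exactly what is being asked for; the owner of the target IP answers with a unicast reply that fills that field in. The code below is an added example, not part of the write-up or of Wireshark: it builds and decodes the 28-byte ARP packet with the fields quoted above (hardware type, protocol type, sizes, opcode, sender and target addresses) and adds a defender's consistency check that reports any IP address answered by more than one sender MAC across a set of captured replies, the kind of inconsistency a monitoring tool raises an alert on. The gateway MAC and the two IPs are the ones quoted in the ARP answers; the host's MAC is assumed to be the one seen in the TCP/UDP frames, and the second reply from 00:11:22:33:44:55 is a constructed conflicting binding.

```python
import struct

# Added example, not from the lab write-up: decode and build ARP packets, and
# run a small consistency check over a list of ARP replies. The gateway MAC
# and IPs are the ones quoted above; the host MAC is assumed from the TCP/UDP
# frames, and the conflicting reply from 00:11:22:33:44:55 is constructed.

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
OPCODES = {1: "request", 2: "reply"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def parse_arp_frame(frame):
    """Ethernet II header followed by the fixed 28-byte ARP packet for Ethernet/IPv4."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    (htype, ptype, hlen, plen, opcode,
     sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "hardware_type": htype, "protocol_type": ptype,
        "hardware_size": hlen, "protocol_size": plen,
        "opcode": OPCODES.get(opcode, str(opcode)),
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP frame. A request (opcode 1) is broadcast and
    normally carries an all-zero target MAC; a reply (opcode 2) goes unicast
    to the requester's MAC."""
    eth_dst = BROADCAST if opcode == 1 else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,   # Ethernet, IPv4, sizes 6 and 4
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def find_conflicting_bindings(frames):
    """Return {ip: set of MACs} for every IP that was claimed by more than one
    sender MAC in ARP replies: the inconsistency a defender looks for in a capture."""
    seen = {}
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp["opcode"] == "reply":
            seen.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


GATEWAY_MAC, GATEWAY_IP = "00:01:5c:33:20:c1", "10.212.0.1"
HOST_IP = "10.212.8.15"
HOST_MAC = "00:40:ca:8b:a4:81"   # assumption: the MAC seen in the TCP/UDP frames

REQUEST = build_arp(1, GATEWAY_MAC, GATEWAY_IP, ZERO_MAC, HOST_IP)        # "who has 10.212.8.15?"
REPLY = build_arp(2, HOST_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP)          # "10.212.8.15 is at HOST_MAC"
GATEWAY_REPLY = build_arp(2, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)
# Constructed: a second reply claiming the gateway IP from a different MAC.
CONFLICTING_REPLY = build_arp(2, "00:11:22:33:44:55", GATEWAY_IP, HOST_MAC, HOST_IP)

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY)):
        print(name, parse_arp_frame(frame))
    print("conflicts:", find_conflicting_bindings([REPLY, GATEWAY_REPLY, CONFLICTING_REPLY]))
```

Decoding REQUEST reproduces the capture above field by field (broadcast destination, hardware type 1, protocol type 0x0800, sizes 6 and 4, opcode 1, all-zero target MAC); the conflict check is the simplest form of what tools such as arpwatch do continuously.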
    1. Write at least a half page about Wireshark. What did you learn? What was interesting? Do you feel this is a valuable program? Etc.

       There are a lot of interesting things you can learn about your packets. Some of the information can be confusing. Some of the information that I viewed using UDP was interesting, but some of the data packets' MAC addresses were a bit confusing. I realize that the packets can be viewed as you send them in descending order. I found UDP on my blog address, which was surprising to me. I looked and looked for a UDP protocol and by luck I scrolled down almost to the bottom and I found one. When I learn more about all of this information, I will be able to analyze the data with a better understanding. Maybe this is a bit too much to comprehend at once, because some of the information is not that clear, especially about the three-way handshake; I think that there should be a filter for it.
