Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Transmission Control Protocol (TCP) traffic.

Readings

Preparation

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.
  4. Install the Telnet client.

Activity 1 - Capture TCP Traffic

To capture TCP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type telnet www.google.com 80 and press Enter.
  4. Close the command prompt to close the TCP connection.
  5. Stop the Wireshark capture.

Activity 2 - Analyze TCP SYN Traffic

To analyze TCP SYN traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only TCP traffic related to the web server connection, type tcp.port == 80 (lower case) in the Filter box and press Enter.
  2. Select the first TCP packet, labeled http [SYN].
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your default gateway's MAC address and the source should be your MAC address. You can use ipconfig /all to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the IP address of one of Google's web servers.
  9. Expand Transmission Control Protocol to view TCP details.
  10. Observe the Source port. Notice that it is a dynamic port selected for this connection.
  11. Observe the Destination port. Notice that it is http (80).
  12. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select the Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that SYN is set, indicating the first segment in the TCP three-way handshake.

Activity 3 - Analyze TCP SYN, ACK Traffic

To analyze TCP SYN, ACK traffic:

  1. In the top Wireshark packet list pane, select the second TCP packet, labeled SYN, ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the Google web server IP address.
  7. Observe the Destination address. Notice that the destination address is your IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is http (80).
  10. Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
  11. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
  12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane. Notice that the actual acknowledgement number is one greater than the sequence number in the previous segment.
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that SYN and ACK are set, indicating the second segment in the TCP three-way handshake.

Activity 4 - Analyze TCP ACK Traffic

To analyze TCP ACK traffic:

  1. In the top Wireshark packet list pane, select the third TCP packet, labeled http ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
  10. Observe the Destination port. Notice that it is http (80).
  11. Observe the Sequence number. Notice that it is 1 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
  12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane.
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP three-way handshake. The client has established a TCP connection with the server.

Activity 5 - Analyze TCP FIN ACK Traffic

To analyze TCP FIN ACK traffic:

  1. In the top Wireshark packet list pane, select the fourth TCP packet, labeled http FIN, ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
  10. Observe the Destination port. Notice that it is http (80).
  11. Observe the Sequence number. Notice that it is 1 (relative sequence number).
  12. Observe the Acknowledgement number. Notice that it is 1 (relative ack number).
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that FIN and ACK are set, indicating the first segment in the TCP teardown handshake. The client has indicated it is closing the TCP connection with the server.

Activity 6 - Analyze TCP FIN ACK Traffic

To analyze TCP FIN ACK traffic:

  1. In the top Wireshark packet list pane, select the fifth TCP packet, labeled FIN, ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your default gateway MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the Google web server IP address.
  7. Observe the Destination address. Notice that the destination address is your IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is http (80).
  10. Observe the Destination port. Notice that it is the same dynamic port selected for this connection.
  11. Observe the Sequence number. Notice that it is 1 (relative sequence number).
  12. Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that FIN and ACK are set, indicating the second segment in the TCP teardown handshake. The server has indicated it is closing the TCP connection with the client.

Activity 7 - Analyze TCP ACK Traffic

To analyze TCP ACK traffic:

  1. In the top Wireshark packet list pane, select the sixth TCP packet, labeled http ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your default gateway MAC address and the source should be your MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the Google web server IP address.
  8. Expand Transmission Control Protocol to view TCP details.
  9. Observe the Source port. Notice that it is the same dynamic port selected for this connection.
  10. Observe the Destination port. Notice that it is http (80).
  11. Observe the Sequence number. Notice that it is 2 (relative sequence number).
  12. Observe the Acknowledgement number. Notice that it is 2 (relative ack number).
  13. Expand Flags to view flag details.
  14. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP teardown handshake. The client has acknowledged the server closing the TCP connection.
  15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
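The six segments you stepped through in Activities 2 through 7, decoded in code. This is an added example, not part of the Wikiversity activity and not Wireshark's own code: it builds six constructed Ethernet II / IPv4 / TCP frames (the MAC addresses, IP addresses, dynamic port and initial sequence numbers are made-up sample values, not a real capture), parses the fields the activity has you observe, applies the equivalent of the tcp.port == 80 display filter, and reproduces Wireshark's "relative" sequence and acknowledgement numbers from the absolute ones shown in the bytes pane.

```python
import struct

# TCP flag bits, in the order Wireshark prints them in the packet list label.
FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
              (0x10, "ACK"), (0x20, "URG")]

# Constructed sample values (not from a real capture).
CLIENT_MAC, GATEWAY_MAC = "02:00:00:00:00:01", "02:00:00:00:00:fe"
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.80"
CLIENT_PORT, HTTP_PORT = 49762, 80
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x9F8E7D6C   # absolute initial sequence numbers


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Build a minimal Ethernet II / IPv4 / TCP frame with no options and no payload.
    Checksums are left at zero: this is test data, not something to put on a wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + tcp


def parse_frame(frame):
    """Decode the fields the activity asks you to observe in the packet details pane."""
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {
        "dst_mac": dst_mac, "src_mac": src_mac,
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,              # absolute numbers, as in the bytes pane
        "flags": off_flags & 0x01FF,         # low 9 bits: NS plus the 8 classic flags
    }


def flag_label(flags):
    """Same text Wireshark puts in square brackets in the packet list, e.g. 'SYN, ACK'."""
    return ", ".join(name for bit, name in FLAG_NAMES if flags & bit)


def matches_tcp_port(pkt, port=80):
    """Equivalent of the display filter  tcp.port == 80  (matches either direction)."""
    return port in (pkt["sport"], pkt["dport"])


def relative_numbers(pkts):
    """Reproduce Wireshark's relative sequence numbers: each direction's first seq
    becomes that direction's base; the ack is shown relative to the opposite base."""
    base, rows = {}, []
    for p in pkts:
        fwd = (p["src_ip"], p["sport"], p["dst_ip"], p["dport"])
        rev = (p["dst_ip"], p["dport"], p["src_ip"], p["sport"])
        base.setdefault(fwd, p["seq"])
        rel_seq = (p["seq"] - base[fwd]) & 0xFFFFFFFF
        has_ack = bool(p["flags"] & 0x10) and rev in base
        rel_ack = (p["ack"] - base[rev]) & 0xFFFFFFFF if has_ack else 0
        rows.append((flag_label(p["flags"]), rel_seq, rel_ack))
    return rows


def handshake_acks_are_consistent(pkts):
    """What step 12 of Activity 3 has you confirm by eye: each ACK in the three-way
    handshake is one greater than the sequence number it acknowledges."""
    syn, synack, ack = pkts[0], pkts[1], pkts[2]
    return (synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF and
            ack["ack"] == (synack["seq"] + 1) & 0xFFFFFFFF)


def activity_frames():
    """The six segments of Activities 2-7, client -> gateway and back, as raw bytes."""
    c2s = (CLIENT_MAC, GATEWAY_MAC, CLIENT_IP, SERVER_IP, CLIENT_PORT, HTTP_PORT)
    s2c = (GATEWAY_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, HTTP_PORT, CLIENT_PORT)
    c, s = CLIENT_ISN, SERVER_ISN
    return [
        build_frame(*c2s, c,     0,     0x02),   # [SYN]
        build_frame(*s2c, s,     c + 1, 0x12),   # [SYN, ACK]
        build_frame(*c2s, c + 1, s + 1, 0x10),   # [ACK]       connection established
        build_frame(*c2s, c + 1, s + 1, 0x11),   # [FIN, ACK]  client closes
        build_frame(*s2c, s + 1, c + 2, 0x11),   # [FIN, ACK]  server closes
        build_frame(*c2s, c + 2, s + 2, 0x10),   # [ACK]       teardown complete
    ]


def decode_activity():
    """Filter on port 80 and return (label, relative seq, relative ack) per segment."""
    pkts = [parse_frame(f) for f in activity_frames()]
    return relative_numbers([p for p in pkts if matches_tcp_port(p)])


if __name__ == "__main__":
    for label, rel_seq, rel_ack in decode_activity():
        print(f"[{label:<8}] seq={rel_seq} ack={rel_ack}")
```

Running it prints one line per segment with the same relative numbers the activity has you read off: 0/0 for the SYN, 0/1 for the SYN, ACK, 1/1 for the handshake ACK and the client's FIN, ACK, 1/2 for the server's FIN, ACK, and 2/2 for the final ACK. The relative view hides the randomised initial sequence numbers; switch to the absolute values in the dict (or the bytes pane in Wireshark) when you need to confirm that an acknowledgement really is the previous sequence number plus one, which is the check in handshake_acks_are_consistent.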
