
MIS 564 Wireshark Project (105 points)

Name: Click or tap here to enter text.

Important!

All commands in the project should be run on the same computer connected to the same network so that answers to different questions can be cross-checked.

In this project, you will use Wireshark to capture and analyze network packets. Wireshark is one of the most popular network protocol analyzers, and is the de facto standard that most professional and educational institutions use today. Wireshark enables you to see all packets sent and received by your computer. Go to www.wireshark.org to download and install Wireshark.

Watch the two Wireshark tutorials listed below to learn the basics of Wireshark:

· Tutorial 1. A YouTube video. This tutorial explains display filters in detail.

· Tutorial 2. A LinkedIn Learning video. A great introduction to Wireshark.

Some instructions in this assignment are based on a Windows computer. If you only have access to a Mac computer and do not know the corresponding commands, you can use a Citrix virtual desktop provided by the university: https://www.uis.edu/its/services-uis/instructional-technology#citrix.

Requirements:

· Questions must be answered in your own words rather than with a screenshot, except when asked to take screenshots specifically, of course.

· When taking screenshots, only capture the area relevant to the question. (Example screenshots are typically provided.) Points will be deducted if screenshots are taken for the entire desktop where the relevant area is only a small part of it.

· Do not convert the file to PDF format. A Word file should be submitted.

1. Your Computer’s Network Settings

1.1 Open a command prompt window. Run the command ipconfig /all to find the IP addresses of your computer and its DNS server(s). Take a screenshot of the results (see an example below). Use the information listed under “Ethernet adapter Local Area Connection”, “Wireless LAN adapter Wi-Fi”, etc. Do not use the information listed under “Ethernet adapter Npcap Loopback Adapter” (that adapter is installed by Wireshark's packet capture driver and is not your Internet-facing interface). List your computer’s IP address (list all addresses displayed: IPv4, IPv6, temporary) and its DNS servers (list all DNS servers if there are multiple) below the screenshot. – 5 points
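Added example (not part of the assignment): a small Python parser that pulls exactly the fields question 1.1 asks for out of `ipconfig /all` output, skipping the Npcap Loopback Adapter and keeping the IPv4, IPv6, temporary and link-local addresses plus every DNS server (including the continuation lines Windows prints when there is more than one). The sample output, host name and addresses are constructed for illustration (documentation and private ranges), not taken from a real machine.

```python
import re

# Constructed sample of `ipconfig /all` output (not a real machine's output).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAB-PC

Ethernet adapter Npcap Loopback Adapter:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 169.254.12.34(Preferred)
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : example.net
   IPv6 Address. . . . . . . . . . . : 2001:db8:1::10(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:1::abcd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.25(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       2001:db8:1::1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")        # "Wireless LAN adapter Wi-Fi:"
FIELD_RE = re.compile(r"^\s{3}(.+?)[ .]*: ?(.*)$")         # "   IPv4 Address. . . : 1.2.3.4"
CONT_RE = re.compile(r"^\s{20,}(\S.*)$")                   # extra DNS server on its own line


def parse_ipconfig(text):
    """Return {adapter: {"addresses": [(field, value)], "dns": [...]}} per adapter,
    skipping the Npcap Loopback Adapter as the assignment requires."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            name = m.group(1)
            current = None if "Npcap Loopback" in name else adapters.setdefault(
                name, {"addresses": [], "dns": []})
            last_field = None
            continue
        if current is None:                       # before any adapter, or inside Npcap
            continue
        m = CONT_RE.match(line)
        if m:
            if last_field == "dns":               # second/third DNS server
                current["dns"].append(m.group(1).strip())
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        field, value = m.group(1).strip(), m.group(2).strip().replace("(Preferred)", "")
        if field == "DNS Servers":
            current["dns"].append(value)
            last_field = "dns"
        elif field.endswith("Address"):           # IPv4, IPv6, Temporary IPv6, Link-local IPv6
            current["addresses"].append((field, value))
            last_field = "addr"
        else:
            last_field = None
    return adapters


def answer_1_1(text):
    """Flatten the parse into the two lists question 1.1 asks for."""
    parsed = parse_ipconfig(text)
    addresses = [v for a in parsed.values() for _, v in a["addresses"]]
    dns = [d for a in parsed.values() for d in a["dns"]]
    return addresses, dns


if __name__ == "__main__":
    addrs, dns = answer_1_1(SAMPLE_IPCONFIG)
    print("Addresses:", addrs)
    print("DNS servers:", dns)
```

The same function can be rerun on the second `ipconfig /all` screenshot for question 4.2, so the before/after comparison is a list comparison rather than a visual one.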

Insert your answer and/or screenshot below in this box.

1.2 We’ve learned many protocols in this class, most of which operate at a particular layer of the Internet model. Match the following protocols with their Internet model layers by copying and pasting each one into the corresponding row of the table below. – 5 points

SMTP, IMAP, POP3, FTP, Ethernet II, PPP, TCP, IPv4, UDP, IPv6, DNS

Layer               Protocol

Application Layer   HTTP,

Transport Layer

Network Layer

Data Link Layer

2. HTTP Packets

In this part of the project, you will use Wireshark to capture and analyze HTTP packets.

· Start Wireshark.

· Select a network interface, such as Wi-Fi or Local Area Connection. If multiple interfaces are listed, you need to select the one that is used for Internet access.

· Click “Capture” > “Start” to start capturing packets.

· Open a Web browser. Visit one or more unencrypted websites. (Most of today’s websites are encrypted, which will prevent you from viewing the HTTP messages in Wireshark.) To find an unencrypted website, Google “List of HTTP websites for testing” and select a website whose URL starts with http:// instead of https://, such as http://www.softwareqatest.com/index.html or http://www.testingmcafeesites.com/. Once you are on the website, click a few links to generate some network traffic.

· In Wireshark, stop capturing packets. (Click “Capture” > “Stop”.)

· In Wireshark, apply the display filter http to show HTTP packets only (explained in the Wireshark tutorial videos).

· In the Packet List window, select one of the HTTP packets (it should say “HTTP” rather than “SSDP” under the column “Protocol”).

The three panes in Wireshark are called the “Packet List Window”, “Packet Detail Window”, and “Packet Content Window”, respectively, in this document (see the picture below; Wireshark itself labels them Packet List, Packet Details and Packet Bytes). The Packet List Window lists the packets captured by Wireshark. The Packet Detail Window shows the details of the packet selected in the Packet List Window, including the protocol used at each network layer.

2.1 With an HTTP packet selected in the Packet List Window (it should say “HTTP” rather than “SSDP” under the column “Protocol”), take a screenshot of the Packet List Window. (See an example below.) Make sure that words in your screenshot are big enough for easy reading. – 5 points

Insert your answer and/or screenshot below in this box.

2.2 Take a screenshot of the entire Packet Detail Window (do NOT expand any entries in the window; see an example below). Make sure that all information in the window is included in your screenshot. What are the source and destination IP addresses of the packet? – 5 points

Insert your answer and/or screenshot below in this box.

2.3 HTTP request messages start with a method, such as GET. Do some research on the Internet about commonly used HTTP request methods. Describe each method briefly. – 5 points

Insert your answer and/or screenshot below in this box.

2.4 In the Packet Detail Window, click on the > icon before the HTTP entry to expand it. Take a screenshot of the Packet Detail window. Is the packet an HTTP request or response message? Why? – 5 points

Insert your answer and/or screenshot below in this box.

2.5 Expand the transport layer protocol entry in the Packet Detail Window. Take a screenshot of the Packet Detail window. Answer the following questions below the screenshot. What is the transport layer protocol used in this packet? What are the source and destination port numbers? What is the length of the transport layer header? – 5 points

Insert your answer and/or screenshot below in this box.

2.6 Expand the network layer protocol entry in the Packet Detail Window. Take a screenshot of the Packet Detail window. Answer the following questions below the screenshot. What is the network layer protocol used in this packet? What is the total length or the payload length of the packet at the network layer? – 5 points

Insert your answer and/or screenshot below in this box.

2.7 What is the data link layer protocol used in this packet? What are the source and destination data link layer addresses? (Answers can be found in the Packet Detail Window.) – 5 points
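Added example (Python, standard library only; not part of the assignment and not Wireshark code) covering questions 2.2 to 2.7 in one place: it builds a constructed Ethernet II / IPv4 / TCP frame carrying an HTTP GET, then decodes it layer by layer and returns the very fields the questions ask for (data link addresses, network protocol and total length, transport ports and header length, and whether the HTTP payload is a request or a response). The MAC addresses, the 203.0.113.10 server address and the ephemeral port are made up; checksums are left at zero, which Wireshark would flag but which does not affect decoding.

```python
import socket
import struct

# Commonly used HTTP request methods (question 2.3) with a one-line meaning.
HTTP_METHODS = {
    "GET": "retrieve a resource", "HEAD": "like GET, but only the headers are returned",
    "POST": "submit data to a resource", "PUT": "replace a resource with the request body",
    "DELETE": "remove a resource", "OPTIONS": "ask which methods a resource supports",
    "TRACE": "echo the request back to the client", "CONNECT": "open a tunnel via a proxy",
    "PATCH": "apply a partial modification to a resource",
}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame around `payload` (checksums zero)."""
    options = b"\x01\x01\x08\x0a" + struct.pack("!II", 123456, 0)   # NOP, NOP, Timestamp
    data_offset = (20 + len(options)) // 4                            # TCP header length / 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      data_offset << 4, 0x18, 65535, 0, 0) + options  # flags = PSH, ACK
    total_length = 20 + len(tcp) + len(payload)                       # IPv4 "Total Length"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")     # EtherType IPv4
    return eth + ip + tcp + payload


def classify_http(payload):
    """Request or response? Decided from the start line, as Wireshark's HTTP entry shows."""
    start_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    first, _, rest = start_line.partition(" ")
    if first.startswith("HTTP/"):                     # status line: "HTTP/1.1 200 OK"
        code, _, reason = rest.partition(" ")
        return {"kind": "response", "version": first, "status": code, "reason": reason}
    if first in HTTP_METHODS:                         # request line: "GET /path HTTP/1.1"
        target, _, version = rest.partition(" ")
        return {"kind": "request", "method": first, "target": target, "version": version}
    return {"kind": "unknown", "start_line": start_line}


def decode_frame(frame):
    """Walk the frame from the data link layer up, collecting what questions 2.2-2.7 ask."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"data_link": {"protocol": "Ethernet II", "src": mac_str(src_mac), "dst": mac_str(dst_mac)}}
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length in bytes
    total_length = struct.unpack("!H", ip[2:4])[0]
    out["network"] = {"protocol": "IPv4", "src": socket.inet_ntoa(ip[12:16]),
                      "dst": socket.inet_ntoa(ip[16:20]),
                      "total_length": total_length, "header_length": ihl}
    if ip[9] != 6:
        raise ValueError("not TCP: protocol %d" % ip[9])
    tcp = ip[ihl:total_length]
    sport, dport = struct.unpack("!HH", tcp[:4])
    thl = (tcp[12] >> 4) * 4                          # TCP data offset -> header length
    out["transport"] = {"protocol": "TCP", "src_port": sport, "dst_port": dport, "header_length": thl}
    out["application"] = classify_http(tcp[thl:])
    return out


# Constructed request to the unencrypted test site named in the assignment.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.softwareqatest.com\r\n"
                  b"User-Agent: example\r\n\r\n")
SAMPLE_FRAME = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           "192.168.1.25", "203.0.113.10", 52714, 80, SAMPLE_REQUEST)

if __name__ == "__main__":
    for layer, fields in decode_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

With a capture of your own you can compare each value against the Packet Detail Window: the Ethernet II line gives the data link addresses, the IPv4 line the total length, the TCP line the ports and header length, and the first line under HTTP tells you whether you selected a request (method first) or a response (version first).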

Insert your answer and/or screenshot below in this box.

3. SMTP and POP Packets

In this part of the project, you will use Wireshark to analyze email packets. Two Wireshark files – SMTP_Capture.pcap, POP3_Capture.pcap – that contain SMTP and POP3 packets are posted on the course site. Download the files to your computer. You do not need to capture packets yourself for this part of the project.

· The SMTP_Capture.pcap packet file contains packets sent between an email client (IP address: 192.168.1.100) and server (IP address: 128.196.40.4) where the client sent an email to the server. Packet 8 is the start of the email that identifies the sender.

· Do some research on the Internet about SMTP commands. In Wireshark, these commands are listed under the Info column.

· In Wireshark, open the SMTP_Capture.pcap file.

· Clear the HTTP filter if it’s still there.

3.1 Do some research on the Internet and explain the concept and process of the TCP three-way handshake in a short paragraph. You must list the three steps. – 5 points

Insert your answer and/or screenshot below in this box.

Questions 3.2 to 3.4 are based on the file SMTP_Capture.pcap.

3.2 Take a screenshot of the first three TCP packets from the Packet List window in Wireshark. The three packets form the TCP handshake process. Examine information in the Packet Detail window. List the source IP address, source port number, destination IP address, and destination port number of the three TCP packets. – 5 points

Insert your answer and/or screenshot below in this box.

· Packet 14 contains the first part of the email message that the user wrote.

3.3 List the SMTP packets, by the packet number, that were sent from the client to the server before packet 14. (Hint: In the Packet List window, packets sent from client to server are marked “C:” in the Info field.) Explain the purpose of each packet. (You might need to do some research on the Internet on the meaning of SMTP commands, such as EHLO in packet 5). – 5 points

Insert your answer and/or screenshot below in this box.

3.4 The SMTP command for sending the message body of an email is DATA (listed under the Info column in Wireshark). The message body is usually broken down into multiple packets because it is too big to fit into one packet. Starting from packet 14, how many packets was the email message broken down into and sent from the client to the server? List the packet numbers. – 5 points
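Added example (Python, not part of the assignment) for questions 3.1 to 3.4. It works over a constructed packet list that imitates the SMTP_Capture.pcap description (client 192.168.1.100, server 128.196.40.4); the packet numbers, ports, sequence numbers, mailbox names and message text are invented and will not match the real capture. It (1) locates the three-way handshake by checking the SYN, SYN/ACK, ACK flag sequence and that the sequence and acknowledgement numbers chain correctly, (2) lists the client commands sent before the message body with their purpose, and (3) collects the segments that carry the DATA body until the lone “.” terminator.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "num src sport dst dport flags seq ack payload")

# Purpose of the SMTP commands that appear before and around the message body.
SMTP_COMMANDS = {
    "EHLO": "client introduces itself and asks for the server's extensions",
    "MAIL": "MAIL FROM: names the sender (envelope return path)",
    "RCPT": "RCPT TO: names one recipient (repeated per recipient)",
    "DATA": "announces the message body; server answers 354, body ends with CRLF.CRLF",
    "QUIT": "closes the SMTP session",
}

CLIENT, SERVER = "192.168.1.100", "128.196.40.4"   # addresses from the assignment text


def pkt(num, src, dst, flags, seq=0, ack=0, payload=b""):
    """Constructed packet; seq/ack are only filled in where the handshake check needs them."""
    sport, dport = (49152, 25) if src == CLIENT else (25, 49152)
    return Packet(num, src, sport, dst, dport, flags, seq, ack, payload)


# Constructed capture: packet numbers do NOT correspond to the real SMTP_Capture.pcap.
SMTP_CAPTURE = [
    pkt(1, CLIENT, SERVER, "S", seq=1000, ack=0),
    pkt(2, SERVER, CLIENT, "SA", seq=5000, ack=1001),
    pkt(3, CLIENT, SERVER, "A", seq=1001, ack=5001),
    pkt(4, SERVER, CLIENT, "PA", payload=b"220 mail.example.edu ESMTP ready\r\n"),
    pkt(5, CLIENT, SERVER, "PA", payload=b"EHLO client.example.net\r\n"),
    pkt(6, SERVER, CLIENT, "PA", payload=b"250-mail.example.edu\r\n250 SIZE 10240000\r\n"),
    pkt(7, CLIENT, SERVER, "A"),                     # bare ACK, no SMTP data
    pkt(8, CLIENT, SERVER, "PA", payload=b"MAIL FROM:<alice@example.net>\r\n"),
    pkt(9, SERVER, CLIENT, "PA", payload=b"250 OK\r\n"),
    pkt(10, CLIENT, SERVER, "PA", payload=b"RCPT TO:<bob@example.edu>\r\n"),
    pkt(11, SERVER, CLIENT, "PA", payload=b"250 OK\r\n"),
    pkt(12, CLIENT, SERVER, "PA", payload=b"DATA\r\n"),
    pkt(13, SERVER, CLIENT, "PA", payload=b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    pkt(14, CLIENT, SERVER, "PA", payload=b"From: alice@example.net\r\nTo: bob@example.edu\r\n"
                                           b"Subject: Wireshark project\r\n\r\n"),
    pkt(15, CLIENT, SERVER, "PA", payload=b"The body is split across several segments,\r\n"),
    pkt(16, SERVER, CLIENT, "A"),                     # server ACKs the first two segments
    pkt(17, CLIENT, SERVER, "PA", payload=b"so DATA is followed by more than one packet.\r\n.\r\n"),
    pkt(18, SERVER, CLIENT, "PA", payload=b"250 OK: queued\r\n"),
    pkt(19, CLIENT, SERVER, "PA", payload=b"QUIT\r\n"),
]


def find_handshake(packets):
    """Return the (SYN, SYN/ACK, ACK) triple that opens a connection, or None.
    Besides the flags, the seq/ack numbers must chain: ack = peer's seq + 1."""
    for i in range(len(packets) - 2):
        a, b, c = packets[i:i + 3]
        if (a.flags == "S" and b.flags == "SA" and c.flags == "A"
                and (b.src, b.sport, b.dst, b.dport) == (a.dst, a.dport, a.src, a.sport)
                and b.ack == a.seq + 1 and c.seq == a.seq + 1 and c.ack == b.seq + 1):
            return a, b, c
    return None


def smtp_client_commands_before_data(packets, client_ip):
    """(packet number, command line, purpose) for each client command up to and including DATA."""
    commands = []
    for p in packets:
        if p.src != client_ip or not p.payload:
            continue
        line = p.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        verb = line.split(" ", 1)[0].split(":")[0].upper()
        commands.append((p.num, line, SMTP_COMMANDS.get(verb, "unknown command")))
        if verb == "DATA":
            break
    return commands


def smtp_data_segments(packets, client_ip):
    """Packet numbers of the client segments carrying the DATA body, plus the reassembled body."""
    in_body, nums, body = False, [], b""
    for p in packets:
        if p.src != client_ip or not p.payload:
            continue
        if not in_body:
            in_body = p.payload.upper().startswith(b"DATA")
            continue
        nums.append(p.num)
        body += p.payload
        if body.endswith(b"\r\n.\r\n"):      # lone "." line terminates the body
            break
    return nums, body


if __name__ == "__main__":
    print("handshake:", [p.num for p in find_handshake(SMTP_CAPTURE)])
    for num, line, purpose in smtp_client_commands_before_data(SMTP_CAPTURE, CLIENT):
        print(num, line, "->", purpose)
    print("DATA segments:", smtp_data_segments(SMTP_CAPTURE, CLIENT)[0])
```

On the real capture the same logic applies: filter on the client address, skip segments with no payload (Wireshark shows those as plain TCP, not SMTP), and keep counting body segments until the one whose data ends with the lone dot.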

Insert your answer and/or screenshot below in this box.

· The POP3 packet file contains packets sent between an email client (IP address: 128.196.239.91) and server (IP address: 128.192.40.4) where the client retrieved an email from the server.

· Do some research on the Internet about POP3 commands. In Wireshark, these commands are listed under the Info column.

· In Wireshark, open the POP3 packet file.

Question 3.5 is based on the file POP3_Capture.pcap.

3.5 What is the port number for POP3 on the email server? (The information can be found in any POP3 packet.) – 2 points

Insert your answer and/or screenshot below in this box.

4. DNS Packets

In this part of the project, you will use Wireshark to capture and analyze DNS packets. Follow the exact steps listed below. You might not be able to capture the needed packets otherwise.

· Open a Web browser, go to http://www.uchicago.edu/. Do not click on any links on the page. Close all other tabs/windows in your Web browser.

· Take the following two steps to clear DNS cache from your computer and Web browser:

i. Open a command prompt window, run the command ipconfig /flushdns to clear the DNS cache from your computer.

ii. Follow instructions on this website to clear DNS cache from your Web browser.

· In Wireshark, start packet capturing. Select “continue without saving” if prompted.

· In your Web browser, reload the University of Chicago home page (look for the reload/refresh button in or around the address box). Do not visit any other websites.

· In Wireshark, stop packet capturing.

· When applicable, questions in this section are based on packets captured in the above steps.

4.1 What is the Domain Name System? How are domain names resolved on the Internet? Must elaborate. Answer each question in a separate paragraph. Must answer in your own words. – 5 points

Insert your answer and/or screenshot below in this box.

4.2 Redo Question 1.1. Take another screenshot of the results. Compare the results, i.e. your computer’s IP address(es) and its DNS servers, to those obtained in Question 1.1. Have the IP addresses changed? Is that what you expected? Why? – 5 points

Insert your answer and/or screenshot here.

4.3 In Wireshark, apply a DNS filter to display DNS packets only. Locate the two packets for www.uchicago.edu (one query packet and one response packet). If necessary, adjust the width of the two IP address columns so that the entire IP addresses are visible. Take a screenshot (or screenshots) of the two packets in the Packet List Window (see an example below; the transaction ID, such as 0x9952 in the example below, should match in the two packets). If there are more than two packets in your screenshot, mark the two required packets in the screenshot or list their packet numbers below the screenshot. The example below shows the DNS packets for the City of Springfield website. Notice that it says “Standard query” and “Standard query response” under the Info column. If you have difficulty in capturing the DNS packets for www.uchicago.edu, a different server name can be used. Just make sure that the two packets, i.e. the query and the response packets, match, i.e. have the same transaction ID. – 5 points

Insert your answer and/or screenshot below in this box.

· The DNS packets in Questions 4.4 – 4.7 refer to the two DNS packets that you identified in Question 4.3.

4.4 As you have learned in answering Question 4.1, the two DNS packets that you captured are supposed to be sent between your computer and one of the DNS servers. Is that what happened? Why or why not? Hint: look at the IP addresses. – 5 points

Insert your answer and/or screenshot below in this box.

4.5 With the response DNS packet selected in the Packet List window, expand the Domain Name System entry and the Answers sub-entry in the Packet Detail window (see the example below). If there are sub-entries under Answers, expand those as well until you see a valid IP address. Take a screenshot of the entire Packet Detail window, starting from the “Frame …” line. – 5 points

Insert your answer and/or screenshot below in this box.

4.6 Explain the meaning of the following fields in the Answers sub-entry in the DNS response packet: Name, Type, Class, Time to live, Address. (You might need to do some research on the Internet. Here’s a reference: https://blog.dnsimple.com/2015/03/whats-in-a-dns-response/ ) – 5 points

Insert your answer and/or screenshot below in this box.

4.7 DNS often uses UDP, instead of TCP, at the transport layer. Is that the case for the DNS response packet that you captured? What are the source and destination port numbers in your DNS response packet? – 3 points
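Added example (Python, standard library only; not part of the assignment) for questions 4.3 and 4.5 to 4.7. It constructs a DNS query and response for www.uchicago.edu with transaction ID 0x9952 (the ID from the assignment's example), each wrapped in a UDP header, then pairs them the way question 4.3 does (same transaction ID, one query and one response, response from port 53 back to the query's source port) and decodes the Answers section into the Name, Type, Class, Time to live and Address fields of question 4.6. The answer address 203.0.113.45, the TTL and the client port are made up; the name is encoded with a compression pointer, which is what a real response looks like in the Packet Detail Window.

```python
import socket
import struct

RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_name(name):
    """'www.uchicago.edu' -> b'\\x03www\\x08uchicago\\x03edu\\x00'"""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # QR=0, RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_response(txid, name, address, ttl):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, one answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(address)
    return header + question + answer


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0


def parse_udp(datagram):
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "payload": datagram[8:length]}


def read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                               # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(read_name(msg, pointer)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(msg):
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "is_response": bool(flags & 0x8000), "questions": [], "answers": []}
    offset = 12
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        out["questions"].append({"name": name, "type": RR_TYPES.get(qtype, qtype),
                                 "class": "IN" if qclass == 1 else qclass})
    for _ in range(ancount):                                    # the "Answers" sub-entry
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        rr = {"name": name, "type": RR_TYPES.get(rtype, rtype),
              "class": "IN" if rclass == 1 else rclass, "ttl": ttl}
        if rtype == 1:
            rr["address"] = socket.inet_ntoa(rdata)
        elif rtype == 28:
            rr["address"] = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 5:
            rr["cname"] = read_name(msg, offset)[0]
        offset += rdlen
        out["answers"].append(rr)
    return out


def match_query_response(query_dgram, response_dgram):
    """Question 4.3's pairing rule plus the port check of 4.7; returns (ok, query, response)."""
    q_udp, r_udp = parse_udp(query_dgram), parse_udp(response_dgram)
    q, r = parse_dns(q_udp["payload"]), parse_dns(r_udp["payload"])
    ok = (q["id"] == r["id"] and not q["is_response"] and r["is_response"]
          and q_udp["dst_port"] == 53 and r_udp["src_port"] == 53
          and r_udp["dst_port"] == q_udp["src_port"])
    return ok, q, r


# Constructed datagrams: client port 54321, resolver port 53, made-up answer address.
QUERY_DGRAM = build_udp(54321, 53, build_query(0x9952, "www.uchicago.edu"))
RESPONSE_DGRAM = build_udp(53, 54321, build_response(0x9952, "www.uchicago.edu", "203.0.113.45", 300))

if __name__ == "__main__":
    ok, query, response = match_query_response(QUERY_DGRAM, RESPONSE_DGRAM)
    print("matched:", ok, "id: 0x%04x" % query["id"])
    print("answers:", response["answers"])
```

If the response you capture carries a CNAME followed by an A record, the Answers entry has more than one sub-entry; this parser lists all of them, which is why question 4.5 tells you to keep expanding until an IP address appears.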

Insert your answer and/or screenshot below in this box.

4.8 Why does DNS often use UDP, instead of TCP, at the transport layer? Must elaborate. (You might need to research the question on the Internet.) – 5 points

Insert your answer and/or screenshot below in this box.
