
Faculty of Science & Technology

This assignment requires students to:

Become familiar with Wireshark capture filters.

Document the qualifiers used in capture filters.

Construct and use capture filters to capture specific network traffic.

Include screen shots of captured network traffic and present them with associated
discussion.

Part 1 Wireshark and traffic capture basics


Describe what the term promiscuous mode means in relation to capturing network
traffic with Wireshark and similar network traffic analysers.

Answer: By default a network adapter discards frames that are not addressed to it, that is, frames whose destination MAC address is not the adapter's own unicast address, the broadcast address, or a multicast group the host has joined. Promiscuous mode switches that hardware filter off so that every frame the adapter receives is passed up to the host, and Wireshark (or tcpdump, tshark and similar tools built on libpcap) can record traffic exchanged between other hosts on the same segment. Promiscuous mode is not the same as 802.11 monitor mode: a wireless adapter in promiscuous mode still only sees frames on the network it is associated with, presented as Ethernet-style frames, whereas monitor mode captures raw 802.11 frames (management, control and data frames of every nearby network) without being associated. On a switched network promiscuous mode alone does not reveal other hosts' unicast traffic, because the switch never forwards it to the capturing port (see the hub/switch question below).
[ 1 mark ]
The Capture > Options dialog allows the Name Resolution of Network Layer names.
Describe what this means and describe how it could be used for capturing network
traffic.
ANSWER:

CRICOS Provider No. 00103D

Page 1 of 18

1. Name resolution tries to replace the numerical identifiers Wireshark shows (MAC addresses, IP addresses and port numbers) with human-readable names; each kind can be switched on or off separately in the Capture > Options dialog.
2. Resolve MAC addresses: the first three bytes of a MAC address (the OUI) are looked up in the IEEE manufacturer list, so 28:cf:e9:1e:df:a9 is shown as Apple_1e:df:a9 (28:cf:e9 is registered to Apple). A MAC address is never translated into an IP address; that mapping only exists in ARP traffic.
3. Resolve network-layer names (IP name resolution): convert an IP address to its hostname (for example, 216.58.220.46 to a google.com hostname).
4. Resolve transport-layer names (TCP/UDP port name resolution): convert well-known port numbers to their service names (for example, 443 to https). This is a lookup in a static services table, so it labels whatever uses port 443 as https whether or not the traffic really is TLS.
5. Use an external network name resolver: Wireshark performs a reverse DNS (PTR) lookup for each unique IP address it sees (for example 216.58.196.14 to ns4.google.com). Note that this generates DNS queries from the capturing machine, which appear in the capture and tell the DNS server which addresses you are looking at; it is usually left off for forensic work.

How this is used when capturing: a capture filter such as host google.com contains a name rather than an address. libpcap resolves the name to one or more IP addresses once, when the filter is compiled at the start of the capture, and the compiled filter matches only those addresses. If the name later resolves to a different address (load-balanced services such as Google rotate addresses), those packets are missed, so using the address directly (host 216.58.220.46) is more reliable.
[ 1 mark ]
Describe the difference between a network switch and a network hub. Then explain how switched networks limit the network traffic that is visible to Wireshark in comparison to networks that used hubs. (Note: switches are the technology used in today's computer networks.)
ANSWER: Hubs and switches are different types of network equipment that connect
devices. They differ in the way that they pass on the network traffic that they receive.

Hubs: a hub is a multi-port repeater. It simply passes on (repeats) every frame it receives out of every other port, so all devices connected to it receive all traffic. Hubs can be used to extend a network, but repeating everything sends a lot of unnecessary traffic to every device and all ports share one collision domain. The hub forwards frames regardless of the intended destination; each PC uses the destination address in the frame to decide which frames are meant for it and normally discards the rest. In a small network this is not a problem, but in a larger, more heavily used network a switch is needed to cut down the unnecessary traffic.

Switches: a switch forwards frames based on the destination MAC address. It learns which MAC address is behind each port by looking at the source address of the frames it receives (its MAC address table, or CAM table), and then forwards a frame only to the port where the destination is known to be. This allows several conversations across the switch at once, improving usable bandwidth, and avoids the unnecessary traffic a hub generates by sending every frame out of every port. A switch still floods three kinds of frames to all ports: broadcasts, multicasts (unless it does IGMP snooping) and unicasts to a destination MAC address it has not learned yet.

Effect on Wireshark: on a hub, a machine running Wireshark in promiscuous mode sees every frame on the segment, including conversations between two other hosts. On a switch, the same machine only sees frames addressed to its own MAC address, broadcasts, multicasts and the occasional flooded unknown-unicast frame; unicast traffic between two other hosts never arrives at its port, so it cannot be captured no matter how the capture filter is written. To capture other hosts' traffic on a switched network the switch has to copy it to your port (a SPAN or mirror port), a hardware network TAP has to be inserted into the link, or you capture on one of the hosts involved (or on the gateway). Techniques that trick a switch into delivering the traffic (MAC flooding to overflow the CAM table, ARP spoofing) exist but are attacks rather than capture configuration and may only be used on networks you are authorised to test.

Using a hub or switch: historically a hub (or collection of hubs) could cope with the traffic of a small network (fewer than about 30 users), a switch was added at around 50 users to divide the groups of hubs and cut down the unnecessary traffic, and hubs with network utilisation LEDs showed when a segment was constantly busy and needed dividing. There were also rules limiting how many hubs could be chained together, which switches were used to extend. Today practically every wired network is fully switched, and hubs are rarely found outside legacy equipment.
[ 2 marks ]
In TCP/IP networking IP addresses are used to identify specific computers (or hosts) on the network, clients use port numbers to specify a particular instance of a client program (for example a specific tab on a web browser) and servers normally use well-known port numbers on which to listen for client requests. For instance ftp at the server uses ports 20 and 21.
From the web or any other source determine the well-known port numbers of the following server programs:
ftp data: 20
ftp control: 21
http: 80
NTP: 123 (UDP)
ssh: 22
Also find the well-known port numbers for 6 other network protocols and describe the function that each protocol performs.
HTTPS: 443. HTTP carried over a TLS connection (formerly SSL). TLS is negotiated first and every HTTP request and response is then encrypted and integrity-protected inside it, so Wireshark sees only the TLS handshake (including the server name in the ClientHello) and encrypted application data, not URLs or page content. The earlier S-HTTP proposal, which secured individual HTTP messages rather than the whole connection, was published by the IETF as an experimental RFC but was never widely adopted; HTTPS on port 443 is what browsers actually use.
SNMP: 161 (agents) and 162 (traps sent to the manager). Short for Simple Network Management Protocol, a set of protocols for managing networks, first developed in the late 1980s. SNMP works by sending messages, called protocol data units (PDUs), to devices on the network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP managers that query them. SNMP runs over UDP; versions 1 and 2c authenticate with a cleartext community string, which is readable in any capture.
Telnet: 23. A terminal protocol for TCP/IP networks such as the Internet. The Telnet client connects your PC to a server on the network; the commands you enter are executed as if you were typing them at the server console, which lets you control the server and reach other servers from it. To start a Telnet session you must log in with a valid username and password. Telnet sends everything, including the password, in cleartext, which is why SSH (port 22) has replaced it for remote administration; it remains useful in a lab precisely because the whole exchange is visible in Wireshark.
BGP: 179 (TCP). Border Gateway Protocol, the exterior gateway routing protocol that lets autonomous systems (groups of routers under one administration) exchange routing information so that efficient, loop-free routes can be established. It is used between Internet Service Providers (eBGP) and, as iBGP, inside them.
SMTP: 25. Simple Mail Transfer Protocol, the protocol for sending e-mail messages between mail servers. Most e-mail systems that send mail over the Internet use SMTP to move messages from one server to another; the messages are then retrieved with an e-mail client using either POP or IMAP. SMTP is also used by a mail client to hand a message to its outgoing server (normally on the submission port 587 with authentication and STARTTLS), which is why you need to specify both the POP or IMAP server and the SMTP server when you configure an e-mail application.
TFTP: 69 (UDP). Trivial File Transfer Protocol, a minimal file transfer protocol with no authentication and no encryption. It is often used by servers to boot diskless workstations, X terminals and routers, and to load firmware and configuration files onto network equipment.
[ 2 marks ]

Part 2 : Capture filters

In this section of the assignment you are required to learn the syntax for creating Wireshark Capture Filters. Then document and use capture filters to capture specific network traffic.

Discussion of Berkeley Packet Filter (BPF) syntax


The following discussion gives a brief explanation of the BPF syntax to help you get started with constructing your own capture filters.
Wireshark capture filters use the Berkeley Packet Filter (BPF) syntax to specify particular traffic. This syntax is used by the libpcap (Unix/Linux) and WinPcap (Windows; now unmaintained and replaced by Npcap in current Wireshark releases) libraries that Wireshark uses to capture network traffic. Because the filter is compiled and applied by the capture library before packets ever reach Wireshark, it is different from, and less expressive than, the display filter syntax used in the main window: expressions such as tcp.flags.reset == 1 or ip.addr == 10.0.0.1 are display-filter syntax and are rejected in Capture > Options.
Note WinDump is the Windows version of a Linux/Unix program called tcpdump and hence tcpdump documentation (the pcap-filter manual page) applies to capture filter syntax as used on Windows machines.
Syntax
The BPF syntax consists of one or more Primitives that specify a particular type of
traffic to capture.
Some examples of simple primitives are shown below:
(i) host 192.168.12.22
(ii) host google.com
(iii) src host google.com
(iv) tcp port 80

Things to note about these primitives:


Primitives start with one or more qualifiers (e.g. host, src host, dst host etc.)
Primitives end with an ID (e.g. 192.168.12.22, google.com, 80 etc.)
Note: if you use named IDs like google.com then you need to enable name resolution in the capture filter dialog box when specifying capture filters; the name is translated to its address(es) once, when the capture starts.
In summary a capture filter consists of one or more primitives and those primitives consist of one or more qualifiers followed by an ID.

{ <------- primitive ------> } { operator } { <- primitive -> }
    dst host 192.168.12.13          &&           tcp port 80

The references dst, host, tcp and port are called qualifiers.
The references 192.168.12.13 and 80 are called IDs.

The boxed example above also shows the AND operator being used to join two primitives to make a capture filter expression. The AND operator is one of the three possible operators that are allowed in capture filters, the other two are OR and NOT.

Sources of documentation of the Berkeley Filter Syntax that you should refer to are:
Documentation that describes the BPF syntax can be found at
https://www.winpcap.org/docs/docs_40_2/html/group__language.html
There are also good cheat sheets for TCPDump (Wireshark Capture Filters) and
Wireshark Display filters at: http://packetlife.net/library/cheat-sheets/
The Wireshark Users Guide (Access from Help in Wireshark)

End of discussion of BPF syntax

Documenting BPF qualifier syntax


There are three types of BPF qualifiers:

Type
Dir
Proto

The Type qualifier has three main options: host, net and port (newer libpcap versions also accept portrange). The Dir qualifier has four options: src, dst, src or dst and src and dst (802.11 captures add ra, ta and addr1 to addr4, which you can ignore here). The Proto qualifier restricts the match to one protocol, for example ether, ip, ip6, arp, rarp, tcp, udp or icmp (please disregard the fddi, tr and decnet options as they are seldom used in today's networks).
You are required to describe what each qualifier means and list a total of 10 capture filter
examples that incorporate at least 1 qualifier and one ID, and explain how each capture
filter works.

ANSWER:
BPF qualifiers:
Type qualifier:
This qualifier says what kind of thing the ID refers to: a host address or name (host), a network (net) or a port number (port). If no type qualifier is given, host is assumed, so 192.168.1.1 on its own means host 192.168.1.1.
Dir qualifier:
It specifies the transfer direction relative to the ID: whether the ID must be the source (src), the destination (dst), either of them (src or dst, which is the default) or both (src and dst).
Proto qualifier:
It limits the match to a specific protocol (ether, ip, ip6, arp, tcp, udp, icmp and so on). Without it every protocol for which the type qualifier makes sense is matched, so port 80 matches both TCP and UDP port 80.
Capture filter examples:

src 192.168.1.1 && port 80

This expression captures only packets whose source IP address is 192.168.1.1 and whose source or destination port is 80 (src alone means src host, and port without a proto qualifier matches TCP or UDP).
Filtering may be based on the device's MAC address, IPv4 address, IPv6 address or DNS hostname. For example, to capture the traffic of a particular host that is communicating with a server on our network, we can create a filter with the host qualifier on the server side that captures all traffic associated with the host's IPv4 address:
host 123.3.20.27
On an IPv6 network the same host qualifier takes the host's IPv6 address:
host 2001:db8:85a3:8d3:1319:8a2e:370:7348
We can also capture using the device hostname (name resolution must be enabled, and the name is resolved once when the capture starts):
host testserver
If we are not sure about the IP address, because it may change for the host (DHCP), we can identify it by MAC address instead by prefixing the host qualifier with the ether protocol qualifier. libpcap requires the colon-separated form:

ether host 00:1a:52:a0:e2:a0

To capture traffic coming from a particular host with IP address 123.3.20.27:
src host 123.3.20.27
To capture traffic going to a particular host with IP address 123.3.20.27:
dst host 123.3.20.27 (or dst 123.3.20.27)
To capture based on the port numbers used in packets, for example only traffic on port 8080 in either direction:
port 8080
Port filters can also be combined with the src or dst direction qualifier. To capture the traffic leaving for a web server on the standard HTTP port 80:
dst port 80
A protocol filter that receives only ICMP packets representing destination unreachable messages (type 3), by testing the first byte of the ICMP header:
icmp[0] == 3

A common protocol filter is to capture TCP packets with a particular flag set, by testing the flags byte (offset 13) of the TCP header. TCP packets with the RST flag set:

tcp[13] & 4 == 4

icmp[0] == 8 || icmp[0] == 0 captures an echo request or an echo reply, that is, both halves of a ping.
Note that icmp[0] == 8 && icmp[0] == 0 does not capture "echo request and echo reply": a single packet has only one type byte, which cannot be 8 and 0 at the same time, so this filter matches nothing at all. Use || (or) when both message types are wanted.
To capture all traffic except port 8080:
!port 8080 (or not port 8080)

[ 3 marks ]

Documenting the 3 logical operators for combining primitives


The boxed example above shows the logical AND operator ( && ) being used to combine two primitives. There are two other such logical operators. Document all three logical operators and give one example of how each could be used in a capture filter.

Answer: Capture filters combine primitives with three logical operators, each of which can be written as a word or as a C-style symbol; they are what let several simple filters be built up into one precise filter.

and (&&): both primitives must match. Example: host 192.168.126.149 and tcp port 22 captures only the SSH traffic exchanged with that host.
or (||): either primitive may match. Example: udp port 67 or udp port 68 captures DHCP traffic in both directions.
not (!): inverts a primitive. Example: not port 8080 captures everything except traffic on port 8080, and not ether broadcast drops Ethernet broadcasts.

not has the highest precedence; and and or have equal precedence and are applied left to right, so host 10.0.0.1 and port 80 or port 443 means (host 10.0.0.1 and port 80) or port 443 and lets through port 443 traffic from every host. Use parentheses, host 10.0.0.1 and (port 80 or port 443), when the other grouping is intended.
[ 1 mark ]

Implementing BPF capture filters


In this section of the assignment you are required to create a range of capture filters,
implement those capture filters in Wireshark and take a screenshot of associated
captured traffic.
Your screen captures must include the Time, Source, Destination and Protocol fields of the Wireshark display along with at least two packets (the graphic below shows three, packets 7, 8 & 9).

Because the Time field is displayed to such a fine resolution your screenshot capture will be unique from all other students doing this assignment. This will therefore act as an automatic plagiarism detector.

After creating an appropriate capture filter you may need to generate appropriate traffic
for Wireshark to capture. For instance, if you create a Capture Filter to capture ftp traffic
you will need to run an ftp client to effect the traffic capture. Likewise, when capturing
web traffic you could use a browser to generate appropriate traffic. To capture ICMP
traffic you might use the ping command because it uses the ICMP protocol to query other
hosts.

Example capture filter:


Filter requirements
Capture all traffic between your computer (that is running Wireshark) and the Google search engine in response to the query caviar being entered.
Procedure:
Open a browser to www.google.com
From the Wireshark interface select:
Capture > Options >
Select the desired interface (or select all interfaces)
Enter host google.com in the capture filter entry area
Select the display option Resolve network layer names
Start the capture
Then enter the word caviar into the Google query field of the browser
Wireshark will capture the required traffic.

Two things to expect: the name google.com is resolved to IP addresses once, when the capture starts, so if the browser connects to www.google.com at a different address the packets will not match the filter (if the capture stays empty, use the address from the DNS response or the browser's connection details instead); and because Google is served over HTTPS, the captured packets are TLS records, so the word caviar itself will not be visible in the packet bytes.

Note

Make sure you have selected the correct network interface, or select
all interfaces if you are unsure.

Capturing traffic from/to another machine (2 marks)


In network analysis you will frequently need to capture all traffic or specific traffic
between your machine that is running Wireshark and another specified machine.
For this exercise you should generate traffic between the machines with the ping
command.
Create capture filters that will:
1. Capture all traffic between your machine (the one running Wireshark) and
another machine. Use the IP address of the other machine to identify it in the
filter.
2. Capture all traffic between your machine (the one running Wireshark) and
another machine. Use the MAC address of the other machine to identify it.
3. Capture all traffic from the other machine. Use either the IP or MAC address of
the remote machine to identify it.
4. Capture only ICMP traffic between the two machines
Your discussion for this section should:
include two screenshots
list all capture filters you used
describe how each capture filter works.
Answer: In this experiment the communication between the two machines was generated with the ping command. Ping uses ICMP (Internet Control Message Protocol): the source (192.168.126.70) sends an ICMP echo-request message to the destination host (192.168.126.149). The ping program sets an identifier and a sequence number, and the sequence number is incremented with each echo-request message. It also sets the IP TTL (time-to-live hop limit) and inserts the sending time in the data section of the message. If the host is alive and responding, it sends an ICMP echo-reply message back to the source. Ping notes the arrival time of the reply, reads the sending time from the data part and calculates the round-trip time.

The capture filters that meet the four requirements are:
1. host 192.168.126.70 and host 192.168.126.149 (all traffic between the two machines, identified by IP address; on a switched network host 192.168.126.149 alone gives the same result, since the capturing machine only sees that host's traffic with itself plus broadcasts)
2. ether host followed by the colon-separated MAC address of 192.168.126.149 (all traffic to or from it at the Ethernet layer, which also catches the ARP exchange that precedes the first ping)
3. src host 192.168.126.149 (or ether src followed by its MAC address): only frames sent by the other machine, so the echo replies but not our requests
4. host 192.168.126.149 and icmp: only the ICMP echo requests and replies between the two machines, excluding ARP, DNS and anything else

Excluding particular network traffic (2 marks)

Create a set of capture filters that will:


Capture broadcast traffic only
ANSWER: A packet addressed to every station on a network segment is broadcast traffic. Broadcast addresses are used by ARP, DHCP and other protocols that do some sort of discovery. Ethernet reserves the all-ones address ff:ff:ff:ff:ff:ff for broadcast, and IPv4 uses the all-ones address 255.255.255.255 (or the directed broadcast address of a subnet, for example 192.168.126.255). The capture filter is:
ether broadcast
which is equivalent to ether dst ff:ff:ff:ff:ff:ff. Note that ether broadcast is capture (BPF) syntax; the display-filter equivalent eth.dst == ff:ff:ff:ff:ff:ff is accepted only in the display filter bar, not in Capture > Options.

Exclude broadcast traffic

ANSWER: The same primitive negated:
not ether broadcast
(or not ether dst ff:ff:ff:ff:ff:ff). Multicast is handled the same way: ether multicast matches frames whose first destination byte has its least significant bit (the group bit) set, which includes broadcast; ether[0] & 1 != 0 is the explicit byte-offset form, and not ether multicast excludes multicast and broadcast together. In display-filter syntax the same tests are eth.dst == ff:ff:ff:ff:ff:ff (Ethernet broadcast only) and (eth.dst[0] & 1) (Ethernet multicast only, least significant bit of first address byte set).

Capture all traffic from a range of network addresses but exclude broadcast traffic

ANSWER: Combine a net primitive with the negated broadcast primitive:
src net 192.168.126.0/24 and not ether broadcast
(use net instead of src net to keep traffic in both directions). The display-filter equivalents are eth.dst != ff:ff:ff:ff:ff:ff (all except Ethernet broadcast) and !(eth.dst[0] & 1) (all except Ethernet multicast, least significant bit of first address byte not set). In this case, I have selected the network range 192.168.126.0/24 for filtering and excluded the broadcast traffic with the syntax eth.dst != ff:ff:ff:ff:ff:ff.

Briefly discuss how each capture filter works.

Using port numbers in capture filters (1 mark)


Create capture filters that will capture the following types of network traffic:
1. DNS traffic
ANSWER: Domain Name System is the name resolution protocol used for converting names into IP addresses. DNS normally runs over UDP port 53 (TCP port 53 is used for zone transfers and for responses too large for UDP), so the capture filter for all DNS traffic in either direction is:
udp port 53
(or port 53 to include TCP as well). Google's public DNS resolvers are 8.8.8.8 and 8.8.4.4. Since Google's resolver is fast I use the example below, capturing packets between the host machine (192.168.126.70) and Google DNS (8.8.8.8):
host 8.8.8.8 and udp port 53


2. DNS traffic being sent from your machine


ANSWER: Add a direction qualifier so that only DNS queries leaving the host machine (192.168.126.70) are kept:
src host 192.168.126.70 and udp dst port 53
Using src on the host and dst on the port makes the filter match the requests only; the responses come back with source port 53 and are excluded.


3. DHCP traffic in either direction


ANSWER: Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other configuration such as the default gateway and DNS servers. DHCP is an extension of the older BOOTP protocol and uses the BOOTP ports: the server listens on UDP port 67 and the client on UDP port 68, so the capture filter for DHCP traffic in either direction is:
udp port 67 or udp port 68
Because a client that is still acquiring an address sends its Discover and Request messages from 0.0.0.0 to the broadcast address 255.255.255.255, a filter on the host's own IP address would miss them; the port-based filter catches both the broadcast client messages and the server's replies.

Challenge exercise (zero marks)


The BPF syntax can detect specific content at specific offsets from the start of network packets. An example of such syntax would be:

tcp[13] & 4 == 4

This particular capture filter can detect TCP packets that have the RST flag set.
Describe this syntax so that a layman could understand how such filters work.
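The following is an added example and is not part of the assignment, of Wireshark or of libpcap: a pure-Python model of how the byte-offset and port primitives used on this page are evaluated. It covers the qualifier examples of Part 2 (tcp[13] & 4 == 4, icmp[0] == 3, the echo request/reply filters), the broadcast and multicast filters (ether broadcast, ether[0] & 1), the DNS and DHCP port filters and this challenge exercise. The frames, the MAC addresses and the naive_tcp_rst check are constructed for the example; 192.168.126.70 and 192.168.126.149 are the addresses used in the answers above. It shows three things the text only states: that icmp[0] == 8 and icmp[0] == 0 can never match, that ether multicast also accepts broadcast frames, and that tcp[13] is located from the IP header length rather than at a fixed frame offset, which is why a hand-written fixed-offset check fails on a packet carrying IP options.

```python
"""Pure-Python model of libpcap's byte-offset and port primitives (added example,
not from the assignment or Wireshark; all frames are constructed sample input)."""
import struct
from ipaddress import IPv4Address, ip_network

ETH_LEN = 14                                  # Ethernet II: dst(6) src(6) type(2)
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):                                # accepts 00:1a:.. or 00-1a-.. (libpcap itself wants colons)
    return bytes.fromhex(text.replace(":", "").replace("-", ""))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, proto, transport, ip_options=b""):
    """Ethernet II + IPv4 header (+ options) + transport bytes; checksums left zero."""
    ihl = 5 + len(ip_options) // 4            # IP header length in 32-bit words
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(transport),
                         0, 0, 64, proto, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + ip_options + transport

def tcp_segment(sport, dport, flags):         # byte 12 = data offset << 4, byte 13 = flags
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def icmp_message(icmp_type, code=0):          # type, code, checksum, rest of header
    return struct.pack("!BBHHH", icmp_type, code, 0, 0, 0)

# --- primitives, each named after the capture-filter text it implements ---------------
def is_ipv4(f):
    return struct.unpack("!H", f[12:14])[0] == ETHERTYPE_IPV4

def l4_offset(f):                             # libpcap's IHL arithmetic: where tcp[0]/udp[0]/icmp[0] start
    return ETH_LEN + (f[ETH_LEN] & 0x0F) * 4

def ether_broadcast(f):                       # 'ether broadcast' == 'ether dst ff:ff:ff:ff:ff:ff'
    return f[0:6] == BROADCAST

def ether_multicast(f):                       # 'ether multicast' == 'ether[0] & 1 != 0' (broadcast qualifies too)
    return (f[0] & 1) != 0

def src_host(f, ip):                          # 'src host ip': IPv4 source address is at frame offset 26
    return is_ipv4(f) and f[26:30] == IPv4Address(ip).packed

def in_net(f, cidr):                          # 'net cidr': source OR destination inside the prefix
    net = ip_network(cidr)
    return is_ipv4(f) and (IPv4Address(f[26:30]) in net or IPv4Address(f[30:34]) in net)

def icmp_type(f):                             # 'icmp[0]'; None when the frame is not ICMP (ip[9] == 1)
    return f[l4_offset(f)] if is_ipv4(f) and f[ETH_LEN + 9] == PROTO_ICMP else None

def tcp_flags(f):                             # 'tcp[13]'; None when the frame is not TCP (ip[9] == 6)
    return f[l4_offset(f) + 13] if is_ipv4(f) and f[ETH_LEN + 9] == PROTO_TCP else None

def tcp_rst(f):                               # 'tcp[13] & 4 == 4'
    return tcp_flags(f) is not None and (tcp_flags(f) & 4) == 4

def naive_tcp_rst(f):                         # hypothetical hand-rolled 'frame byte 47 & 4': assumes a
    return len(f) > 47 and (f[47] & 4) == 4   # 20-byte IP header, so IP options make it test the wrong byte

def udp_port(f, port):                        # 'udp port N': source OR destination port
    if not (is_ipv4(f) and f[ETH_LEN + 9] == PROTO_UDP):
        return False
    o = l4_offset(f)
    return port in struct.unpack("!HH", f[o:o + 4])

FILTERS = {
    "ether broadcast": ether_broadcast,
    "ether multicast": ether_multicast,
    "icmp[0] == 3": lambda f: icmp_type(f) == 3,
    "icmp[0] == 8 or icmp[0] == 0": lambda f: icmp_type(f) in (8, 0),
    "icmp[0] == 8 and icmp[0] == 0": lambda f: icmp_type(f) == 8 and icmp_type(f) == 0,  # never true
    "tcp[13] & 4 == 4": tcp_rst,
    "udp port 53": lambda f: udp_port(f, 53),
    "src host 192.168.126.70 and udp port 53": lambda f: src_host(f, "192.168.126.70") and udp_port(f, 53),
    "udp port 67 or udp port 68": lambda f: udp_port(f, 67) or udp_port(f, 68),
    "net 192.168.126.0/24 and not ether broadcast": lambda f: in_net(f, "192.168.126.0/24") and not ether_broadcast(f),
}

HOST, PEER = "192.168.126.70", "192.168.126.149"               # addresses from the assignment answers
HOST_MAC, PEER_MAC = "08:00:27:11:22:33", "00:1a:52:a0:e2:a0"  # made up for the example
SAMPLES = {                                                    # constructed frames, not captured traffic
    "ping request": build_frame(PEER_MAC, HOST_MAC, HOST, PEER, PROTO_ICMP, icmp_message(8)),
    "ping reply": build_frame(HOST_MAC, PEER_MAC, PEER, HOST, PROTO_ICMP, icmp_message(0)),
    "port unreachable": build_frame(HOST_MAC, PEER_MAC, PEER, HOST, PROTO_ICMP, icmp_message(3, 3)),
    "tcp rst with ip options": build_frame(HOST_MAC, PEER_MAC, PEER, HOST, PROTO_TCP,
                                           tcp_segment(8080, 51000, 0x14), ip_options=b"\x01" * 4),
    "dns query": build_frame(PEER_MAC, HOST_MAC, HOST, "8.8.8.8", PROTO_UDP, udp_datagram(51234, 53)),
    "dhcp discover": build_frame("ff:ff:ff:ff:ff:ff", HOST_MAC, "0.0.0.0", "255.255.255.255",
                                 PROTO_UDP, udp_datagram(68, 67)),
    "mdns": build_frame("01:00:5e:00:00:fb", HOST_MAC, HOST, "224.0.0.251", PROTO_UDP, udp_datagram(5353, 5353)),
}

def matching(filter_text):                    # names of the sample frames the filter would let through
    return [name for name, frame in SAMPLES.items() if FILTERS[filter_text](frame)]
```

Call matching() with any key of FILTERS to see which constructed frames pass; the lambdas combine primitives the way and, or and not do in a real filter. To see what libpcap actually compiles, run tcpdump -d 'tcp[13] & 4 == 4': the instruction listing loads the IP header length into the index register (ldxb 4*([14]&0xf)) before reading the flags byte, which is exactly the l4_offset() step above and the reason the fixed-offset naive_tcp_rst() misses the RST in the sample frame that carries IP options.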

Marking Criteria
This assignment is worth 15% of ITECH1003 assessment.
The assignment must be submitted before the due date/time to ensure assessment
penalties as stipulated in the course description are not applied.
The marks for each section are shown against each requirement above.
Students are required to demonstrate their understanding of each part of the assignment
clearly and concisely and if specified include associated Wireshark screenshots and clear
discussion to demonstrate you have fully understood the topic.
Students should realise that any screenshot taken by them will be unique by virtue of Wireshark's precise time display, hence if identical screenshots appear in two separate assignments it will be immediately identified as plagiarism. Therefore all students need to interact with Wireshark to capture their own traffic and ensure that no other student has access to their screenshot files.
All screen captures that you use in the assignment report must include the Time,
Source, Destination and Protocol fields of the Wireshark display along with at least
two network packets as outlined on page 3 of this assignment specification.
Please acknowledge by way of referencing, if you have used information from books,
papers, websites and other published and unpublished materials.
Students should submit their completed report as a single Word or PDF document to Moodle by the due date as specified in your ITECH1003 course description.
