
Assignment - 1 

 
-------------------------------------------------------------------------------------------------------------------- 

Name : Preeti 

Div : TY-C 

Roll No : 69 

Batch : B2 

GR Number : 11811321 

Subject : Computer Networks Technology Lab Assignment 


----------------------------------------------------------------------------------------------------------- 

Topic - Protocol stacks of Internet 


-------------------------------------------------------------------------------------------------------------------- 

Cross validate the header message formats of Ethernet, IP, ICMP, TCP and UDP using packets captured through Wireshark.
-------------------------------------------------------------------------------------------------------------------- 

What is Wireshark ?  

Wireshark is an open-source packet analyzer, which is used for education, analysis, software development, communication protocol development, and network troubleshooting.  

It is used to track the packets so that each one is filtered to meet our specific needs. It is commonly called a sniffer, network protocol analyzer, or network analyzer. It is also used by network security engineers to examine security problems. Wireshark is a free-to-use application which is used to capture the data passing back and forth. It is often called a free packet sniffer computer application. It puts the network card into promiscuous (unselective) mode, i.e., it accepts all the packets which it receives, not only those addressed to it. 
What is a packet? 

A packet is a unit of data which is transmitted over a network between the origin and the destination. Network packets are small, i.e., maximum 1.5 Kilobytes for Ethernet packets and 64 Kilobytes for IP packets. The data packets in Wireshark can be viewed online and can be analyzed offline. 

Wireshark Front Page 

 
1. Ethernet  

Ethernet is the traditional technology for connecting devices in a wired local area network (LAN) or wide area network (WAN), enabling them to communicate with each other via a protocol -- a set of rules or common network language. Ethernet describes how network devices can format and transmit data so other devices on the same local or campus area network segment can recognize, receive and process the information. An Ethernet cable is the physical, encased wiring over which the data travels.  

Connected devices accessing a geographically localized network with a cable -- that is, with a wired rather than wireless connection -- likely use Ethernet. From businesses to gamers, diverse end users depend on the benefits of Ethernet connectivity, which include reliability and security. 


 

Using Wireshark to Examine Ethernet Frames 

Review the Ethernet II header field descriptions and lengths. 

Field  : Preamble | Destination Address | Source Address | Frame Type | Data            | FCS 
Length : 8 Bytes  | 6 Bytes             | 6 Bytes        | 2 Bytes    | 46 – 1500 Bytes | 4 Bytes 

Examine the network configuration of the PC 

My PC host IP address is 192.168.43.116 and the default gateway has an IP address of 192.168.43.1. 
 

Examine Ethernet frames in a Wireshark capture. 

The Wireshark capture below shows the packets generated by a ping being issued from a PC host to its default gateway. A filter has been applied to Wireshark to view the ARP and ICMP protocols only. The session begins with an ARP query for the MAC address of the gateway router, followed by four ping requests and replies. 

Using Wireshark to Capture and Analyze Ethernet Frames 

1. Determine the IP address of the default gateway on our PC. 

2. Start capturing traffic on our PC NIC. 

3. Observe the traffic that appears in the packet list window. 

4. Filter Wireshark to display only ICMP traffic.  

We can use the filter in Wireshark to hide unwanted traffic from view. The filter does not block the capture of unwanted data; it only filters what is displayed on the screen. For now, only ICMP traffic is to be displayed. 

5. From the command prompt window, ping the default gateway of your PC. 

6. Stop capturing traffic. 

7. Examine the first Echo (ping) request in Wireshark. The Wireshark main window is divided into three sections: the Packet List pane (top), the Packet Details pane (middle), and the Packet Bytes pane (bottom).  

8. We can click any line in the middle section to highlight that part of the frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the Internet Control Message Protocol line in the middle section and examine what is highlighted in the Packet Bytes pane. 
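
To cross-validate the field lengths in the Ethernet II table against the bytes highlighted in the Packet Bytes pane, the following added Python example (not part of the original assignment) decodes a constructed ping frame from the PC to its gateway: the 14 Ethernet bytes that are actually captured (the 8-byte preamble and 4-byte FCS are handled by the NIC and never reach Wireshark), the 20-byte IPv4 header with its checksum verified, and the 8-byte ICMP echo header. The MAC addresses, IP identification and payload are made up.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_eth_ip_icmp(frame: bytes) -> dict:
    # Ethernet II as captured is 14 bytes: destination MAC, source MAC, EtherType.
    # The preamble and FCS from the header table are not delivered to Wireshark.
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _cksum, s_ip, d_ip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes (20 without options)
    icmp = ip[ihl:total_len]                    # total_len bounds the IP payload, not the frame
    itype, code, _icksum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    # Re-summing a header together with its checksum field gives 0 when it is intact.
    return {
        "eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype,
        "ip_version": ver_ihl >> 4, "ip_hdr_len": ihl, "ip_total_len": total_len,
        "ttl": ttl, "proto": proto, "src": str(IPv4Address(s_ip)), "dst": str(IPv4Address(d_ip)),
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": itype, "icmp_code": code, "icmp_id": icmp_id, "icmp_seq": seq,
        "icmp_checksum_ok": inet_checksum(icmp) == 0, "payload_len": len(icmp) - 8,
    }

def build_echo_request() -> bytes:
    # Constructed sample: ping from the PC (192.168.43.116) to its gateway (192.168.43.1)
    # as in this report; MAC addresses, IP identification and the 32-byte payload are made up.
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(range(32))
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 128, 1, 0,
                     IPv4Address("192.168.43.116").packed, IPv4Address("192.168.43.1").packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("0011223344aa") + bytes.fromhex("0011223344bb") + struct.pack("!H", 0x0800)
    return eth + ip + icmp

if __name__ == "__main__":
    for field, value in parse_eth_ip_icmp(build_echo_request()).items():
        print("%-17s %s" % (field, value))
```

The 74-byte frame length (14 + 20 + 8 + 32) is what Wireshark reports for a default Windows ping, which is a quick sanity check on the decoded lengths.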

2. TCP / IP  

The Internet Protocol (IP) is the address system of the Internet and has the core function of delivering packets of information from a source device to a target device. IP is the primary way in which network connections are made, and it establishes the basis of the Internet. IP does not handle packet ordering or error checking. Such functionality requires another protocol, typically TCP. 

The TCP/IP relationship is similar to sending someone a message written on a puzzle through the mail. The message is written down and the puzzle is broken into pieces. Each piece then can travel through a different postal route, some of which take longer than others. When the puzzle pieces arrive after traversing their different paths, the pieces may be out of order. The Internet Protocol makes sure the pieces arrive at their destination address. The TCP protocol can be thought of as the puzzle assembler on the other side who puts the pieces together in the right order, asks for missing pieces to be resent, and lets the sender know the puzzle has been received. TCP maintains the connection with the sender from before the first puzzle piece is sent to after the final piece is sent. 

IP is a connectionless protocol, which means that each unit of data is individually addressed and routed from the source device to the target device, and the target does not send an acknowledgement back to the source. That’s where protocols such as the Transmission Control Protocol (TCP) come in. TCP is used in conjunction with IP in order to maintain a connection between the sender and the target and to ensure packet order. 

Identify TCP Header Fields and Operation Using Wireshark 

1. Start a Wireshark capture. 

2. Analyze the TCP fields. 

After the TCP filter has been applied, the first three packets (top section) display the sequence of [SYN], [SYN, ACK], and [ACK], which is the TCP three-way handshake. 

TCP is routinely used during a session to control datagram delivery, verify datagram arrival, and manage window size. For each data exchange between the FTP client and FTP server, a new TCP session is started. At the conclusion of the data transfer, the TCP session is closed. When the FTP session is finished, TCP performs an orderly shutdown and termination. 

In Wireshark, detailed TCP information is available in the Packet Details pane (middle section). Highlight the first TCP datagram from the host computer, and expand portions of the TCP datagram, as shown below. 

The expanded TCP datagram appears similar to the packet detail pane. 
 

The image above is a TCP datagram diagram. An explanation of each field is provided for reference: 

The TCP source port number belongs to the TCP session host that opened a connection. The value is normally a random value above 1,023. 

The TCP destination port number is used to identify the upper layer protocol or application on the remote site. The values in the range 0–1,023 represent the “well-known ports” and are associated with popular services and applications (as described in RFC 1700), such as Telnet, FTP, and HTTP. The combination of the source IP address, source port, destination IP address, and destination port uniquely identifies the session to the sender and receiver. 

Note: In the Wireshark capture above, the destination port is 21, which is FTP. FTP servers listen on port 21 for FTP client connections. 

The Sequence number specifies the number of the last octet in a segment. 

The Acknowledgment number specifies the next octet expected by the receiver. 

The Code bits have a special meaning in session management and in the treatment of segments. 

● ACK — Acknowledgment of a segment receipt. 

● SYN — Synchronize, only set when a new TCP session is negotiated during the TCP three-way handshake. 

● FIN — Finish the request to close the TCP session. 

The Urgent pointer is only used with an Urgent (URG) flag when the sender needs to send urgent data to the receiver. 

The Options field has only one option currently, and it is defined as the maximum TCP segment size (optional value). 

Using the Wireshark capture of the first TCP session startup (SYN bit set to 1), fill in information about the TCP header. Some fields may not apply to this packet. 

From the VM to the CDC server (only the SYN bit is set to 1): 

In the second Wireshark filtered capture, the CDC FTP server acknowledges the request from the VM. Note the values of the SYN and ACK bits. 

Information regarding the SYN-ACK message. 

In the final stage of the negotiation to establish communications, the VM sends an acknowledgment message to the server. Notice that only the ACK bit is set to 1, and the Sequence number has been incremented to 1. 
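
The handshake inspection above can be automated. This added Python example (not from the original assignment) decodes the TCP header fields described in this section and verifies that three constructed segments form a valid SYN / SYN-ACK / ACK exchange, including the ack = ISN + 1 arithmetic that Wireshark displays as relative sequence numbers 0 and 1. The client port, the initial sequence numbers and the MSS value are constructed; the FTP server port 21 is the one named in the report.

```python
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_tcp(segment: bytes) -> dict:
    # Fixed 20-byte header; the 4-bit data offset (in 32-bit words) says where options end.
    sport, dport, seq, ack, off_flags, window, _cksum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hdr_len": hdr_len,
            "flags": [name for bit, name in TCP_FLAGS.items() if flags & bit],
            "window": window, "urgent_ptr": urg,
            "options": segment[20:hdr_len], "payload": segment[hdr_len:]}

def check_handshake(segments):
    # Returns (ok, problems) for the first three segments of a session shown under a tcp filter.
    a, b, c = (parse_tcp(s) for s in segments)
    problems = []
    if a["flags"] != ["SYN"]:
        problems.append("1st segment must carry only SYN")
    if sorted(b["flags"]) != ["ACK", "SYN"]:
        problems.append("2nd segment must carry SYN and ACK")
    if c["flags"] != ["ACK"]:
        problems.append("3rd segment must carry only ACK")
    if b["ack"] != (a["seq"] + 1) & 0xFFFFFFFF:
        problems.append("server ack must be client ISN + 1")
    if c["seq"] != (a["seq"] + 1) & 0xFFFFFFFF or c["ack"] != (b["seq"] + 1) & 0xFFFFFFFF:
        problems.append("client ACK must carry seq ISN + 1 and ack server ISN + 1")
    if not (a["sport"] == b["dport"] == c["sport"] and a["dport"] == b["sport"] == c["dport"]):
        problems.append("segments do not belong to one source/destination port pair")
    return not problems, problems

def make_tcp(sport, dport, seq, ack, flags, options=b""):
    # Constructed segment; checksum left 0 because computing it needs the IP pseudo-header.
    off_flags = ((20 + len(options)) // 4) << 12 | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + options

MSS_1460 = struct.pack("!BBH", 2, 4, 1460)   # kind 2, length 4: the MSS option the report describes
# Constructed three-way handshake to an FTP server (port 21); ISNs 1000 and 5000 are made up.
HANDSHAKE = [
    make_tcp(49152, 21, 1000, 0, 0x02, MSS_1460),      # client SYN, relative seq 0
    make_tcp(21, 49152, 5000, 1001, 0x12, MSS_1460),   # server SYN+ACK, ack = 1000 + 1
    make_tcp(49152, 21, 1001, 5001, 0x10),             # client ACK, relative seq 1, ack = 5000 + 1
]

if __name__ == "__main__":
    ok, problems = check_handshake(HANDSHAKE)
    print("handshake valid" if ok else problems)
```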

3. UDP : 

The User Datagram Protocol, or UDP, is a communication protocol used across the Internet for especially time-sensitive transmissions such as video playback or DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred. This allows data to be transferred very quickly, but it can also cause packets to become lost in transit and create opportunities for exploitation in the form of DDoS attacks.  

UDP is commonly used in time-sensitive communications where occasionally dropping packets is better than waiting. Voice and video traffic are sent using this protocol because they are both time-sensitive and designed to handle some level of loss. For example, VoIP (voice over IP), which is used by many internet-based telephone services, operates over UDP. This is because a staticky phone conversation is preferable to one that is crystal clear but heavily delayed. 

1. Start Wireshark. 

2. Run the Iperf UDP server on the 192.168.1.5 system. 

3. Run the Iperf UDP client on the 192.168.1.6 system. 

4. Stop Wireshark. 

5. Analysis of captured packets. 
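
When analysing the captured iperf datagrams, the one header field that cannot be checked from the UDP bytes alone is the checksum: it also covers a pseudo-header built from the IP addresses, and a value of 0 means the sender omitted it. This added Python example (not from the original assignment) computes and verifies the checksum for a constructed datagram between the two hosts named above; port 5001 is assumed as the iperf UDP server port and the payload is made up.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_checksum(src_ip: str, dst_ip: str, udp: bytes) -> int:
    # The sum covers a pseudo-header (src, dst, zero, protocol 17, UDP length) plus the
    # datagram with its own checksum field zeroed. A computed 0 is transmitted as 0xFFFF,
    # because 0 on the wire means "no checksum" (RFC 768).
    pseudo = IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed + struct.pack("!BBH", 0, 17, len(udp))
    return inet_checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF

def parse_udp(src_ip: str, dst_ip: str, udp: bytes) -> dict:
    sport, dport, length, cksum = struct.unpack("!HHHH", udp[:8])
    if cksum == 0:
        status = "absent"          # permitted over IPv4: the sender chose not to checksum
    elif udp_checksum(src_ip, dst_ip, udp) == cksum:
        status = "ok"
    else:
        status = "bad"             # corrupted, or the IP addresses changed in transit
    return {"sport": sport, "dport": dport, "length": length, "length_ok": length == len(udp),
            "checksum": status, "payload_len": len(udp) - 8}

def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return udp[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, udp)) + udp[8:]

# Constructed sample: iperf-style client 192.168.1.6 -> server 192.168.1.5, the two hosts
# used in this report. Port 5001 is assumed as the iperf UDP server port; the payload is made up.
CLIENT, SERVER = "192.168.1.6", "192.168.1.5"
SAMPLE = build_udp(CLIENT, SERVER, 40000, 5001, b"iperf payload " * 4)

if __name__ == "__main__":
    print(parse_udp(CLIENT, SERVER, SAMPLE))
```

Because the pseudo-header binds the datagram to its IP addresses, the same bytes verify as "ok" only against the addresses they were sent with.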

4. ICMP  

The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner. Commonly, the ICMP protocol is used on network devices, such as routers. ICMP is crucial for error reporting and testing, but it can also be used in distributed denial-of-service (DDoS) attacks. 

1. We can use a ping tool to generate ICMP requests and replies. 

2. Open the command line or terminal in Windows or Linux respectively. 

3. Run Wireshark. 

4. Run ping www.google.com. 

5. Make sure you have an internet connection or the ping will fail. Here is the snapshot of a successful ping to Google. We can see 0% loss. That means ICMP request packets = ICMP reply packets. 

6. Stop Wireshark and put “ICMP” as a filter in Wireshark. 

7. Analysis on ICMP (let’s check what happens in Wireshark when we ping Google). 
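
The "0% loss" check in step 5 can be reproduced from the captured ICMP messages rather than read off the ping output. This added Python example (not from the original assignment) pairs echo requests with replies by identifier and sequence number, the way ping itself does, and reports loss and round-trip time for a constructed capture in which one reply is missing; the timestamps and identifiers are made up.

```python
import struct

def parse_icmp_echo(icmp: bytes):
    # Common 4-byte ICMP header (type, code, checksum) followed, for echo messages,
    # by the identifier and sequence number that tie a reply to its request.
    itype, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return itype, code, ident, seq

def echo_report(capture) -> dict:
    # capture: list of (timestamp in seconds, ICMP message bytes) from the 'icmp' filtered view.
    # Requests (type 8) are matched to replies (type 0) by (identifier, sequence), as ping does.
    pending, rtt_ms, unmatched, other = {}, {}, [], []
    for ts, pkt in capture:
        itype, code, ident, seq = parse_icmp_echo(pkt)
        key = (ident, seq)
        if itype == 8:
            pending[key] = ts
        elif itype == 0 and key in pending:
            rtt_ms[key] = round((ts - pending.pop(key)) * 1000, 3)
        elif itype == 0:
            unmatched.append(key)              # a reply for a request that was never captured
        else:
            other.append((itype, code))        # e.g. type 3 destination unreachable, type 11 time exceeded
    sent = len(rtt_ms) + len(pending)
    return {"sent": sent, "received": len(rtt_ms), "lost": sorted(pending),
            "loss_pct": round(100.0 * len(pending) / sent, 1) if sent else 0.0,
            "rtt_ms": rtt_ms, "unmatched_replies": unmatched, "other_icmp": other}

def make_echo(itype: int, ident: int, seq: int) -> bytes:
    # Constructed echo message with a 32-byte payload; checksum left 0 (not validated here).
    return struct.pack("!BBHHH", itype, 0, 0, ident, seq) + bytes(32)

# Constructed capture of a four-packet ping: the reply to sequence 3 never arrived.
CAPTURE = [
    (0.000, make_echo(8, 1, 1)), (0.021, make_echo(0, 1, 1)),
    (1.002, make_echo(8, 1, 2)), (1.024, make_echo(0, 1, 2)),
    (2.003, make_echo(8, 1, 3)),
    (3.004, make_echo(8, 1, 4)), (3.030, make_echo(0, 1, 4)),
]

if __name__ == "__main__":
    print(echo_report(CAPTURE))
```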
 

--------------------------------------------------------------------------------------------------------------------