Name : Preeti
Div : TY-C
Roll No : 69
Batch : B2
GR Number : 11811321
Wireshark is an open-source packet analyzer, which is used for education, analysis,
software development, communication protocol development, and network
troubleshooting.
A packet is a unit of data transmitted over a network between an origin and a
destination. Network packets are small, i.e., a maximum of 1.5 kilobytes for Ethernet
packets and 64 kilobytes for IP packets. Packets captured in Wireshark can be viewed
live and analyzed offline.
1. Ethernet
describes how network devices can format and transmit data so other devices
on the same local or campus area network segment can recognize, receive and
process the information. An Ethernet cable is the physical, encased wiring over
that is, with a wired rather than wireless connection -- likely use Ethernet. From
businesses to gamers, diverse end users depend on the benefits of Ethernet
Ethernet frame layout (from the figure): Preamble | Destination Address | Source Address | Frame Type | Data | FCS
of 192.168.43.1.
The Wireshark capture below shows the packets generated by a ping being
issued from a PC host to its default gateway. A filter has been applied to
Wireshark to view the ARP and ICMP protocols only. The session begins with an
ARP query for the MAC address of the gateway router, followed by four ping
The filter does not block the capture of unwanted data; it only filters what
5. From the command prompt window, ping the default gateway of your PC.
7. Examine the first Echo (ping) request in Wireshark. The Wireshark main
window is divided into three sections: the packet list pane (top), the
Packet Details pane (middle), and the Packet Bytes pane (bottom).
8. We can click any line in the middle section to highlight that part of the
frame (hex and ASCII) in the Packet Bytes pane (bottom section). Click the
Internet Control Message Protocol line in the middle section and examine
what is highlighted in the Packet Bytes pane.
2. TCP / IP
The Internet Protocol (IP) is the address system of the Internet and has the core
function of delivering packets of information from a source device to a target device. IP
is the primary way in which network connections are made, and it establishes the basis
of the Internet. IP does not handle packet ordering or error checking. Such functionality
requires another protocol, typically TCP.
through the mail. The message is written down and the puzzle is broken into pieces.
Each piece then can travel through a different postal route, some of which take longer
than others. When the puzzle pieces arrive after traversing their different paths, the
pieces may be out of order. The Internet Protocol makes sure the pieces arrive at their
destination address. The TCP protocol can be thought of as the puzzle assembler on the
other side who puts the pieces together in the right order, asks for missing pieces to be
resent, and lets the sender know the puzzle has been received. TCP maintains the
connection with the sender from before the first puzzle piece is sent to after the final
piece is sent.
addressed and routed from the source device to the target device, and the target does
not send an acknowledgement back to the source. That’s where protocols such as the
Transmission Control Protocol (TCP) come in. TCP is used in conjunction with IP in order
to maintain a connection between the sender and the target and to ensure packet
order.
After the TCP filter has been applied, the first three packets (top section) display
the sequence of [SYN], [SYN, ACK], and [ACK] which is the TCP three-way
handshake.
TCP is routinely used during a session to control datagram delivery, verify datagram
arrival, and manage window size. For each data exchange between the FTP client and
FTP server, a new TCP session is started. At the conclusion of the data transfer, the TCP
session is closed. When the FTP session is finished, TCP performs an orderly shutdown
and termination.
In Wireshark, detailed TCP information is available in the packet details pane (middle
section). Highlight the first TCP datagram from the host computer, and expand portions
The expanded TCP datagram appears similar to the packet detail pane
The image above is a TCP datagram diagram. An explanation of each field is provided
for reference : The TCP source port number belongs to the TCP session host that
The TCP destination port number is used to identify the upper layer protocol or
application on the remote site. The values in the range 0–1,023 represent the
“well-known ports” and are associated with popular services and applications (as
described in RFC 1700), such as Telnet, FTP, and HTTP. The combination of the source IP
address, source port, destination IP address, and destination port uniquely identifies
Note: In the Wireshark capture above, the destination port is 21, which is FTP. FTP
The Sequence number specifies the number of the last octet in a segment.
The Acknowledgment number specifies the next octet expected by the receiver.
The Code bits have a special meaning in session management and in the treatment of
segments.
● SYN — Synchronize, only set when a new TCP session is negotiated during the
TCP three-way handshake.
The Options has only one option currently, and it is defined as the maximum TCP
Using the Wireshark capture of the first TCP session startup (SYN bit set to 1), fill in
information about the TCP header. Some fields may not apply to this packet.
From the VM to CDC server (only the SYN bit is set to 1):
In the second Wireshark filtered capture, the CDC FTP server acknowledges the request
from the VM. Note the values of the SYN and ACK bits.
Information regarding the SYN-ACK message.
In the final stage of the negotiation to establish communications, the VM sends an
acknowledgment message to the server. Notice that only the ACK bit is set to 1, and the
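As an added example (not part of the original lab), the TCP header fields listed above are decoded from constructed raw segments with Python's struct module, and the three-way handshake is checked field by field: the SYN, the SYN-ACK whose acknowledgment number must equal the client's sequence number plus one, and the final ACK. The port numbers, initial sequence numbers and MSS option value are constructed sample values.

```python
import struct

FLAG_SYN, FLAG_ACK = 0x02, 0x10             # TCP control bits in the offset/flags word

def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fields the lab lists from a raw TCP header (20 bytes plus options)."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    hdr_len = (off_flags >> 12) * 4             # data offset, converted to bytes
    mss = None                                  # maximum segment size option: kind 2, length 4
    opts = raw[20:hdr_len]
    while len(opts) >= 2 and opts[0] != 0:      # kind 0 ends the option list
        if opts[0] == 1:                        # kind 1 is a single-byte NOP
            opts = opts[1:]
            continue
        kind, length = opts[0], opts[1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[2:4])[0]
        opts = opts[max(length, 2):]            # always make progress on a bad length
    return {"src_port": sport, "dst_port": dport, "well_known_dst": dport < 1024,
            "seq": seq, "ack": ack, "window": window, "checksum": csum, "urgent": urg,
            "syn": bool(off_flags & FLAG_SYN), "ack_set": bool(off_flags & FLAG_ACK), "mss": mss}

def build_tcp_header(sport, dport, seq, ack, flags, mss=None, window=65535) -> bytes:
    """Constructed sample segment; checksum left at 0, optional MSS option appended."""
    options = struct.pack("!BBH", 2, 4, mss) if mss else b""
    offset_words = 5 + len(options) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (offset_words << 12) | flags, window, 0, 0) + options

def classify_handshake(segments):
    """Name the handshake steps the three segments complete, stopping at the first break."""
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    if not (syn["syn"] and not syn["ack_set"]):
        return []
    if not (synack["syn"] and synack["ack_set"] and synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF):
        return ["SYN"]
    if not (ack["ack_set"] and not ack["syn"] and ack["ack"] == (synack["seq"] + 1) & 0xFFFFFFFF):
        return ["SYN", "SYN, ACK"]
    return ["SYN", "SYN, ACK", "ACK"]

# Constructed sample: client ephemeral port 49152 to the FTP control port 21
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_tcp_header(49152, 21, CLIENT_ISN, 0, FLAG_SYN, mss=1460),
    build_tcp_header(21, 49152, SERVER_ISN, CLIENT_ISN + 1, FLAG_SYN | FLAG_ACK, mss=1460),
    build_tcp_header(49152, 21, CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK),
]
```

Running `classify_handshake(HANDSHAKE)` yields all three step names; a SYN-ACK with the wrong acknowledgment number stops the classification after the SYN.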
3. UDP
The User Datagram Protocol, or UDP, is a communication protocol used across the
data is transferred. This allows data to be transferred very quickly, but it can also cause
packets to become lost in transit — and create opportunities for exploitation in the
packets is better than waiting. Voice and video traffic are sent using this protocol
because they are both time-sensitive and designed to handle some level of loss. For
example VOIP (voice over IP), which is used by many internet-based telephone services,
operates over UDP. This is because a staticky phone conversation is preferable to one
1. Start Wireshark.
4. Stop Wireshark.
5. Analysis of captured packets
4. ICMP
The Internet Control Message Protocol (ICMP) is a network layer protocol used by
network devices to diagnose network communication issues. ICMP is mainly used to
determine whether or not data is reaching its intended destination in a timely manner.
Commonly, the ICMP protocol is used on network devices, such as routers. ICMP is
crucial for error reporting and testing, but it can also be used in distributed
3. Run Wireshark.
5. Make sure you have an internet connection, or the ping will fail. Here is the
snapshot of a successful ping to Google. We can see 0% loss. That means ICMP
7. Analysis on ICMP (let's check what happens in Wireshark when we ping Google)
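As an added example (not part of the original lab), the echo request and echo reply messages that a ping generates are built and decoded here from constructed bytes: the RFC 1071 checksum is computed and verified, and replies are paired with requests by identifier and sequence number to produce the same "% loss" figure ping prints. The identifier, payload and the dropped reply are constructed sample values.

```python
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd trailing byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed echo message: type, code 0, checksum, identifier, sequence, then data."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(raw: bytes) -> dict:
    """Decode the echo header; a correct checksum makes the whole message sum to zero."""
    if len(raw) < 8:
        raise ValueError("ICMP echo header needs 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "checksum": csum, "id": ident, "seq": seq,
            "payload": raw[8:], "checksum_ok": internet_checksum(raw) == 0}

def ping_loss_percent(requests, replies) -> float:
    """Pair replies with requests by (identifier, sequence) and report loss as ping does."""
    sent = {(p["id"], p["seq"]) for p in map(parse_icmp, requests)
            if p["type"] == ICMP_ECHO_REQUEST}
    answered = {(p["id"], p["seq"]) for p in map(parse_icmp, replies)
                if p["type"] == ICMP_ECHO_REPLY and p["checksum_ok"]}
    if not sent:
        return 0.0
    return 100.0 * len(sent - answered) / len(sent)

# Constructed sample: four echo requests (a default ping run) and replies to three of them
IDENT = 0x1234
REQUESTS = [build_echo(ICMP_ECHO_REQUEST, IDENT, seq, b"abcdefgh") for seq in range(1, 5)]
REPLIES = [build_echo(ICMP_ECHO_REPLY, IDENT, seq, b"abcdefgh") for seq in (1, 2, 4)]

if __name__ == "__main__":
    print(f"{ping_loss_percent(REQUESTS, REPLIES):.0f}% loss")   # prints "25% loss"
```

A reply whose checksum does not verify is ignored when pairing, so a corrupted reply counts as a lost packet rather than a successful one.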