
CSIS 100

LAB: WIRESHARK PACKET CAPTURE ASSIGNMENT TUTORIAL


While you will use this tutorial to run your lab, you will need to put your screenshots and
answers to the questions in the Lab: Wireshark Packet Capture Assignment Template.
The template is all that is needed for your submission.
Installing Wireshark:
Before you begin this lab, you will need to install Wireshark on your computer.
WINDOWS USERS:
Go to this link to install Wireshark:
https://www.wireshark.org/download.html
MAC USERS:
Follow the instructions in the Lab 1 folder called “Special Instructions for Installing
Wireshark on a Mac.”
Step-by-Step Tutorial:
1. Launch Wireshark. It will open to the main screen shown below.

Page 1 of 8

2. Click on the interface that you want to monitor (mine is highlighted above) and
click Start to begin capturing network packets.

Below is a sample of what a capture screen looks like. Do not worry about everything on
the screen. There are lots of packets and frames going on inside your network Broadcast
domain.

In this sample, I ran a 12.0790100 second capture and received 824 packets.
3. Stop this first capture by clicking the Stop icon on the toolbar or by selecting
“Stop” from the Capture menu.

4. Close all programs you are currently running except Wireshark and your word
processor.
5. Now click the Start icon (or the Start option on the Capture menu) to run another
capture.


You will be prompted to save your changes. Click “Continue without saving”
when prompted and run the capture for 30 seconds.
6. While the capture is running, open a web browser and go to www.bbc.com.
7. Stop the capture session (after 30 seconds).
Scroll down to the bottom of your capture list. The “No.” column represents the
packets captured. The “Time” column shows the time elapsed since the
beginning of the capture.
8. Highlight the row of the last packet captured.
Paste a screenshot of your Wireshark screen in the appropriate section of the Lab:
Wireshark Packet Capture Assignment Template (Screenshot #1).

Colors in Wireshark
Notice that some of the rows in your output may be shaded blue, green, black or
red. These colors have meaning in Wireshark. Packets that have the HTTP and
TCP protocols are shaded green by default, while packets that use the DNS and
UDP protocols are shaded light blue.
9. To view this behavior for yourself, click on the header of the Protocol column to
sort the column in alphabetical order. You should now easily see protocols
grouped together and the colors in which they appear.
Take a screenshot and paste it in the appropriate section (Screenshot #2) of the Lab:
Wireshark Packet Capture Assignment Template.

Although it is not recommended that you change the default color assignments when you
are first learning Wireshark, it is possible to apply different coloring rules by selecting
“Coloring Rules” from the “View” menu. Once you are more familiar with Wireshark
and its many capabilities, you can examine the use of color to help analyze network
traffic using this and other Color options on the View menu.
Filtering Packets
Most likely, you have captured quite a lot of packets in this exercise. What if you
want to find a particular packet in your list? One way would be to scroll through the
list until you see the correct one.
For example, assume that you want to find the packet that calls the web server to
retrieve (GET) the main google.com page. You will need to look for the line that
has “GET / HTTP/1.1” in the Info column. You may need to look at several packets
until you see one that shows www.Google.com in the bottom pane. See the
screenshot below.


The easier way of doing this is to filter your results by typing “HTTP” in the filter
textbox at the top of your screen. By using this filter, you exclude any rows that do not
have HTTP in their “Protocol” or “Info” columns.

Now, you try…


10. Enter “HTTP” in the filter textbox at the top of your screen and press the Enter
key (or click the Apply button). Scroll down to the bottom of your list.
Take a screenshot and paste it in the appropriate section (Screenshot #3) of the Lab:
Wireshark Packet Capture Assignment Template.


Now, it’s time to examine individual packets…


Examining Packet Contents
11. Click on the first row of your output where you see HTTP in the protocol column
and “GET / HTTP/1.1” in the Info column. This is the packet you want to
examine.
In the bottom pane you will see a bunch of numbers. Those are the contents of
the packet in hexadecimal. Just to the right of that you see the contents of the
packet in English.
Although the packet’s contents are displayed in this lower right-hand box, you
will probably agree that they are still difficult to read. In fact, looking at a packet
does not always tell the full story. An easier way of viewing not only the
contents of the current packet, but also the contents of the packets in a
“conversation” is to follow the whole TCP stream (that is, view the whole
conversation). For now, think of a conversation as the back-and-forth dialog
between a client and a server. In a later class, you’ll learn a more precise
definition.
To view a conversation, make sure that you’ve highlighted the first row of your
output that has “GET / HTTP/1.1” in the Info column. Next, select “Follow TCP
Stream” from the Analyze menu as shown below.

This will open a screen that shows the contents of the “GET” packet that requests
information from the web server, as well as the information that was returned by
the web server (which is contained in a different packet.) As you can see,
Wireshark is powerful, and we’ve only scratched the surface in this exercise!


Now, you try…


Click on the first row in your Wireshark capture that has “GET / HTTP/1.1” in
the Info column. Next, select “Follow TCP Stream” from the Analyze menu.
Take a screenshot and paste it in the appropriate section (Screenshot #4) of the Lab:
Wireshark Packet Capture Assignment Template.

Finally, click the Close button on this window, and you will return to the main Wireshark
screen.
Examining Source and Destination fields
Although we have only looked at the Protocol and Info columns in Wireshark, the other
columns are also very important. Notice that there are two columns entitled “Source”
and “Destination”. The Source column represents the origination point of a packet,
expressed in terms of an IP address. IP addresses are displayed as four numbers,
separated by periods, such as 192.168.10.1. This is called “dotted-decimal format” and
represents a computer’s logical address. Before a packet can be sent across a network, it
must have a source IP address as well as a destination IP address. Compare this to
receiving a letter in the mail: A letter must have your street address before it can be
delivered. This is the destination address. The return address on the letter is the source
address.
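As an added illustration (not part of this lab handout, and not Wireshark's own code), the following Python builds a constructed frame and decodes it into the same Source, Destination, Protocol and Info columns you have been reading, renders one line of the hexadecimal pane, and applies the same kind of protocol filter as the filter textbox. All helper names, the sample addresses and the sample bytes are made up for the example.

```python
import socket
import struct

def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a minimal Ethernet + IPv4 + TCP frame around payload (constructed test data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def decode_frame(frame):
    """Produce the Source, Destination, Protocol and Info columns Wireshark shows for one row."""
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length, right after 14 Ethernet bytes
    proto = frame[23]                                  # 6 = TCP
    src = socket.inet_ntoa(frame[26:30])               # dotted-decimal, as in the Source column
    dst = socket.inet_ntoa(frame[30:34])               # dotted-decimal, as in the Destination column
    if proto != 6:
        return {"src": src, "dst": dst, "protocol": "IP", "info": ""}
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4          # TCP header length
    payload = frame[tcp_off + data_off:]
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        info = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")  # e.g. "GET / HTTP/1.1"
        return {"src": src, "dst": dst, "protocol": "HTTP", "info": info}
    return {"src": src, "dst": dst, "protocol": "TCP", "info": f"{sport} -> {dport}"}

def hexdump_line(data, offset=0):
    """One line of the bottom pane: 16 bytes in hex on the left, their printable text on the right."""
    chunk = data[offset:offset + 16]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:04x}  {hexpart:<47}  {text}"

def apply_filter(frames, protocol):
    """Mimic typing a protocol name into the filter box: keep only rows whose Protocol column matches."""
    return [row for row in map(decode_frame, frames) if row["protocol"] == protocol]

# Constructed sample capture: a bare TCP acknowledgement, then the GET for the page.
GET_REQUEST = b"GET / HTTP/1.1\r\nHost: www.bbc.com\r\n\r\n"
SAMPLE_FRAMES = [
    build_frame("192.168.10.1", "203.0.113.10", 51234, 80, b""),
    build_frame("192.168.10.1", "203.0.113.10", 51234, 80, GET_REQUEST),
]
if __name__ == "__main__":
    for row in apply_filter(SAMPLE_FRAMES, "HTTP"):
        print(row["src"], "->", row["dst"], row["protocol"], row["info"])
    print(hexdump_line(GET_REQUEST))
```

The filter keeps only the second frame, exactly as typing a protocol name hides every row whose Protocol column does not match.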
Now, let’s look at the source and destination address on the packet you just analyzed.
12. Click on the first “GET / HTTP/1.1” row in your capture and notice the IP
address in the Source column. Is this your IP address? Let’s verify this.
13. WINDOWS USERS: Open a command prompt by clicking on your Start Menu
in Windows and selecting Command Prompt. (You may need to enter “cmd” in
the search textbox to view the link for the command prompt.)


MAC USERS: To view your IP address, you will need to follow the steps
outlined in this link: http://www.wikihow.com/Find-Your-IP-Address-on-a-Mac
You should use your Network screen that shows your IP address for the screenshots
required in question 15 (IPCONFIG output).

14. Once the command prompt is opened, enter “ipconfig /all” (without the quotes) at
the prompt. Scroll through the output and find the row that displays your IPv4
Address.


Take a screenshot of your ipconfig /all output (or Network screen for Mac users) and paste it
in the appropriate section (Screenshot #5) of the Lab: Wireshark Packet Capture
Assignment Template.
