Professional Documents
Culture Documents
Wireshark Intro
2. How long did it take from when the HTTP GET message was sent until
the HTTP OK reply was received?
Answer: about 0.32s.
3. What is the Internet address of the gaia.cs.umass.edu (also known as
www.net.cs.umass.edu)? What is the Internet address of your
computer?
Answer:
- My computer: 10.229.26.150
- Gaia.cs.umass.edu: 128.119.245.12
4. Print the two HTTP messages (GET and OK) referred to in question 2
above.
- GET’s HTTP message:
No. Time Source Destination Protocol Length Info
42 13:16:55.152287 10.229.26.150 128.119.245.12 HTTP 536 GET /wireshark-
labs/INTRO-wireshark-file1.html HTTP/1.1
Frame 42: 536 bytes on wire (4288 bits), 536 bytes captured (4288 bits) on
interface \Device\NPF_{7A4B7FB4-26DE-4877-ACAF-B53424195D80}, id 0
Ethernet II, Src: a2:54:70:e7:9c:c6 (a2:54:70:e7:9c:c6), Dst:
HewlettPacka_a6:09:74 (f4:ce:46:a6:09:74)
Internet Protocol Version 4, Src: 10.229.26.150, Dst: 128.119.245.12
Transmission Control Protocol, Src Port: 20175, Dst Port: 80, Seq: 1, Ack: 1, Len:
482
Hypertext Transfer Protocol
GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1\r\n
Host: gaia.cs.umass.edu\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\r\n
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,i
mage/apng,*/*;q=0.8,application/signedexchange;v=b3;q=0.7\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.9,vi;q=0.8\r\n
\r\n
[Full request URI: http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-
file1.html]
[HTTP request 1/2]
[Response in frame: 63]
[Next request in frame: 66]
- OK’s HTTP message:
No. Time Source Destination Protocol Length Info
63 13:16:55.473284 128.119.245.12 10.229.26.150 HTTP 492 HTTP/1.1 200 OK
(text/html)
Frame 63: 492 bytes on wire (3936 bits), 492 bytes captured (3936 bits) on
interface \Device\NPF_{7A4B7FB4-26DE-4877-ACAF-B53424195D80}, id 0
Ethernet II, Src: HewlettPacka_a6:09:74 (f4:ce:46:a6:09:74), Dst:
a2:54:70:e7:9c:c6 (a2:54:70:e7:9c:c6)
Internet Protocol Version 4, Src: 128.119.245.12, Dst: 10.229.26.150
Transmission Control Protocol, Src Port: 80, Dst Port: 20175, Seq: 1, Ack: 483,
Len: 438
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Date: Mon, 08 Apr 2024 06:16:55 GMT\r\n
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 mod_perl/2.0.11
Perl/v5.16.3\r\n
Last-Modified: Mon, 08 Apr 2024 05:59:01 GMT\r\n
ETag: "51-6158f80918130"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 81\r\n
Keep-Alive: timeout=5, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n
[HTTP response 1/2]
[Time since request: 0.320997000 seconds]
[Request in frame: 42]
[Next request in frame: 66]
[Next response in frame: 98]
[Request URI: http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-
file1.html]
File Data: 81 bytes
Line-based text data: text/html (3 lines)
Wireshark HTTP
2. What languages (if any) does your browser indicate that it can accept
to the server?
Answer: It is en-US, en. It’s can find out in Accept-Language in Hypertext
Transfer Protocol of GET Request Method.
4. What is the status code returned from the server to your browser?
Answer: The status code returned from the sever to my browser is 200.
5. When was the HTML file that you are retrieving last modified at the
server?
Answer: The HTML file that I are retrieving last modified at Sun, 07 Apr
2024 05:59:02 GMT.
12. How many HTTP GET request messages did your browser send?
Which packet number in the trace contains the GET message for the
Bill or Rights?
Answer: There are only one HTTP GET request messages. The packet
number of it is 175. See picture below.
13. Which packet number in the trace contains the status code and
phrase associated with the response to the HTTP GET request?
Packet number in trace contains the status code is 190. The information
can find out in picture in Question 12.
14. What is the status code and phrase in the response?
Answer: It’s 200.
15. How many data-containing TCP segments were needed to carry the
single HTTP response and the text of the Bill of Rights?
Answer: There are 4 data-containing TCP segments. You can see it in
[Segment count], I blacken out it in picture.
16. How many HTTP GET request messages did your browser send? To
which Internet addresses were these GET requests sent?
There are 3 HTTP GET request messages:
First is 128.119.245.12
Second is 128.119.245.12
Last is 178.79.137.164.
See there in picture below
17. Can you tell whether your browser downloaded the two images
serially, or whether they were downloaded from the two web sites in
parallel? Explain.
Answer: They were downloaded from web sites serially. This can found out
by checking the TCP ports. In this case the 2 images were transmitted over
2 TCP connections therefore they were downloaded serially. First TCP I
present in 1st picture and the other in 2th picture.
18. What is the server’s response (status code and phrase) in response to
the initial HTTP GET message from your browser?
Status code: 401 , Phrase: Authorization Required.
19. When your browser’s sends the HTTP GET message for the second
time,what new field is included in the HTTP GET message?
Answer: The new field is Authorization.
The content in it is Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms.
Wireshark DNS
1. Run nslookup to obtain the IP address of a Web server in Asia. What is
the IP address of that server?
Answer: I choose www.vnexpress.net for this question. It’s address is
111.65.249.59
4. Locate the DNS query and response messages. Are then sent over UDP
or TCP?
Answer: They are sent over UDP (User Datagram Protocol) in picture.
5. What is the destination port for the DNS query message? What is the
source port of DNS response message?
Answer: The destination port and source port of DNS is the same 53
7. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
Answer: It’s a type A Standard Query and it doesn’t contain any answers.
8. Examine the DNS response message. How many “answers” are
provided? What do each of these answers contain?
Answer: There are two answer in the DNS response message. Each content
of each in picture below.
9. Consider the subsequent TCP SYN packet sent by your host. Does the
destination IP address of the SYN packet correspond to any of the IP
addresses provided in the DNS response message?
Answer: The first SYN packet was sent to
2001:ee0:4f0c:ac70:e47a:34c7:94c7:59ee which corresponds to the first IP
address provided in the DNS response message.
10. This web page contains images. Before retrieving each image,
does your host issue new DNS queries?
Answer: No
11. What is the destination port for the DNS query message? What is the
source port of DNS response message?
Answer: The destination port of the DNS query is 53 and the source port of
the DNS response is 53 too.
12. To what IP address is the DNS query message sent? Is this the IP
address of your default local DNS server?
Answer: It’s sent to 2001:ee0:4f0c:ac70:e47a:34c7:94c7:59ee, this is
Temporary IP address, we can see from the ipconfig -all, in default local
DNS server.
13. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
Answer: The query is of type A and it doesn’t contain any answers.
14. Examine the DNS response message. How many “answers” are
provided? What do eachof these answers contain?
Answer: The response DNS message contains three answers, one of it
containing the name of thehost, the type of address, the class, and the IP
address.
15. Provide a screenshot
16. To what IP address is the DNS query message sent? Is this the IP
address of your default local DNS server?
Answer: It was sent to 2001:ee0:26::26 which is my default DNS server.
17. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
Answer: It’s a type NS DNS query that doesn’t contain any answers
18. Examine the DNS response message. What MIT nameservers does the
response message provide? Does this response message also provide
the IP addresses of the MIT namesers?
Answer: The nameservers are usw2, asia1, asia2, use2, ns1-37, ns1-173,
eur5 and use5. We can find their IP addresses if we expand the Additional
records field in Wireshark as seen below