Name: Nguyễn Hữu Chiến

Student ID: 2110855

Class: L02

Wireshark Intro

1. List 3 different protocols that appear in the protocol column in the

unfiltered
packet-listing window in step 7 above.
Answer: 3 different protocol:
- TCP
- HTTP
- QUIC

2. How long did it take from when the HTTP GET message was sent until
the HTTP OK reply was received?
Answer: about 0.32s.
 3. What is the Internet address of the gaia.cs.umass.edu (also known as
www.net.cs.umass.edu)? What is the Internet address of your
computer?
Answer:
- My computer: 10.229.26.150
- Gaia.cs.umass.edu: 128.119.245.12

4. Print the two HTTP messages (GET and OK) referred to in question 2
above.
- GET’s HTTP message:
No. Time Source Destination Protocol Length Info
42 13:16:55.152287 10.229.26.150 128.119.245.12 HTTP 536 GET /wireshark-
labs/INTRO-wireshark-file1.html HTTP/1.1
Frame 42: 536 bytes on wire (4288 bits), 536 bytes captured (4288 bits) on
interface \Device\NPF_{7A4B7FB4-26DE-4877-ACAF-B53424195D80}, id 0
Ethernet II, Src: a2:54:70:e7:9c:c6 (a2:54:70:e7:9c:c6), Dst:
HewlettPacka_a6:09:74 (f4:ce:46:a6:09:74)
Internet Protocol Version 4, Src: 10.229.26.150, Dst: 128.119.245.12
Transmission Control Protocol, Src Port: 20175, Dst Port: 80, Seq: 1, Ack: 1, Len:
482
Hypertext Transfer Protocol
GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1\r\n
Host: gaia.cs.umass.edu\r\n
Connection: keep-alive\r\n
Upgrade-Insecure-Requests: 1\r\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36\r\n
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,i
mage/apng,*/*;q=0.8,application/signedexchange;v=b3;q=0.7\r\n
Accept-Encoding: gzip, deflate\r\n
Accept-Language: en-US,en;q=0.9,vi;q=0.8\r\n
\r\n
[Full request URI: http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-
file1.html]
[HTTP request 1/2]
[Response in frame: 63]
[Next request in frame: 66]
- OK’s HTTP message:
No. Time Source Destination Protocol Length Info
63 13:16:55.473284 128.119.245.12 10.229.26.150 HTTP 492 HTTP/1.1 200 OK
(text/html)
Frame 63: 492 bytes on wire (3936 bits), 492 bytes captured (3936 bits) on
interface \Device\NPF_{7A4B7FB4-26DE-4877-ACAF-B53424195D80}, id 0
Ethernet II, Src: HewlettPacka_a6:09:74 (f4:ce:46:a6:09:74), Dst:
a2:54:70:e7:9c:c6 (a2:54:70:e7:9c:c6)
Internet Protocol Version 4, Src: 128.119.245.12, Dst: 10.229.26.150
Transmission Control Protocol, Src Port: 80, Dst Port: 20175, Seq: 1, Ack: 483,
Len: 438
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Date: Mon, 08 Apr 2024 06:16:55 GMT\r\n
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.33 mod_perl/2.0.11
Perl/v5.16.3\r\n
Last-Modified: Mon, 08 Apr 2024 05:59:01 GMT\r\n
ETag: "51-6158f80918130"\r\n
Accept-Ranges: bytes\r\n
Content-Length: 81\r\n
Keep-Alive: timeout=5, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n
[HTTP response 1/2]
[Time since request: 0.320997000 seconds]
[Request in frame: 42]
[Next request in frame: 66]
[Next response in frame: 98]
[Request URI: http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-
file1.html]
File Data: 81 bytes
Line-based text data: text/html (3 lines)
 Wireshark HTTP

1. Is your browser running HTTP version 1.0 or 1.1? What version of

HTTP is the server running?
Answer: My browser running HTTP version is 1.1 and version of HTTP in
my server running 1.1 too.

2. What languages (if any) does your browser indicate that it can accept
to the server?
Answer: It is en-US, en. It’s can find out in Accept-Language in Hypertext
Transfer Protocol of GET Request Method.

3. What is the IP address of your computer? Of the gaia.cs.umass.edu

server?
- IP address of gaia.cs.umass.edu server is 128.119.245.12.
- IP address of my computer is 192.168.1.3.

4. What is the status code returned from the server to your browser?
Answer: The status code returned from the sever to my browser is 200.
5. When was the HTML file that you are retrieving last modified at the
server?
Answer: The HTML file that I are retrieving last modified at Sun, 07 Apr
2024 05:59:02 GMT.

6. How many bytes of content are being returned to your browser?

Answer: It’s 128 bytes. See picture below for the number.
7. By inspecting the raw data in the packet content window, do you see
any headers within the data that are not displayed in the packet-
listing window? If so, name one.
Answer: No all of the headers can be found in the raw data.
8. Inspect the contents of the first HTTP GET request from your browser
to the server. Do you see an “IF-MODIFIED-SINCE” line in the HTTP
GET?
Answer: No, I don’t see “IF-MODIFIED-SINCE” line in the HTTP GET.
9. Inspect the contents of the server response. Did the server explicitly
return the contents of the file? How can you tell?
Answer: Yes, I can tell it because I see many contents in the Packet Details
tab.
10. Now inspect the contents of the second HTTP GET request from your
browser to the server. Do you see an “IF-MODIFIED-SINCE:” line in the
HTTP GET? If so, whatinformation follows the “IF-MODIFIED-SINCE:”
header?
Answer: Yes, I see “IF-MODIFIED-SINCE:” line in the HTTP GET. The
information follows it is Sun, 07 Apr 2024 05:59:02 GMT. See it in picture
below.
11. What is the HTTP status code and phrase returned from the server in
response to this second HTTP GET? Did the server explicitly return
the contents of the file? Explain.
Answer: The status code and phrase returned from the server is HTTP/1.1
304 Not Modified.You can see it in picture below. The server didn’t return
the contents of the file since the browser loaded it from its cache.

12. How many HTTP GET request messages did your browser send?
Which packet number in the trace contains the GET message for the
Bill or Rights?
 Answer: There are only one HTTP GET request messages. The packet
number of it is 175. See picture below.

13. Which packet number in the trace contains the status code and
phrase associated with the response to the HTTP GET request?
Packet number in trace contains the status code is 190. The information
can find out in picture in Question 12.
14. What is the status code and phrase in the response?
Answer: It’s 200.
15. How many data-containing TCP segments were needed to carry the
single HTTP response and the text of the Bill of Rights?
Answer: There are 4 data-containing TCP segments. You can see it in
[Segment count], I blacken out it in picture.

16. How many HTTP GET request messages did your browser send? To
which Internet addresses were these GET requests sent?
There are 3 HTTP GET request messages:
First is 128.119.245.12
Second is 128.119.245.12
Last is 178.79.137.164.
See there in picture below
17. Can you tell whether your browser downloaded the two images
serially, or whether they were downloaded from the two web sites in
parallel? Explain.
Answer: They were downloaded from web sites serially. This can found out
by checking the TCP ports. In this case the 2 images were transmitted over
2 TCP connections therefore they were downloaded serially. First TCP I
present in 1st picture and the other in 2th picture.

18. What is the server’s response (status code and phrase) in response to
the initial HTTP GET message from your browser?
Status code: 401 , Phrase: Authorization Required.
19. When your browser’s sends the HTTP GET message for the second
time,what new field is included in the HTTP GET message?
Answer: The new field is Authorization.
The content in it is Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms.
 Wireshark DNS
1. Run nslookup to obtain the IP address of a Web server in Asia. What is
the IP address of that server?
Answer: I choose www.vnexpress.net for this question. It’s address is
111.65.249.59

2. Run nslookup to determine the authoritative DNS servers for a

university in Europe.
Answer: I performed nslookup for a European University in Ioannina
Greece.
3. Run nslookup so that one of the DNS servers obtained in Question 2 is
queried for the mail servers for Yahoo! mail. What is its IP address?
Answer: The IP address of mail server of uoi.gr is 195.130.120.94

4. Locate the DNS query and response messages. Are then sent over UDP
or TCP?
Answer: They are sent over UDP (User Datagram Protocol) in picture.
5. What is the destination port for the DNS query message? What is the
source port of DNS response message?
Answer: The destination port and source port of DNS is the same 53

6. To what IP address is the DNS query message sent? Use ipconfig to

determine the IP address of your local DNS server. Are these two IP
addresses the same?
Answer: These are the same (2001:ee0:4f0c:ac70:e47a:34c7:94c7:59ee).

7. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
Answer: It’s a type A Standard Query and it doesn’t contain any answers.
8. Examine the DNS response message. How many “answers” are
provided? What do each of these answers contain?
Answer: There are two answer in the DNS response message. Each content
of each in picture below.

9. Consider the subsequent TCP SYN packet sent by your host. Does the
destination IP address of the SYN packet correspond to any of the IP
addresses provided in the DNS response message?
Answer: The first SYN packet was sent to
2001:ee0:4f0c:ac70:e47a:34c7:94c7:59ee which corresponds to the first IP
address provided in the DNS response message.
10. This web page contains images. Before retrieving each image,
does your host issue new DNS queries?
Answer: No
11. What is the destination port for the DNS query message? What is the
source port of DNS response message?
Answer: The destination port of the DNS query is 53 and the source port of
the DNS response is 53 too.

12. To what IP address is the DNS query message sent? Is this the IP
address of your default local DNS server?
Answer: It’s sent to 2001:ee0:4f0c:ac70:e47a:34c7:94c7:59ee, this is
Temporary IP address, we can see from the ipconfig -all, in default local
DNS server.
13. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
Answer: The query is of type A and it doesn’t contain any answers.

14. Examine the DNS response message. How many “answers” are
provided? What do eachof these answers contain?
Answer: The response DNS message contains three answers, one of it
containing the name of thehost, the type of address, the class, and the IP
address.
15. Provide a screenshot

16. To what IP address is the DNS query message sent? Is this the IP
address of your default local DNS server?
Answer: It was sent to 2001:ee0:26::26 which is my default DNS server.
17. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
Answer: It’s a type NS DNS query that doesn’t contain any answers
18. Examine the DNS response message. What MIT nameservers does the
response message provide? Does this response message also provide
the IP addresses of the MIT namesers?
Answer: The nameservers are usw2, asia1, asia2, use2, ns1-37, ns1-173,
eur5 and use5. We can find their IP addresses if we expand the Additional
records field in Wireshark as seen below

19. Provide a screenshot

20. To what IP address is the DNS query message sent? Is this the IP
address of your default local DNS server? If not, what does the IP
address correspond to?
Answer: The query is sent to 2001:ee0:26::26 which corresponds to default
local DNS server
21. Examine the DNS query message. What “Type” of DNS query is it? Does
the query message contain any “answers”?
Answer: It’s a standard type A query that doesn’t contain any answers
22. Examine the DNS response message. How many “answers” are
provided? What does eachof these answers contain?
Answer: One answer is provided in the DNS response message. It contains
the following:
bitsy.mit.edu: type A, class IN, addr 18.0.72.3
Name: bitsy.mit.edu
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 1533 (25 minutes, 33 seconds)
Data length: 4
Address: 18.0.72.3
23. Provide a screenshot