
Assignment Nr

Name Surname Group


Klevis Papa BINF 2A

Task 1: Packet analysis using Wireshark

1. Capturing “Ping PDU”


Step 1. Open the Wireshark program and, after selecting the interface on which you will monitor the
packets you receive, start monitoring by clicking the menu Capture/Start.
At the command line of your computer, execute the command: ping www.epoka.edu.al. After
receiving the ping response, stop the monitoring process in Wireshark. Using the information
shown in the command line window, answer questions 1 and 2 below.

1. Which is the IP address of www.epoka.edu.al?


PING epoka.edu.al (69.48.185.170): 56 data bytes

2. Write the ping statistics for this address.

--- epoka.edu.al ping statistics ---


8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.008/154.595/395.222/109.031 ms

Step 2. Examine the Packet List Pane in Wireshark. Locate the ping packets. You can refer to the
addresses shown in the command line window. In the Packet List Pane of Wireshark find:

3. Which protocol is used by Ping?


ICMP
4. What is the full name of the protocol?
Internet Control Message Protocol

5. What are the names of the two ping messages?

1. Echo Request
2. Echo Reply
6. Are both the source and destination addresses listed in the window the addresses you were expecting?
Yes/No. Why?
Yes, there are two IPs, my computer and the web server. The Echo request was sent from 192.168.100.26 to
69.48.185.170. Also, the Echo (ping) reply was sent from 69.48.185.170 to 192.168.100.26.

7. Write the data of both packets sent by ping.

Echo (ping) request id=0x0001, seq = 2/512 , ttl=128( reply in 3483)



Echo (ping) reply id=0x0001, seq = 2/512 , ttl=49( request in 3482)

8. What is the IP address of your computer?


Source Address: 192.168.100.26

Step 3. Select with the mouse the first Echo request packet in the list. The information about this
packet will be displayed in the Packet Detail Pane. Click on each "+" on the left of each row
to expand the information.

As you can see, details of each section and protocol will be expanded further. Observe this information for a few
minutes. At this stage of your knowledge you may not fully understand the information displayed, but only note
the information you know.

9. Locate two different types of "Source" and "Destination". Why are there two types?

Destination: Apple_97:19:87 (3c:22:fb:97:19:87)


Address: Apple_97:19:87 (3c:22:fb:97:19:87)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Source: HuaweiTechno_4e:97:99 (98:35:ed:4e:97:99)


Address: HuaweiTechno_4e:97:99 (98:35:ed:4e:97:99)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

Having both types allows flexibility and efficiency in network communication. The globally unique address ensures
global uniqueness and facilitates device identification, while the individual address enables efficient one-to-one
communication between devices.

10. Which protocols are on the Ethernet frame?


Type: IPv4 (0x0800)

When you select a row in the Packet Detail Pane, part or all of the information in the Packet Bytes Pane is
highlighted. This shows the specific binary values representing that information in the PDU. At this stage
of your knowledge, it is not necessary to understand this information in detail.
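The fields the lab reads off the Packet Detail Pane (MAC addresses with their LG/IG bits, EtherType, IP addresses, TTL, ICMP type, id and seq) can be decoded from the raw frame bytes directly. This is an added example, not part of the assignment or the student's capture; the two frames are constructed from the addresses and values quoted in this report, with the IP and ICMP checksums left at zero.

```python
import struct

ICMP_TYPES = {0: "Echo (ping) reply", 8: "Echo (ping) request"}

def mac_info(raw):
    """Decode a 6-byte MAC the way Wireshark's LG/IG bit lines do (bits 1 and 0 of the first octet)."""
    first = raw[0]
    return {"address": ":".join(f"{b:02x}" for b in raw),
            "ig": "group address (multicast)" if first & 0x01 else "individual address (unicast)",
            "lg": "locally administered" if first & 0x02 else "globally unique address (factory default)"}

def parse_ping_frame(frame):
    """Ethernet II -> IPv4 -> ICMP; raises if the frame is not an IPv4/ICMP frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    ttl, proto = ip[8], ip[9]
    if proto != 1:
        raise ValueError(f"IP protocol {proto} is not ICMP")
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return {"dst_mac": mac_info(dst), "src_mac": mac_info(src), "ethertype": ethertype,
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "ttl": ttl, "icmp": ICMP_TYPES.get(itype, f"type {itype}"),
            "id": ident, "seq": seq, "payload_len": len(ip) - ihl - 8}

def build_ping_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, icmp_type, ident, seq, data=b"\x00" * 56):
    """Constructed test frame (56 data bytes, as in the ping output); checksums are zero, the parser ignores them."""
    ip_bytes = lambda s: bytes(int(o) for o in s.split("."))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + icmp

APPLE = bytes.fromhex("3c22fb971987")    # the computer's NIC, as listed in this report
HUAWEI = bytes.fromhex("9835ed4e9799")   # the gateway's NIC, as listed in this report
# The request leaves the computer with ttl 128; the reply arrives via the gateway with ttl 49 (values from Q7).
REQUEST = build_ping_frame(HUAWEI, APPLE, "192.168.100.26", "69.48.185.170", 128, 8, 0x0001, 2)
REPLY = build_ping_frame(APPLE, HUAWEI, "69.48.185.170", "192.168.100.26", 49, 0, 0x0001, 2)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_ping_frame(frame))
```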

Step 4. Go to the File menu and select Close. Click Continue Without Saving when the dialog window
appears.

2. Capture of HTTP PDU


Step 1. Start capturing packets. Since Wireshark is still running from the previous step, start capturing
packets by clicking the Start option in the Wireshark Capture menu.
Note: Capture options do not need to be set again if we continue working in the open window of
the program.
Open a web browser on the computer that is running Wireshark.
Enter the URL of a server, e.g. www.yahoo.com, or enter an IP address. When the web page is fully loaded,
stop capturing packets in Wireshark.
Step 2. Expand the Wireshark Packet List and look at the PDU list. Locate and identify the TCP and HTTP packets
associated with loading the web page.
Step 3. In the Packet List Pane select the HTTP packet that has the "text/html" note in the Info column.
In the Packet Detail Pane click on "+" next to "Line-based text data: html".

1. When this information expands what appears?


<TITLE>Upload page for TCP Wireshark Lab</TITLE>\n
<body bgcolor="#FFFFFF">\n
<p><font face="Arial, Helvetica, sans-serif" size="4"> Congratulations! <br> </font>\n
\n

<P><font face="Arial, Helvetica, sans-serif"> You've now transferred a copy of alice.txt from\n
your computer to \n
gaia.cs.umass.edu. You should now stop Wireshark packet capture. It's time to start analyzing the
captured Wireshark packets! </font>\n
\n
</FORM>\n
\n
\n

Examine the highlighted part of the Packet Bytes Pane. This shows the HTML data carried by the packet. A piece of data
captured in the HTTP session can be displayed as in the figure.

Before the HTTP session begins, the TCP session must be created. This appears in the first three rows of the session,
numbers 10, 11, 12. Use your Wireshark output and answer the following questions.

1. Fill the table using the information shown at the HTTP session.
Web browser IP address Source Address: 128.119.245.12
Web server IP address Destination Address: 192.168.100.26
Transport layer protocol (UDP/TCP) Protocol: TCP (6)
Web browser port number Source Port: 80
Webserver port number Destination Port: 53907
Language Accept-Language: en-US,en;q=0.9\r\n

2. Which computer starts the HTTP session and how?


Web browser IP address: 128.119.245.12
By analyzing the initial packets exchanged between the client and server, we can determine which computer
starts the HTTP session. The HTTP request contains the "text/html" content type. The computer that sends the
packet to the server to establish the TCP connection is the one that initiates the HTTP session.

3. Which computer starts signaling the end of an HTTP session and how?

Web server IP address: 192.168.100.26


Once we have identified the TCP packets sent by the server with the FIN flag set, we can confirm the end of the
TCP connection and, consequently, the end of the HTTP session initiated by the server.
The end of an HTTP session or destination is the IP of the web server.

4. Select the first row of HTTP protocol, the GET request from the web browser. Refer to the figure
above. Look at the middle window of Wireshark to examine protocols in layers. If necessary, extend the
information.
Source Address: 192.168.100.7
Destination Address: 192.229.221.95

5. Which protocol is carried (encapsulated) within the TCP segment?


HTTP is carried within the TCP segment. HTTP uses TCP as its underlying transport protocol to ensure reliable
delivery of data.
Encapsulation type: Ethernet (1)

6. Expand the last record of the protocol, and each subfield. This is the information sent to the web
server. Fill the table using the information from the protocol
Protocol Version 4
Request Method GET
*Request URI [RequestURI: http://gaia.cs.umass.edu/wireshark-labs/lab3-1-reply.htm]
Language Accept-Language: */*\r\n

*The Request URI is the path to the requested document. In the first browser request, the path is the root directory of the
web server. Although no page is requested, some web servers are configured to display a default file if there is
one.

The web server responds with the next HTTP packet. In the example figure above this is in line 15. The
answer to the web browser is possible because the web server (1) understands the type of request and
(2) has a file to return. "Crackers" often send unknown or confusing requests to the web server in order to
stop the server's work or gain access to the server's command line. Also, a request for an unknown web
page can result in an error message.

7. Choose the web server response and then switch to the middle window of Wireshark. Open all HTTP
sub-fields. Notice the information from the server. In this response there are only a few lines of text
(web server responses may contain hundreds or millions of bytes). The web browser understands the
answer and correctly formats the data in the browser window.

8. Which is the web server response to the GET request by the web client?
Response Phrase: Not Modified

9. What's the meaning of this response?


The requested code resource has not been modified since the last time it was requested and it’s instructing the
client to use its cached copy.
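Questions 2, 3, 8 and 9 are answered from the TCP flags and the HTTP start lines of the session: the first bare SYN names the side that opens it, the first FIN the side that signals its end, and the status line of the response tells the browser what to do with its cached copy. This is an added example, not part of the assignment or the student's capture; the segment list is constructed to mirror the lab's addresses and ports, and the If-Modified-Since and Date values are placeholders.

```python
from dataclasses import dataclass

SYN, ACK, FIN = 0x02, 0x10, 0x01          # TCP flag bits, as shown in Wireshark's Flags field
STATUS_MEANING = {200: "OK: the body carries a fresh copy of the resource",
                  304: "Not Modified: no body, the browser keeps using its cached copy",
                  404: "Not Found: the requested page does not exist on the server"}

@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    payload: bytes = b""

def analyse_session(segments):
    """Who opened and who closed the TCP connection, plus the HTTP start lines carried in it."""
    out = {"initiator": None, "closer": None, "request": None, "status": None, "meaning": None}
    for s in segments:
        if out["initiator"] is None and s.flags & SYN and not s.flags & ACK:
            out["initiator"] = s.src            # the bare SYN of the three-way handshake
        if out["closer"] is None and s.flags & FIN:
            out["closer"] = s.src               # the first FIN signals the end of the session
        line = s.payload.split(b"\r\n", 1)[0]
        if line.startswith(b"HTTP/"):           # response status line
            out["status"] = int(line.split()[1])
            out["meaning"] = STATUS_MEANING.get(out["status"], "other status code")
        elif b" HTTP/" in line:                 # request line: METHOD URI VERSION
            out["request"] = line.decode()
    return out

# Constructed capture: browser 192.168.100.26 port 53907, server 128.119.245.12 port 80 (ports not modelled).
BROWSER, SERVER = "192.168.100.26", "128.119.245.12"
GET = (b"GET /wireshark-labs/lab3-1-reply.htm HTTP/1.1\r\nHost: gaia.cs.umass.edu\r\n"
       b"Accept-Language: en-US,en;q=0.9\r\nIf-Modified-Since: <cached date placeholder>\r\n\r\n")
NOT_MODIFIED = b"HTTP/1.1 304 Not Modified\r\nDate: <date placeholder>\r\n\r\n"
CAPTURE = [
    Segment(BROWSER, SERVER, SYN),                 # row 10: SYN
    Segment(SERVER, BROWSER, SYN | ACK),           # row 11: SYN-ACK
    Segment(BROWSER, SERVER, ACK),                 # row 12: ACK, connection established
    Segment(BROWSER, SERVER, ACK, GET),            # HTTP GET from the browser
    Segment(SERVER, BROWSER, ACK, NOT_MODIFIED),   # HTTP 304 from the server, no body
    Segment(SERVER, BROWSER, FIN | ACK),           # the server signals the end
    Segment(BROWSER, SERVER, FIN | ACK),
    Segment(SERVER, BROWSER, ACK),
]

if __name__ == "__main__":
    for key, value in analyse_session(CAPTURE).items():
        print(f"{key:10} {value}")
```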

Go to the File menu and select Close. Click Continue Without Saving when the dialog window appears.
Close Wireshark.

3. Reflection
Consider the encapsulation information related to network data capture that Wireshark can provide.
Connect this to models with OSI and TCP/IP layers. It's important to know and connect the presented protocols,
the relevant layer and the type of encapsulation model with the information Wireshark provides.

4. Challenge
Discuss how you can use a protocol analyzer such as Wireshark to:

1. Troubleshoot a web page that fails to load in your computer's browser.


You can troubleshoot webpage uploading problems that don't function properly into your computer browser by
using Wireshark. Start by opening Wireshark and logging network traffic on the interface that is connected to the
internet. Try launching your browser and visiting the webpage that isn't uploading after that. With Wireshark,
carefully review the recorded packets to identify any strange activity, such as failed HTTP requests or server
problems. 404 stands for "Not Found" in HTTP status codes, which are very important to pay attention to since
they can indicate more severe issues. Additionally, check for DNS resolution problems if the browser is having
problems resolving the webpage's domain name. It's also important to look at TCP handshake failures and
timeouts, as these can be signs of network connectivity issues. Finally, focus on relevant traffic and identify the
issue's primary source by utilizing Wireshark's filtering capability.

2. Identify the data traffic required by users on the network.


To find out what data traffic users require, launch the program and enable network traffic capture on the relevant
interface. To concentrate on communication pertaining to users, use Wireshark's filtering features to isolate
traffic coming from specific IP addresses or devices. Next, look at other protocols to determine the types of traffic
users are generating, such as SMTP for email and HTTP for web browsing. Look through the packet contents to
find out more about the kind of data being sent and differentiate between database queries and file transfers.
Additionally, watch for patterns in traffic to spot consistent user actions, including recurring connections to
specific servers for necessary services. Network managers can effectively monitor and optimize network resources
by using Wireshark in a methodical manner, taking into account user traffic patterns.
