This document provides instructions for an assignment using Wireshark to analyze network protocols. Students are asked to complete several exercises analyzing SSL/TLS handshaking, SMTP traffic, and TCP packets. For each exercise, students must capture packet data using Wireshark, answer related questions, and provide screenshot evidence. Questions cover details of the SSL handshake, SMTP communication, TCP sequence numbers, and throughput calculation. Correct formatting of files and naming is required. The goal is to familiarize students with Wireshark's network analysis capabilities.
Assignment on Wireshark

Goal of this Assignment


To get familiar with the Wireshark tool and all its features by analyzing some protocols in the
context of network security.

Introduction
Wireshark is the world's most popular network analyzer. Available for free to all as an open
source tool, Wireshark runs on a variety of platforms and offers the ideal 'first responder' tool for
IT professionals. Wireshark is available for numerous operating systems, including Windows,
Apple Mac OS X, Debian GNU/Linux, FreeBSD, Gentoo Linux, HP-UX, Mandriva Linux,
NetBSD, OpenPKG, Red Hat Fedora/Enterprise Linux, rPath Linux, Sun Solaris/i386, Sun
Solaris/Sparc and Ubuntu. Wireshark has matured into a feature-rich tool for analyzing wired and
wireless network traffic. As long as you stay within the laws and corporate policies that regulate
the use of Wireshark, you can troubleshoot and secure your network more efficiently with an
inside look at network communications. Wireshark supports a common interface across multiple
platforms with menu-based, icon-based or right-click functionality for trace file manipulation and
interpretation.
Instructions
1. Perform the exercises given below and answer the question asked in each activity. This is
individual work.
2. The maximum marks for this assignment are 13.
3. Grades will be awarded per activity. Grades are A (13-10), B (9-6) & C (>5).
A grade: awarded to those who complete all the activities successfully.
B grade: awarded to those who complete at least 2 activities successfully and have not copied.
C grade: awarded to those who complete only 1 activity successfully and have not copied.
Copied files and answers will be cancelled.
4. How to save the captured packets:
You can save the captured packets in Wireshark simply by using the File -> Save As...
menu item. You can choose which packets to save and the file format (i.e., it should be in JPEG
format). Finally, combine all the image files in a folder named
<ROLLNO>_<FirstName>. The text files (in which you write the answers to
some questions) must also be included in this folder, named according to the naming
conventions given below.
5. Naming conventions:
Filenames should be of the form Activity no.-Exercise no. or Activity no.-Exercise no.-
Question no., for example:
In activity 1, Exercise 1, the image name will be 1-1.
In activity 1, Exercise 2, the name will be 1-2, and for Q1 the name will be 1-2-1, etc.
Assignment Exercise
Activity 1:- Certificate Analysis and examining the SSL/TLS handshaking
procedure by using Wireshark.

Exercise (1-4):
1. Do a Wireshark trace of any website of your choice (its URL should begin with
https://). Provide an image from your trace to support your answer as mentioned in the
instructions (highlight specific parts in the snapshot). Also, specify the web browser used
and its version, and the SSL/TLS version used by the browser in the trace.

2. Answer the following questions based on the above trace, and provide an image for
each question to support your answer:

Q1. What number identifies the SSL Handshake content type?
Q2. What number identifies the SSL Application Data content type?
Q3. What number identifies the SSL Change Cipher Spec content type?
Q4. In your Wireshark trace, which sets of messages are bundled together into single
frames?
Q5. What is the cipher suite selected for this session?
Q6. What are the first 5 cipher suites suggested by the client machine?
Q7. What is the Client Random value included in the Client Hello message?
Q8. Is it possible for you to learn the pre-master secret from this trace? If yes, provide the
pre-master secret. If not, explain your answer.
Q9. Establish another (fresh) session with your chosen website (close the browser and
start a new session from the same browser), and identify whether the answers to each of
the above questions (Q1-Q8) change or not.
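The fields Q1-Q7 ask you to read off in Wireshark's "Transport Layer Security" pane can also be decoded by hand from the record bytes. The following is an added example (not part of the assignment and not Wireshark code): it parses the TLS record header and a ClientHello from a constructed byte stream, reporting the content type numbers, the Client Random and the offered cipher suites. The cipher suite name table and the sample stream are constructed for illustration.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1): the numbers Q1-Q3 ask for.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
# A few IANA cipher suite code points, so the client's list can be shown by name.
CIPHER_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                 0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_records(data):
    """Split a byte stream into TLS records as (content_type, version, payload) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        records.append((ctype, version, payload))
        off += 5 + length
    return records

def parse_client_hello(payload):
    """Parse the ClientHello inside a Handshake record payload (extensions are skipped)."""
    htype, hlen = payload[0], int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hlen]
    if htype != 1 or len(body) != hlen:
        raise ValueError("payload is not a complete ClientHello")
    version = struct.unpack("!H", body[:2])[0]
    client_random = body[2:34]          # 32 bytes: the "Client Random" of Q7
    off = 35 + body[34]                 # skip the session_id length byte and the session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + cs_len, 2)]
    return {"version": version, "random": client_random.hex(), "cipher_suites": suites}

def suite_names(codes):
    """Map cipher suite code points to names, keeping unknown ones as hex."""
    return [CIPHER_SUITES.get(c, "0x%04X" % c) for c in codes]

def build_client_hello(random_bytes, suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + random_bytes + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed stream: a ClientHello, then a ChangeCipherSpec record, then an ApplicationData record.
SAMPLE_STREAM = (build_client_hello(bytes(range(32)), list(CIPHER_SUITES)) +
                 b"\x14\x03\x03\x00\x01\x01" + b"\x17\x03\x03\x00\x03abc")
```

Running `parse_records(SAMPLE_STREAM)` yields content types 22, 20 and 23 in that order, which are exactly the values Wireshark shows for Handshake, Change Cipher Spec and Application Data.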

3. Certificate Analysis
There are a few ways we can analyze a web certificate.

1. Firefox Method

Launch Firefox, go to Preferences->Advanced->View Certificates->Add Exception. To
get the certificate of the remote server, type in the URL and select Get Certificate. Select
View to get a more detailed overview of the certificate's contents.

2. Chrome Method

To view a certificate in Chrome, navigate to the website, select the padlock icon
on the navigation bar, and then select Certificate Information. Select Details to see all the
certificate information.
4. Analyze the certificate of any website by using all the methods mentioned above and answer
the following questions:

a. Who has signed the certificate, i.e., who is the CA? Is the CA trusted by your
browser?
b. What is the certification authority hierarchy for the certificate?
c. Has the certificate expired?
d. What digital signature scheme is used to sign the certificate?
e. What cryptosystem is used to generate the public (private) keys for the subject?
f. What is the public key that has been certified (just copy-paste it)?
Activity 2:- Examine the SMTP traffic using Wireshark

Exercise (1-2):
1. Capture the SMTP traffic. Provide an image to support your answers.
2. Answer the following questions and provide an image to support each answer:
Q1. What is the Ethernet address of the SMTP client, and what is the Ethernet address of
the SMTP server?
Q2. What is the IP address of the SMTP client, and what is the IP address of the SMTP
server?
Q3. Which frame was used to generate the To: header line in the message?
Q4. Which frame acknowledged the Subject: header line in the message?
Q5. Which frames generated the body of the message?
Q6. What TCP port was used on SMTP client, and what TCP port was used on the SMTP
server?
Q7. Why does Wireshark label some of the frames as TCP and some as SMTP?

Activity 3:- Examine the TCP packet using Wireshark

Exercise (1-2):
1. In this activity, you have to investigate the behavior of the TCP protocol in detail. You have
to analyze a trace of the TCP segments sent and received in transferring a file from your
computer to a remote server by using Wireshark. For this you have to access a web
page that will allow you to enter the name of a file (of any type) stored on your computer
and then transfer the file to the web server. Filter the TCP segments and provide the
screenshot.
2. Answer the following questions and provide an image to support your answers:
Q1. What is the IP address and TCP port number used by the client computer (source)?

Q2. What is the IP address of the remote server? On what port number is it sending and receiving
TCP segments for this connection?
Q3. What is the sequence number of the TCP SYN segment that is used to initiate the TCP
connection between the client computer and the server? What is it in the segment that identifies
the segment as a SYN segment?

Q4. What is the sequence number of the SYNACK segment sent by the server to the client
computer in reply to the SYN? What is the value of the Acknowledgement field in the SYNACK
segment? How did the server determine that value? What is it in the segment that identifies the
segment as a SYNACK segment?

Q5. What is the sequence number of the TCP segment containing the HTTP POST command?

Q6. Consider the TCP segment containing the HTTP POST as the first segment in the TCP
connection. What are the sequence numbers of the first six segments in the TCP connection? At
what time was each segment sent? When was the ACK for each segment received? Given the
difference between when each TCP segment was sent and when its acknowledgement was
received, what is the RTT value for each of the six segments?

Note: Wireshark has a nice feature that allows you to plot the RTT for each of the TCP
segments sent. Select a TCP segment in the "listing of captured packets" window that is
being sent from the client to the server. Then select: Statistics -> TCP Stream
Graph -> Round Trip Time Graph.

Q7. What is the length of each of the first six TCP segments?

Q8. What is the throughput (bytes transferred per unit time) for the TCP connection? Explain how
you calculated this value.
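Q4 and Q6-Q8 are arithmetic on values read from the packet list. The following is an added example (not part of the assignment) that carries out that arithmetic on a constructed table of six data segments: it checks that consecutive sequence numbers advance by each segment's payload length, derives the per-segment RTT from send and ACK times, and computes throughput as bytes transferred over the elapsed time. The segment table, times and lengths are made up for illustration and are not from a real capture.

```python
# Constructed sample (not a real capture): the first six data segments of one upload, as
# Wireshark's packet list would show them with relative sequence numbers.
# Fields: (relative seq, time sent in s, TCP payload length in bytes, time ACK received in s)
SEGMENTS = [
    (1,    0.0263, 565,  0.2027),
    (566,  0.0418, 1460, 0.2193),
    (2026, 0.0419, 1460, 0.2394),
    (3486, 0.0541, 1460, 0.2593),
    (4946, 0.0542, 1460, 0.2793),
    (6406, 0.0543, 1460, 0.2993),
]

def synack_ack_number(client_isn):
    """The SYN consumes one sequence number, so the SYNACK acknowledges ISN + 1 (Q4)."""
    return client_isn + 1

def relative_seq(raw_seq, isn):
    """Convert a raw 32-bit sequence number to Wireshark's relative form (wraps mod 2**32)."""
    return (raw_seq - isn) % (1 << 32)

def check_continuity(segments):
    """Each segment's seq must equal the previous seq plus its payload length (Q6, Q7)."""
    for (seq, _, length, _), (next_seq, _, _, _) in zip(segments, segments[1:]):
        if seq + length != next_seq:
            return False
    return True

def rtts(segments):
    """Per-segment RTT: time the ACK arrived minus time the segment was sent (Q6)."""
    return [round(ack_t - sent_t, 4) for _, sent_t, _, ack_t in segments]

def throughput(segments):
    """Bytes transferred divided by the span from first send to last ACK (Q8)."""
    total_bytes = sum(length for _, _, length, _ in segments)
    elapsed = segments[-1][3] - segments[0][1]
    return total_bytes / elapsed

if __name__ == "__main__":
    print("sequence numbers contiguous:", check_continuity(SEGMENTS))
    print("RTT per segment (s):", rtts(SEGMENTS))
    print("lengths (bytes):", [s[2] for s in SEGMENTS])
    print("throughput: %.0f bytes/s" % throughput(SEGMENTS))
```

Wireshark shows relative sequence numbers by default (the SYN is 0), so if you report raw numbers instead, say which convention you used in your answer.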

References
[1] Download source: https://www.wireshark.org/download.html
[2] Installation guide: https://www.wireshark.org/docs/wsug_html/
[3] Tutorial source: https://www.lifewire.com/wireshark-tutorial-4143298
[4] Study guide: Laura Chappell, "Wireshark Network Analysis: The Official Wireshark
Certified Network Analyst Study Guide", 2nd edition.
