Networking 1 lab 6 Packet Sniffing with Wireshark
Lab 6
Packet Sniffing with Wireshark
10/27/08
Natasha Busch
Objectives: To learn how to use a packet-sniffing protocol analyzer software package. This is a good way to get a snapshot of what people are doing on the network. A lot of systems administrators use these.
Equipment List:
I used a lab computer and the software called Wireshark.
Notes and Observations: I observed packets that were being passed on the computer I was on. The network traffic info was very informative. It was a step-by-step process of what packets were being passed back and forth on the network. If you choose different types of IP packets you will get different kinds of information. It kind of worried me that you could see usernames and passwords as well.
Diagrams and figures:
I have none for this lab.
References and Questions:
I referenced the handout and the Networking book by Jeffery S. Beasley. Also, I asked Professor Genereux questions which I did not write down.
Questions:
One of the TCP frames had 60 bytes on wire / 60 bytes captured (60 bytes is the minimum Ethernet frame length without the FCS, so this packet was padded up to the minimum); the source was 74.125.95.102 and the destination was 10.10.3.2.
In the top frame we viewed an ARP protocol type packet. The hardware type was Ethernet, hardware size 6 (a MAC address is 6 bytes long). The protocol type was IP, protocol size 4 (an IPv4 address is 4 bytes long). These were followed by the target MAC address and target IP address fields. There are different types of information in each of the IP types of data packets.
I wrote down in my notes as well: source port: http (80), destination port: alaris_disk (3613), sequence number: 1 (relative), header length: 20 bytes.
The frames where my username and password were supplied show that there is no security on the FTP control channel. The FTP login is sent straight across the wire: the USER and PASS commands carry the username and password in cleartext, so these frames literally list them, and anyone capturing on the path can read them. This is why FTP should be replaced by an encrypted alternative such as SFTP or FTPS whenever credentials are involved.
The protocols encapsulated in the DNS query frame were Ethernet, IP and UDP. IP is the network-layer (layer 3) protocol and UDP is the transport-layer (layer 4) protocol; DNS itself is the application-layer payload carried inside UDP on port 53.
On the ICMP frame the protocols were Ethernet II, IP and ICMP. ICMP stands for Internet Control Message Protocol; it is carried inside IP and is considered a layer 3 (network-layer) protocol, not a layer 2 frame type.
In the frames containing HTTP info I noticed it took 15 frames to download the web page. The different protocols used were Ethernet, IP, TCP, HTTP and data-text-lines. Accordingly it was layer 2 working with layer 3, then 4, and finally 7 was the next one shown (the HTTP). I could see these five layers working together.
The protocol headers I viewed under the first frame carrying an HTTP GET request were (the layer of each is given in parentheses):
Ethernet (layer 2): destination address, source address, type.
IP (layer 3): version, total length, protocol.
TCP (layer 4): source port, destination port, sequence number.
HTTP (layer 7): Accept, Referer, Connection. The User-Agent header said Mozilla/4.0.
In the ARP request and response frames this is what is happening: a host that needs to deliver a packet to an IP address on the local network broadcasts a request to everyone on the LAN asking which MAC address belongs to that IP address. Wireshark shows the request as "Who has <IP>? Tell <IP>", and the host that owns the address answers with a response of the form "<IP> is at <MAC>". ARP therefore resolves IP addresses to MAC addresses; it does not hand out IP addresses.
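To make the encapsulation seen in the frames above concrete (the ARP request fields, the Ethernet / IP / TCP / HTTP header chain, ICMP carried inside IP, DNS over UDP, and the cleartext FTP login), here is a small dissector written for this page as an added example. It is not code from the lab, from Wireshark, or from the Beasley book. The frames it parses are constructed by hand inside the script so that it runs offline: the lab PC 10.10.3.2, the web server 74.125.95.102, ports 80 and 3613 and the Mozilla/4.0 user agent are taken from the lab notes, while the MAC addresses, the FTP server 10.10.3.10, the credentials and the hostname example.com are assumptions. IP and TCP checksums are left at zero, which a real capture would not show (Wireshark would flag them).

```python
"""Added example, not code from the lab report: a minimal Ethernet/ARP/IP/TCP/UDP
dissector in plain Python exposing the same fields Wireshark showed in the lab.
The sample frames are constructed by hand (not captured) so it runs offline."""
import struct

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # hw type, proto type, hw size, proto size, opcode, 4 addresses
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # ver/IHL, TOS, total len, id, frag, TTL, proto, csum, src, dst
TCP = struct.Struct("!HHIIBBHHH")       # ports, seq, ack, data offset, flags, window, csum, urgent


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def dissect(frame):
    """Walk one frame upward from layer 2; return one dict per protocol header, like the detail pane."""
    dst, src, etype = ETH.unpack_from(frame)
    layers = [{"layer": 2, "proto": "Ethernet II", "dst": fmt_mac(dst), "src": fmt_mac(src), "type": hex(etype)}]
    if etype == 0x0806:                                   # ARP sits directly on Ethernet, no IP header
        ht, pt, hl, pl, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
        layers.append({"layer": "2/3", "proto": "ARP", "hw_type": ht, "hw_size": hl, "proto_type": hex(pt),
                       "proto_size": pl, "op": "request" if op == 1 else "reply",
                       "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
                       "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)})
    elif etype == 0x0800:
        vihl, _, tot_len, _, _, ttl, proto, _, saddr, daddr = IPV4.unpack_from(frame, ETH.size)
        ihl = (vihl & 0x0F) * 4                           # IHL is in 32-bit words
        layers.append({"layer": 3, "proto": "IP", "version": vihl >> 4, "header_length": ihl, "total_length": tot_len,
                       "ttl": ttl, "protocol": proto, "src": fmt_ip(saddr), "dst": fmt_ip(daddr)})
        off = ETH.size + ihl
        if proto == 1:                                    # ICMP is carried inside IP: still layer 3
            layers.append({"layer": 3, "proto": "ICMP", "type": frame[off], "code": frame[off + 1]})
        elif proto == 17:                                 # UDP (layer 4); DNS is its port-53 payload
            sport, dport = struct.unpack_from("!HH", frame, off)
            layers.append({"layer": 4, "proto": "UDP", "src_port": sport, "dst_port": dport, "dns": 53 in (sport, dport)})
        elif proto == 6:
            sport, dport, seq, _, doff, flags, _, _, _ = TCP.unpack_from(frame, off)
            thl = (doff >> 4) * 4                         # data offset is in 32-bit words
            layers.append({"layer": 4, "proto": "TCP", "src_port": sport, "dst_port": dport, "seq": seq,
                           "flags": hex(flags), "header_length": thl})
            payload = frame[off + thl:]
            if payload:
                layers.append(dissect_app(sport, dport, payload))
    return layers


def dissect_app(sport, dport, payload):
    """Layer 7 is readable only because FTP and HTTP put plain ASCII on the wire."""
    text = payload.decode("ascii", errors="replace")
    if 21 in (sport, dport):                              # FTP control channel
        cmd, _, arg = text.rstrip("\r\n").partition(" ")
        return {"layer": 7, "proto": "FTP", "command": cmd, "argument": arg,
                "cleartext_credential": cmd in ("USER", "PASS")}   # the FTP weakness seen in the lab
    if 80 in (sport, dport):
        lines = text.split("\r\n")
        hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        return {"layer": 7, "proto": "HTTP", "request": lines[0], "headers": hdrs}
    return {"layer": 7, "proto": "data", "bytes": len(payload)}


def ip_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet + IPv4 around a layer-4 blob (constructed data; checksums left at 0)."""
    iph = IPV4.pack(0x45, 0, IPV4.size + len(l4), 1, 0, 64, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return ETH.pack(dst_mac, src_mac, 0x0800) + iph + l4

def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, payload):
    tcp = TCP.pack(sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload   # 20-byte header, PSH|ACK
    return ip_frame(src_mac, dst_mac, src_ip, dst_ip, 6, tcp)


# Constructed sample traffic: 10.10.3.2 and 74.125.95.102 are the addresses noted in the
# lab; the MACs, the FTP server 10.10.3.10, the hostname and the credentials are made up.
LAB_PC = bytes.fromhex("001b2100aa01")
GATEWAY = bytes.fromhex("001b2100ff01")
FRAMES = [
    ETH.pack(b"\xff" * 6, LAB_PC, 0x0806) + ARP.pack(   # "Who has 10.10.3.1? Tell 10.10.3.2"
        1, 0x0800, 6, 4, 1, LAB_PC, ip_bytes("10.10.3.2"), bytes(6), ip_bytes("10.10.3.1")),
    tcp_frame(LAB_PC, GATEWAY, "10.10.3.2", "10.10.3.10", 3614, 21, 1, b"USER student\r\n"),
    tcp_frame(LAB_PC, GATEWAY, "10.10.3.2", "10.10.3.10", 3614, 21, 15, b"PASS letmein\r\n"),
    tcp_frame(LAB_PC, GATEWAY, "10.10.3.2", "74.125.95.102", 3613, 80, 1,
              b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/4.0\r\n"
              b"Accept: */*\r\nConnection: keep-alive\r\n\r\n"),
]


def ftp_credentials(frames):
    """Pair each USER with the PASS that follows it on the same connection, as a sniffer would."""
    creds, pending = [], {}
    for f in frames:
        layers = dissect(f)
        if layers[-1].get("proto") != "FTP":
            continue
        conn = (layers[1]["src"], layers[2]["src_port"])   # client address + client port
        if layers[-1]["command"] == "USER":
            pending[conn] = layers[-1]["argument"]
        elif layers[-1]["command"] == "PASS" and conn in pending:
            creds.append((pending.pop(conn), layers[-1]["argument"]))
    return creds


if __name__ == "__main__":
    for f in FRAMES:
        print(*dissect(f), sep="\n", end="\n\n")
    print("credentials recovered:", ftp_credentials(FRAMES))
```

Run it and each frame prints one line per header, bottom layer first, mirroring Wireshark's detail pane. ftp_credentials() is the one-function version of what anyone on the path can do with the FTP frames from the lab, which is the whole reason the cleartext login matters. Note also that the name alaris_disk that Wireshark attached to port 3613 in the lab is only a lookup in its services table; with source port 80 and destination 10.10.3.2, port 3613 is simply the lab PC's client-side port for that connection.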
1. The purpose of TCP sequence numbers is to number the bytes in the stream so the receiver can put segments back in order and detect missing or duplicated data.
2. The purpose of source and destination addresses is to tell where info is to go and where it came from.
3. DNS translates host names into IP addresses.
4. HTTP and FTP are application-layer protocols: HTTP is used to transfer web pages and FTP is used to transfer files.
5. I think having a tool freely available can be implemented in business situations where an administrator is watching traffic on the network. Also, if there are problems transmitting info you can capture packets to see where the problem is occurring. I don't want my neighbor to have it on an unsecured wireless LAN, or in a hotel. I really wouldn't want someone in the computer labs to use it either.