Introduction
In this lab, you will use a “packet sniffer” called Wireshark to capture and analyze TCP packets generated between the PC browser and a web server, such as matrix.senecacollege.ca. When the application layer of the TCP/IP protocol stack creates an HTTP message, that message is “encapsulated” by a transport layer header. The header identifies the protocol TCP which is used to make a reliable connection to a web server. TCP uses a three-way handshake to establish a connection and a three-way handshake to take down a connection between the two hosts. The Internet layer adds a header indicating the logical IP address, but is also responsible to retrieve the MAC address which is passed to the Data Link layer for addition into the LAN header. You will see how the Internet layer uses a protocol called ARP (Address Resolution Protocol) to find the MAC or Ethernet address of the next link. Lastly, you will see the message syntax and sequence of the HTTP protocol.
Objective:
1. Demonstrate basic packet capturing with Wireshark
2. Examine the TCP handshake used to set up and take down a reliable connection
3. Examine how the Internet layer uses ARP
Instructions:
1. Use the MyApps folder to locate Wireshark
2. Click the Launch button to open Wireshark
3. Use ipconfig /all at a command prompt to get the IP and physical addresses of the local machine.
Physical Address of host E4-B3-18-6D-2E-28
IP Address of host 192.168.1.2
IP Address of default gateway 192.168.1.1
Physical address of default gateway fe80::3e90:66ff:fec6:e4f8%17
4. Before we capture packets, delete the ARP cache. This area of memory keeps a mapping of IP addresses to MAC addresses. We want to delete any previous entry so that ARP will have to be used during our capture.
5. Open a command line window as administrator and type the following: netsh interface ip delete arpcache
Capturing and Examining TCP Packets
TCP Connection Setup: 3-way Handshake
1. Close all browser windows before starting Wireshark.
2. Select an interface to capture called “Ethernet” which shows activity on it, similar to the screen shot above.
3. In Wireshark, select the interface for packet capturing (Ethernet or Wi-Fi).
4. On the Capture menu, click the Start button.
5. Open the browser and navigate to matrix.senecacollege.ca
6. When the web page loads, close the client window and wait a couple of seconds
7. Return to Wireshark and Stop capture.
8. Save the capture as a file called learnname_L3_capture. This is important if you need to return to the original file after applying display filters.
9. Type ip.addr==142.204.165.128 in the Display filter text box (if accessing from outside the Seneca network; if this does not work, ping matrix.senecacollege.ca and take the IP address from the ping reply) or ip.addr==10.102.108.5 (from the Seneca network). This will show the beginning of your conversation with the matrix server. Your Wireshark window should look like the screen shot below.
6. Notice the first conversation between your host and the server is a [SYN] packet with an info number of 49912 (yours will be different). SYN is a TCP flag which tells the server to open a connection to the host. Notice SEQ=0. Click on the [SYN] packet and open the drop-down arrow on Transmission Control Protocol in the Details pane in the middle Wireshark window.
7. In the top Wireshark packet list pane, select the second TCP packet, labeled SYN, ACK, with the same info number 49912.
8. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / Transmission Control Protocol frame.
9. Expand Ethernet II to view Ethernet details. Answer the following questions in the table below:
10. Observe the Destination and Source fields.
11. Expand Internet Protocol Version 4 to view IP details.
12. Observe the Source and Destination IP addresses.
13. Expand Transmission Control Protocol to view TCP details.
14. Observe the Source and Destination ports.
15. Observe the Sequence number. Notice that it is 0 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
16. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane. Notice that the actual acknowledgement number is one greater than the sequence number in the previous segment.
17. Expand Flags to view flag details.
18. Observe the flag settings. Notice that SYN and ACK flags are set, indicating the second segment in the TCP three-way handshake.
19. Complete the FIN ACK packet analysis table. [0.4 Marks]
FIN ACK Packet Analysis
What is the source MAC address of this packet? (should be the default gateway physical address) Source: SmartRG_c6:e4:f8 (3c:90:66:c6:e4:f8)
What is the destination address of this packet? (should be the host physical address) Destination: IntelCor_6d:2e:28 (e4:b3:18:6d:2e:28)
What is the source IP address of this packet? (should be the matrix server IP address) Source: 142.204.165.128
What is the destination IP address of this packet? (should be the host IP address) Destination: 192.168.1.2
What is the destination port of this packet? (should be a local dynamic port created for this connection) Destination Port: 53486
What is the source port of this packet? (should be port 80) Source Port: 443
with the ACK=1, which tells the server the communication channel is now fully open and able to send data. Answer the following questions and complete the table below:
20. Observe the Destination and Source fields.
21. Expand Internet Protocol Version 4 to view IP details.
22. Observe the Source and Destination IP addresses.
23. Expand Transmission Control Protocol to view TCP details.
24. Observe the Source and Destination ports.
25. Observe the Sequence number. Notice that it is 1 (relative sequence number). To see the actual sequence number, select Sequence number to highlight the sequence number in the bottom Wireshark bytes pane.
26. Observe the Acknowledgement number. Notice that it is 1 (relative ack number). To see the actual acknowledgement number, select Acknowledgement number to highlight the acknowledgement number in the bottom pane.
27. Expand Flags to view flag details.
28. Observe the flag settings. Notice that ACK is set, indicating the third segment in the TCP three-way handshake. The client has established a TCP connection with the server.
29. Complete the ACK packet analysis table. [0.4 Marks]
ACK Packet Analysis
What is the source MAC address of this packet? (should be the host physical address) Source: IntelCor_6d:2e:28 (e4:b3:18:6d:2e:28)
What is the destination address of this packet? (should be the default gateway physical address) Destination: SmartRG_c6:e4:f8 (3c:90:66:c6:e4:f8)
What is the source IP address of this packet? (should be the host IP address) Source: 192.168.1.2
What is the destination IP address of this packet? (should be matrix server IP address) Destination: 142.204.165.128
What is the destination port of this packet? (should be a port 80) Destination Port: 443
What is the source port of this packet? (should be the local dynamic port) Source Port: 53486
TCP Connection Tear Down: 3-way handshake
1. The ending of a TCP connection also uses a 3-way handshake (there are multiple ways to end a TCP connection; we will only discuss one).
2. Scroll down past the application data and look for a TCP packet with the FIN and ACK flags set. This is the first step of a tear down. After the server has sent the HTTP response message to the client, it sends a packet with the FIN and ACK flags set, which tells the client there is nothing more to send. The client responds with an ACK packet back to the server. Notice that the ACK packet uses the SEQ number of the FIN ACK packet + 1 as its ACK number, and the ACK number of the FIN ACK packet as its own SEQ number. Thus the server knows which TCP connection the client is referring to and closes its side of the connection.
3. A TCP connection is full duplex, so at this point the connection is only half closed. The next step is for the client to send a FIN ACK packet to the server, and the server responds with an ACK packet which closes the client side of the connection. Notice again how TCP uses the ACK number of the FIN ACK packet as the SEQ number of the ACK packet, and the SEQ number of the FIN ACK packet + 1 as its ACK number.
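To see the handshake and tear-down rules above outside Wireshark, here is an added example (not part of the lab) that builds a constructed no-payload conversation as raw Ethernet II / IPv4 / TCP frames, decodes the fields the lab tables ask for, converts absolute sequence numbers to the relative ones Wireshark displays, and checks the "ACK = FIN's SEQ + 1" rule of the tear-down. The MAC and IP values are constructed sample values, not taken from a real capture.

```python
import struct

HOST_MAC, GW_MAC = bytes.fromhex("e4b3186d2e28"), bytes.fromhex("3c9066c6e4f8")  # constructed: host NIC, default gateway
HOST_IP, SERVER_IP = bytes([192, 168, 1, 2]), bytes([142, 204, 165, 128])          # constructed: host, web server
FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Minimal Ethernet II / IPv4 / TCP frame with no payload (checksums left as zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def parse_frame(frame):
    """Pull out the fields the lab tables ask for: MACs, IPs, ports, seq/ack, flags."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    assert ethertype == 0x0800, "not an IPv4 frame"
    ihl = (frame[14] & 0x0F) * 4                      # IP header length in bytes
    proto, src_ip, dst_ip = struct.unpack("!B2x4s4s", frame[23:34])
    assert proto == 6, "not a TCP segment"
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", frame[14 + ihl:14 + ihl + 14])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for n, bit in (("FIN", FIN), ("SYN", SYN), ("ACK", ACK)) if flags & bit]}

def relative_numbers(segments):
    """Relative seq/ack as Wireshark shows them: subtract each direction's initial sequence number."""
    isn, rows = {}, []
    for s in segments:
        me, peer = (s["src_ip"], s["sport"]), (s["dst_ip"], s["dport"])
        isn.setdefault(me, s["seq"])                  # first segment from a side carries its ISN
        rows.append((" ".join(s["flags"]), s["seq"] - isn[me], s["ack"] - isn.get(peer, 0)))
    return rows

def closes_cleanly(fin_ack, reply):
    """Tear-down rule: the ACK answering a FIN,ACK has ack = that SEQ + 1 and seq = that ACK number."""
    return reply["ack"] == fin_ack["seq"] + 1 and reply["seq"] == fin_ack["ack"]

def sample_conversation(cisn=1000000, sisn=5000000, cport=49912):
    """Handshake, then the server-initiated tear-down; with no payload the numbers only advance on SYN and FIN."""
    c2s = (HOST_MAC, GW_MAC, HOST_IP, SERVER_IP, cport, 80)   # client -> server leaves via the gateway MAC
    s2c = (GW_MAC, HOST_MAC, SERVER_IP, HOST_IP, 80, cport)   # server -> client arrives from the gateway MAC
    return [parse_frame(f) for f in (
        build_frame(*c2s, cisn, 0, SYN),                   # 1. SYN
        build_frame(*s2c, sisn, cisn + 1, SYN | ACK),      # 2. SYN, ACK
        build_frame(*c2s, cisn + 1, sisn + 1, ACK),        # 3. ACK: connection open
        build_frame(*s2c, sisn + 1, cisn + 1, FIN | ACK),  # server: FIN, ACK (nothing more to send)
        build_frame(*c2s, cisn + 1, sisn + 2, ACK),        # client ACK: half closed
        build_frame(*c2s, cisn + 1, sisn + 2, FIN | ACK),  # client: FIN, ACK
        build_frame(*s2c, sisn + 2, cisn + 2, ACK))]       # server ACK: closed
```

Running relative_numbers(sample_conversation()) reproduces the Seq=0 / Seq=0 Ack=1 / Seq=1 Ack=1 pattern the lab has you read off the three handshake packets.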
ARP Protocol
1. The ARP protocol is used to map IP addresses to the Ethernet addresses used on a LAN.
Since we deleted the ARP cache, the default gateway's physical address is not in the cache, so ARP broadcasts to all hosts on the network: “whoever owns this IP address, please send me your MAC address so I can send you some data.” Notice it is the Internet layer that obtains the physical or MAC address, which is then added to the Data Link header. ARP shows that messages are forwarded link-by-link from source to destination.
2. Click on the first ARP packet.
3. Observe the details pane. Notice that the packet is encapsulated inside an Ethernet frame. Answer the following questions and complete the table below. [0.4 Marks]
ARP Request Packet
What type of ARP packet is this (Request/Reply)? Opcode: request (1)
What is the destination physical address of the ARP packet? Destination: Broadcast (ff:ff:ff:ff:ff:ff)
What type of casting is this address? (Unicast, broadcast, multicast) Broadcast
What is the source physical address of the ARP packet? Source: SmartRG_c6:e4:f8 (3c:90:66:c6:e4:f8)
What is the sender’s IP address? Sender IP address: 192.168.1.1
What is the target’s IP address? Target IP address: 192.168.1.64
4. Scroll down to the next ARP packet. Click on the packet and observe the details pane. Answer the following questions: [0.4 Marks]
ARP Reply Packet
What type of ARP packet is this (Request/Reply)? Opcode: request (1)
What is the destination physical address of the ARP packet? Destination: Broadcast (ff:ff:ff:ff:ff:ff)
What type of casting is this address? (Unicast, broadcast, multicast) Broadcast
What is the source physical address of the ARP packet? Source: SmartRG_c6:e4:f8 (3c:90:66:c6:e4:f8)
What is the sender’s IP address? Sender IP address: 192.168.1.1
What is the target’s IP address? Target IP address: 192.168.1.63
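As an added example (not part of the lab), the following decodes the same ARP fields the two tables ask for, classifies the Ethernet destination as unicast, broadcast or multicast, and rebuilds the IP-to-MAC table that the ARP cache you cleared in step 5 would hold after the exchange. The gateway and host addresses are constructed sample values.

```python
import struct

GW_MAC, GW_IP = bytes.fromhex("3c9066c6e4f8"), bytes([192, 168, 1, 1])      # constructed: default gateway
HOST_MAC, HOST_IP = bytes.fromhex("e4b3186d2e28"), bytes([192, 168, 1, 2])  # constructed: this host
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # hw type, proto type, hw len, proto len, opcode, sender MAC/IP, target MAC/IP

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet; a request (opcode 1) goes to the broadcast MAC."""
    dst_mac = BROADCAST if opcode == 1 else target_mac
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, sender_mac, sender_ip, target_mac, target_ip)
    return dst_mac + sender_mac + b"\x08\x06" + arp

def parse_arp(frame):
    """The fields the lab tables ask for, plus the cast type of the Ethernet destination address."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    assert ethertype == 0x0806, "not an ARP frame"
    _, _, _, _, opcode, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    cast = "broadcast" if dst_mac == BROADCAST else "multicast" if dst_mac[0] & 1 else "unicast"
    return {"opcode": {1: "request", 2: "reply"}.get(opcode, opcode), "cast": cast,
            "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
            "sender_mac": smac.hex(":"), "sender_ip": ".".join(map(str, sip)),
            "target_mac": tmac.hex(":"), "target_ip": ".".join(map(str, tip))}

def arp_cache(frames):
    """Rebuild the IP -> MAC table the lab cleared: every ARP packet announces its sender's mapping."""
    cache = {}
    for p in (parse_arp(f) for f in frames):
        cache[p["sender_ip"]] = p["sender_mac"]
    return cache

def sample_exchange():
    """Gateway asks who has 192.168.1.2 (broadcast); the host answers with a unicast reply."""
    return [build_arp(1, GW_MAC, GW_IP, b"\x00" * 6, HOST_IP),
            build_arp(2, HOST_MAC, HOST_IP, GW_MAC, GW_IP)]
```

The reply's opcode (2) and unicast destination are what distinguish it from the request in the second table.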
Other Common Protocols
Scroll through the list of protocols listed in Wireshark and identify 4 additional protocols. Provide a one sentence description of the protocol’s purpose. (use your own words, do not copy and paste) [0.25 Marks]
Protocol: Description
UDP: When sending and receiving information on the Internet, UDP is a communication protocol in which data is sent unilaterally from one side rather than from the other. UDP is short for User Datagram Protocol.
DNS: A TCP/IP network service that resolves a domain or host name to a numeric IP address on the network.
HTTP: HTTP (HyperText Transfer Protocol) is a protocol that transfers data quickly and easily in a distributed hypermedia environment.
ICMP: Abbreviation for Internet Control Message Protocol. A TCP/IP protocol that allows IP network status and error information to be shared; it is used by ping.
IGMP: A protocol for group membership or group management that provides a multicast environment between routers and hosts over a local network.
Grading:
• DCF255_L3_packetcapture.docx – with completed tables
• LearnName_L3_packetcapture.pcap
Upload the files using the link on MySeneca Graded Work.