LAB0: GETTING UP TO SPEED
VERSION 1.8

Introduction to Wireshark¹

¹ Substantial amounts of this lab instruction manual are borrowed from “Wireshark Lab: Getting Started” by Kurose and Ross.

Objective

In this lab, the student shall work individually to:
1. Learn about packet sniffers and see how they capture and analyze network traffic.
2. Install Wireshark and start to learn how it works.

Theory: Packet Sniffers

Packet sniffers are a basic tool for observing the messages on a network. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by applications and protocols executing on your machine.

[Figure: structure of a packet sniffer. Labels: packet sniffer (packet analyzer, packet capture (pcap)); application (e.g., browser, ssh client, skype); operating system; Transport (TCP/UDP); Network (IP); Link (Ethernet); Physical (CAT5, Radio); copy of all Ethernet frames sent/received; to/from network]

The figure above shows the structure of a packet sniffer. At the right are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle, is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of every link-layer frame that is sent from or received by your computer. As you know, messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In the figure, the assumed physical media is an Ethernet, and so all upper layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all protocols and applications executing in your computer.

The existence of the packet capture box in this figure should give you cause to pause and think, particularly down two trains of thought. Firstly, it shows that any packet in a shared medium (Ethernet, Wi-Fi, etc.) can be captured and examined without notification of the sender or receiver. You cannot rely on common link-layer protocols to protect your secrets or your privacy online. At a minimum, you should be using encryption protocols (generally buried in the application layer, though sometimes found elsewhere) to protect all network traffic you generate or receive. Secondly, you have the ability to act as the “bad guy” and capture the network traffic of other people, examine it and exploit what you find. You need to learn to use this tool in a responsible fashion. Remember the movie quote: “With great power comes great responsibility!” We will use a filter to ensure Wireshark doesn’t display traffic other than your own, but this is purely a voluntary measure. Please act ethically and responsibly in your use of Wireshark.

The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. In order to do so, the packet analyzer must “understand” the structure of all messages exchanged by protocols. For example, suppose we are interested in displaying the various fields in messages exchanged by the HTTP protocol. The packet analyzer understands the format of Ethernet frames, and so can identify the IP datagram within an Ethernet frame. It also understands the IP datagram format, so that it can extract the TCP segment within the IP datagram. Next, it understands the TCP segment structure, so it can extract the HTTP message contained in the TCP segment. Finally, it understands the HTTP protocol and so, for example, knows that the first bytes of an HTTP message will contain the string “GET,” “POST,” or “HEAD,” as shown in Figure 2.8 in the text.

We will be using the Wireshark packet sniffer for these labs, allowing us to display the contents of messages being sent/received from/by protocols at different levels of the protocol stack. (Technically speaking, Wireshark is a packet analyzer that uses a packet capture library in your computer.) Wireshark is a free network protocol analyzer that runs on Macintosh, Windows, and Linux/Unix computers. It’s an ideal packet analyzer for our labs – it is stable, has a large user base and well-documented support that includes a user guide (html chunked), man pages, and a detailed FAQ, rich functionality that includes the capability to analyze hundreds of protocols, and a well-designed user interface. It operates in computers using Ethernet, Token-Ring, FDDI, serial (PPP and SLIP), 802.11 wireless LANs, and ATM connections (if the OS on which it's running allows Wireshark to do so).
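The layer-by-layer dissection described above (Ethernet, then IP, then TCP, then HTTP), as an added example that is not part of the original lab manual and is not Wireshark's own code: a minimal Python dissector run over a constructed frame. The sample frame, its documentation-range addresses and the function names build_frame and dissect are assumptions made for illustration.

```python
import struct

def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + TCP (checksums left at 0)."""
    eth = bytes.fromhex("020000000002" "020000000001") + b"\x08\x00"  # dst, src, IPv4
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return eth + ip + tcp + payload

def dissect(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP -> HTTP; stop at the first layer not understood."""
    out = {}
    if len(frame) < 14:
        return out
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "type": ethertype}
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20:      # only IPv4 is handled here
        return out
    ihl = (ip[0] & 0x0F) * 4                     # IP header length varies with options
    total_len = struct.unpack("!H", ip[2:4])[0]
    out["ip"] = {"src": ".".join(map(str, ip[12:16])),
                 "dst": ".".join(map(str, ip[16:20])), "proto": ip[9]}
    tcp = ip[ihl:total_len]                      # total length trims Ethernet padding
    if ip[9] != 6 or ihl < 20 or len(tcp) < 20:  # protocol 6 = TCP
        return out
    sport, dport = struct.unpack("!HH", tcp[:4])
    out["tcp"] = {"sport": sport, "dport": dport}
    payload = tcp[(tcp[12] >> 4) * 4:]           # TCP data offset, in 32-bit words
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
        out["http"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return out

if __name__ == "__main__":
    clear = build_frame(b"GET /lab0.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    opaque = build_frame(bytes.fromhex("1603010005") + b"\x8f\x02\xa1\x44\x9c")
    print(dissect(clear))    # request line is readable to anyone who sees the frame
    print(dissect(opaque))   # TLS-style record: addresses and ports only
```

The second sample shows the point made earlier about encryption: when the payload is not cleartext HTTP, a capture still exposes the link, IP and TCP headers but not the request.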

Procedures

1. Get Wireshark

   1. In order to run Wireshark, you will need to have access to a computer that supports both Wireshark and the libpcap or WinPcap packet capture library. The libpcap software will be installed for you, if it is not installed within your operating system, when you install Wireshark. See for a list of supported operating systems and download sites.
   2. Download the Wireshark binary from and install it. Make sure to also download the Wireshark user guide.
   3. The Wireshark FAQ has a number of helpful hints and interesting tidbits of information, particularly if you have trouble installing or running Wireshark.
   4. You may need to disable anti-virus protection software (McAfee, I'm looking at you!) before your own IP address will show up in captured data.
   5. You should be connected to an Ethernet connection. If you only have WiFi, you'll need to figure out how to set your WiFi physical layer into monitor mode, which may be difficult or impossible, depending on your operating system. Failure to follow this instruction will mean you only see traffic originating from or being sent to your own computer, which is sub-optimal for these labs.

2. Run Wireshark

   1. When you run the Wireshark program, the Wireshark graphical user interface will be displayed. Initially, no data will be displayed in the various

[Figure (page 3): Wireshark graphical user interface. Labels: command menus; display filter specification; listing of captured packets; details of selected packet header; packet ASCII and hexadecimal]

By the way, the pictures I show in this lab guide may differ, perhaps substantially, from the interface you see on your computer, depending on your installed version and operating system. Be flexible.

   2. The Wireshark interface has five major components:

      1. The command menus are standard pulldown menus located at the top of the window or in your menu-bar (not shown in the figure on the previous page). Also included is a toolbar (shown in the figure). Of interest to us now are the File and Capture menus. The File menu allows you to save captured packet data or open a file containing previously captured packet data, and exit the Wireshark application. The Capture menu allows you to begin packet capture.
      2. The packet-listing window displays a one-line summary for each packet captured, including the packet number (assigned by Wireshark; this is not a packet number contained in any protocol’s header), the time at which the packet was captured, the packet’s source and destination addresses, the protocol type, and protocol-specific information contained in the packet. The packet listing can be sorted according to any of these categories by clicking on a column name. The protocol type field lists the highest level protocol that sent or received this packet, i.e., the protocol that is the source or ultimate sink for this packet.
      3. The packet-header details window provides details about the packet selected (highlighted) in the packet listing window. (To select a packet in the packet listing window, place the cursor over the packet’s one-line summary in the packet listing window and click with the left mouse button.) These details include information about the Ethernet frame (assuming the packet was sent/received over an Ethernet interface) and IP datagram that contains this packet. The amount of Ethernet and IP-layer detail displayed can be expanded or minimized by clicking on the plus-or-minus boxes to the left of the Ethernet frame or IP datagram line in the packet details window. If the packet has been carried over TCP or UDP, TCP or UDP details will also be displayed, which can similarly be expanded or minimized. Finally, details about the highest level protocol that sent or received this packet are also provided.
      4. The packet-contents window displays the entire contents of the captured frame, in both ASCII and hexadecimal format.
      5. Towards the top of the Wireshark graphical user interface is the packet display filter field, into which a protocol name or other information can be entered in order to filter the information displayed in the packet-listing window (and hence the packet-header and packet-contents windows). In the example below, we’ll use the packet-display filter field to have Wireshark hide (not display) packets except those that correspond to HTTP messages.

3. Take Wireshark for a “Test Run.” The best way to learn about any new piece of software is to try it out! Do the following:

   1. Start up your favorite web browser, which will display your selected homepage.
   2. If you are using a proxy (especially a host-based one), disable it if possible. You want to examine uncached network traffic.
   3. Start up the Wireshark software. You will initially see a window similar to that shown above, except that no packet data will be displayed in the packet-listing, packet-header, or packet-contents window, since Wireshark has not yet begun capturing packets.
   4. To begin packet capture, select the Capture pull down menu and select Options. This will cause the “Wireshark: Capture Interfaces” window to be displayed. There are three sections to this window: Input, Output and Options, as shown below.

      The Input window allows you to select which interface you will use for capture. You can see that the computer where I took this screenshot has Wi-Fi and a bunch of Ethernet interfaces, as well as the loopback interface. Only one of them is in use, so I'll pick that one.

      The Output window lets you choose to dump all the collected packets into a file. This is handy for scripting (wouldn't you love to grab a 1MB capture file at midnight every night? Who wouldn't?). Note that you can limit the file sizes. I generally don't touch anything in this window.

      The Options window lets you specify when the capture should quit (in packets, files, size or time), control the listing section of the main window during the capture (update or not? Scroll or not?), and choose whether to resolve names or not.
   5. You can use most of the default values in the Options window, but check “Show extra capture information dialog.” The network interfaces (i.e., the physical connections) that your computer has to the network will be shown in the Interface pull down menu at the top of the Capture Options window. In case your computer has more than one active network interface (e.g., if you have both a wireless and a wired Ethernet connection), you will need to select an interface that is being used to send and receive packets. After selecting the network interface (or using the default interface chosen by Wireshark), click Start. Packet capture will now begin - all packets visible to your network interface (including those being sent/received from/by your computer) are now being captured by Wireshark!
   6. {Note: I can't get this window to appear on new versions of Wireshark. You might, on your version and your operating system.} Once you begin packet capture, a packet capture summary window will appear. This is the window that you decided not to hide in the previous step. This window summarizes the number of packets of various types that are being captured, and (importantly!) contains the Stop button that will allow you to stop packet capture. Don’t stop packet capture yet.
   7. While Wireshark is running, enter the URL ini740/Lab0/lab0.html (those are three zeros, not the letter o) and have that page displayed in your browser. Make sure to clear your browser cache if you have previously displayed this webpage -- you want to get it across the internet, not from your cache. In order to display this page, your browser will contact the HTTP server at www.ece.cmu.edu and exchange HTTP messages with the server in order to download this page, as discussed in section 2.2 of the text. The Ethernet frames containing these HTTP messages will be captured by Wireshark.
   8. After your browser has displayed the lab0.html page, stop Wireshark packet capture by selecting stop in the Wireshark capture window. This will cause the Wireshark capture window to disappear and the main Wireshark window to display all packets captured since you began packet capture. The main Wireshark window should now look similar to the figure on page 3. You now have live packet data that contains all protocol messages exchanged between your computer and other network entities! The HTTP message exchanges with the web server should appear somewhere in the listing of packets captured. But there will be many other types of packets displayed as well (see, e.g., the many different protocol types shown in the Protocol column in Figure 2). Even though t