Wireshark


EXPERIMENT NO.

AIM: Use Wireshark to understand the operation of the TCP/IP layers:


• Ethernet Layer: Frame header, Frame size etc.
• Data Link Layer: MAC address, ARP (IP and MAC address binding)
• Network Layer: IP Packet (header, fragmentation), ICMP (Query and Echo)
• Transport Layer: TCP Ports, TCP handshake segments etc.
• Application Layer: DHCP, FTP, HTTP header formats

THEORY:

Wireshark-

Wireshark is a network protocol analyzer, or an application that captures packets from a network
connection, such as from your computer to your home office or the internet. Packet is the name
given to a discrete unit of data in a typical Ethernet network.
Wireshark is the most often-used packet sniffer in the world. Like any other packet sniffer,
Wireshark does three things:

1. Packet Capture: Wireshark listens to a network connection in real time and then grabs
entire streams of traffic - quite possibly tens of thousands of packets at a time.
2. Filtering: Wireshark is capable of slicing and dicing all of this random live data using
filters. By applying a filter, you can obtain just the information you need to see.
3. Visualization: Wireshark, like any good packet sniffer, allows you to dive right into the
very middle of a network packet. It also allows you to visualize entire conversations and
network streams.

Uses of Wireshark-

Wireshark has many uses, including troubleshooting networks that have performance issues.
Cybersecurity professionals often use Wireshark to trace connections, view the contents of suspect
network transactions and identify bursts of network traffic. It is a major part of any IT
professional's toolkit, provided the professional has the knowledge to use it.
Wireshark has a rich feature set which includes the following-

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, OS X, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis

Capturing your traffic with Wireshark

1. Select Capture > Interfaces.

2. Select the interface on which packets need to be captured.

3. Click the Start button to start the capture.

4. Recreate the problem.

5. Once the problem which is to be analyzed has been reproduced, click on Stop.

6. Save the packet trace in the default format.

[Screenshot: Wireshark capturing on interface eno1; the packet list shows TCP, TLSv1.3 and UDP traffic between the host 192.168.0.112 and remote port 443. Status bar: Packets: 4091 · Displayed: 4091 (100.0%) · Profile: Default]

Filter using IP address-

[Screenshot: packet list after applying a display filter on the host's IP address; the remaining rows are UDP traffic to and from port 443 and DNS queries and responses for incoming.telemetry.mozilla.org. Status bar: Packets: 4091 · Displayed: 4044 (98.9%) · Dropped: 0 (0.0%) · Profile: Default]

Filter using tcp-

[Screenshot: packet list with the display filter tcp; the rows show the TLSv1.2 handshake with 52.11.213.12 (Certificate, Server Key Exchange, Server Hello Done; Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message), Application Data, Encrypted Alert, and the FIN/ACK and RST segments that close the connections. Status bar: Packets: 1574 · Displayed: 92 (5.8%) · Dropped: 0 (0.0%) · Profile: Default]

Screenshots of the different layers-

[Screenshot: Wireshark · Packet 122 · eno1, with the Frame section expanded; packet-bytes pane not reproduced]

Frame 122: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface eno1, id 0
    Interface id: 0 (eno1)
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 13, 2022 08:36:21.583665019 IST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1663038381.583665019 seconds
    [Time delta from previous captured frame: 0.000288792 seconds]
    [Time delta from previous displayed frame: 0.000288792 seconds]
    [Time since reference or first frame: 2.808228502 seconds]
    Frame Number: 122
    Frame Length: 106 bytes (848 bits)
    Capture Length: 106 bytes (848 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Micro-St_82:3a:c8 (2c:f0:5d:82:3a:c8), Dst: D-LinkIn_c5:f9:d4 (18:0f:76:c5:f9:d4)
Internet Protocol Version 4, Src: 192.168.0.112, Dst: 182.48.200.5
User Datagram Protocol, Src Port: 33765, Dst Port: 53
Domain Name System (query)

[Screenshot: Wireshark · Packet 122 · eno1, with the Ethernet II section expanded; packet-bytes pane not reproduced]

Frame 122: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface eno1, id 0
Ethernet II, Src: Micro-St_82:3a:c8 (2c:f0:5d:82:3a:c8), Dst: D-LinkIn_c5:f9:d4 (18:0f:76:c5:f9:d4)
    Destination: D-LinkIn_c5:f9:d4 (18:0f:76:c5:f9:d4)
        Address: D-LinkIn_c5:f9:d4 (18:0f:76:c5:f9:d4)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Micro-St_82:3a:c8 (2c:f0:5d:82:3a:c8)
        Address: Micro-St_82:3a:c8 (2c:f0:5d:82:3a:c8)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.0.112, Dst: 182.48.200.5
User Datagram Protocol, Src Port: 33765, Dst Port: 53
Domain Name System (query)

[Screenshot: Wireshark · Packet 122 · eno1, with the Internet Protocol Version 4 section expanded; packet-bytes pane not reproduced]

Frame 122: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface eno1, id 0
Ethernet II, Src: Micro-St_82:3a:c8 (2c:f0:5d:82:3a:c8), Dst: D-LinkIn_c5:f9:d4 (18:0f:76:c5:f9:d4)
Internet Protocol Version 4, Src: 192.168.0.112, Dst: 182.48.200.5
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 92
    Identification: 0x51f0 (20976)
    Flags: 0x4000, Don't fragment
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0xa952 [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.0.112
    Destination: 182.48.200.5
User Datagram Protocol, Src Port: 33765, Dst Port: 53
Domain Name System (query)

[Screenshot: Wireshark · Packet 122 · eno1, with the User Datagram Protocol section expanded; packet-bytes pane not reproduced]

Frame 122: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface eno1, id 0
Ethernet II, Src: Micro-St_82:3a:c8 (2c:f0:5d:82:3a:c8), Dst: D-LinkIn_c5:f9:d4 (18:0f:76:c5:f9:d4)
Internet Protocol Version 4, Src: 192.168.0.112, Dst: 182.48.200.5
User Datagram Protocol, Src Port: 33765, Dst Port: 53
    Source Port: 33765
    Destination Port: 53
    Length: 72
    Checksum: 0x3fa8 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 13]
    [Timestamps]
Domain Name System (query)

[Screenshot: Wireshark · Packet 122 · eno1, with the Domain Name System section expanded; packet-bytes pane not reproduced, the query name below is read from its ASCII column]

Frame 122: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface eno1, id 0
Ethernet II, Src: Micro-St_82:3a:c8 (2c:f0:5d:82:3a:c8), Dst: D-LinkIn_c5:f9:d4 (18:0f:76:c5:f9:d4)
Internet Protocol Version 4, Src: 192.168.0.112, Dst: 182.48.200.5
User Datagram Protocol, Src Port: 33765, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0xd1ac
    Flags: 0x0100 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        suggestqueries-clients6.youtube.com: type A, class IN
    Additional records
    [Response In: 127]
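The layer-by-layer decode that Wireshark's detail pane shows for packet 122 can be reproduced by hand, which is a good way to confirm that the frame size, header lengths and field offsets really add up. The following is an added example, not part of the original report: the 106 frame bytes are rebuilt from the packet-bytes pane of the Packet 122 screenshots, then parsed with Python's struct module; it also verifies the IPv4 header checksum that the screenshot shows as unverified (validation disabled).

```python
import struct
from ipaddress import IPv4Address

# Packet 122 of the lab capture, rebuilt here from the packet-bytes pane of the screenshots
# (constructed input; 106 bytes = Ethernet II + IPv4 + UDP + DNS standard query).
FRAME = (
    bytes.fromhex("180f76c5f9d4 2cf05d823ac8 0800")                 # Ethernet II: dst, src, type
    + bytes.fromhex("4500005c51f040004011a952 c0a80070 b630c805")   # IPv4 header, 20 bytes
    + bytes.fromhex("83e5 0035 0048 3fa8")                           # UDP: sport, dport, len, cksum
    + bytes.fromhex("d1ac 0100 0001 0000 0000 0001")                 # DNS header: id, flags, counts
    + b"\x17suggestqueries-clients6\x07youtube\x03com\x00\x00\x01\x00\x01"  # question: type A, class IN
    + bytes.fromhex("00 0029 0200 00000000 0000")                    # OPT pseudo-RR (EDNS0), 11 bytes
)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over the header; 0xffff means the stored checksum verifies."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xffff) + (total >> 16)
    return total

def dns_name(msg, off):
    """Read an uncompressed label sequence; returns (name, offset just past the root label)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def decode(frame):
    """Decode Ethernet II -> IPv4 -> UDP -> DNS, mirroring the fields of Wireshark's detail pane."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vihl, _tos, tlen, ident, flagfrag, ttl, proto, _ck = struct.unpack("!BBHHHBBH", frame[14:26])
    if etype != 0x0800 or proto != 17:
        raise ValueError("this example handles only IPv4/UDP frames")
    ihl = (vihl & 0x0f) * 4                   # header length field is in 32-bit words
    ip = frame[14:14 + ihl]
    sport, dport, ulen, _uck = struct.unpack("!HHHH", frame[14 + ihl:22 + ihl])
    dns = frame[22 + ihl:14 + tlen]           # UDP payload, bounded by the IPv4 total length
    txid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", dns[:12])
    qname, off = dns_name(dns, 12)
    qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    return {
        "frame_len": len(frame), "eth_dst": mac(dst), "eth_src": mac(src),
        "ip_version": vihl >> 4, "ip_total_len": tlen, "ip_id": ident, "ip_ttl": ttl, "ip_proto": proto,
        "ip_df": bool(flagfrag & 0x4000), "ip_frag_off": flagfrag & 0x1fff, "ip_checksum_ok": ipv4_checksum(ip) == 0xffff,
        "ip_src": str(IPv4Address(ip[12:16])), "ip_dst": str(IPv4Address(ip[16:20])),
        "udp_sport": sport, "udp_dport": dport, "udp_len": ulen,
        "dns_id": txid, "dns_flags": flags, "dns_qdcount": qd, "dns_arcount": ar, "dns_qname": qname, "dns_qtype": qtype,
    }
```

Calling decode(FRAME) returns the same values as the screenshots (Total Length 92 = 106 - 14, UDP Length 72 = 92 - 20), and the checksum test passes for this frame even though Wireshark left it unverified.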

I/O graph-

[Figure: Wireshark I/O Graphs on interface ens2, DNS traffic. X axis: Time (s), 0 to 25; Y axis: 0 to 2.5]

DNS

[Figure: Wireshark I/O Graphs on interface ens2, ICMP traffic. X axis: Time (s), 10 to 50; Y axis: 0 to 1.5]

ICMP

[Figure: Wireshark I/O Graphs on interface ens2 with the filter tcp. X axis: Time (s), 0 to 35; Y axis: 0 to 60]

TCP

CONCLUSION: Thus, we have studied the working of Wireshark.
