Packet Sniffing


The purpose of this exercise is to introduce students to use of a packet sniffer and teach rudiments of Transmission Control Protocol/Internet Protocol (TCP/IP) traffic analysis by examining samples of real Internet traffic.

Overview

This exercise will provide a brief introduction to the use of a packet sniffer. For this exercise, you will not actually capture any live traffic but, instead, read and interpret pre-captured TCP/IP packet traffic files. This exercise can be completed using either the Windows or Kali VM.
Be sure to answer all of the questions in blue.

Learning Objectives

In this exercise, you will:

  1. Start the Wireshark packet sniffer
  2. Open a captured packet file in Wireshark
  3. Interpret simple examples of TCP/IP network traffic.

Locate the packet files to be used in this exercise:

i.e. F:\235 - Computers and Networks\Packet Sniffing\Files\tcpip

Now start the Wireshark program.

In the Windows VM, find the following desktop icon:

To open a packet capture file, use the File, Open... option in Wireshark and navigate to the TCPIP folder.

HINT: If you use Analyze, Follow TCP Stream, the user input is in red and server information is in blue.

Open the http_NEW.pcap packet capture file.

QUESTIONS

  1. What is the name of the destination Web server and where did you find that information?
  2. What URL do you suppose was used to access this Web page?
  3. Why does it appear that no new content was downloaded?


Open the POP.pcap packet capture file.

  1. What version of POP is being used -- and how do you know?
  2. What is the name of the POP mail server? NOTE: You'll have to work a bit for this one. The packet trace gives the IP address of the server but we're looking for the name.
  3. What is the username and password?
  4. Who sent the first message, to whom was it addressed, and what is the general topic?

(OPTIONAL) And now this for SIGNIFICANT bragging rights -- message number three has a file attachment titled atm_dogs.gif in UUENCODE format. Decode and display the file!
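As an added illustration (not part of the original exercise) of what the "Follow TCP Stream" view and the POP questions above ask you to read off by hand, the script below parses a constructed POP3 session transcript, separates client input from server output, identifies the protocol version from the greeting, flags the cleartext USER/PASS authentication, and uudecodes an attachment. The hostnames, user name, message and attachment bytes are all made up; the "C:"/"S:" prefixes stand in for the colouring Wireshark uses.

```python
import binascii

# Constructed sample of a POP3 session, laid out as Wireshark's "Follow TCP
# Stream" shows it; "C:" marks client input, "S:" server output. Made-up names.
SAMPLE_STREAM = """\
S: +OK POP3 server mail.example.test ready
C: USER alice
C: PASS hunter2
C: RETR 3
S: +OK 60 octets
S: begin 644 atm_dogs.gif
S: &1TE&.#EA
S: `
S: end
S: .
C: QUIT
"""

def split_directions(stream):
    """Return (client_lines, server_lines) from the prefixed transcript."""
    client, server = [], []
    for line in stream.splitlines():
        if line.startswith("C:"):
            client.append(line[2:].strip())
        elif line.startswith("S:"):
            server.append(line[2:].strip())
    return client, server

def analyze_pop_session(stream):
    """Pull out what the exercise asks for: version, user, commands, auth risk."""
    client, server = split_directions(stream)
    banner = server[0] if server else ""
    # RFC 1939 USER/PASS sends the password in the clear: flag it, do not echo it.
    user = next((c.split(" ", 1)[1] for c in client if c.upper().startswith("USER ")), None)
    return {"version": "POP3" if "POP3" in banner else "unknown", "user": user,
            "cleartext_auth": any(c.upper().startswith("PASS ") for c in client),
            "commands": [c.split(" ")[0].upper() for c in client if c]}

def extract_uuencoded(server_lines):
    """Decode the first uuencoded attachment (begin ... end) in the replies."""
    data, name = bytearray(), None
    for line in server_lines:
        if line.startswith("begin "):
            name = line.split()[2]
        elif name is not None and line == "end":
            break
        elif name is not None:
            # POP3 byte-stuffs lines that start with "." (RFC 1939 section 3).
            data += binascii.a2b_uu(line[1:] if line.startswith("..") else line)
    return name, bytes(data)
```

The sample attachment decodes to the six bytes of a GIF signature; on a real capture you would write the returned bytes to a file with the returned name and open it.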

Open the two ping packet capture files (ping_Linux.pcap and ping_win.pcap).

This command is used to determine whether another host is up and responding, and these packet captures represent the Unix/Linux and Windows versions, respectively.

  1. What are the names and addresses of the system issuing the ping and the system being pinged?
  2. What commands are issued by the *nix version compared to the commands issued by the Windows version?

Open the traceroute.pcap and tracert.pcap packet capture files.

These commands are used to trace the route of packets through the network, and these packet captures represent the Unix/Linux and Windows versions, respectively.

Question: What commands are issued by the *nix version compared to the commands issued by the Windows version?

Open the telnet.pcap packet capture file.

  1. What is the name of the remote telnet server?
  2. What is the username and password? ... and why do you see user input in both colors?
  3. What commands does the user issue?


Creative Commons License
CyberExplorations Exercises by Glenn S. Dardick is licensed under a Creative Commons Attribution 4.0 International License.