School of Computing and Information Systems
COMP30023: Computer Systems
Practical Week 11
Sniffing packets with Wireshark, and understanding IP addresses
1 Wireshark
You have come across Wireshark in a previous lab. Review that lab if you have forgotten how to use it. Here
we will use Wireshark to study some of the protocols you have come across in this course. It is easiest to run
this section on your local computer rather than the VM.
1.1 IP carrying TCP
1. Start a capture using the shark fin at the top left
2. Select any packet with protocol TCP or something that runs over TCP, like TLS or HTTP
3. Expand the “Internet Protocol” line in the bottom frame, using the triangle on the left of the line
4. Expand the lines “Differentiated Services” and “Flags”
5. Match each field to the location in the IP header shown in the lecture slides
6. Try to understand what each value means.
• Does this packet support Explicit congestion notification (ECN)?
• What does “Header length 20 (5)” mean? Why are there two numbers?
• Look at the identification number. Compare that with another packet you capture. Are they the
7. Repeat this for a few other packets that you capture.
• Which IP header fields seem to have the same value in most packets, and which seem to vary?
1.2 IP carrying UDP
1. Repeat the above for packets with protocol UDP or something that runs over UDP, like DNS.
2. Which IP header fields have the same values as for the TCP case, and which are different?
In particular, are there any fields that are the same for all TCP packets, and the same for all UDP packets,
but differ between TCP and UDP packets? Which ones?
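As an added example (not part of the lab sheet), the Python below builds two constructed 20-byte IPv4 headers, one carrying TCP and one UDP, and decodes the fields asked about in 1.1 and 1.2: the two numbers behind “Header length 20 (5)”, the ECN bits of the Differentiated Services byte, the identification field, the DF/MF flags, and whether the header checksum verifies. The addresses and identification values are made up.

```python
import socket
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}     # values of the Protocol field

def checksum(data: bytes) -> int:
    # RFC 1071 ones-complement sum of 16-bit words; a valid header sums to 0
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_header(proto, ident, ecn=0, df=True, ttl=64,
                      src="192.168.0.13", dst="93.184.216.34", total_len=40):
    # Constructed 20-byte header (IHL = 5 words, no options); not a real capture
    ver_ihl = (4 << 4) | 5                   # version 4, header length in 32-bit words
    tos = (0 << 2) | (ecn & 0x3)             # DSCP 0, ECN in the low two bits
    flags_frag = (0x2 if df else 0) << 13    # DF is bit 14; MF would be bit 13
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    # Decode the fields Wireshark lists under "Internet Protocol"
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl_words = ver_ihl & 0x0F               # the "(5)" in "Header length 20 (5)"
    hdr_len = ihl_words * 4                  # the "20": IHL counts 32-bit words
    return {
        "version": ver_ihl >> 4,
        "ihl_words": ihl_words,
        "header_len": hdr_len,
        "dscp": tos >> 2,
        "ecn": tos & 0x3,                    # 0 = Not-ECT: sender is not using ECN
        "total_length": total_len,
        "identification": ident,             # ties the fragments of one datagram together
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": checksum(pkt[:hdr_len]) == 0,
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
    }
```

Comparing the two parsed dictionaries field by field answers the question in 1.2: only ECN, identification, DF and Protocol differ between the constructed TCP and UDP headers.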
1.3 Monitoring HTTP requests
1. Start a new capture (using the shark fin at the top left).
2. Visit http://example.com and stop the capture.
3. Enter into the filter: http.host matches "example.com".
Q: What packet(s) do you see?
4. Now right click on the first packet and Follow the HTTP Stream.
1.4 Address Resolution Protocol (ARP)
The internet protocol runs on top of other network protocols. Each of these network protocols has its own
addressing scheme. IP hosts find the addresses of hosts on the underlying network (called the “link layer” by
most TCP/IP people), such as Ethernet or WiFi, using the Address Resolution Protocol (ARP).
Whenever an IP host wants to send to another IP node on the same network, such as the router, it must have
that node’s address. This is typically called a MAC address, and sometimes erroneously called a hardware
address. This is usually cached, but if the host is contacting a new node or if the cache has been cleared it will
issue an ARP request. We will now watch as we force your computer to issue an ARP request.
1. Open a command window.
2. You will now clear the ARP cache. The instructions below will tell you to type some commands. Before
you press 〈enter〉 on the final command, start a new capture in Wireshark by clicking on the blue fin icon
at the far left of the toolbar.
Windows: Open the command window as administrator (see “8 Ways To Open Command Prompt As
Administrator In Windows 10”) and enter the command
netsh interface ip delete arpcache
Mac or FreeBSD: Enter the command
Linux: First find the default gateway using arp by itself. This will probably list a single address and a
single interface. If so, the interface should match the one you are sniffing and the address will be
your gateway address. Then type the command
sudo arp -i interface_you_are_sniffing -d gateway_address
Wait a few seconds and then stop the Wireshark capture. (If you forgot to start it, just repeat the above
steps, remembering to start Wireshark before pressing enter)
3. Type arp into the filter text box below the toolbar. This should bring up two ARP packets. If not, repeat
the above steps and access the web between clearing the cache and stopping the capture.
4. Click on the line of the first ARP packet, and observe the destination Ethernet address. This will be a
“special” address: ff:ff:ff:ff:ff:ff. What does that mean, and why is this mode used?
5. Click on the line of the second ARP packet. What is its source address? Can you relate that to the
contents of the first ARP packet?
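As an added example (not part of the lab sheet), this Python builds a constructed ARP request/reply pair like the two packets the arp filter shows, decodes the Ethernet and ARP fields asked about in steps 4 and 5, and checks how the reply relates to the request. The MAC and IP addresses are made up.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def build_arp(oper, sha, spa, tha, tpa, eth_dst):
    # Constructed Ethernet + ARP frame (not a capture); oper 1 = request, 2 = reply
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), socket.inet_aton(spa),
                      mac_bytes(tha), socket.inet_aton(tpa))
    return eth + arp

def parse_arp(frame):
    # Decode the Ethernet header and the ARP payload that Wireshark shows for "arp"
    eth_dst, eth_src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_dst": mac_str(eth_dst),
        "eth_src": mac_str(eth_src),
        "broadcast": mac_str(eth_dst) == BROADCAST,   # request reaches every host on the link
        "op": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }

def answers(request, reply):
    # Step 5: the reply's sender is the IP the request asked about, and it is sent
    # unicast back to the asker's MAC (the request's sender), not broadcast.
    return (request["op"] == "request" and reply["op"] == "reply"
            and reply["sender_ip"] == request["target_ip"]
            and reply["target_mac"] == request["sender_mac"]
            and reply["eth_dst"] == request["eth_src"])
```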
1.5 Monitoring your project code
Now use Wireshark to capture the packets to and from your DNS server.
Do the packets contain what you expected them to contain?
2 Understanding IP addresses
Look at the routing table on your computer – either your VM or your local computer. In Linux, this is done by
the command route with no arguments. On Windows, it is done by opening a command window (Windows key-R,
then type cmd), and typing the command route print. On MacOS, type the command netstat -rn. If
your computer doesn’t have many routes, you can use the sample output below.
For each network address (or as many as you have time for)
1. Work out how many bits of the address make the network address, and how many bits make the host
2. Work out how many addresses are in that network.
This will be very repetitive if you go through each address below. Only do the ones that will give you different
Notice that some have a destination netmask of 255.255.255.255. In those cases, that isn’t the network mask
of the network the destination is on. That is saying that this is the actual (network|host) address, and that
routing decisions need to be based on matching the entire 32 bits.
Can you identify the “default routes”, used when no other network address matches?
===========================================================================
Interface List
20…00 05 9a 3c 7a 00 ……Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
17…b0 5c da e5 e6 e7 ……Intel(R) Ethernet Connection (4) I219-V
13…0a 00 27 00 00 0d ……VirtualBox Host-Only Ethernet Adapter
11…02 00 4c 4f 4f 50 …… Adapter
26…f4 d1 08 4d 6c 74 ……Microsoft Wi-Fi Direct Virtual Adapter #3
3…f6 d1 08 4d 6c 73 ……Microsoft Wi-Fi Direct Virtual Adapter #4
14…f4 d1 08 4d 6c 73 ……Intel(R) Dual Band Wireless-AC 8265 #2
18…f4 d1 08 4d 6c 77 ……Bluetooth Device (Personal Area Network)
1………………………Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.13 50
0.0.0.0 0.0.0.0 10.1.16.1 10.1.20.177 2
10.1.16.0 255.255.248.0 On-link 10.1.20.177 257
10.1.20.177 255.255.255.255 On-link 10.1.20.177 257
10.1.23.255 255.255.255.255 On-link 10.1.20.177 257
113.197.7.0 255.255.255.0 192.168.0.1 192.168.0.13 50
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
138.44.4.0 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.4.128 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.66.144 255.255.255.240 192.168.0.1 192.168.0.13 50
138.44.71.0 255.255.255.192 192.168.0.1 192.168.0.13 50
138.44.72.0 255.255.252.0 192.168.0.1 192.168.0.13 50
138.44.128.96 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.132.0 255.255.254.0 192.168.0.1 192.168.0.13 50
138.44.160.0 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.162.96 255.255.255.224 192.168.0.1 192.168.0.13 50
138.44.162.144 255.255.255.240 192.168.0.1 192.168.0.13 50
138.44.163.199 255.255.255.255 192.168.0.1 192.168.0.13 50
138.44.163.202 255.255.255.255 192.168.0.1 192.168.0.13 50
138.44.163.203 255.255.255.255 192.168.0.1 192.168.0.13 50
138.44.164.0 255.255.255.192 192.168.0.1 192.168.0.13 50
138.44.166.0 255.255.254.0 192.168.0.1 192.168.0.13 50
138.44.177.64 255.255.255.224 192.168.0.1 192.168.0.13 50
169.254.0.0 255.255.0.0 On-link 169.254.250.142 281
169.254.0.0 255.255.0.0 10.1.16.1 10.1.20.177 2
169.254.250.142 255.255.255.255 On-link 169.254.250.142 281
169.254.255.255 255.255.255.255 On-link 169.254.250.142 281
182.255.102.208 255.255.255.240 192.168.0.1 192.168.0.13 50
182.255.102.240 255.255.255.240 192.168.0.1 192.168.0.13 50
182.255.112.8 255.255.255.255 192.168.0.1 192.168.0.13 50
182.255.112.11 255.255.255.255 192.168.0.1 192.168.0.13 50
182.255.112.21 255.255.255.255 192.168.0.1 192.168.0.13 50
192.168.0.0 255.255.255.0 On-link 192.168.0.13 306
192.168.0.0 255.255.255.0 10.1.16.1 10.1.20.177 2
192.168.0.1 255.255.255.255 On-link 192.168.0.13 51
192.168.0.13 255.255.255.255 On-link 192.168.0.13 306
192.168.0.255 255.255.255.255 On-link 192.168.0.13 306
192.168.56.0 255.255.255.0 On-link 192.168.56.1 281
192.168.56.0 255.255.255.0 10.1.16.1 10.1.20.177 2
192.168.56.1 255.255.255.255 On-link 192.168.56.1 281
192.168.56.255 255.255.255.255 On-link 192.168.56.1 281
202.158.223.128 255.255.255.224 192.168.0.1 192.168.0.13 50
203.21.130.30 255.255.255.255 192.168.0.1 192.168.0.13 51
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.56.1 281
224.0.0.0 240.0.0.0 On-link 192.168.0.13 306
224.0.0.0 240.0.0.0 On-link 169.254.250.142 281
224.0.0.0 240.0.0.0 On-link 10.1.20.177 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.56.1 281
255.255.255.255 255.255.255.255 On-link 192.168.0.13 306
255.255.255.255 255.255.255.255 On-link 169.254.250.142 281
255.255.255.255 255.255.255.255 On-link 10.1.20.177 257
===========================================================================
Persistent Routes:
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 306 ::/0 fe80::be30:d9ff:fece:1de2
20 36 ::/0 On-link
1 331 ::1/128 On-link
14 51 2001:8004:11d0:4e2a::cb15:821e/128 fe80::be30:d9ff:fece:1de2
14 306 2001:8004:1d62:4439::/64 On-link
20 36 2001:8004:1d62:4439::/64 On-link
14 306 2001:8004:1d62:4439:1f0:b68f:96da:d51a/128 On-link
14 306 2001:8004:1d62:4439:25c1:6438:7d45:2984/128 On-link
20 291 fe80::/64 On-link
14 306 fe80::1f0:b68f:96da:d51a/128 On-link
20 291 fe80::300a:2945:9ff8:5cb7/128 On-link
20 291 fe80::5e9f:c20c:51b4:5e34/126 On-link
20 291 fe80::5e9f:c20c:51b4:5e36/128 On-link
13 281 fe80::a02e:bac4:b4e0:60ea/128 On-link
11 281 fe80::b4c0:3f1c:a775:fa8e/128 On-link
1 331 ff00::/8 On-link
13 281 ff00::/8 On-link
14 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
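As an added example (not part of the lab sheet), the Python below does the Section 2 exercise for a handful of rows copied from the sample IPv4 route table above: it turns each netmask into a network/host bit split and an address count, flags the /32 host routes and the 0.0.0.0 default route, and then shows which row a given destination would select by longest-prefix match. It uses only the standard ipaddress module.

```python
import ipaddress

# Rows copied from the sample IPv4 route table above (Network Destination,
# Netmask, Gateway, Interface, Metric); any other "route print" rows work the same way.
SAMPLE_ROUTES = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.13 50
10.1.16.0 255.255.248.0 On-link 10.1.20.177 257
10.1.20.177 255.255.255.255 On-link 10.1.20.177 257
138.44.4.0 255.255.255.224 192.168.0.1 192.168.0.13 50
192.168.0.0 255.255.255.0 On-link 192.168.0.13 306
192.168.0.1 255.255.255.255 On-link 192.168.0.13 51
224.0.0.0 240.0.0.0 On-link 192.168.0.13 306
"""

def describe_route(line):
    dest, mask, gateway, iface, metric = line.split()
    # A dotted netmask is a run of 1 bits followed by 0 bits; prefixlen counts the 1s
    net = ipaddress.IPv4Network((dest, mask), strict=False)
    prefix = net.prefixlen
    return {
        "network": str(net),
        "network_bits": prefix,
        "host_bits": 32 - prefix,
        "num_addresses": net.num_addresses,    # 2 ** host_bits, incl. network and broadcast
        "host_route": prefix == 32,            # 255.255.255.255: match all 32 bits
        "default_route": prefix == 0,          # 0.0.0.0/0: used when nothing else matches
        "gateway": gateway, "interface": iface, "metric": int(metric),
    }

def parse_table(text):
    return [describe_route(row) for row in text.splitlines() if row.strip()]

def lookup(routes, dst):
    # Longest-prefix match; among equal prefixes the lower metric wins
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in ipaddress.IPv4Network(r["network"])]
    return max(matches, key=lambda r: (r["network_bits"], -r["metric"]))
```

Note that the gateway 192.168.0.1 is reached by its own /32 row (metric 51) rather than by the 192.168.0.0/24 row it also sits in, because the longer prefix wins.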