
One Week ISTE Workshop for Coordinators on CYBER SECURITY: Wireshark Lab


National Mission on Education through ICT
May 17, 2014

Exercise-1:
INSTRUCTIONS:
Solve at least the first 8 questions.
Try solving them without looking at the Hint provided after each question. If you face
difficulty, follow the instructions provided in the hint.
Go to File > Open, then open the sb.pcap file. To remove distractions due to the black coloring
of the packets, go to View > Coloring Rules, find the checksum errors rule and disable it (don't
delete it).
QUESTIONS:
1. Identify the first 2 packets (i.e. their packet numbers) containing HTTP GET request.
Hint: Apply a filter to view only those packets which correspond to HTTP GET requests.
The syntax is: http.request.method == ?. Type the method name in place of ?. The
method name is case-sensitive.
2. What webpage was visited in the above 2 packets?
Hint: Look at the HyperText Transfer Protocol > Host field in the Packet Details
section of the GUI corresponding to these packets.
3. What version of HTTP was used?
Hint: Look at the Info column in the Packet List section to find the HTTP version.
4. What is the destination IP address in the above packets?
Hint: Look at the Destination column in the Packet List section. You can also look at
the Internet Protocol > Destination field in the Packet Details section of the GUI
corresponding to these packets.
5. List the source and destination ports of the packets travelling from the client to the server
in the above packets.
Hint: Look at the Transmission Control Protocol details in the Packet Details section of the
GUI corresponding to these packets.
6. In the HTTP server's response, look at the information sent about the server. What server
software was used?
Hint: Apply the filter: http.response to view only the packets corresponding to HTTP
response (OK) messages. Look at the HyperText Transfer Protocol > Server field in
the Packet Details section of the GUI corresponding to any packet to identify the server
software.
7. What are the IP addresses of the server?
Hint: Go to Statistics menu > Conversations. Under the IPv4 tab, the Address A column
shows the server IP addresses and the Address B column shows the client IP address.
8. What are the MAC addresses of the client and server?
Hint: Apply the filter: ip.src == ? where ? represents the client IP address. For a packet
with client as source and one of the IP addresses of the server as destination, look at the
Ethernet II details in the Packet Details section of the GUI to identify the MAC addresses
of client and server.
9. How many webpages (not websites) have been opened?
Hint: Go to Statistics menu > HTTP > Load Distribution. Apply http filter.
Now count the number of webpages under the HTTP Requests By HTTP Host section.
10. What is the time difference between first HTTP GET and the first HTTP response (OK)?
Hint: Apply the http filter. Set the packet corresponding to the first HTTP GET as the
Time Reference (right-click on that packet and click on the Set Time Reference option).
Find the packet corresponding to the first HTTP response (OK). Look at the Time column
in the Packet List section of the GUI.
11. Count the total number of HTTP GET requests.
Hint: Apply a filter to view only the packets corresponding to HTTP GET requests. The
number of packets displayed will tell you the count. Look at the Status bar.
12. What is the time difference between the first and last HTTP GET requests?
Hint: Follow a similar procedure as mentioned previously.
13. How many packets were exchanged between the server (corresponding to both IP addresses) and the client? (Note: Their sum must be equal to the total no. of packets)
Hint: Go to Statistics menu > Conversations. Under the IPv4 tab, the Packets column
shows the number of packets exchanged by both IP addresses of the server with the client.
14. Find the total no. of HTTP requests sent by the host spongebob.wikia.com.
Hint: Follow a procedure similar to the one used to find the number of webpages visited.
The Count column will display the no. of HTTP requests sent by the above host.

Exercise-2:

Try answering the same questions based on a live capture of the packets. For this, start the
live capture, and then browse through a few webpages (on say, www.iitb.ac.in) before you start
answering the questions.
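
Added example, not part of the original worksheet: a Python script that reads the same fields Exercise-1 looks up in the GUI (packet number, Host, HTTP version, IP addresses, ports, MAC addresses, timestamp) directly from a classic pcap file, as a scripted cross-check. The sample capture, its addresses and the host example.com are constructed, and GET requests are matched by payload prefix rather than by Wireshark's HTTP dissector.

```python
import struct

def http_gets(pcap: bytes):
    """List HTTP GET requests in a classic little-endian Ethernet pcap (not pcapng)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    found, off, num = [], 24, 0
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off, num = off + 16 + caplen, num + 1      # Wireshark numbers packets from 1
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                               # keep only IPv4 carrying TCP
        tcp = 14 + (frame[14] & 0x0F) * 4          # IP header length can vary
        if len(frame) < tcp + 20:
            continue
        ip_end = 14 + struct.unpack_from("!H", frame, 16)[0]  # drops Ethernet padding
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:ip_end]
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
            continue                               # method match is case-sensitive
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), None)
        found.append({"no": num, "time": sec + usec / 1e6, "uri": parts[1],
                      "version": parts[2], "host": host, "sport": sport, "dport": dport,
                      "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
                      "src_ip": ".".join(map(str, frame[26:30])),
                      "dst_ip": ".".join(map(str, frame[30:34]))})
    return found

def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, data):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + iph + tcp + data  # checksums left as zero

def sample_pcap():
    """Constructed three-packet capture; every address and host name is made up."""
    c_mac, s_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    c_ip, s_ip = bytes([192, 168, 1, 10]), bytes([192, 0, 2, 80])
    get = lambda path: b"GET " + path + b" HTTP/1.1\r\nHost: example.com\r\n\r\n"
    pkts = [(0, 0, _frame(c_mac, s_mac, c_ip, s_ip, 49152, 80, get(b"/"))),
            (0, 250000, _frame(s_mac, c_mac, s_ip, c_ip, 80, 49152, b"HTTP/1.1 200 OK\r\n\r\n")),
            (1, 500000, _frame(c_mac, s_mac, c_ip, s_ip, 49152, 80, get(b"/about")))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, f in pkts:
        out += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return out
```

To compare against the GUI, pass the bytes of a capture saved in classic pcap format to `http_gets`; the length of the returned list corresponds to the GET count and the difference between two `time` values to the time-difference questions.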
