Homework 2: Understanding Network Traffic using Wireshark

This assignment is due at 11:59 pm on Friday, January 31.
You can find the homework here.
Make sure to read the homework before starting.

In this homework, we’ll learn basic usage of wireshark and how to debug network traffic with wireshark. Wireshark is a free and open-source packet analyzer. Wireshark consists of two parts: one is a packet capture engine powered by tcpdump, and the other is a powerful and expressive packet parsing capability that understands hundreds of different network protocols.

Preparing

Needed Tools

You will need several tools to complete this assignment, all of which are available on all major platforms. Some of these tools may already be available on your machine. You are responsible for getting these tools installed.

Get Trace Files

Wireshark can analyze trace files recorded by others. There are several trace files saved in the public class git repository. We will use them as example to learn basic usage of wireshark and understand what happened when these files were recorded. The files you will need are located in your homework repository, in the pcaps directory.

Homework Questions

Basic HTTP

01_http.pcap contains several HTTP conversations. After opening this file, answer the questions below. You don’t need to know what these fields mean (yet!), however you should be able to find them by browsing through the different protocols being “dissected” at different layers of each packet.

Q1: List every IPv4 address involved in an HTTP conversation in this file. For your answer, put the every IP addresses on a single line, comma separated, without any spaces. For example a.a.a.a,b.b.b.b,c.c.c.c, etc.

Q2: There are three domains that HTTP requests are made to in this file. Name any one of them.

hints:

  • examples of domains are example.org or www.domain.net. IP addresses are not domains.
  • practice using filters in wireshark to better forcus in on the traffic you are interested in.

Buffered Telnet

02_telnet-cooked.pcap is a recording of a client connecting to a remote server with telnet.

Q3: What are the client’s and server’s IP addresses? Enter them on the same line, comma separated, with no spaces. (E.x client ip,server ip)

Q4: What is the password input by the client to login?

Q5: What was the date of the last login? hint enter this using the exact same format as it appears in the telnet conversation.

Q6: List all commands run by the client after login successfully (separate them with commas, all on one line, and in the order they were made).

hints:

  • there are 4 commands
  • usernames and passwords are not commands
  • do not include the paths or arguments to commands here (ie if you see the user enter /bin/cat some_file.txt in the telnet conversation, the correct answer for this question is cat, not cat some_file.txt or /bin/cat).
  • if the same command was entered more than once, enter the command each time it was called during the conversation, in the order it was called.

If you are interested, several funny places you can telnet to can be found here. The Star Wars asciimation is particularly impressive.

Unbuffered Telnet

The telnet conversation in 03_telnet-raw.pcap is character buffered instead of line buffered. This means that the client sends every keypress to the server, including characters that eventually get deleted by backspace, so there might be incorrect keypresses in the conversation. Please answer the following questions:

Q7: What is the user name used by the client to login?

Q8: What is the host name pinged by the client?

Q9: List all commands run by the client, in the order they were run. Enter them all on the same line, comma separated.

hints:

  • usernames and passwords are not commands
  • do not include the paths or arguments to commands here (ie if you see the user enter /bin/cat some_file.txt in the telnet conversation, the correct answer for this question is cat, not cat some_file.txt or /bin/cat).
  • if the same command was entered more than once, enter the command each time it was called during the conversation, in the order it was called.

Hidden Servers

In file 04_http-garbage-connection.pcap, there are several http and https conversations in this file running on the usual ports (80, 8080 for http, 443 for https). There is also an http server running on a nonstandard port (ie not 80, 8080 or 443).

Q10: Find the http conversation happening on the nonstandard port and give its IP address and port, and the HTTP path requested to that server. Give your answer in the format IP,PORT,PATH. (hint, the path starts with the / character).

Trace Local Network Traffic

Q11: Wireshark isn’t only for reading previously captured network traffic. You can also it to save capture traffic on your own network.

For this question, use wireshark to capture the network traffic on your own network when requesting the URL http://wttr.in/chicago. You should fetch this from the commandline, using a tool like curl. Do not fetch the URL in your web browser, as the site will serve different content to web browsers than other, simpler HTTP clients.

Only include the relevant HTTP traffic in the saved file. Once you save the resulting network traffic in a pcap file, you will need to encode the file into Base64. The name of your encoded file for submission should be hw2.pcap.b64.

Here are useful references for Linux and OSX on encoding files into Base64 format.

Submission

Similar to Homework 1, you will be making the submission for this homework through github classroom.

For this homework, you are not provided with any scoring based test cases.

The files which will be submitted by the ok client:

  • hw2.txt: your answers to questions 1-10. Each answer should appear on its own line. Only the first 10 lines of your file will be considered.

  • hw2.pcap.b64: the Base64 encoded version of the pcap for Q11.

To submit your work, run git commit -a and git push. Like previously, you are allowed to make multiple submissions.

Grading

There are a total of 15 possible points for this assignment.

  • 1 point for each of the first 10 questions.
  • 3 points for correctly capturing the HTTP traffic described in question 11.
  • 2 point for only capturing the HTTP traffic described in question 11 (ie not including any other traffic in this file).

Due Date and Logistics

  • This assignment is due at the at 11:59 pm on Friday, January 31.

  • If you have any questions please use the Piazza discussion forum.

GPL Notice

Trace files 1 and 2 are covered by the GNU GPL and were downloaded from The Wireshark Wiki.