ITECH1003/ITECH5003 Networking Assignment: Wireshark Traffic Analysis

Added on 2024/05/31
ITECH1003/ITECH5003 Networking Assignment
Contents
Part 1 – Wireshark and traffic capture basics
Part 2: Capture filters
Part 3: Logical operators for combining primitives
Part 1 – Wireshark and traffic capture basics
1.1:
Solution: Network traffic capturing is used to analyse and study the behaviour of the entire
network infrastructure. There are two ways in which network traffic is captured: active
capturing and promiscuous mode capturing.
In promiscuous mode, the NIC is instructed to listen to each and every packet and report it to
Wireshark or a similar tool. The NIC silently listens to every packet, whether or not it is
intended for this machine.
1.2:
Solution: Wireshark has various options available, but the most important settings are in the
Capture > Options dialogue box. Here we can enable Name Resolution of network-layer names,
which resolves IP addresses to the network names assigned by the DNS server. Given below is a
snapshot of it.
1.3:
Solution: Network technologies have evolved a lot in the last two decades, but basic
networking starts in the LAN environment. In order to provide LAN communication among
different computers and servers, we need a network device. Initially only the hub was
available; after that the network switch was developed using bridge technology.
The network switch limits the broadcast of packets by using a specialised algorithm that
processes network traffic based on the MAC addresses of the Ethernet frames, while the hub
receives a copy of the packet and retransmits it on all connected ports, even to the device it
came from.
Figure 1: Network switch working
That is why network engineers usually call the hub a dumb device. The network switch
initially works like the hub, but it learns network information and then smartly processes
the network traffic in the switched network.
Figure 2: Working of HUB
Now we know that a hub network retransmits each and every packet to every connected device.
A network engineer understands this, so if he puts Wireshark in promiscuous listening mode,
the computer can capture each and every frame transmitted in that network, which is very
dangerous and can lead to leakage of sensitive data.
Now, when a malicious user puts the Wireshark device in a switched network, the device can
only hear the network traffic intended for that device, plus some broadcast and multicast
packets in the LAN.
1.4:
Solution. The well-known port numbers of the above-given protocols are given below
- FTP Data: TCP 20
- FTP Control: TCP 21
- HTTP: TCP 80
- NTP: UDP 123
- SSH: TCP 22
The port numbers of six other network protocols are also given below, with their purpose in
network technology.
- HTTPS: TCP 443
HTTPS works just like HTTP, providing web-based client-server communication. HTTPS
simply encrypts the entire HTTP packet inside the SSL/TLS security layer, so that data
confidentiality is provided during transmission.
- SMTP: TCP 25
SMTP (Simple Mail Transfer Protocol) is used to send emails from client to server and
from server to server. It is the most widely used protocol for mail communication.
- TELNET: TCP 23
TELNET is a terminal emulation protocol that provides an emulated OS interface over the
network to a remote location. The whole communication is text-based so that communication
is faster, and in this way anyone can easily connect to servers. But the communication
happens in plain text.
- TFTP: UDP 69
TFTP (Trivial File Transfer Protocol) is used to share file resources using a shared folder
on the LAN. TFTP is mostly used on the LAN because of the unreliability of UDP.
- DNS: UDP 53
DNS is one of the most important protocols; it provides resolution of hostnames to IP
addresses and vice versa, and is used worldwide for Internet communication.
- SNMP: 161
SNMP (Simple Network Management Protocol) is used to manage network devices using
client-server technology, in which one server receives SNMP messages from different
devices, analyses them according to their priority and reports to the network
administrator.
Part 2: Capture filters
Solution. Network capturing is used on both platforms, Windows and Linux: tcpdump is used on
Linux and WinDump on Windows machines. Traffic capturing creates a lot of data which needs to
be stored, and most of it is useless. So in order to reduce the packet capture data we need to
use network filters. Here the BPF qualifiers help the network administrator. There are three
types, each of which is as follows.
- Type (3)
The type qualifier filters traffic based on the host IP/name, network or network port used
in the IP packets. It basically checks the kind of thing named in the filter. Whenever
Wireshark matches the filter, it captures the packet and displays it in the capture window.
Some common examples of the Type qualifier are as follows
o host 192.168.5.3
o host user-pc
o net 192.168.125
o port 25
- Dir (2)
This qualifier is the most used in traffic capturing. It defines the direction of the
network traffic, either from source to destination or vice versa. The possible directions
are src, dst, src or dst and src and dst. If no direction qualifier is given in the filter,
Wireshark simply assumes src or dst. Some common examples are
o src user-pc
o dst net 155.3
o src or dst port ftp-data
- Proto (8)
This is the last type of qualifier, and it dives deeper into the IP network packet. It
simply restricts the match to the type of protocol used in the packet. Some examples of
protocols are ether, fddi, ip, ip6, arp, etc. If no protocol qualifier is given in the filter,
it simply assumes all network protocols and displays them in the filtering window. Examples
of practical use are
o ether src user-pc
o arp net 128.3
o tcp port 21
So, some of the commonly used qualifier examples are as follows:
- dst host 192.168.5.3
- src host 8.8.8.8
- ether dst dd:44:dd:44:dd:44
- ip proto \tcp
- ether multicast
- dst port 25
- dst net 192.3.4
- net 192.68.5
- net 10.0.0.0 mask 255.255.255.0
- tcp src port 53
Part 3: Logical operators for combining primitives
Solution. In network traffic capturing, various qualifiers are used to filter the traffic, but
a lot of packets will still be captured after applying a particular qualifier. When we need to
create a complex filter, we need to combine the qualifiers, and for this three types of logical
operators are available. This process is also called combining primitives.
- AND Operator or Concatenation (‘&&’ or ‘and’)
This operator checks both qualifiers applied in the capture filter. Only if both qualifiers
pass is the network packet displayed in the capture window; otherwise it is dropped. One
example is given below
o src 192.168.4.1 && src port 53
- OR Operator or Alternation (‘||’ or ‘or’)
This operator checks both qualifiers against the network packet; if either or both match,
the packet is displayed in the capture window. If neither matches, the packet is dropped.
One example is given below
o src 192.168.4.1 || dst 193.45.32.3
- Not or Negation (‘!’ or ‘not’)
The name itself gives the full definition of this operator. If a qualifier matches the
network packet, that packet is displayed; but when the negation operator is applied, it
does the opposite. One example is given below
o not src 193.53.53.93
Implementing BPF capture filters
The capture filters for traffic between the computer and the Google web server, according
to the instructions, are given below.
Capturing traffic from/to another machine (2 marks)
In this task, we need to capture the network traffic with different filters, which are
covered one by one below.
1. Capturing traffic between the Wireshark machine and another machine in the same network
using its IP. Given below is the snapshot of it.
The above traffic is captured using the IP addresses of both machines, joined by
concatenation of the two qualifiers, i.e. host 192.168.1.8 && host 192.168.1.12. This
filter passes only packets whose two IP addresses are the given source and destination
addresses, or vice versa.
2. Again capturing the traffic between the two devices, this time using the MAC address to
identify them.
This time the packet capturing uses the same rule as above but with the MAC addresses, i.e.
ether host a4:70:d6:3c:d8:bf && ether host 4c:0f:53:d3:54:cd. In the configured filter the
traffic is filtered on the MAC addresses of both machines; only if both match is the network
traffic displayed.
3. Now capturing all the traffic of the other machine using its IP address only. Given below
is the snapshot of it.
This time we have simply used the IP address of the other machine to filter the network
traffic, i.e. host 192.168.1.12. It passes every packet which has the given host address
in it.
4. Capturing only ICMP traffic between the two machines. Given below is the snapshot.
For this network traffic filter we have used the complex filter host 192.168.1.8 && host
192.168.1.12 && icmp. It checks both addresses and also the given ICMP protocol, and then
displays the matching traffic in the capture.
Using port numbers in capture filters (1 mark)
The set of capture filters that can capture the required traffic is given below
- Capture broadcast traffic only
The filter broadcast is used
- Exclude broadcast traffic
The filter ! broadcast is used
- Capture all traffic from a range of network addresses but exclude broadcast traffic.
The filter is "! broadcast and net 192.168.1"
The first capture filter only checks for the broadcast address in every packet it receives;
once it finds that address it displays the packet. The second filter does the opposite: if
it finds the broadcast address in the packet, it simply discards it. The last one discards
all broadcast packets and only allows packets which belong to the given network.
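As an added example (not part of the report), the following Python models the Type and Proto qualifiers, the Dir default of "src or dst", and the &&, || and ! operators from Parts 2 and 3, applied to constructed Ethernet/IPv4 frames that reuse the IP and MAC addresses from the capture tasks above. The frame builder, the fixed field offsets and the "192.168.1.0/24" spelling for "net 192.168.1" are assumptions made for illustration; the frames are constructed, nothing was captured.

```python
import ipaddress
import struct

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport=0, dport=0):
    """Constructed Ethernet II + IPv4 frame; only the fields the filters inspect are meaningful."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO[proto], 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    l4 = struct.pack("!HH", sport, dport) if proto != "icmp" else b"\x08\x00\x00\x00"
    return eth + ip + l4

def parse(frame):
    """Read the fields by fixed offset, the way a compiled BPF program does."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    p = {"eth_dst": fmt(frame[0:6]), "eth_src": fmt(frame[6:12]), "proto": frame[23],
         "ip_src": str(ipaddress.IPv4Address(frame[26:30])),
         "ip_dst": str(ipaddress.IPv4Address(frame[30:34]))}
    if p["proto"] in (6, 17):                                  # TCP/UDP ports follow the IP header
        p["sport"], p["dport"] = struct.unpack("!HH", frame[34:38])
    return p

# Type/Proto qualifiers. With no Dir qualifier BPF assumes "src or dst", so both ends are checked.
def host(a):        return lambda p: a in (p["ip_src"], p["ip_dst"])
def net(prefix):    # "net 192.168.1" is written here as "192.168.1.0/24" (assumption)
    n = ipaddress.ip_network(prefix, strict=False)
    return lambda p: any(ipaddress.IPv4Address(p[k]) in n for k in ("ip_src", "ip_dst"))
def port(n):        return lambda p: n in (p.get("sport"), p.get("dport"))
def ether_host(m):  return lambda p: m in (p["eth_src"], p["eth_dst"])
def proto(name):    return lambda p: p["proto"] == PROTO[name]
broadcast = lambda p: p["eth_dst"] == "ff:ff:ff:ff:ff:ff"      # "broadcast" = Ethernet broadcast
# Logical operators for combining primitives (&&, ||, !)
def AND(*fs): return lambda p: all(f(p) for f in fs)
def OR(*fs):  return lambda p: any(f(p) for f in fs)
def NOT(f):   return lambda p: not f(p)

def apply_filter(flt, frames):
    """Indexes of the frames the capture filter would keep."""
    return [i for i, f in enumerate(frames) if flt(parse(f))]

# Constructed sample capture using the report's addresses (nothing was captured)
PC, OTHER = "a4:70:d6:3c:d8:bf", "4c:0f:53:d3:54:cd"
FRAMES = [
    build_frame(PC, OTHER, "192.168.1.8", "192.168.1.12", "icmp"),                        # 0 ping
    build_frame(OTHER, PC, "192.168.1.12", "192.168.1.8", "udp", 53, 51000),              # 1 DNS reply
    build_frame(PC, "ff:ff:ff:ff:ff:ff", "192.168.1.8", "192.168.1.255", "udp", 68, 67),  # 2 broadcast
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.5", "8.8.8.8", "udp", 40000, 53),
]
```

For instance, apply_filter(AND(host("192.168.1.8"), host("192.168.1.12"), proto("icmp")), FRAMES) keeps only frame 0, and apply_filter(AND(NOT(broadcast), net("192.168.1.0/24")), FRAMES) keeps frames 0 and 1, matching the two complex filters discussed above.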
Using port numbers in capture filters (1 mark)