This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Really need help


I am just trying to learn Wireshark and have an assignment that I hope someone can point me in the right direction on. I am supposed to analyze network traffic from google.ca.

Q#1 is the query and response to determine the IP address of google.ca --- done.
Q2 is the three stages of the three-way handshake --- done.
Q3 is the first HTTP packet sent to google.ca after the handshake. Don't know what to look for here?

Q4 is how many TCP packets were reassembled to display the google.ca page? --- I have no idea what to look for??
Q5 is what transport layer was used to determine the IP address of google.ca. --- I think it is DNS but not sure?
Q5 is what transport layer is being used in sending HTML and associated files from google.ca. --- I have no idea?

I just don't know what to look for in Wireshark, there are so many lines in the capture from google.... I hope someone can point me in the right direction.

Thanks.

Rog

asked 07 Oct '12, 06:39

Rog3221


2 Answers:


Rog,

I've got some YouTube vids and ppts going over some of this: http://thetechfirm.com/networking/networking.htm and http://thetechfirm.com/wireshark/wireshark.html

hope that helps

answered 07 Oct '12, 07:33

thetechfirm

Thank you very much, I will check them out.

Rog

(07 Oct '12, 07:35) Rog3221


Let's see what we can help you with here - this is a refreshing case of someone not asking for all answers without looking by himself first, so I'll be happy to help.

Q3 - Usually the client wants something from the server. For that you need to establish a connection first, so that was what you answered in Q2. Next thing to look for is the actual request sent by the client. If you investigate how HTTP works you'll find that it uses GET/POST and some minor important request types, so you should look for those right after the handshake is complete. It will tell you the URL that is requested, too.

Q4 - Wireshark uses packet reassembly to find all packets that are part of a response, because in most cases the server response (in your case a web page) will not fit into the 1460 bytes a single TCP/IPv4 packet can hold. Once again, if you research how HTTP works you'll see it will use return codes to tell you if the request was answered successfully (Code 2xx/3xx) or not (4xx/5xx). So look into all packets coming from the server after the client has requested the content, and you'll find the return code at some point. Look into the packet and you'll see a section in square brackets where Wireshark will tell you what packets are part of the reassembled answer. BTW this only works in the default configuration, because if someone turns off TCP Stream Reassembly it won't do that.

Q5 - DNS is correct, yes - DNS resolves fully qualified domain names (FQDNs) to IP addresses, and google.ca was the FQDN in your case.

Q6 (I guess, because you said Q5 twice) - HTML is transported via HTTP, but that is an application protocol, not a transport protocol. If you find a packet containing HTTP and look at layer 4 (which, if you look at the OSI model, is the transport layer) - there should be Ethernet (Layer 2), IP (Layer 3) and... your answer in Layer 4.

So, good luck in your quest for answers, and let us know if there's anything unclear you need help with.

answered 07 Oct '12, 09:27

Jasper ♦♦

Ah, I think it's starting to make sense. That's a much better description than the classroom lesson I was given. Thank you very much

(07 Oct '12, 14:09) Rog3221
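Jasper's Q4 point, that Wireshark stitches the server's TCP segments back together by sequence number before it can show you the HTTP status code and the page, as an added example that is not part of the original thread and not Wireshark's code: a small Python reassembler over a constructed capture. The response bytes, sequence numbers and the 40-byte MSS are all made up for the demo; it also shows the two things an analyst has to watch for when counting "reassembled" segments, an out-of-order segment and a retransmitted one.

```python
# Added example, not from the thread: a minimal TCP segment reassembler that
# reproduces what Wireshark's "[Reassembled TCP Segments]" section reports for Q4.
# All segments below are constructed; sequence numbers and the page are made up.
import re

BODY = b"<html><body><h1>google.ca demo page</h1></body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY

def split_into_segments(data, mss, isn):
    """Chop a byte stream into (seq, payload) segments of at most mss bytes.
    A real Ethernet/IPv4 path gives an MSS of 1460; 40 keeps the demo small."""
    return [(isn + off, data[off:off + mss]) for off in range(0, len(data), mss)]

def reassemble(segments):
    """Order segments by seq, drop exact retransmissions, fail on a gap.
    Returns (byte stream, number of distinct segments used)."""
    ordered = sorted(segments, key=lambda s: s[0])
    expected = ordered[0][0]
    stream, used = b"", 0
    for seq, payload in ordered:
        if seq + len(payload) <= expected:
            continue                      # retransmitted segment, already have it
        if seq != expected:
            raise ValueError(f"gap before seq {seq}: expected {expected}")
        stream += payload
        expected += len(payload)
        used += 1
    return stream, used

def parse_http_response(stream):
    """Return (status code, declared Content-Length, actual body length)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    status = int(head.split(b" ")[1])
    match = re.search(rb"Content-Length:\s*(\d+)", head)
    declared = int(match.group(1)) if match else None
    return status, declared, len(body)

def analyse(segments):
    """What an analyst reads off the reassembled response: segment count,
    HTTP status, and whether the whole body arrived."""
    stream, used = reassemble(segments)
    status, declared, actual = parse_http_response(stream)
    return {"segments": used, "status": status, "complete": declared == actual}

# Constructed capture: segments arrive out of order and the first is retransmitted.
SEGMENTS = split_into_segments(RESPONSE, mss=40, isn=1000)
SEGMENTS = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[1], SEGMENTS[0]]

if __name__ == "__main__":
    print(analyse(SEGMENTS))   # {'segments': 3, 'status': 200, 'complete': True}
```

The retransmitted copy is not counted, which matches Wireshark's list of distinct frames in the reassembled PDU; a missing segment raises instead of silently producing a truncated page.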