BASV/CYBV 326: Introductory Methods of Network Analysis
Wireshark labs
CYBV/BASV 326 provides students a methodology for analyzing networks by examining the network at its infrastructure, network and application layers; exploring how they transfer data; investigating how network protocols work to enable communication; and probing and analyzing how the lower-level network layers support the upper ones.
Wireshark download
In order to run Wireshark, you will need to have access to a computer that supports both Wireshark and a packet capture library: libpcap on Linux/Unix/macOS, or WinPcap (now superseded by Npcap) on Windows. If the capture library is not already installed on your operating system, the Wireshark installer will install it for you. See
http://www.wireshark.org/download.html for a list of supported operating systems and download sites.
Information and Terms
- Packet Sniffer – basic tool for observing the messages exchanged between executing protocol entities. The sniffer receives a copy of every packet sent or received by the applications and protocols executing on your machine; on a switched or wireless network it only sees other hosts' traffic if the interface is put into promiscuous (or, for Wi-Fi, monitor) mode and the network actually delivers that traffic to it.
- Packet Analyzer – displays the contents of all fields within a protocol message
- HyperText Transfer Protocol (HTTP) – the Web's application-layer protocol.
- Domain Name System (DNS) – a distributed database, implemented in a hierarchy of name servers, that translates hostnames to IP addresses.
- Transmission Control Protocol (TCP) – the Internet's connection-oriented, reliable transport-layer protocol.
- User Datagram Protocol (UDP) – a connectionless, unreliable transport-layer protocol. Typically used for DNS, SNMP, Internet telephony and streaming media.
- Internet Protocol (IP) – the principal communications protocol in the Internet protocol suite for relaying packets across network boundaries.
- Internet Control Message Protocol (ICMP) – a supporting protocol for IP that network devices use to send error messages and operational information (for example Echo Request/Reply, Destination Unreachable and Time Exceeded).
- Traceroute – a diagnostic tool for displaying the route and measuring transit delays of packets across an IP network
- Ping – software utility used to test the reachability of a host on an IP network; it sends ICMP Echo Request messages and waits for the matching Echo Replies.
- Windows Tracert – the tracert program (used for our ICMP Wireshark lab) provided with Windows sends ICMP echo request (ping) messages with increasing TTL values but does not allow one to change their size. A nicer Windows traceroute program is pingplotter, available in both free and shareware versions at http://www.pingplotter.com. Download and install pingplotter, and test it out by performing a few traceroutes to your favorite sites. The size of the ICMP echo request message can be explicitly set in pingplotter by selecting the menu item Edit -> Options -> Packet Options and then filling in the Packet Size field. The default packet size is 56 bytes. Once pingplotter has sent a series of packets with increasing TTL values, it waits for the Trace Interval amount of time and then restarts the sending process with a TTL of 1. The value of Trace Interval and the number of intervals can be explicitly set in pingplotter.
- Linux/Unix/MacOS – the Unix/MacOS traceroute command sends UDP datagrams (to high-numbered destination ports) rather than ICMP echo requests; the size of the datagram sent towards the destination can be explicitly set by giving the number of bytes in the datagram on the traceroute command line immediately after the name or address of the destination, i.e. traceroute <destination> <length in bytes>. Intermediate routers still answer with ICMP Time Exceeded messages, and the destination answers the final probe with ICMP Destination Unreachable (port unreachable).
- Address Resolution Protocol (ARP) – protocol used on a local network to resolve IP addresses to MAC (link-layer) addresses.
- Network Mapper (Nmap) – open source utility for network discovery and security auditing
- 802.11 – the IEEE family of standards for wireless LANs (Wi-Fi), covering the link-layer frame format (data, control and management frames) and the physical layer.
- Beacon Frames – used by an 802.11 AP to advertise its existence
- Secure Sockets Layer (SSL) – the original security protocol for establishing encrypted links between a web server and a browser; all SSL versions are now deprecated.
- Transport Layer Security (TLS) – successor to SSL providing the same services (authentication, confidentiality and integrity above TCP); it is what current browsers and servers actually negotiate for HTTPS.
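The ping and traceroute entries above describe the mechanism in words; the following script, added to these notes (it is not code from the course page or from Wireshark), builds and decodes the IPv4/ICMP messages that ping and tracert/pingplotter exchange and then runs an ICMP-based traceroute entirely offline, so the TTL countdown, the Time Exceeded quoting and the 56-byte default payload can be followed field by field the way a packet analyzer shows them. The addresses, the router list and the ICMP identifier 0xBEEF are made up for the example; the Unix traceroute variant with UDP probes is not modelled.

```python
# Added example for these notes, not code from the course page or from Wireshark.
# It builds and decodes the IPv4/ICMP messages that ping and traceroute use and
# runs a traceroute offline so the TTL mechanism can be followed field by field.
# The addresses, router list and ICMP identifier 0xBEEF are made up.
import struct

PROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum, shared by the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options), protocol ICMP, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, PROTO_ICMP, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(ident: int, seq: int, size: int = 56,
                    itype: int = ICMP_ECHO_REQUEST) -> bytes:
    """Echo request/reply with a `size`-byte data field (56 is the usual default)."""
    data = bytes(i & 0xFF for i in range(size))
    msg = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def build_icmp_time_exceeded(original: bytes) -> bytes:
    """Type 11, code 0 (TTL exceeded in transit). The router quotes the
    offending datagram's IP header plus the first 8 bytes of its payload."""
    msg = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + original[:28]
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields an analyzer displays."""
    vihl, _tos, tlen, _id, _frag, ttl, proto, _chk, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"version": vihl >> 4, "ihl": ihl, "total_length": tlen, "ttl": ttl,
            "protocol": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)),
            "checksum_ok": checksum(pkt[:ihl]) == 0,  # a valid header sums to 0
            "payload": pkt[ihl:tlen]}


def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message; for Time Exceeded also pull out the quoted probe."""
    itype, code, _chk = struct.unpack("!BBH", msg[:4])
    out = {"type": itype, "code": code, "checksum_ok": checksum(msg) == 0}
    if itype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data_len"] = len(msg) - 8
    elif itype == ICMP_TIME_EXCEEDED:
        inner = parse_ipv4(msg[8:])              # the quoted original datagram
        out["quoted_dst"] = inner["dst"]
        _t, _c, _k, out["quoted_id"], out["quoted_seq"] = \
            struct.unpack("!BBHHH", inner["payload"][:8])
    return out


def simulate_traceroute(src: str, routers: list, dst: str,
                        max_hops: int = 30, size: int = 56) -> list:
    """Offline model of ICMP-based traceroute (what tracert/pingplotter do).
    Probes leave with TTL 1, 2, 3, ...; each router decrements TTL and the one
    that takes it to 0 answers Time Exceeded; the destination answers Echo
    Reply, which ends the run. Returns (ttl, replier, icmp_type) tuples."""
    hops = []
    for ttl in range(1, max_hops + 1):
        probe = build_ipv4(src, dst, ttl, build_icmp_echo(0xBEEF, ttl, size))
        reply, remaining = None, ttl
        for router in routers:
            remaining -= 1
            if remaining == 0:
                reply = build_ipv4(router, src, 64, build_icmp_time_exceeded(probe))
                break
        if reply is None:                        # probe survived to the destination
            reply = build_ipv4(dst, src, 64,
                               build_icmp_echo(0xBEEF, ttl, size, ICMP_ECHO_REPLY))
        ip = parse_ipv4(reply)
        icmp = parse_icmp(ip["payload"])
        if icmp["type"] == ICMP_TIME_EXCEEDED:   # match reply to probe by quoted id/seq
            assert (icmp["quoted_id"], icmp["quoted_seq"]) == (0xBEEF, ttl)
        hops.append((ttl, ip["src"], icmp["type"]))
        if icmp["type"] == ICMP_ECHO_REPLY:
            break
    return hops
```

Calling simulate_traceroute("192.0.2.10", ["192.0.2.1", "198.51.100.1", "203.0.113.1"], "203.0.113.50") yields one tuple per hop: the three routers each answer with ICMP type 11 at TTL 1, 2 and 3, and the destination answers with type 0 at TTL 4. Each probe built here is 84 bytes on the wire (20-byte IP header, 8-byte ICMP header, 56 bytes of data), which is the length Wireshark reports for a default-size ping; change size to see the Total Length field move with it. The quoted id/seq check is the same correlation a real traceroute performs, and it is why the Time Exceeded message carries the first 8 bytes of the original datagram.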