IT ABDULL92    Homework #3    Name ___________________________
Note: To install Wireshark, make sure that you have administrator rights (administrative privileges) on the machine.
· A few important notes:
· The logical operator "and" can be replaced by &&, and the logical operator "or" can be replaced by ||.
· <protocol> port <xx>: capture-filter syntax that selects one protocol and port.
· Example (filter for telnet): tcp port 23 as a capture filter, or tcp.port == 23 as a display filter.
· host <ip address>: capture-filter syntax that selects one host.
· Example: host 10.10.10.1 as a capture filter, or ip.addr == 10.10.10.1 as a display filter.
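To see what the display-filter operators in these notes actually match, here is a small evaluator for a subset of the display-filter syntax. It is an added example written for this homework, not Wireshark's own code, and the "frames" it filters are constructed dicts rather than packets read from a capture. It shows the one detail that trips people up: ip.addr, tcp.port, udp.port and eth.addr are combined fields, so ip.addr == X matches a packet whose source OR destination is X, and !(ip.addr == X) removes every packet that involves X in either direction. Capture-filter syntax such as tcp port 23 is deliberately rejected, because the display-filter bar would reject it too.

```python
"""Evaluate a subset of Wireshark display-filter syntax against packets.
Added example for this homework, not Wireshark code. Supported: bare protocol
names (tcp, http, ...), == / eq, != (Wireshark 3.6+ meaning: no instance of
the field equals the value), and/&&, or/||, !/not, parentheses. Quoted values
with spaces (frame.time) are not. Packets are constructed dicts, not frames
read from a capture file."""
import re

# Combined fields: ip.addr, tcp.port, udp.port and eth.addr match when EITHER
# the source or the destination field carries the value.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport"),
            "udp.port": ("udp.srcport", "udp.dstport"),
            "eth.addr": ("eth.src", "eth.dst")}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||==|!=|!|[^\s()!=&|]+")


def tokenize(expr):
    return TOKEN_RE.findall(expr)


class Parser:
    """Recursive descent; precedence from loosest to tightest: or, and, not."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:   # leftover tokens, e.g. "tcp port 23"
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if self.peek() in ("==", "eq", "!="):
            op = self.take()
            node = ("eq", tok, self.take())
            return ("not", node) if op == "!=" else node
        return ("proto", tok)  # bare protocol name such as http or icmp


def evaluate(node, pkt):
    kind = node[0]
    if kind == "proto":
        return node[1] in pkt["protocols"]
    if kind == "eq":  # a combined field matches if ANY of its instances matches
        names = COMBINED.get(node[1], (node[1],))
        return any(str(pkt[n]) == node[2] for n in names if n in pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if kind == "and" else (left or right)


def apply_filter(expr, packets):
    """Return the frame numbers a display filter would leave visible."""
    tree = Parser(tokenize(expr)).parse()
    return [p["no"] for p in packets if evaluate(tree, p)]


PACKETS = [  # constructed sample frames, not taken from any real capture
    {"no": 1, "protocols": {"eth", "ip", "tcp"}, "ip.src": "10.10.10.1",
     "ip.dst": "10.10.10.2", "tcp.srcport": 51000, "tcp.dstport": 23},
    {"no": 2, "protocols": {"eth", "ip", "tcp"}, "ip.src": "10.10.10.2",
     "ip.dst": "10.10.10.1", "tcp.srcport": 23, "tcp.dstport": 51000},
    {"no": 3, "protocols": {"eth", "ip", "tcp", "http"}, "ip.src": "10.10.10.5",
     "ip.dst": "93.184.216.34", "tcp.srcport": 52000, "tcp.dstport": 80},
    {"no": 4, "protocols": {"eth", "ip", "udp"}, "ip.src": "10.10.10.5",
     "ip.dst": "239.255.255.250", "udp.srcport": 1900, "udp.dstport": 1900},
    {"no": 5, "protocols": {"eth", "ip", "icmp"}, "ip.src": "10.10.10.1",
     "ip.dst": "10.10.10.5"},
]

if __name__ == "__main__":
    for expr in ("tcp.port == 23", "!(ip.addr == 10.10.10.1)", "icmp || http"):
        print(f"{expr:26} -> frames {apply_filter(expr, PACKETS)}")
```

Running it prints which of the five constructed frames each filter keeps; try the filters from question 1 (with these sample frames, not the real capture) to check your reading of them.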
0. Read the following Wireshark web sites and study the display filter expressions:
a. http://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
b. http://wiki.wireshark.org/DisplayFilters
c. If you want to learn more, search the web for "wireshark display filter expression".
1. Briefly describe the following Wireshark display filters: [30 points]
Example:
· tcp.port == 6669 and ip.src == 69.60.116.245
· Answer: Display all the packets which were sent from 69.60.116.245 (i.e., the source ip address is 69.60.116.245) and use 6669 as a port #.
a. (ip.src == 24.6.125.19) && (ip.dst == 216.49.88.118) && (http)
Answer: Show only traffic in the LAN (24.6.125.19), between workstations and servers, no internet.
b. (ip.src != 10.13.45.48 && ip.dst != 10.12.76.69) && (tcp.dstport== 25)
Answer:
c. (tcp.port == 25) and (ip.dst == 192.168.0.1)
Answer:
d. tcp and tcp.dstport == 8080 && frame.time >= "Feb 19, 2012 14:30:29" && frame.time <= "Feb 19, 2012 15:30:29" and ip.src == 192.168.1.1
Answer:
e. !(ip.addr == 192.168.0.10)
Answer:
f. (ip.src eq 10.1.42.1 and ip.dst eq 239.255.255.250) and udp.port eq 1900
Answer:
g. http
Answer:
h. icmp
Answer:
i. eth.addr == 00:01:02:68:59:ea
Answer: Show only packets for the MAC address 00:01:02:68:59:ea (this answer is given for you ^.^).
j. tcp.flags.syn == 1
Answer:
k. http.request.uri == "http://www.csusb.edu"
Answer:
· Using Wireshark, download and open the file "google-bookfinder.pcap".
· The google-bookfinder.pcap file captures the packets for the following scenario:
A host with IP address 192.168.1.87 makes the first connection to a Google web site whose IP address is 74.125.227.20. Then, the same host makes the second connection to bookfinder.com whose IP address is 75.101.131.23.
· Capture the frames/packets/segments associated with the TCP 3-way handshake for the second connection.
· To do:
· Complete the TCP 3-Way Handshake Protocol Chart for the second connection.
· Fill in the blanks below for the three segments associated with the 3-way handshake.
Part A) Answer the following questions [maximum 20 points; -1 point for each wrong answer ]:
First TCP segment:
  Source port: _59188___  Destination port: ____  Sequence Number: ____  ACK Number: ____
  Which flags were set (check all that apply): ____ Acknowledgment  ____ Push  ____ Syn  ____ Fin
Second TCP segment:
  Source port: ____  Destination port: ____  Sequence Number: ____  ACK Number: ____
  Which flags were set (check all that apply): ____ Acknowledgment  ____ Push  ____ Syn  ____ Fin
Third TCP segment:
  Source port: ____  Destination port: ____  Sequence Number: ____  ACK Number: ____
  Which flags were set (check all that apply): ____ Acknowledgment  ____ Push  ____ Syn  ____ Fin

TCP 3-Way Handshake Protocol Chart
CLIENT                                                                  SERVER
Segment 1 (client -> server)
  IP:  Source Address: ____  Destination Address: ____  Protocol: ____
  TCP: Source Port: ____  Destination Port: ____  Sequence Number: ____  Flags set (1): ____  Window Size: ____
Segment 2 (server -> client)
  IP:  Source Address: ____  Destination Address: ____  Protocol: ____
  TCP: Source Port: ____  Destination Port: ____  Sequence Number: ____  Acknowledgement Number: ____  Flags set (1): ____  Window Size: ____
Segment 3 (client -> server)
  IP:  Source Address: ____  Destination Address: ____  Protocol: ____
  TCP: Source Port: ____  Destination Port: ____  Sequence Number: ____  Acknowledgement Number: ____  Flags set (1): ____  Window Size: ____
Part B) [TCP Connection Termination] Find out when the connection between 192.168.1.87 and 75.101.131.23 is first terminated (that is, find the first TCP packet with the FIN flag set) and fill in the following blanks: [max 15 points; -1 for each wrong answer]
First TCP FIN segment:
  Source port: ____  Destination port: ____  Sequence Number: ____  ACK Number: ____
  Which flags were set (check all that apply): ____ Acknowledgment  ____ Push  ____ Syn  ____ Fin
Second TCP ACK segment:
  Source port: ____  Destination port: ____  Sequence Number: ____  ACK Number: ____
  Which flags were set (check all that apply): ____ Acknowledgment  ____ Push  ____ Syn  ____ Fin
Third TCP FIN segment:
  Source port: ____  Destination port: ____  Sequence Number: ____  ACK Number: ____
  Which flags were set (check all that apply): ____ Acknowledgment  ____ Push  ____ Syn  ____ Fin
Fourth TCP ACK segment:
  Source port: ____  Destination port: ____  Sequence Number: ____  ACK Number: ____
  Which flags were set (check all that apply): ____ Acknowledgment  ____ Push  ____ Syn  ____ Fin
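The fields asked for in Part A and Part B (ports, sequence number, ACK number, flags) are all in the 20-byte TCP header, and the handshake and the FIN/ACK close can be recognised from the flags together with a little seq/ack arithmetic. The script below is an added example written for this homework; it is not taken from google-bookfinder.pcap, and the addresses, ports and sequence numbers (192.0.2.10:40000 to 198.51.100.5:80, ISNs 1000 and 5000) are constructed. It packs raw IPv4+TCP headers with struct, parses them back, then locates the 3-way handshake and the four-segment teardown the way you would by eye in Wireshark, and also converts to the relative sequence numbers Wireshark displays by default.

```python
"""Dissect the TCP header fields the handshake and teardown forms ask for.
Added example for this homework; not derived from google-bookfinder.pcap.
The segments are constructed in code with made-up addresses, ports and
sequence numbers: raw IPv4+TCP headers are packed with struct, parsed back,
and the 3-way handshake and the FIN/ACK close are located by flags and by
the seq/ack arithmetic Wireshark users check by eye."""
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10      # TCP flag bits
FLAG_NAMES = ((ACK, "ACK"), (PSH, "PSH"), (SYN, "SYN"), (FIN, "FIN"))


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """20-byte IPv4 header + 20-byte TCP header, no payload, checksums zero.
    Good enough for dissection practice, not for sending on a wire."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_segment(raw):
    """Pull out the fields the forms ask for (plus addresses and window)."""
    ihl = (raw[0] & 0x0F) * 4                    # IPv4 header length in bytes
    sport, dport, seq, ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", raw[ihl:ihl + 16])
    return {"ip.src": ".".join(map(str, raw[12:16])),
            "ip.dst": ".".join(map(str, raw[16:20])),
            "srcport": sport, "dstport": dport, "seq": seq, "ack": ack,
            "window": window,
            "flags": {name for bit, name in FLAG_NAMES if flags & bit}}


def find_handshake(segments):
    """First completed 3-way handshake as (SYN, SYN/ACK, ACK), else None.
    The SYN/ACK must acknowledge client ISN + 1; the final ACK must carry
    seq = client ISN + 1 and acknowledge server ISN + 1."""
    for i, syn in enumerate(segments):
        if syn["flags"] != {"SYN"}:
            continue
        later = segments[i + 1:]
        syn_ack = next((s for s in later if s["flags"] == {"SYN", "ACK"}
                        and s["dstport"] == syn["srcport"]
                        and s["ack"] == syn["seq"] + 1), None)
        if syn_ack is None:
            continue
        for s in later:
            if ("ACK" in s["flags"] and "SYN" not in s["flags"]
                    and s["srcport"] == syn["srcport"]
                    and s["seq"] == syn["seq"] + 1
                    and s["ack"] == syn_ack["seq"] + 1):
                return syn, syn_ack, s
    return None


def find_teardown(segments):
    """First FIN, the ACK for it, the other side's FIN, and the final ACK."""
    fins = [s for s in segments if "FIN" in s["flags"]][:2]
    if len(fins) < 2:
        return None

    def ack_for(fin):  # non-FIN segment from the peer acknowledging fin.seq + 1
        return next(s for s in segments if s["srcport"] == fin["dstport"]
                    and "FIN" not in s["flags"] and s["ack"] == fin["seq"] + 1)
    return fins[0], ack_for(fins[0]), fins[1], ack_for(fins[1])


def relative(seg, handshake):
    """Wireshark's default 'relative sequence numbers': each side's ISN is 0."""
    syn, syn_ack, _ = handshake
    isn = {syn["srcport"]: syn["seq"], syn_ack["srcport"]: syn_ack["seq"]}
    rel_seq = seg["seq"] - isn[seg["srcport"]]
    rel_ack = seg["ack"] - isn[seg["dstport"]] if "ACK" in seg["flags"] else None
    return rel_seq, rel_ack


# Constructed flow (RFC 5737 documentation addresses), not from any capture.
# Data segments carry no payload here; their seq/ack values advance as if the
# request were 100 bytes and the response 300 bytes.
C, S, CP, SP = "192.0.2.10", "198.51.100.5", 40000, 80
FLOW = [
    (C, S, CP, SP, 1000, 0, SYN),              # 1 client SYN, client ISN 1000
    (S, C, SP, CP, 5000, 1001, SYN | ACK),     # 2 server SYN/ACK, server ISN 5000
    (C, S, CP, SP, 1001, 5001, ACK),           # 3 client ACK: handshake complete
    (C, S, CP, SP, 1001, 5001, PSH | ACK),     # 4 request (100 bytes)
    (S, C, SP, CP, 5001, 1101, PSH | ACK),     # 5 response (300 bytes)
    (C, S, CP, SP, 1101, 5301, FIN | ACK),     # 6 first FIN (client closes)
    (S, C, SP, CP, 5301, 1102, ACK),           # 7 server ACKs the FIN
    (S, C, SP, CP, 5301, 1102, FIN | ACK),     # 8 server's own FIN
    (C, S, CP, SP, 1102, 5302, ACK),           # 9 final ACK
]
SEGMENTS = [parse_segment(build_segment(*f)) for f in FLOW]

if __name__ == "__main__":
    hs = find_handshake(SEGMENTS)
    for seg in list(hs) + list(find_teardown(SEGMENTS)):
        print(sorted(seg["flags"]), seg["srcport"], "->", seg["dstport"],
              "relative seq/ack:", relative(seg, hs))
```

Note that the teardown here is the textbook four segments; in a real capture the server's FIN is often piggybacked on the ACK of the client's FIN, so you may see three segments rather than four.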
Part C) [Let's study the HTTP protocol! 10 points]
Examine packet #62 (the time stamp for this packet is 2010-08-18 00:26:42.242642). Expand the Hypertext Transfer Protocol section by clicking "+". What do you see in the HTTP protocol header? List the fields in the HTTP protocol header (it starts with "Accept:", Accept-Language, etc.).
a. Explain the major difference between a hub and a switch. [5 points]
The major difference is that hubs are Layer 1 devices: a hub does NOT examine Layer 2 (Data Link Layer) or above information, floods frames out all ports except for the port the frame came in on, and regenerates the signal, similar to a repeater. On the other hand, a switch is a Layer 2 device: it examines Layer 2 (Data Link Layer) information to learn and to forward, and for every frame that enters the switch it learns and forwards.
b. Explain how a switch learns MAC addresses and where a switch stores the address. [10 points]
By examining the Ethernet source MAC address of the frame.
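The two behaviours described above (a hub flooding everything, a switch learning from the source MAC and forwarding by the destination MAC) are easy to see in a simulation. The following is an added example written for this homework, not code from any textbook or vendor; the MAC addresses are from the IANA documentation range (00:00:5e:00:53:xx) and the frames are constructed. It models the MAC address table (CAM table), the flood-when-unknown rule, the filter-when-on-same-port rule, and what happens when a station moves to another port.

```python
"""Hub versus switch, simulated. Added example for this homework, not from any
textbook or vendor code. A hub repeats every frame out of every port except the
one it arrived on. A switch first LEARNS: it stores the frame's source MAC and
the ingress port in its MAC address table (the CAM table). Then it FORWARDS:
known destination -> that one port; unknown or broadcast -> flood like a hub;
destination learned on the ingress port itself -> drop (filter)."""
BROADCAST = "ff:ff:ff:ff:ff:ff"


def hub_forward(ingress_port, ports):
    """Layer 1 repeater behaviour: no address lookup, everything is flooded."""
    return sorted(p for p in ports if p != ingress_port)


class Switch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}          # MAC address -> port (no ageing modelled)

    def receive(self, ingress_port, src_mac, dst_mac):
        """Return the list of egress ports for one frame, learning as we go."""
        self.mac_table[src_mac] = ingress_port            # learn from SOURCE
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return hub_forward(ingress_port, self.ports)  # unknown: flood
        out = self.mac_table[dst_mac]
        return [] if out == ingress_port else [out]       # filter or forward


def demo():
    """Constructed frames (IANA documentation MACs): A on port 1 and B on
    port 2 exchange frames, C on port 3 broadcasts, then A moves to port 4.
    Returns (egress ports per frame, final MAC table)."""
    a, b, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    sw = Switch([1, 2, 3, 4])
    frames = [(1, a, b),          # B unknown yet -> flooded, A learned on 1
              (2, b, a),          # A known -> port 1 only, B learned on 2
              (1, a, b),          # both known -> port 2 only
              (3, c, BROADCAST),  # broadcast -> every port but 3
              (4, a, b)]          # A reappears on port 4 -> table updated
    egress = [sw.receive(*frame) for frame in frames]
    return egress, dict(sw.mac_table)


if __name__ == "__main__":
    egress, table = demo()
    for ports, entry in zip(egress, table.items()):
        print("egress", ports, "   table entry", entry)
```

Compare the first line of output with hub_forward(1, [1, 2, 3, 4]): for the very first frame a switch behaves exactly like a hub, and it is the learning step that makes every later frame different.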
Problem 4. Explain how an ARP table is constructed. Please review the video on ARP. [10 points]
Problem 5. Explain why DNS zones and delegations are important concepts to learn in order to properly implement a DNS domain. Please watch the 3 video tutorials posted. [10 points]