Protocol Analysis Using a Network Traffic Analyzer

Course: Search, Transfer and Protection of Information (Practice)
Author: Andrei Biziuk
Published: June 26, 2025

1. Objective of the Work

To acquire practical skills in capturing, filtering, and analyzing network traffic using a packet analyzer. To study the structure and operation of key network protocols (ARP, ICMP, DNS, TCP, HTTP) by examining real-world packet captures and to identify the flow of information in a client-server interaction.

2. Learning Outcomes

Upon successful completion of this laboratory work, the student will be able to:

  • Capture live network traffic from a computer’s network interface.
  • Understand the three-pane layout (Packet List, Packet Details, Packet Bytes) of a typical traffic analyzer like Wireshark.
  • Apply capture and display filters to isolate specific types of traffic.
  • Analyze the structure of Ethernet frames and IP packets, identifying key header fields (MAC addresses, IP addresses, TTL, etc.).
  • Deconstruct the ARP resolution process (request and reply).
  • Analyze the TCP three-way handshake (SYN, SYN-ACK, ACK) and connection termination.
  • Trace a complete HTTP GET request/response interaction and extract payload data.
  • Examine the DNS query and response mechanism for name resolution.
  • Appreciate the security implications of unencrypted protocols by viewing data in clear text.

3. Theoretical Background

Network traffic analyzers, also known as packet sniffers, are tools that intercept and log traffic passing over a digital network. They operate by placing the network interface card (NIC) into promiscuous mode, which allows it to capture all packets on the network segment, not just those addressed to it.

3.1. The OSI and TCP/IP Models

Network communication is layered. We will primarily focus on layers of the TCP/IP model:

  • Layer 2 (Data Link): Encapsulates packets in frames. Governed by protocols like Ethernet, which uses MAC addresses for local delivery.
  • Layer 3 (Network): Encapsulates data in packets. Governed by the Internet Protocol (IP), which uses IP addresses for logical, end-to-end delivery across networks.
  • Layer 4 (Transport): Manages communication between processes. Key protocols are:
    • TCP (Transmission Control Protocol): Connection-oriented, reliable, and ordered delivery (e.g., for web browsing, file transfer).
    • UDP (User Datagram Protocol): Connectionless, “best-effort” delivery (e.g., for DNS, online gaming, streaming).
  • Layer 7 (Application): Defines the rules for specific applications. Examples include HTTP (web), DNS (name resolution), FTP (file transfer), and SMTP (email).

3.2. Wireshark

Wireshark is the world’s foremost and widely-used network protocol analyzer. Its interface typically consists of three panes:

  1. Packet List Pane: A summary of each captured packet (number, timestamp, source/destination, protocol, info).
  2. Packet Details Pane: A detailed, expandable view of the selected packet, broken down by protocol layer (Frame, Ethernet, IP, TCP, etc.). This is where most analysis occurs.
  3. Packet Bytes Pane: The raw data of the selected packet, displayed in hexadecimal and ASCII.

4. Required Equipment and Software

  • Hardware: A personal computer with a network connection (Wi-Fi or Ethernet).
  • Software:
    • Wireshark: The latest stable version, downloadable from wireshark.org. During installation, ensure the packet capture driver (Npcap on Windows) is also installed.
    • A modern web browser (e.g., Chrome, Firefox).
    • A command-line interface (Command Prompt or PowerShell on Windows, Terminal on macOS/Linux).

5. Laboratory Tasks and Procedure

Important Pre-Lab Step: Close all unnecessary applications, especially those that use the network (email clients, cloud sync services, music streaming), to minimize background “noise” in your capture.

Part 1: Capture and Initial Exploration

  1. Start a Capture:
  • Launch Wireshark. You will see a list of available network interfaces.
  • Identify the active interface (the one with a sparkline showing traffic). This will likely be “Wi-Fi” or “Ethernet”.
  • Double-click the interface name to start capturing packets. You should see the Packet List pane populate immediately.
  2. Generate ICMP Traffic (Ping):
  • Open your command-line interface.
  • Ping a well-known server by typing ping 8.8.8.8 and pressing Enter. Let it run for 4-5 pings (Windows stops after four by default; on Linux/macOS stop it with Ctrl+C).
  • Go back to Wireshark and stop the capture by clicking the red square “Stop” button.
  3. Basic Filtering and Inspection:
  • In the “Apply a display filter” bar at the top of Wireshark, type icmp and press Enter. The list will now only show the ICMP packets from your ping command.
  • Select the first “Echo (ping) request” packet.
  • In the Packet Details pane, expand the “Internet Protocol Version 4” and “Internet Control Message Protocol” sections.
  • Record the following in your report:
    • Source IP Address (this should be your computer’s IP).
    • Destination IP Address (should be 8.8.8.8).
    • Time to Live (TTL) value.
    • The ICMP “Type” and “Code” for a request.
  • Now select the corresponding “Echo (ping) reply” packet and record the same information. Note how the source and destination IPs are reversed. Note the Type and Code for a reply.
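As an added example (not part of the original lab), the following Python script builds a constructed ICMP echo request and its reply and decodes them layer by layer, the way the Packet Details pane does: Ethernet, then IPv4, then ICMP. It extracts the same fields the report asks for (MAC addresses, IP addresses, TTL, ICMP Type and Code), verifies the IPv4 and ICMP checksums, and shows the reversed addresses in the reply. All MAC addresses, the host IP and the reply TTL are made-up sample values; only 8.8.8.8 comes from the lab text.

```python
import socket
import struct

# Constructed sample values for this example (not from a real capture).
HOST_MAC, HOST_IP = "aa:bb:cc:dd:ee:01", "192.168.1.10"
GW_MAC = "aa:bb:cc:dd:ee:fe"      # on a LAN the frame to 8.8.8.8 is addressed to the router's MAC
TARGET_IP = "8.8.8.8"
ICMP_NAMES = {8: "Echo (ping) request", 0: "Echo (ping) reply"}

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def inet_checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers.
    Over a header whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(src_mac, dst_mac, src_ip, dst_ip, ttl, icmp_type, ident=1, seq=1, payload=b"abcdefgh"):
    """Ethernet II / IPv4 / ICMP frame; icmp_type 8 is an Echo request, 0 an Echo reply."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000, ttl, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + icmp

def decode_frame(frame):
    """Peel the layers the way the Packet Details pane does: Ethernet, then IPv4, then ICMP."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:                     # not IPv4: stop at layer 2
        return info
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info.update({"src_ip": socket.inet_ntoa(s), "dst_ip": socket.inet_ntoa(d), "ttl": ttl,
                 "protocol": proto, "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0})
    if proto == 1:                              # ICMP
        icmp = ip[ihl:total_len]
        icmp_type, code = struct.unpack("!BB", icmp[:2])
        info.update({"icmp_type": icmp_type, "icmp_code": code,
                     "icmp_name": ICMP_NAMES.get(icmp_type, "other"),
                     "icmp_checksum_ok": inet_checksum(icmp) == 0})
    return info

def demo():
    """Decode a request and its reply; note the reversed addresses and the type change 8 -> 0."""
    request = decode_frame(build_echo(HOST_MAC, GW_MAC, HOST_IP, TARGET_IP, ttl=128, icmp_type=8))
    reply = decode_frame(build_echo(GW_MAC, HOST_MAC, TARGET_IP, HOST_IP, ttl=57, icmp_type=0))
    return request, reply

if __name__ == "__main__":
    for label, pkt in zip(("request", "reply"), demo()):
        print(label, pkt)
```

The checksum check is the part Wireshark does for you silently: a frame whose IPv4 checksum does not verify is either corrupted or was captured before the NIC filled the field in (checksum offloading), which is why Wireshark's IPv4 checksum validation is off by default.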

Part 2: Analyzing the ARP Protocol

The Address Resolution Protocol (ARP) is used to find a device’s MAC address when its IP address is known.

  1. Clear your ARP Cache:
  • Open a command prompt with administrative privileges.
  • Type arp -d to clear the ARP table. This forces your computer to rediscover devices on the local network.
  2. Capture ARP Traffic:
  • Start a new capture in Wireshark (don’t save the previous one).
  • In the command prompt, ping the IP address of your default gateway (router). You can find this by typing ipconfig (Windows) or ifconfig / ip route (Linux/macOS).
  • Stop the capture after the ping completes.
  3. Analyze the Packets:
  • Apply the display filter arp.
  • You should see at least two packets: an ARP request and an ARP reply.
  • Select the ARP request packet.
  • In the Packet Details pane, expand the “Ethernet II” and “Address Resolution Protocol (request)” sections.
  • Answer these questions in your report:
    • What is the Destination MAC address in the Ethernet frame? Why is it this value (ff:ff:ff:ff:ff:ff)?
    • In the ARP section, who is the “Sender MAC address” and who is the “Target MAC address”? Note that the target MAC is 00:00:00:00:00:00. Why?
  • Select the ARP reply packet and inspect the same fields. Note how the sender and target fields are now populated, and the Ethernet destination is no longer a broadcast.
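The following Python script is an added example, not part of the original lab: it builds a constructed ARP request and reply (RFC 826 layout inside an Ethernet II frame), parses them into the same fields Wireshark shows in the “Address Resolution Protocol” section, and checks that the reply actually answers the request. The MAC addresses and IPs are made-up sample values for a host looking up its gateway.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet. A request (opcode 1) is sent to the broadcast
    MAC because the sender does not yet know who owns the IP; a reply (opcode 2) goes straight
    to the requester's MAC."""
    eth_dst = BROADCAST if opcode == 1 else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp

def parse_arp(frame):
    """Decode the Ethernet II header and the 28-byte ARP packet that follows it."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame (EtherType 0x%04x)" % ethertype)
    _htype, _ptype, _hlen, _plen, opcode, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "opcode": opcode,
            "operation": {1: "request", 2: "reply"}.get(opcode, "other"),
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}

def reply_answers_request(req, rep):
    """True when `rep` answers `req`: it comes from the IP that was asked about and is addressed
    back to the requester's MAC and IP. A reply that fails this check, or that nobody asked for,
    is worth a second look when reviewing a capture."""
    return (req["opcode"] == 1 and rep["opcode"] == 2
            and rep["sender_ip"] == req["target_ip"]
            and rep["target_mac"] == req["sender_mac"]
            and rep["target_ip"] == req["sender_ip"]
            and rep["eth_dst"] == req["eth_src"])

# Constructed exchange: host 192.168.1.10 looks up the gateway 192.168.1.1.
HOST_MAC, HOST_IP = "aa:bb:cc:dd:ee:01", "192.168.1.10"
GW_MAC, GW_IP = "aa:bb:cc:dd:ee:fe", "192.168.1.1"

def demo():
    request = parse_arp(build_arp(1, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP))
    reply = parse_arp(build_arp(2, GW_MAC, GW_IP, HOST_MAC, HOST_IP))
    return request, reply

if __name__ == "__main__":
    request, reply = demo()
    print("request:", request)
    print("reply:  ", reply)
    print("reply answers request:", reply_answers_request(request, reply))
```

In the request the Ethernet destination is ff:ff:ff:ff:ff:ff and the ARP target MAC is 00:00:00:00:00:00 for the same reason: the requester is asking exactly for that value, so it cannot fill it in yet. In the reply both are the real addresses.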

Part 3: Analyzing TCP and HTTP

This part examines how a reliable connection is established and how web data is transferred. We will use an unencrypted website to ensure we can see the payload.

  1. Prepare and Capture:
  • Start a new capture in Wireshark.
  • Open your web browser and navigate to a simple, unencrypted HTTP website, for example, http://neverssl.com or http://info.cern.ch.
  • Once the page loads, stop the capture.
  2. Isolate the Conversation:
  • Apply the display filter http. Find the packet with “GET / HTTP/1.1” in the Info column.
  • Right-click on this packet and select Follow -> TCP Stream.
  3. Analyze the TCP Stream Window:
  • A new window will appear showing the entire conversation, stripped of its headers. The red text is the request sent from your client, and the blue text is the response from the server.
  • In your report:
    • Take a screenshot of this window.
    • Identify the Host: and User-Agent: headers in the client request. What information do they provide?
    • Identify the HTTP status code in the server’s response (e.g., 200 OK).
    • Identify the Content-Type: header in the response. What does it tell the browser?
  4. Analyze the TCP Handshake:
  • Close the TCP Stream window. Wireshark will have automatically created a filter for you (e.g., tcp.stream eq 0).
  • Examine the first three packets of this filtered conversation.
  • Packet 1 (SYN): Select it. In the “Transmission Control Protocol” details, expand the “Flags” section. Note that the SYN bit is set to 1. Record the sequence number (by default Wireshark displays relative sequence numbers, so the SYN shows 0; the actual value is in the “Sequence Number (raw)” field).
  • Packet 2 (SYN, ACK): Select it. Note that the SYN and ACK bits are set. Look at the Acknowledgment number. How does it relate to the sequence number from Packet 1?
  • Packet 3 (ACK): Select it. Note that only the ACK bit is set.
  • In your report: Describe how these three packets constitute the “TCP three-way handshake.”
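As an added example (not part of the original lab), the Python script below does in code what steps 2 to 4 do in Wireshark: it parses TCP headers, validates the three-way handshake from the flags and sequence/acknowledgment numbers, reassembles each direction of a constructed HTTP conversation in sequence order (the “Follow TCP Stream” view, including relative sequence numbers), and pulls out the Host, User-Agent, status line and Content-Type fields. The endpoints, initial sequence numbers and the User-Agent string are made-up sample values; only the Ethernet and IP layers are omitted, and the TCP checksum is left zero because it needs the IP pseudo-header.

```python
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
CLIENT = ("10.0.0.5", 51234)        # constructed client endpoint
SERVER = ("203.0.113.10", 80)       # constructed server endpoint (TEST-NET-3 address)

def build_segment(src, dst, seq, ack, flags, payload=b""):
    """TCP header without options (data offset 5) plus payload. Checksum left 0 because it
    needs the IP pseudo-header, which this example does not model."""
    hdr = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack, 5 << 4, flags, 65535, 0, 0)
    return (src, dst, hdr + payload)

def parse_segment(segment):
    src, dst, data = segment
    _sport, _dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    hlen = (off >> 4) * 4
    names = [n for bit, n in ((SYN, "SYN"), (ACK, "ACK"), (PSH, "PSH"), (FIN, "FIN")) if flags & bit]
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags,
            "flag_names": names, "payload": data[hlen:]}

def check_handshake(p1, p2, p3):
    """Three-way handshake: SYN; SYN-ACK acknowledging ISN_client + 1; ACK acknowledging ISN_server + 1."""
    ctl = lambda p: p["flags"] & (SYN | ACK)
    return (ctl(p1) == SYN
            and ctl(p2) == SYN | ACK and p2["ack"] == (p1["seq"] + 1) & 0xFFFFFFFF
            and ctl(p3) == ACK and p3["ack"] == (p2["seq"] + 1) & 0xFFFFFFFF
            and p3["seq"] == p2["ack"])

def follow_stream(packets):
    """Like Wireshark's Follow -> TCP Stream: each direction's payload joined in sequence order.
    Sequence numbers are made relative to the ISN seen in that direction's SYN, so the first
    data byte is at relative sequence number 1, as Wireshark displays it."""
    isn, chunks = {}, {}
    for p in packets:
        key = (p["src"], p["dst"])
        if p["flags"] & SYN:
            isn[key] = p["seq"]
        if p["payload"]:
            rel = (p["seq"] - isn[key]) & 0xFFFFFFFF
            chunks.setdefault(key, []).append((rel, p["payload"]))
    return {k: b"".join(data for _, data in sorted(v)) for k, v in chunks.items()}

def http_headers(raw):
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (line.partition(":") for line in lines[1:])}
    return lines[0], headers, body

# Constructed capture: handshake, a GET split over two segments that arrive out of order,
# and the server's response. Everything is readable because this is HTTP, not HTTPS.
REQ1 = b"GET / HTTP/1.1\r\nHost: neverssl.com\r\n"
REQ2 = b"User-Agent: ExampleBrowser/1.0\r\n\r\n"
BODY = b"<html>hello</html>"
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(BODY) + BODY
ISN_C, ISN_S = 1000, 5000
CAPTURE = [
    build_segment(CLIENT, SERVER, ISN_C, 0, SYN),
    build_segment(SERVER, CLIENT, ISN_S, ISN_C + 1, SYN | ACK),
    build_segment(CLIENT, SERVER, ISN_C + 1, ISN_S + 1, ACK),
    build_segment(CLIENT, SERVER, ISN_C + 1 + len(REQ1), ISN_S + 1, PSH | ACK, REQ2),   # arrives first
    build_segment(CLIENT, SERVER, ISN_C + 1, ISN_S + 1, PSH | ACK, REQ1),
    build_segment(SERVER, CLIENT, ISN_S + 1, ISN_C + 1 + len(REQ1) + len(REQ2), PSH | ACK, RESP),
]

def analyze(capture=CAPTURE):
    packets = [parse_segment(s) for s in capture]
    streams = follow_stream(packets)
    return {"handshake_ok": check_handshake(*packets[:3]),
            "request": http_headers(streams[(CLIENT, SERVER)]),
            "response": http_headers(streams[(SERVER, CLIENT)])}

if __name__ == "__main__":
    result = analyze()
    print("handshake valid:", result["handshake_ok"])
    for side in ("request", "response"):
        start, headers, _ = result[side]
        print(side, start, headers)
```

The reassembly step is what makes the clear-text problem concrete: anyone holding the same packets can rebuild the Host, User-Agent and page content exactly as this script does, which is the point of the security discussion in the report. Overlapping or retransmitted segments are not handled here; Wireshark's reassembler is more careful.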

Part 4: Analyzing DNS

The Domain Name System (DNS) translates human-readable domain names into machine-readable IP addresses.

  1. Clear your DNS Cache:
  • Open a command prompt with administrative privileges.
  • Type ipconfig /flushdns (Windows) or the equivalent for your OS.
  2. Capture and Analyze:
  • Start a new capture.
  • In your command prompt, ping a domain name you have not visited recently, e.g., ping www.mit.edu.
  • Stop the capture.
  • Apply the display filter dns.
  • You will see a “Standard query” and a “Standard query response”.
  • Select the query packet. In the “Domain Name System (query)” section, what name is being queried for?
  • Select the response packet. In the “Domain Name System (response)” section, expand the “Answers” field. What IP address was returned for the domain name?
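As an added example (not part of the original lab), this Python script builds a constructed DNS standard query for www.mit.edu and a matching standard query response, then parses both the way Wireshark's “Domain Name System” section presents them: transaction ID, flags, the question name, and the A record in the Answers. The response uses a name compression pointer, as real resolvers do, so the parser has to follow it. The transaction ID, TTL and the returned address 203.0.113.7 are made-up sample values, not MIT's real address.

```python
import socket
import struct

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(txid, name, qtype=1):
    """Standard query: header with RD set, one question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, ip, ttl=300):
    """Standard query response echoing the question; the answer's name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, RCODE=0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer

def read_name(msg, offset):
    """Decode a possibly compressed name. Returns (name, offset just past the name as it
    appears in the message), following pointers without rereading them."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 127:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_message(msg):
    """Header, question section and answer section (A records decoded to dotted quads)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype})
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "data": socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}

def response_matches_query(query, response):
    """A resolver should accept a response only if it is a response, carries the same
    transaction ID and repeats the question that was asked."""
    return (response["is_response"] and not query["is_response"]
            and response["id"] == query["id"]
            and response["questions"] == query["questions"])

def demo():
    query = build_query(0x1A2B, "www.mit.edu")
    response = build_response(query, "203.0.113.7")   # constructed address, not MIT's real one
    return parse_message(query), parse_message(response)

if __name__ == "__main__":
    q, r = demo()
    print("query:   ", q)
    print("response:", r)
    print("matches:", response_matches_query(q, r))
```

Two things to compare against your capture: the response reuses the query's transaction ID (Wireshark shows it as “Transaction ID” in both packets), and the answer name is usually shown already decompressed, so the 0xC00C pointer is only visible in the Packet Bytes pane.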

6. Lab Report Structure

  1. Title Page: Course name, lab number, topic, student name, instructor name, date.
  2. Objective: A brief statement of the lab’s purpose.
  3. Procedure Summary: Briefly describe the steps taken for each part of the lab.
  4. Results and Analysis:
  • Part 1 (ICMP): Present the recorded data and a brief explanation of the request/reply process.
  • Part 2 (ARP): Answer the questions about the broadcast destination and target MAC addresses. Explain the purpose of ARP based on your capture.
  • Part 3 (TCP/HTTP): Include the TCP Stream screenshot. Answer the questions about the HTTP headers. Describe the TCP three-way handshake, referencing the flags and sequence/acknowledgment numbers you observed.
  • Part 4 (DNS): Present the results of the DNS query and response, showing the name that was resolved and the IP address that was returned.
  5. Security Implications Discussion: Based on your analysis of the HTTP traffic, explain why using unencrypted HTTP is a security risk for searching, transferring, and protecting information. What specific information could an attacker on the same network easily see?
  6. Conclusion: Summarize the key functions of the protocols you analyzed. Reflect on how a traffic analyzer is an essential tool for network administration, troubleshooting, and security analysis.