Practical Exercise – Capturing a Packet Using Wireshark

In this practical exercise, you are going to install Wireshark on a Windows 10 computer, and then capture a packet.

Installing Wireshark

Type the full URL https://www.wireshark.org/download.html into your browser to visit the Wireshark download page.
Use the full URL rather than following a search-engine result, so that the installer comes from the official site over HTTPS.
The page will look similar to the following:

You want to download the Windows Installer (64 bit).
Click on the link for your version of the software, and your browser will show a download prompt at the foot of the window.
Before running the installer, check that it carries a valid digital signature (right-click the downloaded file, choose Properties, then the Digital Signatures tab).
Choose Run, and when the User Account Control (UAC) prompt appears, choose Yes.
This will bring up the installation wizard.

Keep pressing Next and accept the defaults.
The installation will commence, and the pop-up box below will appear.
Accept the license agreement by pressing I Agree.
Accept the default settings.

Accept the default settings by pressing Next.
Part-way through, a separate wizard for Npcap will appear (see below). Npcap is the packet-capture driver that Wireshark uses on Windows; without it, Wireshark can be installed but cannot capture traffic.
Accept its defaults and press Finish.

The Wireshark installation will still be running in the background.
It should take roughly another 2-3 minutes.
The wizard will then report that the installation is complete.
Select Next, then Finish.
You will now see a Wireshark shortcut on the desktop, the same as below:

Double-click it and choose your network interface.
When your Wireshark console appears, it should look similar to that shown below.
If you need to change the interface, go to Capture and select Options.

The view above shows the Main Window, which is broken into different sections:
The Menu: This is broken into the following 11 headings:
File, Edit, View, Go, Capture, Analyze, Statistics, Telephony, Wireless, Tools, Help.
The Filter Toolbar: This is the display filter bar; typing a protocol name such as http or dns here limits the packet list to matching packets.
The Packet List: This shows all packets that are captured and is shown in blue in the preceding image.
The Packet Details Pane: This is the gray area that shows the protocol fields of the selected packet, one expandable section per protocol layer.
The Packet Bytes Pane: This shows a canonical hex dump of the selected packet's data.

Capturing Packets

Go to the Capture drop-down menu.
Options lets you change the network interface.
Press the shark-fin symbol with the word Start.
Once you are finished capturing the traffic, press the red square with the word Stop on it.
These menu items are context-sensitive: Stop is greyed out until a capture is running, and Start is greyed out while one is.

Tip

Always have your web browser ready before you press Start.
As soon as the capture starts, Wireshark records every packet on the interface, not just your browser's, so you will capture a vast amount of traffic.
After capturing it, you can filter the trace down to the type of traffic you are interested in.

Preparation Before Capture

Go to Google and search for 'Josh Dobbs Mike Glennon'.
The top of the search results should be similar to that shown below.
If that article is no longer available, go to the Amazon website instead and search for the Ian Neil Security+ book.
The following instructions are the same either way.

Starting the Capture

Start Wireshark, go to Capture, then press Start.
Return to your browser and click the hyperlink for the preceding article.
You will then see a massive number of packets being captured.

Stop the Capture

Go to Wireshark, open the Capture menu, and press Stop.
You should have captured quite a few packets.
In this run, over 20,000 packets were captured in about 3 minutes.

Saving the Capture File

On the Wireshark console, in the top left-hand corner, choose File.
Then select 'Save As' and save it as a pcap file (a packet capture file).
Note that Wireshark's default save type is pcapng; if another tool expects the classic pcap format, choose the Wireshark/tcpdump pcap type from the Save as type list.

Filtering the Capture File

In the capture shown, the display filter http has been applied, so only HTTP packets (which are carried over TCP) are listed.
Packet 16340 relates to your arrival at the article on the nfl.com website.
The source IP address is 172.20.10.1, and the destination is 151.101.62.2.
A request for a web page uses the HTTP method GET.
Can you now find the packet in your own trace where you arrived at the article?
Select it and open the frame in the packet details pane.
You will see that it is carried over IPv4, and the transport is TCP.
Expand the Hypertext Transfer Protocol section, and the Referer field will show the page you came from.
If the site now serves the page over HTTPS, the http filter will show nothing for it, because the GET request is encrypted inside TLS; filter on tls instead and look at the Server Name Indication in the Client Hello to see which host you connected to.

Complete the following exercises to investigate DNS traffic:

DNS traffic – Start a new capture and run the following commands:

  • Start a Wireshark capture.
  • Open a command prompt.
  • Type ipconfig /flushdns (clears the DNS cache, so the next lookup must go out on the network rather than being answered locally).
  • Type ping www.packtpub.com (the name is resolved first, so a DNS query and response appear in the trace before the ICMP echo requests).
  • Type ipconfig /displaydns (displays the DNS cache, which now holds the answer).
  • Check the trace entries, applying the display filter dns.
  • Start a new capture.
  • Type nslookup www.packtpub.com and press Enter.
  • Open a web browser and go to www.packtpub.com.
  • Check the trace entries.

TCP 3-way handshake – Start a new capture and carry out the following task:

  • Go to a website of your choice, then stop the capture and apply the display filter tcp.
  • Look through the filtered list for TCP traffic to that site.
  • Right-click one of the TCP packets, choose Conversation Filter, and then choose TCP.

This filters the list down to that one TCP conversation, with the 3-way handshake at the top.
Look for SYN, then SYN/ACK, and then ACK.
That sequence shows a successful connection.
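The DNS and TCP handshake exercises above can also be checked outside Wireshark by reading the saved capture file directly. The following Python script is an added example written for this page, not code from the book: it parses a classic pcap file with only the standard library, lists the names queried over DNS, and finds TCP conversations in which the SYN, SYN/ACK and ACK all appear in order. It assumes the file was saved in the pcap (not pcapng) type from the Save As dialog and is Ethernet-framed, which is the normal case for wired and Wi-Fi interfaces on Windows. The built-in sample capture is constructed in code: the host address 172.20.10.1 and web server 151.101.62.2 are taken from the text, while 192.0.2.53 is a placeholder resolver.

```python
"""Minimal reader for classic .pcap files (the 'pcap' type offered under Save As):
lists DNS queries and completed TCP 3-way handshakes without Wireshark installed."""
import struct

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
SYN, ACK = 0x02, 0x10  # TCP flag bits


def read_pcap(data: bytes):
    """Yield the frame bytes of each record in a classic (not pcapng) pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):    # file written little-endian
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):  # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file; pcapng needs a different reader")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET only
        raise ValueError("only Ethernet captures are supported")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame: bytes):
    """Return (src, dst, proto, sport, dport, tcp_flags, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP:  # flags are byte 13; data offset is the high nibble of byte 12
        return src, dst, proto, sport, dport, l4[13], l4[(l4[12] >> 4) * 4:]
    if proto == PROTO_UDP:
        return src, dst, proto, sport, dport, 0, l4[8:]
    return None


def dns_qname(msg: bytes) -> str:
    """Decode the first question name from a DNS message (plain labels, no compression)."""
    labels, off = [], 12  # question section starts after the 12-byte header
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels)


def find_handshakes(frames):
    """Return (client, server) pairs whose SYN, SYN/ACK and ACK all appear in order."""
    state, done = {}, []
    for p in filter(None, map(parse_frame, frames)):
        src, dst, proto, sport, dport, flags, _ = p
        if proto != PROTO_TCP:
            continue
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            state[key] = "SYN"
        elif flags & SYN and flags & ACK and state.get(reverse) == "SYN":
            state[reverse] = "SYN/ACK"
        elif flags & ACK and not flags & SYN and state.get(key) == "SYN/ACK":
            state[key] = "ESTABLISHED"
            done.append((f"{src}:{sport}", f"{dst}:{dport}"))
    return done


def find_dns_queries(frames):
    """Return (querier, name) pairs for UDP packets sent to port 53."""
    return [(p[0], dns_qname(p[6])) for p in filter(None, map(parse_frame, frames))
            if p[2] == PROTO_UDP and p[4] == 53]


def build_sample_pcap() -> bytes:
    """Constructed sample capture (not real traffic): a DNS query from 172.20.10.1 to a
    placeholder resolver 192.0.2.53, then a TCP handshake to 151.101.62.2:443. Checksums are zero."""
    def addr(a): return bytes(map(int, a.split(".")))
    def frame(proto, src, dst, l4):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, addr(src), addr(dst))
        return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4  # zero MACs + IPv4 ethertype
    def tcp(sport, dport, flags):
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    def dns_query(name):
        qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
        msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
        return struct.pack("!HHHH", 53000, 53, 8 + len(msg), 0) + msg
    frames = [frame(PROTO_UDP, "172.20.10.1", "192.0.2.53", dns_query("www.packtpub.com")),
              frame(PROTO_TCP, "172.20.10.1", "151.101.62.2", tcp(50000, 443, SYN)),
              frame(PROTO_TCP, "151.101.62.2", "172.20.10.1", tcp(443, 50000, SYN | ACK)),
              frame(PROTO_TCP, "172.20.10.1", "151.101.62.2", tcp(50000, 443, ACK))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    frames = list(read_pcap(data))
    print(len(frames), "frames; DNS:", find_dns_queries(frames), "handshakes:", find_handshakes(frames))
```

Run it with no arguments to parse the embedded sample, or pass the path of your own saved capture. On a real trace the handshake list will contain one entry per connection your browser opened, which is why the Conversation Filter step above is useful for isolating a single one in Wireshark.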

After this practical, you will have installed Wireshark, captured packets, saved the capture, and filtered the trace.
Try to use Wireshark at least once a week.
Visit www.wireshark.org, obtain the documentation, and then watch some videos on YouTube until you become proficient.
This is a great skill for your CV/resume.

Check out the book CompTIA Security+: SY0-601 Certification Guide to help you pass on the first attempt.