Practical Exercise – Capturing a Packet Using Wireshark
In this practical exercise, you are going to install Wireshark on a Windows 10 computer, and then capture a packet.
Go to https://www.wireshark.org/download.html to visit the Wireshark download page.
You must ensure that you use the full URL.
The output will look similar to the following:
You want to download the Windows Installer (64 bit).
Click on the link for your version of software, and you will see a pop-up box at the foot of your screen.
Choose run, and when the UAC prompt appears, choose Yes.
This will bring up the installation wizard.
Keep pressing ‘Next’ and accept the defaults.
The installation will commence, and the pop-up box below will appear.
Accept the license agreement and press I Agree.
Accept the default settings.
Accept the default settings by pressing Next.
The following wizard will appear (see below).
The Wireshark installation will still be running in the background.
It should take roughly another 2-3 minutes.
The wizard will appear to say the installation is complete.
Select Next, then Finish.
You will now see a Wireshark shortcut on the desktop, the same as below:
Double-click it and choose your network interface.
When your Wireshark console appears, it should look similar to that shown below.
If you need to change the interface, go to Capture and select Options.
The view above shows The Main Window, which is broken into different sections:
The Menu: This is broken into the following 11 headings:
File, Edit, View, Go, Capture, Analyze, Statistics, Telephony, Wireless, Tools, Help.
The Filter Toolbar: This has a filter pane when you type in the protocol that you want to view.
The Packet List: This shows all packets that are captured and is shown in blue in the preceding image.
The Packet Details Pane: This is the gray area that shows the protocol fields of the packet.
The Packet Bytes Pane: This shows a canonical hex dump of the packet data.
Go to the Capture drop-down menu option.
Options lets you change the network interface.
Press the shark symbol with the word Start.
Once you are finished capturing the traffic, press the red square with the word Stop on it.
These menus are context-sensitive; for example, the Stop button does not become live until after the Start button appears.
Always have your web browser ready before you press ‘Start’.
Once you start up Wireshark, you will capture a vast amount of traffic.
After capturing it, you can filter the different types of traffic.
Preparation Before Capture
Go to Google and search for ‘Josh Dobbs Mike Glennon’.
The top of the search list should be similar to that shown below.
If that article is not available, go to the Amazon website instead and search for the Ian Neil Security+.
The following instructions will be the same.
Starting the Capture
Start Wireshark, go to Capture, then press Start.
Go to your Google and press the hyperlink for the preceding article.
You will then see a massive number of packets being captured.
Stop the Capture
Go to Wireshark, Capture menu, and Press Stop.
You should have captured quite a few packets.
On this occasion, you will have captured over 20,000 packets in about 3 minutes.
Saving the Capture File
On the Wireshark console, in the top left-hand corner, choose File.
Then select ‘Save as‘ and save it as a pcap file (a packet capture file).
Filtering the Capture File (cap)
In the packet that you captured, you have inserted the filter http.
You can now see only TCP and HTTP traffic.
The packet 16340 relates to your arrival at the articles on the nfl.com website.
The IP Address is 172.20.10.1, and the destination is 220.127.116.11.
The request to go to a website uses the HTTP verb GET.
Can you now search your trace for the packet when you arrived at this article?
Open the frame in the packet details pane.
You will see that it is using IPV4, and the traffic is TCP.
Expand the HTTP packet, and the referrer will show the page that you visited.
Complete the following exercises to investigate DNS traffic:
DNS traffic – Start a new capture and run the following commands:
- Start a Wireshark capture.
- Open a command prompt.
- Type ipconfig /flushdns (clears the DNS cache).
- Ping www.packtpub.com.
- Type ipconfig /displaydns (displays the DNS cache).
- Check the trace entries.
- Start a new capture.
- Type nslookup www.packtpub.com and press Enter.
- Open a web browser and go to www.packtpub.com.
- Check the trace entries.
TCP 3 Way handshake – Start a new capture and carry out the following task:
- Go to a website of your choice and make a packet filter.
- Look through the filter for TCP traffic.
- Right-click one of the TCP packets. Scroll down to conversation filter and choose TCP.
This should then give you all the TCP 3-way handshake information.
Look for SYN – SYN\ACK and then ACK.
It will show a successful connection.
After this practical, you will have installed Wireshark, captured a packet, and filtered the trace.
Try and use this at least once a week.
Visit www.wireshark.org, obtain the documentation, and then watch some videos on YouTube until you become proficient.
This is a great skill for your CV/resume.
Check out the book CompTIA Security+: SY0-601 Certification Guide to help you pass on the first attempt.