Cybersecurity Lab Report – 04
Network Analysis with Wireshark
Step 1) wireshark -i lo
Conversations (forwarding devices involved)
Ethernet addresses of the devices involved
Flow graph
I/O graph
Filtering based on the response codes
HTTP stream
Wireshark is a powerful packet-sniffing tool used to capture, analyze, and filter network packets. It lets us view details such as the protocols in use, packet contents, and payloads, and even user credentials when a protocol transmits them in plaintext.
Step 1: Initial Setup and Observing Packet Color Coding
1. Launching Wireshark on the Loopback Interface:
o The command wireshark -i lo was used to start Wireshark on the loopback interface.
o Nmap scans with -sU and -sT were run to generate UDP and TCP packets, and ICMP traffic was generated with ping.
o Observations:
▪ UDP packets appeared in gray.
▪ ICMP packets were green.
▪ Packets shown in red indicated RST (reset) segments or protocol violations.
o The captured data also illustrated the TCP three-way handshake (SYN, SYN/ACK, ACK).
2. Launching Wireshark on the Ethernet Interface:
o Wireshark was started on the Ethernet interface using wireshark -i eth0.
o Browsing to bmsce.ac.in caused DNS queries to be sent.
o Observations:
▪ DNS packets were represented in blue.
This experiment provided insight into the color-coding system Wireshark uses to distinguish protocols.
Packet Filtering
Wireshark’s display filters allow us to isolate specific packets based on criteria such as IP addresses, ports, and protocols.
1. Filters Applied:
o To isolate packets related to IP 192.168.1.107:
▪ ip.addr==192.168.1.107
o To view TCP packets involving port 80:
▪ tcp.port==80
o To filter packets where 192.168.1.107 was the source:
▪ ip.src==192.168.1.107
o To filter packets where 192.168.1.107 was the destination:
▪ ip.dst==192.168.1.107
o To filter UDP packets with a length of less than 100:
▪ udp.length<100
o To isolate UDP packets for a specific port:
▪ udp.port==<port>
o To find packets with the ACK flag set (the bare field name tcp.flags.ack would match every TCP packet, because the field is present whether or not the flag is set):
▪ tcp.flags.ack==1
o To filter HTTP packets:
▪ http
This demonstrated Wireshark's ability to narrow down packet analysis efficiently.
Protocol Hierarchy and Advanced Analysis
1. Protocol Hierarchy:
o Navigated to Statistics > Protocol Hierarchy to view the distribution of protocols used in the captured traffic.
2. Conversations:
o Used the Conversations feature to identify the forwarding devices involved, their Ethernet (MAC) addresses, and the traffic exchanged between them.
3. Flow Graph and I/O Graph:
o Generated flow graphs and I/O graphs to visualize data exchanges and traffic patterns over time.
Packet Analysis: HTTP POST Request
1. Identified a packet containing a POST request (4th packet from the end).
2. Delved into the application layer and discovered the user was attempting to add information to the /userinfo.php page.
o The captured packet revealed the login parameters sent in the POST body:
▪ uname="test"
▪ pass="test"
3. Used the Follow option to analyze streams:
o Follow TCP Stream and Follow HTTP Stream were used to examine the complete request/response transaction.
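The display filters listed under Packet Filtering, the Conversations statistic, and the POST-body inspection above, worked through as one added example that is not part of the original lab report: a small capture is constructed in memory (the addresses 192.168.1.107, 203.0.113.10 and 192.168.1.1, the ports and the form body are all sample values), decoded with the Python standard library only, and each filter is re-implemented as a predicate so the packet numbers it keeps can be compared with what Wireshark shows. The "http" predicate is a heuristic (a request or status line at the start of a TCP payload), not Wireshark's dissector, and the ACK filter is written as tcp.flags.ack==1, since the bare field name matches every TCP packet.

```python
"""Minimal pcap decoder plus Wireshark-style display-filter predicates.
Added example, not part of the original lab report: the capture below is constructed
in memory; all addresses, ports and payloads are sample values, and the "http"
predicate is a heuristic rather than Wireshark's dissector."""
import struct
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs
ETH_IPV4, IP_TCP, IP_UDP, ACK = 0x0800, 6, 17, 0x10

@dataclass
class Packet:
    src: str = ""
    dst: str = ""
    proto: str = "other"   # "tcp", "udp" or "other"
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0     # raw TCP flags byte (SYN = 0x02, RST = 0x04, ACK = 0x10)
    udp_length: int = 0    # UDP length field: 8-byte header + data
    payload: bytes = b""

def ip2b(a):
    return bytes(int(x) for x in a.split("."))
def ipv4(src, dst, proto, l4):   # complete Ethernet frame with zeroed MACs; checksums left zero
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip2b(src), ip2b(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + hdr + l4
def tcp(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

CLIENT, SERVER, RESOLVER = "192.168.1.107", "203.0.113.10", "192.168.1.1"   # constructed
POST = b"POST /userinfo.php HTTP/1.1\r\nHost: lab.example\r\nContent-Length: 20\r\n\r\nuname=test&pass=test"
SAMPLE_PCAP = build_pcap([
    ipv4(CLIENT, RESOLVER, IP_UDP, udp(50000, 53, b"\x00" * 30)),   # DNS query, udp.length 38
    ipv4(CLIENT, SERVER, IP_TCP, tcp(40000, 80, 0x02)),            # SYN
    ipv4(SERVER, CLIENT, IP_TCP, tcp(80, 40000, 0x12)),            # SYN/ACK
    ipv4(CLIENT, SERVER, IP_TCP, tcp(40000, 80, 0x10)),            # ACK: handshake complete
    ipv4(CLIENT, SERVER, IP_TCP, tcp(40000, 80, 0x18, POST)),      # PSH/ACK carrying the form
    ipv4(SERVER, CLIENT, IP_TCP, tcp(80, 40000, 0x04)),            # RST (coloured red by Wireshark)
])

def parse_frame(f):
    p = Packet()
    if struct.unpack_from("!H", f, 12)[0] != ETH_IPV4:
        return p
    ip = f[14:14 + struct.unpack_from("!H", f, 16)[0]]   # honour the IPv4 total-length field
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    p.src, p.dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if proto == IP_TCP:
        p.proto, (p.sport, p.dport) = "tcp", struct.unpack_from("!HH", l4, 0)
        p.tcp_flags, p.payload = l4[13], l4[(l4[12] >> 4) * 4:]
    elif proto == IP_UDP:
        p.proto, (p.sport, p.dport, p.udp_length) = "udp", struct.unpack_from("!HHH", l4, 0)
        p.payload = l4[8:]
    return p

def parse_pcap(data):
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "little-endian pcap expected"
    pos, pkts = 24, []                                     # skip the 24-byte global header
    while pos < len(data):
        incl = struct.unpack_from("<IIII", data, pos)[2]   # captured length of this record
        pkts.append(parse_frame(data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return pkts

FILTERS = {   # each predicate mirrors the Wireshark display filter used as its key
    "ip.addr==192.168.1.107": lambda p: CLIENT in (p.src, p.dst),
    "ip.src==192.168.1.107": lambda p: p.src == CLIENT,
    "ip.dst==192.168.1.107": lambda p: p.dst == CLIENT,
    "tcp.port==80": lambda p: p.proto == "tcp" and 80 in (p.sport, p.dport),
    "udp.port==53": lambda p: p.proto == "udp" and 53 in (p.sport, p.dport),
    "udp.length<100": lambda p: p.proto == "udp" and p.udp_length < 100,
    "tcp.flags.ack==1": lambda p: p.proto == "tcp" and bool(p.tcp_flags & ACK),
    "http": lambda p: p.proto == "tcp" and p.payload.startswith((b"GET ", b"POST ", b"HTTP/")),
}

def apply_filter(expr, pkts):
    """Zero-based indices of the packets a filter keeps."""
    return [i for i, p in enumerate(pkts) if FILTERS[expr](p)]

def conversations(pkts):
    """Payload bytes per IP pair, like Statistics > Conversations (IPv4 tab)."""
    c = Counter()
    for p in pkts:
        if p.proto != "other":
            c[tuple(sorted((p.src, p.dst)))] += len(p.payload)
    return dict(c)

def http_form_fields(p):
    """Fields of a URL-encoded POST body; plaintext HTTP shows them to any sniffer on the path."""
    head, sep, body = p.payload.partition(b"\r\n\r\n")
    return {k: v[0] for k, v in parse_qs(body.decode()).items()} if sep and head.startswith(b"POST ") else {}
```

Calling parse_pcap(SAMPLE_PCAP) and then apply_filter("tcp.flags.ack==1", ...) keeps packets 2, 3 and 4 (SYN/ACK, ACK and the data segment), which is what the same filter shows for a captured handshake; http_form_fields on packet 4 returns the uname and pass values exactly as they crossed the wire, which is the reason login forms must not be served over plain HTTP.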
Packet Analysis: FTP Traffic
1. Setup and Traffic Generation:
o Installed the VSFTPD server using:
▪ sudo apt-get install vsftpd
▪ sudo service vsftpd start
o Created a user with a password and logged in to the FTP server.
o Generated traffic by sending a file via FTP.
2. Analysis:
o Captured traffic on the loopback interface using Wireshark.
o Observations:
▪ Since FTP transmits everything in plaintext, the username, password, file names, and file data were all visible.
▪ Files being transferred could be downloaded using File > Export Objects > FTP-Data.
o Display filters for further analysis:
▪ To view successful logins: ftp.response.code==230
▪ To view failed login attempts: ftp.response.code==530
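The same 230/530 classification, applied to the text that Follow TCP Stream shows for an FTP control connection, as an added example that is not part of the original lab report. The two streams are constructed sample data (a clean login from 192.168.1.107 and three failed attempts from 192.168.1.50); the function pairs each USER/PASS exchange with the server's verdict and reports, per client, the successful logins, the number of failures, and whether the failure count reached a threshold that an analyst would want flagged. Passwords are counted rather than stored, since the finding is that FTP exposes them, not the values themselves.

```python
"""Classify FTP logins from control-channel text such as Follow TCP Stream shows.
Added example, not part of the original lab report. The streams below are
constructed sample data; 230 and 530 are the response codes the lab filters on
(ftp.response.code==230 / ftp.response.code==530)."""
import re

# Constructed control-channel streams: (client address, text as Follow TCP Stream shows it).
SAMPLE_STREAMS = [
    ("192.168.1.107",
     "220 Welcome to the lab FTP service.\r\n"
     "USER labuser\r\n331 Please specify the password.\r\n"
     "PASS labpass\r\n230 Login successful.\r\n"),
    ("192.168.1.50",
     "220 Welcome to the lab FTP service.\r\n"
     "USER admin\r\n331 Please specify the password.\r\n"
     "PASS guess1\r\n530 Login incorrect.\r\n"
     "USER admin\r\n331 Please specify the password.\r\n"
     "PASS guess2\r\n530 Login incorrect.\r\n"
     "USER admin\r\n331 Please specify the password.\r\n"
     "PASS guess3\r\n530 Login incorrect.\r\n"),
]

# One USER/PASS exchange per match: USER, optional 331 challenge, PASS, then the 230/530 verdict.
LOGIN_RE = re.compile(r"^USER (\S+)\r?\n(?:331 [^\n]*\n)?PASS (\S+)\r?\n(230|530) ", re.M)

def login_attempts(stream):
    """List of (user, password, code) for every USER/PASS exchange answered 230 or 530."""
    return [(u, p, int(c)) for u, p, c in LOGIN_RE.findall(stream)]

def summarize(streams, threshold=3):
    """Per-client login outcomes plus a simple repeated-failure indicator.
    Passwords are only counted: they were readable because FTP has no encryption,
    which is the finding; the values themselves are not kept in the report."""
    report = {}
    for client, text in streams:
        attempts = login_attempts(text)
        failed = [u for u, _, c in attempts if c == 530]
        report[client] = {
            "successful": [u for u, _, c in attempts if c == 230],
            "failed": len(failed),
            "failed_users": sorted(set(failed)),
            "repeated_failures": len(failed) >= threshold,
            "plaintext_passwords_seen": len(attempts),
        }
    return report
```

summarize(SAMPLE_STREAMS) reports one successful login for 192.168.1.107 and three failures against the admin account from 192.168.1.50, with repeated_failures set for the second client at the default threshold of three; raising the threshold is the knob to tune against a site's normal rate of mistyped passwords.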