
Computer Network Laboratory Report

Network Programming and Wireshark Packet Analyzer

By SABHA NAAZ (4SN19CS108)
Bachelor of Engineering in Computer Science & Engineering
(Visvesvaraya Technological University)

Department of Computer Science & Engineering
Srinivas Institute of Technology, Mangalore-574143, Karnataka
(NAAC Accredited; Affiliated to Visvesvaraya Technological University, Belgaum)

2021
HTTP: HTTP traffic shows up in light green in Wireshark and can be filtered using the http display filter.
However, since HTTP runs over TCP and the http filter only shows packets that carry HTTP protocol data,
it can miss many of the packets associated with the session, because those are pure TCP packets
(SYN, ACK and so on). Wireshark reassembles all of the data packets that make up a particular
web page and displays the result within the packet labelled as the HTTP response.

The image above shows the structure of an HTTP request in Wireshark. This includes the
requested URL and a variety of HTTP headers, including the host, user-agent and several others.
These headers are under the control of the client and are intended for use by the server, so they
can be modified by an attacker who controls both ends of the connection, making them ideal for
passing data during an attack. The structure of an HTTP response is very similar to that of an
HTTP request, except that it substitutes an HTTP response status message for the requested URL
and uses a different collection of headers. The actual data carried by the HTTP protocol (the
requested web page) is encapsulated within the data section of the HTTP packet.
TCP: In TCP, the data intended for the final recipient is never sent in the first packet. Instead,
the two TCP endpoints first go through the TCP handshake to establish a channel before
sending the actual data.

The steps in the TCP handshake are fairly straightforward, as shown in the screenshot from
Wireshark above. First, the sender initiates the communication by sending a SYN packet,
expressing its interest in connecting. The recipient responds with a SYN/ACK packet that
expresses its interest as well and acknowledges receipt of the sender's SYN packet. Finally,
the sender sends an ACK packet to acknowledge the recipient's SYN/ACK. Now the TCP
channel between the sender and recipient is established. At this point, the primary purpose of the
TCP packets switches over from achieving TCP's own goals (i.e., establishing a connection) to
being a carrier for another protocol. For example, the next packet after the TCP handshake
may be a packet from the sender requesting an HTTP web page. The TCP protocol is primarily
intended to provide certain guarantees to the higher-level protocol using it. These guarantees
include packet ordering, reliability and error correction. Another advantage that TCP has over
other protocols is its built-in support for packet ordering: although packets are sent in a
certain sequence, they can travel over different paths in the network and reach the recipient
out of order, and TCP puts them back in sequence.
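The three-step handshake described above, replayed over a constructed capture as an added example (not code from the original report). It tracks each connection's state by checking that every acknowledgement number equals the other side's initial sequence number plus one, and then lists the connections whose handshake never completed, which is what a defender looks for when a host sends many SYNs that are never followed by a SYN/ACK and ACK.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYN, ACK = 0x02, 0x10          # TCP flag bits as they appear in the header

@dataclass
class Packet:                   # the per-segment fields a capture tool would hand us
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int

Key = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)

def track_handshakes(packets: List[Packet]) -> Dict[Key, str]:
    """Replay segments in capture order and record each connection's handshake state."""
    state: Dict[Key, str] = {}
    isn: Dict[Key, List[int]] = {}           # [client ISN, server ISN] per connection
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server direction
        rev = (p.dst, p.dport, p.src, p.sport)   # server -> client, keyed from the client side
        if p.flags == SYN:                       # step 1: client SYN
            state[fwd], isn[fwd] = "SYN_SENT", [p.seq, -1]
        elif p.flags == SYN | ACK and state.get(rev) == "SYN_SENT":
            if p.ack == isn[rev][0] + 1:         # step 2: SYN/ACK must ack the client ISN
                state[rev], isn[rev][1] = "SYN_RECEIVED", p.seq
        elif p.flags == ACK and state.get(fwd) == "SYN_RECEIVED":
            if p.ack == isn[fwd][1] + 1:         # step 3: ACK must ack the server ISN
                state[fwd] = "ESTABLISHED"
    return state

def half_open(states: Dict[Key, str]) -> List[Key]:
    """Connections whose handshake never completed (what an unanswered SYN leaves behind)."""
    return sorted(k for k, s in states.items() if s != "ESTABLISHED")

# Constructed capture: one complete handshake to port 80, then two SYNs that get no reply.
CAPTURE = [
    Packet("10.0.0.5", 51000, "10.0.0.80", 80, SYN, 1000, 0),
    Packet("10.0.0.80", 80, "10.0.0.5", 51000, SYN | ACK, 5000, 1001),
    Packet("10.0.0.5", 51000, "10.0.0.80", 80, ACK, 1001, 5001),
    Packet("10.0.0.5", 51001, "10.0.0.80", 22, SYN, 2000, 0),
    Packet("10.0.0.5", 51002, "10.0.0.80", 443, SYN, 3000, 0),
]

if __name__ == "__main__":
    for key, st in track_handshakes(CAPTURE).items():
        print(key, st)
```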
UDP: UDP, on the other hand, is intended for applications that prioritize latency over reliability. It
is a "fire and forget" protocol that does not retain state. After a UDP packet is sent, there is no
acknowledgement of receipt from the destination, and lost packets are not retransmitted. As a result,
UDP is commonly used in applications where all the data can be contained within a single packet and
either packet loss is not a major problem (as in DNS) or high-speed transmission is necessary
(as in gaming).
UDP in Wireshark: An extremely common use of the UDP protocol is DNS traffic. DNS requests
and responses are relatively small, and if something goes wrong and a packet is dropped, it is easy
to make another request. As a result, DNS usually does not require the reliability guarantees that TCP
provides, and the overhead of the TCP handshake is superfluous. The screenshot above shows the
details of a standard UDP packet header. As shown, UDP uses the same port model as TCP, and
applications that use both TCP and UDP will often use the same port numbers for each. The UDP
header also includes a length value and a checksum for verifying the integrity of the data that it
carries.

ARP: ARP packets can easily be found in a Wireshark capture. As shown in the image below,
ARP packets that are not currently selected have a distinctive yellow-brown colour in a capture. ARP
packets can also be filtered from traffic using the arp filter. The structure of an ARP session is quite
simple. The computer wishing to initiate a session with another computer sends out an ARP request
asking for the owner of a certain IP address. The system with that IP address then sends out an ARP
reply claiming that IP address and providing its MAC address.

As shown in the images above, the structure of an ARP request and reply is simple and identical. An
ARP packet runs directly on top of the Ethernet protocol (or another link-layer protocol) and includes
information about its hardware type, protocol type and so on. ARP opcodes are 1 for a request and 2
for a reply. The body of the ARP packet states the IP and MAC address of the sender (populated in
both packets) and the IP and MAC address of the target (where the target's MAC is set to all
zeros in the request packet).
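The ARP layout just described, as an added example that is not part of the original report: it serialises and decodes the 28-byte Ethernet/IPv4 ARP body (hardware type 1, protocol type 0x0800, opcode 1 or 2, sender and target MAC/IP), using a constructed request/reply pair in which the request's target MAC is all zeros. The MAC and IP values are made up for the example.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes
OPCODES = {1: "request", 2: "reply"}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialise an Ethernet/IPv4 ARP body (the bytes that follow the Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)

def parse_arp(payload: bytes) -> dict:
    """Decode the fields Wireshark shows in its ARP pane; reject anything that is not Ethernet/IPv4."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"opcode": op, "operation": OPCODES.get(op, "unknown"),
            "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa))}

# Constructed exchange: host .10 asks who owns .1 (target MAC zeroed); .1 answers with its MAC.
REQUEST = build_arp(1, "aa:bb:cc:00:00:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
REPLY = build_arp(2, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10")

if __name__ == "__main__":
    for pkt in (REQUEST, REPLY):
        print(parse_arp(pkt))
```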

ICMP: As an error messaging protocol, ICMP has a packet structure designed to provide
the necessary information to the recipient. Error data in ICMP is carried in two values: the
type and the code. The type of an ICMP packet identifies the overall message that the
packet is intended to convey. For example, a type value of 3 means that the intended
destination is unreachable. For some types, there are multiple code values intended to
provide additional information. For example, a type 3 ICMP message with code 0 points to
issues with the destination network, while code 1 means that the particular host is
unreachable. While many ICMP messages are designed to be sent as error messages in
response to packets of other protocols, some are designed to implement standalone
functionality. The purpose of ping is to determine whether the system at a certain IP
address exists and is currently functional, and whether a route to that system can be found.
Typing ping into the Windows or Linux terminal will send a series of ping packets and
report a percentage value for the reachability of the destination based upon the number of
ping requests that received a response.
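An added example (not from the original report) of decoding the ICMP type/code pair the paragraph describes, together with the header checksum that every ICMP packet carries: a valid packet's one's-complement sum, checksum field included, folds to zero, so a corrupted packet can be flagged before its type and code are trusted. The two packets below, a ping (echo request) and a type 3 / code 1 "host unreachable" error, are constructed for the example; the identifier value 0x1234 is arbitrary.

```python
import struct

ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request",
              11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 3: "Port Unreachable"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Assemble an ICMP packet; the checksum is computed with its own field zeroed."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload

def parse_icmp(packet: bytes) -> dict:
    """Return type, code, a human-readable meaning, and whether the checksum verifies."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, csum, rest = struct.unpack("!BBHI", packet[:8])
    meaning = ICMP_TYPES.get(icmp_type, "Unknown type")
    if icmp_type == 3:                       # only some types sub-divide their meaning by code
        meaning += " / " + UNREACHABLE_CODES.get(code, f"code {code}")
    return {"type": icmp_type, "code": code, "meaning": meaning,
            "checksum_ok": inet_checksum(packet) == 0,   # a valid packet sums to zero
            "payload": packet[8:]}

# Constructed samples: a ping request (identifier 0x1234, sequence 1) and a host-unreachable
# error whose payload stands in for the quoted IP header of the packet that failed.
ECHO_REQUEST = build_icmp(8, 0, rest=(0x1234 << 16) | 1, payload=b"ping")
HOST_UNREACHABLE = build_icmp(3, 1, payload=b"\x45\x00" + b"\x00" * 26)
CORRUPTED = HOST_UNREACHABLE[:-1] + b"\x01"     # one payload byte flipped in transit

if __name__ == "__main__":
    for pkt in (ECHO_REQUEST, HOST_UNREACHABLE, CORRUPTED):
        print(parse_icmp(pkt))
```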

The ICMP protocol is designed to provide error information and perform simple diagnostic
actions (like ping), which also makes it useful in incident response. As such, even passive
monitoring of ICMP traffic on a network can provide a wealth of data to an adversary. Eavesdropping
on ICMP packets can help to identify the hosts on a network and whether certain systems are up,
down or malfunctioning. However, an attacker can also actively use ICMP in a number of different
ways. Two of the most common are using the protocol for network scanning/mapping and
for data exfiltration and command-and-control.
