
Name-Ashish Anubhav Maharana

Roll No-121CS0184

Q1: Answer the following questions for the captured file http.pcap (HTTP Protocol)

1. List 3 different protocols that appear in the protocol column in the unfiltered packet-listing window in step 7 above.

Ans).
ARP (Address Resolution Protocol):
Purpose: ARP is used to map an IP address to a physical MAC (Media
Access Control) address on a local network. When a device wants to
communicate with another device on the same network, it needs to know
the MAC address associated with the IP address of the target device.
Operation: The device sends an ARP request broadcast asking, "Who has
this IP address?" The device with the corresponding IP address responds
with its MAC address, and the mapping is stored in an ARP table.

DNS (Domain Name System):
Purpose: DNS is a hierarchical and distributed naming system that
translates human-readable domain names (like www.example.com) into IP
addresses that computers use to identify each other on the internet. It
serves as a directory for the internet, allowing users to access websites
using easily memorable names.
Operation: When you type a domain name into a web browser, the DNS
system is queried to obtain the corresponding IP address. DNS operates in
a hierarchical manner, with various levels of servers (such as root servers,
top-level domain servers, and authoritative servers) working together to
resolve domain names.

HTTP (Hypertext Transfer Protocol):
Purpose: HTTP is a protocol used
for transferring hypertext (text with links, images, videos, etc.) between a
web server and a web browser. It is the foundation of data communication
on the World Wide Web.
Operation: When you enter a URL into your browser, the browser uses DNS
to obtain the IP address of the corresponding web server. Once the IP
address is obtained, an HTTP request is sent to the server to retrieve the
web page. The server responds with the requested data, and the browser
renders it for the user.
2. How long did it take from when the HTTP GET message was sent until the
HTTP OK reply was received? (By default, the value of the Time column in
the packet-listing window is the amount of time, in seconds, since
Wireshark tracing began. To display the Time field in time-of-day format,
select the Wireshark View pull-down menu, then select Time Display Format,
then select Time of Day.)

GET --- Jul 29, 2017 12:49:07.666222000 IST
OK  --- Jul 29, 2017 12:49:08.025201000 IST

Time taken = Time(OK) - Time(GET)
           = 12:49:08.025201000 - 12:49:07.666222000
           = 0.358979 seconds

3. What is the Internet address of iitd.ac.in? What is the Internet address of your computer?

Ans)
Source (Computer): 192.168.43.153,
Destination (iitd.ac.in): 192.168.43.1

4. Print the two HTTP messages (GET and OK) referred to in question 2
above. To do so, select Print from the Wireshark File command menu, and
select the “Selected Packet Only” and “Print as displayed” radio buttons, and
then click OK.

For GET:-
773 total packets, 773 shown
No.  Time             Source          Destination     Protocol  Length  Info
239  12:49:07.666222  192.168.43.153  103.27.9.167    HTTP      473     GET /vacancies HTTP/1.1
Frame 239: 473 bytes on wire (3784 bits), 473 bytes captured (3784 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Jul 29, 2017 12:49:07.666222000 IST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1501312747.666222000 seconds
[Time delta from previous captured frame: 0.000130000 seconds]
[Time delta from previous displayed frame: 0.000130000 seconds]
[Time since reference or first frame: 76.328605000 seconds]
Frame Number: 239
Frame Length: 473 bytes (3784 bits)
Capture Length: 473 bytes (3784 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:http]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: HonHaiPr_8c:90:55 (e0:06:e6:8c:90:55), Dst: XiaomiCo_9e:9c:c3 (ac:c1:ee:9e:9c:c3)
Destination: XiaomiCo_9e:9c:c3 (ac:c1:ee:9e:9c:c3)
Source: HonHaiPr_8c:90:55 (e0:06:e6:8c:90:55)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.43.153, Dst: 103.27.9.167
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 459
Identification: 0x6ba3 (27555)
Flags: 0x40, Don't fragment
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x7086 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.43.153
Destination Address: 103.27.9.167
Transmission Control Protocol, Src Port: 33425, Dst Port: 80, Seq: 1, Ack: 1, Len: 407
Source Port: 33425
Destination Port: 80
[Stream index: 11]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 407]
Sequence Number: 1    (relative sequence number)
Sequence Number (raw): 2898992397
[Next Sequence Number: 408    (relative sequence number)]
Acknowledgment Number: 1    (relative ack number)
Acknowledgment number (raw): 1247631054
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 115
[Calculated window size: 14720]
[Window size scaling factor: 128]
Checksum: 0x9ff5 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[Timestamps]
[Time since first frame in this TCP stream: 0.087703000 seconds]
[Time since previous frame in this TCP stream: 0.000130000 seconds]
[SEQ/ACK analysis]
TCP payload (407 bytes)
Hypertext Transfer Protocol
GET /vacancies HTTP/1.1\r\n
Host: ird.iitd.ac.in\r\n
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0)
Gecko/20100101 Firefox/18.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-US,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Referer: http://www.iitd.ac.in/\r\n
Cookie: SESS1f002926bf876664ed5383994cb4c1de=tunjfm6na70hvls5sh989n7cl2\r\n
Connection: keep-alive\r\n
\r\n
[Full request URI: http://ird.iitd.ac.in/vacancies]
[HTTP request 1/8]
[Response in frame: 249]
[Next request in frame: 251]

For OK:-

/home/nitr/Downloads/http.pcap 773 total packets, 773 shown

No.  Time             Source          Destination     Protocol  Length  Info
249  12:49:08.025201  103.27.9.167    192.168.43.153  HTTP      1296    HTTP/1.1 200 OK (text/html)
Frame 249: 1296 bytes on wire (10368 bits), 1296 bytes captured (10368 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Jul 29, 2017 12:49:08.025201000 IST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1501312748.025201000 seconds
[Time delta from previous captured frame: 0.003367000 seconds]
[Time delta from previous displayed frame: 0.003367000 seconds]
[Time since reference or first frame: 76.687584000 seconds]
Frame Number: 249
Frame Length: 1296 bytes (10368 bits)
Capture Length: 1296 bytes (10368 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:http:data-text-lines]
[Coloring Rule Name: HTTP]
[Coloring Rule String: http || tcp.port == 80 || http2]
Ethernet II, Src: XiaomiCo_9e:9c:c3 (ac:c1:ee:9e:9c:c3), Dst: HonHaiPr_8c:90:55 (e0:06:e6:8c:90:55)
Destination: HonHaiPr_8c:90:55 (e0:06:e6:8c:90:55)
Source: XiaomiCo_9e:9c:c3 (ac:c1:ee:9e:9c:c3)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 103.27.9.167, Dst: 192.168.43.153
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x28 (DSCP: AF11, ECN: Not-ECT)
Total Length: 1282
Identification: 0x2eec (12012)
Flags: 0x40, Don't fragment
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 50
Protocol: TCP (6)
Header Checksum: 0xb7de [validation disabled]
[Header checksum status: Unverified]
Source Address: 103.27.9.167
Destination Address: 192.168.43.153
Transmission Control Protocol, Src Port: 80, Dst Port: 33425, Seq: 4993, Ack: 408, Len: 1230
Source Port: 80
Destination Port: 33425
[Stream index: 11]
[Conversation completeness: Complete, WITH_DATA (31)]
[TCP Segment Len: 1230]
Sequence Number: 4993    (relative sequence number)
Sequence Number (raw): 1247636046
[Next Sequence Number: 6223    (relative sequence number)]
Acknowledgment Number: 408    (relative ack number)
Acknowledgment number (raw): 2898992804
1000 .... = Header Length: 32 bytes (8)
Flags: 0x018 (PSH, ACK)
Window: 235
[Calculated window size: 30080]
[Window size scaling factor: 128]
Checksum: 0xc7b0 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
[Timestamps]
[Time since first frame in this TCP stream: 0.446682000 seconds]
[Time since previous frame in this TCP stream: 0.003367000 seconds]
[SEQ/ACK analysis]
TCP payload (1230 bytes)
TCP segment data (1230 bytes)
[5 Reassembled TCP Segments (6222 bytes): #241(1248), #243(1248), #245(1248), #247(1248), #249(1230)]
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Date: Sat, 29 Jul 2017 07:19:07 GMT\r\n
Server: Apache/2.4.7 (Ubuntu)\r\n
X-Powered-By: PHP/5.5.9-1ubuntu4.21\r\n
Set-Cookie: SESS67ae76de3f79d5184113175027f6a687=u1vhqcc85l94aitde2tifirnj1; expires=Mon, 21-Aug-2017 10:52:27 GMT; Max-Age=2000000; path=/; domain=.ird.iitd.ac.in\r\n
Expires: Sun, 19 Nov 1978 05:00:00 GMT\r\n
Last-Modified: Sat, 29 Jul 2017 07:19:07 GMT\r\n
Cache-Control: store, no-cache, must-revalidate\r\n
Cache-Control: post-check=0, pre-check=0\r\n
Vary: Accept-Encoding\r\n
Content-Encoding: gzip\r\n
Content-Length: 5591\r\n
Keep-Alive: timeout=5, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=utf-8\r\n
\r\n
[HTTP response 1/8]
[Time since request: 0.358979000 seconds]
[Request in frame: 239]
[Next request in frame: 251]
[Next response in frame: 273]
[Request URI: http://ird.iitd.ac.in/vacancies]
Content-encoded entity body (gzip): 5591 bytes -> 34609 bytes
File Data: 34609 bytes
Line-based text data: text/html (491 lines)

5. Find the packet number that includes the HTTP GET message for the file IITD-IRD-122-2017.pdf. Also find the length of the file in bytes and the time when the file is downloaded successfully.

Ans)
Packet number that includes the HTTP GET message for the file IITD-IRD-122-2017.pdf = 478
Length of the file in bytes = 18533 bytes
Time when the file is downloaded successfully = Jul 29, 2017 12:49:13.700007000 IST

Q2: Open the http.pcap file given in the study material in Wireshark. Use File > Export Packet Dissections to save the data in CSV file format. Write C/C++/Java/Python code to read the data in the CSV file and print:

a. source IP addresses and destination IP addresses
b. source port numbers and destination port numbers
c. HTTP request and response messages

Ans)
# Install pandas first (the package is named "pandas", not "panda"):
# pip install pandas

import pandas as pd

# CSV written by File > Export Packet Dissections > As CSV. The default export has
# the columns No., Time, Source, Destination, Protocol, Length and Info; the
# 'Source Port' / 'Destination Port' columns used below exist only if tcp.srcport
# and tcp.dstport were added as packet-list columns in Wireshark before exporting.
csv_file_path = 'http.csv'
df = pd.read_csv(csv_file_path)

# a. Source IP addresses and destination IP addresses
source_dest_ips = df[['Source', 'Destination']]
print("Source and Destination IP addresses:")
print(source_dest_ips)

# b. Source port numbers and destination port numbers
source_dest_ports = df[['Source Port', 'Destination Port']]
print("\nSource and Destination Port numbers:")
print(source_dest_ports)

# c. HTTP request and response messages. Select on the Protocol column: the Info
# text of a request begins with the method (e.g. "GET /vacancies HTTP/1.1"), so
# filtering with Info.str.startswith('HTTP') would keep only the responses.
http_data = df[df['Protocol'] == 'HTTP']
http_requests_responses = http_data[['Source', 'Destination', 'Source Port', 'Destination Port', 'Info']]
print("\nHTTP Request and Response Messages:")
print(http_requests_responses)
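As an added example (not part of the submitted answer), the same exported CSV can be read with only the standard library, and the GET-to-OK delay asked for in Q1 question 2 recovered from the Time column by pairing each request with its response. The rows are constructed in the default export layout; frames 239 and 249 reuse the timings printed above, the other rows are made up.

```python
import csv
import io

# Constructed sample in the layout of Wireshark's "Export Packet Dissections > As CSV"
# with the default columns. Frames 239/249 reuse the page's timings; the rest are made up.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"238","76.328475","192.168.43.153","103.27.9.167","TCP","66","33425 > 80 [ACK] Seq=1 Ack=1 Win=14720 Len=0"
"239","76.328605","192.168.43.153","103.27.9.167","HTTP","473","GET /vacancies HTTP/1.1 "
"249","76.687584","103.27.9.167","192.168.43.153","HTTP","1296","HTTP/1.1 200 OK  (text/html)"
"251","76.700000","192.168.43.153","103.27.9.167","HTTP","480","GET /misc/drupal.js HTTP/1.1 "
"273","77.100000","103.27.9.167","192.168.43.153","HTTP","900","HTTP/1.1 200 OK  (application/javascript)"
"""

def load_packets(csv_text):
    """Parse the export; Time becomes seconds since capture start as a float."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["No."] = int(row["No."])
        row["Time"] = float(row["Time"])
    return rows

def http_messages(rows):
    """Select HTTP packets by the Protocol column. Testing Info.startswith('HTTP')
    would drop every request, whose Info starts with the method (GET, POST, ...)."""
    return [r for r in rows if r["Protocol"] == "HTTP"]

def pair_requests(http_rows):
    """Match each request to the next response flowing in the reverse direction.
    HTTP/1.1 answers requests on a connection in order, so a FIFO per (src, dst)
    pair suffices here; with parallel connections, export tcp.stream and key on it."""
    pending, pairs = {}, []
    for r in http_rows:
        if not r["Info"].startswith("HTTP/"):            # request line: METHOD URI VERSION
            pending.setdefault((r["Source"], r["Destination"]), []).append(r)
            continue
        queue = pending.get((r["Destination"], r["Source"]))
        if not queue:                                     # response with no seen request
            continue
        req = queue.pop(0)
        pairs.append({
            "request_frame": req["No."], "response_frame": r["No."],
            "uri": req["Info"].split()[1], "status": r["Info"].split()[1],
            "delay_s": round(r["Time"] - req["Time"], 6),
        })
    return pairs

if __name__ == "__main__":
    for p in pair_requests(http_messages(load_packets(SAMPLE_CSV))): print(p)
```

For frame 239 the computed delay is the same 0.358979 s that Wireshark reports as [Time since request] in the OK packet.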
