J.N.T.U.H.

UNIVERSITY COLLEGE OF ENGINEERING, SCIENCE &

TECHNOLOGY HYDERABAD

KUKATPALLY, HYDERABAD – 500 085

Certificate
Certified that this is the bonafide record of the practical work done during

the academic year by

Name

Roll Number Class

in the Laboratory of__________________________________________________________________

of the Department of _________________________________________________________________

Signature of the Staff Member Signature of the Head of the Department

Date of Examination________________________

Signature of the Examiner/s

Internal Examiner External Examiner

 J.N.T.U.H. UNIVERSITY COLLEGE OF ENGINEERING, SCIENCE &
TECHNOLOGY HYDERABAD

KUKATPALLY, HYDERABAD – 500

085

Name Roll Number

Class Year _ Laboratory

List of
Experiments
S.No. Name of the Experiment Date of Page Marks Remarks
Experiment Number
1. Perform an Experiment for port scanning with nmap

Nmap :
Nmap (“Network Mapper”) is an open source tool for network
exploration and security auditing. It was designed to rapidly scan large
networks, although it works fine against single hosts. Nmap uses raw IP packets
in novel ways to determine what hosts are available on the network, what
services (application name and version) those hosts are offering, what operating
systems (and OS versions) they are running, what type of packet filters/firewalls
are in use, and dozens of other characteristics. While Nmap is commonly used
for security audits, many systems and network administrators find it useful for
routine tasks such as network inventory, managing service upgrade schedules,
and monitoring host or service uptime.

Zenmap :
Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform
(Linux, Windows, Mac OS X, BSD, etc.) free and open source application
which aims to make Nmap easy for beginners to use while providing advanced
features for experienced Nmap users. Frequently used scans can be saved as
profiles to make them easy to run repeatedly. A command creator allows
interactive creation of Nmap command lines. Scan results can be saved and
viewed later. Saved scan results can be compared with one another to see how
they differ. The results of recent scans are stored in a searchable database.

Nmap Output:
The “Nmap Output” tab is displayed by default when a scan is run. It
shows the familiar Nmap terminal output. The display highlights parts of the
output according to their meaning; for example, open and closed ports are
displayed in different colors. Custom highlights can be configured in zenmap.
Ports/Hosts Tab :
The “Ports / Hosts” tab's display differs depending on whether a host or a
service is currently selected. When a host is selected, it shows all the interesting
ports on that host, along with version information when available.
Topology Tab :
Zenmap's “Topology” tab provides an interactive, animated visualization
of the connections between hosts on a network. Hosts are shown as nodes on a
graph that extends radially from the center. Click and drag to pan the display,
and use the controls provided to zoom in and out.

Host Details Tab :

The “Host Details” tab breaks all the information about a single host into
a hierarchical display. Shown are the host's names and addresses, its state (up or
down), and the number and status of scanned ports. The host's uptime, operating
system, OS icon and other associated details are shown when available. When
no exact OS match is found, the closest matches are displayed.
Scans Tab :

The “Scans” tab shows all the scans that are aggregated to make up the
network inventory. From this tab you can add scans (from a file or directory)
and remove scans.

While a scan is executing and not yet complete, its status is “Running”. You
may cancel a running scan by clicking the “Cancel Scan” button.
2.Setup a honepot and monitor the honipot on the network

Honeypot :
Honey Pot is a device placed on Computer Network specifically
designed to capture malicious network traffic. KF Sensor is the tool to setup as
honeypot when KF Sensor is running it places a siren icon in the windows
system tray in the bottom right of the screen. If
there are no alerts then green icon is displayed.
A honeypot is a computer system that is set up to act as a decoy
to lure cyberattackers, and to detect, deflect or study attempts to gain
unauthorized access to informationsystems. Generally, it consists of a
computer, applications, and data that simulate thebehavior of a real system
that appears to be part of a network but is actually isolated andclosely
monitored. All communications with a honeypot are considered hostile, as
there's noreason for legitimate users to access a honeypot. Viewing and
logging this activity canprovide an insight into the level and types of
threat a network infrastructure faces whiledistracting attackers away from
assets of real value. Honeypots can be classified based ontheir deployment
(use/action) and based on their level of involvement.Based on deployment,
honeypots may be classified as:1. Production honeypots2. Research
honeypotsProduction honeypots are easy to use, capture only limited
information, and are usedprimarily by companies or corporations.
Production honeypots are placed inside theproduction network with other
production servers by an organization to improve their overallstate of security.
Normally, production honeypots are low-interaction honeypots, which
areeasier to deploy. They give less information about the attacks or
attackers than researchhoneypots.Research honeypots are run to gather
information about the motives and tactics of the Blackhat community targeting
different networks. These honeypots do not add direct value to aspecific
organization; instead, they are used to research the threats that organizations
face andto learn how to better protect against those threats.

KF SENSOR:
KFSensor is a Windows based honeypot Intrusion Detection System
(IDS). It acts asa honeypot to attract and detect hackers and worms by
simulating vulnerable system servicesand trojans. By acting as a decoy
server it can divert attacks from critical systems andprovide a higher level
of information than can be achieved by using firewalls and NIDSalone.
KFSensor is a system installed in a network in order to divert and study an
attacker’sbehavior. This is a new technique that is very effective in detecting
attacks.The main feature of KFSensor is that every connection it receives is a
suspect hence itresults in very few false alerts. At the heart of KFSensor sits a
powerful internet daemonservice that is built to handle multiple ports and IP
addresses. It is written to resist denial ofservice and buffer overflow attacks.
Building on this flexibility KFSensor can respond toconnections in a
variety of ways, from simple port listening and basic services (such
asecho), to complex simulations of standard system services. For the HTTP
protocol KFSensoraccurately simulates the way Microsoft’s web server (IIS)
responds to both valid and invalidrequests. As well as being able to host a
website it also handles complexities such as rangerequests and client side cache
negotiations. This makes it extremely difficult for an attackerto fingerprint, or
identify KFSensor as a honeypot.

PROCEDURE:

STEP-1: Download KF Sensor Evaluation Setup File from KF Sensor Website.

STEP-2: Install with License Agreement and appropriate directory path.

STEP-3: Reboot the Computer now. The KF Sensor automatically starts

during windows boot.

STEP-4: Click Next to setup wizard.

STEP-5: Select all port classes to include and Click Next.

STEP-6: “Send the email and Send from email”, enter the ID and Click Next.

STEP-7: Select the options such as Denial of Service[DOS], Port Activity,

Proxy Emulsion, Network Port Analyzer, Click Next.

STEP-8: Select Install as System service and Click Next.

STEP-9: Click finish.

3.Instal a jcrpt tool(or any other eqvivalent ) and demonstrate Asymmetric
,Symmetric crypto algorithm ,Hash and Digital/PKI signatures studied in
theory Network security and management

1. Installation of JCrypTool:

● JCrypTool can be downloaded and installed from the official website:

JCrypTool Download Page

2. Launch JCrypTool:

● After installation, launch JCrypTool from the installed location or desktop

shortcut.

3. Demonstrate Asymmetric Encryption and Decryption:

● In JCrypTool, navigate to the asymmetric cryptography module.

● Generate a key pair (public and private key).
● Encrypt a message using the public key.
● Decrypt the encrypted message using the corresponding private key.
4. Demonstrate Symmetric Encryption and Decryption:

● In JCrypTool, navigate to the symmetric cryptography module.

● Generate a symmetric key.
● Encrypt a message using the symmetric key.
● Decrypt the encrypted message using the same symmetric key.
5. Generate Hashes:

● In JCrypTool, navigate to the hash functions module.

● Select a hash algorithm (e.g., SHA-256).
● Input the data (e.g., a text message or file) to generate its hash.

6. Generate Digital Signatures:

● In JCrypTool, navigate to the digital signatures module.

● Generate a key pair (public and private key).
● Sign a message or file using the private key.
● Verify the signature using the corresponding public key.
7. Write a program to perform encryption and decryption using the
following substitution ciphers.

8. Caeser cipher

#include<stdio.h>
#include<string.h>
#define SIZE 100
void main(){
char plain[SIZE],cipher[SIZE],final[SIZE];
int key;
int i,k=0;
printf("Enter the plain text :");
gets(plain);
printf("Enter the key :");
scanf("%d",&key);
key = key%26;

for(i=0;i<strlen(plain);i++){
if(plain[i]>='a'&&plain[i]<='z'){
if(plain[i]+key>'z')
cipher[i] = 'a'+(plain[i]+key-'z')-1;
else
cipher[i] =plain[i]+key;
}
else if(plain[i]>='A'&&plain[i]<='Z'){
if(plain[i]+key>'Z')
cipher[i] = 'A'+(plain[i]+key-'Z')-1;
else
cipher[i] =plain[i]+key;
}
else
cipher[i] = plain[i];
}
cipher[i] = '\0';
printf("The encrypted text is :%s ",cipher);

for(i=0;i<strlen(cipher);i++){
if(cipher[i]>='a'&&cipher[i]<='z'){
if(cipher[i]-key<'a')
final[i] = 'z'-('a'-(cipher[i]-key))+1;
else
final[i] =cipher[i]-key;
}
else if(cipher[i]>='A'&&cipher[i]<='Z'){
if(cipher[i]-key<'A')
final[i] = 'Z'-('A'-(cipher[i]-key))+1;
else
final[i] =cipher[i]-key;
}

else
final[i] = cipher[i];
}
final[i] ='\0';
printf("\n The decrypted text is :%s ",final);
}
OUTPUT:
9. Play Fair
#include<stdio.h>
#include<string.h>
#define SIZE 100
void removeSpaces(char plain[]){
int i;
int ptr=0;
for(i=0;i<strlen(plain);i++){
if(plain[i]!=' ')
plain[ptr++]=plain[i];
}
plain[ptr]='\0';

}
void toLowerCase(char plain[]){
int i;
for(i=0;i<strlen(plain);i++){
if(plain[i]>64&&plain[i]<91)
plain[i]+=32;
}
}
int mod5(int a){
if(a<0)
a+=5;
return (a%5);
}
void generateTable(char keyTable[5][5],char key[],int ks){
int occur[26];
int k;
int i=0,j=0;
for(k=0;k<26;k++)
occur[k] = 0;
for(k=0;k<ks;k++)
occur[key[k] -97] = 2;
occur['j'-97]=1;
for(k=0;k<ks;k++){
if(occur[key[k]-97]==2){
occur[key[k]-97]=1;
keyTable[i][j] = key[k];
j++;
if(j==5){
j=0;i++;
}
}
}
for(k=0;k<26;k++){
if(occur[k]==0){
keyTable[i][j] = (char)(k+97);
j++;
if(j==5){
j=0;i++;
}
}
}
}
void prepare(char str[]){
char ptr[SIZE];
int k=0;
int i=0;
int l;
while(i<strlen(str)){
ptr[k++] = str[i];
if(str[i] == str[i+1] && i+1 < strlen(str)){
if(str[i] == 'x')
ptr[k++] = 'z';
else
ptr[k++] = 'x';
i =i+1;
continue;
}
ptr[k++] = str[i+1];
i+=2;
}
ptr[k]='\0';
strcpy(str,ptr);
l = strlen(str);
if(l%2!=0){
str[l] = 'z';
str[l+1]='\0';
}
}
void find(int arr[],char keyTable[][5],char a,char b){
int i,j;
if(a=='j')
a='i';
if(b=='j')
b = 'i';
for(i=0;i<5;i++){
for(j=0;j<5;j++){
if(keyTable[i][j] == a){
arr[0] = i;
arr[1] = j;
}
else if(keyTable[i][j]==b){
arr[2]=i;
arr[3] =j;
}
}
}
}
void encrypt(char plain[],char keyTable[][5],char en[]){
int i;
int arr[4];
for(i=0;i<strlen(plain);i+=2){
find(arr,keyTable,plain[i],plain[i+1]);
if(arr[0]==arr[2]){
en[i] = keyTable[arr[0]][mod5(arr[1]+1)];
en[i+1] = keyTable[arr[0]][mod5(arr[3]+1)];
}
else if(arr[1] == arr[3]) {
en[i] = keyTable[mod5(arr[0]+1)][arr[1]];
en[i+1] = keyTable[mod5(arr[2]+1)][arr[3]];
}
else{
en[i] = keyTable[arr[0]][arr[3]];
en[i+1] = keyTable[arr[2]][arr[1]];
}
}
en[i] ='\0';
}
void decrypt(char plain[],char keyTable[][5],char den[]){
int i;
int arr[4];
for(i=0;i<strlen(plain);i+=2){
find(arr,keyTable,plain[i],plain[i+1]);
if(arr[0]==arr[2]){
den[i] = keyTable[arr[0]][mod5(arr[1]+4)];
den[i+1] = keyTable[arr[0]][mod5(arr[3]+4)];
}
else if(arr[1] == arr[3]) {
den[i] = keyTable[mod5(arr[0]+4)][arr[1]];
den[i+1] = keyTable[mod5(arr[2]+4)][arr[3]];
}
else{
den[i] = keyTable[arr[0]][arr[3]];
den[i+1] = keyTable[arr[2]][arr[1]];
}
}
den[i] ='\0';
}
void main(){
char key[SIZE],plain[SIZE],cipher[SIZE],decipher[SIZE];
char keyTable[5][5];
int ks,ps;
printf("Enter the plain text :");
gets(plain);
printf("Enter the key:");
gets(key);
removeSpaces(plain);
removeSpaces(key);
toLowerCase(plain);
toLowerCase(key);
prepare(plain);
ks = strlen(key);
generateTable(keyTable,key, ks);
encrypt(plain,keyTable,cipher);
printf("\nThe cipher text is : %s ",cipher);
decrypt(cipher,keyTable,decipher);
printf("\nThe text after decryption is %s",decipher);
}

Output:
10. Hill Cipher

#include<stdio.h>
#include<string.h>
#include<conio.h>
#include<stdlib.h>
#define SIZE 100
int modInv(int a, int m){
int x;
a = a%m;
for(x=1;x<m;x++){
if((a*x)%m==1)
return x;
}
return -1;
}
void encrypt(char plain[],int a,int b, int keyT[2][2],char en[]){
int p[2],c[2];
int i,j,k;
int sum;
p[0] = plain[a]-97;
p[1] = plain[b]-97;
for(i=0;i<2;i++){
c[i]=0;
for(k=0;k<2;k++){
c[i] += keyT[i][k] * p[k];
}
}
en[a] = (c[0]%26)+'a';
en[b] = (c[1]%26)+'a';
}
int main(){
char plain[100],cipher[100],final[100],key[4];
int i,j,k;
char c;
int d[2];
int q=0;
int keyT[2][2],keyInv[2][2];
int detInv,det;
int temp,sum;
printf("Enter the plain text :");
gets(plain);
printf("Enter the key :");
gets(key);
k=0;
for(i=0;i<2;i++){
for(j=0;j<2;j++){
keyT[i][j]=key[k++]-97;
}
}
i=strlen(plain);
if(strlen(plain)%2!=0){
plain[strlen(plain)]='x';
plain[i+1]='\0';
}
for(i=0;i<strlen(plain);i+=2){
encrypt(plain,i,i+1,keyT,cipher);
}
cipher[i]='\0';

printf("The encrypted text is : %s",cipher);

for(i=0;i<2;i++){
for(j=0;j<2;j++){
keyInv[i][j] = keyT[i][j];
}
}
det=keyInv[0][0]*keyInv[1][1] - keyInv[1][0]*keyInv[0][1];
detInv = modInv(det,26);
if(detInv==-1){
printf("\nNOT POSSIBLE");
getch();
return-1;
}
temp = keyInv[0][0];
keyInv[0][0] = keyInv[1][1];
keyInv[1][1] = temp;
keyInv[0][1] = -(keyInv[0][1]);
keyInv[1][0] = -(keyInv[1][0]);
keyInv[0][0] = (keyInv[0][0]%26 + 26)%26;
keyInv[1][1] = (keyInv[1][1]%26 + 26)%26;
keyInv[1][0] = (keyInv[1][0]%26 + 26)%26;
keyInv[0][1] = (keyInv[0][1]%26 + 26)%26;
for(i=0;i<strlen(cipher);i+=2){
d[0] = cipher[i]-97;
d[1] = cipher[i+1]-97;
for(j=0;j<2;j++){
sum=0;
for(k=0;k<2;k++){
sum+=keyInv[j][k]*d[k];
}
final[q++]=(char)(((sum*detInv)%26+26)%26 + 'a');
}
}
final[q]='\0';
printf("\nThe text obtained after decryption is :%s ",final);

getch();
return 0;

}
Output:
11. Write a program to implement the DES algorithm.
#include<stdio.h>
#include<conio.h>
int S0[4][4]={{1,0,3,2},{3,2,1,0},{0,2,1,3},{3,1,3,2}};
int S1[4][4]={{0,1,2,3},{2,0,1,3},{3,0,1,0},{2,1,0,3}};
int p8[8] = {5,2,6,3,7,4,9,8};
int p10[10] ={2,4,1,6,3,9,0,8,7,5};
int ip[8]={1,5,2,0,3,7,4,6};
int iip[8] = {3,0,2,4,6,1,7,5};
int ep[8]={7,4,5,6,5,6,7,4};
int p4[4] = {1,3,2,0};
void LS(int perm10[],int l){
int i,x,k;
for(x=0;x<l;x++)
{ k = perm10[0];
for(i=0;i<4;i++)
perm10[i] = perm10[i+1];
perm10[4] = k;
k = perm10[5];
for(i=5;i<9;i++)
perm10[i] = perm10[i+1];
perm10[9] = k;
}
}
void swap(int arr[]){
int i,temp;
for(i=0;i<4;i++)
{ temp = arr[i] ;
arr[i] = arr[i+4];
arr[i+4] = temp;

}
}
void encrypt(int arr[], int key[]){
int i,exp[8],valS0,valS1,perm4[4],val[4];
for(i=0;i<8;i++){
 exp[i] = arr[ep[i]];
exp[i] ^= key[i];
}
valS0 = S0[exp[0]*2 + exp[3]][exp[1]*2+exp[2]];
valS1 = S1[exp[4]*2 + exp[7]][exp[5]*2+exp[6]];
val[0] = valS0/2;
val[1] = valS0%2;
val[2] = valS1/2;
val[3] = valS1%2;
for(i=0;i<4;i++){
perm4[i] = val[p4[i]];
arr[i] ^= perm4[i];
}

}
void main(){
int plain[8],cipher[8],final[8],arr[8],key[10],perm10[10],key1[8],key2[8],i;
printf("Enter 8 bit plain text :");
for(i=0;i<8;i++)
scanf("%d",&plain[i]);
printf("Enter a 10 bit key :");
for(i=0;i<10;i++)
scanf("%d",&key[i]);
for(i=0;i<10;i++)
perm10[i] = key[p10[i]];
LS(perm10,1);
for(i=0;i<8;i++)
key1[i] = perm10[p8[i]];

LS(perm10,2);
for(i=0;i<8;i++)
key2[i] = perm10[p8[i]];
printf("The key 1 is :");
for(i=0;i<8;i++)
printf("%d ",key1[i]);

printf("\nThe key 2 is :");

 for(i=0;i<8;i++)
printf("%d ",key2[i]);
for(i=0;i<8;i++)
arr[i] = plain[ip[i]];
encrypt(arr,key1);
swap(arr);
encrypt(arr,key2);
for(i=0;i<8;i++)
cipher[i] = arr[iip[i]];
printf("\nThe cipher text is :");
for(i=0;i<8;i++)
printf("%d ",cipher[i]);
for(i=0;i<8;i++)
arr[i] = cipher[ip[i]];
encrypt(arr,key2);
swap(arr);
encrypt(arr,key1);
for(i=0;i<8;i++)
final[i] = arr[iip[i]];
printf("\nThe plain text is :");
for(i=0;i<8;i++)
printf("%d ",final[i]);

getch();
}

OUTPUT:
12. Write a program to implement RSA algorithm.

#include <stdio.h>
int gcd(int a, int b){
if(b==0)
return a;
else
return gcd(b,a%b);
}
int powr(int M, int e, int n){
int i;
int res =1;
for(i=0;i<e;i++)
res = ((res%n)*(M%n))%n;
return res;

}
int main()
{ int M,e,d,n,phin,p,q,c,m;
printf("Enter two large primes :");
scanf("%d%d",&p,&q);
n=p*q;
e=2;d=1;
phin=(p-1)*(q-1);
while(e<phin){
if(gcd(e,phin)==1)
break;
e++;
}
while(d<phin){
if((e*d)%phin==1)
break;
d++;

}
printf("The values of e and d are : %d and %d ",e,d);
printf("\nEnter the plain text :");
 scanf("%d",&M);
c=powr(M,e,n) ;
printf("\nThe encryted text is %d ",c);
m = powr(c,d,n);
printf("\nThe decryted text is %d ",m);

return 0;
}

OUTPUT:
13. Calculate the message digest of a text using the SHA-1 algorithm.

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LEFTROTATE(x, c) (((x) << (c)) | ((x) >> (32 - (c))))

void sha1(const uint8_t *message, uint32_t len, uint8_t *digest);

int main() {
char message[100];
int i;

printf("Enter the message: ");

scanf("%[^\n]", message);

uint8_t digest[20]; // SHA-1 produces a 160-bit (20-byte) digest

sha1((uint8_t *)message, strlen(message), digest);

printf("SHA-1 digest: ");

for (i = 0; i < 20; ++i) {
printf("%02x", digest[i]);
}
printf("\n");

return 0;
}
void sha1(const uint8_t *message, uint32_t len, uint8_t *digest) {
uint32_t h0, h1, h2, h3, h4;
uint32_t a, b, c, d, e, f, k, temp;
uint32_t *w = (uint32_t *)malloc(80 * sizeof(uint32_t));
int i, j;

h0 = 0x67452301;
h1 = 0xEFCDAB89;
h2 = 0x98BADCFE;
h3 = 0x10325476;
h4 = 0xC3D2E1F0;

uint8_t *padded_message = (uint8_t *)malloc((len + 64) * sizeof(uint8_t));

memcpy(padded_message, message, len);

uint64_t bit_len = len * 8;

padded_message[len++] = 0x80;

while (len % 64 != 56) {

padded_message[len++] = 0;
}

for (i = 0; i < 8; ++i) {

padded_message[len++] = (bit_len >> ((7 - i) * 8)) & 0xFF;
}

for (i = 0; i < len; i += 64) {

for (j = 0; j < 16; ++j) {

w[j] = (padded_message[i + j * 4] << 24) |
(padded_message[i + j * 4 + 1] << 16) |
(padded_message[i + j * 4 + 2] << 8) |
(padded_message[i + j * 4 + 3]);
}

for (j = 16; j < 80; ++j) {

w[j] = LEFTROTATE((w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16]), 1);
}
a = h0;
b = h1;
c = h2;
d = h3;
e = h4;

for (j = 0; j < 80; ++j) {

if (j < 20) {
f = (b & c) | ((~b) & d);
k = 0x5A827999;
} else if (j < 40) {
f = b ^ c ^ d;
k = 0x6ED9EBA1;
} else if (j < 60) {
f = (b & c) | (b & d) | (c & d);
k = 0x8F1BBCDC;
} else {
f = b ^ c ^ d;
k = 0xCA62C1D6;
}

temp = LEFTROTATE(a, 5) + f + e + k + w[j];

e = d;
d = c;
c = LEFTROTATE(b, 30);
b = a;
a = temp;
}

h0 += a;
h1 += b;
h2 += c;
h3 += d;
h4 += e;
 }

digest[0] = (h0 >> 24) & 0xFF;

digest[1] = (h0 >> 16) & 0xFF;
digest[2] = (h0 >> 8) & 0xFF;
digest[3] = h0 & 0xFF;
digest[4] = (h1 >> 24) & 0xFF;
digest[5] = (h1 >> 16) & 0xFF;
digest[6] = (h1 >> 8) & 0xFF;
digest[7] = h1 & 0xFF;
digest[8] = (h2 >> 24) & 0xFF;
digest[9] = (h2 >> 16) & 0xFF;
digest[10] = (h2 >> 8) & 0xFF;
digest[11] = h2 & 0xFF;
digest[12] = (h3 >> 24) & 0xFF;
digest[13] = (h3 >> 16) & 0xFF;
digest[14] = (h3 >> 8) & 0xFF;
digest[15] = h3 & 0xFF;
digest[16] = (h4 >> 24) & 0xFF;
digest[17] = (h4 >> 16) & 0xFF;
digest[18] = (h4 >> 8) & 0xFF;
digest[19] = h4 & 0xFF;

free(w);
free(padded_message);
}
14. Working with sniffers for monitoring network communication
(Wireshark).
Introduction
Wireshark is a free open source network protocol analyzer. It is used for
network troubleshooting and communication protocol analysis. Wireshark
captures network packets in real time and display them in human-readable
format. It provides many advanced features including live capture and offline
analysis, three-pane packet browser, coloring rules for analysis. This document
uses Wireshark for the experiments, and it covers Wireshark installation, packet
capturing, and protocol analysis

Getting Wireshark
The Kai Linux has Wireshark installed. You can just launch the Kali Linux VM
and open Wireshark there. Wireshark can also be downloaded from here:
https://www.wireshark.org/download.html

Starting Wireshark
When you run the Wireshark program, the Wireshark graphic user interface will
be shown. Currently, the program is not capturing the packets.Then, you need to
choose an interface. If you are running the Wireshark on your laptop, you need
to select WiFi interface. If you are at a desktop, you need to select the Ethernet
interface being used. Note that there could be multiple interfaces. In general,
you can select any interface but that does not mean that traffic will flow through
that interface. The network interfaces (i.e., the physical connections) that your
computer has to the network are shown. The attached Figure 6 was taken from
my computer. After you select the interface, you can click start to capture the
packets
The command menus are standard pulldown menus located at the top of the
window. Of interest to us now is the File and Capture menus. The File menu
allows you to save captured packet data or open a file containing previously
captured packet data, and exit the Wireshark application. The Capture menu
allows you to begin packet capture.
The packet-listing window displays a one-line summary for each packet
captured, including the packet number (assigned by Wireshark; this is not a
packet number contained in any protocol’s header), the time at which the packet
was captured, the packet’s source and destination addresses, the protocol type,
and protocol-specific information contained in the packet. The packet listing can
be sorted according to any of these categories by clicking on a column name.
The protocol type field lists the highestlevel protocol that sent or received this
packet, i.e., the protocol that is the source or ultimate sink for this packet.

The packet-header details window provides details about the packet selected
(highlighted) in the packet-listing window. (To select a packet in the
packet-listing window, place the cursor over the packet’s one-line summary in
the packet-listing window and click with the left mouse button.). These details
include information about the Ethernet frame and IP datagram that contains this
packet. The amount of Ethernet and IP-layer detail displayed can be expanded
or minimized by clicking on the rightpointing or down-pointing arrowhead to
the left of the Ethernet frame or IP datagram line in the packet details window.
If the packet has been carried over TCP or UDP, TCP or UDP details will also
be displayed, which can similarly be expanded or minimized. Finally, details
about the highest-level protocol that sent or received this packet are also
provided. The packet-contents window displays the entire contents of the
captured frame, in both ASCII and hexadecimal format.
Towards the top of the Wireshark graphical user interface, is the packet display
filter field, into which a protocol name or other information can be entered in
order to filter the information displayed in the packet-listing window (and hence
the packet-header and packet-contents windows). In the example below, we’ll
use the packet-display filter field to have Wireshark hide (not display) packets
except those that correspond to HTTP messages

Capturing Packets
After downloading and installing Wireshark, you can launch it and click the
name of an interface under Interface List to start capturing packets on that
interface. For example, if you want to capture traffic on the wireless network,
click your wireless interface. Test Run Do the following steps: 1. Start up the
Wireshark program (select an interface and press start to capture packets). 2.
Start up your favorite browser (ceweasel in Kali Linux). 3. In your browser, go
to Wayne State homepage by typing www.wayne.edu. 4. After your browser has
displayed the http://www.wayne.edu page, stop Wireshark packet capture by
selecting stop in the Wireshark capture window. This will cause the Wireshark
capture window to disappear and the main Wireshark window to display all
packets captured since you began packet capture see image below

5. Color Coding: You’ll probably see packets highlighted in green, blue, and
black. Wireshark uses colors to help you identify the types of traffic at a glance.
By default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP
traffic, and black identifies TCP packets with problems — for example, they
could have been delivered out-of-order. 6. You now have live packet data that
contains all protocol messages exchanged between your computer and other
network entities! However, as you will notice the HTTP messages are not
clearly shown because there are many other packets included in the packet
capture. Even though the only action you took was to open your browser, there
are many other programs in your computer that communicate via the network in
the background. To filter the connections to the ones we want to focus on, we
have to use the filtering functionality of Wireshark by typing “http” in the
filtering field as shown below
Notice that we now view only the packets that are of protocol HTTP. However,
we also still do not have the exact communication we want to focus on because
using HTTP as a filter is not descriptive enough to allow us to find our
connection to http://www.wayne.edu. We need to be more precise if we want to
capture the correct set of packets. Fengwei Zhang- CSC 5991 Cyber Security
Practice 12 7. To further filter packets in Wireshark, we need to use a
more precise filter. By setting the http.host==www.wayne.edu, we are
restricting the view to packets that have as an http host the www.wayne.edu
website. Notice that we need two equal signs to perform the match “==” not just
one. See the screenshot below:
8. Now, we can try another protocol. Let’s use Domain Name System (DNS)
protocol as an example here

9. Let’s try now to find out what are those packets contain by following one of
the conversations (also called network flows), select one of the packets and
press the right mouse button (if you are on a Mac use the command button and
click
10. If we close this window and change the filter back to
“http.host==www.wayne.edu” and then follow a packet from the list of packets
that match that filter, we should get the something similar to the following
screens. Note that we click on Follow TCP Stream this time.