Practical-1 Module-1: Packet Analysis using Wireshark

Basic Packet Inspection: Capture network traffic using Wireshark and analyze basic protocols like HTTP, DNS, and SMTP to understand how data is transmitted and received.

Wireshark captures the data coming or going through the NICs on its device by using an underlying packet capture library. By default Wireshark sees only the traffic addressed to or sent by the capturing device, but in promiscuous mode the NIC hands it every frame it receives. On a hub, or on a wireless adapter in monitor mode, that is close to all traffic on the segment; on a switched LAN it only adds broadcast, multicast and whatever the switch mirrors to that port (SPAN/port mirroring or a network tap), because a switch forwards unicast frames only to their destination port. On Windows, Wireshark captures through Npcap, the packet capture driver maintained by the Nmap project; on Linux, macOS and other Unix-like systems it uses libpcap.

Packet sniffing means intercepting data packets as they pass through a network, just like looking inside envelopes in the mail. Experts use tools like Wireshark and tcpdump to track, troubleshoot, or secure networks. The packet analyzer Wireshark functions as a magnifying glass: it captures and organizes the packets so you can pore over them looking for faults and for malicious traffic. tcpdump is a lighter command-line tool that is even faster at grabbing data off the wire; it has no graphical interface, but it prints each packet as a line of text and is available on practically every Unix-like system. In general, packet sniffing tools offer close monitoring of network data flow and help protect networks.

Primary Terminologies

1. Packet
A packet is like a courier carrying data in two forms: the actual information being sent (the payload) and the delivery instructions (the headers, which carry source and destination addresses much as an envelope carries its addresses). Just as a postal service keeps the contents of a letter separate from its address for processing and onward routing, separating headers from payload lets routers forward data across networks without having to understand what it contains.

2. Packet sniffing
Packet sniffing is a sort of digital investigator among computer networks. It listens in on conversations flowing across the network like a surveillance camera: it catches and records data packets, giving network managers and security experts a glimpse into what they contain.
This makes it easier to detect anomalies, fix network problems, and identify security vulnerabilities. But it should remain subject to legal and ethical constraints, so as not to violate the privacy rights of individuals or take data without authority.

3. Wireshark
Wireshark is the wizard's crystal ball, a way to examine in depth how computer networks actually work. It decodes network protocols, capturing live data streams and translating them into human-readable form for troubleshooting and analysis. It offers a closer look at network operations, like X-ray glasses for the digital world. But it should be used in a responsible, legal manner; otherwise the result is uncontrolled data interception that infringes on individuals' privacy rights.

4. Tcpdump
Tcpdump is a digital detective inside computer systems, capturing and presenting real-time data traffic as text in a terminal. It is similar to observing traffic at an intersection: it intercepts and displays data packets in a human-readable one-line-per-packet format, making network problems easy to identify. Although it has no graphical interface like Wireshark, its efficiency and speed, combined with the fact that it ships with or is easily installed on virtually every Unix-based system, have made tcpdump popular among seasoned network professionals. It writes the same pcap files that Wireshark reads, so a common workflow is to capture with tcpdump on a server and analyze the file in Wireshark on a workstation.

Step 1: Download and Install Wireshark
Go to the Wireshark website (https://www.wireshark.org/) and download the latest version for your operating system. Follow the installation instructions to install Wireshark on your computer (on Windows the installer also offers Npcap, which is required for capturing).

Step 2: Capture Network Traffic
Open Wireshark after installation. Select the network interface you want to capture traffic from (e.g., Ethernet, Wi-Fi). Click the "Start" button (the blue shark-fin icon) to begin capturing traffic.

Step 3: Analyze Basic Protocols
HTTP: Open a web browser and visit any website. Go back to Wireshark and stop the capture.
Use the filter bar at the top and type "http" to filter HTTP traffic. You will see a list of HTTP packets exchanged during your browsing session. Click on any packet to view its details in the middle pane. You can analyze headers, payloads, and other information here. Note that most websites today use HTTPS, which Wireshark labels TLS rather than HTTP: the request and response are encrypted and the "http" filter matches nothing for them. To see plaintext HTTP, visit a site served over plain http://, or use the filter "tls" to observe the handshake (the Server Name Indication in the Client Hello still reveals the hostname in plain text).

DNS: While Wireshark is still capturing, perform a DNS query by entering a website URL in the browser's address bar. Stop the capture in Wireshark. Use the filter bar and type "dns" to filter DNS traffic. You'll see DNS queries and responses. You can analyze the domain names queried and the IP addresses resolved. (If the browser already has the answer cached, or uses DNS over HTTPS, no plain DNS packet is sent; query a name you have not visited recently, or flush the cache.)

SMTP: If you have an email client configured, send an email. Stop the capture in Wireshark. Use the filter bar and type "smtp" to filter SMTP traffic. You'll see SMTP packets related to sending the email. Analyze sender, recipient, subject, and other relevant information. Most mail providers require STARTTLS on port 587 or implicit TLS on port 465; in that case only the server greeting, EHLO and STARTTLS exchange are readable, and the MAIL FROM, RCPT TO and DATA commands that carry the sender, recipient and subject are encrypted.

Step 4: Analysis and Conclusion
Review the captured packets for each protocol. Look for any anomalies or suspicious activity. Draw conclusions about how data is transmitted and received for each protocol. Document your findings and observations.

[Screenshot: Wireshark 4.0.10 welcome screen listing the local capture interfaces (Local Area Connection, Ethernet, ...) with the capture filter bar.]

The display filter in Wireshark
The display filter in Wireshark's default configuration is a bar that sits right above the column display. Here is where we enter expressions to narrow down what we see in a pcap file, be it Ethernet frames, IP packets, or TCP segments. Display filters are distinct from capture filters: a capture filter (BPF syntax, entered on the welcome screen before starting) decides which packets are recorded at all, while a display filter only hides packets that were already captured and can be changed at any time.
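As an added example (not part of this manual, and not Wireshark's own code), the script below shows what that pcap file actually contains and what a display filter operates on: it writes three constructed frames in the classic pcap format that tcpdump -w produces (dumpcap writes pcapng unless given -P), reads the file back, dissects the Ethernet, IPv4 and TCP/UDP headers, and builds a packet list like Wireshark's, narrowed to one protocol when a protocol name is given. The hosts, MAC addresses and payloads are constructed, checksums are left as zero, and only the classic little-endian pcap format is read.

```python
"""Added example, not from the lab manual: write constructed frames as a classic pcap file,
read it back and produce a Wireshark-style packet list (No., Time, Source, Destination,
Protocol, Length), optionally filtered to one protocol the way typing "dns" in the
display filter bar does. Addresses/payloads are constructed; checksums are left zero."""
import io
import struct

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4            # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
PORT_LABELS = {80: "HTTP", 53: "DNS", 25: "SMTP"}   # well-known ports -> Protocol column


def ipv4_addr(text):
    return bytes(int(octet) for octet in text.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload, tcp_flags=0x18):
    """Ethernet II + IPv4 + TCP(6)/UDP(17) + payload. Checksums are 0 (constructed data)."""
    if proto == 6:    # 20-byte TCP header, data offset 5 words, flags default PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0)
    else:             # 8-byte UDP header; length covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     ipv4_addr(src_ip), ipv4_addr(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def write_pcap(frames, t0=1_700_000_000):
    """24-byte global header, then per packet a 16-byte record header and the raw frame."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out.write(struct.pack("<IIII", t0, i * 1000, len(frame), len(frame)))  # ts_sec, ts_usec, caplen, origlen
        out.write(frame)
    return out.getvalue()


def read_pcap(data):
    """Yield (timestamp, frame bytes). Only the classic little-endian format is handled."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a classic little-endian pcap file (pcapng needs a different reader)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + caplen]
        off += caplen


def dissect(frame):
    """Decode Ethernet -> IPv4 -> TCP/UDP headers, as Wireshark's detail pane does."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"src": "", "dst": "", "sport": 0, "dport": 0, "proto": "0x%04x" % ethertype, "len": len(frame)}
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = frame[23]                            # IPv4 protocol field (6 = TCP, 17 = UDP)
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    label = PORT_LABELS.get(dport) or PORT_LABELS.get(sport) or {6: "TCP", 17: "UDP"}.get(proto, str(proto))
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": label, "len": len(frame)}


def packet_list(pcap_bytes, display_filter=None):
    """Rows of the packet list; display_filter="dns" keeps only that protocol, like Wireshark."""
    rows = []
    for no, (ts, frame) in enumerate(read_pcap(pcap_bytes), start=1):
        row = dict(no=no, time=ts, **dissect(frame))
        if display_filter is None or row["proto"].lower() == display_filter.lower():
            rows.append(row)
    return rows


def sample_capture():
    """Constructed capture: one DNS query, one HTTP GET, one SMTP MAIL FROM."""
    dns_query = bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"
    return write_pcap([
        build_frame("192.168.0.140", "192.168.0.1", 17, 51234, 53, dns_query),
        build_frame("192.168.0.140", "192.0.2.10", 6, 51235, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        build_frame("192.168.0.140", "192.0.2.25", 6, 51236, 25, b"MAIL FROM:<alice@example.com>\r\n"),
    ])


if __name__ == "__main__":
    for row in packet_list(sample_capture()):
        print("{no:>3} {time:.6f} {src:>15} {dst:>15} {proto:<5} {len}".format(**row))
```

Running it prints the three-row list; packet_list(sample_capture(), "dns") returns only the DNS row, which is exactly what typing dns in the filter bar leaves visible. Real captures add the checksums and many more protocols, but the layering (record header, Ethernet, IP, transport, payload) is the same one Wireshark's detail pane expands.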
[Screenshot: Wireshark 4.0.10 welcome screen, "Interfaces: There are several local interfaces available; please choose one", listing Local Area Connection 10, Local Area Connection 9, Adapter for loopback traffic capture and Ethernet.]

Start and Stop button: press the Start button. In essence, you are recording and intercepting data packets as they pass through a network interface when you capture packets.

3. Analyze Packets: Wireshark will show packets as they come through the chosen interface in real time. To limit the packets that are shown based on parameters such as source, destination, protocol, etc., you can apply display filters.

Using tcpdump
1. Launch a Terminal or Command Prompt: On Unix-based systems, open a terminal window. On Windows, run the Command Prompt as an administrator (tcpdump is not included with Windows; Wireshark's own command-line capture tool dumpcap, installed alongside Wireshark, is used instead in the example below).
2. Begin Packet Capturing: run tcpdump -i <interface> -w <file> (or dumpcap -i <interface> -w <file>), where <interface> is the network interface you want to capture from and <file> is the capture file to write. Capturing requires root or administrator privileges.
3. View Captured Packets: without -w, tcpdump prints each captured packet as one line of text in the terminal; with -w it writes the raw packets to the file instead, which you can then open in Wireshark.

Example: dumpcap -i Wi-Fi -w capture.pcap
Press Ctrl + C to stop capturing. You can also open capture.pcap from the same directory (double-click it, or run wireshark -r capture.pcap) to view the captured packets.

[Terminal output: dumpcap capturing on 'Wi-Fi' and writing capture.pcap, reporting "Packets captured: 84". Wireshark then shows the 84-packet list with TCP, DNS and TLSv1.2 conversations between the local host 192.168.0.x and external hosts, and the frame detail pane expanding Frame, Ethernet II, Internet Protocol Version 4 and Transmission Control Protocol.]

With Wireshark: say, for instance, you want to know why a site is slow. By capturing the packets with Wireshark, you can tell whether there are delays in the communication between your computer and the web server (for example a long gap between the TCP SYN and the SYN/ACK, or between the HTTP request and the first byte of the response).

With tcpdump: it is possible that your server has unexpected network activity. The packets on the server's network interface can be captured with tcpdump, and you will see whether there is doubtful traffic.

DNS or Domain Name System
The Domain Name System, abbreviated DNS, is a system used to resolve domain names to IP addresses and to keep records for different kinds of servers (for example FTP servers, mail servers and Active Directory domain controllers). Designed by Paul Mockapetris, working with Jon Postel, and first specified in RFC 882 and RFC 883 in 1983, DNS has become one of the most significant components of the modern web. DNS gives a mapping between a network hostname and its address. It has eased human life manifold when one looks at its workings and the service it offers: by translating domain names into IP addresses it lets users surf the web without memorizing addresses. DNS normally runs over UDP on port 53 (TCP port 53 is used for zone transfers and for responses too large for a single UDP datagram). Using Wireshark, we can analyze DNS queries easily.
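Before inspecting DNS packets in Wireshark, it helps to see the message format they carry. The script below is an added example (not from this manual and not Wireshark's code): it builds the query a client sends for an A lookup of example.com, builds the response a resolver would return with one A record, and parses both to recover the fields the Wireshark DNS dissector shows (Transaction ID, Flags, Questions, Answer RRs, Name, Type, Class, Time to live, Address). The response uses a compression pointer (0xC0 0x0C) for the answer name, as real resolvers do. The transaction ID, the 300-second TTL and the address 192.0.2.10 (a documentation range) are constructed values.

```python
"""Added example, not from the lab manual: build and parse the DNS query/response pair
that Wireshark displays as "Standard query A example.com" / "Standard query response A".
Transaction ID, TTL and the answer address 192.0.2.10 are constructed."""
import struct

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1
HEADER = struct.Struct("!HHHHHH")       # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    # "example.com" -> b"\x07example\x03com\x00": each label prefixed by its length, zero-terminated
    return b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split(".")) + b"\x00"


def build_query(txid, name, qtype=TYPE_A):
    flags = 0x0100                       # QR=0 (query), RD=1 (recursion desired)
    return HEADER.pack(txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, ttl, ipv4):
    """Echo the question, set QR/RA, append one A record whose name is a pointer to offset 12."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[HEADER.size:]
    flags = 0x8180                       # QR=1 (response), RD=1, RA=1, RCODE=0 (no error)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return HEADER.pack(txid, flags, 1, 1, 0, 0) + question + answer


def decode_name(msg, off):
    """Follow labels and compression pointers; return (name, offset just past the name field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # pointer: 14-bit offset of an earlier copy of the name
            if end is None:
                end = off + 2            # the name field ends right after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:                # malformed packets can build pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse(msg):
    """Return the header fields plus the Queries and Answers sections as Wireshark lists them."""
    txid, flags, qd, an, _ns, _ar = HEADER.unpack_from(msg, 0)
    off = HEADER.size
    questions, answers = [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        addr = ".".join(map(str, rdata)) if rtype == TYPE_A else rdata.hex()
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "address": addr})
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    q = build_query(0x1A2B, "example.com")
    r = build_response(q, 300, "192.0.2.10")
    print("query   :", parse(q))
    print("response:", parse(r))
```

Comparing the two parsed dictionaries shows the relationships the Wireshark fields encode: the same Transaction ID in both, Questions = 1 in both, Answer RRs = 0 in the query and 1 in the response, and the TTL in seconds attached to the answer.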
After we start Wireshark, we shall follow the steps below. In the menu bar, choose Capture → Options (shown as Capture → Interfaces in older versions), select a particular Ethernet adapter and click Start. After this, browse to any web address and then return to Wireshark. Browsing will get packets captured; in Wireshark click Stop in the Capture menu to stop the capture. To locate a specific packet in the list, use Edit → Find Packet (Ctrl+F). Since we are going to analyze DNS we shall study only DNS packets; to see only those, type dns in the display filter bar above the packet list and press Enter.

[Screenshot: the packet list filtered with dns, showing Standard query and Standard query response rows.]

You can access the DNS details of any packet by clicking the Domain Name System label in the frame detail section of the Wireshark window. You can have a look at the different sections of the interface in the image above.

A basic DNS message has:
Transaction ID: a 16-bit identifier chosen by the client; the response carries the same value so the client can match it to its query.
Flags: a 16-bit field whose first bit (QR) says whether the message is a query (0) or a response (1), and whose last four bits (the reply code, RCODE) say whether the response succeeded (0, "No error") or failed (for example 3, "No such name").
Questions: the count of entries in the Queries section; it is 1 in practically every query and in the response that answers it.
Answer RRs: the count of resource records in the Answers section; it is 0 in a query and one or more in a successful response (a name with several addresses, or a CNAME chain, produces several answers).
If a response is viewed, the Answers section has the IP address(es) of the desired domain name along with the Time to live (TTL), the number of seconds for which the resolver may cache the record before it must ask again.

[Screenshot: frame detail pane of a DNS response with the Transaction ID, Flags, Questions, Answer RRs, Queries and Answers fields expanded.]

Besides these, it has a Queries section which gives the details of what was asked. The Queries section has the following:
Name: the domain name of the destination or web address to be reached (in a response, the name that was looked up). Wireshark also shows its length in bytes under [Name Length] and the count of labels, i.e. the parts separated by dots, under [Label Count].
Type: which is A for an IPv4 address (32 bits) and AAAA for an IPv6 address (128 bits).
Class: which is IN (Internet) in practice, meaning an Internet address is being asked for.

Resolved answers are also cached on the local machine. On Windows you can view the cached records at the command prompt by typing ipconfig /displaydns. You can have a look at the below diagram for reference. Once you have visited a particular resource, its record is stored for the TTL the server specified, and the next time you want to locate that resource the host will first look in the local cache, which is why a second visit within the TTL produces no DNS packets in Wireshark.

[Screenshot: ipconfig /displaydns output listing cached record names, record types, TTLs and addresses.]

So this is how we can analyze DNS queries in Wireshark and get detailed knowledge of DNS packet functionality. Checking DNS queries in Wireshark is one of the major techniques for studying network behavior, and Wireshark is by far the leading tool for protocol analysis because of its beginner-friendly and detailed nature.

Conclusion
Packet sniffing and network examination tools such as tcpdump and Wireshark are indispensable in computer networking. They stand and look at digital packets as they travel across networks, giving us a glimpse inside. Its intuitive graphical user interface makes Wireshark an excellent open-source network protocol analyzer, which can also capture and evaluate data in real time. It is a common tool among network administrators and security experts because it converts complex network protocols into a human-readable format. In addition, because it can also analyze data from stored capture files on disk as well as live networks, Wireshark provides much more flexibility than earlier packet analyzers for both troubleshooting and review. Tcpdump, by contrast, is a well-known command-line packet analyzer designed primarily for Unix-based systems. Because of its effectiveness and speed in capturing packets in real time, seasoned network professionals prefer it.
Because it can capture and display data packets quickly and accurately, tcpdump is an invaluable tool for network diagnostics and troubleshooting even in the absence of a graphical user interface. Both Wireshark and tcpdump, despite having different interfaces, are intended to enable network experts to monitor, analyze, and diagnose network traffic. Like digital sentinels, they watch over data flow inside networks and give significant information about them. While their usefulness is beyond question, in any case tread carefully and observe all legal and ethical prerequisites: unapproved data interception might violate individuals' right to privacy and might be prosecuted.

Practical-2 Detecting Suspicious Activity: Analyze network traffic to identify suspicious patterns, such as repeated connection attempts or unusual communication between hosts.

Step 1: Capture Network Traffic
Open Wireshark and start capturing traffic on the network interface you want to monitor.

Step 2: Filter Traffic
Apply display filters to focus on relevant traffic. For example:
Filter by IP address: ip.addr == [target IP] to focus on traffic to/from a specific host.
Filter by port: tcp.port == [port number] or udp.port == [port number] to focus on traffic on a specific port.
Filter by protocol: the protocol name (e.g., http, dns, smtp) to focus on specific protocols.
Filters combine with && (and), || (or) and ! (not), for example ip.addr == 10.0.0.5 && !dns.

Step 3: Look for Suspicious Patterns
Repeated Connection Attempts: Look for multiple connection attempts from the same source IP to the same destination IP or port within a short time frame. Analyze SYN packets (the first step of the TCP handshake) that have no corresponding SYN/ACK and ACK, indicating incomplete connections or potential scanning activity.
Unusual Communication: Identify communication between hosts that typically don't interact. Look for large amounts of data transferred between hosts that have no legitimate reason for communication. Analyze DNS traffic for unusual domain queries or responses.
Abnormal Traffic Volume: Look for sudden spikes or drops in traffic volume. Analyze traffic patterns during off-peak hours.
Protocol Anomalies: Identify unexpected protocol usage or deviations from standard behavior. Look for malformed packets or unexpected protocol responses (Wireshark's Analyze → Expert Information summarizes these).

Step 4: Investigate Further
Once you identify suspicious patterns, investigate further: Analyze packet payloads for malicious content. Look up IP addresses, domain names, or port numbers on threat intelligence platforms. Check firewall logs or other security tools.

Step 5: Take Action
If you confirm malicious activity, take appropriate action: Block suspicious IP addresses or domains. Update firewall rules to prevent further communication. Notify relevant stakeholders or security teams.

Steps:
Setup: Download and install Wireshark from the official website.
Capture Packets: Open Wireshark and select the network interface you want to capture packets from. Click on the "Start" button to begin capturing packets.
Identify Repeated Connection Attempts: If you see many SYN packets from the same source IP address that are never followed by a completed handshake, this could indicate scanning (one source probing many destination ports or hosts) or a SYN flood (many SYNs to one port, often from spoofed sources). In Wireshark, you can use the filter tcp.flags.syn == 1 && tcp.flags.ack == 0 to display only the initial SYN packets; Statistics → Conversations then shows which sources opened the most connections.
Identify Unusual Communication Between Hosts: If you notice communication between hosts that don't usually interact, this could be a sign of a compromised host. Look for traffic between hosts in different subnets or VLANs.
Identify Large Amounts of Data Transfer: Large data transfers, especially during off-peak hours, could indicate data exfiltration. You can use the Statistics → Conversations feature in Wireshark to view the bytes transferred between each pair of hosts.
Identify ARP Spoofing: If you see multiple ARP responses for the same IP address with different MAC addresses, this could indicate ARP spoofing. You can use the filter arp.opcode == 2 to display only ARP responses; Wireshark also flags this itself, and the filter arp.duplicate-address-detected shows only those packets.
Identify DNS Tunneling: If you see unusually long DNS query names, a stream of queries for unique subdomains of one domain, or unusually large DNS responses, this could indicate DNS tunneling. The filter dns shows all DNS traffic; dns.qry.name.len > 50 narrows it to queries with long names, and dns.qry.name contains "example.com" (with the suspect domain substituted) isolates one domain.
Report Findings: Document your findings, including any suspicious IP addresses, protocols, or patterns of behavior. Include screenshots where appropriate.
Clean Up: Stop the packet capture and close Wireshark.
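The three filters above find candidate packets; deciding whether they add up to a scan, a spoofed ARP entry or a tunnel is the analyst's job. The script below is an added example (not from this manual) that applies the Step 3 heuristics as code over a constructed list of packet summaries of the kind tshark -T fields exports, one dict per packet: SYNs from one source that never receive a SYN/ACK, one IP claimed by several MACs in ARP replies, and DNS query names that are long or whose first label looks like encoded data. The hosts, timestamps, MAC addresses and thresholds (5 ports within 2 s, 50 characters, 3.5 bits of entropy) are illustrative assumptions, not tuned values.

```python
"""Added example, not from the lab manual: run the Practical-2 heuristics over constructed
packet summaries. SAMPLE is constructed: 10.0.0.5 probes seven ports on 10.0.0.20 and never
gets a SYN/ACK, 10.0.0.7 completes a normal handshake, 10.0.0.1's MAC changes between two
ARP replies, and one DNS query carries an encoded blob in its first label. Thresholds are
illustrative assumptions."""
import math
from collections import defaultdict

SAMPLE = [
    {"t": 0.01 + i * 0.05, "proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.20", "sport": 40000 + i,
     "dport": p, "flags": "S"} for i, p in enumerate([21, 22, 23, 25, 80, 443, 8080])
] + [
    {"t": 1.00, "proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.20", "sport": 50000, "dport": 443, "flags": "S"},
    {"t": 1.01, "proto": "tcp", "src": "10.0.0.20", "dst": "10.0.0.7", "sport": 443, "dport": 50000, "flags": "SA"},
    {"t": 1.02, "proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.20", "sport": 50000, "dport": 443, "flags": "A"},
    {"t": 2.00, "proto": "arp", "op": 2, "sender_ip": "10.0.0.1", "sender_mac": "00:11:22:33:44:55"},
    {"t": 2.50, "proto": "arp", "op": 2, "sender_ip": "10.0.0.1", "sender_mac": "de:ad:be:ef:00:01"},
    {"t": 2.60, "proto": "arp", "op": 2, "sender_ip": "10.0.0.20", "sender_mac": "00:11:22:33:44:66"},
    {"t": 3.00, "proto": "dns", "src": "10.0.0.7", "qname": "www.example.com"},
    {"t": 3.10, "proto": "dns", "src": "10.0.0.7", "qname": "mail.example.com"},
    {"t": 3.20, "proto": "dns", "src": "10.0.0.5",
     "qname": "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi4hqmrqgi3tanrtgi2dgmjs.t.example.org"},
]


def syn_scan_suspects(pkts, window=2.0, min_ports=5):
    """Sources with >= min_ports distinct (dst, port) SYNs left unanswered within `window` seconds."""
    # A SYN from client C to server S:port is answered if S sent C a SYN/ACK from that port.
    answered = {(p["dst"], p["sport"], p["src"]) for p in pkts if p["proto"] == "tcp" and p["flags"] == "SA"}
    unanswered = defaultdict(list)        # src -> [(t, dst, dport)]
    for p in pkts:
        if p["proto"] == "tcp" and p["flags"] == "S" and (p["src"], p["dport"], p["dst"]) not in answered:
            unanswered[p["src"]].append((p["t"], p["dst"], p["dport"]))
    suspects = {}
    for src, attempts in unanswered.items():
        attempts.sort()
        for i in range(len(attempts)):   # sliding window starting at each SYN
            in_window = [a for a in attempts[i:] if a[0] - attempts[i][0] <= window]
            targets = sorted({(dst, port) for _, dst, port in in_window})
            if len(targets) >= min_ports:
                suspects[src] = targets
                break
    return suspects


def arp_spoof_suspects(pkts):
    """IPs that appear in ARP replies (opcode 2) with more than one sender MAC."""
    macs = defaultdict(set)
    for p in pkts:
        if p["proto"] == "arp" and p["op"] == 2:
            macs[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def shannon_entropy(text):
    """Bits per character; ordinary hostnames score low, base32/base64 blobs score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def dns_tunnel_suspects(pkts, max_len=50, min_entropy=3.5):
    """Query names that are unusually long or whose first label looks like encoded data."""
    flagged = []
    for p in pkts:
        if p["proto"] != "dns":
            continue
        first_label = p["qname"].split(".")[0]
        reasons = []
        if len(p["qname"]) > max_len:
            reasons.append("length %d" % len(p["qname"]))
        if shannon_entropy(first_label) > min_entropy:
            reasons.append("entropy %.2f" % shannon_entropy(first_label))
        if reasons:
            flagged.append((p["src"], p["qname"], ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    print("SYN scan   :", syn_scan_suspects(SAMPLE))
    print("ARP spoof  :", arp_spoof_suspects(SAMPLE))
    print("DNS tunnel :", dns_tunnel_suspects(SAMPLE))
```

The SYN check deliberately excludes 10.0.0.7, whose SYN was answered: unanswered SYNs, not SYN count, are the signal, which is also why a SYN flood from spoofed sources shows up as many sources with one unanswered target each rather than one source with many. Both DNS rules are heuristics; a real deployment would also count unique subdomains per parent domain per source, since short-label tunnels defeat a length threshold.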