Lab Assignment - 1

The document details a network assignment involving IP addresses, TCP/UDP protocols, and packet analysis using Wireshark. It covers aspects such as header fields, sequence numbers, and the TCP handshake process, along with security considerations and useful filters for network troubleshooting. Additionally, it discusses network modes and the implications of traffic capture in different configurations.

Uploaded by

yadavasit24

Network Assignment

a.​ The IP address of my computer is [Link]

b.​ The value of the upper layer protocol field is ICMP (0x0200)

c.​ The header is 20 bytes long. The payload is 64 bytes, as the total length of the message being transmitted is 84 bytes.
d.​ The fragment offset is set to 0, hence the packet is not fragmented.

e.​ The header checksum and the identification change from one datagram to another.
f.​ The fields that stay constant are: Version (IPv4), Header Length, Source IP (sending from the same host), Destination IP (if sending requests to the same destination again and again) and Upper Layer Protocol (always ICMP). The fields that must stay constant are all the ones previously mentioned. The fields which change are the Header Checksum (the header changes each time) and Identification (to identify the packets).
g.​ The pattern is that the IP header Identification field increments with each ICMP echo (ping) request.
h.​ The value in the identification is 0x2e8c (11916) and the TTL is 64

i.​ The identification field changes for each frame, as it has a unique value. If two or more have the same value, then the replies must be fragments of a bigger packet. The TTL field does not change because the time to live to the first-hop router is the same.
j.​ The IP address is [Link] and the TCP port number is 37404.
k.​ The sequence number of the segment used to initiate the TCP connection is 0. We can see that the message contains a SYN flag, indicating that it is a SYN segment.
l.​ The sequence number of the SYNACK segment is 0. The value of the acknowledgment field is 1. This value is determined by the initial sequence number + 1.

m.​ The sequence number of the TCP segment containing the POST command is 165073

n.​ Segment 1 sequence number: 165073, sent: 8.436
Segment 2 sequence number: 29, sent: 8.455
Segment 3 sequence number: 25, sent: 8.463
Segment 4 sequence number: 1, sent: 8.6983
Segment 5 sequence number: 1, sent: 8.6987
Segment 6 sequence number: 1, sent: 8.6987

o.​ The length of the first TCP segment is 52.
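To illustrate the handshake numbers in items k and l (and the SYN / SYN-ACK / ACK exchange in the security assignment), here is an added Python example that is not part of the original assignment: it parses constructed TCP segments, checks that each side acknowledges the other's initial sequence number plus one, and converts the raw sequence numbers to the relative ones Wireshark displays. Port 37404 is reused from item j; the ISNs and server port are made-up values.

```python
import struct

TCP_SYN, TCP_ACK = 0x02, 0x10   # flag bits in the TCP header
MASK = 0xFFFFFFFF               # sequence numbers wrap modulo 2^32

def parse_tcp(seg):
    """Return the TCP header fields needed to follow a handshake."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_off = (off_flags >> 12) * 4             # header length in bytes (20 without options)
    if data_off < 20 or data_off > len(seg):
        raise ValueError("bad data offset")
    flags = off_flags & 0x1FF
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & TCP_SYN), "ack_flag": bool(flags & TCP_ACK),
            "header_len": data_off, "payload_len": len(seg) - data_off}

def tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Constructed 20-byte TCP header (window 65535, checksum/urgent zeroed) plus payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload

def check_handshake(segments):
    """Validate SYN, SYN-ACK, ACK and return Wireshark-style relative (seq, ack) numbers.

    Relative numbers count from each side's initial sequence number (ISN): a SYN consumes
    one sequence number, so the peer acknowledges ISN + 1, which Wireshark shows as ack 1."""
    syn, synack, ack = (parse_tcp(s) for s in segments)
    client_isn, server_isn = syn["seq"], synack["seq"]
    ok = (syn["syn"] and not syn["ack_flag"]
          and synack["syn"] and synack["ack_flag"] and synack["ack"] == (client_isn + 1) & MASK
          and ack["ack_flag"] and not ack["syn"]
          and ack["seq"] == (client_isn + 1) & MASK and ack["ack"] == (server_isn + 1) & MASK
          and synack["dst_port"] == syn["src_port"] and ack["src_port"] == syn["src_port"])
    relative = []
    for s in (syn, synack, ack):
        own, peer = (client_isn, server_isn) if s["src_port"] == syn["src_port"] else (server_isn, client_isn)
        relative.append(((s["seq"] - own) & MASK, (s["ack"] - peer) & MASK if s["ack_flag"] else 0))
    return ok, relative

# Constructed exchange: client port 37404 -> server port 80 with arbitrary ISNs on both sides.
HANDSHAKE = [
    tcp_segment(37404, 80, 0x1A2B3C4D, 0, TCP_SYN),                      # SYN     (client -> server)
    tcp_segment(80, 37404, 0x9F8E7D6C, 0x1A2B3C4E, TCP_SYN | TCP_ACK),   # SYN-ACK (server -> client)
    tcp_segment(37404, 80, 0x1A2B3C4E, 0x9F8E7D6D, TCP_ACK),             # ACK     (client -> server)
]

if __name__ == "__main__":
    print(check_handshake(HANDSHAKE))   # (True, [(0, 0), (0, 1), (1, 1)])
```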


p.​ -
q.​ -
r.​ -
s.​ -
t.​ The header contains 4 fields: the source, destination, length and checksum.

u.​ Each header field size is 2 bytes.


v.​ The value in the length field is the sum of the 8 header bytes and the remaining bytes, which are the data or payload.
w.​ The maximum number of bytes that can be in the payload is 2^16; of this, 8 bytes are used by the header fields. Hence the maximum size is 65527 bytes.
x.​ The largest port number possible is 2^16 = 65535
y.​ The protocol number for UDP is 17 in decimal and in hexadecimal it is 0x11
z.​ Sent by host

Received by my host

The relationship between the port numbers is that the source port of the sent message is the destination port of the received message, and vice versa.
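As an added example that is not part of the original assignment, the following Python parses a constructed IPv4 header and a UDP header to recover the fields asked about in items a to i and t to y: header length, total length and payload length, identification, TTL, fragment offset, protocol number, and the four 2-byte UDP fields. The addresses, identification value and ports in the sample packets are constructed; UDP_MAX_PAYLOAD reproduces the 65527-byte figure from item w.

```python
import struct

PROTO_ICMP, PROTO_UDP = 1, 17          # IANA numbers carried in the IPv4 protocol field
UDP_HEADER_LEN = 8
UDP_MAX_PAYLOAD = 0xFFFF - UDP_HEADER_LEN   # 65527: 16-bit length field minus the header

def parse_ipv4(data):
    """Return the IPv4 header fields discussed above plus the encapsulated payload."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4    # IHL counts 32-bit words; 5 -> 20 bytes
    if version != 4 or ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("malformed IPv4 header")        # never trust lengths read off the wire
    more_frags, frag_offset = (flags_frag >> 13) & 0x1, flags_frag & 0x1FFF
    return {
        "header_len": ihl, "total_len": total_len, "payload_len": total_len - ihl,
        "id": ident, "ttl": ttl, "protocol": proto,
        "fragmented": bool(more_frags) or frag_offset != 0,   # offset 0 with MF clear = whole datagram
        "src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
        "payload": data[ihl:total_len],
    }

def parse_udp(data):
    """Split a UDP datagram into its four 2-byte header fields and its payload."""
    if len(data) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", data[:UDP_HEADER_LEN])
    if length < UDP_HEADER_LEN or length > len(data):    # length covers header + payload
        raise ValueError("UDP length field disagrees with the bytes present")
    return {"src_port": sport, "dst_port": dport, "length": length, "checksum": csum,
            "payload_len": length - UDP_HEADER_LEN, "payload": data[UDP_HEADER_LEN:length]}

def ipv4_packet(proto, payload, ident=0x2E8C, ttl=64):
    """Constructed sample packet: 20-byte IPv4 header (checksum left 0) over the given payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))   # constructed addresses
    return hdr + payload

# Constructed samples: an 84-byte ICMP echo request (20 IP + 8 ICMP + 56 data, the sizes
# in the ping answers) and a UDP datagram from port 37404 to port 53 carrying 12 bytes.
PING = ipv4_packet(PROTO_ICMP, b"\x08\x00" + b"\x00" * 6 + bytes(range(56)))
DNS_QUERY = ipv4_packet(PROTO_UDP, struct.pack("!HHHH", 37404, 53, UDP_HEADER_LEN + 12, 0) + b"\xab" * 12)

if __name__ == "__main__":
    ip = parse_ipv4(PING)
    print(ip["protocol"], ip["total_len"], ip["payload_len"], hex(ip["id"]), ip["fragmented"])
    print(parse_udp(parse_ipv4(DNS_QUERY)["payload"])["payload_len"])
```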

SECURITY ASSIGNMENT
a.​ Common areas where Wireshark is useful are when website loading times are long (DNS failure, TCP retransmissions and HTTP errors), network connectivity issues (ICMP blocked or packet loss), and suspicious or malicious traffic.
b.​ Useful filters for these are: dns, http (to capture HTTP traffic), [Link] >= 400 (finding HTTP errors), [Link] == 8 (only ICMP Echo Requests), [Link] == 0 (only ICMP Echo Replies), etc.
c.​ [Link] == 67 || [Link] == 68 - This captures DHCP Requests (Discover) and DHCP ACK (Offer).
d.​
e.​ 1. Here we see a SYN (Client -> Server), a SYN-ACK (Server -> Client) and an ACK (Client -> Server). This confirms the 3-way TCP handshake, which establishes a reliable connection.
2. Setting the adapter to host-only networking creates a private LAN between the host and the VMs. This allows pinging between VM1 and VM2, and between the VMs and the host itself, and vice versa.
3. Setting the adapter to internal mode isolates the network inside VirtualBox only, so the host is not part of the network. You can ping between the VMs but not to the host machine.
f.​ 1. Non-promiscuous mode - all the traffic is from your device's IP and to your device's IP, and there is no traffic between other devices.

Promiscuous mode - here we see packets that are not addressed to our own machine. Network traffic between other devices gets captured. The filter used to identify the mode is [Link] != <your mac address>, which you can find in the Ethernet II section.

2. There is a way to exclude any localhost traffic: !([Link] == [Link]). This removes any and all loopback traffic from the capture.
3. Using the arp filter on the capture we can identify the packets. The packet details show "Who has X? Tell Y." The correct dissector is automatically applied by Wireshark.

4. This filter shows the DHCP Request and ACK. The filter is [Link] == 67 || [Link] == 68.

5. Host-only: VM <---> VM and VM <---> Host
NAT: VM <---> Internet
Bridged: VM appears as a real device on the LAN
6. Payloads are all encrypted. Only headers are visible. No readable application data. Without decryption keys you aren't able to read encrypted data.
