
Question 1: Explain how you performed the packet capture and deciphered the data.
Question 2: Explain the communication taking place between your machine and the web server.

Question 3: Write a report on the technology used to implement this https site giving an overview of how it works, history of the technology & advantages/disadvantages of the security methods adopted.
Question 4: Explain what can be learned from the HTTP response headers which you have captured from 4-realestateagent.com. Repeat the task with https://paypal.com and briefly contrast your findings from the HTTP response headers from both sites.

Capturing Network Packets with Wireshark

Wireshark is a network analysis tool that captures and analyses network packets. It helps network analysts monitor network problems and troubleshoot them. Wireshark supports hundreds of protocols when capturing network packets. It can capture packets live and analyse them offline. Its packet filter helps to find exact packets and to capture only a particular type of packet. Wireshark detects all network cards automatically. To begin, a network interface must be selected in Wireshark; once the interface is selected, packet capture starts.

In this scenario, the website https://www.4-realestateagent.com/ is accessed via a web browser, and Wireshark captures the packets transmitted between the client and the server. The IP address of this website is 209.59.162.105. Wireshark has three horizontal frames that present the details of the captured packets. The first frame shows a list of all captured packets transmitted between https://www.4-realestateagent.com/ and the client (PC). This list contains the packet number, time taken, protocol used, packet length, source address, destination address, and packet data. The second horizontal frame shows detailed information about the captured packet: frame details, network interface details, the internet protocol used and its details, protocol details, and details of the data it contains. The third horizontal frame shows the raw data and hexadecimal digits. Once packet capture starts, Wireshark captures all packets transmitted between the source and the destination.

The first connection between the client and the server is created by the TCP handshaking process. First, the client sends a request to the server with a packet sequence number in order to access the website. The server then responds to this request by sending a packet with an acknowledgement number and a sequence number. The first frame of Wireshark shows these details. The Info column shows a short summary of the packet, and the Length column shows the packet length. All packets are captured in this way. Before deciphering the captured packets, one first needs to know the protocols and ports involved. Different types of protocols use different ports. Two protocols cannot use the same port at the same time. Without this knowledge, it is not possible to read the captured packet details.

The details of the first captured packet are shown in the second horizontal frame of Wireshark. The first entry shows the frame details: the length of the captured packet and the interface number, along with the interface ID, encapsulation type, packet arrival time, Epoch time, and frame number. The second entry shows the network interface details, which depend on the selected network interface. Here it shows the Ethernet interface, with the source and destination details. The next entry covers IPv4, where all internet protocol related information is given. The fourth entry is for the protocol used. It provides protocol-related information such as the protocol name, source port number, destination port number and more. In this way the captured packets can be deciphered.

Filtering Packets with Wireshark

First, the client sends a packet with a sequence number to the server using the TCP protocol, from port 5114 to the server's port 443. The length of this first packet is 66. The header length of this packet is 32 bytes. Because this is the first packet, its sequence number is 0. The server did not respond, so the client sent the same packet to the server again. In response to this request, the server sends an acknowledgement packet to the client with acknowledgement number 1. In packet number 69 the client sends 'Hello' to the server. This is the start of the TCP handshaking process. The client sends a packet to the server with sequence number 1 and acknowledgement number 1.

The packet length is 517. The server uses SSL (Secure Sockets Layer), so this packet is sent via this protocol; TLSv1.2 is used in the process. With this packet the client shares a key for communicating with the server via SSL. In response to this request, the server sends its hello to the client in packet number 82. The sequence number of this packet is 1 and the acknowledgement number is 518. After this, the server sends another packet using the TLSv1.2 protocol, which contains a certificate and the end of the handshaking process. The length of this certificate is 2536 bytes. This certificate will be used for accessing the server. With this, the Hello process is done. The client then acknowledges the server by sending it a packet. Next, the client exchanges the key, which is encrypted with the RSA algorithm. The length of this key is 256. With this packet the client also sends the change cipher specification message. The encrypted handshaking message is also sent with this packet. The length of the encrypted handshaking message is 40. This process continues until all information is shared with the server. After completing this process, the server creates a new session ticket. With this packet the server also sends the change cipher spec to the client. After completing all of this, the client sends application data to the server. The server acknowledges this packet by sending an application data packet to the client.
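The record labels Wireshark shows for this exchange come from the five-byte TLS record header and the one-byte handshake type. The following is an added example, not code from the original essay: it walks a constructed client flight (key exchange with a 256-byte encrypted key, change cipher spec, 40-byte encrypted handshake message) and shows why the record after the change cipher spec can only be labelled "Encrypted Handshake Message". The byte strings are constructed, and the 258-byte message length assumes the TLS 1.2 encoding of a 2-byte length prefix before the 256-byte key.

```python
import struct

# TLS record content types and handshake message types (RFC 5246).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 4: "NewSessionTicket",
                   11: "Certificate", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def parse_records(stream: bytes):
    """Walk one direction of a TLS byte stream and label each record."""
    out, pos, encrypted = [], 0, False
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5: pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        pos += 5 + length
        version = VERSIONS.get((major, minor), f"{major}.{minor}")
        if ctype == 22 and not encrypted:
            # Cleartext handshake: one record may carry several messages.
            off = 0
            while off + 4 <= len(body):
                hlen = int.from_bytes(body[off + 1: off + 4], "big")
                name = HANDSHAKE_TYPES.get(body[off], f"handshake({body[off]})")
                out.append((version, name, hlen))
                off += 4 + hlen
        elif ctype == 22:
            # After ChangeCipherSpec the handshake type byte is ciphertext.
            out.append((version, "Encrypted Handshake Message", length))
        else:
            out.append((version, CONTENT_TYPES.get(ctype, f"unknown({ctype})"), length))
            if ctype == 20:
                encrypted = True
    return out

def record(ctype, body, version=(3, 3)):
    """Build one TLS record (helper for the constructed sample)."""
    return struct.pack("!BBBH", ctype, *version, len(body)) + body

# Constructed sample: ClientKeyExchange (2-byte length + 256-byte encrypted
# key), ChangeCipherSpec, then a 40-byte encrypted handshake record.
cke = bytes([16]) + (258).to_bytes(3, "big") + (256).to_bytes(2, "big") + bytes(256)
CLIENT_FLIGHT = record(22, cke) + record(20, b"\x01") + record(22, bytes(40))

if __name__ == "__main__":
    for row in parse_records(CLIENT_FLIGHT):
        print(row)
```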

The client sends an HTTP request for accessing the website to the server in packet number 649. In response to this GET request, the server sends an acknowledgement message to the client and grants the client access. The client can then access this page of the website. The client then sends another request to the server to visit a page of the website. In response to this request, the server sends OK to the client and provides the requested web page. The whole HTTP exchange proceeds like this: first the client makes a request, and then the server provides the requested page. The HTTP protocol shows the pages of the website that were accessed.

Automatic Network Card Detection in Wireshark

The possibility of using the web for commerce was apparent to early users, but there was no way to confidentially share credit card information with a web site. Further, there was no way to tell the legitimacy of the website collecting the credit card data, nor could you detect whether there was a man in the middle stealing the information. These were especially urgent problems for Netscape, the leader in early commercial web browsers and servers. Taher Elgamal developed the algorithms that powered Secure Sockets Layer (SSL) while at Netscape in 1994. HTTPS (HTTP Secure) is just HTTP encapsulated inside SSL. In 1999, The TLS Protocol Version 1.0 was developed to replace SSL as the underlying transport for HTTPS, and it has undergone several revisions since. It continues to evolve.

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.

Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect. HTTPS pages typically use one of two secure protocols to encrypt communications: SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Both the TLS and SSL protocols use what is known as an 'asymmetric' Public Key Infrastructure (PKI) system. An asymmetric system uses two 'keys' to encrypt communications, a 'public' key and a 'private' key. Anything encrypted with the public key can only be decrypted by the private key and vice versa. As the names suggest, the 'private' key should be kept strictly protected and should only be accessible to the owner of the private key. In the case of a website, the private key remains securely stored on the web server. Conversely, the public key is intended to be distributed to anybody and everybody that needs to be able to decrypt information that was encrypted with the private key.

Using HTTPS for a web request will always be slower than using HTTP.  In particular, it will have significantly greater latency, because of the number of extra "handshake" packets that are necessary before the first byte of payload data is encoded and sent to the server.  This latency is particularly noticeable on the first request to an HTTPS domain; after that first request, browsers will reuse the connection and cache the SSL session to allow quick resumption of the communication.

There is also, as Erik Fair notes, additional computational overhead on a per-byte basis, due to the work of encrypting and decrypting the request and response.  In usual practice, this overhead is not nearly as noticeable as the extra latency from connection setup. 

The client sends an HTTP request for accessing the website to the server in packet number 649. In response to this GET request, the server sends an acknowledgement message to the client and grants the client access. The client can then access this page of the website. The client then sends another request to the server to visit a page of the website. In response to this request, the server sends OK to the client and provides the requested web page. The HTTP exchange proceeds in this way: first the client makes a request, and then the server provides the requested page. The HTTP protocol shows the pages of the website that were accessed. The HTTP header details are as follows:

Frame 845: 711 bytes on wire (5688 bits), 711 bytes captured (5688 bits) on interface 0
Ethernet II, Src: Sophos_49:1c:a8 (7c:5a:1c:49:1c:a8), Dst: LcfcHefe_a8:c6:ae (68:f7:28:a8:c6:ae)
Internet Protocol Version 4, Src: 209.59.162.105, Dst: 10.10.30.116
Transmission Control Protocol, Src Port: 80, Dst Port: 5130, Seq: 1461, Ack: 380, Len: 657
[2 Reassembled TCP Segments (2117 bytes): #844(1460), #845(657)]
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
    Date: Thu, 19 Apr 2018 07:05:08 GMT\r\n
    Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4\r\n
    Last-Modified: Wed, 24 Jun 2015 09:21:43 GMT\r\n
    ETag: "da141-6b2-5194008fdb7c0"\r\n
    Accept-Ranges: none\r\n
    Keep-Alive: timeout=3, max=50\r\n
    Content-Type: image/png\r\n
    Content-Length: 1714\r\n
    Via: HTTP/1.1 sophos.http.proxy:3128\r\n
    Connection: keep-alive\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.545904000 seconds]
    [Request in frame: 649]
    File Data: 1714 bytes
Portable Network Graphics
    PNG Signature: 89504e470d0a1a0a
    Image Header (IHDR)
    Textual data (tEXt)
    International textual data (iTXt)
    Image data chunk (IDAT)
    Image Trailer (IEND)

In the above case, the website uses Apache server version 2.2.24. The server uses OpenSSL. The server was last modified on 24 June 2015. The server uses an HTTP proxy to allow users to access the site. This website is not secure for HTTPS.

HTTP header information of https://paypal.com

Frame 314: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits) on interface 0
Ethernet II, Src: Sophos_49:1c:a8 (7c:5a:1c:49:1c:a8), Dst: LcfcHefe_a8:c6:ae (68:f7:28:a8:c6:ae)
Internet Protocol Version 4, Src: 64.4.250.32, Dst: 10.10.30.116
Transmission Control Protocol, Src Port: 80, Dst Port: 8866, Seq: 1, Ack: 393, Len: 150
Hypertext Transfer Protocol
    HTTP/1.0 302 Found\r\n
        [Expert Info (Chat/Sequence): HTTP/1.0 302 Found\r\n]
            [HTTP/1.0 302 Found\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.0
        Status Code: 302
        [Status Code Description: Found]
        Response Phrase: Found
    Location: https://64.4.250.32/\r\n
    Server: BigIP\r\n
    Content-Length: 0\r\n
        [Content length: 0]
    Via: HTTP/1.1 sophos.http.proxy:3128\r\n
    Connection: keep-alive\r\n
    \r\n
    [HTTP response 1/1]
    [Time since request: 0.574092000 seconds]
    [Request in frame: 287]

Analysing paypal.com shows that PayPal uses a direct server. The previous website uses a proxy server, but PayPal does not. Also, when visiting the first website the web browser showed a warning that the website is not secure because it uses a proxy site, whereas when visiting PayPal the browser loaded the website smoothly.
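To make the header comparison repeatable, the two captured responses can be run through the same audit. This is an added example, not part of the original essay: it parses the header text shown above (abridged and embedded as constructed sample input) and reports the software and versions disclosed in `Server`, the intermediaries named in `Via`, and whether the response redirects to HTTPS. The function names `parse_response` and `audit` are hypothetical.

```python
import re

# Abridged from the two header dumps on this page (constructed sample input).
SITE_A = """HTTP/1.1 200 OK
Date: Thu, 19 Apr 2018 07:05:08 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4
Last-Modified: Wed, 24 Jun 2015 09:21:43 GMT
Content-Type: image/png
Via: HTTP/1.1 sophos.http.proxy:3128
Connection: keep-alive
"""
SITE_B = """HTTP/1.0 302 Found
Location: https://64.4.250.32/
Server: BigIP
Content-Length: 0
Via: HTTP/1.1 sophos.http.proxy:3128
Connection: keep-alive
"""

def parse_response(raw):
    """Split a raw response head into (version, status, headers)."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    version, status, _reason = (lines[0].split(" ", 2) + [""])[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def audit(raw):
    """Report what a response's headers disclose about the serving stack."""
    _version, status, h = parse_response(raw)
    server = " ".join(h.get("server", []))
    # product/version tokens, e.g. Apache/2.2.24 or OpenSSL/1.0.0-fips
    software = re.findall(r"([A-Za-z_][\w.-]*)/([\w.-]+)", server)
    if server and not software:
        software = [(server, None)]  # bare product name, no version given
    hops = [hop.split()[1] for v in h.get("via", [])
            for hop in v.split(",") if len(hop.split()) > 1]
    location = (h.get("location") or [""])[0]
    return {
        "status": status,
        "software": software,
        "versions_disclosed": sum(1 for _, v in software if v),
        "via": hops,
        "redirects_to_https": 300 <= status < 400
                              and location.lower().startswith("https://"),
    }
```

Calling `audit(SITE_A)` and `audit(SITE_B)` side by side gives the contrast Question 4 asks for in a form that can be rerun on any other captured response.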
