Using Wireshark to Study TCP/IP Layers

ENGD3103 Communication Networks

Task

Aim:

In this assignment, you will use Wireshark to study TCP/IP layers by capturing and examining packet traces.

What to submit:

Your coursework must be submitted as a report. Snapshots of the Wireshark interface showing the details of the captured traces should be included in the report. You must submit the report electronically in Word or PDF format to Turnitin. All references must be in IEEE format.

Presentation:

Please note that [4 marks] will be allocated to the presentation and organisation of your report.

Introduction: Capturing a Trace

The following steps show how to capture a packet trace using Wireshark.

1. Launch Wireshark and start a capture to record standard web traffic

2. Set the display filter to “http”

3. Return to Wireshark and stop the trace

You should now have a short trace similar to the one shown in Fig. 1. If you have visited https websites, then your trace may not be presented under “http” but under “tls” instead where TLS stands for Transport Layer Security.

4. Save the output as you will need it for later steps

Note: you can either use wget method introduced in the first lab session or simply generate traffic through browsing. When using wget, your traffic will be captured under “http”.

If you cannot capture a trace yourself, use the provided traces available in the Lab folder under Learning Materials in BB shell.

1: Frame Structure [6 marks]

Find the get HTTP packet in the trace similar to the snapshot presented in Fig. 1. Examine the details of the Frame presented in the middle panel of the Wireshark graphical interface.

1. To demonstrate your understanding of hierarchy protocols, present the packet you examined showing the size in bytes of the TCP, IP, and Ethernet protocol header fields, their payloads, and their relative position to each other in the Frame as observed using Wireshark. [4 marks]

2. By examining the details of the Ethernet and IP headers in your trace, answer the following questions:

a. Which Ethernet header field is the demultiplexing key that indicates the next higher layer is IP? What value is used in this field to indicate “IP”? [1 mark]

b. Which IP header field is the demultiplexing key that indicates the next higher layer is TCP? What value is used in this field to indicate “TCP”? [1 mark]

Fig. 1: Trace of a traffic showing the details of the captured trace

2: Ethernet [6 marks]

Find a get HTTP packet in the trace similar to the snapshot presented in Fig. 1. Examine the details of the packet presented in the middle panel of the Wireshark graphical interface.

1. Sketch a figure of the get message that shows the position and size in bytes of the Ethernet header fields (show the range of the Ethernet header and the Ethernet payload). [2 marks]

2. Draw a figure that shows the relative positions of your computer, the router, and the remote server. Label your PC/laptop and the router with their Ethernet addresses. Label your PC/laptop and the remote server with their IP addresses. [2 marks]

Change the display filter to arp, which denotes ‘address resolution protocol’. Choose a packet, expand the Ethernet header field (using the “>” expander or icon) and examine the details.

3. What is the broadcast Ethernet address and which bit of the Ethernet address is used to determine whether it is unicast or multicast/broadcast?

Show a snapshot of your trace that supports your answer. [2 mark]

3: IP Packet Structure [12 marks]

Change the display filter to “ip”.

1. Select any packet in the trace and expand the IP header fields (using the “+” expander or icon) to see the details similar to the snapshot presented in Fig. 2. Examine the details of the IP header fields presented in the middle panel of the Wireshark graphical interface.

By examining the details of the IP packets in your trace, answer the following questions:

a. What does the TTL field represent and what is its initial value? Discuss the importance of this field. [2 mark]

b. What does the Total Length field include? Provide an example from the trace to support your answer. [2 mark]

c. How can you check whether a packet has been fragmented? Discuss all possible cases. [3 mark]

Fig. 2: Trace of a traffic showing the details of the IP header

2. What is the percentage of TCP packets in your captured trace to the total traffic? What is the percentage of UDP ones?Generate an I/O Graph that shows the traffic of each of those transport protocols. [Your answer should be supported by appropriate snapshot(s) of Wireshark.] [3 marks]

3) Use Wireshark to measure the average bit rate of your captured trace (or the trace you obtained from the BB module shell) [2 marks]

4: IP Header Checksum [5 marks]

1. Pick a packet from the trace captured in the previous task, and check that the IP header checksum is correct. Your answer should clearly show the summation process and a snapshot. [2 marks]

2. Explain why the checksum in IP covers only the header and not the data. [3 marks]

5: IEEE 802.11 Standards [7 marks]

Among the recent advances in 802.11 is the introduction of IEEE 802.11ax also known as WiFi

a. Describe IEEE 802.11ax highlighting its underlying technologies

b. Compare the main features of IEEE 802.11ax to those of IEEE 802.11ac and the proposed IEEE 802.11ay

c. The development of the next WiFi generation, WiFi 7, has attracted a lot of research interest recently. Highlight the main specifications projected to be met by WiFi 7 or IEEE 802.11be and its potential features. (Maximum length 1000 words)

Your answer should be supported by recognised publications, preferably from IEEE, that are cited properly using the IEEE referencing style. [7 marks]

Get instant help from 5000+ experts for