Part 1: Prepare Wireshark to Capture Packets

Part 2: Capture, Locate, and Examine Packets

Background / Scenario

In this lab, you will use Wireshark to capture and examine packets generated between the PC browser using the HyperText Transfer Protocol (HTTP) and a web server, such as www.google.com. When an application, such as HTTP or FTP (File Transfer Protocol), first starts on a host, TCP uses the three-way handshake to establish a reliable TCP session between the two hosts. For example, when a PC uses a web browser to surf the Internet, a three-way handshake is initiated, and a session is established between the PC host and the web server. A PC can have multiple, simultaneous, active TCP sessions with various websites.

Note: This lab cannot be completed using Netlab. This lab assumes that you have Internet access.

Answers Note: Using a packet sniffer, such as Wireshark, may be considered a breach of the security policy of the school. It is recommended that permission be obtained before running Wireshark for this lab. If using a packet sniffer is an issue, the instructor may wish to assign the lab as homework or perform a walk-through demonstration.

Required Resources

1 PC (Windows 7, 8, or 10 with command prompt access, Internet access, and Wireshark installed)

Part 1: Prepare Wireshark to Capture Packets

In Part 1, you will start the Wireshark program and select the appropriate interface to begin capturing packets.

Step 1: Retrieve the PC interface addresses.

For this lab, you will need to retrieve the IP address of your PC and its network interface card (NIC) physical address, also called the MAC address.

a. Open a command prompt window, type ipconfig /all, and press Enter.

b. Write down the IP and MAC addresses associated with the selected Ethernet adapter. That is the source address to look for when examining captured packets.

The PC host IP address: ____________________ Answers will vary. In this case, it is

The PC host MAC address: ____________________ Answers will vary. In this case, it is 00:24:D7:1C:50:44.

Step 2: Start Wireshark and select the appropriate interface.

a. Click the Windows Start button. In the pop-up menu, double-click Wireshark.

b. After Wireshark starts, select the active interface for data capture. The active interface will show traffic activity.

Part 2: Capture, Locate, and Examine Packets

Step 1: Capture the data.

a. Click the Start button to begin the data capture.

b. Open a web browser and visit www.google.com. Minimize the browser and return to Wireshark. Stop the data capture.

Note: Your instructor may provide you with a different website. If so, enter the website name or address here: ____________________

The capture window is now active. Locate the Source, Destination, and Protocol columns.

Step 2: Locate appropriate packets for the web session.

If the computer was recently started and there has been no activity in accessing the Internet, you can see the entire process in the captured output, including the Address Resolution Protocol (ARP), Domain Name System (DNS), and the TCP three-way handshake. If the PC already had an ARP entry for the default gateway, then it means that it started with the DNS query to resolve www.google.com.

Step 3: Examine the information within packets, including IP addresses, TCP port numbers, and TCP control flags.

a. In our example, frame 8 is the start of the three-way handshake between the PC and the Google web server. In the packet list pane (top section of the main window), select the frame. This highlights the line and displays the decoded information from that packet in the two lower panes. Examine the TCP information in the packet details pane (middle section of the main window).

b. Click the + icon to the left of Transmission Control Protocol in the packet details pane to expand the view of the TCP information.

c. Click the + icon to the left of Flags. Look at the source and destination ports and the flags that are set.

Note: You may have to adjust the top and middle window sizes within Wireshark to display the necessary information.

What is the TCP source port number? ____________________ Answers will vary. In this example, the source port is 51563.

How would you classify the source port? ____________________ Dynamic or Private

What is the TCP destination port number? ____________________ Port 443

How would you classify the destination port? ____________________ Well-known, registered (HTTP or web protocol)

Which flag (or flags) is set? ____________________ SYN flag

What is the relative sequence number set to? ____________________ 0

d. To select the next frame in the three-way handshake, select Go on the Wireshark menu and select Next Packet in Conversation. In this example, this is frame 13. This is the Google web server reply to the initial request to start a session.

What are the values of the source and destination ports? ____________________ Source port is now 80, and destination port is now 51563

Which flags are set? ____________________ The Synchronize flag (SYN) and Acknowledgment flag (ACK)

What are the relative sequence and acknowledgment numbers set to? ____________________ The relative sequence number is 0, and the relative acknowledgment number is 1.

e. Finally, examine the third packet of the three-way handshake in the example. Click frame 14 in the top window to display the following information in this example:

Examine the third and last packet of the handshake.

Which flag (or flags) is set? ____________________ Acknowledgment flag (ACK)

The relative sequence and acknowledgment numbers are set to 1 as a starting point. The TCP connection is established and communication between the source computer and the web server can begin.

f. Close the Wireshark program.
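The three handshake frames examined in Step 3 can also be decoded programmatically, which makes it clear where the values in Wireshark's packet details pane come from. The following Python script is an added example for this lab, not part of the original lab or of Wireshark: it builds three constructed Ethernet/IPv4/TCP frames (placeholder addresses from the documentation ranges, the lab's example client port 51563, and arbitrary initial sequence numbers), parses the headers back with the standard struct module, classifies the ports by IANA range, names the flags, and computes the relative sequence and acknowledgment numbers the same way Wireshark does (each direction's first sequence number is treated as 0). The Wireshark display filters in the comments use real tcp.flags fields.

```python
"""Decode a TCP three-way handshake the way Wireshark's packet details pane
shows it: ports, flags and *relative* sequence/acknowledgment numbers.

Added example; the frames below are constructed, not captured.
Equivalent Wireshark display filters for each stage of the handshake:
  SYN     : tcp.flags.syn == 1 && tcp.flags.ack == 0
  SYN-ACK : tcp.flags.syn == 1 && tcp.flags.ack == 1
  ACK     : tcp.flags.syn == 0 && tcp.flags.ack == 1
"""
import struct
from dataclasses import dataclass

# Constructed addresses (RFC 5737 / RFC 7042 documentation ranges), except the
# PC MAC, which is the lab's example value.
PC_IP, SRV_IP = "192.0.2.10", "203.0.113.5"
PC_MAC = bytes.fromhex("0024d71c5044")
SRV_MAC = bytes.fromhex("00005e005301")

# TCP flag bits (low 9 bits of the data-offset/flags field), in bit order.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass
class TcpSegment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: list


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags) -> bytes:
    """Ethernet + IPv4 + TCP header, no options or payload (checksums left 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    src_mac, dst_mac = (PC_MAC, SRV_MAC) if src_ip == PC_IP else (SRV_MAC, PC_MAC)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def parse_frame(frame: bytes) -> TcpSegment:
    """Walk Ethernet -> IPv4 -> TCP and pull out what Wireshark displays."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    names = [n for bit, n in sorted(TCP_FLAGS.items()) if off_flags & bit]
    return TcpSegment(src_ip, dst_ip, sport, dport, seq, ack, names)


def classify_port(port: int) -> str:
    """IANA port ranges, the basis for the 'classify the port' questions."""
    if port < 1024:
        return "Well-known"
    if port < 49152:
        return "Registered"
    return "Dynamic or Private"


def handshake_stage(seg: TcpSegment) -> str:
    f = set(seg.flags)
    return {frozenset({"SYN"}): "SYN", frozenset({"SYN", "ACK"}): "SYN-ACK",
            frozenset({"ACK"}): "ACK"}.get(frozenset(f), "other")


def relative_numbers(segments):
    """(stage, relative seq, relative ack) per segment, as Wireshark shows them.

    The first sequence number seen in each direction is that direction's ISN;
    relative seq = seq - ISN(this direction), relative ack = ack - ISN(reverse).
    """
    isn, out = {}, []
    for s in segments:
        fwd = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        rev = (s.dst_ip, s.dst_port, s.src_ip, s.src_port)
        isn.setdefault(fwd, s.seq)
        rel_seq = (s.seq - isn[fwd]) & 0xFFFFFFFF
        rel_ack = (s.ack - isn[rev]) & 0xFFFFFFFF if "ACK" in s.flags and rev in isn else 0
        out.append((handshake_stage(s), rel_seq, rel_ack))
    return out


def constructed_handshake():
    """The three frames of Step 3 with constructed ISNs (client 0x1A2B3C4D, server 0x99887766)."""
    c_isn, s_isn, cport, sport = 0x1A2B3C4D, 0x99887766, 51563, 80
    return [
        build_frame(PC_IP, SRV_IP, cport, sport, c_isn, 0, 0x002),            # SYN
        build_frame(SRV_IP, PC_IP, sport, cport, s_isn, c_isn + 1, 0x012),   # SYN-ACK
        build_frame(PC_IP, SRV_IP, cport, sport, c_isn + 1, s_isn + 1, 0x010),  # ACK
    ]


if __name__ == "__main__":
    segs = [parse_frame(f) for f in constructed_handshake()]
    for s, (stage, rseq, rack) in zip(segs, relative_numbers(segs)):
        print(f"{stage:8} {s.src_ip}:{s.src_port} ({classify_port(s.src_port)}) -> "
              f"{s.dst_ip}:{s.dst_port} ({classify_port(s.dst_port)}) "
              f"flags={s.flags} seq={rseq} ack={rack}")
```

Running the script prints one line per frame; the SYN shows relative seq 0, the SYN-ACK seq 0 / ack 1, and the final ACK seq 1 / ack 1, matching the answers in Step 3. The raw 32-bit sequence numbers are kept in the TcpSegment, so you can also see why Wireshark offers "relative sequence numbers" as a display option rather than showing the large random ISNs.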

There are hundreds of filters available in Wireshark. A large network can have numerous filters and many different types of traffic. List three filters that might be useful to a network administrator. ____________________ Answers will vary but could include TCP, specific IP addresses (source or destination), and protocols such as HTTP.

What other ways could Wireshark be used in a production network? ____________________ Wireshark is often used for security purposes for after-the-fact analysis of normal traffic or after a network attack. New protocols or services may need to be captured to determine what port or ports are used.