Reference no: EM131990591

Networking Assignment: Wireshark Capture Filter

Part 1 - Wireshark and traffic capture basics

Describe what the term promiscuous mode means in relation to capturing network traffic with Wireshark and similar network traffic analysers.

The Capture > Options dialog allows the Name Resolution of Network Layer names. Describe what this means and describe how it could be used for capturing network traffic.

Describe the difference between a network switch and a network hub. Then explain how switched networks limit the network traffic that is visible to Wireshark in comparison to networks that use hubs. (Note - switches are the technology used in today's computer networks.)

In TCP/IP networking IP addresses are used to identify specific computers (or hosts) on the network, clients use port numbers to distinguish particular instances of a client program (for example a specific tab in a web browser) and servers normally listen on well-known port numbers for client requests. For instance ftp at the server uses ports 20 and 21.

From the web or any other source determine the well-known port numbers of the following server programs:

• ftp data
• ftp control
• http
• NTP
• ssh

Also find the well-known port numbers for 6 other network protocols and describe the function that each protocol performs.

Part 2 : Capture filters

In this section of the assignment you are required to learn the syntax for creating Wireshark Capture Filters. Then document and use capture filters to capture specific network traffic.

Discussion of Berkeley Packet Filter (BPF) syntax

The following discussion gives a brief explanation of the BPF syntax to help you get started with constructing your own capture filters.

Wireshark capture filters use the Berkeley Packet Filter (BPF) syntax to specify particular traffic. This syntax is implemented by the libpcap library (Unix/Linux) and by WinPcap on Windows (current Wireshark releases ship its successor, Npcap); these are the libraries Wireshark uses to capture network traffic.

Note - WinDump is the Windows version of a Linux/Unix program called TCPDump and hence TCPDump documentation applies to capture filter syntax as used on Windows machines.

Syntax

The BPF syntax consists of one or more Primitives that specify a particular type of traffic to capture.

Some examples of simple primitives are shown below:

(i) host 192.168.12.22
(ii) host google.com
(iii) src host google.com
(iv) tcp port 80

Things to note about these primitives:

• Primitives start with one or more qualifiers (eg. host, src host, dst host etc.)
• Primitives end with an ID (eg. 192.168.12.22, google.com, 80 etc.)

Note - If you use a named ID such as google.com, libpcap resolves the name to its IP address(es) when the filter is compiled, that is once, at the moment the capture starts; the filter then matches those addresses and nothing else. The Resolve network layer names option in the capture dialog only controls how addresses are displayed in the packet list and has no effect on the capture filter. Because google.com resolves to many addresses, check that the addresses your browser actually connects to are among those the filter was compiled with, or put the resolved address in the filter directly.

In summary a capture filter consists of one or more primitives and those primitives consist of one or more qualifiers followed by an ID.
{ <------- primitive ------> } { operator } { <- primitive -> }
  dst host 192.168.12.13          &&           tcp port 80

The references dst, host, tcp and port are called qualifiers.

The references 192.168.12.13 and 80 are called ID's.

The boxed example above also shows the AND operator being used to join two primitives to make a capture filter expression. The AND operator is one of the three possible operators that are allowed in capture filters, the other two are OR and NOT (libpcap accepts both spellings: and or &&, or or ||, not or !).
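To see what the qualifiers and operators described above do to real packets, here is an added example (not part of the assignment, and not Wireshark or libpcap code): a small Python model of how a compiled capture filter matches Ethernet/IPv4 frames. The frames, the addresses 192.168.12.22 and 192.168.12.13 and the two MAC addresses are constructed inside the script; host, ether_host, port, proto and the AND/OR/NOT combinators are this example's own names for the BPF primitives and operators, not a libpcap API.

```python
"""Model of how a compiled BPF capture filter matches Ethernet/IPv4 frames.

Added example, not assignment or libpcap code: frames are constructed
inline, and the functions below are this script's own names for the BPF
primitives (host, ether host, port, tcp/udp/icmp) and the operators.
"""
import ipaddress
import struct

ETH_HDR_LEN = 14
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ip_proto, sport=0, dport=0):
    """Minimal Ethernet/IPv4 frame with a TCP, UDP or ICMP header (checksums zero)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    if ip_proto == PROTO_TCP:      # data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif ip_proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:                          # ICMP echo request, as sent by ping
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ip_proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_hdr + l4

def dissect(frame):
    """Extract the fields the primitives test; None for non-IPv4 frames."""
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4       # IP header length in bytes
    pnum = frame[ETH_HDR_LEN + 9]
    f = {
        "ether_dst": frame[0:6].hex(":"),
        "ether_src": frame[6:12].hex(":"),
        "ip_src": str(ipaddress.IPv4Address(frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16])),
        "ip_dst": str(ipaddress.IPv4Address(frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20])),
        "proto": pnum, "sport": None, "dport": None,
    }
    if pnum in (PROTO_TCP, PROTO_UDP):          # both carry the ports in their first 4 bytes
        l4 = ETH_HDR_LEN + ihl
        f["sport"], f["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    return f

def _directional(src_key, dst_key, value, direction):
    """Apply the dir qualifier (src, dst, src or dst, src and dst) to a field pair."""
    def pred(f):
        s, d = f[src_key] == value, f[dst_key] == value
        return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]
    return pred

# Primitives.  As in BPF, leaving out the dir qualifier means 'src or dst'.
def host(ip, direction="src or dst"):
    return _directional("ip_src", "ip_dst", ip, direction)

def ether_host(mac, direction="src or dst"):
    return _directional("ether_src", "ether_dst", mac.lower(), direction)

def port(number, direction="src or dst"):
    return _directional("sport", "dport", number, direction)

def proto(name):
    number = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP, "udp": PROTO_UDP}[name]
    return lambda f: f["proto"] == number

# Operators: and (&&), or (||), not (!).
def AND(a, b): return lambda f: a(f) and b(f)
def OR(a, b): return lambda f: a(f) or b(f)
def NOT(a): return lambda f: not a(f)

def apply_filter(pred, frames):
    """Indexes of the frames the filter keeps, i.e. what Wireshark would record."""
    return [i for i, frame in enumerate(frames)
            if (f := dissect(frame)) is not None and pred(f)]

# Constructed sample capture: a workstation (WS) talking to a server (SRV).
WS, SRV = "192.168.12.22", "192.168.12.13"
WS_MAC, SRV_MAC = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
FRAMES = [
    build_frame(WS_MAC, SRV_MAC, WS, SRV, PROTO_TCP, 51000, 80),   # 0: HTTP request
    build_frame(SRV_MAC, WS_MAC, SRV, WS, PROTO_TCP, 80, 51000),   # 1: HTTP reply
    build_frame(WS_MAC, SRV_MAC, WS, SRV, PROTO_UDP, 51001, 53),   # 2: DNS query
    build_frame(WS_MAC, SRV_MAC, WS, SRV, PROTO_TCP, 51002, 443),  # 3: HTTPS request
    build_frame(WS_MAC, SRV_MAC, WS, SRV, PROTO_ICMP),             # 4: ping
]

# The boxed example 'dst host 192.168.12.13 && tcp port 80'
# ('tcp port 80' is short for 'tcp and port 80').
BOXED_EXAMPLE = AND(host(SRV, "dst"), AND(proto("tcp"), port(80)))

if __name__ == "__main__":
    print("dst host SRV && tcp port 80 ->", apply_filter(BOXED_EXAMPLE, FRAMES))
    print("host SRV                    ->", apply_filter(host(SRV), FRAMES))
    print("src host SRV                ->", apply_filter(host(SRV, "src"), FRAMES))
    print("ether host WS_MAC and icmp  ->", apply_filter(AND(ether_host(WS_MAC), proto("icmp")), FRAMES))
    print("not tcp                     ->", apply_filter(NOT(proto("tcp")), FRAMES))
```

Run it with python3 and compare the printed index lists with the comments on FRAMES; swapping the direction qualifier (host(SRV, "src") instead of "dst") or dropping proto("tcp") so that port 80 alone is tested shows how much traffic each qualifier removes. The real filter compiler performs the same checks as BPF bytecode, which tcpdump -d 'dst host 192.168.12.13 && tcp port 80' prints for inspection.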

Sources of documentation of the Berkeley Filter Syntax that you should refer to are:

The pcap-filter manual page (man pcap-filter), which is the reference description of the BPF syntax.
There are also good cheat sheets for tcpdump (Wireshark capture filters) and Wireshark display filters.

The Wireshark Users Guide (Access from Help in Wireshark)

End of discussion of BPF syntax

Documenting BPF qualifier syntax

There are three types of BPF qualifiers:

• Type (3)
• Dir (4)
• Proto (8)

The Type qualifier has three possible options: host, net and port. The other two qualifier types also have associated options: there are 4 options associated with the Dir qualifier type (src, dst, src or dst, src and dst) and 8 options associated with the Proto qualifier type (please disregard the fddi and decnet options as they are seldom used in today's networks).

You are required to describe what each qualifier means and list a total of 10 capture filter examples that incorporate at least 1 qualifier and one ID, and explain how each capture filter works.

Documenting the 3 logical operators for combining primitives

The boxed example above shows the logical AND operator ( && ) being used to combine two primitives. There are two other such logical operators.

Document all three logical operators and give one example of how each could be used in a capture filter.

Implementing BPF capture filters

In this section of the assignment you are required to create a range of capture filters, implement those capture filters in Wireshark and take a screenshot of associated captured traffic.

Your screen captures must include the Time, Source, Destination and Protocol fields of the Wireshark display along with at least two packets (the graphic below shows three packets, 7, 8 and 9).

Because the Time field is displayed to such a fine resolution your screenshot capture will be unique from all other students doing this assignment. This will therefore act as an automatic plagiarism detector.

After creating an appropriate capture filter you may need to generate suitable traffic for Wireshark to capture. For instance, if you create a capture filter for ftp traffic you will need to run an ftp client to generate that traffic. Likewise, when capturing web traffic you could use a browser to generate appropriate traffic. To capture ICMP traffic you might use the ping command, because it sends ICMP echo requests to other hosts.

Example capture filter:

Filter requirements

Capture all traffic between your computer (that is running Wireshark) and the Google search engine in response to the query "caviar" being entered.

Procedure:

Open a browser to www.google.com

From the Wireshark interface select:

Capture > Options >

Select the desired interface (or select all interfaces)

Enter host google.com in the capture filter entry area

Optionally select the display option Resolve network layer names (this only changes how addresses are shown in the packet list; the host name in the capture filter is resolved by libpcap when the filter is compiled)

Start the capture

Then enter the word caviar into the google query field of the browser

Wireshark will capture the required traffic.

Note - Make sure you have selected the correct network interface, or select all interfaces if you are unsure.

Capturing traffic from/to another machine (2 marks)

In network analysis you will frequently need to capture all traffic or specific traffic between your machine that is running Wireshark and another specified machine.

For this exercise you should generate traffic between the machines with the ping command.

Create capture filters that will:

1. Capture all traffic between your machine (the one running Wireshark) and another machine. Use the IP address of the other machine to identify it in the filter.

2. Capture all traffic between your machine (the one running Wireshark) and another machine. Use the MAC address of the other machine to identify it.

3. Capture all traffic from the other machine. Use either the IP or MAC address of the remote machine to identify it.

4. Capture only ICMP traffic between the two machines

Your discussion for this section should:

• include two screenshots
• list all capture filters you used
• describe how each capture filter works.

Excluding particular network traffic (2 marks)

Create a set of capture filters that will:

• Capture broadcast traffic only
• Exclude broadcast traffic
• Capture all traffic from a range of network addresses but exclude broadcast traffic

Briefly discuss how each capture filter works.

Using port numbers in capture filters

Create capture filters that will capture the following types of network traffic:

1. DNS traffic
2. DNS traffic being sent from your machine
3. DHCP traffic in either direction

Briefly discuss how each capture filter works.

Challenge exercise

The BPF syntax can also test the content of a packet at a specific byte offset. The offset is counted from the start of the named protocol header, not from the start of the frame, so tcp[13] is byte 13 of the TCP header regardless of the length of the IP header in front of it.

An example of such syntax would be tcp[13] & 4 == 4

This particular capture filter keeps TCP packets that have the RST flag set: byte 13 of the TCP header holds the flag bits, the bit with value 4 is RST, and the bitwise AND isolates that bit so the test also matches when other flags (ACK, for instance) are set at the same time. Current libpcap accepts the equivalent named form tcp[tcpflags] & tcp-rst != 0.

Describe this syntax so that a layman could understand how such filters work.
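The following Python script is an added example (not part of the assignment or of libpcap) that works the challenge filter through on constructed frames: it builds Ethernet/IPv4/TCP frames with chosen flag bits, locates byte 13 of the TCP header the same way libpcap does (by reading the IP header length field), and contrasts tcp[13] & 4 == 4 with the weaker tcp[13] == 4. The addresses 10.0.0.1 and 10.0.0.2, the ports and the four-byte IP option are constructed test data; tcp_byte, rst_set and rst_only are this script's names, not a libpcap API.

```python
"""What 'tcp[13] & 4 == 4' examines, shown on constructed frames.

Added example, not assignment or libpcap code.  tcp[13] is byte 13 from the
start of the TCP header; libpcap finds that header through the IP header
length (IHL) field, so the test works with or without IP options.  Byte 13
holds the TCP flags and the bit with value 4 is RST.
"""
import struct

ETH_HDR_LEN = 14
TCP_RST, TCP_SYN, TCP_ACK = 0x04, 0x02, 0x10

def tcp_frame(flags, ip_options=b""):
    """Ethernet/IPv4/TCP frame with the given flags.  IP options (a multiple of
    4 bytes) raise the IHL, so the TCP header no longer starts at a fixed offset."""
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 443, 51234, 0, 0, 5 << 4, flags, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 20, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return bytes(12) + b"\x08\x00" + ip + tcp      # zero MACs, EtherType IPv4

def tcp_byte(frame, index):
    """The BPF primitive 'tcp[index]': the byte at that offset inside the TCP header."""
    if frame[12:14] != b"\x08\x00" or frame[ETH_HDR_LEN + 9] != 6:
        return None                            # not IPv4/TCP: BPF drops the packet
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4      # what libpcap's 'ldx 4*([14]&0xf)' computes
    return frame[ETH_HDR_LEN + ihl + index]

def rst_set(frame):
    """'tcp[13] & 4 == 4' (equivalently 'tcp[tcpflags] & tcp-rst != 0')."""
    b = tcp_byte(frame, 13)
    return b is not None and (b & TCP_RST) == TCP_RST

def rst_only(frame):
    """The weaker 'tcp[13] == 4': true only when RST is the sole flag set."""
    return tcp_byte(frame, 13) == TCP_RST

# Constructed frames: a bare RST, the common RST+ACK, a SYN, and a RST behind
# four bytes of IP options (four single-byte NOP options, 0x01, to fill a word).
SAMPLES = {
    "rst": tcp_frame(TCP_RST),
    "rst+ack": tcp_frame(TCP_RST | TCP_ACK),
    "syn": tcp_frame(TCP_SYN),
    "rst with ip options": tcp_frame(TCP_RST, ip_options=b"\x01\x01\x01\x01"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:20} tcp[13]=0x{tcp_byte(frame, 13):02x}  "
              f"'& 4 == 4': {rst_set(frame)}  '== 4': {rst_only(frame)}")
```

The RST+ACK case is the one that matters in practice: a server refusing a connection answers with both bits set (0x14), which tcp[13] == 4 misses and tcp[13] & 4 == 4 catches. The last sample shows why the offset must be taken relative to the TCP header: with IP options present the flags byte moves four bytes further into the frame, and a filter written as a fixed frame offset would read the wrong byte.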
