Tuesday, September 4, 2012

Wireshark Exercises


Saving some Wireshark exercises (in English)



I) Exercise One

Open “Wireshark”, then use the “File” menu and the “Open” command to open the file “Exercise One.pcap”. You should see 26 packets listed. 

This set of packets describes a ‘conversation’ between a user’s client and a central server. This entire conversation happens automatically, after a user types something and hits enter. Look at the packets to answer the following questions in relation to this conversation. 

In answering the following questions, use brief descriptions. For example, “In frame X, the client requests a web page, and in frame Y, the server delivers the content of the page.”

a) What is the IP address of the client that initiates the conversation?
b) Use the first two packets to identify the server that is going to be contacted. List the common name, and three IP addresses that can be used for the server.
c) What is happening in frames 3, 4, and 5?
d) What is happening in frames 6 and 7?
e) Ignore frame eight. However, for your information, frame eight is used to manage flow control.
f) What is happening in frames nine and ten? How are these two frames related?
g) What happens in packet 11?
h) After the initial set of packets is received, the client sends out a new request in packet 12. This occurs automatically without any action by the user. Why does this occur? See the first “hint” to the left.
i) What is occurring in packets 13 through 22?
j) Explain what happens in packets 23 through 26. See the second “hint” to the left.
k) In one sentence describe what the user was doing (Reading email? Accessing a web page? FTP? Other?).
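The first two frames of Exercise One are a DNS query and its response, and the common name plus the server's addresses all come from the answer section of that response. The following Python script is an added example, not part of the original exercises or their capture files: it builds a constructed DNS response containing one CNAME record and three A records (the names www.example.com and web.example.com and the 192.0.2.x addresses are assumptions) and then dissects it the way Wireshark's DNS dissector does, including the label-compression pointers that real resolvers emit.

```python
import struct
from typing import List, Tuple

# Constructed sample values (assumptions, not from the exercise's capture file).
QUERY_NAME = "www.example.com"
TARGET_NAME = "web.example.com"
ADDRESSES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

TYPE_A, TYPE_CNAME = 1, 5


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return out + b"\x00"


def build_sample_response() -> bytes:
    """Build a DNS response with 1 question, 1 CNAME answer and 3 A answers.

    Compression pointers (0xC0 | offset) are used as real servers use them,
    so the parser below has to follow them.
    """
    # Header: ID, flags (response, recursion available), QD=1, AN=4, NS=0, AR=0
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0))
    qname_offset = len(msg)                       # 12: where "www.example.com" starts
    msg += encode_name(QUERY_NAME) + struct.pack("!HH", TYPE_A, 1)
    # "example.com" begins right after the "www" label (1 length byte + 3 chars)
    suffix_offset = qname_offset + 1 + len("www")
    # Answer 1: www.example.com CNAME web.example.com ("web" + pointer to "example.com")
    cname_rdata = b"\x03web" + struct.pack("!H", 0xC000 | suffix_offset)
    msg += struct.pack("!HHHIH", 0xC000 | qname_offset, TYPE_CNAME, 1, 300, len(cname_rdata))
    target_offset = len(msg)                      # where "web.example.com" starts
    msg += cname_rdata
    # Answers 2-4: web.example.com A <address>, owner name given as a pointer
    for addr in ADDRESSES:
        rdata = bytes(int(octet) for octet in addr.split("."))
        msg += struct.pack("!HHHIH", 0xC000 | target_offset, TYPE_A, 1, 60, 4) + rdata
    return bytes(msg)


def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just past it).

    A pointer ends the name in the record, so the returned offset is the one
    after the 2-byte pointer, not after the labels it points to.
    """
    labels: List[str] = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:                         # refuse malformed pointer loops
                raise ValueError("DNS name pointer loop")
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes) -> List[Tuple[str, int, str]]:
    """Return (owner name, record type, rdata as text) for every answer record."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):                      # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_CNAME:
            value, _ = read_name(msg, offset)
        elif rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        else:
            value = msg[offset:offset + rdlen].hex()
        answers.append((owner, rtype, value))
        offset += rdlen
    return answers


def summarize(msg: bytes) -> Tuple[str, List[str]]:
    """What the exercise asks for: the server's common name and its addresses."""
    answers = parse_answers(msg)
    cnames = [v for _, t, v in answers if t == TYPE_CNAME]
    common_name = cnames[-1] if cnames else (answers[0][0] if answers else "")
    addresses = [v for _, t, v in answers if t == TYPE_A]
    return common_name, addresses


if __name__ == "__main__":
    name, addrs = summarize(build_sample_response())
    print("common name:", name)
    for a in addrs:
        print("address:", a)
```

The CNAME is why Wireshark shows a "common name" that differs from the name the client asked for: the A records are attached to the CNAME target, not to the queried name, which is also the point behind the trick question in Exercise Two (e).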


II) Exercise Two
Open “Wireshark”, then use the “File” menu and the “Open” command to open the file “Exercise Two.pcap”. You should see 176 packets listed.

a) In the first few packets, the client machine is looking up the common name (cname) of a web site to find its IP address. What is the cname of this web site? Give two IP addresses for this web site.
b) How many packets/frames does it take to receive the web page (the answer to the first http get request only)?
c) Does this web site use gzip to compress its data for sending? Does it write cookies? In order to answer these questions, look under the payload for the reassembled packet that represents the web page. This will be the last packet from question b above. Look to see if it has “Content-Encoding” set to gzip, and to see if it has a “Set-Cookie” to write a cookie.
d) What is happening in packets 26 and 27? Does every component of a web page have to come from the same server? See the Hint to the left.
e) In packet 37 we see another DNS query, this time for us.i1.yimg.com. Why does the client need to ask for this IP address? Didn’t we just get this address in packet 26? (This is a trick question; carefully compare the two common names in packet 26 and 37.)
f) In packet 42 we see an HTTP “Get” statement, and in packet 48 a new HTTP “Get” statement. Why didn’t the system need another DNS request before the second get statement? Click on packet 42 and look in the middle window. Expand the line titled “Hypertext Transfer Protocol” and read the “Host:” line. Compare that line to the “Host:” line for packet 48.
g) Examine packet 139. It is one segment of a PDU that is reassembled with several other segments in packet 160. Look at packets 141, 142, and 143. Are these three packets also part of packet 160? What happens if a set of packets that are supposed to be reassembled do not arrive in a continuous stream or do not arrive in the proper order?
h) Return to examine frames 141 and 142. Both of these are graphics (GIF files) from the same source IP address. How does the client know which graphic to match up to each get statement? Hint: Click on each and look in the middle window for the heading line that starts with “Transmission Control Protocol”. What difference do you see in the heading lines for the two files? Return to the original “Get” statements. Can you see the same difference in the “Get” statements?



III) Exercise Three

Open “Wireshark”, then use the “File” menu and the “Open” command to open the file “Exercise Three.pcap”. You should see 22 packets listed. These packets represent two different requests for web pages. 
Packets 1-7 involve the request for the web page www.yahoo.com. Packets 8-22 involve the request for the web page my.usf.edu.


a) Compare the destination port in the TCP packet in frame 3 with the destination port in the TCP packet in frame 12. What difference do you see? What does this tell you about the difference in the two requests?
The following table compares the two requests for web pages. For example, row i) shows that frames 1-2 and frames 8-9 represent the DNS lookups for each of the web requests.









b) Explain what is happening in row “iii” above. Why are there no frames listed for yahoo in row “iii”?
c) Look at the “Info” column on frame 6. It says: “GET / HTTP/1.1”. What is the corresponding Info field for the my.usf.edu web request (frame 21)? Why doesn’t it read the same as in frame 6?
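Three of the questions above turn on the same TCP facts: the three-way handshake (Exercise One, frames 3-5) and the first HTTP GET (frame 11); the client's source port telling two downloads from the same server apart (Exercise Two, h); and destination port 80 versus 443 deciding whether the request line is readable at all (Exercise Three, a and c). The script below is an added Python example, not code from the original exercises or their capture files: it builds a handful of constructed Ethernet/IPv4/TCP frames (the addresses 192.0.2.50, 198.51.100.10 and 198.51.100.20, the ports and the host name www.example.com are all assumptions), dissects them by hand, groups them into conversations the way Wireshark's "Follow TCP Stream" does, and gives each frame the one-line reading the exercise answers ask for.

```python
import struct
from typing import Dict, List, Optional, Tuple

SYN, PSH, ACK = 0x02, 0x08, 0x10

# Constructed endpoints (assumptions, documentation address ranges).
CLIENT, WEB, SECURE = "192.0.2.50", "198.51.100.10", "198.51.100.20"


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int,
                flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (no options, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    eth = b"\x00" * 12 + b"\x08\x00"             # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[dict]:
    """Dissect Ethernet -> IPv4 -> TCP; return None for anything else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:   # IPv4 carrying TCP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport,
            "flags": tcp[13], "payload": tcp[data_off:]}


def describe(pkt: dict) -> str:
    """One-line reading of a frame, in the form the exercise answers ask for."""
    f, payload = pkt["flags"], pkt["payload"]
    if f & SYN and not f & ACK:
        return f"SYN: client {pkt['src']}:{pkt['sport']} opens a connection to port {pkt['dport']}"
    if f & SYN and f & ACK:
        return "SYN/ACK: server accepts the connection"
    if payload.startswith(b"GET "):
        request_line, _, headers = payload.partition(b"\r\n")
        host = next((line.split(b":", 1)[1].strip().decode()
                     for line in headers.split(b"\r\n")
                     if line.lower().startswith(b"host:")), "?")
        return f"HTTP {request_line.decode()} for Host {host} (client port {pkt['sport']})"
    if pkt["dport"] == 443 and payload:
        return "TLS data to port 443: the request line is encrypted and cannot be read"
    if f & ACK and not payload:
        return "ACK: handshake completes / data acknowledged"
    return f"TCP data ({len(payload)} bytes)"


def stream_key(pkt: dict) -> Tuple[str, int, str, int]:
    """Normalise the 4-tuple so both directions of one connection share a key."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return lo + hi


def group_streams(frames: List[bytes]) -> Dict[Tuple[str, int, str, int], List[str]]:
    """Group dissected frames by connection, like Wireshark's Follow TCP Stream."""
    streams: Dict[Tuple[str, int, str, int], List[str]] = {}
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt:
            streams.setdefault(stream_key(pkt), []).append(describe(pkt))
    return streams


GIF_A = b"GET /a.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GIF_B = b"GET /b.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed capture: two plain-HTTP connections to the same server (different
# client ports) and one HTTPS connection; the TLS payload is a made-up record.
SAMPLE_FRAMES = [
    build_frame(CLIENT, WEB, 49152, 80, SYN),
    build_frame(WEB, CLIENT, 80, 49152, SYN | ACK),
    build_frame(CLIENT, WEB, 49152, 80, ACK),
    build_frame(CLIENT, WEB, 49152, 80, PSH | ACK, GIF_A),
    build_frame(CLIENT, WEB, 49153, 80, SYN),
    build_frame(WEB, CLIENT, 80, 49153, SYN | ACK),
    build_frame(CLIENT, WEB, 49153, 80, ACK),
    build_frame(CLIENT, WEB, 49153, 80, PSH | ACK, GIF_B),
    build_frame(CLIENT, SECURE, 49154, 443, SYN),
    build_frame(SECURE, CLIENT, 443, 49154, SYN | ACK),
    build_frame(CLIENT, SECURE, 49154, 443, ACK),
    build_frame(CLIENT, SECURE, 49154, 443, PSH | ACK, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for key, lines in group_streams(SAMPLE_FRAMES).items():
        print(f"stream {key}:")
        for line in lines:
            print("   ", line)
```

The two GIF requests go to the same server address and port, so the only thing that separates them, both in the "Get" frames and in the data that comes back, is the client's source port; that is the difference the hint in Exercise Two (h) points at, and it is what `stream_key` uses to keep the two conversations apart. On the port 443 connection the handshake looks identical, but what follows is TLS, so there is no "GET / HTTP/1.1" in the Info column to compare.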



Original file and more exercises (without .cap)

Exercises PDF

Wireshark+QuickStart+Guide

Wireshark, Quick Start Guide
