So, good morning everyone. So, today this session is about a basic introduction to Wireshark. For the next half an hour I will give you a brief outline of what we are going to do. First we will answer some basic questions about Wireshark, like what is Wireshark, what are the features of Wireshark and its applications. Then we will briefly touch upon how to install Wireshark on both Windows and Linux platforms. Then we will have a look at the Wireshark graphical user interface, and then we will answer some basic questions using Wireshark with a capture file. So, to start with the basic introduction to Wireshark: Wireshark is a network packet analyzer. What it means is it tries to capture the network packets and displays those packet data in a detailed fashion. Wireshark can also be termed a packet sniffer. This is a passive entity; what I mean by passive is that it cannot send packets on its own, neither can it generate its own packets. It cannot receive packets, that is, none of the packets will be destined to Wireshark; what it actually does is it creates a copy of the network packets that flow through the network interface. And Wireshark is free and open source. So, now the features of Wireshark. Wireshark is available for both Linux and Windows platforms. Using Wireshark you can capture live packet data from a network interface. You can open files containing already captured packet data. There are various tools to capture packet data, like tcpdump or WinDump or even Wireshark. You can import these packets also from text files which contain hex dumps of the packet data. You can display packets with very detailed protocol information across various levels of the TCP/IP protocol stack. You can save captured packet data. You can export all the packet information in a number of capture file formats. You can filter packets based on various criteria.
You can search for a particular packet based on a specific criterion. You can colorize packets based on what those packets represent using a very important tool called filters. To analyze the packet information Wireshark helps you create various statistics, and you can do a lot more. So, the applications of Wireshark: it helps you to learn network protocol internals. It helps you to debug protocol implementations. You can also troubleshoot network problems using Wireshark, and you can also examine security problems. So, now I will turn to the Wireshark demo. First we will look at how to install Wireshark on the Ubuntu platform. So, first we will open the terminal: type terminal. On the terminal you can type the following command: sudo apt-get install wireshark. This will install Wireshark on your platform; it will also ask you for the login credentials. Since Wireshark was already installed on this system, it is showing the message that Wireshark is already installed with the newest version. However, if it is not installed on your machine you can install it using the above command, and it will install it on your Ubuntu platform. Now we will turn to how to install Wireshark on the Windows platform. First, since in Windows to install a software you need an executable file, we will browse to the Wireshark website. So, open your browser, go to google.com, which is the search engine, and then type wireshark download. You will see a link; the first link which appears as a result, click on that link and it will redirect you to the Wireshark website. You can also verify that the URL is somewhat similar to this, and then below you will see a Windows installer. Depending on your OS, whether it is 32 bit or 64 bit, you can download the installer and install Wireshark on your system. So, now we will look at the graphical user interface for Wireshark. Once again open the terminal.
Now, to open Wireshark type the command gksudo wireshark. It will ask you for the login credentials; type in the password and click OK. You will see a couple of dialog boxes; ignore those. Now, to look at the graphical user interface, first we will capture some packets. So, now click on the interface which you see, that is the network interface. Since we have not browsed to any website, I mean we have started the live capture but we have not browsed to any website, it will not show anything. So, now we will go to the browser and open a link. Then Wireshark will start capturing the packets. So, we have opened a web page; now switch to Wireshark again. Now you see that some packets have been captured. So, now I will briefly tell you what options you have on the graphical user interface of Wireshark. On the top you see a menu bar; it allows you to use all the features which are available in Wireshark. Next is the main toolbar, which lets you access the frequently used features such as start a live capture, stop a live capture, save your capture data and so on. The next important thing is the filter. Filters are widely used in Wireshark; they help you to filter packets based on a particular criterion, so that you do not have to look at all the packets which have been captured; instead you can look at only those packets which are of interest to you. We will look at a couple of examples later. So, this is called the display filter. Next is the packet list section. In this section each line corresponds to one packet; each line is a summary of one packet, and there are multiple packets captured. So, you can see what packets have been captured and brief information about each packet. This is the packet details section. This section lets you see all the header information across various layers of the TCP/IP stack: you can see the Ethernet header, the IP header, in this case the UDP header, and the DNS information.
We will look at these details later. The next section is the packet bytes section. It shows the hex and ASCII format of the above representation of information, and the final section below is the status bar, which also has some useful information to display. So, since we had started a live capture, you can stop the running live capture by clicking on this icon. So, now you have stopped the live capture. One other thing that you can do once you have captured your data is that you can save this captured packet data into a file. So, next we will use a capture file; we will load a capture file into Wireshark and then answer a few basic questions using this capture file. So, this is the SB.pcap file which we will use to answer a few basic questions. Now, to again open Wireshark, open the terminal, again type the command gksudo wireshark, give the password; this will open Wireshark. Ignore the messages which you may see, and now we will load the SB.pcap file into Wireshark. For that go to File and click Open. So, you can see that I had shown you the SB.pcap file on the desktop. So, browse to the desktop, choose the SB.pcap file and click Open. This shows the captured data within the SB.pcap file. Now, to remove a few of these black color distractions which are not important for the purpose of this demo, we will disable those coloring rules. So, go to Coloring Rules. We will disable the checksum error color by clicking on the checksum error option, then click Disable, apply the changes and click OK. So, now we will go through some sample exercises. The first question: we would like to count the total number of HTTP GET requests. As you can see, the status bar shows the packets and the displayed packets. So, the total number of packets in this capture file is 718, and since we have not applied any filter to these packets the displayed packets are also 718, as you can see by the bounded red color rectangle.
So, now since we want to count the total number of HTTP GET requests, we will apply a filter to view only the HTTP GET request packets. For that, in the display filter type the following syntax rule. You will type http.request.method. This corresponds to the HTTP request, and in the method we will compare it with GET, since we want to see only the HTTP GET request packets. So, this is the syntax: http.request.method == "GET". Now apply this filter and then you will see that only HTTP GET request packets have been displayed. Again, when you look at the status bar below, now you will see that while the total number of packets is 718, the displayed packets is just 51, which means that the total number of HTTP GET requests in this capture file is 51. So, the answer is 51. So, we will move on to the next question: we want to find the webpage which was visited by the client using the first HTTP GET request. Again we will use the same filter, since we want to find the webpage in the first HTTP GET request. So, using the same trace, this is the first HTTP GET request, and now in the packet details section we will look at the Hypertext Transfer Protocol information. Expand the Hypertext Transfer Protocol information. Within that you will see the Host header, which shows the webpage which was visited by the client. The value of that header is the answer to this question, and also the corresponding hex and ASCII representation of the data is shown in the packet bytes section. So, the answer to this question is the following webpage. First we would like to know what server software is running on the server side. Since server information is typically sent by the server, to get the answer to this question we will look at the HTTP response. So, first we will apply a filter to look at only HTTP response packets.
So, for this in the display filter type http.response and apply the filter. Now choose any one packet; we will choose the first packet, and then below in the Hypertext Transfer Protocol section you will see a Server field. The value of the field displays the server software which was used by the server for the response, and below you will see the hex and ASCII representation of that field. So, the server software which was running on the server side was Apache. Moving on to the next question, now we would like to know how much time elapsed between the first HTTP GET request sent by the client and the first HTTP response sent from the server. To get the answer to this question we want to look at both the first HTTP GET request and the HTTP response. So, we need to apply a filter which will filter out all the HTTP GET requests as well as the HTTP responses. So, initially we decolorized the look just for convenience, and now to apply the filter, since we want to look at both the HTTP GET requests and the HTTP responses, we will use an OR operator to achieve the goal. So, what we will do is we will first filter out the HTTP GET requests using the syntax http.request.method == "GET", and then we will use the OR symbol ||, which is similar to the one used in the C programming language, followed by http.response. So, this will list all the HTTP GET requests as well as the HTTP responses. On applying the filter you can see that all the HTTP GET requests as well as responses have been filtered; that is, you can see all the GET requests and responses which were in the capture file. So, we want the first HTTP GET request. Just for the sake of convenience we will mark this first HTTP GET request. You can right click and click the Mark Packet option. This will mark that packet with black color. So, now since we want to find the time elapsed since this HTTP GET request, we will set this packet as a reference.
So, to do that, click on that packet, right click and choose the Set Time Reference option. As you can see, it is marked by the string REF. All the timings below this packet will indicate the time elapsed since that packet, that is, the first HTTP GET request. Next we want to find the first HTTP GET response. We will mark the first HTTP response just for the sake of convenience. So, now as you can see the time elapsed between the first HTTP GET request and the response is marked with the red rectangle, and that is the answer to this question. To undo the changes like marking the packet and setting the time reference, the same option can be used, as it is a toggle button. So, you can again choose the same option to undo the changes like marking and time reference. So, the answer to this question was the time which was shown previously. Next, moving on to the TCP information, we would like to know the source and destination ports that were used to transfer the first HTTP GET request. So, now since we are interested in only the HTTP GET requests, we will again apply a filter which will show us only the HTTP GET requests in the capture file. Again we will use the same syntax and apply the filter, and we will choose the first HTTP GET request. Now, since we want to identify the ports, we will expand the Transmission Control Protocol information in the packet details section. To identify the source and destination ports there are fields corresponding to them which show the source and destination ports that were used to transfer that packet. As you can see, the source and destination ports have been displayed in the header. So, this will tell you the source and destination port used for the transfer. Moving on to the IP header, we would like to identify the client and server IP addresses that were used to transfer the first HTTP GET request. Again we will use the same filter, since we are looking at only the HTTP GET requests.
We will choose the first packet. Now we will look at the Internet Protocol information in the packet details section; it will show various header information in the packet. We will scroll down to look at the source and destination IP addresses. There will be a Source field which will tell you the source IP address from where the packet came, and the Destination IP address which is the destination of the packet. Another easy way to identify the source and destination: you can see them both in the packet list section corresponding to that packet. So, this will tell you the client and server IP addresses. Moving on to the last question, we would like to identify the client and server MAC addresses in the first HTTP GET request. Again we will use the same filter, since we are looking at only HTTP GET requests. We will select the first HTTP GET request, and now in the packet details section we will look at the Ethernet information, which is the data link layer information. When you expand it you will see the Destination and Source fields below. This will tell you the MAC addresses of the source and destination of the first HTTP GET request. So, these are the MAC addresses of the client and server. So, thank you for your attention; for any queries you can post them on the Wireshark forum on Moodle. Thank you.