So I'm going to try and capture the netcat packets with tcpdump. So I'll start tcpdump, start the capture, and then on computer 14 start a server, listen on port 12345, and then start my client connected to computer 14, port 12345. Send my messages, and now we'll see that in the capture. So you just send some packets between computer 1 and 14, stop my capture, and now open that in Wireshark and have a look. And remember it's useful to disable name resolution; then you won't see the nicknames, you'll see the raw addresses. And I see there are a lot of packets. Let's try and find: how do I filter on packets? There are different ways to filter: port numbers can be filtered, IP addresses, protocols. So the slides show some different filters that you can use. All right, so you can filter by protocol, if you know the IP address; TCP has its port number: tcp.port == 12345, because I know I listened on port 12345. So that's one way, and I find these packets. And I'll just turn off color coding here; the time, let's hide that for now, even the source and destination. So computer 1 is me, computer 14 was the other computer running the netcat server. So the first message is sent from me to the server, and then back. What are these messages? Well, we see the first three: me to the server, back, and then a third one from me to the server. These are TCP messages, and the way that TCP works is, before we send any data, we set up a connection.

We synchronize the two endpoints, and the way to synchronize two endpoints in TCP is to send some synchronize packets, so TCP segments, but there's a flag set called SYN, to synchronize. So the way that it normally works is that I send something to the server saying I want to synchronize with you, the first SYN. The server sends back an ACK saying okay, and the server also sends a synchronize message to me, and it combines them together into one packet. That's why we have a SYN and an ACK together, and the third one is me sending to the server, acknowledging its SYN message. Roughly, we can try and draw that on the screen, if I can get it to work. There's me and computer 14. This is our message sequence diagram, and the first message is the SYN message, sent from computer 1 to computer 14. So this is what we're going to draw; it's called the message sequence diagram, to try to capture the messages. And then there's the SYN-ACK that comes back, and then the third, ACK. This is TCP setting up the connection. So the way TCP works is, before we send data we set up a connection, and the typical way is SYN, SYN-ACK. They're trying to synchronize sequence numbers and synchronize the two entities so they're ready for data transfer, from my computer 1 to 14. You should write the IP address here to be more precise; okay, so I've just written the computer number. Then the next message we see, I send something to the server, computer 14. What do I send in TCP? It's called a push message, and push usually means it contains data. It's saying, here's some data, push it to the application at the other side as soon as possible. And if we look inside that one message, the fourth one here, we actually see the data. Down the bottom we see it contains the words I typed in, so "hello Steve". So this is the data message coming from client to server, and then the next one is an ACK. There's no data in this one.

It's just an ACK saying thanks for the data. So we could draw that. So the fourth message is the data, and then there's an ACK that comes back. So I don't write PSH, ACK, because what it really means to me is it's data, and the data was whatever the message I typed in. And there's some more messages after that. I could draw them if I like, depends how many you sent, but that's the important part of what we see in that message transfer: we see a connection set up and then the data transfer, and that keeps going. If you're lucky you may see a connection close at the end, may see some FIN segments to finish the connection, but you may not see them. So this is what we call a message sequence diagram, and I'd like you to draw them each time we ask you to capture packets, so for each of the three tasks today. Don't draw things that you don't understand. That is, don't write names here which are exactly like on Wireshark; interpret it to what it really means, or simplify it. So I don't write PSH, ACK, I just write data, because I know it's really the data. Okay, and the next one's the ACK. I could add more details, but that's enough in the context of this question. You could add sequence numbers if you like, but that's sufficient to see the types of messages. Then the other type of diagram is to draw maybe one or two of the packets in detail. Let's say focus on the data packet. Let's zoom in on that one data packet and try and draw that. This one data packet is this fourth one in my capture. If I double-click, it shows me the details of that one data packet, and the way to interpret the Wireshark information: note these rows here. That tells us the basic structure of the packet, or a frame is a more precise name.

The entire frame is 78 bytes long. The frame is made up of an Ethernet header, an IP header, a TCP header and 12 bytes of data. So if I want to draw this frame, I'll try and illustrate that there's an Ethernet header, an IP header, TCP and data. Let's try and draw that, and quite simply just illustrate it as a packet diagram. And you've seen in lectures how we draw this: some form of rectangle to illustrate that one packet. And what do we have? Split it into four chunks; it doesn't have to be to scale. There's an Ethernet header, if I can get this to spell correctly, Ethernet, IP, what was next, TCP, and then the data, and all of this was our one large frame, total size. How big was the Ethernet header? So that's my frame. That's how I say to draw the packet diagram: identify the headers. And the other useful thing is the size of each. It's easy to see the size when you click on one of the rows, and I'll go back to the main window in Wireshark. When I click on the Ethernet row, if you look down the bottom in the status bar, it shows you the size of that Ethernet header: 14 bytes. IP, right down the bottom: 20 bytes. TCP: 32 bytes. Data: 12. So we write the sizes on the packet as well. So the total frame size, 78 bytes, when we select it, or we see here "captured 78 bytes", that's the entire frame, but it's split into an Ethernet header, IP, TCP, data. That's how we can visualize it. The entire frame is 78 bytes; the individual headers, or the chunks, are listed there. So that's the basic way to draw a packet diagram. Sometimes it's useful to add a few details. What's inside the headers?

In Wireshark, what's inside the headers is shown when we again zoom in on a particular packet. We can expand and see the Ethernet header contains a destination address, source, and the type, IP packet. The IP header contains a number of different fields, including source and destination. TCP: sequence numbers, ACK numbers, flags, port numbers. And the data, well, the data is just the data that I sent. So sometimes it's useful on the packet diagram to draw the values of important fields. Maybe the addresses are useful. For example, I can draw the source and destination IP addresses. Now you don't need to draw all fields on the packet, and sometimes you can get away with drawing none, but sometimes, if there's a key value of importance, highlight it on your diagram. Addresses are usually important, port numbers; sometimes there's a particular field in a question that will arise. So whenever we give you tasks of capturing, draw these two types of diagrams. You don't need to draw every packet, maybe the main ones, like I chose the data packet; the ACK packets are not very interesting, the data's of interest. And in the frame exchange, the message sequence diagram, you don't have to draw every single packet captured; again, just select the main ones or a sample of the main ones. So that's your task for today. The first: draw a message sequence diagram and a packet diagram for what you should have captured with nc. You should quickly try, even if you don't capture, to use nc in UDP mode. All right, try to use nc in UDP mode; you don't need to capture it. Then we'll have a break, and then at 2:40 you can continue on with tasks two and three. So just keep going with them. Task two is to use ping, capture, look in Wireshark, answer some questions. Task three: access a website while capturing, look in Wireshark, answer some questions. With the aim of learning about how to use Wireshark and tcpdump today.
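Added worked example, not part of the lecture or its lab materials: a small Python parser that takes a raw Ethernet/IPv4/TCP frame and returns the same chunk sizes the lecture reads off Wireshark's status bar (Ethernet 14, IP 20, TCP 32, data 12 for a 78-byte frame) and reduces the TCP flags to the plain labels used on the message sequence diagram. It goes slightly beyond the lecture's data packet by also labelling SYN, SYN-ACK, ACK and FIN segments. The MAC addresses, IP addresses, ports and payload are constructed sample values, not taken from the capture.

```python
import socket
import struct

# TCP flag bits as Wireshark shows them in the flags field
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}

def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b"", opts=b""):
    """Construct a test frame: Ethernet (14) + IPv4 (20) + TCP (20 + options) + payload.
    Constructed sample values only; MACs and checksums are dummies, not from a real capture."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload), 1, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, (tcp_len // 4) << 4,
                      flags, 65535, 0, 0) + opts
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Split a frame into the chunks drawn on a packet diagram and decode the TCP flags."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4               # IP header length from the IHL nibble
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    tcp_len = (frame[tcp_off + 12] >> 4) * 4   # data offset nibble, in 32-bit words
    flag_byte = frame[tcp_off + 13]
    data = frame[tcp_off + tcp_len:]           # whatever follows the TCP header
    return {
        "sizes": {"ethernet": 14, "ip": ihl, "tcp": tcp_len,
                  "data": len(data), "frame": len(frame)},
        "src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}",
        "flags": [n for n, bit in FLAG_BITS.items() if flag_byte & bit],
        "data": data,
    }

def msd_label(info):
    """Reduce the flag list to the plain label for the message sequence diagram:
    PSH,ACK carrying bytes is written as 'data', a bare ACK as 'ACK'."""
    flags = set(info["flags"])
    if "SYN" in flags:
        return "SYN-ACK" if "ACK" in flags else "SYN"
    if "FIN" in flags:
        return "FIN"
    return "data" if info["data"] else "ACK"
```

Building a data packet with 12 bytes of TCP options and the 12-byte payload "hello Steve\n" gives sizes of 14 + 20 + 32 + 12 = 78 bytes, and msd_label turns its PSH,ACK flags into "data".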