CS408 Lab1 Packet Analysis With Wireshark Instructor PhD Albert Levi. What is a Network Analyzer ?(a.k.a Packet sniffer ).
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Packet sniffers are software programs that can see the traffic passing over a network or part of a network. As data streams travel over the network, the program captures each packet and eventually decodes its content following the RFC specification.
Why do we need such an analysis?
Ethernet was built around a "shared" principle: all machines on a local network share the same wire. So, all machines are able to "see" all the traffic on the same wire. Thus, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it.
It does this by ignoring all frames whose MAC address doesn't match. If you put your Ethernet Hardware into "promiscuous mode“, you will deactivate the mentioned “filter” and start accepting packets rather than discarding them...
Each Host in the same ethernet network has an IP adress.
Inorder to send data to a destination host, first we have to know the MAC Adress for the destination host. To get the IP adress of the destination, the source broadcasts an ARP packet over the network. ARP stands for Adress Resolution Protocol. (RFC 826)
All network hosts maintain their own ARP tables (caches) to reduce the ARP broadcast overhead. The table is as follows
Simply Remeber this:
ARP translates IP address into a physical MAC address.
To see your computers ARP Cache type “arp –a” and hit enter
Remember the 4 Layer Model, in each layer, the data coming from the upper layer is encapsulated into the current layers PDU.
The Application data is sent to a host with the above encapsulation scheme.
The following ethereal screen shots are from the last frame containig HTTP response from a URL with the HTML data “ Hello CS 408”
Bit 0: reserved, must be zero
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment.
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments.
010 =Dont fragment , Last Fragment
There is not much to say about HTTP header as its mostly ASCII.
Observe that HTTP header is ending in two line-feeds (0D 0A 0D 0A) and then the data comes. <html><b> Hello CS 408 </b><html>