This document provides instructions for Assignment 2, which involves using Wireshark to analyze Ethernet MAC frames. Students are asked to download and install Wireshark on their own computer, capture basic HTTP traffic, and answer questions about the Ethernet frame structure and specific packet details. The assignment involves identifying interfaces, examining TCP handshake and HTTP request/response packets, and explaining fields in the Ethernet frame such as destination/source MAC addresses.
Instructor: Dr. Shaji Khan (shajikhan@umsl.edu or 314-489-9733)
Page 1 of 6
INFSYS 3842/6836
Assignment 2 (Lab): Understanding layering and Ethernet MAC Frames Using Wireshark
Points Possible: 100
Due Date: Oct 8, 2016 by 11:59pm Central Time
IMPORTANT NOTE: THIS LAB MUST BE CARRIED OUT ON YOUR OWN COMPUTER AND OWN NETWORK. PLEASE DO NOT CAPTURE PACKETS ON A NETWORK THAT YOU DO NOT OWN. YOU'VE BEEN WARNED!
Lab Overview: It is important that we are able to understand the idea behind "layers of functionality" provided by different protocols that work together at different levels to accomplish data networking. Capturing some network traffic using Wireshark and carefully analyzing the packets is a great way to learn about layered functionality as well as the syntax of some key protocols such as Transmission Control Protocol (TCP), Internet Protocol (IP), and Ethernet, as well as some common application layer protocols such as Hyper-Text Transfer Protocol (HTTP).
Lab Purpose:
1) To download and install Wireshark on students' personal computers
2) To learn the basics of how to use Wireshark to capture network traffic (from students' own computers and own networks)
3) To learn about basic "Capture Filters" available in Wireshark
4) Understand the syntax of Layer 2 Frames.
Lab Tasks: There are two tasks for this lab.
TASK 1
Download and install Wireshark on your OWN computer. Visit http://www.wireshark.org and download the latest version. Installation may vary a bit depending on your operating system. The best source of help is the Wireshark wiki (https://wiki.wireshark.org) but it can be a bit cryptic for beginners. There are plenty of other tutorials/videos online in case you need help.
TASK 2: (This task has five questions)
In this task you will use Wireshark to capture basic HTTP traffic and complete the activities and questions as described below.
I recommend you watch some videos on YouTube on capturing HTTP traffic using Wireshark. The process is fairly simple, as demonstrated in class, but feel free to learn more.
Also familiarize yourself with the basic interface of Wireshark (the menus, options, filters etc.). Again, plenty of videos are available online and the Wireshark wiki is best if you really want to learn.
STEPS:
1) Open Wireshark and identify the interface you will capture traffic from (Wireless or Ethernet LAN)
LAB Question 1: How many interfaces does Wireshark recognize your computer has? What types of interfaces are they (Wired Ethernet LAN/Wireless/Virtual?)?
There are four interfaces. Those are: 1) Wi-Fi (wireless), 2) VirtualBox Host-Only Network (virtual adapter), 3) Network Connection and 4) USBPcap1 (virtual USB capture interface).
CONTINUE:
2) Close all browser windows and other applications. Also, clear your browser's cache/history/temporary files. In Internet Explorer hit (Ctrl + Shift + Delete).
3) Open a browser window and type in http://www.umsl.edu/~khanshaj/3842/basic_http.html. DO NOT press Enter yet.
4) Go back to Wireshark and Start a capture.
5) Go back to the browser window and now hit Enter to visit the page.
6) Once the page loads, close the browser window.
7) Return to Wireshark and Stop the capture. Save the capture on your computer. Call it "BasicHTTPCapture".
8) Examine the packets captured and scroll to find the rows that Wireshark colors as TCP-based traffic (with the default coloring rules, plain TCP rows are light purple and HTTP rows are light green). Notice the three-way handshake (SYN, SYN/ACK, ACK), the HTTP request and the data responses from the server, the acknowledgements, and the four-way close (FIN/ACK exchange).
9) FIND THE PACKET that belongs to the HTTP GET request asking for the basic_http.html file. See picture below for an example. Once located, right click on that packet and choose "Follow TCP Stream". This applies a display filter for that stream (tcp.stream eq N) and hides all other packets, allowing you to focus on just this TCP session. Another window showing the HTTP requests and responses should also open. You can minimize it.
10) With the above GET request packet selected (it should remain highlighted), please complete the rest of this lab.
LAB Question 2:
Using the packet associated with the GET request as mentioned above, please complete the following fields in the Frame Header below (SEE NEXT PAGE FOR FIGURE).
The idea here is to learn about the different fields and what they accomplish.
NOTE: Although the field values are ultimately binary on the wire (the bottommost section of the Wireshark window, the packet bytes pane, shows them as hex and ASCII), please feel free to provide the values as they appear in the MIDDLE part (the packet details pane, i.e. either decimal or hex as the case may be) of the Wireshark window.
Type in your values in the "Light Gray" shaded areas immediately below each field. Only fields with light gray areas below them are required to be completed.
[Hint: please visit https://en.wikipedia.org/wiki/Ethernet_frame to learn more about Ethernet and its Frame Structure and to better understand what each of the fields below means]
Layer 1 Ethernet packet (the actual bits sent at the physical layer):
  Preamble - 7 Octets (Not displayed in Wireshark)
  Start of Frame Delimiter (SFD) - 1 Octet (Not displayed in Wireshark)
  Layer 2 Ethernet Frame:
    Layer 2 Ethernet Frame Header:
      Destination MAC Address - 6 Octets: 78-24-AF-C3-53-0A
      Source MAC Address - 6 Octets: B4-AE-2B-27-8D-B5
      802.1Q tag - 4 Octets (Optional. Present only in 802.1Q tagged frames. Can have more than one of these.):
        Tag Protocol ID (2 Octets, value 0x8100)
        Tag Control Information (2 Octets): PCP (3 bits) | DEI (1 bit) | VLAN ID (12 bits)
      Ethertype (present in Ethernet II frames) or length (present in 'pure' IEEE 802.3 frames) - 2 Octets: IPv4 (0x0800)
    Frame Data:
      Payload (46 octets minimum, or 42 octets minimum when an 802.1Q tag is present, to 1500 octets maximum):
        Layer 3 Header (IP Datagram/Packet Header)
        Layer 4 Header (e.g., TCP Segment Header)
        Application Data (e.g., HTTP)
        PADDING (if needed to reach the minimum payload size)
    Frame Trailer:
      Frame Check Sequence (a 32-bit Cyclic Redundancy Check number, 4 Octets) (Not displayed in Wireshark; the network card normally strips it before the capture)
  Inter-packet Gap (12 Octets)
LAB Question 3: Using the https://en.wikipedia.org/wiki/Ethernet_frame link or any other sources you find, please briefly explain what each of the following fields means (i.e. their purpose). Please do not simply copy-paste but try to understand and explain. [Copy-paste answers will not receive any credit]
[Hint: A good reading of the above link and understanding the frame structure will help with this task. The answers are given on the link above but try to actually understand what each field does]
1. Preamble - 7 Octets: This consists of a 56-bit (seven-byte) pattern of alternating 1 and 0 bits (10101010 repeated seven times), allowing devices on the network to easily synchronize their receive clocks. It is followed by the SFD, which marks a new incoming frame.
2. Start of Frame Delimiter (SFD) - 1 Octet: An eight-bit (one-byte) value (10101011) that marks the end of the preamble, which is the first field of an Ethernet packet, and indicates the beginning of the Ethernet frame: the very next octet is the first octet of the destination MAC address. Together with the preamble it is part of the packet that envelops the frame, not part of the frame itself, which is why Wireshark does not show it.
3. Destination MAC Address - 6 Octets: The unique layer 2 hardware identifier of the network interface the frame is being sent to (it is not an IP address; IPv4/IPv6 addresses live in the layer 3 header inside the payload). In other words, it is the physical address of the interface that receives the information. The first bit transmitted (the least-significant bit of the first octet) says whether the address is unicast (0) or multicast (1), and FF-FF-FF-FF-FF-FF is the broadcast address delivered to every interface on the LAN.
4. Source MAC Address - 6 Octets: The physical address (unique identifier) of the network interface on the machine you are using. It can be found by running ipconfig /all in the command prompt (ip link or ifconfig on Linux/macOS).
5. Ethertype (present in Ethernet II frames) or length (present in 'pure' IEEE 802.3 frames) - 2 Octets [explain both purposes clearly and clarify how it is known what purpose these 2 octets are serving]: Ethernet II framing defines the two-octet EtherType field in an Ethernet frame, preceded by the destination and source MAC addresses, that identifies the upper layer protocol encapsulated in the frame data. So an EtherType value of 0x0800 signals that the frame contains an IPv4 datagram. Likewise, an EtherType value of 0x0806 indicates an ARP frame, 0x8100 indicates an IEEE 802.1Q tagged frame and 0x86DD indicates an IPv6 datagram. In 'pure' IEEE 802.3 framing the same two octets instead carry the length of the payload in octets, and the protocol is identified by an LLC/SNAP header at the start of the payload. The receiver tells the two uses apart purely by the value: a value of 1500 (0x05DC) or less is a length, since 1500 is the maximum payload; a value of 1536 (0x0600) or more is an EtherType; values in between are undefined. For the GET request packet Wireshark shows "Type: IPv4 (0x0800)", so this is an Ethernet II frame.
6. Frame Check Sequence - 4 Octets: (clearly identify what part of frame this is present in, what is the purpose, and how does it work) The Frame Check Sequence is the frame trailer: the last 4 octets of the frame, placed after the payload and any padding. Its purpose is to detect corruption of the frame in transit, for example from electrical noise or a bad cable; it is a 32-bit cyclic redundancy check (CRC-32). The sender computes the CRC over the destination address, source address, type/length field and payload and appends it; the receiver computes the same CRC over the received frame and compares it with the received FCS (equivalently, running the CRC over the whole frame including the FCS yields a fixed residue when no bits were changed). If the values do not match, the network interface discards the frame and the sender never learns of it at this layer; that is why the FCS is normally stripped before the frame reaches Wireshark. Because anyone can recompute a CRC, the FCS detects accidental errors but offers no protection against deliberate modification.
LAB Question 4: In general, what is the minimum size of the Layer 2 Ethernet Frame in bytes? What is/are the maximum size(s)? The minimum size of a Layer 2 Ethernet Frame is 64 bytes (14-byte header + 46-byte minimum payload + 4-byte FCS; anything shorter is a "runt" and is discarded). The maximum sizes are 1518 bytes for an untagged frame (14 + 1500 + 4) and 1522 bytes for an 802.1Q tagged frame, which carries an extra 4-byte tag.
LAB Question 5: Considering the payload of the layer 2 Ethernet frame:
1) What is the maximum payload size of a regular Ethernet frame? The maximum payload size is 1500 octets (the Ethernet MTU).
2) Briefly but fully describe the contents of the payload. The payload consists of everything above layer 2. It encapsulates the layer 3 header, the layer 4 header, and the application data (layer 5 in the five-layer TCP/IP model). For the GET request packet these are the IP datagram/packet header (which the EtherType 0x0800 announced), the TCP segment header, and the HTTP request itself. If all of this together is shorter than 46 octets, padding is appended to reach the minimum frame size.
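The following Python program is an added worked example tying Questions 2 to 5 together; it is not part of the lab handout or of the student's answers. It builds frames in memory using the two MAC addresses recorded in Question 2 and a constructed placeholder payload (not a real IP packet), then decodes them the way Wireshark's packet details pane does: it classifies the destination address, decodes an optional 802.1Q tag, tells EtherType from length by the 0x0600 threshold, enforces the 64/1518/1522-octet limits and verifies the FCS with CRC-32.

```python
"""Build and decode Ethernet frames (Ethernet II and IEEE 802.3).

Added example for the lab above; not code from the handout. The frames are
constructed in memory: the MAC addresses are the ones recorded in Question 2,
the payload is a placeholder stand-in for an IP packet.
"""
import struct
import zlib

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1Q", 0x86DD: "IPv6"}

MIN_FRAME = 64             # dst + src + type/len + payload + FCS (no preamble/SFD)
MAX_FRAME_UNTAGGED = 1518  # 14-octet header + 1500 payload + 4 FCS
MAX_FRAME_TAGGED = 1522    # plus one 4-octet 802.1Q tag

DST = "78-24-AF-C3-53-0A"  # destination MAC from the GET request (Question 2)
SRC = "B4-AE-2B-27-8D-B5"  # source MAC from the GET request (Question 2)


def mac_to_bytes(text):
    return bytes(int(octet, 16) for octet in text.split("-"))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def fcs(data):
    """Ethernet FCS: CRC-32 (IEEE polynomial, as in zlib) sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst, src, payload, type_or_length=0x0800, vlan=None):
    """Assemble a frame, padding the payload to the minimum and appending the FCS.

    vlan, if given, is a (pcp, dei, vid) tuple and inserts one 802.1Q tag.
    """
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        pcp, dei, vid = vlan
        tci = (pcp << 13) | (dei << 12) | vid
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    header += struct.pack("!H", type_or_length)
    min_payload = 42 if vlan is not None else 46   # keeps the whole frame at 64 octets
    body = payload + b"\x00" * max(0, min_payload - len(payload))
    return header + body + fcs(header + body)


def parse_frame(frame):
    """Decode a frame into the Question 2 fields; raise ValueError for runts and giants."""
    if len(frame) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(frame)} octets < {MIN_FRAME}")
    dst = frame[0:6]
    info = {"dst": bytes_to_mac(dst), "src": bytes_to_mac(frame[6:12])}
    if dst == b"\xff" * 6:
        info["dst_kind"] = "broadcast"
    elif dst[0] & 0x01:                 # I/G bit: the first bit sent on the wire
        info["dst_kind"] = "multicast"
    else:
        info["dst_kind"] = "unicast"
    offset = 12
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["vlan"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 16
    max_frame = MAX_FRAME_TAGGED if "vlan" in info else MAX_FRAME_UNTAGGED
    if len(frame) > max_frame:
        raise ValueError(f"giant frame: {len(frame)} octets > {max_frame}")
    value = struct.unpack("!H", frame[offset:offset + 2])[0]
    if value <= 1500:                   # no larger than the maximum payload: a length
        info["framing"] = "IEEE 802.3"
        info["length"] = value
    elif value >= 0x0600:               # 1536 and up: an EtherType
        info["framing"] = "Ethernet II"
        info["ethertype"] = value
        info["protocol"] = ETHERTYPE_NAMES.get(value, "unknown")
    else:
        raise ValueError(f"undefined type/length value 0x{value:04X}")
    info["payload_len"] = len(frame) - offset - 2 - 4   # includes any padding
    info["fcs_ok"] = frame[-4:] == fcs(frame[:-4])      # recompute and compare
    return info


if __name__ == "__main__":
    stand_in_ip_packet = bytes(range(20))   # constructed placeholder, padded to 46
    frame = build_frame(DST, SRC, stand_in_ip_packet)
    print(len(frame), parse_frame(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                     # one payload bit flipped "in transit"
    print("FCS ok after bit flip:", parse_frame(bytes(damaged))["fcs_ok"])
```

Run it as a script to see the decoded fields for the 64-octet frame and the FCS check failing after a single flipped bit. Comparing the recomputed CRC with the trailer is exactly what the receiving NIC does, and it is why a corrupted frame never shows up in the capture at all.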
LAB DELIVERABLES (to be uploaded to MyGateway):
1) Name the Word document "FirstName_LastName_Assignment2". Upload the completed Word document.
2) Upload the Wireshark capture file.
GETTING HELP:
1) Call (314-489-9733) / email (shajikhan@umsl.edu) me anytime. Feel free to walk into my office if you see me there or set up an appointment.
2) If you live on campus (dorms) then you should not use Wireshark in your dorms. Instead, email me and I'll send you a capture file you could use for answering the questions.
3) Tutors will not be able to help you capture packets in Wireshark (capturing must be done at home). Tutors will be able to help with lab answers if you bring your captured file with you.
4) Of course try to help each other out. If some students are already familiar with the tasks listed above, I encourage you to help others. "Teaching" and helping others is by far the best way to learn! But please, do not submit identical work.