CIS 457 Lab Assignment 1: Network Traffic Analysis


Objective: Gain familiarity with the structure of network packets and experience using Wireshark.

Deliverables: The answers to all numbered questions below, in hard copy.

Teams: All questions in this lab should be answered individually, although you may of course discuss with classmates.

Grading: All questions are equally weighted (each question is worth one point).


Start a packet capture in Wireshark. You will be able to choose from more than one interface, although only one will have traffic (on the lab computers the correct interface is usually called eth0). If you choose the wrong interface, simply stop the packet capture and start again. If you selected the correct interface, you should now be seeing a list of packets your computer is receiving.

  1. Explain why Wireshark is seeing traffic even when you are not actively using any network applications.
  2. Choose some protocol you are seeing in the traffic. What does this specific protocol do? Why is it important to the network?
  3. How can you tell if a packet is sent by your computer? Can you find any packets that are neither sent by nor destined specifically for your computer? (You should be able to.) Why do you see these?

Now, open a web browser, start a new packet capture, load an unencrypted web page (such as networksorcery.com), and stop your packet capture. This should cause some HTTP traffic to be seen. Find the HTTP GET packet corresponding to your web request (you can filter to see only HTTP packets). This should be one of the first HTTP packets you see.

  1. List the protocols being used by this packet at the application, transport, network, and link layers.
  2. If you requested any web page aside from a very minimal one, you should see a large amount of traffic generated, not just a single request and response. Explain why.
  3. The protocols at two different layers contain address information. In which protocols do you see addresses? Why does it make sense for there to be addresses at both of these layers?
  4. Find the HTTP response packet corresponding to the HTTP request. Compare the contents of the network layer headers in the request and response. Is there a relation between the information in this header in the two packets? Explain.

Change your filter to show only DNS packets. While HTTP was an application to transfer web pages, DNS is an application that runs behind the scenes and translates host names into the corresponding network address. Humans often only know the host name of the server they want to visit, but the network needs the address to direct the traffic to the correct destination.

  1. The protocols used at some layers are dependent on the application, and at some layers dependent on the network. Comparing the DNS packet you found with the HTTP packet, at which layers did the protocol in use change between the two packets? At which layers did it stay the same?
  2. Compare the information in a TCP header and a UDP header. If some packets work fine with the smaller amount of information in the UDP header, why do you think TCP is used for the HTTP traffic?
  3. Looking at the actual packet contents, which protocols send meaningfully human-readable (ASCII) data over the network? Is there any reason why we would want network traffic to be human-readable?
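A worked example of the layering these questions ask about, added here and not part of the lab handout: a small Python dissector that walks an Ethernet II / IPv4 frame the way Wireshark's packet-details pane does (link, network, transport, application), reports the addresses carried at the link and network layers, the transport header size (20 bytes for a minimal TCP header versus 8 for UDP), and whether the payload is human-readable ASCII. The two frames, an HTTP GET over TCP and a DNS query over UDP, are constructed inline with placeholder MAC and IP addresses and zeroed checksums; they are not captured traffic.

```python
import string
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}
APP_PORTS = {53: "DNS", 80: "HTTP"}   # well-known ports used to guess the application layer

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip4(b): return ".".join(str(x) for x in b)

def dissect(frame):
    """Return the protocol at each layer plus the link- and network-layer
    addresses, much as Wireshark's packet-details pane lists them."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"link": "Ethernet", "dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
            "network": ETHERTYPES.get(ethertype, hex(ethertype))}
    if ethertype != 0x0800:
        return info                      # only IPv4 is dissected further here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length, given in 32-bit words
    proto = ip[9]
    info.update(src_ip=ip4(ip[12:16]), dst_ip=ip4(ip[16:20]),
                transport=IP_PROTOS.get(proto, str(proto)))
    l4 = ip[ihl:]
    if proto == 6:
        hdr_len = (l4[12] >> 4) * 4      # TCP data offset, also in 32-bit words
    elif proto == 17:
        hdr_len = 8                      # UDP header is always 8 bytes
    else:
        return info
    sport, dport = struct.unpack("!HH", l4[:4])
    payload = l4[hdr_len:]
    info.update(src_port=sport, dst_port=dport, transport_header_len=hdr_len,
                application=APP_PORTS.get(dport, APP_PORTS.get(sport, "unknown")),
                payload_printable=all(chr(b) in string.printable for b in payload))
    return info

def build_frame(proto, sport, dport, payload):
    """Constructed Ethernet/IPv4 frame with a minimal TCP or UDP header (checksums zeroed)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")   # dst MAC, src MAC, EtherType
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]))
    return eth + ip + l4 + payload

# Constructed samples: an HTTP GET over TCP and a DNS A query for www.example.com over UDP.
HTTP_FRAME = build_frame(6, 51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
DNS_FRAME = build_frame(17, 40000, 53, bytes.fromhex(
    "1234 0100 0001 0000 0000 0000 03777777 076578616d706c65 03636f6d 00 0001 0001"))
```

Running `dissect` on both frames shows the link and network layers unchanged while transport and application differ, and only the HTTP payload passes the ASCII check.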