University of Central Punjab
(Incorporated by Ordinance No. XXIV of 2002 promulgated by Government of the Punjab)
FACULTY OF INFORMATION TECHNOLOGY
Computer Communications and Networks
Submitted by:
Shoaib Ahmad
Reg No:
L1S24PACS0006
Submitted to:
Prof. Mohsin Akram
Date:
13.04.2025
Lab 05
Introduction to Wireshark
HTTP and DNS on Wireshark
Lab Manual 05
Objectives
Introduction to Wireshark
Running Wireshark
Explore Wireshark Filters
DNS
HTTP on Wireshark
Tracing DNS with Wireshark
Reference Material
Introduction to Wireshark:
Wireshark is a network analysis tool that captures packets in real time and displays them in a
human-readable format. It is a powerful tool for understanding what happens behind the
scenes when devices communicate over a network. By focusing on HTTP you can inspect
web traffic, and with DNS you can analyze domain lookups, which makes it essential for
troubleshooting, learning, and securing networks.
Running Wireshark:
When you run the Wireshark program, the Wireshark graphical user interface appears. Initially, no data
will be displayed in the various windows.
Wireshark Filters
The simplest filter allows you to check for the existence of a protocol or field. If you want to see all
packets which contain the IP protocol, the filter would be "ip" (without the quotation marks).
1. Comparison operators
Fields can also be compared against values. The comparison operators can be expressed either
through English-like abbreviations or through C-like symbols:
eq, == Equal
ne, != Not Equal
gt, > Greater Than
lt, < Less Than
ge, >= Greater Than or Equal To
le, <= Less Than or Equal To
Example
ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1 as either the source or destination address]
tcp.time_delta > .250 [sets a filter to display all TCP packets that have a delta time of greater than
250 ms in the context of their stream]
2. The membership operator
A field may be checked for matches against a set of values simply with the membership operator. For
instance, you may find traffic on common HTTP/HTTPS ports with the following filter:
tcp.port in {80 443 8080}
as opposed to the more verbose:
tcp.port == 80 or tcp.port == 443 or tcp.port == 8080
Example
To find HTTP requests using the HEAD or GET methods:
http.request.method in {"HEAD" "GET"}
The set of values can also contain ranges:
tcp.port in {443 4430..4434}
ip.addr in {10.0.0.5 .. 10.0.0.9 192.168.1.1..192.168.1.9}
frame.time_delta in {10 .. 10.5}
3. Logical expressions
Tests can be combined using logical expressions. These too are expressible in C-like syntax or
with English-like abbreviations:
and, && Logical AND
or, || Logical OR
not, ! Logical NOT
Example
ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP
addresses]
!(arp or icmp or stp) [masks out ARP, ICMP, STP, or whatever other protocols may be background
noise]
Expressions can be grouped by parentheses as well. The following are all valid display
filter expressions:
tcp.port == 80 and ip.src == 192.168.2.1
not llc
http and frame[100-199] contains "wireshark"
(ipx.src.net == 0xbad && ipx.src.node == 0.0.0.0.0.1) || ip
How to Use Wireshark for HTTP and DNS Analysis
Wireshark allows users to capture and filter traffic to focus on specific protocols like HTTP and
DNS. Here's how you can use it:
Example 1: Analyzing HTTP Traffic
1. Setup:
o Start Wireshark and select your active network interface (e.g., Wi-Fi or Ethernet).
o Click "Start" to begin capturing packets.
2. Filter HTTP Traffic:
o Use the filter field at the top and type http.
o This shows only HTTP packets (e.g., requests and responses).
3. Analyze Packets:
o Click on a packet to see details like the HTTP method (GET, POST) and URL.
o Example: If you visit google.com, you’ll see a GET request with the URL in the
packet details.
4. Insights:
o Learn response times, status codes (e.g., 200 OK, 404 Not Found), and headers.
Example 2: Analyzing DNS Traffic
1. Setup:
o As before, start capturing packets using Wireshark.
o DNS queries are used for translating domain names (e.g., google.com) into IP
addresses.
2. Filter DNS Traffic:
o Use the filter dns (lower case, like all protocol names) to isolate DNS packets.
3. Analyze Queries and Responses:
o You can see DNS queries sent from your device and the corresponding responses
from the DNS server.
o Example: If you type google.com in your browser, a DNS query will show the
domain name, and the response will show the resolved IP address.
4. Insights:
o Identify delays in DNS resolution or incorrect IP mapping.
DNS: Domain Name System
DNS stands for Domain Name System, and it is like the phonebook of the internet. It helps
translate human-friendly website names (like www.google.com) into computer-friendly
IP addresses (like 142.250.200.196 or 2607:f8b0:4004:801::2004).
Computers need IP addresses to communicate over the internet, but humans find it easier to
remember names rather than numbers. DNS handles this conversion automatically.
How Does DNS Work?
When you type a website name in your browser (e.g., www.google.com), here’s what happens:
1. You Enter a Domain Name:
o Example: You type www.google.com in your browser.
2. DNS Request (Query):
o Your computer doesn’t know the IP address for www.google.com, so it sends
a DNS query to a nearby DNS server (often provided by your Internet
Service Provider or a public DNS like Google’s 8.8.8.8).
3. DNS Server Resolves the Name:
o The DNS server looks up the domain name in its database.
o If it knows the IP address (e.g., 142.250.200.196), it sends it back to
your computer.
o If it doesn’t know, it asks other DNS servers on the internet (recursive
query) until it finds the IP address.
4. Your Computer Connects:
o Your computer uses the IP address to contact the server and load the website.
Taking Wireshark for a Test Run
1. Open Wireshark and select an interface from the list of interfaces (Ethernet in your case). Change your
interface to the appropriate one from the list provided, then press the capture Start button to
start capturing packets in real time.
2. While Wireshark is running, enter the URL:
http://gaia.cs.umass.edu/wireshark-labs/INTRO-wireshark-file1.html and have that page
displayed in your browser.
3. Now enter another URL, http://gaia.cs.umass.edu/favicon.ico, and you will see that this page
is not found on the server.
4. In order to display both the pages, your browser will contact the HTTP server at
gaia.cs.umass.edu and exchange HTTP messages with the server in order to download this
page. The Ethernet frames containing these HTTP messages will be captured by Wireshark.
5. After your browser has displayed both the web pages, stop Wireshark packet capture by
selecting stop in the Wireshark capture window. You now have live packet data that contains
all protocol messages exchanged between your computer and other network entities! The
HTTP message exchanges with the gaia.cs.umass.edu web server should appear somewhere
in the listing of packets captured. But there will be many other types of packets displayed as
well.
6. Type in “http” (without the quotes, and in lower case; all protocol names are in lower case
in Wireshark) into the display filter specification window at the top of the main Wireshark
window. Then select Apply (to the right of where you entered “http”). This will cause only
HTTP messages to be displayed in the packet-listing window.
7. Select the first HTTP message shown in the packet-listing window. This should be the HTTP
GET message that was sent from your computer to the gaia.cs.umass.edu HTTP server.
When you select the HTTP GET message, the Ethernet frame, IP datagram, TCP segment,
and HTTP message header information will be displayed in the packet-header window. By
clicking the plus-and-minus boxes to the left side of the packet details window, minimize the
amount of Frame, Ethernet, Internet Protocol, and Transmission Control Protocol information
displayed. Maximize the amount of information displayed about the HTTP protocol. Your
Wireshark display should now look roughly as shown in Figure 5. (Note in particular the
minimized amount of protocol information for all protocols except HTTP, and the maximized
amount of protocol information for HTTP in the packet-header window.)
8. Now try to find the packet which contains the second request sent by your browser, and
also analyze the packet which your browser received as a result of the second GET request.
Lab Tasks
Task 1. Explore the packets you captured from the test run and answer the following questions:
1. What is the response time against HTTP GET Request?
2. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the
server running?
3. What is the MAC address of the server and your computer?
4. What are the sending and receiving port numbers? What does Port 80 represent?
What Does Port 80 Represent?
Port 80 is the default port for unencrypted HTTP traffic.
o It signifies that the communication is using the standard HTTP protocol (not HTTPS, which
uses port 443).
o The server (128.119.245.12) is listening on port 80 for incoming web requests (e.g., GET
/favicon.ico).
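As an added example (not part of the lab manual), the following Python script works out, on a constructed capture, the values Task 1 asks for: it pairs each GET request with the response that comes back on the same TCP port pair and reads the HTTP version on each side, the status code, the client and server ports, and the delay between request and response that Wireshark shows in the response's HTTP details. The URLs and the 404 for /favicon.ico come from the test run above; the timestamps, the client's ephemeral ports and the message bodies are invented.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    """Minimal stand-in for one captured frame: arrival time, TCP ports and the HTTP payload."""
    time: float
    src_port: int
    dst_port: int
    payload: bytes

# Constructed capture (not real traffic): the two GETs from the test run and their replies.
# Timestamps, the client's ephemeral ports and the bodies are invented for the example.
CAPTURE = [
    Frame(1.000000, 51623, 80, b"GET /wireshark-labs/INTRO-wireshark-file1.html HTTP/1.1\r\n"
                               b"Host: gaia.cs.umass.edu\r\n\r\n"),
    Frame(1.023500, 80, 51623, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"),
    Frame(2.000000, 51624, 80, b"GET /favicon.ico HTTP/1.1\r\nHost: gaia.cs.umass.edu\r\n\r\n"),
    Frame(2.019000, 80, 51624, b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"),
]

def parse_start_line(payload):
    """Classify an HTTP message by its first line.
    Returns ("request", method, target, version) or ("response", version, status, reason)."""
    first = payload.split(b"\r\n", 1)[0].decode("ascii")
    a, b, c = (first.split(" ", 2) + [""])[:3]      # pad so a missing reason phrase is ""
    if a.startswith("HTTP/"):
        return "response", a, int(b), c
    return "request", a, b, c

def match_exchanges(frames):
    """Pair every request with the next response on the same (client port, server port)
    and report the values Task 1 asks for, including the request-to-response delay."""
    pending, results = {}, []
    for f in sorted(frames, key=lambda fr: fr.time):
        kind, *fields = parse_start_line(f.payload)
        if kind == "request":
            pending[(f.src_port, f.dst_port)] = (f, fields)
            continue
        key = (f.dst_port, f.src_port)               # response flows back to the client port
        if key in pending:
            req, (method, target, req_version) = pending.pop(key)
            results.append({"method": method, "target": target,
                            "client_http_version": req_version, "server_http_version": fields[0],
                            "status": fields[1], "client_port": key[0], "server_port": key[1],
                            "response_time_s": round(f.time - req.time, 6)})
    return results
```

Running `match_exchanges(CAPTURE)` gives one record per GET, with the server port 80 on both and the second exchange ending in status 404.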
Tracing DNS with Wireshark
Task 2. First, capture the DNS packets that are generated by ordinary Web surfing activity
Start packet capture in Wireshark.
With your browser, visit the Web page: http://www.ietf.org
Stop packet capture.
Answer the following questions:
1. Locate the DNS query and response messages. Are they sent over UDP or TCP?
2. What are the destination and source ports for the DNS query message?
3. Examine the DNS query message. What “Type” of DNS query is it? Does the query
message contain any “answers”?
4. Examine the DNS response message. How many “answers” are provided? What does
each of these answers contain?
5. Consider the subsequent TCP SYN packet sent by your host. Does the destination IP
address of the SYN packet correspond to any of the IP addresses provided in the DNS
response message?
Do not Match...!!
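As an added example that is not part of the lab manual, this Python parser decodes a constructed DNS query and response for www.ietf.org (the site visited in Task 2) and extracts what the Task 2 questions ask for and what the "How Does DNS Work?" section describes: the QR flag that separates a query from a response, the question type, the answer count, and each answer's name, type, TTL and address. The message bytes, the transaction ID and the TEST-NET addresses 192.0.2.10 and 192.0.2.11 are constructed, not captured.

```python
import struct

def _name(labels):
    """Encode labels in DNS wire format: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

# Constructed sample messages (not captured traffic): an A query for www.ietf.org and
# the matching response carrying two A records with TEST-NET (192.0.2.x) addresses.
QUESTION = _name(["www", "ietf", "org"]) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
QUERY = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + QUESTION      # flags: QR=0, RD=1
RESPONSE = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 2, 0, 0) + QUESTION   # flags: QR=1, RD=1, RA=1
for last_octet in (10, 11):
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    RESPONSE += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, last_octet])

TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (dotted name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_dns(msg):
    """Return the header fields, questions and answers Wireshark lists for a DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": ident, "is_response": bool(flags & 0x8000), "qdcount": qd,
           "ancount": an, "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        out["questions"].append((name, TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()  # A record as dotted quad
        out["answers"].append((name, TYPES.get(rtype, rtype), ttl, value))
    return out
```

`parse_dns(QUERY)` reports a type A question and zero answers, while `parse_dns(RESPONSE)` has the same transaction ID, the QR flag set and two A answers; the destination address of the TCP SYN that follows in a real capture can then be compared against those answer values.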