CYBR 171 2023 T1: Lab Exercise 3

Due 07 May 11:59pm

Goals

This lab will give you practice at using the Wireshark network protocol analyser. This tool lets you analyse network traffic and is used by network security professionals to work out what is going on in a network, for example to spot a piece of malware that is sending data stolen from the network back to a command-and-control centre.

We're going to show you in this lab how to do some simple analysis of a person's browsing on the Internet and try to snoop on their activities.

NOTE Wireshark can ONLY be used for the intended purpose on the school machines, and any use of Wireshark on the rest of the network at uni is PROHIBITED. Furthermore, Wireshark itself has a history of security vulnerabilities, so running it can expose the system it is installed on to attack (be careful).

This lab will give you practice at:

  1. Finding out what sites are being accessed by watching domain name service traffic.
  2. Identifying unencrypted HTTP traffic.
  3. Extracting images from the HTTP traffic.
  4. Observing HTTPS traffic.

There will be an assignment question where you will use these skills.

Preparation

This document on how to use Wireshark contains notes that go over most of the same concepts.

Summary

  1. Installing Wireshark:
    You will need to install Wireshark ONLY if you intend to work at home. Note that we recommend that you come into University and use the preinstalled Wireshark on a lab machine.
  2. Finding domain name lookups:
    You can find out what sites and machines are being accessed by tracing domain name lookups.
  3. Finding web traffic and inspecting it:
    You can view what people are doing on the web by inspecting their web traffic.
  4. Extracting HTTP objects from a stream:
    You can extract images sent to and from websites.
  5. HTTPS to the rescue:
    You can demonstrate to yourself that HTTPS protects your web traffic from snoopers.
  6. Finishing up:
    Submit your answers for the lab to get feedback on what you got right and wrong to help you with the next assignment.
  7. Going Further:
    Want to go further? Check out the resources on Wireshark.

1. Installing Wireshark

Only do this step if you are working from home; if possible, come into a lab and do it there, because we already have Wireshark installed for you.

These videos provide step-by-step instructions on installing Wireshark on Windows, Mac OS X and Ubuntu.

Installing Wireshark on Windows 10.

You can download Wireshark from here.

Installing Wireshark on Mac OS X.

You can download Wireshark from here and XQuartz from here https://www.xquartz.org/releases/index.html.

Install Wireshark on Ubuntu.

2. Finding domain name lookups

Whenever a user enters a new domain name, e.g. ecs.vuw.ac.nz, the operating system will contact the local Domain Name Server (DNS) to resolve these human-friendly names into IP addresses. This gives away what sites are being accessed even if HTTPS is being used.

To do this task, use the file task-2.pcapng found in the zip file and load it into Wireshark.

Include screenshots showing that you can use Wireshark to display the DNS traffic.
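The lookups you are hunting for in task-2.pcapng are ordinary DNS messages: the queried name is sent as a list of length-prefixed labels, and the reply carries the resolved IP address. The parser below is an added example (not part of the lab handout) that decodes both from constructed sample packets; the query name, response flag and the 130.195.5.21 answer are made up to mirror the lab's server, and the fields it pulls out are the ones Wireshark displays as dns.qry.name and dns.a.

```python
import struct

# Constructed sample: UDP payload of a DNS query for ecs.vuw.ac.nz as Wireshark
# would capture it (id 0x1234, standard query, one question, QTYPE A, QCLASS IN).
QNAME = b"\x03ecs\x03vuw\x02ac\x02nz\x00"          # length-prefixed labels, 0 ends
SAMPLE_DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    + QNAME + b"\x00\x01\x00\x01")
# Constructed reply: one A record for 130.195.5.21 (the lab's web server); the
# answer name is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_DNS_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                       + QNAME + b"\x00\x01\x00\x01"
                       + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"
                       + b"\x82\xc3\x05\x15")

def decode_name(data, offset):
    """Decode a DNS name at offset (following compression pointers);
    return (dotted name, offset just past the name's bytes at the original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                    # pointer to an earlier name
            end = end if jumped else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_dns(payload):
    """Return the question names (Wireshark's dns.qry.name field) and any
    A-record answers (dns.a) from one DNS message."""
    flags, qdcount, ancount = struct.unpack("!HHH", payload[2:8])
    offset, queries, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        queries.append(name)
        offset += 4                                   # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, offset = decode_name(payload, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                # A record: 4-byte IPv4 address
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"is_response": bool(flags & 0x8000), "queries": queries, "answers": answers}
```

In Wireshark the display filter `dns` shows the same messages, and the name decoded here is what appears in the Info column for each query.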

3. Finding web traffic and inspecting it

When HTTP is being used, all the traffic is unencrypted. This means that you can see what sites people are visiting and any network traffic to and from the websites. In this case, the website has the IP address 130.195.5.21. You will want to display the TCP stream that represents traffic between the client and the web server.

To do this task, download task-3.pcapng found in the zip file and load it into Wireshark.

Include a screenshot to show that you have been able to follow an HTTP stream and demonstrate that you can see the unencrypted traffic.

4. Extracting HTTP objects from a stream

When images are sent over the network they are encoded using Base64; to view the images, you need to find them in the traffic and extract them as objects that can be converted back into images. This will reveal downloaded images and anything that might be being uploaded.

To do this task, download task-4.pcapng found in the zip file and load it into Wireshark.

Include a screenshot to show that you were able to find the binary data and use Extract HTTP object to extract a picture from the stream and include it in your document.
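What "Follow TCP Stream" (task 3) and the HTTP object export (task 4) give you is the reassembled bytes of the conversation, which can then be cut into requests and responses by their headers. The script below is an added example, not part of the lab or of Wireshark; it works on a constructed stream (the request, the Cookie header, the 130.195.5.21 host and the fake PNG body are all made up) and shows how a response body is found by its Content-Length and recognised as an image by its first bytes.

```python
# Constructed sample: the bytes of one HTTP exchange as Wireshark's "Follow TCP
# Stream" would reassemble them (request, then response). The image body is a
# fake PNG: the real 8-byte PNG signature followed by filler bytes.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_STREAM = (
    b"GET /images/logo.png HTTP/1.1\r\n"
    b"Host: 130.195.5.21\r\n"
    b"Cookie: session=abc123\r\n"          # visible in the clear on plain HTTP
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: " + str(len(FAKE_PNG)).encode() + b"\r\n\r\n"
    + FAKE_PNG
)

# Magic bytes at the start of a body identify the image type whatever the headers say.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}

def sniff_file_type(body):
    """Identify an image body by its magic bytes; 'unknown' if none match."""
    for signature, kind in MAGIC.items():
        if body.startswith(signature):
            return kind
    return "unknown"

def extract_http_objects(stream):
    """Split a reassembled TCP stream into HTTP messages. Each result carries the
    start line, a lower-cased header dict and the body framed by Content-Length
    (chunked transfer encoding is deliberately not handled, to keep this short)."""
    objects, pos = [], 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        body = stream[body_start:body_start + int(headers.get("content-length", "0"))]
        objects.append({"start_line": lines[0], "headers": headers,
                        "body": body, "kind": sniff_file_type(body)})
        pos = body_start + len(body)
    return objects
```

Writing an extracted body to disk (for example `open("logo.png", "wb").write(objs[1]["body"])`) reproduces what the Wireshark export saves as a file.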

5. HTTPS to the rescue

HTTPS will ensure that the network traffic is encrypted using a symmetric key that is established between the web browser and the website. This means that our previous snooping should be prevented.

To do this task, download task-5.pcapng found in the zip file and load it into Wireshark.

Include answers to the following questions in your document:

  • Try exporting the HTTP objects, what do you see?
  • Can you view any files now that HTTPS is used?
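When you look at task-5.pcapng, Wireshark can still label each TLS record (Client Hello, Application Data and so on) because the 5-byte record header is sent in the clear; only the payload of the application data records is encrypted, which is why the HTTP object export finds nothing. The parser below is an added example, not part of the lab; its two records (a made-up, truncated ClientHello and an application data record filled with arbitrary bytes standing in for ciphertext) are constructed, and it shows the difference between what the record layer exposes and what it hides.

```python
import struct

# TLS record-layer content types; the record header (type, version, length) is
# never encrypted, which is why Wireshark can label records as "Application Data".
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}

# Constructed sample: a truncated, made-up ClientHello handshake record followed by
# an application data record whose payload stands in for ciphertext (arbitrary bytes).
FAKE_CLIENT_HELLO = b"\x01\x00\x00\x10" + b"\x03\x03" + bytes(range(14))
OPAQUE_PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(40))
SAMPLE_TLS_STREAM = (
    b"\x16\x03\x01" + struct.pack("!H", len(FAKE_CLIENT_HELLO)) + FAKE_CLIENT_HELLO
    + b"\x17\x03\x03" + struct.pack("!H", len(OPAQUE_PAYLOAD)) + OPAQUE_PAYLOAD
)

def split_tls_records(stream):
    """Walk the 5-byte record headers and return one dict per record. For handshake
    records the first payload byte (the handshake message type) is still readable;
    for application data the payload is returned untouched because it is ciphertext."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + length]
        handshake = HANDSHAKE_TYPES.get(payload[0]) if ctype == 22 and payload else None
        records.append({"type": CONTENT_TYPES.get(ctype, "unknown"), "version": (major, minor),
                        "handshake": handshake, "payload": payload})
        pos += 5 + length
    return records

def looks_like_http(payload):
    """True if the bytes start like a cleartext HTTP request or response: the test
    that succeeds on the task-3 traffic and fails on every TLS payload."""
    return payload[:8].split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"HTTP/1.1", b"HTTP/1.0")
```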

6. Finishing up

Submit your answers to these questions using the submission system. In your web browser, go to the top of the Lab Exercise 3 page, and click on the "Submit" link.

The submission page will let you upload your files to the submission system, where the tutors and markers can access them.

You may re-submit the same file as often as you like, but the submission system will only remember the latest version of each file.

Use the "+Upload files..." button, then navigate to and select the Lab3_answer_sheet.pdf file, which you created on your desktop computer.

If you accidentally add a file the submission system does not accept, e.g. Lab3_answer_sheet.docx, a red line will be shown.

Once you submit your answers, your complete submission process should succeed, and you will be presented with a success screen.

If you decide you want to change your answers after submission, you should submit them again using the same process. You can resubmit files as many times as you wish; your latest submission will be treated as the real submission. This means that you can submit your answers earlier in the week when they are only partly done, and then submit them again later when you have got more finished. This is a good way of checking that the submission process is working.

7. Going Further

Here are some more resources if you want to explore Wireshark further. Note that on our ECS workstations you cannot actually sniff traffic; you will need to install Wireshark on your own machine and run it in Administrator mode: