Project 1:  Writing Wireshark filter expressions for packet capture


Download Wireshark and install it on your computer. Search for online tutorials and other handy information, such as YouTube videos for using Wireshark.

Note that Wireshark can be used to sniff wireless traffic (see the wiki article WLAN Capture Setup).

1.  Experiment Description

Write the exact packet capture filter expressions to accomplish the following:

  1. Capture all TCP traffic to/from Facebook, during the time when you log in to your Facebook account
  2. Capture all HTTP traffic to/from Facebook, when you log in to your Facebook account
  3. Find a popular YouTube video and play it while capturing all traffic to/from YouTube
After you run Wireshark with the above capture filters and collect the data, do the following:
  1. Write a DISPLAY filter expression to count all TCP packets (captured under item #1) that have the flags SYN, PSH, and RST set. Show the fraction of packets that had each flag set.
  2. Use a DISPLAY filter expression to separate the packets sent by your computer vs. received from Facebook and YouTube in items #2 and #3 above. Show the fractions for each type.

Note that when sniffing TCP packets, you will be receiving TCP packets, SSL packets, and HTTP packets. This is because HTTP and SSL run on top of TCP, so a capture filter that matches TCP also captures their packets; Wireshark then dissects those TCP segments further and labels them as HTTP or SSL.
So, capture them all and store them in a local capture file.
Then use display filters to separate the subset of TCP packets that are also HTTP packets. (You can do this by filtering only packets on port 80.)

2.  Captured Data Analysis

Count how many TCP packets you received from / sent to Facebook or YouTube, and how many of each were also HTTP packets.

Determine if any TCP packets with SYN or PSH flags set were sent from your host or received from Facebook/YouTube.
Go flag-by-flag and count how many packets have tcp.flags.push set, then how many have tcp.flags.syn set, and finally, how many have tcp.flags.reset set.
Report all three counts in a table.
Of course, you may do more. For example, you could find out if any packets had both PSH and RST set, or other flags not listed here.

Draw a rough PowerPoint sketch with a timeline of your YouTube session (roughly 5 minutes, or whatever is the duration of your chosen video) and indicate approximately when during the session the packets with SYN or PSH flags occurred. Your timeline should start at the time when the first video packet is received and end when the last video packet is received. You don’t need to draw a precise timeline—just illustrate the relationships.

Analyze whether, during the course of a video session, your client connected to multiple YouTube servers. Indicate approximately on the timeline where this occurred. Did packets with SYN or PSH flags occur at about the same time as your server changed? Provide some explanation as to why SYN/PSH packets were sent at all and whether they were correlated with the server switching.

Analyze the YouTube packet sizes. Draw a histogram showing how many packets were received within each range of sizes, e.g., how many packets had length 0 - 100 bytes, 100 - 200 bytes, 200 - 300 bytes, etc.
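The counting described in the analysis section above (TCP packets per server, sent vs. received, the HTTP subset on port 80, the fraction of packets with SYN, PSH and RST set, and the packet-length histogram) is the same arithmetic a set of display filters performs in Wireshark. The following script is an added example, not part of the original assignment page and not a Wireshark tool: it parses raw Ethernet/IPv4/TCP frames with only the Python standard library and computes those statistics. The client address, the two server addresses and the ten frames are constructed for the example; in practice the frames would be read from a capture file, and the same parsing applies to any frame that carries IPv4 over Ethernet with TCP on top.

```python
"""Flag counts, direction split and size histogram over TCP frames (added example)."""
import struct
from collections import Counter

# TCP control bits (RFC 793), as found in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

MY_HOST = "192.168.1.10"                                      # constructed client address
SERVERS = {"31.13.65.1": "facebook", "74.125.24.91": "youtube"}  # constructed server addresses


def build_frame(src, dst, sport, dport, flags, payload_len):
    """Build a minimal Ethernet/IPv4/TCP frame (no options, zero checksums); sample data only."""
    eth = b"\x00" * 12 + b"\x08\x00"                  # dst MAC, src MAC, EtherType IPv4
    ip_total = 20 + 20 + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + b"\x00" * payload_len


def parse_frame(frame):
    """Return (src, dst, sport, dport, flags, frame_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if frame[23] != 6:
        return None                                   # IPv4 protocol field: 6 = TCP
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13], len(frame)


# Constructed sample: a Facebook handshake plus two HTTP segments, and a YouTube
# handshake followed by two full-size video segments and a reset.
FB, YT = "31.13.65.1", "74.125.24.91"
SAMPLE_FRAMES = [
    build_frame(MY_HOST, FB, 50000, 443, SYN, 0),
    build_frame(FB, MY_HOST, 443, 50000, SYN | ACK, 0),
    build_frame(MY_HOST, FB, 50000, 443, ACK, 0),
    build_frame(MY_HOST, FB, 50001, 80, PSH | ACK, 200),
    build_frame(FB, MY_HOST, 80, 50001, PSH | ACK, 500),
    build_frame(MY_HOST, YT, 50002, 443, SYN, 0),
    build_frame(YT, MY_HOST, 443, 50002, SYN | ACK, 0),
    build_frame(YT, MY_HOST, 443, 50002, ACK, 1400),
    build_frame(YT, MY_HOST, 443, 50002, ACK, 1400),
    build_frame(YT, MY_HOST, 443, 50002, RST, 0),
]


def tcp_packets(frames):
    """Keep only the frames that parse as IPv4/TCP."""
    return [p for p in map(parse_frame, frames) if p]


def per_server_stats(frames):
    """TCP count, sent/received split and HTTP (port 80) subset for each known server."""
    stats = {}
    for name in sorted(set(SERVERS.values())):
        sel = [p for p in tcp_packets(frames)
               if SERVERS.get(p[0]) == name or SERVERS.get(p[1]) == name]
        sent = sum(1 for p in sel if p[0] == MY_HOST)
        http = sum(1 for p in sel if 80 in (p[2], p[3]))
        stats[name] = {"tcp": len(sel), "sent": sent, "received": len(sel) - sent, "http": http}
    return stats


def flag_fractions(frames):
    """Count and fraction of packets with each of SYN, PSH, RST set (a packet may count in several)."""
    pkts = tcp_packets(frames)
    out = {}
    for label, bit in (("syn", SYN), ("psh", PSH), ("rst", RST)):
        n = sum(1 for p in pkts if p[4] & bit)
        out[label] = (n, n / len(pkts) if pkts else 0.0)
    return out


def size_histogram(frames, bin_width=100):
    """Map each bin's lower bound (0, 100, 200, ...) to the number of frames of that length."""
    hist = Counter((p[5] // bin_width) * bin_width for p in tcp_packets(frames))
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    print(per_server_stats(SAMPLE_FRAMES))
    print(flag_fractions(SAMPLE_FRAMES))
    print(size_histogram(SAMPLE_FRAMES))
```

Each frame here is 54 bytes of headers plus payload, so the histogram bins match the 100-byte ranges requested above. Because a packet may carry several flags at once (the SYN+ACK of a handshake, or PSH+ACK on a data segment), the three fractions need not add up to one.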

3.  Report Preparation and Submission

The report should contain the following information:

  1. Location where the experiments were run (University campus/lab, home, other) and the type of your computer.
  2. Exact Wireshark filters used for capture and display.
    To improve the readability of your report, provide the filter expressions in separate lines and use the Courier font to write the filters.
  3. Explanation for every component of your filter expressions.
  4. The exact URL for all YouTube videos that you visited for this experiment.
  5. A table of observed statistics for counting the set flags in captured TCP packets.
  6. Histogram of the YouTube packet lengths.
  7. Sketch of the timeline of your YouTube session.
  8. The list of references used during the data analysis and report preparation, such as websites, blogs, books, etc.

You may include your Wireshark *.pcap files as an appendix to your report.

When presenting a figure in your report, do not just say “see Figure 5”. Tell us where to look in Figure 5 and what we should see. If you don’t tell us where to look and what to see, we may not see the interesting or important features that you wanted to highlight, and as a result you will not receive credit for your analysis.

To receive credit, it is not enough just to attach the raw Wireshark data to your report. Instead, you must analyze and discuss the data, and include diagrams and charts. It is critical that your report summarizes the captured data in diagrams, and the narrative provides discussion and explanation of the observations.
The items listed above form just a minimum requirement for the report and can be satisfied to differing degrees. Only the students who have performed the greatest number of experiments and provided the most extensive analysis and discussion of their results shall receive the top score (100%). Reports that have satisfied all the required items, but only to a bare minimum, shall receive 60% of the maximum score.

Each group should submit a single project report as a PDF document (no other formats will be accepted).

The cover page of the report should include:
⋅ the course title and number
⋅ the project title
⋅ the group members
⋅ the submission date
Optional:  To help us assign the grades fairly, you may indicate the breakdown of contributions for each team member.

Submission deadline is given on the course syllabus page.



Last Modified: Wed Nov 14 13:51:25 EDT 2012

Maintained by: Ivan Marsic