Question:

As in Lab 2, you will be using Wireshark. You will continue with packet analysis. You will examine network traffic with a display filter.

A packet trace of normal network traffic will contain more than just the packets you want to look at. You can apply a display filter to isolate conversations within the trace. For this exercise you will use a trace file of a student at home using a browser to connect to UMUC. The trace captures the traffic that resulted when the student pointed a browser to www.umuc.edu.

If you are using an older or newer version of Wireshark, or a different OS, some of the buttons (options) may be in different positions/locations.

Assignment

Answer the following questions about trace file EX03 www_umuc_edu.cap.

Download trace file EX03 www_umuc_edu.cap from the LEO Lab 3 assignment folder and open it with Wireshark. (If you are using the UMUC remote facility, the file is in the Lab3Folder on the desktop.)

Find the first TCP handshake. What are the packet numbers in the handshake? The three packet numbers ____, _____, and _____ (20 Points).

What is the IP address of the host that started the handshake? __________________ (15 Points)

What is the TCP port connection pair for this handshake? ______, ______ (15 Points)

In the first packet of the handshake, the source port is the ephemeral port this host wants to use for the connection, and the destination port indicates the application the host wants to use on the serving host. What application does the host want to use on the serving host? ______________ (15 Points)

Look at packet number 14. Is this part of the conversation initiated by the first handshake? ______ (15 Points)

Build a filter to see only the first handshake and the conversation for this connection.

Click Analyze (or "Edit" on other versions of Ethereal) and select Display Filters from the drop-down list. This brings you to the Edit Display Filters List.

Click "Expression"

Expand TCP (click the plus sign next to TCP), and highlight "Source (src.port)
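The handshake search and conversation filter that the exercise asks for, as an added example that is not part of the original assignment. The packet list is constructed with documentation addresses and does not come from the lab trace; the `Pkt` record and function names are hypothetical, while `ip.addr` and `tcp.port` are Wireshark display filter fields.

```python
from collections import namedtuple

# Constructed sample packets (not from the lab trace): two interleaved TCP connections.
Pkt = namedtuple("Pkt", "num src sport dst dport flags seq ack")
PACKETS = [
    Pkt(1, "192.0.2.10", 49152, "198.51.100.5", 80, "S", 1000, 0),
    Pkt(2, "192.0.2.10", 49153, "198.51.100.9", 443, "S", 7000, 0),
    Pkt(3, "198.51.100.5", 80, "192.0.2.10", 49152, "SA", 5000, 1001),
    Pkt(4, "192.0.2.10", 49152, "198.51.100.5", 80, "A", 1001, 5001),
    Pkt(5, "198.51.100.9", 443, "192.0.2.10", 49153, "SA", 9000, 7001),
    Pkt(6, "192.0.2.10", 49152, "198.51.100.5", 80, "PA", 1001, 5001),
    Pkt(7, "192.0.2.10", 49153, "198.51.100.9", 443, "A", 7001, 9001),
]

def first_handshake(packets):
    """Return (SYN, SYN/ACK, ACK) of the earliest completed three-way handshake."""
    pending = {}  # (client, cport, server, sport) -> [syn, synack or None]
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":                      # client opens: SYN only
            pending[fwd] = [p, None]
        elif p.flags == "SA" and rev in pending and p.ack == pending[rev][0].seq + 1:
            pending[rev][1] = p                 # server answers: SYN/ACK acks client seq + 1
        elif "A" in p.flags and "S" not in p.flags and fwd in pending:
            syn, synack = pending[fwd]
            if synack and p.ack == synack.seq + 1 and p.seq == syn.seq + 1:
                return syn, synack, p           # client ACK completes the handshake
    return None

def conversation_filter(syn):
    """Wireshark display filter that shows both directions of the SYN's connection."""
    return (f"ip.addr == {syn.src} && ip.addr == {syn.dst} && "
            f"tcp.port == {syn.sport} && tcp.port == {syn.dport}")

def in_conversation(p, syn):
    """True if packet p uses the same two endpoints as the SYN, in either direction."""
    return {(p.src, p.sport), (p.dst, p.dport)} == {(syn.src, syn.sport), (syn.dst, syn.dport)}

if __name__ == "__main__":
    hs = first_handshake(PACKETS)
    print("handshake packets:", [p.num for p in hs])
    print("display filter:", conversation_filter(hs[0]))
```

The same endpoint test answers questions of the "is packet N part of this conversation" kind: a packet belongs only if both its address and port pairs match the handshake's.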
