Question: Basics (HTTP)

We will be studying HTTP in detail in several exercises. In the second portion of our "kick the tires" exercise, you will be using Wireshark to analyze HTTP traffic. The goal of the exercise is to help you understand how to use Wireshark and its supporting tools, nslookup and ipconfig/ifconfig, to learn new protocols and find information with no, or a limited amount of, prior knowledge.

Part 1

Demonstrate your knowledge of Wireshark by performing the following once you review the video:

1. Download Wireshark (linked from the course page).
2. Install Wireshark. You will also be asked to install the pcap library; make sure you do this as well. Select the option to start Wireshark after install.
3. Determine what interface you use for external network access to the Internet:
   - Use ipconfig (or ifconfig on Linux/Mac).
   - Search for the active interface.
4. Use nslookup to locate an IP address for www.google.com; record this address for later use.
5. Go to Wireshark and locate the interface you wish to trace:
   - Select the interface.
   - Select the "start" option next to the green shark fin.
   - You should see packets start to fill the capture screen.
6. Go to your browser and input the URL for Google using the following format: http:///search?q=hello+world+example
   For example: http://216.58.219.100/search?q=hello+world+example
   Note: the IP addresses for Google change, so make sure you're using an active one. The browser should display the results of the search.
7. Stop the network capture:
   - Using the tool bar, select the red "stop" button, or
   - Using the Capture menu, hit the "stop" option.
8. Use filtering to find the HTTP client request message:
   - Filter on the IP address. In the Filter menu, use the format ip.dst== (for example ip.dst==216.58.219.100). Manually search for the HTTP protocol packet with the "GET" information; it should look like "GET /search?q=hello+world+example HTTP/1.1".
   - Search for the word "GET". Use the menu Edit/Find Packet..., specify "GET" as the value and "string" as the type (via the radio button), and search down and up to find the correct results we are looking for. Look for a string like "GET /search?q=hello+world+example HTTP/1.1".
   - Filter on the HTTP protocol and manually locate the client request to the server. In the Filter menu, type http; this will show all HTTP packets. Try using a logic combination, "http && ip.addr==" (example: http && ip.addr==216.58.219.100). Look for a string like "GET /search?q=hello+world+example HTTP/1.1".
9. Select the packet that contains the client-to-server request (try using a string search for the GET command above).
10. Select the application protocol (Hypertext Transfer Protocol) in the packet frame.
11. Select the "GET" request in the packet/application frame; you should see other HTTP tags, such as Accept and User-Agent.
12. Take a snapshot of your screen.
13. Submit your snapshot using the assignment file submission.

Part 2

To learn more about HTTP, save your Google trace, then download and open the following trace file (linked from the assignment). Select the packet with the HTTP GET request and right mouse click. Select "Follow TCP stream" (remember: select the packet, do a right mouse click, select Follow TCP stream) and you will see the entire request from the client to the server, including the data that is being sent as a response from the server. The red text is the client data, the blue text the server. What you will learn is that HTTP is a text-based protocol. The first line of the server response should be "HTTP/1.1 200 OK", indicating that the request was successful. When you find a "HTTP/1.1 200 OK" result, look at the response: why can't we read it? The answer is simple and embedded in the response header of the server; look for Content-Encoding. What type of format is used?

Now examine the Google trace you saved by opening it. Look for the "HTTP/1.1 200 OK" result. Can you find it? What results do you find? Find the "HTTP/1.1 302 Found"; what do you see as the content? It is a redirection; what does it redirect to? You have just learned your first lesson in network security: while some servers will use standard means to communicate, as in our first example, others such as Google will use the "best practices" by encrypting the content. While you may not understand the means used to perform these operations yet, we will learn how this is accomplished as we proceed through the course.

Part 3

Download the following PCAP file (linked from the assignment) and load it into Wireshark by using the File/Open option. As in Part 1, locate the "GET" request.
- Determine the HTTP web server that we are communicating with by first using nslookup to look up the server IP address.
- Determine the HTTP web server that we are communicating with by locating the HTTP "Host" header tag in the GET request.
- Do the two (nslookup and HTTP Host value) match?
- What type of browser is supported? Hint: look at "User-Agent" (use the link in the course page for help).
- What language is supported?
- Now locate the response packet (it contains the string "200 OK"). Was this a successful request?
- What type of content was returned?
- What type of encoding was done on the content?
- What is the size of the payload (generally determined by the content length returned)?
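The Part 2 and Part 3 questions (Host, User-Agent, Accept-Language, the status line, Content-Type, Content-Encoding, Content-Length and the 302 Location) can be answered programmatically from the same bytes that Follow TCP Stream displays. The following is an added example, not part of the assignment: it parses a constructed request/response pair whose body is gzip-compressed (the reason a 200 OK body is unreadable in the stream view) and a constructed 302 redirect; the hostnames and header values are made up.

```python
import gzip

def parse_http_message(raw: bytes):
    """Split one HTTP/1.1 message (what Follow TCP Stream shows) into
    its start line, a dict of lower-cased headers, and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def describe_exchange(request: bytes, response: bytes) -> dict:
    """Pull out the fields the Part 2 and Part 3 questions ask about."""
    req_line, req, _ = parse_http_message(request)
    status_line, resp, body = parse_http_message(response)
    status = int(status_line.split()[1])
    encoding = resp.get("content-encoding", "identity")
    # A gzip Content-Encoding is why the 200 OK body looks unreadable in the stream
    plain = gzip.decompress(body) if encoding == "gzip" else body
    return {
        "method": req_line.split()[0],
        "host": req.get("host"),                 # server per the HTTP Host header
        "user_agent": req.get("user-agent"),     # browser type
        "language": req.get("accept-language"),  # language supported
        "status": status,
        "success": status == 200,
        "redirect_to": resp.get("location") if status in (301, 302) else None,
        "content_type": resp.get("content-type"),
        "content_encoding": encoding,
        "content_length": int(resp.get("content-length", len(body))),
        "body_text": plain.decode("utf-8", errors="replace"),
    }

# Constructed sample exchange; not taken from any real capture.
SAMPLE_BODY = gzip.compress(b"<html><body>hello world example</body></html>")
SAMPLE_REQUEST = (b"GET /search?q=hello+world+example HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n"
                  b"Accept-Language: en-US,en;q=0.5\r\n"
                  b"Accept-Encoding: gzip\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
                   b"Content-Encoding: gzip\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY)
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://www.example.com/search?q=hello+world+example\r\n"
                   b"Content-Length: 0\r\n\r\n")
```

Running describe_exchange on bytes copied out of Wireshark's stream view gives the same answers the exercise asks you to read off by hand, and a 302 to an https:// Location is the redirect-to-encryption behaviour Part 2 describes.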

Upload your snapshot for Part 1

Upload your snapshot for Part 2 showing the results of the Follow TCP stream.
