Network Monitoring Analysis Using Wireshark Tools (Term Project)

This document is a project submission by Md. Anisur Rahman for a course on network monitoring analysis using Wireshark tools. It includes an abstract discussing Wireshark's open source nature and potential issues. The introduction provides an overview of network monitoring and the essentials to monitor. It also describes the TCP/IP and OSI models and includes information on IPV4 and TCP headers, the three-way handshake process, UDP header, and an introduction to Wireshark.

United International University

Network Monitoring Analysis using Wireshark Tools (Term Project)

Submitted By:
Md. Anisur Rahman
MSCSE, CSE Department
United International University.

Submitted To:
Mohammad Mamum Elahi (MME)
Assistant Professor, CSE,
United International University.

Submission Date:
05/10/2020
This project is part of the course Cyber Security Standard and Government and
Management (CSE 6195).
Abstract
What makes Wireshark unique is also what makes it somewhat problematic. Since
Wireshark is entirely open source, there is no formal support structure: no tech
support, no 1-800 number to call, no representative to speak with for immediate
assistance. This may not be an issue for the industrious home user who prefers to
solve their own problems, but employees in a large IT enterprise might not have the
time to go on a fact-finding mission. Many companies also face legal questions
around the use of open-source software.

Users should be aware that with the great freedom allowed by open-source software
comes great responsibility. Still, that is not a good enough reason to write
Wireshark off entirely. It is worth considering whether this tool can offer your
network some benefits.

I have done network monitoring analysis using Wireshark. Because it is open
source, I prefer this tool. It makes network monitoring analysis easy to control.

Keywords: Wireshark, Network Monitoring, Filters, Analysis, Problem
investigations.
Introduction:

Network Monitoring:
In today's world, the term network monitoring is widespread throughout the IT
industry. Network monitoring is a critical IT process where all networking
components like routers, switches, firewalls, servers, and VMs are monitored for
fault and performance and evaluated continuously to maintain and optimize their
availability. One important aspect of network monitoring is that it should be
proactive. Finding performance issues and bottlenecks proactively helps in
identifying issues at the initial stage. Efficient proactive monitoring can prevent
network downtime or failures.

Monitoring the Essentials:

Faulty network devices impact network performance. This can be eliminated
through early detection, which is why continuous monitoring of the network and
related devices is essential. In effective network monitoring, the first step is to
identify the devices and the related performance metrics to be monitored. The
second step is determining the monitoring interval. Devices like desktops and
printers are not critical and do not require frequent monitoring, whereas servers,
routers and switches perform business-critical tasks but at the same time have
specific parameters that can be selectively monitored.
TCP/IP Layers Model:

The OSI Model we just looked at is just a reference/logical model. It was designed
to describe the functions of the communication system by dividing the
communication procedure into smaller and simpler components. But when we talk
about the TCP/IP model, it was designed and developed by Department of Defense
(DoD) in 1960s and is based on standard protocols. It stands for Transmission
Control Protocol/Internet Protocol. The TCP/IP model is a concise version of the
OSI model. It contains four layers, unlike seven layers in the OSI model. The
layers are:
1. Process/Application Layer
2. Host-to-Host/Transport Layer
3. Internet Layer
4. Network Access/Link Layer
The diagrammatic comparison of the TCP/IP and OSI model is as follows:
IPV4 Header:

 Version: The IPV4 has version number 4.
 Header length: It shows the size of the header.
 DS Field: DS field stands for differentiated services field and is used to
classify packets.
 Total length: It denotes the size of the header plus the size of the data
packet.
 Identification: This field is used for fragmentation of data packets; every
fragment of one datagram carries the same value, which helps to reconstruct
the original data packet.
 Flags: Used to control the fragmentation procedure (Don't Fragment, More
Fragments).
 Fragment offset: It indicates where this fragment belongs in the original
datagram, so that the fragmented data can be rearranged in the correct order.
 Time to live (TTL): This is set at the source host end.
 Protocol: It denotes the protocol that it is using for transmitting data. TCP
has protocol number 6 and UDP has protocol number 17.
 Header Checksum: This field is used for error detection.
 Source IP address: It holds the IP address of the source end host.
 Destination IP address: It holds the IP address of the destination host.
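The field list above maps directly onto 20 bytes on the wire. The following parser, added here as an illustration and not part of the original project, decodes a constructed IPv4 header into the same fields Wireshark displays and additionally verifies the Header Checksum, which Wireshark leaves disabled by default ("[validation disabled]"). The sample header reuses the identification, TTL and addresses listed later in this report for the http-fault-post capture; the remaining byte values and the checksum are constructed by the code itself.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length buffer with a zero octet
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def with_checksum(header: bytes) -> bytes:
    """Return the header with the Header Checksum field (bytes 10-11) filled in."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    csum = (~ones_complement_sum(zeroed)) & 0xFFFF
    return zeroed[:10] + struct.pack("!H", csum) + zeroed[12:]


PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_ipv4(header: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header into the fields Wireshark displays."""
    if len(header) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, ds, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    flags = flags_frag >> 13                 # top three bits: reserved, DF, MF
    return {
        "version": version,
        "header_length": ihl,
        "dscp": ds >> 2,
        "ecn": ds & 0x3,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags & 0x2),
        "more_fragments": bool(flags & 0x1),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum": csum,
        # A correct header sums to 0xFFFF when the checksum field is included.
        "checksum_ok": ones_complement_sum(header[:ihl]) == 0xFFFF,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


# Constructed sample header (byte values chosen for this example): a TCP packet
# with identification 0x0616, Don't Fragment set, TTL 111, from 216.23.168.114
# to 24.4.97.25. with_checksum() fills in the checksum, so the parser can verify it.
SAMPLE_HEADER = with_checksum(bytes.fromhex(
    "4500 0028"   # version 4, header length 5*4 = 20, DS field 0x00, total length 40
    "0616 4000"   # identification 0x0616, flags 0b010 (Don't Fragment), offset 0
    "6f06 0000"   # TTL 111, protocol 6 (TCP), checksum placeholder
    "d817 a872"   # source 216.23.168.114
    "1804 6119"   # destination 24.4.97.25
))

if __name__ == "__main__":
    for name, value in parse_ipv4(SAMPLE_HEADER).items():
        print(f"{name:>16}: {value}")
```

Flipping a single byte (for instance the TTL) makes `checksum_ok` come back False, which is the kind of check a capture tool skips by default and an analyst can enable when a capture shows suspicious or corrupted headers.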
TCP Header:

 Whenever the application layer needs to send a large flow of traffic or
data, it hands it to the transport layer, in which TCP performs all the end-to-end
communication between networks.
 TCP initially sets up a three-way handshake between the source and
destination, then splits the data into small chunks known as segments, adds a
header to every segment and forwards it to the Internet layer.

The figure below shows the format of the TCP header.


DNS Packet Structure
All DNS packets have the following structure:

    +---------------------+
    |        Header       |
    +---------------------+
    |       Question      | Question for the name server
    +---------------------+
    |        Answer       | Answers to the question
    +---------------------+
    |      Authority      | Not used in this project
    +---------------------+
    |      Additional     | Not used in this project
    +---------------------+

The header describes the type of packet and which fields are contained in the
packet. Following the header are a number of questions, answers, authority
records, and additional records. For this project, we will be ignoring the authority
and additional fields - your client program must accept packets with such fields,
but must ignore them. Note that a response for a single question may contain
multiple answers, such as if a name has multiple IP addresses, or if a name has
both a CNAME and an A record. Your client must process the entire answer section
and report on each one of these records. The format of each of these sections is
described in the sections that follow.

Three-Way Handshake:
It is the process deployed by TCP to establish a connection between the source and
destination host in the network. It is used to perform reliable data transmission. It
deploys SYN and ACK flags of code bits of the TCP header to perform the task. It
provisions reliable communication by performing positive acknowledgment with
re-transmission and is also known as PAR. The system using PAR will re-transmit
the data segment until it receives the ACK. Whenever the receiver discards the
data, the sender has to re-transmit the data until it receives the positive ACK from
the receiver.
There are 3 steps of three-way handshaking, which are as follows:
1. Step 1: The source host A wants to establish a connection with the
destination host B, it transmits a segment with the SYN and sequence
number, which denotes that the host A wants to initiate a session of
communication with Host B and with what sequence number it is defined in
that segment.
2. Step 2: The host B responds to the request of host A with SYN and ACK set
in the signal bit. ACK denotes the response of the received segment and
SYN denotes the sequence number.
3. Step 3: The host A acknowledges the response from the Host B and both
establish a secure connection between them and then begin data transmission
over it.
As shown in the figure below, in the three-way handshake process the source host
first sends a TCP header to the destination host with the SYN flag set. In
response, it gets back a segment with both the SYN and acknowledgment flags set.
The destination host uses the received sequence number plus 1 as the
acknowledgment number.

TCP IP supports the client-server model of the communication system.
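The three steps above, and the "sequence number plus 1" rule for the acknowledgment number, can be checked with a small state machine. The code below is an added example written for this page, not part of the project; the endpoint names, initial sequence numbers and the simulated lost SYN are constructed values. It also models the PAR behaviour described above: when no ACK comes back, the sender retransmits the same segment rather than a new one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """The TCP header fields that matter during connection set-up."""
    src: str
    seq: int
    ack: int
    flags: frozenset  # subset of {"SYN", "ACK"}


def flags_text(seg: Segment) -> str:
    return ", ".join(f for f in ("SYN", "ACK") if f in seg.flags)


class TcpEndpoint:
    def __init__(self, name: str, isn: int):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn      # next sequence number this side will send
        self.rcv_nxt = None     # next sequence number expected from the peer (our ACK value)
        self.unacked = None     # last segment sent that still awaits an ACK (for PAR)

    def listen(self):
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Step 1: send SYN carrying our initial sequence number (ISN)."""
        self.state = "SYN_SENT"
        self.unacked = Segment(self.name, self.snd_nxt, 0, frozenset({"SYN"}))
        self.snd_nxt += 1       # the SYN flag consumes one sequence number
        return self.unacked

    def retransmit(self) -> Segment:
        """PAR: no ACK arrived before the timer expired, so resend the same segment."""
        return self.unacked

    def receive(self, seg: Segment):
        """Process one arriving segment and return the reply, or None."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: acknowledge the peer's ISN + 1 and send our own ISN.
            self.rcv_nxt = seg.seq + 1
            self.state = "SYN_RECEIVED"
            self.unacked = Segment(self.name, self.snd_nxt, self.rcv_nxt, frozenset({"SYN", "ACK"}))
            self.snd_nxt += 1
            return self.unacked
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            if seg.ack != self.snd_nxt:     # must acknowledge exactly ISN + 1
                raise ValueError(f"{self.name}: SYN-ACK acknowledges {seg.ack}, expected {self.snd_nxt}")
            # Step 3: record the peer's ISN and acknowledge it; connection is up.
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            self.unacked = None
            return Segment(self.name, self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"} and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
            self.unacked = None
            return None
        raise ValueError(f"{self.name} in state {self.state} cannot handle [{flags_text(seg)}]")


def run_handshake(client, server, drop_first_syn=False):
    """Drive the exchange; returns the segments that arrived, like a packet-list view."""
    trace = []
    server.listen()
    seg = client.connect()
    if drop_first_syn:                      # simulate loss of the first SYN
        trace.append((seg.src, "SYN (lost in transit)", seg.seq, seg.ack))
        seg = client.retransmit()
    while seg is not None:
        trace.append((seg.src, flags_text(seg), seg.seq, seg.ack))
        receiver = server if seg.src == client.name else client
        seg = receiver.receive(seg)
    return trace


def rejects_bad_synack(client_isn=1000) -> bool:
    """True when a SYN-ACK whose ACK number is not ISN + 1 is refused."""
    c = TcpEndpoint("A", client_isn)
    c.connect()
    try:
        c.receive(Segment("B", 5000, client_isn + 2, frozenset({"SYN", "ACK"})))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    a, b = TcpEndpoint("A", 1000), TcpEndpoint("B", 5000)
    for src, flags, seq, ack in run_handshake(a, b, drop_first_syn=True):
        print(f"{src} -> [{flags}] Seq={seq} Ack={ack}")
    print("A:", a.state, "B:", b.state)
```

The trace printed by the `__main__` block has the same shape as the Seq/Ack columns Wireshark shows for a handshake, which makes it easy to compare against a real capture.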

Three-Way Handshake Process:


UDP Header:
The UDP header is a simple, fixed 8-byte header, while the TCP header may vary from
20 bytes to 60 bytes. The first 8 bytes contain all necessary header information and
the remaining part consists of data. UDP port number fields are each 16 bits long,
so port numbers range from 0 to 65535; port number 0 is reserved. Port numbers
help to distinguish different user requests or processes.

1. Source Port: Source Port is a 2-byte field used to identify the port number of
the source.
2. Destination Port: It is a 2-byte field used to identify the port of the destined
packet.
3. Length: Length is the length of the UDP datagram including header and data. It
is a 16-bit field.
4. Checksum: Checksum is a 2-byte field. It is the 16-bit one’s complement of the
one’s complement sum of the UDP header, a pseudo header of information from
the IP header, and the data, padded with zero octets at the end (if necessary) to
make a multiple of two octets.
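Item 4 above is exactly the computation a capture tool performs when it labels a UDP checksum "[good]", "[bad]" or "[unverified]". The code below, an added example and not part of the original project, builds the IPv4 pseudo header, computes the checksum over pseudo header + UDP header + data with zero padding, and verifies it on the receiving side. The addresses and ports mirror the DNS query analysed later in this report; the payload bytes are constructed.

```python
import socket
import struct

UDP_PROTOCOL = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with zero padding of an odd-length buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo header: source, destination, zero byte, protocol 17, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo header + UDP header (checksum field zero) + data."""
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF
    return 0xFFFF if csum == 0 else csum   # an all-zero result is sent as 0xFFFF (RFC 768)


def build_udp(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Assemble a UDP datagram with a valid checksum."""
    length = 8 + len(payload)
    unsummed = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, unsummed)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def parse_udp(src_ip, dst_ip, segment: bytes) -> dict:
    """Decode the 8-byte header and classify the checksum the way an analyser does."""
    src_port, dst_port, length, csum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length != len(segment):
        raise ValueError(f"UDP length field {length} does not match {len(segment)} bytes")
    if csum == 0:
        status = "no checksum"              # sender chose not to compute one (IPv4 only)
    elif ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + segment) == 0xFFFF:
        status = "good"
    else:
        status = "bad"
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum": csum, "checksum_status": status, "payload": segment[8:]}


# Constructed sample: a datagram from 172.16.0.8:56125 to 172.16.0.102:53 with an
# odd-length payload, so the zero-padding rule is exercised.
SRC, DST = "172.16.0.8", "172.16.0.102"
SAMPLE = build_udp(SRC, DST, 56125, 53, b"constructed dns query")

if __name__ == "__main__":
    print(parse_udp(SRC, DST, SAMPLE))
```

Verification relies on the one's-complement identity that a datagram summed together with its own correct checksum yields 0xFFFF; a single changed byte anywhere in the header, the data, or the pseudo header (for example a rewritten source address) turns the status to "bad".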
Introduction to Wireshark:

Wireshark, formerly known as Ethereal, is a popular network analysis tool to
capture network packets and display them at a granular level. Once these packets
are broken down, you can use them for real-time or offline analysis. This is great
for users who want to generate statistics based on this data or turn it into a
handy graph. The interface is user-friendly and easy to use once you know the
basics of capturing packets.

Wireshark is unique because it is totally free and open source, making it not only
one of the best packet analyzers out there, but also one of the most accessible. The
free version you download of Wireshark is the full version; there are no demo
versions with reduced functionality.

Wireshark is designed for anyone who needs to monitor their network activity,
from home users to enterprise IT teams. A lot of monitoring software falls short
when it comes to scalability, but the folks over at Wireshark have managed to come
up with a program that does not need a whole bunch of extra add-ons to get the
bare minimum of functionality. In contrast, the additional tools I recommend
below make a good thing better.
Ping 8.8.8.8 in the Windows command line with Wireshark:

On a Windows system, if you initiate a ping to 8.8.8.8 with a length value greater
than 68 (e.g. 69), Microsoft's ping will indicate that the ping is successful, but
Wireshark's analysis reports "no response found!".

C:\>ping -8.8.8.8

Pinging 8.8.8.8 with 69 bytes of data:


Reply from 8.8.8.8: bytes=68 (sent 69) time=26ms TTL=54
Reply from 8.8.8.8: bytes=68 (sent 69) time=13ms TTL=54
Reply from 8.8.8.8: bytes=68 (sent 69) time=12ms TTL=54
Reply from 8.8.8.8: bytes=68 (sent 69) time=23ms TTL=54

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in mili-seconds:
    Minimum = 12ms, Maximum = 26ms, Average = 18ms

But there is a subtle addition to Microsoft's ping Reply report. Note that it
indicates "bytes=68 (sent 69)".
Wireshark Capture Packets Analyze:

Once you’ve finished capturing packets, it’s time to look at them. Wireshark
divides the view into three panes: packet list, packet details, and packet bytes.

The packet list section, at the top of the window, lists all the packets from the
capture file. You can browse through each of the following data points:

 Time: timestamp for exactly when the packet was captured
 Source: the IP address where the packet originated
 Destination: the address where the packet is being directed
 Protocol: the packet’s protocol name
 Length: the packet length, in bytes
 Info: any additional details

The packet details section holds the protocols and protocol fields of the selected
packet in collapsible form. Packet bytes, at the bottom of the page, shows the
internal data for the selected packet. By default, this info is presented in
hexadecimal format, but if you want to change it to bit format, you can right-click
on the pane and select this option from the menu.

For the visual learners out there, you can use Wireshark to view network traffic in
an IO graph. Just click on the STATISTICS menu and choose IO GRAPHS. You
can set up the graph with whatever settings you want depending on the data you
want to display. Only one graph is automatically enabled, so if you want to make
more, you have to click on them manually. To add a display filter to the graph,
click the filter icon on the graph you want to work with. Finally, use the style
column to change what kind of graph you use to display your packet data—line,
FBar, dot, or Impulse.
Real PCAP Files Packet Analysis using Wireshark:

PCAP file                     Arrival time              Stream protocol   Source IP address   Destination IP address
1-http_ip4and6                Nov 22, 2015 23:58:11     TCP, HTTP         172.16.16.140       172.16.16.139
2-a3-problem                  Jul 12, 2017 21:25:11     ARP, SMTP         192.168.1.100       192.168.1.1
3-tftp                        May 1, 2013 18:24:11      TFTP              Cisco_18:9a:40      AbitComp_d7:8b:43
4-telnet                      Jul 12, 2017 23:36:35     TELNET, TCP       192.168.1.100       192.168.1.102
5-dns-recursivequery-client   Jan 25, 2010 22:33:50     DNS               172.16.0.8          172.16.0.102
6-dns-recursivequery-server   Jan 25, 2010 22:33:50.65  DNS               172.16.0.8          172.16.0.102
7-a4-problem                  Jul 26, 2017 03:07:49     TCP, ARP, DNS     192.168.1.103       192.168.1.100
8-ftp-session                 Jul 17, 2017 23:52:57     TCP, FTP          192.168.1.100       192.168.1.102
9-ftp-download-good2          Jan 8, 2007 01:15:10      FTP, TCP, HTTP    67.180.72.76        128.121.136.217
10-http-google                Feb 9, 2010 07:18:39      HTTP, FTP, TCP    172.16.16.128       74.125.95.104
Real Packet Analysis Investigations Using Wireshark:

Packet Name: a3-problem.pcap Analysis (ARP)

 Version: The IPV4 has version number 4.
 Frame length: 42 bytes
 Protocol: TCP, ARP, DNS.
 Sender IP address: 192.168.1.100
 Target IP address: 192.168.1.1
 Source IP address: 192.168.1.1
 Destination IP address: 192.168.1.100
 Sender MAC address: VMware_b1:5d:ca (00:50:56:b1:5d:ca)
 Target MAC address: VMware_b1:33:b1 (00:50:56:b1:33:b1)

Problems Scenario:

 SMTP – Destination Unreachable (Port unreachable)
 Flags – 000x0
    Reserved bit – Not Set
    Don’t Fragment – Not Set
    More Fragments – Not Set
 Header checksum – 0x77a8 [validation disabled]
Packet Name: a4-problem.pcapng Analysis (TCP)

 Version: The IPV4 has version number 4.
 Frame length: 42 bytes
 Protocol: TCP, ARP, DNS.
 Sender IP address: 192.168.1.100
 Target IP address: 192.168.1.102
 Source IP address: 192.168.1.1
 Destination IP address: 192.168.1.100
Problems Scenario:

 SMTP – Destination Unreachable (Port unreachable)
 TCP – Retransmission
    80 → 49174 [PSH, ACK] Seq=467 Ack=840 Win=31360 Len=512
 HTTP Host: www.bankofamerica.com is retransmitted and the next time
unreachable.

Packet Name: ftp-download-good2.pcapng Analysis (FTP)

 Version: The IPV4 has version number 4.
 Frame length: 42 bytes
 Protocol: TCP, ARP, DNS.
 Source IP address: 67.180.72.76
 Destination IP address: 128.121.136.217

Problems Scenario:

 TCP payload (1460 bytes)
 FTP Data (1460 bytes data)
 [Setup frame: 8]
    [Setup method: PASV]
    [Command: SIZE OS Fingerprinting with ICMP.zip]
 [Command frame: 12]
    [Current working directory: /articlefarm/OS Fingerprinting with ICMP/]
Packet Name: http-fault-post.pcapng IPV4 Header Analysis (TCP):

 Version: 4
 Frame 26: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface
unknown, id 0.
 Frame Length: 60 bytes (480 bits)
 Capture Length: 60 bytes (480 bits)
 Version: version number 4.
 Header length: 20 bytes.
 Total length: 40
 Identification: 0x00000616 (1558).
 Flags: 0x4000, Don't fragment.
 Fragment offset: 0
 Time to live: 111
 Protocol: TCP (6)
 Source Port: 80
 Destination Port: 2580
 Header Checksum: 0x0b31 [validation disabled]
 Source IP address: 216.23.168.114
 Destination IP address: 24.4.97.25

Problems Scenario:
Window size value: 64166
Window size scaling factor: [2 (no window scaling used)]

Packet Name: http-fault-post.pcapng IPV4 Header Analysis (HTTP):

 Version: 4
 Frame 16: 1423 bytes on wire (11384 bits), 1423 bytes captured (11384 bits) on
interface unknown, id 0
Interface name: unknown
Frame Length: 1423 bytes (11384 bits)
Capture Length: 1423 bytes (11384 bits)
 Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
 Flags: 0x4000, Don't fragment
 Fragment offset: 0
 Total Length: 1409
 Time to live: 128
 Header checksum: 0x72e2 [validation disabled]
 Protocol: HTTP
 Source Port: 2580
 Destination Port: 80
 Acknowledgment number (raw): 3045572448
 Source: 24.4.97.251
 Destination: 216.23.168.114

Problems Scenario:
 Content-Type: application/x-www-form-urlencoded\r\n
 Host: www.discoverconsoles.com\r\n
 Connection: Keep-Alive\r\n
 HTML Form URL Encoded: application/x-www-form-urlencoded
 Form item: "validate" = "[type Function]"
 Form item: "formcheck" = "[type Function]"
 Form item: "mailform" = "flashmail.asp"
 Form item: "confirm" = "thank you. We will get back to you soon !"
 Form item: "action" = "send"
 Form item: "error1" = "please enter your first name"
 Form item: "error2" = "please enter your last name"
 Form item: "error3" = "please enter a valid email adress"
 Form item: "error4" = "please enter correct phone number"
 Form item: "error5" = "please enter a subject"
 Form item: "error6" = "Your comments please!"
 Form item: "txtFirst_Name" = "Laura"
 Form item: "txtLast_Name" = "Chappell"
 Form item: "txtEmail" = [email protected]
 Form item: "txtSubject" = "FTP Background Traffic?"
 Form item: "txtComments" = "It appears that your software is loaded on one of
our lab Media Center Edition HP boxes. It makes an FTP connection in the
background (which cannot locate the file it is looking for). What is it trying to
update.
 Form item: "txtPhone_No" = "408-378-7841"

TFTP Pcap File Analysis (TFTP)

 Version: 4
 Header Length: 20 bytes (5)
 Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
 Total Length: 48
 Time to live: 255
 Protocol: UDP (17)
 Header checksum: 0x3965 [validation disabled]
 Source: 192.168.0.253
 Destination: 192.168.0.10
dns-recursivequery-client.pcapng Analysis (UDP):
 Version: 4
 Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
 Total Length: 62
 Time to live: 128
 Protocol: UDP (17)
 Header checksum: 0x0000 [validation disabled]
 Source Port: 56125
 Destination Port: 53
 Checksum: 0x58ca [unverified]
 Source: 172.16.0.8 & Destination: 172.16.0.102

Domain Name System (query):

 Transaction ID: 0x8b34
 Flags:
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data: Unacceptable

 Questions: 1
 Answer RRs: 0
 Authority RRs: 0
 Additional RRs: 0
 Queries: www.nostarch.com: type A, class IN
 [Response In: 2]
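The DNS Packet Structure section earlier in this report and the flag breakdown above describe the same 12-byte header. The parser below, added here as an example and not part of the project, decodes that header bit by bit (the same bits Wireshark labels Response, Opcode, Truncated, Recursion desired, Z and Non-authenticated data), walks the question section, and processes every record in the answer section, including the CNAME-plus-A case the structure section calls out, while only counting the authority and additional sections. The query message is constructed to match the fields listed above (ID 0x8b34, RD set, www.nostarch.com type A class IN); the response message, the name web.example.com and the address 203.0.113.10 are invented for the example.

```python
import struct

TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}


def encode_name(name: str) -> bytes:
    """Encode 'www.nostarch.com' as length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035, 4.1.4)
            if end is None:
                end = offset + 2             # the pointer is the last thing in this name
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                    # refuse pointer loops in a malformed packet
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns(msg: bytes) -> dict:
    """Decode header, question and answer sections; count authority/additional only."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {
        "id": tid,
        "response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "truncated": bool(flags & 0x0200),
        "recursion_desired": bool(flags & 0x0100),
        "z": (flags >> 6) & 1,
        "non_authenticated_ok": bool(flags & 0x0010),  # Wireshark: "Non-authenticated data"
        "rcode": flags & 0xF,
        "questions": [], "answers": [],
        "authority_rrs": ns, "additional_rrs": ar,    # present in the count, skipped
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, TYPE_NAMES.get(qtype, qtype), qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, rdata_off = msg[off:off + rdlen], off
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:
            value = read_name(msg, rdata_off)[0]    # CNAME target may be compressed
        else:
            value = rdata.hex()
        out["answers"].append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
    return out


# Constructed messages: the query mirrors the page's fields, the response is invented.
QUESTION = encode_name("www.nostarch.com") + struct.pack("!HH", 1, 1)   # type A, class IN
QUERY = struct.pack("!HHHHHH", 0x8B34, 0x0100, 1, 0, 0, 0) + QUESTION   # flags: RD only


def build_response() -> bytes:
    """Response with a CNAME and an A record, both using name compression."""
    msg = struct.pack("!HHHHHH", 0x8B34, 0x8180, 1, 2, 0, 0) + QUESTION  # QR, RD, RA
    cname = encode_name("web.example.com")
    cname_offset = len(msg) + 2 + 10                                  # where the CNAME rdata lands
    msg += struct.pack("!H", 0xC000 | 12) + struct.pack("!HHIH", 5, 1, 300, len(cname)) + cname
    msg += (struct.pack("!H", 0xC000 | cname_offset)
            + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
    return msg


if __name__ == "__main__":
    for label, m in (("query", QUERY), ("response", build_response())):
        print(label, parse_dns(m))
```

The hop limit in `read_name` matters in practice: a crafted packet whose compression pointer refers back to itself would otherwise spin a naive parser forever, and the same bounds-checking mindset applies to every length field in the message.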
Conclusion:
The purpose of this project is to demonstrate how Wireshark is applied in network
monitoring diagnosis and how it can be used to discover network traffic such as port
scanning, covert FTP and IRC channels, and ICMP-based problems. The case studies in
this project illustrate the idea of using Wireshark for network traffic analysis.

For information technology (IT), an IT administrator can manage network
monitoring using Wireshark from entry level through to intermediate level. I think
Wireshark is a pretty handy and cool way to understand network traffic analysis:
how communication takes place when particular protocols are involved, and where it
went wrong when certain issues occur.
