
SBA 162 - Analyze Traffic with Wireshark
Version 1.0, August 2023

Before you Begin - How to Complete This Activity


Having a Google account is strongly recommended.
Once logged in to your Google account, you can use this document’s File menu to make a
copy of the file. The copy will reside in your personal Google Drive. Once you have a copy of
the lab file, you can type answers to questions and paste screenshots directly into the lab file.
NOTE: Do not request edit access to the file.
If you do not have a Google account, use this document’s File menu to download the lab file
in a format compatible with your document editor. Open the file for editing using your editor of
choice (Microsoft Word, LibreOffice, PDF editor, or other), type answers to questions, and
paste screenshots directly into the file.
When you have completed the lab, save the file in .pdf format.
NOTE: You will also create a Wireshark .pcap file in this assessment.
Upload the completed .pdf document and the Wireshark .pcap file to Canvas using the
Submit button.
Still confused? Refer to The Lab Process guide.

Introduction
Wireshark is a widely used open-source network protocol analyzer. It is primarily used for
capturing and analyzing the traffic that flows across a computer network. Wireshark allows
users to inspect the data packets exchanged between devices on a network, providing
detailed information about the communication process.
During this module, you have explored different features of Wireshark. In this Skill-Based
Assessment, you will demonstrate your skills in capturing and analyzing network traffic.
Note: As Wireshark constantly evolves, images, functions, and tool locations may differ
slightly from what is displayed here.

Objectives
● Capture network traffic with Wireshark.
● Create a profile.
● Customize the profile.
● Analyze ICMP traffic with Wireshark.
● Analyze DNS traffic with Wireshark.
● Analyze TCP headers with Wireshark.

● Analyze TLS with Wireshark.
● Analyze ARP traffic with Wireshark.

Equipment
● A laptop or PC running Windows with Internet connectivity or A Windows Virtual Machine
with Internet connectivity.
● Wireshark Protocol Analyzer installed on the laptop, PC, or virtual machine.

Instructions
Answer the questions and provide screenshots.

Capture network traffic with Wireshark.


Before you start capturing traffic with Wireshark, you will clear the DNS and ARP caches
on the capturing device. This will help ensure that you capture the traffic necessary for
this SBA.

a. On your Windows machine, launch the Wireshark program (Do not start the capture
yet).
b. On your Windows machine (the same one you will use to capture network traffic for this
SBA), search for cmd and select Run as administrator from the Command Prompt
App options.

c. In the Command Prompt, type ipconfig /flushdns and press the Enter key.

d. Once you are notified that Windows IP Configuration successfully flushed the DNS
resolver Cache, type arp -d into the Command Prompt and press the Enter key.

e. Back on the Wireshark program, what is the name of the interface you will be using to
capture network traffic?

[enter answer here]

f. Start the network traffic capture using Wireshark.


g. Back on the Command Prompt, ping the 8.8.8.8 IPv4 address. Take a screenshot of the
ping results and paste the image into the box below.

[Paste image here]

h. Launch a Web browser and navigate to www.example.com


i. Let the capture run for one more minute.
j. Stop the capture.
k. How many frames did you capture?

[enter answer here]

Create a profile.
a. Create a new Wireshark profile and name it with your name.
b. Take a screenshot of the Wireshark window displaying your new profile and paste the
image into the box below.

[Paste image here]

Customize the profile.


a. Using your new profile, zoom in to enlarge the display of the captured content.
b. Resize the packet list to fit the contents.
c. Ensure the display layout contains three panes, as shown in the image below.

d. Set pane number three to display bits.


e. Add a new column named Delta and set it to Delta time displayed.
f. Move the new column (Delta) to the right of the Time column.

g. What information does the Delta column display?

[enter answer here]

h. Set the No. column to align its contents to the center.


i. How would you change the display format of the Time column to display the time of day
(note, do not change this, just explain how)?

[enter answer here]

j. Add a coloring rule for TCP SYNs. The rule should be the second rule after the existing
Bad TCP and should color the background of the TCP SYN packets bright green. Use
the filter tcp.flags.syn == 1
k. Scroll through your packet capture or use a filter to find a TCP 3-way handshake. Take a
screenshot of the Wireshark window displaying a TCP 3-way handshake using your
coloring rule and paste the image into the box below.

[Paste image here]

Analyze ICMP traffic with Wireshark.


a. Your packet capture should contain traffic generated by the ping 8.8.8.8 command
issued by you earlier. Use a filter to display only the packets related to this exchange.

b. Take a screenshot of the result and paste the image into the box below.

[Paste image here]

c. How many packets did you find?

[enter answer here]

d. What is the frame number of the first ping request?

[enter answer here]

e. What is the frame number of the reply to the first ping request?

[enter answer here]

f. What is the length of the first frame (request frame) in bytes?

[enter answer here]

g. What is the Delta (time) between the first request and reply frames?

[enter answer here]

h. Compare the Delta between the first request frame and the first reply frame with the first
reply of the ping command in the screenshot you pasted into this file earlier. What can
you conclude?

[enter answer here]

i. What is the MAC address of the sending device on the first ping request frame?

[enter answer here]

j. What is the MAC address of the router used to forward the ping request to 8.8.8.8?

[enter answer here]

k. What hexadecimal value within the Ethernet II header identifies the IPv4 protocol?

[enter answer here]

l. What is the IPv4 address of the sending device?

[enter answer here]

m. Within the Internet Protocol Version 4 section of the packet details (in pane 2), select the
Source Address. This will highlight the bits representing the address in pane 3. Enter the
32 bits representing the IPv4 source address into the box below.

[enter binary IPv4 address here]

n. What is the decimal value within the Internet Control Message Protocol that signifies an
Echo (ping) request?

[enter answer here]

o. What is the decimal value within the Internet Control Message Protocol that signifies an
Echo (ping) reply?

[enter answer here]

Analyze DNS traffic with Wireshark.


a. Your packet capture should contain DNS traffic generated by navigating to
www.example.com. Note other DNS traffic may also have been captured.
b. Apply a filter in Wireshark to display only the DNS traffic associated with resolving
www.example.com.
c. Type the filter you used into the box below.

[type filter here]

d. How many DNS packets are associated with resolving www.example.com?

[enter answer here]

e. What type(s) of DNS records are queried in regard to www.example.com?

[enter answer here]

f. What version of the Internet Protocol is used to route the DNS packets?

[enter answer here]

g. What is the IP address of the DNS server?

[enter answer here]

h. What transport layer protocol is used to send DNS queries?

[enter answer here]

i. What is the source port number(s) used to send the DNS queries resolving
www.example.com?

[enter answer here]

j. What is the destination port number used to send DNS queries?

[enter answer here]

k. Navigate into the Domain Name System query in the details section of the capture,
locate the www.example.com name in the A record query, and highlight it. Take a
screenshot of Wireshark displaying the result in all three panes, with the name displayed
as highlighted bits on pane number three.

[paste image here]

l. What is the source port number(s) used to send the DNS response(s)?

[enter answer here]

m. What IP address(es) are found in the Answers section of the DNS response to an A
record query?

[enter answer here]

Analyze TCP headers with Wireshark.


a. Your packet capture should contain TCP traffic generated by navigating to the
www.example.com Website.
b. Use a filter to display the TCP 3-way handshake between the client and the server
hosting www.example.com.
c. Type the filter you used into the box below.

[type filter here]

d. Take a screenshot of Wireshark displaying the TCP 3-way handshake between the client
and the server hosting www.example.com. Paste the image into the box below.

[paste image here]

e. What is the Internet Protocol version used for this exchange?

[enter answer here]

f. What is the port number used by the client for this exchange?

[enter answer here]

g. What is the port number used by the server for this exchange?

[enter answer here]

h. On the first packet of the TCP 3-way handshake, on the details pane, under the
Transmission Control Protocol section, locate and highlight the flag indicating the Syn bit
is set (this is the byte of data that indicates to the receiving device that this is a Syn
request).
i. Using the bits pane, enter the binary value of the flag indicating that this TCP packet is a
Syn request into the box below.

[enter Syn byte value in binary here]

j. On the second packet of the TCP 3-way handshake, on the details pane, under the
Transmission Control Protocol section, locate and highlight the flags indicating that both
the Syn and Ack bits are set (this is the byte of data that indicates to the receiving device
that this is a Syn/Ack TCP packet).
k. Using the bits pane, enter the binary value of the flag indicating that this TCP packet is a
Syn/Ack into the box below.

[enter Syn/Ack byte value in binary here]

Analyze TLS with Wireshark.


As most of the traffic on the Internet is encrypted, you will use Wireshark to examine a
TLS handshake (or some of it).
Your packet capture should contain encrypted traffic generated by navigating to
www.example.com.
a. Use a filter to display the TLS handshake packets between the client and the server
hosting www.example.com.
b. Type the filter you used into the box below.

[type filter here]

c. Select a Client Hello packet. In the details pane, locate the server name under the
Extension: server_name section of the Handshake Protocol within the Client Hello. Take
a screenshot of Wireshark displaying the value www.example.com as the Server Name
(this is one way to ensure you are looking at the correct handshake). Paste the image
into the box below.

[paste image here]

d. How many Cipher Suites are supported by the client in this TLS session?

[enter answer here]

e. List five (5) supported Cipher Suites. Include their name, hexadecimal identifier, and
binary representation (16-bit binary string). Enter your answer into the table below.

Cipher Suite name        Hexadecimal identifier        16-bit binary representation

f. How many Signature Hash Algorithms are supported by the client in this TLS session?

[enter answer here]

Analyze ARP traffic with Wireshark.


Your packet capture should contain ARP traffic generated by devices on the network.

a. Search the capture file for an Address Resolution Protocol (ARP) request frame
(destination address is broadcast) with a corresponding ARP reply (destination address
is unicast). Use a filter in Wireshark to display only these two frames.
b. Type the filter you used into the box below.

[type filter here]

c. Take a screenshot of Wireshark displaying only the two ARP frames. Paste the image
into the box below.

[paste image here]

d. Within the Ethernet II frame, what hexadecimal value signifies that the frame’s payload is
ARP?

[enter answer here]

e. Within the Address Resolution Protocol (request), what hexadecimal value signifies that
the Protocol type is IPv4?

[enter answer here]

f. On the Address Resolution Protocol (request) frame, how many bytes of padding does
Ethernet II add at the end of the frame?

[enter answer here]

g. What is the value of the bits that make up the padding in the Address Resolution
Protocol (request) frame?

[enter answer here]

h. On the Address Resolution Protocol (request) frame, what is the hexadecimal value of
the Target MAC address?

[enter answer here]

i. On the Address Resolution Protocol (request) frame, what is the binary value of the
destination MAC address?

[enter answer here]
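As an added illustration that is not part of the SBA, the decoder below walks an ARP request frame constructed for this example (not taken from any capture) and reports the values the ARP questions above ask about: the EtherType, the Protocol type, the broadcast destination, the all-zero target MAC, and the trailing zero padding that brings a 42-byte ARP frame up to the 60-byte Ethernet minimum.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying ARP, including any trailing padding."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                            # 0x0806 identifies ARP
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    padding = frame[42:]                               # anything after the 28-byte ARP body
    return {
        "dst_mac": _mac(dst),
        "dst_is_broadcast": _mac(dst) == BROADCAST,
        "dst_mac_bits": "".join(f"{b:08b}" for b in dst),
        "ethertype": f"0x{ethertype:04x}",
        "ptype": f"0x{ptype:04x}",                     # 0x0800 = IPv4 addresses carried
        "operation": "request" if oper == 1 else "reply" if oper == 2 else oper,
        "sender_mac": _mac(sha), "sender_ip": ".".join(map(str, spa)),
        "target_mac": _mac(tha),                       # all zeros in a request
        "target_ip": ".".join(map(str, tpa)),
        "padding_len": len(padding),
        "padding_all_zero": not any(padding),
    }


# Constructed ARP request (not from the lab capture): 14 + 28 = 42 bytes of
# real content, then zero padding up to the 60-byte Ethernet minimum.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "66778899aabb" "0806"   # broadcast dst, sender MAC, EtherType ARP
    "0001" "0800" "06" "04" "0001"         # htype Ethernet, ptype IPv4, lengths 6/4, opcode 1
    "66778899aabb" "c0a80164"              # sender MAC / IP 192.168.1.100
    "000000000000" "c0a80101"              # target MAC unknown / IP 192.168.1.1
) + bytes(18)

if __name__ == "__main__":
    print(parse_arp_frame(ARP_REQUEST))
```

On a real capture the padding may be absent on frames your own host transmits, because the driver adds it after Wireshark sees the frame; received frames show it.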
