Lab_1__CNS_

This document outlines Lab 1 for a Computer and Network Security course, focusing on the use of Wireshark for packet capture and analysis. Students are instructed to perform various tasks involving ICMP, DNS, and TCP packets, while adhering to ethical hacking guidelines. The lab emphasizes hands-on experience with network protocols and packet inspection using Wireshark's features.

Intelligent Systems Engineering Department

The National School of Artificial Intelligence


3rd Year, Semester 2 — 2024/2025

Computer and Network Security

Lab 1
Description. This lab is an introduction to Wireshark, a powerful packet capture (sniffer) and analyzer. You will use Wireshark to capture various types of communications and use Wireshark’s protocol dissectors to inspect each packet with respect to the protocols’ specifications.

Prerequisites
To rock this lab, make sure you have:
• Two computers running GNU/Linux (or one VM plus your host machine).

• Wireshark installed, up and running (on one of the computers).


Disclaimer
Hacking without permission is illegal. These labs are strictly educational, for learning about cybersecurity in the areas of ethical hacking and penetration testing so that we can protect ourselves against real hackers. Hence, any attack techniques, tools, and technologies learned during this lab should only be launched on systems you either own or have permission to launch attacks on.

Introduction to Wireshark
Wireshark is a powerful and widely used packet analyzer software that allows users to capture,
analyze, and inspect network traffic in real-time. It uses protocol dissectors to interpret and
display the details of various network protocols present in the captured packets.

1. Open Wireshark and click on Capture Options.

2. Make sure the network interface you are connecting with is set to promiscuous mode.

1.1. ping (ICMP packets)

1. Run $ping www.mesrs.dz.

2. On Wireshark, you should see some ICMP packets along with other packets. Stop the capture.

3. On the filter bar, type in icmp, so that only ICMP transactions are displayed.

4. The command you executed in Step 1 generated some “Echo (ping) request” packets
and some “Echo (ping) response” packets. Those are ICMP packets.
Copyright © Dr. Karim Lounis, 2024/2025.
5. Go over the captured packets and answer the following questions:
• What are the source and destination IP addresses?
• What is the TTL value of your ping requests and ping responses?
• The source address will be NATed. What would be the assigned communication port?

6. Run $ping 192.168.1.55 (an address that is not used in your network), and run the
packet capture on Wireshark. You should see some ARP packets. Stop the packet capture
and answer these questions:
• What is the destination address?
• What is this packet used for?
• Were there responses to those ARP packets? Why?

7. Let us add one line to the sysctl file: $sudo nano /etc/sysctl.conf.

8. Scroll down and add net.ipv4.icmp_echo_ignore_all = 1.

9. Apply the change by running $sudo sysctl -p.

10. The line you added to the file will be displayed.

11. Ask a classmate to ping your computer and capture the packets using Wireshark.
• Do you receive ICMP responses?
• Explain what happened although your machine is up and running.
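The ARP exchange from Step 6 can be reproduced without a network. The following is an added example (not part of the lab, and not the lab author's code) that builds Ethernet/ARP frames from constructed test data and dissects them the way Wireshark's ARP dissector does; the MAC addresses, the hosts 192.168.1.10 and 192.168.1.1, and the unused address 192.168.1.55 are all assumptions chosen to match the lab's scenario. A who-has request is sent to the Ethernet broadcast address ff:ff:ff:ff:ff:ff; if no host owns the requested IP, nobody sends an is-at reply, the kernel never learns a destination MAC, and the ICMP echo requests are never put on the wire.

```python
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes: "who-has" and "is-at"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying one ARP message (constructed test data, not a capture).
    A request goes to the Ethernet broadcast address; a reply goes back unicast."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def dissect_arp(frame):
    """Split an Ethernet/ARP frame into the fields Wireshark shows in its detail pane."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    sha = body[:hlen]
    spa = body[hlen:hlen + plen]
    tha = body[hlen + plen:2 * hlen + plen]
    tpa = body[2 * hlen + plen:2 * hlen + 2 * plen]
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "opcode": "request" if op == ARP_REQUEST else "reply",
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def unanswered_requests(frames):
    """Map each requested IP to the number of who-has requests that got no is-at reply.
    Pinging an unused address looks exactly like this: the request repeats, nothing answers."""
    asked = Counter()
    answered = set()
    for f in frames:
        a = dissect_arp(f)
        if a["opcode"] == "request":
            asked[a["target_ip"]] += 1
        else:
            answered.add(a["sender_ip"])  # in a reply, the sender is the host that owns the IP
    return {ip: n for ip, n in asked.items() if ip not in answered}


if __name__ == "__main__":
    # Constructed frames: three requests for the unused address, one answered request for the gateway.
    unused = build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.55")
    gw_req = build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:01", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
    gw_rep = build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:ff", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10")
    for frame in (unused, gw_req, gw_rep):
        print(dissect_arp(frame))
    print(unanswered_requests([unused, unused, unused, gw_req, gw_rep]))
```

The same counting logic is what a network monitor uses to spot a host that keeps asking for addresses nobody owns, so the answer to "were there responses?" is also a useful baseline for what normal ARP traffic looks like on your segment.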

1.2. nslookup (DNS packets)

1. Run $nslookup www.ensia.edu.dz.

2. On Wireshark, you should see some DNS packets along with other packets.

3. On the filter bar, type in dns, so that only DNS transactions are displayed.

4. The command you executed in Step 1 generated a “Standard DNS query for an A-record”
and a “Standard DNS response with an A-record”.

5. Go over the packets and answer the following questions:


• What is your default DNS server?
• Which transport protocol is used by DNS?
• What is the port used by the DNS server and the one used by nslookup?
• What is the IP address of www.ensia.edu.dz?
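To see what the DNS dissector is decoding, here is an added example (my own code, not part of the lab) that builds the A-record query and response for www.ensia.edu.dz as raw DNS messages, the bytes that travel inside a UDP datagram to port 53, and parses them back, including the name-compression pointer that real responses use. The transaction ID 0x1234, the TTL of 300 seconds and the answer address 192.0.2.10 are constructed placeholders, not the real values you will see in your capture.

```python
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """www.ensia.edu.dz -> 3www5ensia3edu2dz0 (length-prefixed labels, zero terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name):
    # flags 0x0100: standard query, recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ip, ttl=300):
    # flags 0x8180: response, recursion desired and available; one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # The answer name is a compression pointer (0xC00C) to offset 12, where the question name sits.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    answer += bytes(int(o) for o in ip.split("."))
    return header + question + answer


def decode_name(msg, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels, jumped, resume = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # top two bits set: 14-bit pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                resume = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (resume if jumped else offset)


def parse_dns(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def matches(query, response):
    """A resolver accepts a response only if it is flagged as one and its transaction ID and
    question match the query it sent (the UDP source port is the other check, not visible here)."""
    q, r = parse_dns(query), parse_dns(response)
    return (not q["is_response"]) and r["is_response"] and q["id"] == r["id"] \
        and q["questions"] == r["questions"]


if __name__ == "__main__":
    name = "www.ensia.edu.dz"
    q = build_query(0x1234, name)                      # constructed transaction ID
    r = build_response(0x1234, name, "192.0.2.10")     # constructed answer address
    print(q.hex())
    print(parse_dns(q))
    print(parse_dns(r))
    print("accepted:", matches(q, r))
```

Compare the printed hex with the bytes Wireshark shows for your own query: the 12-byte header, then the labelled name, then type and class. The matches() check is why the 16-bit transaction ID and the randomised client port matter: they are all that stops a forged response from being accepted.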

1.3. traceroute (X packets)

1. Run $traceroute www.ensia.edu.dz.
2. On Wireshark, you should see some ICMP packets along with other packets.
3. On the filter bar, type in icmp, so that only ICMP transactions are displayed.
4. Go over the packets and answer the following questions:
• Why are you getting “Time-to-live exceeded” packets from different sources?
• What are those sources?
• You should have received a packet with “Destination Unreachable (port unreachable)”. ICMP packets do not contain port numbers; could you check the content of those packets? Is there a transport protocol being used?
• Which transport protocol is used by DNS?
• What is the port used by the DNS server and the one used by nslookup?
• What is the IP address of www.ensia.edu.dz?
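The ICMP questions of sections 1.1 and 1.3 (TTL values, where the “Time-to-live exceeded” messages come from, and how a “port unreachable” message can carry a port at all) come down to one fact from RFC 792: an ICMP error message quotes the IP header of the packet that caused it plus the first 8 bytes of its payload, which for a UDP probe is the whole UDP header. The following added example (my own code, not the lab's) builds constructed IPv4/ICMP and IPv4/UDP packets and dissects them the way Wireshark does, recovering the quoted UDP ports. The addresses 192.168.1.10, 192.168.1.1 and 203.0.113.5 and the ports 40000 and 33434 are assumptions; checksums are left at zero because the dissector does not verify them.

```python
import struct

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header (constructed; checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def parse_ipv4(pkt):
    vihl, tos, total, ident, frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": ip_str(src), "dst": ip_str(dst), "ttl": ttl, "proto": proto, "payload": pkt[ihl:total]}


def build_echo_request(src, dst, ttl, ident=1, seq=1):
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + b"payload"
    return ipv4_header(src, dst, PROTO_ICMP, ttl, len(icmp)) + icmp


def build_udp_probe(src, dst, ttl, sport, dport):
    """A traceroute-style UDP probe: small datagram, deliberately small TTL."""
    data = b"\x00" * 4
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return ipv4_header(src, dst, PROTO_UDP, ttl, len(udp)) + udp


def build_icmp_error(sender, dst, icmp_type, code, offending_packet):
    """ICMP error from a router or host: header + the offending IP header + 8 bytes of its payload."""
    quoted = offending_packet[:20 + 8]
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ipv4_header(sender, dst, PROTO_ICMP, 64, len(icmp)) + icmp


def dissect_icmp(pkt):
    """Outer IP + ICMP fields; for error messages, also the quoted inner packet's ports."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != PROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = ip["payload"]
    info = {"src": ip["src"], "dst": ip["dst"], "ttl": ip["ttl"], "type": icmp[0], "code": icmp[1]}
    if info["type"] in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        inner = parse_ipv4(icmp[8:])  # the quoted packet starts after the 8-byte ICMP header
        info["inner_dst"], info["inner_proto"] = inner["dst"], inner["proto"]
        if inner["proto"] == PROTO_UDP:
            # UDP header = sport, dport, length, checksum: the 8 quoted bytes hold all of it
            info["inner_sport"], info["inner_dport"] = struct.unpack("!HH", inner["payload"][:4])
    return info


def label(info):
    """The text Wireshark puts in the Info column for these message types."""
    t, c = info["type"], info["code"]
    if t == ICMP_ECHO_REQUEST:
        return "Echo (ping) request"
    if t == ICMP_ECHO_REPLY:
        return "Echo (ping) reply"
    if t == ICMP_TIME_EXCEEDED and c == 0:
        return "Time-to-live exceeded (Time to live exceeded in transit)"
    if t == ICMP_DEST_UNREACH and c == 3:
        return "Destination unreachable (Port unreachable)"
    return f"ICMP type {t} code {c}"


def traceroute_hops(packets):
    """Senders of the Time-to-live exceeded messages, in arrival order: the routers on the path."""
    hops = []
    for p in packets:
        if parse_ipv4(p)["proto"] == PROTO_ICMP and dissect_icmp(p)["type"] == ICMP_TIME_EXCEEDED:
            hops.append(dissect_icmp(p)["src"])
    return hops


if __name__ == "__main__":
    me, target, gateway = "192.168.1.10", "203.0.113.5", "192.168.1.1"   # constructed addresses
    print(label(dissect_icmp(build_echo_request(me, target, 64))))
    probe = build_udp_probe(me, target, 1, 40000, 33434)
    exceeded = build_icmp_error(gateway, me, ICMP_TIME_EXCEEDED, 0, probe)
    unreachable = build_icmp_error(target, me, ICMP_DEST_UNREACH, 3, probe)
    for pkt in (exceeded, unreachable):
        d = dissect_icmp(pkt)
        print(label(d), d)
    print("hops:", traceroute_hops([probe, exceeded, unreachable]))
```

Step 8 of section 1.1 (net.ipv4.icmp_echo_ignore_all = 1) changes none of this parsing; it only makes your kernel drop the echo requests silently, so the request still appears in your capture while the reply never does.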

1.4. TCP three-way-handshake (TCP segment)

1. Open a browser and connect to the access point.


2. On Wireshark, you should see some TCP packets along with other packets.
3. On the filter bar, type in tcp, so that only TCP transactions are displayed.
4. Go over the packets and answer the following questions:
• Did you manage to capture and identify the three TCP packets: SYN, SYN-ACK,
and ACK? What is the destination and source port?
• Try to connect to www.ensia.edu.dz and relaunch the packet capture. Did you capture
the three TCP segments? What is the destination and source port?
• Did you capture “Client Hello” and “Server Hello” messages? What are these for?
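The three-way handshake is identified by flags and by sequence-number arithmetic, not just by order: the SYN-ACK must acknowledge the client's ISN + 1, and the final ACK must acknowledge the server's ISN + 1. The following added example (my own code, not the lab's) builds constructed TCP segments for a connection to port 443, finds the handshake among them and then recognises the TLS “Client Hello” that follows it by its record header (content type 0x16, handshake type 1). Client port 51000, the initial sequence numbers 1000 and 5000 and the truncated TLS record are assumptions for the test data.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TLS_HANDSHAKE_RECORD = 0x16
TLS_HANDSHAKE_NAMES = {1: "Client Hello", 2: "Server Hello"}


def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header (data offset 5, window 65535, checksum 0) plus payload; constructed data."""
    offset_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0) + payload


def parse_segment(seg):
    sport, dport, seq, ack, offset_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (offset_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF, "payload": seg[hlen:]}


def flag_names(flags):
    """Flag letters in the order Wireshark lists them in the Info column, e.g. [SYN, ACK]."""
    return [name for name, bit in (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK))
            if flags & bit]


def find_handshake(segments):
    """Return the first complete SYN / SYN-ACK / ACK triple, or None.
    Each step must reverse the port pair and acknowledge the previous step's sequence number + 1."""
    parsed = [parse_segment(s) for s in segments]
    for i, a in enumerate(parsed):
        if (a["flags"] & (SYN | ACK)) != SYN:
            continue
        for j in range(i + 1, len(parsed)):
            b = parsed[j]
            if ((b["flags"] & (SYN | ACK)) == (SYN | ACK)
                    and b["sport"] == a["dport"] and b["dport"] == a["sport"]
                    and b["ack"] == (a["seq"] + 1) & 0xFFFFFFFF):
                for k in range(j + 1, len(parsed)):
                    c = parsed[k]
                    if ((c["flags"] & (SYN | ACK)) == ACK
                            and c["sport"] == a["sport"] and c["dport"] == a["dport"]
                            and c["seq"] == b["ack"] and c["ack"] == (b["seq"] + 1) & 0xFFFFFFFF):
                        return {"client_port": a["sport"], "server_port": a["dport"],
                                "client_isn": a["seq"], "server_isn": b["seq"]}
    return None


def tls_handshake_type(payload):
    """Name of the TLS handshake message that starts this payload, or None if it is not one.
    Record header: content type (1) + version (2) + length (2); then the handshake type byte."""
    if len(payload) < 6 or payload[0] != TLS_HANDSHAKE_RECORD:
        return None
    return TLS_HANDSHAKE_NAMES.get(payload[5])


if __name__ == "__main__":
    client, server = 51000, 443                       # constructed port pair
    syn = build_segment(client, server, 1000, 0, SYN)
    synack = build_segment(server, client, 5000, 1001, SYN | ACK)
    ack = build_segment(client, server, 1001, 5001, ACK)
    # Truncated TLS 1.x record carrying a handshake message of type 1 (Client Hello); constructed.
    hello = build_segment(client, server, 1001, 5001, PSH | ACK,
                          b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00")
    for seg in (syn, synack, ack, hello):
        p = parse_segment(seg)
        print(p["sport"], "->", p["dport"], flag_names(p["flags"]), tls_handshake_type(p["payload"]))
    print(find_handshake([syn, synack, ack, hello]))
```

Apply the same flag filter in Wireshark with tcp.flags.syn == 1 to see only the first two steps of every handshake in your capture; the Client Hello and Server Hello then carry the TLS negotiation (versions, cipher suites, and the server certificate) that the application data is encrypted under.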

ANNEX

You may want to use these filters:


• eth.dst eq ff:ff:ff:ff:ff:ff
• ip.src == 192.168.1.1
• ip.dst eq www.mit.edu
• ip.addr == 129.111.0.0/16
• tcp.port in {80, 443, 8080}
