Wireshark for TCP and UDP Analysis

Oct 9, 2024

Lecture Notes: Packet Tracer 10.4 - Using Wireshark to Examine TCP and UDP Captures

Introduction

  • Lecturer: Mr. McKee
  • Course: SEC 210
  • Topic: Packet Tracer 10.4 - Utilizing Wireshark for TCP and UDP analysis.

Overview of the Lab

  • Part 1: TCP Capture from FTP Session

    • Utilizing Wireshark to capture and analyze TCP protocol header fields for FTP file transfers.
    • Topology includes a workstation VM with internet access and an FTP client.
  • Part 2: UDP Capture from TFTP Session

    • Using Wireshark to capture and analyze UDP header fields for TFTP file transfers.

TCP and UDP Protocols

  • Transport Layer Protocols:
    • TCP (Transmission Control Protocol):
      • Supports communication for HTTP, FTP, etc.
    • UDP (User Datagram Protocol):
      • Supports communication for DNS, TFTP, etc.

Part 1: Capturing TCP Packets

  1. Starting Wireshark:

    • Open a terminal and start a Wireshark capture on the appropriate Ethernet interface (e.g., enp0s3).
  2. Connecting to FTP Server:

    • Command: ftp ftp.cdc.gov
    • Use "anonymous" as username and no password.
    • Download file using get readme command.
  3. Analyzing Captured TCP Packets:

    • Use filter: tcp && ip.addr == 198.246.117.106 (check for updated IP if needed).
    • Identify the initial packets, including SYN, SYN-ACK, and ACK for establishing a TCP session.
    • Understand TCP header fields:
      • Source Port: Random value above 1023.
      • Destination Port: Typically port 21 for FTP.
      • Sequence Numbers: Indicating order of packets.
      • Acknowledgment Numbers: Next expected byte.
      • Flags: SYN, ACK, FIN (control session management).
    • TCP performs an orderly shutdown of the session when the FTP session is finished.
  4. FTP Communication Flow:

    • The FTP server acknowledges each client command with a numeric response code (e.g., 220, 221).
    • Observe the complete sequence of TCP and FTP communications in Wireshark.
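To make the header fields from step 3 concrete, here is an added Python example (not part of the lecture notes or the Packet Tracer lab) that unpacks the fixed 20-byte TCP header from raw bytes and checks that three constructed segments form a valid SYN, SYN-ACK, ACK exchange: ports reversed between client and server, the client source port in the ephemeral range above 1023, and each acknowledgment number equal to the peer's sequence number plus one. The client port 49152 and the initial sequence numbers are constructed values; the destination port 21 is the FTP control port named in the notes.

```python
"""Decode TCP headers from raw bytes and check a three-way handshake (added example)."""
import struct
from dataclasses import dataclass

# TCP flag bits live in the low 9 bits of the data-offset/flags word.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = ((SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"))

EPHEMERAL_MIN = 1024      # client source ports are picked above 1023
FTP_CONTROL_PORT = 21


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int            # sequence number of the first byte in this segment
    ack: int            # next byte the sender expects from its peer
    header_len: int     # data offset converted from 32-bit words to bytes
    flags: int
    window: int
    checksum: int

    def flag_names(self):
        return [name for bit, name in FLAG_NAMES if self.flags & bit]


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Unpack the fixed 20-byte header; options beyond it are skipped, not decoded."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, checksum, _urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if not 20 <= header_len <= len(segment):
        raise ValueError(f"bad data offset: {header_len} bytes")
    return TcpHeader(src, dst, seq, ack, header_len, off_flags & 0x1FF, window, checksum)


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535) -> bytes:
    """Pack a 20-byte header with no options; checksum left at 0 (constructed test data)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | flags, window, 0, 0)


def classify_handshake(segments):
    """Validate SYN, SYN-ACK, ACK ordering and seq/ack consistency.

    Returns the three roles on success; raises ValueError naming the first
    inconsistency otherwise.
    """
    if len(segments) != 3:
        raise ValueError("a handshake is exactly three segments")
    syn, synack, ack = (parse_tcp_header(s) for s in segments)

    if (syn.flags & (SYN | ACK)) != SYN:
        raise ValueError("first segment must carry SYN without ACK")
    if syn.src_port < EPHEMERAL_MIN:
        raise ValueError("client source port is not in the ephemeral range")

    if (synack.flags & (SYN | ACK)) != (SYN | ACK):
        raise ValueError("second segment must carry SYN and ACK")
    if (synack.src_port, synack.dst_port) != (syn.dst_port, syn.src_port):
        raise ValueError("SYN-ACK ports are not the reverse of the SYN")
    if synack.ack != (syn.seq + 1) & 0xFFFFFFFF:
        raise ValueError("SYN-ACK does not acknowledge the client ISN + 1")

    if (ack.flags & (SYN | ACK)) != ACK:
        raise ValueError("third segment must carry ACK without SYN")
    if (ack.src_port, ack.dst_port) != (syn.src_port, syn.dst_port):
        raise ValueError("final ACK is not sent by the client")
    if ack.seq != (syn.seq + 1) & 0xFFFFFFFF or ack.ack != (synack.seq + 1) & 0xFFFFFFFF:
        raise ValueError("final ACK seq/ack do not match the two ISNs")
    return ["SYN", "SYN-ACK", "ACK"]


# Constructed FTP control-connection handshake: client port 49152 -> server port 21.
CLIENT_ISN, SERVER_ISN = 1000, 5000
HANDSHAKE = [
    build_tcp_header(49152, FTP_CONTROL_PORT, CLIENT_ISN, 0, SYN),
    build_tcp_header(FTP_CONTROL_PORT, 49152, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_tcp_header(49152, FTP_CONTROL_PORT, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
]

if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_tcp_header(seg)
        print(f"{h.src_port} -> {h.dst_port} seq={h.seq} ack={h.ack} [{'/'.join(h.flag_names())}]")
    print(classify_handshake(HANDSHAKE))
```

The same consistency rules are what Wireshark applies when it flags a capture with "ACKed unseen segment" or an out-of-order handshake, so a segment that fails them in the filtered FTP capture is worth a second look.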

Part 2: UDP Packet Capture

  1. Setting Up TFTP Server:

    • Create a text file on the TFTP server using the command line.
    • Example command: echo "This file contains my TFTP data" > /srv/tftp/my_tftp_data
    • Confirm file creation.
    • Ensure the receiving file exists on the client before transfer.
  2. Capturing TFTP Traffic:

    • Start Wireshark capture on the appropriate interface.
    • Execute TFTP command to request the file from the server.
    • Example command: tftp 10.0.0.11 get my_tftp_data
  3. Analyzing UDP Packets:

    • Inspect header fields of UDP packets captured using Wireshark.
    • Key fields include:
      • Source Port & Destination Port
      • Length and Checksum (check for integrity).
    • Understand UDP's lack of a reliable connection and how that impacts data integrity.
  4. Closing the Session:

    • Use quit command to close the FTP session.
    • Analyze the final packets to observe session termination.
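The UDP header fields listed in step 3, as an added Python example that is not part of the lecture notes or the lab: it unpacks the 8-byte header, checks that the Length field matches the bytes captured, and verifies the Checksum over the IPv4 pseudo-header, which is the only integrity check UDP offers. The sample datagram is a constructed TFTP read request for my_tftp_data sent to the lab's server address 10.0.0.11 on port 69; the client address 10.0.0.10 and port 49153 are assumed values.

```python
"""Decode a UDP header and verify its checksum over the IPv4 pseudo-header (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

UDP_PROTO = 17
UDP_HEADER_LEN = 8
TFTP_PORT = 69


@dataclass
class UdpHeader:
    src_port: int
    dst_port: int
    length: int     # header + payload, in bytes
    checksum: int   # 0 means the sender did not compute one (permitted over IPv4)


def parse_udp_header(datagram: bytes) -> UdpHeader:
    """Unpack the 8-byte header and check the Length field against the bytes seen."""
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    hdr = UdpHeader(*struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN]))
    if hdr.length < UDP_HEADER_LEN or hdr.length != len(datagram):
        raise ValueError(f"Length field {hdr.length} does not match {len(datagram)} captured bytes")
    return hdr


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry, as used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"          # odd-length data is padded with a zero byte for the sum
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """Checksum over pseudo-header + datagram, with the checksum field treated as zero."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, UDP_PROTO, len(datagram)))
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo + zeroed)
    return csum or 0xFFFF        # a computed value of 0 is transmitted as 0xFFFF


def build_udp_datagram(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Assemble a datagram with a correct checksum (constructed test data)."""
    length = UDP_HEADER_LEN + len(payload)
    datagram = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = udp_checksum(src_ip, dst_ip, datagram)
    return datagram[:6] + struct.pack("!H", csum) + datagram[8:]


def verify_udp_checksum(src_ip, dst_ip, datagram: bytes) -> str:
    """Return 'ok', 'bad', or 'absent' (field is 0, so nothing protected the payload)."""
    hdr = parse_udp_header(datagram)
    if hdr.checksum == 0:
        return "absent"
    return "ok" if udp_checksum(src_ip, dst_ip, datagram) == hdr.checksum else "bad"


# Constructed TFTP read request: opcode 1 (RRQ), filename and mode, each NUL-terminated.
TFTP_RRQ = struct.pack("!H", 1) + b"my_tftp_data\x00" + b"octet\x00"
CLIENT_IP, SERVER_IP = "10.0.0.10", "10.0.0.11"   # server address from the lab; client assumed
RRQ_DATAGRAM = build_udp_datagram(CLIENT_IP, SERVER_IP, 49153, TFTP_PORT, TFTP_RRQ)

if __name__ == "__main__":
    h = parse_udp_header(RRQ_DATAGRAM)
    print(f"{h.src_port} -> {h.dst_port} length={h.length} checksum=0x{h.checksum:04x}")
    print("original:", verify_udp_checksum(CLIENT_IP, SERVER_IP, RRQ_DATAGRAM))
    damaged = bytearray(RRQ_DATAGRAM)
    damaged[10] ^= 0xFF                       # corrupt one payload byte
    print("damaged: ", verify_udp_checksum(CLIENT_IP, SERVER_IP, bytes(damaged)))
```

Two points the lab's capture makes visible follow directly from this code: the checksum covers the IP addresses through the pseudo-header, so a datagram replayed to a different host fails verification even if its bytes are intact, and a checksum field of 0 means the sender skipped the check entirely, so a corrupted payload passes unnoticed; Wireshark shows the latter as "[unverified]" rather than as an error.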

Conclusion

  • Key Differences Between TCP and UDP:
    • TCP provides reliability through acknowledgments and session management.
    • UDP is connectionless and does not guarantee delivery or order.

Additional Notes

  • Ensure proper configuration of virtual machines to avoid memory issues during lab.
  • Always create a snapshot of the VM before starting the lab work.
  • Feel free to reach out for clarifications on any specific topics discussed.