WIRESHARK ANALYSIS

EX NO : 4

Packet analysis using Wireshark



Basic Wireshark Usage

1. Install Wireshark

* Download from Wireshark official website
* Install and allow packet capture permissions (Npcap/WinPcap on Windows)

2. Start Capturing Packets

1. Open Wireshark
2. Choose a network interface:

   * Wi-Fi (for wireless traffic)
   * Ethernet (for wired)
3. Click the **blue shark fin icon** to start capturing


3. Understand the Interface

Wireshark has 3 main panes:

* **Packet List** (top): Summary of captured packets
* **Packet Details** (middle): Protocol breakdown (TCP/IP, HTTP, etc.)
* **Packet Bytes** (bottom): Raw data in hex + ASCII

4. Use Filters (Very Important)

Filters help you find specific traffic.

Display Filters (after capture)

* `http` → show HTTP traffic
* `dns` → DNS queries
* `ip.addr == 192.168.1.1` → specific IP
* `tcp.port == 80` → traffic on port 80
* `icmp` → ping packets

Capture Filters (before capture)

* `host 192.168.1.1`
* `port 443`
* `net 192.168.1.0/24`

5. Inspect Packets

* Click any packet → expand layers:

  * Ethernet
  * IP
  * TCP/UDP
  * Application layer (HTTP, DNS, etc.)

6. Follow Streams

* Right-click a packet → **Follow → TCP Stream**
* Lets you see full conversations (like web requests)

7. Save & Export

* File → Save As (.pcap format)
* Export specific packets if needed


Common Use Cases

* 🛠 Troubleshooting slow networks
* 🔍 Debugging APIs or web requests
* 🔐 Detecting suspicious traffic
* 🎓 Learning protocols like TCP/IP, DNS, HTTP

Important Notes

* Requires admin/root privileges
* Only capture traffic you’re authorized to monitor
* Encrypted traffic (HTTPS) won’t show readable content unless decrypted

Beginner Tips

* Start with `dns` and `http` filters (easy to understand)
* Use **coloring rules** to visually separate traffic
* Try capturing while loading a website to see real-time packets



1. Open the installer

  • Click the downloaded file (top-right popup)
    OR

  • Go to your Downloads folder and double-click:

    Wireshark-4.6.4-x64.exe

2. Installation process (important parts)

During setup:

✔️ Keep these options checked:

  • Wireshark (main program)

  • Npcap → VERY IMPORTANT (this allows packet capture)

⚠️ When Npcap installs:

  • Select:

    • ✅ “Install Npcap in WinPcap API-compatible Mode”



EXPLANATION:


🟡 What that yellow line means

```
Ethernet II, Src: ZerooneTechn_78:01:7c (e4:3a:6e:78:01:7c),
Dst: Broadcast (ff:ff:ff:ff:ff:ff)
```

Breakdown:

1. **Ethernet II**

* This is the **frame format** used at the Data Link Layer (Layer 2)
* It’s the standard format for most modern networks

2. **Src (Source MAC Address)**

```
ZerooneTechn_78:01:7c (e4:3a:6e:78:01:7c)
```

* This is the **physical address of the sender**
* "ZerooneTechn" = manufacturer (based on MAC prefix)
* `e4:3a:6e:78:01:7c` = actual MAC address of your device or another device on your network

3. **Dst (Destination MAC Address)**

```
Broadcast (ff:ff:ff:ff:ff:ff)
```

* This means the packet is sent to **ALL devices on the network**
* Broadcast is used when the sender doesn’t know the target device yet


1) Why this packet exists (important)

This packet is an **ARP request** (you can see that above):

> “Who has 10.203.15.82? Tell 10.203.0.1”

2) What’s happening:

* A device is trying to find:
  👉 “Which device has this IP address?”
* Since it doesn’t know the MAC address, it sends a **broadcast**
* All devices receive it, but only the correct one replies


## 🧩 Simple analogy

Think of it like shouting in a room:

> “Who owns IP 10.203.15.82?”

* Everyone hears it (broadcast)
* Only the correct person replies

---

## 🎯 Key takeaway

That yellow line shows:

* **Who sent the packet (MAC address)**
* **Who receives it (broadcast = everyone)**
* It’s part of a **device discovery process (ARP)**




EXPLANATION:

👉 The red highlighted line simply means:

“Which device has IP 10.203.15.82? Please reply to 10.203.0.1.”

✅ It’s just a device asking on the network:

“Who owns this IP address?”

📌 This is normal and called an ARP request.


🔄 What happens next

  1. A device sends this message to everyone (broadcast)

  2. All devices receive it

  3. Only the device with IP 10.203.15.82 replies:

    I am 10.203.15.82 → My MAC address is XX:XX:XX:XX:XX:XX

Explanation of the **red-highlighted areas** in your Wireshark capture:

1. Frame Details (Top Red Box)

This section shows **basic information about the captured packet**:

* **Frame length**: 60 bytes → size of the packet.
* **Arrival time**: Exact time the packet was captured.
* **Interface ID**: Network interface used for capturing.
* **Protocols in frame**: `eth:ethertype:arp` → this packet contains an **ARP protocol**.
* **Capture length**: How much of the packet was recorded (same as frame length here).

In short: This part describes **when, where, and how the packet was captured**.

2. Ethernet II Details (Bottom Red Box)

This shows **Layer 2 (Data Link layer) information**:

* **Source MAC address**: Sender device (e.g., ZerooneTech…).
* **Destination MAC address**: `ff:ff:ff:ff:ff:ff` → **broadcast** (sent to all devices in the network).
* **Type: ARP (0x0806)** → Indicates the payload is **ARP**; the opcode inside the ARP header then shows it is a **request**.

In short: This part shows **who sent the packet and to whom (broadcast)**.
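To make the two red boxes and the earlier ARP explanation concrete, here is an added example (not part of the original lab page) that decodes a raw Ethernet II + ARP frame into the same fields Wireshark shows: frame length, source/destination MAC, broadcast flag, Type 0x0806, the `eth:ethertype:arp` protocol chain, and the "Who has X? Tell Y" Info text. The sample frame is constructed to match the capture above (source MAC e4:3a:6e:78:01:7c, 10.203.0.1 asking for 10.203.15.82, padded to 60 bytes); the reply handling goes slightly beyond the page by also decoding opcode 2.

```python
"""Decode an Ethernet II + ARP frame the way Wireshark's Ethernet II and ARP panes show it."""
import struct

BROADCAST = b"\xff" * 6      # ff:ff:ff:ff:ff:ff, delivered to every host on the segment
ETHERTYPE_ARP = 0x0806       # the "Type: ARP (0x0806)" field in the Ethernet II header
MIN_FRAME_LEN = 60           # Ethernet minimum without FCS; short frames are zero-padded


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Return frame-level fields plus the ARP summary (Wireshark's Info column) if present."""
    if len(frame) < 14:
        raise ValueError("shorter than a 14-byte Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"frame_length": len(frame), "src_mac": mac_str(src), "dst_mac": mac_str(dst),
            "broadcast": dst == BROADCAST, "ethertype": ethertype, "protocols": "eth:ethertype"}
    if ethertype != ETHERTYPE_ARP:
        return info                  # not ARP: leave higher layers undecoded
    if len(frame) < 14 + 28:
        raise ValueError("ARP payload truncated")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    info["protocols"] = "eth:ethertype:arp"
    info["opcode"] = opcode
    if opcode == 1:                  # request: "Who has <target IP>? Tell <sender IP>"
        info["info"] = f"Who has {ip_str(tpa)}? Tell {ip_str(spa)}"
    elif opcode == 2:                # reply: "<sender IP> is at <sender MAC>"
        info["info"] = f"{ip_str(spa)} is at {mac_str(sha)}"
    else:
        info["info"] = f"ARP opcode {opcode}"
    return info


def build_arp(opcode: int, src_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Constructed sample frame: requests go to broadcast, replies go straight to the asker."""
    dst = BROADCAST if opcode == 1 else target_mac
    eth = struct.pack("!6s6sH", dst, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, src_mac, sender_ip, target_mac, target_ip)
    return (eth + arp).ljust(MIN_FRAME_LEN, b"\x00")


# Constructed sample matching the capture above: host 10.203.0.1 asks who has 10.203.15.82
ASKER_MAC = bytes.fromhex("e43a6e78017c")
REQUEST = build_arp(1, ASKER_MAC, bytes([10, 203, 0, 1]), bytes(6), bytes([10, 203, 15, 82]))
```

Feeding `REQUEST` to `decode_frame` reproduces the yellow line (broadcast destination, Type 0x0806) and the red line ("Who has 10.203.15.82? Tell 10.203.0.1"), which is a quick way to check your reading of the Packet Bytes pane against the Packet Details pane.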
