You are inside a passionate computer engineer's lab...
Proceed at your own risk...

Task: Network monitoring using Wireshark

  1. In ENSI, connect to the wireless network available. Then open a site hosted in Tunisia.
  2. Use Wireshark to monitor the network activity.
  3. Filter the traffic of my own machine.
  4. Generate a network traffic schematic and comment.
The site I'll be using is

I connect to the network and install Wireshark. Then I open a shell and type:
  • su
to become root.

I'm connected behind a proxy server whose IP address is on port 80.
To clear the ARP cache entry for the proxy server, so that the ARP request/reply for it shows up in the capture instead of coming from a stale table, I type:
  • arp -d
(arp -d deletes the single entry named on its command line; on a current Linux system, ip neigh flush all empties the whole neighbour table instead.)

I also need to clear the Firefox browser cache, so that the site is loaded entirely from the network and not from the local cache. So I type:
  • firefox &
then use the menu command "Tools > Clear Recent History", choose to clear everything, and close Firefox.

I type:
  • ifconfig
This lists the network interfaces available on my system (ip link does the same on distributions where ifconfig is no longer installed). I find that eth1 is the wireless network card. I note the MAC address of that interface, as I'll need it later; I'll refer to it as myMAC from here on.

I leave the console open and start Wireshark as root, capturing on interface eth1. (Capturing needs raw-socket privileges, but running the whole GUI as root is the heavy-handed way to get them; on current installs it is preferable to add your user to the wireshark group so that only the dumpcap helper runs privileged.)

I go back to the console and type:
  • firefox &
and browse to the site. Once the page is fully displayed, I close Firefox, stop the Wireshark capture and save it to a file.

In order to see only the traffic related to my computer, I filter on the Ethernet II MAC address, as either source or destination. The filter for that is:
  • eth.addr == myMAC
(eth.addr matches both eth.src and eth.dst. Filtering on the MAC rather than on ip.addr also keeps the ARP exchange with the proxy, which has no IP header.)

To further narrow this down to the HTTP traffic only, the filter becomes:
  • eth.addr == myMAC && http
There are several phases in the HTTP capture:
  1. An HTTP GET request is sent to the proxy server to start loading the site's home page. Because the browser is configured for a proxy, the request line carries the full URL of the site, and all of the site's traffic appears as TCP to the proxy's address, never to the site's own IP.
  2. The proxy answers with HTTP 200 OK; the Content-Type header of the response says the body is an HTML page.
  3. Then several more HTTP GET requests are made for the files embedded in the home page (images, stylesheets, scripts), each followed by its own response.
  4. Finally an HTTP GET is sent for the site's favicon (/favicon.ico). The site does not offer one, so the response is HTTP 404 Not Found.
Please view the complete image for full details (the blog may display only a part of it, right-click on the image and select "view the image").

We change the filter to show all TCP traffic (HTTP rides on TCP, so this shows the HTTP messages together with the segments that carry them):
  • eth.addr == myMAC && tcp
We note that the HTTP messages delimit the data transfers: a GET request starts one and the matching response ends it, with plain TCP segments and acknowledgements in between.
These are some of the steps captured in Wireshark:
  1. At the beginning, the system establishes the connection with the proxy server, so it sends the server a TCP SYN. The server accepts the connection by answering with a TCP SYN, ACK frame, and the system completes the three-way handshake by sending a TCP ACK.
  2. The system sends the HTTP GET request described earlier. The server first acknowledges it with a TCP ACK, then starts sending data to the system.
  3. As data segments arrive, the system sends acknowledgements back to the server. TCP acknowledgements are cumulative and the receive window lets the server keep several segments in flight, so there is not strictly one ACK per data frame (Linux typically acknowledges every second segment), but each ACK tells the server how far the data has been received and allows it to continue sending.
  4. After all the data for the last HTTP GET has arrived, the frame carrying the end of the response is labelled "HTTP/1.1 200 OK". Note that Wireshark shows the HTTP label on the last segment because, with TCP reassembly enabled, it displays the reassembled response on the frame that completes it; the status line itself was in the first segment of the response. As usual, this frame is acknowledged by the system with a TCP ACK.
  5. At the very end of the capture, we observe the exchange of TCP FIN, ACK frames and their acknowledgements, which closes the connection.
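To make the two display filters and the phase list above concrete, here is an added example written for this page (it is not code from the original post). It parses raw Ethernet II / IPv4 / TCP frames, applies the equivalent of eth.addr == myMAC && tcp and eth.addr == myMAC && http, and labels each frame the way the Wireshark packet list does. The capture it works on is constructed inline; every MAC and IP address and the host name site.example are placeholders, not the real proxy or the site used in the lab.

```python
"""Offline re-creation of the Wireshark walk-through: parse frames, filter on
eth.addr, label handshake / GET / data / 200 OK / FIN. Added example; all
addresses and the host name are placeholders, not the post's real values."""
import struct

# TCP flag bits, taken from byte 13 of the TCP header
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

MY_MAC = "02:00:00:aa:bb:cc"      # placeholder for myMAC
PROXY_MAC = "02:00:00:dd:ee:ff"   # placeholder for the proxy's MAC
OTHER_MAC = "02:00:00:11:22:33"   # some other host on the same WLAN
MY_IP, PROXY_IP, OTHER_IP = "10.0.0.42", "10.0.0.1", "10.0.0.7"  # placeholders


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Constructed frame: Ethernet II + IPv4 (no options) + TCP (no options).
    Checksums are left at zero: fine for parsing, not for sending."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(raw):
    """Decode the three headers; returns None for non-IPv4 or non-TCP frames."""
    dst_mac = ":".join(f"{b:02x}" for b in raw[0:6])
    src_mac = ":".join(f"{b:02x}" for b in raw[6:12])
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:   # EtherType is not IPv4
        return None
    ihl = (raw[14] & 0x0F) * 4                          # IPv4 header length
    if raw[14 + 9] != 6:                                # protocol field is not TCP
        return None
    tcp = 14 + ihl
    sport, dport, seq, ack = struct.unpack("!HHII", raw[tcp:tcp + 12])
    data_off = (raw[tcp + 12] >> 4) * 4
    return {"src_mac": src_mac, "dst_mac": dst_mac,
            "src_ip": ".".join(str(b) for b in raw[26:30]),
            "dst_ip": ".".join(str(b) for b in raw[30:34]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": raw[tcp + 13], "payload": raw[tcp + data_off:]}


def is_http(payload):
    """Wireshark's HTTP dissector keys on a request line or a status line."""
    return payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/1."))


def matches(pkt, my_mac, proto="tcp"):
    """Equivalent of `eth.addr == my_mac && tcp` or, with proto="http", `&& http`."""
    if my_mac.lower() not in (pkt["src_mac"], pkt["dst_mac"]):
        return False
    return proto == "tcp" or is_http(pkt["payload"])


def label(pkt):
    """Info-column style label for one frame."""
    f, data = pkt["flags"], pkt["payload"]
    if f & SYN:
        return "SYN, ACK" if f & ACK else "SYN"
    if f & FIN:
        return "FIN, ACK"
    if is_http(data):
        return data.split(b"\r\n", 1)[0].decode()   # request line or status line
    return f"TCP segment ({len(data)} bytes)" if data else "ACK"


def walk(frames, my_mac, proto="tcp"):
    """Parse, filter and label raw frames: the packet list with the filter applied."""
    return [label(p) for p in map(parse_frame, frames) if p and matches(p, my_mac, proto)]


def constructed_capture():
    """Constructed exchange through the proxy: handshake, GET with an absolute URI
    (what a browser sends to a proxy), a 200 OK split over two segments, client
    ACKs, then FIN. One SYN from another host is included to exercise the filter."""
    c = dict(src_mac=MY_MAC, dst_mac=PROXY_MAC, src_ip=MY_IP, dst_ip=PROXY_IP, sport=40000, dport=80)
    s = dict(src_mac=PROXY_MAC, dst_mac=MY_MAC, src_ip=PROXY_IP, dst_ip=MY_IP, sport=80, dport=40000)
    req = b"GET http://site.example/ HTTP/1.1\r\nHost: site.example\r\n\r\n"
    hdr = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n"
    body = b"<html></html>"
    cs, ss = 1001 + len(req), 5001 + len(hdr) + len(body)   # sequence numbers after the data
    return [
        build_frame(**c, seq=1000, ack=0, flags=SYN),                                   # 1. handshake
        build_frame(**s, seq=5000, ack=1001, flags=SYN | ACK),
        build_frame(**c, seq=1001, ack=5001, flags=ACK),
        build_frame(OTHER_MAC, PROXY_MAC, OTHER_IP, PROXY_IP, 40001, 80, 7, 0, SYN),   # not my machine
        build_frame(**c, seq=1001, ack=5001, flags=PSH | ACK, payload=req),             # 2. GET
        build_frame(**s, seq=5001, ack=cs, flags=ACK),
        build_frame(**s, seq=5001, ack=cs, flags=ACK, payload=hdr),                     # response data
        build_frame(**c, seq=cs, ack=5001 + len(hdr), flags=ACK),                       # 3. client ACK
        build_frame(**s, seq=5001 + len(hdr), ack=cs, flags=PSH | ACK, payload=body),
        build_frame(**c, seq=cs, ack=ss, flags=ACK),
        build_frame(**s, seq=ss, ack=cs, flags=FIN | ACK),                              # 5. teardown
        build_frame(**c, seq=cs, ack=ss + 1, flags=FIN | ACK),
        build_frame(**s, seq=ss + 1, ack=cs + 1, flags=ACK),
    ]


if __name__ == "__main__":
    frames = constructed_capture()
    for line in walk(frames, MY_MAC, "tcp"):
        print(line)
    print("--- http only ---")
    for line in walk(frames, MY_MAC, "http"):
        print(line)
```

One difference from the real packet list is worth noticing: this labeller marks the frame that carries the status line as "HTTP/1.1 200 OK", whereas Wireshark with TCP reassembly enabled puts that label on the last segment of the response, which is why the 200 OK appears to arrive after the data in the capture described above.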

1 comment:

  1. Interesting results!!
    I will try this Wireshark myself.
    Thanks for the details ;)