Objective
Learn to capture and analyze network packets using Wireshark.
Scenario
Imagine you’re a cybersecurity analyst tasked with monitoring network traffic to detect potential security threats. One of your first assignments is to understand how network communication works by analyzing packets exchanged between devices on a network. Using Wireshark, you’ll capture real-time data and learn to identify different types of network traffic.
Lab Instructions
Step 1: Install Wireshark
- Windows/macOS/Linux: Download and install Wireshark from the official website: https://www.wireshark.org/
- Follow the installation prompts. On Windows, install Npcap when the installer offers it (it replaced the older WinPcap); it is required for packet capture.
Step 2: Start Packet Capture
- Open Wireshark.
- Select your primary network interface (e.g., Wi-Fi or Ethernet).
- Click the Start Capturing Packets button (the shark fin icon).
Step 3: Generate Network Traffic
- While Wireshark is capturing traffic, open your web browser.
- Choose sites that are served over plain HTTP (a URL beginning with http://, not https://). HTTPS traffic is encrypted with TLS, so its requests will not appear under the http filter used in the next step.
- Visit several websites, such as:
Step 4: Stop Capture and Apply Filters
- Return to Wireshark and click the red square button to stop the capture.
- In the filter bar, enter http and press Enter to show only HTTP traffic.
- Observe the captured GET and POST requests. If the list is empty, the sites you visited were most likely served over HTTPS; enter tls instead to see the encrypted sessions, whose request contents Wireshark cannot display.
Step 5: Analyze Packets
- Click on individual packets to expand their details.
- Identify the Source IP and Destination IP addresses.
- Examine the request methods and the payload data if available.
Step 6: Save Capture File
- Go to File > Save As.
- Save the capture with a descriptive name, e.g., http_traffic_analysis.pcapng.
Solution & Explanation
HTTP Traffic Analysis
- GET Requests: Used by the browser to request data from a server. Example: fetching a webpage.
- POST Requests: Used to send data to a server. Example: submitting a login form. Because HTTP is cleartext, the form fields (including any username and password) are readable in the packet bytes. Anyone positioned on the path between browser and server can capture them the same way you just did, which is why login forms must only ever be served over HTTPS.
Identifying IP Addresses
- Source IP: The device initiating the request (your computer).
- Destination IP: The server receiving the request (the website server).
By analyzing these packets, you can understand how web traffic operates and identify patterns or anomalies that may indicate suspicious behavior.
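The following script is an added example for Steps 4-5 and the explanation above; it is not part of the original lab and does not use Wireshark's code. It builds a small capture from constructed frames (an HTTP GET, its response, an HTTP POST of a login form, and one TLS record on port 443; all addresses, MACs and payloads are made up), writes it as a classic pcap file that Wireshark can open, then dissects each frame Ethernet > IPv4 > TCP > HTTP exactly as the packet details pane does and applies the equivalent of the http display filter. The TLS frame dropping out of the result is the HTTPS caveat from Step 3 in miniature, and the POST row shows why a cleartext login form is a problem.

```python
"""Added example: what Wireshark does in Steps 4-5, on a constructed capture.

Builds a classic-pcap file from hand-made frames, dissects Ethernet -> IPv4
-> TCP -> HTTP, and applies the equivalent of the `http` display filter.
Every address, MAC and payload is made up (RFC 5737 documentation ranges).
"""
import ipaddress
import os
import struct
import tempfile

CLIENT, WEB, TLS_SERVER = "192.0.2.10", "198.51.100.20", "203.0.113.30"


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Ethernet II + IPv4 + TCP frame carrying `payload` (PSH,ACK by default).

    IP and TCP checksums are left at zero for brevity; Wireshark does not
    validate them unless the corresponding protocol preference is enabled.
    """
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0x4000, 64, 6, 0,                    # id, DF, TTL, proto=TCP, checksum
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp + payload


# Constructed traffic: GET, its response, a POST of a login form, one TLS record.
FRAMES = [
    build_frame(CLIENT, WEB, 51000, 80,
                b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_frame(WEB, CLIENT, 80, 51000,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    build_frame(CLIENT, WEB, 51001, 80,
                b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 27\r\n\r\nuser=alice&password=hunter2"),
    build_frame(CLIENT, TLS_SERVER, 51002, 443, b"\x16\x03\x01\x00\x05hello"),  # encrypted, opaque
]


def write_pcap(path, frames):
    """Write frames as a classic pcap file (link type 1 = Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield raw frames from a little-endian classic pcap file."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dissect(frame):
    """Fields Wireshark shows for an Ethernet/IPv4/TCP frame, or None if it is something else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"ip.src": str(ipaddress.ip_address(ip[12:16])),
            "ip.dst": str(ipaddress.ip_address(ip[16:20])),
            "tcp.srcport": sport, "tcp.dstport": dport, "payload": tcp[data_off:]}


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def http_message(pkt):
    """Equivalent of the `http` display filter: parse an HTTP request or response, else None."""
    p = pkt["payload"]
    if p.startswith(HTTP_METHODS):
        kind = "request"
    elif p.startswith(b"HTTP/"):
        kind = "response"
    else:
        return None                                          # TLS, binary, etc.: filtered out
    head, _, body = p.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
    return {"kind": kind, "start_line": lines[0], "headers": headers, "body": body}


def analyze(path):
    """Rows of (src IP, dst IP, kind, start line, body) for every HTTP message in the capture."""
    rows = []
    for frame in read_pcap(path):
        pkt = dissect(frame)
        msg = http_message(pkt) if pkt else None
        if msg:
            rows.append((pkt["ip.src"], pkt["ip.dst"], msg["kind"], msg["start_line"], msg["body"]))
    return rows


def demo():
    """Write the constructed capture to a temp file and analyze it."""
    path = os.path.join(tempfile.mkdtemp(), "http_traffic_analysis.pcap")
    write_pcap(path, FRAMES)
    return analyze(path)


if __name__ == "__main__":
    for src, dst, kind, start, body in demo():
        print(f"{src:>15} -> {dst:<15} {kind:8} {start}  {body!r}")
```

Running it prints three rows: the GET from the client, the 200 response from the server (source and destination swapped, as in the Identifying IP Addresses note), and the POST whose body carries the credentials in the clear. The port 443 frame is absent because nothing in it parses as HTTP. Open the generated .pcap in Wireshark and type http in the filter bar to see the same three packets in the GUI.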
Testing & Verification
- Verify that HTTP traffic is displayed after applying the http filter.
- Confirm that GET and POST requests are visible in the captured data.
- Cross-check the Source and Destination IPs: run ipconfig (Windows), ifconfig (macOS) or ip addr (Linux, where ifconfig is often not installed) and confirm that your machine's IP address appears as the source of the requests and the destination of the responses.
Additional Script (Optional)
To automate packet capture, you can use the tshark CLI tool (Wireshark's terminal-based version). It needs the same capture privileges as Wireshark, and the interface name differs between systems (run tshark -D to list them):
# Capture HTTP traffic for 60 seconds and save to a file.
# -f is a capture (BPF) filter applied while sniffing, unlike the http display filter used in the GUI;
# replace eth0 with the interface name reported by tshark -D.
sudo tshark -i eth0 -f "tcp port 80" -a duration:60 -w http_capture.pcapng
Conclusion
This exercise introduced you to the fundamentals of packet sniffing using Wireshark. By capturing and analyzing HTTP traffic, you now have a foundational understanding of how network communication works and how to inspect network packets for security analysis.