How to Analyze Basic Protocols With Wireshark

In this tutorial we are going to analyze the most commonly used protocols with Wireshark. Diagnosing connection problems can be difficult and sometimes requires a network analyzer such as Wireshark. Many things take place while a connection between two computers is established, but TCP connections always start with the 3-way handshake; from there, application and network protocols take over. Before proceeding it is useful to know what the OSI model is and which protocols belong to each layer. This tutorial is aimed at learning the basics of Wireshark and troubleshooting common connection problems.


The OSI model: OSI (Open Systems Interconnection) is a reference model for how applications communicate over a network. A reference model is a conceptual framework for understanding relationships. The purpose of the OSI reference model is to guide vendors and developers so that the digital communication products and software programs they create will interoperate.


Before continuing we’re going to take a look at some basic protocols.

TCP/IP: TCP/IP is a stack of protocols, consisting of several different protocols on layers 3 and 4 of the OSI model, including TCP, IP, ARP, DHCP, ICMP and others.
TCP – Transmission Control Protocol: a layer 4 protocol that is commonly used because it provides an efficient method of reliable, bi-directional communication, where computers can transmit and receive data simultaneously.
IP – Internet Protocol: a layer 3 protocol that provides the addressing system that allows communication on the network. IP is a connectionless protocol, which means that it relies on TCP to ensure the reliability of transmitted data.
The TCP 3-way handshake: before data can be transferred to another computer, the sender and the receiver need to complete the TCP 3-way handshake. The handshake is a 3-step process in which the client computer establishes a connection with the server computer. All of this is possible through the different types of TCP packets and flags: SYN, SYN/ACK and ACK.
You can see the full 3-way handshake in the following figure.

The SYN Packet:

As shown in the figure, the first packet (#73), sent from the client to the server, is a SYN packet. This packet is designed to establish synchronization with the server, which ensures that client and server keep their communication in proper order. The SYN packet carries a 32-bit number called the sequence number, located in the header of the packet. Refer to the next figure to view some useful information such as the type of packet and the sequence number.

The SYN/ACK Packet:

The next packet (#74) is the response from the server. Once the server receives the SYN packet from the client, it reads the packet’s sequence number and uses that number in its response. In other words, it tells the client that it received the SYN packet: it increments the sequence number sent in the original SYN packet by one and uses the result as the acknowledgment number. Now the client knows that the server can receive its communication.

The ACK Packet:

In packet #75 the client sends an ACK to the server. This packet tells the server that the client received its SYN/ACK packet; as in the previous step, the client increments the sequence number of the packet by one and sends it to the server. Once this last packet is received by the server, the communication can begin.

ARP – Address Resolution Protocol: Address Resolution Protocol is used to translate layer 3 IP addresses into layer 2 MAC addresses. For a computer to transmit data to another computer it must know the destination computer’s MAC address, and ARP provides it by translating the IP address into a MAC address. To better analyze this process, let’s take a look at the capture file in the following figure.

In packet #16 the client computer sends a broadcast packet asking who has IP address 172.16.243.2. When the switch, which works with layer 2 MAC addresses, receives the packet it does not know what to do with it and forwards it out all of its ports. The packet’s only function is to ask every computer whether or not it has IP address 172.16.243.2: computers with a different IP address simply drop the packet, while the one that has it identifies itself by sending a response containing its layer 2 MAC address back to the client computer (packet #17).
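As an added example (not code from the original tutorial), the Python below builds the broadcast request and the unicast reply of packets #16 and #17 as raw Ethernet/ARP frames, decodes them, produces the same summary Wireshark prints in its Info column, and checks that the reply actually answers the request. The MAC addresses and the client address 172.16.243.1 are constructed; only 172.16.243.2 comes from the page.

```python
import struct

ETH_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp_frame(dst, src, op, sha, spa, tha, tpa):
    """Ethernet header + 28-byte ARP body (hardware Ethernet, protocol IPv4)."""
    return (struct.pack("!6s6sH", dst, src, ETH_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa))

def parse_arp_frame(frame):
    """Decode the Ethernet addresses and the ARP sender/target pairs."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def summary(p):
    """The one-line description Wireshark prints in its Info column."""
    if p["op"] == ARP_REQUEST:
        return f"Who has {p['tpa']}? Tell {p['spa']}"
    return f"{p['spa']} is at {p['sha']}"

def reply_answers_request(req, rep):
    """True when rep is the unicast answer to the broadcast request req;
    a reply with no matching request is worth a second look."""
    return (req["op"] == ARP_REQUEST and rep["op"] == ARP_REPLY
            and req["dst"] == mac_str(BROADCAST)
            and rep["spa"] == req["tpa"] and rep["tpa"] == req["spa"]
            and rep["dst"] == req["src"])

# Constructed addresses: only 172.16.243.2 is taken from the page.
CLIENT_MAC, CLIENT_IP = bytes.fromhex("001122334455"), bytes([172, 16, 243, 1])
TARGET_MAC, TARGET_IP = bytes.fromhex("66778899aabb"), bytes([172, 16, 243, 2])
REQUEST_FRAME = build_arp_frame(BROADCAST, CLIENT_MAC, ARP_REQUEST,          # packet #16
                                CLIENT_MAC, CLIENT_IP, b"\x00" * 6, TARGET_IP)
REPLY_FRAME = build_arp_frame(CLIENT_MAC, TARGET_MAC, ARP_REPLY,             # packet #17
                              TARGET_MAC, TARGET_IP, CLIENT_MAC, CLIENT_IP)
```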

DNS – Domain Name System.

The Domain Name System translates host names into IP addresses; it translates a DNS name like msn.com into its corresponding IP address. In most cases it only takes 2 packets to get this done. Let’s take a look at the following capture file.

The first packet (#1) is a request from the source (IP 10.200.50.5) to the network’s local DNS server (IP 192.168.10.1) asking what the IP address of msn.com is. The second packet (#2) is the response from the DNS server (IP 192.168.10.1) to the destination computer (IP 10.200.50.5), saying that msn.com resides on a server with IP address 207.68.172.246. Once this process is complete, layer 3 can take over and complete its TCP 3-way handshake so that data transfer can begin.
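Added example, not part of the original tutorial: a minimal DNS message builder and parser in Python that reproduces the two-packet exchange above for msn.com, including the name-compression pointer that real responses use to refer back to the question, plus a check that a response belongs to a query (same transaction ID and same question). The transaction ID and TTL are constructed values.

```python
import struct
A_RECORD, IN_CLASS = 1, 1

def build_query(txid, name):
    qname = b"".join(bytes([len(x)]) + x.encode() for x in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", A_RECORD, IN_CLASS)

def build_response(query, ip, ttl=300):
    """Echo the question; the answer name is a pointer (0xC00C) back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4)
              + bytes(int(o) for o in ip.split(".")))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + answer

def read_name(msg, off, hops=0):
    """Decode labels, following compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # pointer to a name seen earlier
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off, hops = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, hops + 1
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_dns(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == A_RECORD and rdlen == 4:
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}

def response_matches(query, response):
    q, r = parse_dns(query), parse_dns(response)
    return r["response"] and q["id"] == r["id"] and q["questions"] == r["questions"]
```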

DHCP – Dynamic Host Configuration Protocol.

Dynamic Host Configuration Protocol automatically provides clients with network-related configuration information, such as the DNS server, NTP server, WINS server, default gateway and a unique IP address. The lease process is a client/server communication and it takes four packets to complete. Let’s take a look at the following capture file.

[Figure: dhcp_filter capture]


1. The process begins with packet #1: the client requests an IP address by broadcasting a DHCPDiscover packet to the local subnet.

2. The client is offered an address when a DHCP server responds with a DHCPOffer message (packet #2) containing an IP address and configuration information for lease to the client.

3. The client indicates acceptance of the offer by selecting the offered address and replying to the server with a DHCPRequest message (packet #3).

4. The client is assigned the address when the DHCP server sends a DHCPAck message (packet #4) approving the lease. Other DHCP option information might be included in the message.
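Added example (not the tutorial’s own code): Python that constructs the four messages of the lease above, parses the BOOTP header and the DHCP options (message type, lease time, router, DNS server), and checks that the exchange is consistent: one transaction ID throughout, the Request asks for the address the Offer carried and the Ack confirms it. All addresses, the xid and the client MAC are constructed.

```python
import struct
MAGIC = b"\x63\x82\x53\x63"
MSG_TYPE = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}
BOOTREQUEST, BOOTREPLY = 1, 2
CLIENT_MAC = bytes.fromhex("001122334455")     # constructed
def ip_str(b): return ".".join(map(str, b))

def build_dhcp(op, xid, yiaddr, options):
    """Fixed 236-byte BOOTP header, magic cookie, TLV options, end marker."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,
                        CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + opts + b"\xff"

def parse_dhcp(pkt):
    op, _, _, _, xid = struct.unpack("!BBBBI", pkt[:8])
    if pkt[236:240] != MAGIC:
        raise ValueError("no DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, no length byte
            i += 1
            continue
        ln = pkt[i + 1]
        opts[pkt[i]] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "yiaddr": ip_str(pkt[16:20]),
            "type": MSG_TYPE.get(opts.get(53, b"\0")[0]), "opts": opts}

def lease_exchange(pkts):
    """Validate DORA: one xid, Request asks for the offered address, Ack confirms it."""
    d, o, r, a = (parse_dhcp(p) for p in pkts)
    if ((d["type"], o["type"], r["type"], a["type"]) != ("Discover", "Offer", "Request", "Ack")
            or len({d["xid"], o["xid"], r["xid"], a["xid"]}) != 1
            or ip_str(r["opts"].get(50, b"")) != o["yiaddr"] or a["yiaddr"] != o["yiaddr"]):
        return None
    return {"address": a["yiaddr"], "router": ip_str(a["opts"][3]),
            "dns": ip_str(a["opts"][6]), "lease": struct.unpack("!I", a["opts"][51])[0]}

# Constructed exchange: server 192.168.10.1 offers 192.168.10.50 for one day.
XID, SERVER, OFFERED = 0x1A2B3C4D, bytes([192, 168, 10, 1]), bytes([192, 168, 10, 50])
SERVER_OPTS = [(53, b"\x02"), (54, SERVER), (51, struct.pack("!I", 86400)), (3, SERVER), (6, SERVER)]
EXCHANGE = [
    build_dhcp(BOOTREQUEST, XID, b"\0" * 4, [(53, b"\x01")]),                             # packet #1
    build_dhcp(BOOTREPLY, XID, OFFERED, SERVER_OPTS),                                    # packet #2
    build_dhcp(BOOTREQUEST, XID, b"\0" * 4, [(53, b"\x03"), (50, OFFERED), (54, SERVER)]),  # packet #3
    build_dhcp(BOOTREPLY, XID, OFFERED, [(53, b"\x05")] + SERVER_OPTS[1:]),              # packet #4
]
```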

HTTP – Hypertext Transfer Protocol.

Once the communication session has been established (the handshake), it’s time for the request and transmission of the web page you are trying to view. This involves both HTTP and TCP. The process begins with an HTTP packet asking the server to transmit the web page to the client, as illustrated in the figure.

[Figure: http_filter capture]


As you can see, this packet invokes a GET command (Request Method: GET). Once HTTP has made the initial GET request, TCP takes over the data transfer process: during the rest of the connection HTTP requests data from the server, and the server uses TCP to transfer the data back to the client. The server lets the client know the request was valid by sending an HTTP OK message before transmitting the data.

Closing the Session.

When there is no more data to be transmitted, the connection can be terminated in a manner very similar to the TCP 3-way handshake; instead of SYN and ACK packets this process uses FIN and ACK packets, as shown in the sample capture file.

We will start with packet #371 shown above. When the server finishes transmitting data, it sends a FIN/ACK packet to the client; this packet is designed to close the connection. In packet #372 the client responds with an ACK packet that uses the sequence numbers and increment rules found in the FIN/ACK packet. This closes the communication from the server’s end. To complete the process the client must initiate the same exchange with the server: the FIN/ACK must be sent and acknowledged by both the client and the server (packets #373 and #374).
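Added example covering both the 3-way handshake described earlier and the FIN/ACK teardown in this section; it is not code from the original tutorial. It builds the seven TCP headers as raw bytes (ports, sequence numbers and flags are constructed), decodes them, and checks the +1 acknowledgment rule that you verify by hand in Wireshark’s Seq and Ack columns.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags field (RFC 793)
FIN, SYN, ACK = 0x01, 0x02, 0x10
FLAG_MASK = 0x3F  # the six classic flags: FIN SYN RST PSH ACK URG

def build_tcp(sport, dport, seq, ack, flags):
    """Constructed 20-byte header: data offset 5, window 65535, no options."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0)

def parse_tcp(segment):
    """Decode the fields Wireshark shows in its summary line."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & FLAG_MASK}

def check_handshake(segments):
    """SYN -> SYN/ACK -> ACK: each side acknowledges the other's seq + 1."""
    syn, synack, ack = (parse_tcp(s) for s in segments)
    return (syn["flags"] == SYN
            and synack["flags"] == SYN | ACK and synack["ack"] == syn["seq"] + 1
            and ack["flags"] == ACK and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == synack["seq"] + 1)

def check_teardown(segments):
    """FIN/ACK from the server, ACK, then FIN/ACK from the client, ACK."""
    s_fin, c_ack, c_fin, s_ack = (parse_tcp(s) for s in segments)
    return (s_fin["flags"] == FIN | ACK
            and c_ack["flags"] == ACK and c_ack["ack"] == s_fin["seq"] + 1
            and c_fin["flags"] == FIN | ACK and c_fin["ack"] == s_fin["seq"] + 1
            and s_ack["flags"] == ACK and s_ack["ack"] == c_fin["seq"] + 1)

# Constructed segments: client port 49152, server port 80, client ISN 1000,
# server ISN 5000 (absolute numbers; Wireshark shows relative ones by default).
CLIENT, SERVER = 49152, 80
HANDSHAKE = [
    build_tcp(CLIENT, SERVER, 1000, 0, SYN),           # packet #73 on the page
    build_tcp(SERVER, CLIENT, 5000, 1001, SYN | ACK),  # packet #74
    build_tcp(CLIENT, SERVER, 1001, 5001, ACK),        # packet #75
]
TEARDOWN = [
    build_tcp(SERVER, CLIENT, 5200, 1300, FIN | ACK),  # packet #371
    build_tcp(CLIENT, SERVER, 1300, 5201, ACK),        # packet #372
    build_tcp(CLIENT, SERVER, 1300, 5201, FIN | ACK),  # packet #373
    build_tcp(SERVER, CLIENT, 5201, 1301, ACK),        # packet #374
]
```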

ICMP – Internet Control Message Protocol. (ping command)

Internet Control Message Protocol is part of the IP protocol suite and is used for troubleshooting other protocols; it is what the ping command uses to send ECHO REQUEST and ECHO REPLY messages. Let’s take a look at the capture file to see what ICMP looks like.

We can see that packet #1 is an ICMP ECHO REQUEST sent to the destination computer. When the destination machine receives the request it responds by sending an ICMP ECHO REPLY (packet #2), and this process is repeated until the ping command finishes.
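Added example, not from the original tutorial: Python that builds ICMP echo request and reply packets with a correct RFC 1071 checksum, verifies the checksum when parsing, and pairs replies with requests by identifier and sequence number the way ping does, so an unanswered request stands out in a capture. The identifier, payload and the small capture are constructed.

```python
import struct
ECHO_REPLY, ECHO_REQUEST = 0, 8

def checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """ICMP echo header: type, code 0, checksum, identifier, sequence number."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(header + payload), ident, seq) + payload

def parse_icmp(pkt):
    """A valid packet sums to zero when the checksum field itself is included."""
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": checksum(pkt) == 0}

def pair_echoes(pkts):
    """Match replies to requests by (id, seq); returns (answered, unanswered, ignored)."""
    pending, answered, ignored = {}, [], 0
    for pkt in pkts:
        m = parse_icmp(pkt)
        key = (m["id"], m["seq"])
        if not m["checksum_ok"]:
            ignored += 1
        elif m["type"] == ECHO_REQUEST:
            pending[key] = m["payload"]
        elif m["type"] == ECHO_REPLY and pending.get(key) == m["payload"]:
            del pending[key]
            answered.append(m["seq"])
        else:
            ignored += 1
    return answered, sorted(seq for _, seq in pending), ignored

# Constructed capture from one ping run; the second request gets no reply.
PING_ID, PAYLOAD = 0x1234, bytes(range(8))
CAPTURE = [
    build_echo(ECHO_REQUEST, PING_ID, 1, PAYLOAD),   # packet #1 on the page
    build_echo(ECHO_REPLY, PING_ID, 1, PAYLOAD),     # packet #2
    build_echo(ECHO_REQUEST, PING_ID, 2, PAYLOAD),
    build_echo(ECHO_REQUEST, PING_ID, 3, PAYLOAD),
    build_echo(ECHO_REPLY, PING_ID, 3, PAYLOAD),
]
```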
