Lab 3: Packet Capture
In this lab, you will use a “packet sniffer” called Wireshark to capture and analyze the TCP and HTTP packets exchanged between the PC browser and a web server, such as . When the application layer of the TCP/IP protocol stack creates an HTTP message, that message is “encapsulated” by a transport layer header. The header identifies the protocol, TCP, which is used to make a reliable connection to a web server. TCP uses a three-way handshake to establish a connection and a three-way handshake to take down a connection between the two hosts. The Internet layer adds a header carrying the logical IP address, but it is also responsible for retrieving the MAC address, which is passed to the Data Link layer for inclusion in the LAN header. You will see how the Internet layer uses a protocol called ARP (Address Resolution Protocol) to find the MAC (Ethernet) address of the next link. Lastly, you will see the message syntax and sequence of the HTTP protocol.
Demonstrate basic packet capturing with Wireshark
Examine the TCP handshake used to set up and take down a reliable connection
Examine how the Internet layer uses ARP
Examine the message syntax and sequence of the HTTP protocol
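The ARP exchange and the TCP three-way handshake described above are what you will pick out of the capture. As an added example that is not part of the lab handout, the Python script below builds a constructed five-frame sequence with placeholder MAC and IP addresses (ARP request and reply for the default gateway, then SYN, SYN-ACK and ACK to a web server on port 80), decodes the raw Ethernet, ARP, IPv4 and TCP headers with struct, and checks that each handshake step acknowledges the previous sequence number plus one, which is the same check you can make by hand in Wireshark's packet details pane.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits (byte 13 of the TCP header)
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def eth(dst, src, ethertype, payload):  # builders are only used for the constructed sample below
    return dst + src + struct.pack("!H", ethertype) + payload
def arp(op, sha, spa, tha, tpa):  # hw type 1 = Ethernet, proto 0x0800 = IPv4, op 1 = request, 2 = reply
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
def tcp_in_ip(sip, dip, sport, dport, seq, ack, flags):  # checksums left 0: parsed locally, never sent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, sip, dip) + tcp

def parse_frame(f):  # Ethernet -> ARP or IPv4/TCP summary dict; anything else -> {}
    etype, body = struct.unpack("!H", f[12:14])[0], f[14:]
    if etype == 0x0806:
        return {"proto": "ARP", "op": struct.unpack("!H", body[6:8])[0], "sha": mac_str(body[8:14]),
                "spa": ip_str(body[14:18]), "tpa": ip_str(body[24:28])}
    if etype == 0x0800 and body[9] == 6:  # IPv4 protocol number 6 = TCP
        tcp = body[(body[0] & 0x0F) * 4:]  # skip the IP header; IHL is in 32-bit words
        sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
        return {"proto": "TCP", "src": f"{ip_str(body[12:16])}:{sport}", "dst": f"{ip_str(body[16:20])}:{dport}",
                "seq": seq, "ack": ack, "flags": tcp[13]}
    return {}
def describe(frames):  # narrate ARP resolution and check SYN / SYN-ACK / ACK sequence-number chaining
    events, pending = [], {}  # pending[(client, server)] = (stage, sequence number awaiting acknowledgement)
    for p in map(parse_frame, frames):
        if p.get("proto") == "ARP":
            events.append(f"ARP request: who has {p['tpa']}? tell {p['spa']}" if p["op"] == 1
                          else f"ARP reply: {p['spa']} is at {p['sha']}")
        elif p.get("proto") == "TCP":
            fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
            if p["flags"] == SYN:
                pending[fwd] = ("SYN", p["seq"])
                events.append(f"TCP SYN {p['src']} -> {p['dst']}")
            elif p["flags"] == SYN | ACK and pending.get(rev, ("",))[0] == "SYN" and p["ack"] == pending[rev][1] + 1:
                pending[rev] = ("SYN-ACK", p["seq"])
                events.append(f"TCP SYN-ACK {p['src']} -> {p['dst']}")
            elif p["flags"] == ACK and pending.get(fwd, ("",))[0] == "SYN-ACK" and p["ack"] == pending[fwd][1] + 1:
                events.append(f"TCP handshake complete {p['src']} <-> {p['dst']}")
    return events

# Constructed sample (placeholder MACs/IPs): the PC resolves its gateway's MAC, then opens port 80 on a web server.
PC, GW = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")
PC_IP, GW_IP, WEB_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]), bytes([203, 0, 113, 5])
SAMPLE = [eth(b"\xff" * 6, PC, 0x0806, arp(1, PC, PC_IP, b"\x00" * 6, GW_IP)),
          eth(PC, GW, 0x0806, arp(2, GW, GW_IP, PC, PC_IP)),
          eth(GW, PC, 0x0800, tcp_in_ip(PC_IP, WEB_IP, 51000, 80, 1000, 0, SYN)),
          eth(PC, GW, 0x0800, tcp_in_ip(WEB_IP, PC_IP, 80, 51000, 5000, 1001, SYN | ACK)),
          eth(GW, PC, 0x0800, tcp_in_ip(PC_IP, WEB_IP, 51000, 80, 1001, 5001, ACK))]
```

Run `describe(SAMPLE)` to get one line per frame; a SYN-ACK whose acknowledgement number is not the client's sequence number plus one is silently dropped rather than reported as part of the handshake.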
Use the MyApps folder to locate Wireshark
Click the Launch button to open Wireshark
at a command prompt to get the IP and physical addresses of the local
Select the capture interface called “Ethernet”, which shows activity on it. Similar to the screen
Before we capture packets, delete the ARP cache. This area of memory keeps a mapping of IP addresses to MAC addresses. We want to delete any previous entry so that the ARP protocol will need to be used in our capture.
Physical address of host
IP address of host
IP address of default gateway
Physical address of default gateway