Student Solution




Week 1 Packet Analysis


Lab 1: Identifying Parts of the TCP Packet

Requirements:
• Wireshark
  o http://www.wireshark.org/download.html
• Snipping Tool (Windows)
  o Or an equivalent tool such as Greenshot: http://getgreenshot.org/
• Internet connection
• This document

Part 1: Installing Wireshark
1. Download and run the executable.
2. Be sure to install WinPcap when prompted.
3. (Optional) Install USB filters.
4. Open Wireshark from the Start Menu.
5. Click on the capture interface (usually either Wi-Fi or Ethernet, depending on your connection).
6. Open a web browser of your choice and generate traffic to ensure Wireshark is properly sniffing packets.
7. Stop the capture by clicking the red square in the toolbar.
8. Please contact the instructor with any questions or problems.

Part 2: Wireshark Familiarization
Answer the following questions using the snipping tool (or whatever method you like) to take screen clips of the information requested.
1. Open Wireshark, start a capture, and generate some traffic by browsing the internet. Be sure to visit at least 3 sites.
2. When finished, click on the button in the toolbar that looks like this: . This will stop the capture.
3. Browse through some of the menu dropdowns of Wireshark and take screenshots of 3 tools you find. Provide a description of what they do (you may have to do internet research).

Part 3: Analyzing Traffic
1. With a new Wireshark capture running, navigate to https://news.google.com/, then click on any link.
2. When finished, click on the button in the toolbar that looks like this: . This will stop the capture.
3. Scroll to the top of the capture and find the TCP handshake. Paste it as your answer.
4. Highlight the first SYN packet, right-click, and select Follow TCP Stream. Find the User-Agent string and record it as your answer.
5. Open any TCP packet, click on the ">"s to expand the information, and identify these items:
   a. DEST IP address in decimal and hexadecimal
   b. SRC port in decimal and hexadecimal
   c. Time and date
   d. Header length
   e. Sequence number
   f. Source MAC address
      i. Take that address and input it into http://aruljohn.com/mac.pl
      ii. What is the manufacturer?
6. Find a TCP teardown (FIN, FIN ACK, ACK).
7. Under the dropdown "Statistics" -> "Conversations" -> "IPv4", list a private IP and a public IP.
8. Go to http://whois.domaintools.com/ and look up one of the public IP addresses. Take a screenshot of the results.
9. In no less than a paragraph, assume this was an ongoing investigation on a live network.
   a. What sort of evidence have you collected?
   b. What conclusions can you make based on the evidence you collected?
   c. What conclusions could you NOT make based on the evidence you collected?
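As an added worked example (not part of the lab handout or the student solution), the Python below decodes a constructed Ethernet II / IPv4 / TCP frame with the standard library and pulls out the same fields Part 3 asks you to read from Wireshark's packet details pane: destination IP in decimal and hexadecimal, source port in decimal and hexadecimal, header length, sequence number and source MAC. It then labels the packets of a constructed three-way handshake and FIN/ACK teardown by their flag bits, and classifies the destination as private (RFC 1918) or public as in the Conversations step. All MAC and IP addresses are constructed sample values; the "public" server address is taken from the TEST-NET-3 documentation range.

```python
import struct
import ipaddress

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}
# RFC 1918 ranges: what the lab means by a "private IP" under Statistics -> Conversations -> IPv4
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, flags):
    """Assemble a constructed Ethernet II + IPv4 + TCP frame (checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp

def parse_frame(frame):
    """Extract the fields Part 3 step 5 asks for, as Wireshark's packet details pane shows them."""
    dst_mac, src_mac, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype != 0x0800 or ip[9] != 6:            # EtherType 0x0800 = IPv4, IP protocol 6 = TCP
        raise ValueError("not an IPv4/TCP frame")
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length in bytes
    src_ip, dst_ip = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
    sport, dport, seq, ack, off_res, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "src_ip": str(src_ip),
        "dst_ip": str(dst_ip), "dst_ip_hex": dst_ip.packed.hex(),          # decimal and hex forms
        "src_port": sport, "src_port_hex": f"0x{sport:04x}", "dst_port": dport,
        "ip_header_len": ihl, "tcp_header_len": (off_res >> 4) * 4,         # data offset * 4 bytes
        "seq": seq, "ack": ack, "flags": [n for bit, n in TCP_FLAGS.items() if flags & bit],
        "dst_is_private": any(dst_ip in net for net in RFC1918),
    }

def label_exchange(frames):
    """Name each packet's role: SYN, SYN/ACK, ACK for a handshake; FIN/ACK, FIN/ACK, ACK for a teardown."""
    roles = []
    for fl in (parse_frame(f)["flags"] for f in frames):
        roles.append("/".join(n for n in ("SYN", "FIN", "RST", "ACK") if n in fl) or "none")
    return roles

# Constructed sample capture: private client 192.168.1.10 opening and closing a TLS session to 203.0.113.5.
C_MAC, S_MAC, CLIENT, SERVER = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "192.168.1.10", "203.0.113.5"
HANDSHAKE = [build_frame(C_MAC, S_MAC, CLIENT, SERVER, 51234, 443, 1000, 0x02),   # SYN
             build_frame(S_MAC, C_MAC, SERVER, CLIENT, 443, 51234, 5000, 0x12),   # SYN/ACK
             build_frame(C_MAC, S_MAC, CLIENT, SERVER, 51234, 443, 1001, 0x10)]   # ACK
TEARDOWN = [build_frame(C_MAC, S_MAC, CLIENT, SERVER, 51234, 443, 1400, 0x11),    # FIN/ACK
            build_frame(S_MAC, C_MAC, SERVER, CLIENT, 443, 51234, 5300, 0x11),    # FIN/ACK
            build_frame(C_MAC, S_MAC, CLIENT, SERVER, 51234, 443, 1401, 0x10)]    # ACK
```

Calling parse_frame(HANDSHAKE[0]) gives the same values Wireshark displays for the first SYN (source port 51234 = 0xc822, destination 203.0.113.5 = cb007105, 20-byte headers), and label_exchange over the two lists reproduces the handshake and teardown patterns the lab asks you to find.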


Solution Preview

4. Open Wireshark, start a capture, and generate some traffic by browsing the internet. Be sure to visit at least 3 sites.
5. When finished, click on the button in the toolbar that looks like this: . This will stop the capture.
6. Browse through some of the menu dropdowns of Wireshark and take screenshots of 3 tools you find. Provide a description of what they do (you may have to do internet research).
   Conversations: Shows a list of the MAC addresses of all devices data was captured on.
   Endpoints: Lists the MACs of devices believed to be endpoints on the network.
   Packet Lengths: Shows the distribution of packet lengths and related information.