Title: Network Traffic Analysis and Protocol Inspection using Wireshark
Tools Used:
Laptop
Wi-Fi / Ethernet
Browser
Wireshark
Protocols captured and analyzed:
ARP
DNS
TCP 3-way handshake
HTTP vs HTTPS
ICMP (ping)
TLS handshake
To find the network adapter on Windows: open the Run dialog (Win+R), type ncpa.cpl and press Enter.
Capture Live Traffic Setup
Open Wireshark
Select:
Wi-Fi interface (or Ethernet)
Click Start Capture
Open browser → visit:
Run ping google.com in CMD.
Stop capture after ~2 minutes.
Protocol Analysis Tasks
🔹 ARP Analysis
Filter: arp
ARP Request: “Who has X.X.X.X? Tell Y.Y.Y.Y”
ARP Reply: “X.X.X.X is at AA:BB:CC:DD:EE:FF”
Destination MAC = ff:ff:ff:ff:ff:ff (broadcast)
Q: Why is ARP request broadcast? A: Because the sender does not know the destination MAC address. Broadcasting ensures all devices on the local network receive the request, and only the device owning the IP responds.
Q: Why is ARP reply unicast? A: The requester’s MAC address is already known from the ARP request, so the reply is sent directly to that device.
Q: Where is ARP used in the OSI model? A: Between Layer 2 (Data Link) and Layer 3 (Network). It maps IP addresses to MAC addresses.
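The three ARP items above (request text, reply text, broadcast versus unicast destination) can be reproduced from raw frame bytes. The following is an added example, not part of the original lab notes: it builds two constructed Ethernet/ARP frames for a host 192.168.1.10 and gateway 192.168.1.1 (sample MACs and addresses are made up), parses them the way Wireshark renders its Info column, and then goes one step further than the notes by tracking sender IP to MAC across a capture so that an IP claimed by two different MACs is reported, which is the condition behind Wireshark's "duplicate IP address detected" expert note.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(oper, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Ethernet II frame carrying an ARP packet (used only to construct sample data)."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # Ethernet/IPv4, 6-byte MAC, 4-byte IP
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Parse Ethernet + ARP and render the same Info text Wireshark shows."""
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa = frame[22:28], frame[28:32]          # sender hardware / protocol address
    tha, tpa = frame[32:38], frame[38:42]          # target hardware / protocol address
    if oper == ARP_REQUEST:
        info = f"Who has {ip_str(tpa)}? Tell {ip_str(spa)}"
    elif oper == ARP_REPLY:
        info = f"{ip_str(spa)} is at {mac_str(sha)}"
    else:
        info = f"ARP opcode {oper}"
    return {
        "opcode": oper,
        "dst_mac": mac_str(dst),
        "is_broadcast": dst == BROADCAST_MAC,
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_ip": ip_str(tpa),
        "info": info,
    }


def find_ip_mac_conflicts(frames):
    """Track sender IP -> MAC over a capture; report any IP that appears with two MACs."""
    seen, conflicts = {}, []
    for frame in frames:
        p = parse_arp_frame(frame)
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip in seen and seen[ip] != mac:
            conflicts.append((ip, seen[ip], mac))
        seen.setdefault(ip, mac)                   # keep the first MAC seen for the IP
    return conflicts


# Constructed sample: host 192.168.1.10 asks for the gateway 192.168.1.1, which answers.
HOST_MAC = bytes.fromhex("aabbccddee01")
GW_MAC = bytes.fromhex("aabbccddeeff")
HOST_IP, GW_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])

ARP_REQ = build_arp_frame(ARP_REQUEST, HOST_MAC, HOST_IP, bytes(6), GW_IP, BROADCAST_MAC)
ARP_REP = build_arp_frame(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP, HOST_MAC)
# A third constructed frame in which a different MAC claims the gateway's IP.
ARP_CONFLICT = build_arp_frame(ARP_REPLY, bytes.fromhex("112233445566"), GW_IP, HOST_MAC, HOST_IP, HOST_MAC)

if __name__ == "__main__":
    for f in (ARP_REQ, ARP_REP):
        p = parse_arp_frame(f)
        print(p["info"], "| broadcast" if p["is_broadcast"] else "| unicast to " + p["dst_mac"])
    print("conflicts:", find_ip_mac_conflicts([ARP_REQ, ARP_REP, ARP_CONFLICT]))
```

Running it prints the request as broadcast and the reply as unicast to the requester's MAC, matching what the arp filter shows in Wireshark; the conflict list is empty for a normal exchange and non-empty only when the third frame is included.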
🔹 DNS Analysis
Filter: dns
Standard query (A record)
Standard response
Query name (e.g., google.com)
Source port = random (>1023)
Destination port = 53
Q: What is DNS used for? A: DNS resolves human-readable domain names into IP addresses so devices can locate servers on a network.
Q: What is the difference between DNS query and response? A: A query asks for an IP address of a domain; a response returns the mapped IP address.
Q: Why does DNS usually use UDP? A: UDP is faster and has lower overhead. DNS uses TCP only for large responses or zone transfers.
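To make the query/response items above concrete, here is an added example (not from the original notes) that builds a constructed A query for google.com and a matching reply, parses the DNS header flags (QR, opcode, RCODE), decodes the question name from its length-prefixed labels, follows the compression pointer that real responses use for the answer name, and checks that a reply actually belongs to a query (QR flipped, same transaction ID, same question). The answer address 203.0.113.10 is a TEST-NET value chosen for the sample, not a real resolution result.

```python
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (length-prefixed labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)        # QR=0, RD=1, 1 question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, ip, ttl=300):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)        # QR=1, RD=1, RA=1, 1 answer
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, off):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                     # 11xxxxxx: pointer
            if end is None:
                end = off + 2                                         # resume after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns(msg):
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "is_response": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
           "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype))
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    return out


def response_matches_query(query, response):
    """A reply belongs to a query only if QR flips, the transaction ID matches and the question repeats."""
    q, r = parse_dns(query), parse_dns(response)
    return (not q["is_response"]) and r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


# Constructed sample: an A query for google.com and a matching reply with a TEST-NET address.
QUERY = build_query(0x1A2B, "google.com")
RESPONSE = build_response(0x1A2B, "google.com", "203.0.113.10")

if __name__ == "__main__":
    print(parse_dns(QUERY))
    print(parse_dns(RESPONSE))
    print("matched:", response_matches_query(QUERY, RESPONSE))
```

The transaction-ID and question check is the same pairing Wireshark performs to link a "Standard query" to its "Standard query response"; a reply whose ID or question does not match the outstanding query should be treated as unrelated.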
🔹 TCP 3-Way Handshake
Filter: tcp.flags.syn == 1 || tcp.flags.ack == 1
To narrow to just the opening SYN packets (SYN set, ACK clear): tcp.flags.syn == 1 && tcp.flags.ack == 0
SYN – Client → Server
SYN-ACK – Server → Client
ACK – Client → Server
Q: Why does TCP use a three-way handshake? A: To ensure both sender and receiver are ready to transmit data and to synchronize sequence numbers.
Q: What happens if SYN-ACK is not received? A: The client retransmits the SYN packet or eventually times out.
Q: How is TCP different from UDP? A: TCP is connection-oriented, reliable, and ordered; UDP is connectionless and faster but unreliable.
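The two display filters above and the SYN / SYN-ACK / ACK sequence can be checked against raw TCP headers. This added example (not part of the original notes) parses constructed 20-byte TCP headers, implements both filters as Python predicates, and walks a sample capture to verify that each handshake's sequence numbers line up (SYN-ACK acknowledges client seq + 1, final ACK acknowledges server seq + 1). The sample also includes a SYN that is never answered and then retransmitted, which is the case the question about a missing SYN-ACK describes. Ports and sequence numbers are made up.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header without options (used only to construct sample packets)."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, flag bits in the low 9
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(data):
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "hdr_len": (off_flags >> 12) * 4, "window": window}


def filter_syn_or_ack(p):
    """Equivalent of the display filter  tcp.flags.syn == 1 || tcp.flags.ack == 1"""
    return bool(p["flags"] & (SYN | ACK))


def filter_initial_syn(p):
    """Equivalent of  tcp.flags.syn == 1 && tcp.flags.ack == 0  (opening SYN only)."""
    return bool(p["flags"] & SYN) and not (p["flags"] & ACK)


def classify_handshakes(packets):
    """For every opening SYN, look for the matching SYN-ACK (ack = client seq + 1) and
    final ACK (ack = server seq + 1); report whether each handshake completed."""
    results = []
    for i, syn in enumerate(packets):
        if not filter_initial_syn(syn):
            continue
        later = packets[i + 1:]
        synack = next((p for p in later
                       if p["flags"] & SYN and p["flags"] & ACK
                       and (p["sport"], p["dport"]) == (syn["dport"], syn["sport"])
                       and p["ack"] == (syn["seq"] + 1) & MASK32), None)
        if synack is None:
            results.append({"client_port": syn["sport"], "state": "no SYN-ACK"})
            continue
        ack = next((p for p in later
                    if p["flags"] & ACK and not p["flags"] & SYN
                    and (p["sport"], p["dport"]) == (syn["sport"], syn["dport"])
                    and p["seq"] == (syn["seq"] + 1) & MASK32
                    and p["ack"] == (synack["seq"] + 1) & MASK32), None)
        results.append({"client_port": syn["sport"], "state": "complete" if ack else "no final ACK"})
    return results


# Constructed capture: one complete handshake to port 443 and one SYN that is never answered.
CAPTURE = [parse_tcp_header(h) for h in (
    build_tcp_header(51234, 443, 1000, 0, SYN),            # SYN, client -> server
    build_tcp_header(443, 51234, 5000, 1001, SYN | ACK),   # SYN-ACK, server -> client
    build_tcp_header(51234, 443, 1001, 5001, ACK),         # ACK, client -> server
    build_tcp_header(51235, 443, 2000, 0, SYN),            # second client, no reply
    build_tcp_header(51235, 443, 2000, 0, SYN),            # the client retransmits its SYN
)]

if __name__ == "__main__":
    print("syn||ack matches:", sum(map(filter_syn_or_ack, CAPTURE)))
    print("syn&&!ack matches:", sum(map(filter_initial_syn, CAPTURE)))
    for r in classify_handshakes(CAPTURE):
        print(r)
```

Note that the first filter matches every packet in the sample, because all of them carry SYN or ACK; in a real capture it excludes little more than bare RST segments, which is why the SYN-only filter is the useful one for counting connection attempts.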
🔹 HTTP vs HTTPS
Filters: http, tls
HTTP: readable headers and data
HTTPS: encrypted payload
TLS handshake messages
Q: Why can HTTP data be read but HTTPS cannot? A: HTTP is unencrypted, while HTTPS uses TLS encryption to secure data in transit.
Q: What happens during TLS handshake? A: Client and server exchange certificates, negotiate encryption algorithms, and establish secure keys.
Q: Which port does HTTPS use? A: Port 443 (HTTP uses port 80).
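The difference between "readable headers" and "encrypted payload" can be shown on TCP payload bytes directly. This added example (not from the original notes) classifies a payload as plaintext HTTP or a TLS record from its first bytes, returns the request line and Host header from the HTTP case, and for a TLS ClientHello extracts the fields that remain readable in the handshake (client version, offered cipher suites and the SNI hostname), while an application-data record yields nothing beyond its type and length. It goes a little past the notes by showing that the hostname is still visible in the handshake even though the HTTP content is not. The HTTP request, the ClientHello and the application-data record are all constructed sample data; example.com is a placeholder name.

```python
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def build_client_hello(server_name, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Minimal TLS ClientHello with one SNI extension (constructed sample data only)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type = host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_entry) + 2, len(sni_entry)) + sni_entry
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303) + bytes(32)                       # client_version, random
            + b"\x00"                                                     # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                 # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(hs):
    """Extract what is still plaintext in a ClientHello: version, cipher suites, SNI."""
    off = 4                                                               # skip type + 3-byte length
    version = f"{hs[off]}.{hs[off + 1]}"                                  # 3.3 is the TLS 1.2 wire version
    off += 2 + 32                                                         # version + random
    off += 1 + hs[off]                                                    # session_id
    cs_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    suites = [f"0x{s:04x}" for s in struct.unpack(f"!{cs_len // 2}H", hs[off:off + cs_len])]
    off += cs_len
    off += 1 + hs[off]                                                    # compression methods
    ext_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end, sni = off + ext_len, None
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[off:off + 4])
        if etype == 0x0000:                                               # server_name extension
            name_len = struct.unpack("!H", hs[off + 7:off + 9])[0]
            sni = hs[off + 9:off + 9 + name_len].decode("ascii")
        off += 4 + elen
    return {"handshake": "ClientHello", "client_version": version, "cipher_suites": suites, "sni": sni}


def classify_payload(payload):
    """Tell plaintext HTTP from TLS records and return whatever is readable."""
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3 and payload[2] <= 4:
        rec_len = struct.unpack("!H", payload[3:5])[0]
        rec = {"kind": "tls", "content_type": TLS_CONTENT_TYPES[payload[0]], "record_len": rec_len}
        if payload[0] == 22 and payload[5:6] == b"\x01":
            rec.update(parse_client_hello(payload[5:5 + rec_len]))
        return rec                                                        # application_data stays opaque
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.split(b" ")[0] in HTTP_METHODS and b" HTTP/1." in first_line:
        head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        headers = {}
        for line in head[1:]:
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode()] = value.strip().decode()
        return {"kind": "http", "request_line": head[0].decode(), "host": headers.get("host")}
    return {"kind": "unknown"}


# Constructed samples: an HTTP request, a ClientHello, and an encrypted application-data record.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: lab\r\n\r\n"
CLIENT_HELLO = build_client_hello("example.com")
TLS_APP_DATA = b"\x17\x03\x03\x00\x10" + bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    for sample in (HTTP_REQUEST, CLIENT_HELLO, TLS_APP_DATA):
        print(classify_payload(sample))
```

The port check in the notes (80 versus 443) is a convention, not a guarantee; classifying the payload by its first bytes as above is how Wireshark's heuristics and a monitoring sensor tell the two apart regardless of port.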
🔹 ICMP
Filter: icmp
Echo request
Echo reply
Time-to-live (TTL)
Round-trip time
Q: What is ICMP used for? A: ICMP is used for error reporting and network diagnostics (e.g., ping, traceroute).
Q: Does ICMP use TCP or UDP? A: Neither. ICMP is a Layer 3 protocol directly over IP.
Q: Why might ping fail even if the host is up? A: Firewalls may block ICMP traffic for security reasons.
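The ICMP items above (echo request/reply, TTL, round-trip time) and the answer that ICMP sits directly over IP are illustrated by this added example, which is not part of the original notes. It builds constructed IPv4 packets whose protocol field is 1 (ICMP) and whose payload is an echo request or reply with a valid RFC 1071 checksum, parses the IP TTL and ICMP type/id/seq, verifies the checksum, and pairs requests with replies by (id, seq) to compute the RTT, listing requests that never got a reply, which is what a ping blocked by a firewall looks like in a capture. Addresses, timestamps and the 32-byte payload are sample values; the payload text is the one Windows ping sends by default.

```python
import struct

IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type, ident, seq, payload=b"abcdefghijklmnopqrstuvwabcdefghi"):
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)          # checksum field zeroed
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def build_ipv4(src, dst, ttl, payload):
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0, ttl, IPPROTO_ICMP, 0, src, dst]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))     # header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_icmp_packet(packet):
    """Parse IPv4 + ICMP; the ICMP message follows the IP header directly, no TCP/UDP."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != IPPROTO_ICMP:
        raise ValueError(f"IP protocol {proto} is not ICMP")
    icmp = packet[ihl:]
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"ttl": ttl, "type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(icmp) == 0,                      # sum over a valid message folds to 0
            "data": icmp[8:]}


def match_echoes(capture):
    """capture: list of (timestamp_seconds, raw_ipv4_packet). Pair requests with replies
    by (id, seq); return ({(id, seq): rtt_ms}, [unanswered (id, seq)])."""
    pending, rtts = {}, {}
    for ts, pkt in capture:
        p = parse_icmp_packet(pkt)
        if not p["checksum_ok"]:
            continue                                                      # corrupted, ignore
        key = (p["id"], p["seq"])
        if p["type"] == ICMP_ECHO_REQUEST:
            pending[key] = ts
        elif p["type"] == ICMP_ECHO_REPLY and key in pending:
            rtts[key] = round((ts - pending.pop(key)) * 1000, 3)
    return rtts, sorted(pending)


# Constructed capture: seq 1 is answered after 12.3 ms, seq 2 never gets a reply.
HOST_IP, TARGET_IP = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 10])
CAPTURE = [
    (0.000, build_ipv4(HOST_IP, TARGET_IP, 128, build_icmp_echo(ICMP_ECHO_REQUEST, 1, 1))),
    (0.0123, build_ipv4(TARGET_IP, HOST_IP, 57, build_icmp_echo(ICMP_ECHO_REPLY, 1, 1))),
    (1.000, build_ipv4(HOST_IP, TARGET_IP, 128, build_icmp_echo(ICMP_ECHO_REQUEST, 1, 2))),
]

if __name__ == "__main__":
    rtts, unanswered = match_echoes(CAPTURE)
    for (ident, seq), ms in rtts.items():
        print(f"id={ident} seq={seq} rtt={ms} ms")
    print("unanswered:", unanswered)
```

The reply's TTL (57 here) is lower than the request's because each router on the return path decrements it; Wireshark shows the same TTL field under the IPv4 header, and its "Response time" field under ICMP corresponds to the RTT computed above.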
Summary:
Analyzed live network traffic using Wireshark, applying protocol-specific filters to inspect ARP broadcasts, DNS resolution, TCP handshakes, encrypted HTTPS traffic, and ICMP diagnostics.