WA4. Wireshark Capture Analysis

Statement

You are a network engineer who has been assigned a new client company. Your senior network engineer has informed you that you will be tasked with analyzing the HTTP and TCP traffic flow in the client’s network. This information will be used to improve the performance, security, and general management of the client’s network. Your specific tasks are listed below:

  1. Start Wireshark capture.
  2. Open a web browser and visit http://www.example.com/
  3. Stop the Wireshark capture and answer the following questions with screenshots attached for each:
    • a. Identify the TCP 3-way handshake interaction.
    • b. What is the MAC address of your PC as shown in Wireshark?
    • c. Which vendor manufactured the network card on your PC? Use the PC MAC address as shown in Wireshark.
    • d. What is the MAC address of your gateway device as shown in Wireshark?
    • e. What is the IP address of your PC as shown in Wireshark?
    • f. What version of HTTP is captured?
    • g. What is your PC’s operating system (OS) platform as shown in Wireshark?
    • h. What language is your PC’s browser configured to as shown in Wireshark?
  4. You are to save and submit your Wireshark capture file. Add screenshots for all questions from 3a-3h along with their answers in MS Word or PDF file and submit the same.

Answer

a. Identify the TCP 3-way handshake interaction

To start we need to find the source (my PC) and destination () IP addresses; the screenshot below shows the process of finding the IP addresses, according to (UoPeople, 2024).

a. finding the src/dst ip addresses

  • I ran the command ipconfig getifaddr en0 to find my IP address on macOS, which is 192.168.0.5.
  • I ran the command ping www.example.com -c 3 to find the IP address of the destination, which is a
  • Next, we need to find the TCP 3-way handshake interaction by putting the right filters in Wireshark.
  • We use the filter ip.addr==93.184.216.34 to find all packets sent or received to the website’s IP address.

a. filtering to finding the 3-way handshake

  • Examining the packets, we see that we have established multiple connections to the website; I guess I refreshed the page while capturing the packets.
  • In the image below, the packets highlighted in blue identify a 3-way handshake interaction; note the [SYN] Seq=0, [SYN, ACK] Seq=0, and [ACK] Seq=1 flags that define the handshake (Upulie, 2022).

a. the 3-way handshake

b. What is the MAC address of your PC as shown in Wireshark?

  • I selected the first SYN packet that was sent from my device, opened the details, and then expanded the Ethernet II section to find the MAC address of my device.
  • My MAC address is Apple_70:30:28 (f4:d4:88:70:30:28) as shown in the image below.

b. my MAC address

c. Which vendor manufactured the network card on your PC? Use the PC MAC address as shown in Wireshark?

c. my network card vendor

d. What is the MAC address of your gateway device as shown in Wireshark?

  • I used the same SYN packet from the previous step and expanded the Ethernet II section to find the MAC address of the gateway.
  • The SYN was sent from my device to the gateway, so the destination MAC address is the gateway’s MAC address.
  • The MAC address of the gateway is Destination: SkyUk_19:9b:01 (04:81:9b:19:9b:01) as shown in the image below.

d. the gateway's MAC address

  • Another way to find the gateway’s MAC address is to filter for the ARP protocol to find the gateway’s MAC address.
  • You see in the image below the ARP packets between my device and the gateway, and the gateway’s MAC address is 04:81:9b:19:9b:01.

d. the gateway's MAC address

e. What is the IP address of your PC as shown in Wireshark?

  • I filtered for http, selected the first packet, and then expanded the Internet Protocol Version 4 section to find the IP address of my device.
  • You see my IP address is the Source Address: 192.168.0.5, and it is identical to the one I found using the ipconfig command (step a).

e. my IP address

f. What version of HTTP is captured?

  • I expanded the Hypertext Transfer Protocol section of the first packet to find the version of HTTP that was captured.
  • The version is HTTP/1.1 as shown in the image below.

f. the version of HTTP

g. What is your PC’s operating system (OS) platform as shown in Wireshark?

  • I grabbed the User-Agent from the first packet and expanded the Hypertext Transfer Protocol section to find the OS platform.
  • The OS platform/User-Agent is Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 as shown in the image below.

g. my OS platform

h. What language is your PC’s browser configured to as shown in Wireshark?

  • I grabbed the Accept-Language from the first packet and expanded the Hypertext Transfer Protocol section to find the language.
  • The language is en-US,en;q=0.9,ar;q=0.8,es;q=0.7 as shown in the image below.
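The steps in a–h above can also be carried out programmatically. The script below is an added example, not part of this write-up: it decodes raw Ethernet/IPv4/TCP frames, locates a 3-way handshake by matching ports and sequence/acknowledgement numbers (so extra connections from a page refresh do not confuse it), and reads the PC MAC, gateway MAC, PC IP, HTTP version, User-Agent and Accept-Language from them. The frames are constructed to mirror the values found above; the ports, sequence numbers and the two-entry OUI table are made up.

```python
import struct
# Constructed frames modelled on the page's capture: PC f4:d4:88:70:30:28 / 192.168.0.5 reaches
# www.example.com 93.184.216.34 via gateway 04:81:9b:19:9b:01; ports, seq numbers and OUI table are made up.
PC_MAC, GW_MAC = bytes.fromhex("f4d488703028"), bytes.fromhex("04819b199b01")
PC_IP, WEB_IP = bytes([192, 168, 0, 5]), bytes([93, 184, 216, 34])
SYN, ACK, PSH = 0x02, 0x10, 0x08
OUI = {"f4:d4:88": "Apple", "04:81:9b": "SkyUk"}  # constructed two-entry subset of the IEEE OUI list

def frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    # Ethernet II + IPv4 + TCP with no options; checksums are left at zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp
def parse(raw):
    # Decode the Ethernet/IP/TCP fields Wireshark shows in its detail pane
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    t = 14 + (raw[14] & 0x0F) * 4  # TCP header starts after Ethernet (14) + IHL*4 bytes
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", raw[t:t + 14])
    return {"dst_mac": mac(raw[0:6]), "src_mac": mac(raw[6:12]), "flags": flags,
            "src_ip": ".".join(map(str, raw[26:30])), "dst_ip": ".".join(map(str, raw[30:34])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "payload": raw[t + (off >> 4) * 4:]}
def find_handshake(pkts):
    # Return (SYN, SYN/ACK, ACK) whose 4-tuple and seq/ack numbers chain correctly, else None
    for s in (p for p in pkts if p["flags"] & (SYN | ACK) == SYN):  # only a bare SYN opens one
        flow = (s["src_ip"], s["sport"], s["dst_ip"], s["dport"])
        sa = [p for p in pkts if p["flags"] & (SYN | ACK) == SYN | ACK and p["ack"] == s["seq"] + 1
              and (p["dst_ip"], p["dport"], p["src_ip"], p["sport"]) == flow]
        a = [p for p in pkts if sa and p["flags"] == ACK and p["seq"] == s["seq"] + 1
             and p["ack"] == sa[0]["seq"] + 1 and (p["src_ip"], p["sport"], p["dst_ip"], p["dport"]) == flow]
        if sa and a:
            return s, sa[0], a[0]
    return None
def http_request_info(payload):
    # Version from the request line, then the two headers questions f-h ask about
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    hdrs = dict(h.split(": ", 1) for h in head[1:] if ": " in h)
    return head[0].split(" ")[2], hdrs.get("User-Agent"), hdrs.get("Accept-Language")
def analyze(raw_frames):
    # Answer questions a-h from raw frames the way the write-up does by hand
    pkts = [parse(f) for f in raw_frames]
    syn = find_handshake(pkts)[0]  # the client's SYN: source = PC, destination MAC = gateway
    version, ua, lang = http_request_info(next(p["payload"] for p in pkts if p["payload"][:4] == b"GET "))
    return {"pc_mac": syn["src_mac"], "vendor": OUI.get(syn["src_mac"][:8], "unknown"), "gateway_mac": syn["dst_mac"],
            "pc_ip": syn["src_ip"], "http_version": version, "user_agent": ua, "accept_language": lang}

REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X"
           b" 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\r\n"
           b"Accept-Language: en-US,en;q=0.9,ar;q=0.8,es;q=0.7\r\n\r\n")
CAPTURE = [frame(PC_MAC, GW_MAC, PC_IP, WEB_IP, 52113, 80, 1000, 0, SYN),          # [SYN] Seq=0 (relative)
           frame(GW_MAC, PC_MAC, WEB_IP, PC_IP, 80, 52113, 7000, 1001, SYN | ACK),  # [SYN, ACK]
           frame(PC_MAC, GW_MAC, PC_IP, WEB_IP, 52113, 80, 1001, 7001, ACK),        # [ACK] Seq=1
           frame(PC_MAC, GW_MAC, PC_IP, WEB_IP, 52113, 80, 1001, 7001, PSH | ACK, REQUEST)]
```

Calling analyze(CAPTURE) returns a dict with the same answers as questions b–h above; feeding it frames read from a real capture file would require only a pcap reader in front of parse().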

References