
Lab 2: Capture, Filter and Save

In this lab you will use the filters and dissectors to extract information from a packet capture. 

Introduction

Wireshark can do much more than just grab packets. It includes powerful tools for you to extract useful information from those packets once they're captured. In order to complete this lab you are required to extract information from an HTTP session. This lab will use Cabrillo's website because it does not use HTTPS. In later labs we'll see how to decrypt HTTPS connections. 

Capture and Dissect

Start Wireshark and begin a live capture. Once you are capturing, follow this link to take you to Cabrillo's website. NOTE: Your browser cache may cause the browser to avoid reloading the images on Cabrillo's website if you've been there recently. If that happens you will not see image files when you export HTTP objects. Try the following: 
  • On Chrome: Hold the SHIFT key and click the reload button.
  • On Firefox: CTRL + SHIFT + R 
  • On IE: CTRL + SHIFT + R

Filter out Only Cabrillo

Your capture will have all the packets that your machine saw during the capture period. Your first job is to eliminate all the packets that are not a part of your HTTP connection with cabrillo.edu. You may have multiple connections to Cabrillo. Save just the packets of interest into a separate file. You will submit this file. 
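As an added example (not part of the lab itself), here is the filter-and-save step done by hand in pure Python on a constructed classic pcap: keep only the frames whose IPv4 source or destination is the web server, which is what the Wireshark display filter `ip.addr == <address>` followed by File > Export Specified Packets does. The server, client and third-party addresses are placeholders from the documentation ranges, and the frames are built with zero checksums, which Wireshark tolerates.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def ethernet_ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed data; checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)  # zero MACs, EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)  # PSH+ACK
    return eth + ip + tcp + payload

def write_pcap(frames):
    """Serialise frames as a classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield the raw frames of a classic little-endian pcap byte string."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here (not pcapng)")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[offset:offset + 16])[2]
        yield data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len

def ipv4_addresses(frame):
    """Return (src, dst) of an IPv4-over-Ethernet frame, or None for anything else (ARP, IPv6, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))

def filter_by_host(pcap_bytes, host_ip):
    """Keep frames sent to or from host_ip, i.e. what the display filter ip.addr == host_ip keeps."""
    kept = [f for f in read_pcap(pcap_bytes) if host_ip in (ipv4_addresses(f) or ())]
    return write_pcap(kept)

# Constructed sample capture: one web request/response plus an unrelated TLS connection.
SERVER, CLIENT, OTHER = "192.0.2.10", "10.0.0.5", "198.51.100.7"  # placeholder addresses
SAMPLE = write_pcap([
    ethernet_ipv4_tcp(CLIENT, SERVER, 40000, 80, b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"),
    ethernet_ipv4_tcp(CLIENT, OTHER, 40001, 443),
    ethernet_ipv4_tcp(SERVER, CLIENT, 80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ethernet_ipv4_tcp(OTHER, CLIENT, 443, 40001),
])
```

Write the bytes returned by `filter_by_host` to a file with `open(path, "wb")` and Wireshark will open it and can re-save it as pcapng. Filtering on the server address rather than on `http.host` matters because that field exists only in request packets, so a filter on it alone would drop the responses that carry the images.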

Extract Resources from your Capture 

Open the file you created in the previous step. The packets you captured should contain the images that were loaded when your browser accessed cabrillo.edu. Use Wireshark to extract at least one image from the packet stream and save it. You will turn this image in. 

Try Wikipedia

Repeat the experiment by starting a packet capture on your computer then following this link: 
The link takes you to a random article on Wikipedia. After you visit the link filter out only the packets going to or coming from Wikipedia and save the packets to a separate file. 
  • Can you determine from the packets which article you read on Wikipedia? 
  • Can you extract any images from the packet capture?

Turn In

  1. A packet capture file containing only Cabrillo packets called cabrillo.pcapng
  2. An image file that you extracted from your capture (may be a .png, .jpg or .svg).
  3. A packet capture file containing only Wikipedia packets called wikipedia.pcapng 
  4. Answers to the Try Wikipedia questions.
Submit your homework on Canvas.

Grading

  • 10 points for Cabrillo packets and image.
  • 10 points for Wikipedia packets and answers.