Sniffing HTTP Traffic with Wireshark (NETLAB)

Purpose

This project introduces Wireshark, an extremely useful program which we will be using throughout the course.

The first task to perform with Wireshark is examining HTTP requests and responses, which are used to view Web pages. This happens at layer 7 of the OSI model.

Use your Kali32 Machine

Open the Kali32 virtual machine. Log in as root with the password toor

Starting Wireshark

In a Terminal window, execute this command:

wireshark

A box pops up saying "Lua Error during loading". Press Enter to close it.

Another box pops up warning that 'Running as user "root" and group "root"' is dangerous. Press Enter to close it.

It's worth noting that Wireshark can be exploited by attackers, but if you are using virtual machines with no personal data on them, the risk is small.

In the lower left of the Wireshark window, under the Start button, click eth0 to highlight it, as shown below.

Capturing All Network Traffic With WireShark

Click the Start button.

On the left side of the Kali desktop, click the topmost icon to open IceWeasel. Go to attack.samsclass.info.

Wireshark shows a lot of text scrolling by, as shown below on this page. Each line in the upper pane summarizes one frame (or packet).

Find these columns in the Wireshark window:

No              Frame Number
Time            Time in seconds that the frame was captured
Source          Source address of the frame
Destination     Destination address of the frame
Protocol        Protocol of the frame
Info            Other information

Notice that some lines show Broadcast in the Destination column. Broadcast traffic is common on networks as network devices alert one another of their presence. But it's usually not very interesting. To make Wireshark easier to use, you can Filter the traffic, to see only the interesting packets.

Capturing HTTP Traffic With WireShark

At the upper left of the Wireshark window, in the "Filter" bar, type

http

In Wireshark, on the right side of the Filter bar, click Apply.

Wireshark now shows only HTTP packets, as shown below.

Viewing OSI Layers

In Wireshark, click the packet with "Info" of "GET / HTTP/1.1", to highlight it, as shown above.

Look at the middle pane of Wireshark to see this packet dissected into the most important OSI layers.

The layers are labelled in black font on the right side of the image above.

Layer 1: Physical shows bits on the wire
Layer 2: Data Link shows an Ethernet frame, with MAC addresses
Layer 3: Network shows an IP packet, with IP addresses
Layer 4: Transport shows a TCP segment, with port numbers
Layer 7: Application shows an HTTP request

Understanding HTTP GET Packets

Find the packet with "Info" of "GET / HTTP/1.1", as highlighted in the image above. This packet requests a Web page.

The next packet, with "Info" of "HTTP/1.1 200 OK...", is the response from the Web server.

Following the TCP Stream

In Wireshark, click the packet with "Info" of "GET / HTTP/1.1", to highlight it, as shown in the image above.

From the Wireshark menu bar, click Analyze, "Follow TCP Stream".

This is the most convenient way to examine HTTP traffic. The request is shown in red, and the response is shown in blue, as shown below.

In the "Follow TCP Stream", click Close.

Last modified: 8-14-13 12:40 pm
Modified for NETLAB 6-16-16