CPSC 441, Networking and Distributed Processing, Fall 2004
Lab 2: Ethereal and the HTTP Protocol
Ethereal is a packet sniffer program. It can make a record of every network frame that arrives at or departs from your computer. It can display the frames and analyze them in various ways. It knows the format for the data sent by many different protocols, and it can interpret much of that data for you.
Ethereal must be run as root, since it needs administrative privilege to put the network interface (that is, the Ethernet card, in our case) into "promiscuous mode". (In promiscuous mode, a network interface passes every frame that it sees up to the operating system; normally, it only passes up frames addressed to its own Ethernet address, plus broadcast and multicast frames.) Keep in mind that this means a large protocol parser is running as root on data taken straight off the wire, so a malformed packet that trips a bug in one of Ethereal's dissectors does so with full privilege. Stop the capture, and quit the program, once you have what you need.
Your First Session
You can start Ethereal by giving the command ethereal on the command line. This opens a window, which is a GUI interface to Ethereal's packet capture utility. (You'll want to make this window bigger.)
The basic procedure with Ethereal is to first use it to "capture" a bunch of packets. This is done with the "Start" command in the "Capture" menu. This opens a window where you can set some options and click "OK" to start the capture. You can ignore the options for now. Start capturing packets now by selecting "Start" from the "Capture" menu and then clicking "OK".
Once you do this, another window appears that shows the numbers of various types of packets that have been captured. This window has a stop button that you have to press to stop the capture. While the capture is running, generate some network activity by looking at a couple of web pages.
After a minute or so, click the "Stop" button to stop the capture session. A list of all the packets that have been captured will appear in the top of the Ethereal window. There is a lot of info in this list, including the time at which the packet was captured (given in seconds since the start of the session), the source and destination addresses, the protocol used, and some indication of the contents of the packet. By clicking on any packet in the list, the contents of the packet will be displayed in the middle and bottom sections of the Ethereal window. The bottom section shows each byte of the packet in hexadecimal form, as well as an ASCII translation of those bytes that represent characters. In the middle of the window, the packet is analyzed in detail. Ethereal knows about many different protocols and can interpret the contents of many different types of packets. Click on some of the packets and take a first look at their contents.
At the bottom of the Ethereal window [or the top in some configurations] is a box labeled "Filter". You can enter a display filter in this box. A display filter specifies the type of packets that you would like to see. All packets that do not match the filter are hidden from the list in the top of the window. A display filter can be the name of almost any protocol, including ip, tcp, udp, arp, icmp, http, telnet, and dns. It can test the values of various parameters of the protocols, as in "ip.src == 172.30.217.13" or "tcp.port == 13". You can combine all these with and, or, and not, as in "ip and not udp". The "Filter" box has the nice property that its background color changes from pink to green when its content is a legal display filter. Try entering "http" into the "Filter" box, and press return, so that you only see packets that make or respond to web requests.
By the way, when you perform a second capture or exit from the program, Ethereal will ask whether you want to save the captured packets into a file. There is no need to do so for this lab, so you can just say "No."
Exercise 1: Click on one of the HTTP packets and examine it in detail in the middle section of the Ethereal window. You can confirm that the structure of the packet is HTTP data wrapped in a TCP segment, which is wrapped in an IP datagram, which is wrapped in an Ethernet frame. If you click one of the little triangles in front of the word "Ethernet", your view of the Ethernet header will be expanded to show the content of the header. Similarly for the "Internet Protocol," "Transmission Control Protocol," and "Hypertext Transfer Protocol" lines. If you click on any of the lines in the middle section of the window, the corresponding bytes in the display in the bottom third of the window will be highlighted. Based on all this, answer the following questions:
- Question 1: What does an Ethernet address look like, and what is the Ethernet address of your computer?
- Question 2: How many bytes are there in an Ethernet header?
- Question 3: What is the IP address of the server computer? How did you find this out by looking at info in the packet?
- Question 4: The HTTP server communicates on port 80. What port number on your computer was used for the communication? How did you find this out?
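The layering that Exercise 1 asks you to confirm can also be seen by peeling the headers off a frame by hand. The following Python program is an added illustration, not part of the original lab: it constructs a sample Ethernet II / IPv4 / TCP frame carrying an HTTP request (the MAC addresses, the server address 192.0.2.10, the client port and the sequence numbers are made up, and no checksums are computed) and then dissects it the way Ethereal's middle pane does, pulling out the fields that Questions 1 through 4 are about.

```python
import struct

ETH_HDR_LEN = 14   # 6-byte destination MAC + 6-byte source MAC + 2-byte EtherType

def build_sample_frame():
    """Construct an Ethernet II / IPv4 / TCP frame carrying an HTTP request (assumed addresses, no checksums)."""
    dst_mac = bytes.fromhex("005056c00001")   # assumed MAC of the gateway
    src_mac = bytes.fromhex("000c293e5b7a")   # assumed MAC of the lab machine
    client_ip = bytes([172, 30, 217, 13])     # the address used in the display-filter example above
    server_ip = bytes([192, 0, 2, 10])        # placeholder for the web server (RFC 5737 documentation range)
    http = b"GET /eck/cs441/f04/lab1.html HTTP/1.1\r\nHost: math.hws.edu\r\n\r\n"
    src_port, dst_port = 33021, 80            # ephemeral client port, well-known HTTP port
    data_offset_flags = (5 << 12) | 0x18      # 20-byte TCP header (5 words), flags PSH+ACK
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 0x12345678, 0x9ABCDEF0,
                      data_offset_flags, 8192, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1C46, 0x4000, 64, 6, 0,
                     client_ip, server_ip)   # version 4, IHL 5, TTL 64, protocol 6 = TCP
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)   # EtherType 0x0800 = IPv4
    return eth + ip + tcp

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def dissect(frame):
    """Peel the layers off one frame and return the fields Exercise 1 asks about."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (EtherType 0x{ethertype:04x})")
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        raise ValueError("IP version field is not 4")
    ihl = (ip[0] & 0x0F) * 4                   # IP header length in bytes; 20 when there are no options
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError(f"not TCP (IP protocol {ip[9]})")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes
    return {
        "eth_header_len": ETH_HDR_LEN,
        "dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac),
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "tcp_flags": tcp[13],
        "payload": tcp[data_off:],             # what Ethereal labels "Hypertext Transfer Protocol"
    }

if __name__ == "__main__":
    for name, value in dissect(build_sample_frame()).items():
        print(f"{name}: {value!r}")
```

Compare the output with the byte offsets Ethereal highlights in the bottom pane when you click each header line: the source MAC starts at byte 6, the IP addresses at bytes 26 and 30, and the ports at bytes 34 and 36 of the frame.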
Exercise 2: Now, enter "not ip" as the display filter. This lets you see non-IP packets. What protocols do you see? (Hint: Many of the non-IP packets are for the ARP protocol. Try using the filter "not ip and not arp" to find other protocols.) Describe some of the things that you can discover or guess about these protocols, just from information available in the Ethereal window. (If you are ambitious, you can try investigating UDP packets as well and report on your observations.)
Investigating the HTTP protocol
Now that you have seen some of what Ethereal can do, you will use it to investigate the HTTP protocol. The basic procedure is to start a capture session, look at a Web page or two, stop the capture, and apply "http" as the display filter on the captured data. Then, you can look at the individual packets to help you understand the communication that has gone on between the client and the server. The following exercises ask you to look at certain web pages. These should be pages that you have not looked at recently in the browser that you are using. If you have looked at them recently, you should clear your browser's cache before proceeding. Ask for help on how to do this, if you need it.
Exercise 3: For this exercise, we look at accessing a simple page. Start a capture session. Load the page http://math.hws.edu/eck/cs441/f04/lab1.html. Now, close your browser, reopen it, and load the same page again. Stop the capture and look at the result using display filter "http". Answer the following questions:
- Question 1: What web server software is running on math.hws.edu? How did you find the answer?
- Question 2: How many packets did the server use to send the requested page to your computer? What was in the first packet, and what was in the remaining packets? How many bytes of web page content were sent in each packet?
- Question 3: What was the difference between the first request for the page and the second request? How did the server's response differ?
- Question 4: Were the two page requests sent over the same TCP connection, or was a separate connection used for each request? What evidence do you have for your answer?
Exercise 4: Next, consider a slightly more complex situation. Load the URL http://math.hws.edu/eck during a capture session. (Do not add a "/" at the end of this URL.) Use the http packets to answer the following questions:
- Question 1: What was the response from the server to the request for http://math.hws.edu/eck ? What was the value of the "Location:" header in the server's response? What did your web browser do with this header?
- Question 2: In addition to the web page itself, your browser sent requests for four images. What is the value of the "Referer:" header in the requests for these images? (The misspelling is the official name of the header.) Why does the browser send it?
- Question 3: Find the "Content-Type:" headers in the server's responses. What values do you find for this header? What do you suppose this header is for?
Exercise 5: This exercise looks at the POST method, which is often used to transmit data that the user enters into a form on a Web page. Start a capture session, and use the form at http://math.hws.edu/eck/mysql.php. What this form does is not important; you can fill in the boxes with some nonsense data. Click the "Submit Query" button. Find the POST request in the capture data. What is the content type in the POST request? Where is the actual data from the form? Note that whatever you typed is readable in the capture by anyone who can see the traffic; that is why forms that carry passwords or other secrets should not be sent over plain HTTP.
Exercise 6: For this exercise, you should use Ethereal to look at the use of cookies. Load the web page http://www.hws.edu, and look at how cookies are set by the server and returned to the server by the web browser. Report on what you find.
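The four exchanges that Exercises 3 through 6 ask you to find in a capture can be replayed without a network. The following Python program is an added illustration, not part of the original lab and not the software running on math.hws.edu: it contains a toy origin server that speaks just enough HTTP/1.1 to produce a conditional-GET response, a redirect for a directory requested without its trailing "/", a reply to a urlencoded POST, and a Set-Cookie header, together with the follow-up request a browser would send. The server name "ExampleHTTPd/1.0", the Last-Modified date, the page body and the cookie value are all made up.

```python
from urllib.parse import parse_qs

# Constructed for illustration; the server name, date, page and cookie value are assumptions.
HOST = "math.hws.edu"
LAST_MODIFIED = "Mon, 06 Sep 2004 14:02:11 GMT"
PAGE = b"<html><body>Lab 1</body></html>"

def parse_http_message(raw):
    """Split a raw HTTP/1.x message into its start line, a dict of headers (names lower-cased) and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def message(start_line, headers, body=b""):
    """Serialize a request or response; Content-Length is computed from the body."""
    lines = [start_line] + [f"{k}: {v}" for k, v in headers] + [f"Content-Length: {len(body)}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body

def request(method, path, headers, body=b""):
    return message(f"{method} {path} HTTP/1.1", [("Host", HOST)] + headers, body)

def status_code(raw_response):
    return int(parse_http_message(raw_response)[0].split(" ")[1])

def serve(raw_request):
    """Toy origin server: just enough HTTP/1.1 to produce the responses the exercises ask about."""
    start, h, body = parse_http_message(raw_request)
    method, path, _version = start.split(" ")
    if path == "/eck":   # Exercise 4: a directory requested without the trailing "/" is redirected to it
        return message("HTTP/1.1 301 Moved Permanently", [("Location", f"http://{HOST}/eck/")])
    if method == "POST" and h.get("content-type") == "application/x-www-form-urlencoded":
        form = parse_qs(body.decode("iso-8859-1"))   # Exercise 5: the form data travels in the body
        echo = ", ".join(f"{k}={v[0]}" for k, v in sorted(form.items())).encode()
        return message("HTTP/1.1 200 OK", [("Content-Type", "text/plain")], echo)
    if h.get("if-modified-since") == LAST_MODIFIED:   # Exercise 3: conditional GET, page unchanged
        return message("HTTP/1.1 304 Not Modified", [("Last-Modified", LAST_MODIFIED)])
    headers = [("Server", "ExampleHTTPd/1.0"), ("Last-Modified", LAST_MODIFIED),
               ("Content-Type", "text/html")]
    if "cookie" not in h:   # Exercise 6: the first visit gets a cookie; later visits present it
        headers.append(("Set-Cookie", "session=abc123; Path=/"))
    return message("HTTP/1.1 200 OK", headers, PAGE)

def follow_up_request(path, previous_response):
    """What a browser sends for the same page the second time: a conditional GET carrying any cookie it was given."""
    _, h, _ = parse_http_message(previous_response)
    extra = []
    if "last-modified" in h:
        extra.append(("If-Modified-Since", h["last-modified"]))
    if "set-cookie" in h:
        extra.append(("Cookie", h["set-cookie"].split(";")[0]))   # attributes such as Path are not sent back
    return request("GET", path, extra)

def run_exercises():
    """Replay the exchanges and return the things you would look for in the http-filtered packet list."""
    path = "/eck/cs441/f04/lab1.html"
    first = serve(request("GET", path, []))
    second_req = follow_up_request(path, first)
    second = serve(second_req)
    redirect = serve(request("GET", "/eck", []))
    post_req = request("POST", "/eck/mysql.php",
                       [("Content-Type", "application/x-www-form-urlencoded")], b"name=nonsense&value=42")
    post = serve(post_req)
    return {
        "first_status": status_code(first),
        "first_set_cookie": parse_http_message(first)[1].get("set-cookie"),
        "second_request_headers": parse_http_message(second_req)[1],
        "second_status": status_code(second),
        "second_body_len": len(parse_http_message(second)[2]),
        "redirect_status": status_code(redirect),
        "redirect_location": parse_http_message(redirect)[1].get("location"),
        "post_content_type": parse_http_message(post_req)[1].get("content-type"),
        "post_body": parse_http_message(post_req)[2],
        "post_echo": parse_http_message(post)[2].decode(),
    }

if __name__ == "__main__":
    for name, value in run_exercises().items():
        print(f"{name}: {value!r}")
```

The point to take from the replay is which headers link the packets together: the Last-Modified date from the first response reappears as If-Modified-Since in the second request, the Location header tells the browser what to fetch next, and the Set-Cookie value comes back as a Cookie header. In a real capture the same values let you match each request to the response that caused it.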
Extra Info: Capture Filters
If you run Ethereal remotely (through ssh -X), you do not want to capture ssh packets! (Can you see why?) To avoid doing so, you can use a capture filter. A display filter selects which captured packets are to be displayed; a capture filter selects which packets are to be captured in the first place. Packets that don't match the capture filter are ignored.
When you use the "Start Capture" command, the window that appears has a box where you can enter a capture filter. Unfortunately, the syntax for capture filters is different from the syntax for display filters: capture filters use the libpcap/tcpdump syntax, in which a service name such as ssh is looked up in /etc/services, so "not port ssh" and "not port 22" mean the same thing. To avoid capturing ssh packets, you can use either one as the capture filter.
Other possible capture filters include "ip", "udp", and "tcp". These can be combined with and, or, and not, as in "ip and not port ssh". Such filters can be useful in a long capture session when you want to avoid saving a lot of uninteresting packets.
The Capture window also has an option named "Update list of packets in real time." If you turn this on and also turn on the option "Automatic scrolling in live capture," then you can see the packets in the Ethereal as they are being captured. This can be useful for monitoring the network and diagnosing network problems, especially when used with a capture filter that selects just the packets that interest you.
David Eck, September 2004