CPS 470/570: Wireshark Lab HTTPS

Two weeks, 60 pts


1. Purpose

The goal of this lab is to introduce you to Wireshark and observe HTTPS traces in Wireshark.

2. Description

2.1. Download and Learn Wireshark

a) Wireshark Basics


The basic tool for observing the messages exchanged between executing protocol entities is called a packet sniffer. As the name suggests, a packet sniffer captures (“sniffs”) messages being sent/received from/by your computer; it will also typically store and/or display the contents of the various protocol fields in these captured messages. A packet sniffer itself is passive. It observes messages being sent and received by applications and protocols running on your computer, but never sends packets itself. Similarly, received packets are never explicitly addressed to the packet sniffer. Instead, a packet sniffer receives a copy of packets that are sent/received from/by application and protocols executing on your machine.


Figure 1 shows the structure of a packet sniffer. At the right of Figure 1 are the protocols (in this case, Internet protocols) and applications (such as a web browser or ftp client) that normally run on your computer. The packet sniffer, shown within the dashed rectangle in Figure 1 is an addition to the usual software in your computer, and consists of two parts. The packet capture library receives a copy of every packet that is sent from or received by your computer. Recall from the discussion from section 1.5 in the text (Figure 1.24) that messages exchanged by higher layer protocols such as HTTP, FTP, TCP, UDP, DNS, or IP all are eventually encapsulated in link-layer frames that are transmitted over physical media such as an Ethernet cable. In Figure 1, the assumed physical media is an Ethernet, and so all upper layer protocols are eventually encapsulated within an Ethernet frame. Capturing all link-layer frames thus gives you all messages sent/received from/by all protocols and applications executing in your computer. The second component of a packet sniffer is the packet analyzer, which displays the contents of all fields within a protocol message. 


Figure 1. Packet sniffer structure


You will be using the Wireshark packet sniffer [www.wireshark.org] for this assignment, which lets you display the contents of messages being sent/received from/by protocols at different levels of the protocol stack. In order to run Wireshark, go to www.wireshark.org and download and install the Wireshark binary for your computer.


The Wireshark FAQ at wireshark.org has a number of helpful hints and interesting tidbits of information, particularly if you have trouble installing or running Wireshark. 


b) Running Wireshark


When you run the Wireshark program, the Wireshark graphical user interface shown in Figure 2 will be displayed. Choose a network interface. Since I use my desktop in my office, I double-clicked Ethernet. If you use your laptop, you may choose Wi-Fi or another wireless connection.


Figure 2. Wireshark Graphical User Interface


You will then see the window capturing packets from Ethernet.


The best way to learn about any new piece of software is to try it out. We’ll assume that your computer is connected to the Internet. Do the following:


  1. Start up your favorite web browser, which will display your selected homepage.
  2. Start up the Wireshark software.
  3. While Wireshark is running, enter the address of any e-commerce site that uses HTTPS (https://your-favorite-e-commerce) in your browser.
  4. After your browser has displayed the web page, stop Wireshark packet capture by selecting Stop in the Wireshark capture window. You now have live packet data that contains all protocol messages exchanged between your computer and other network entities! There will be many other types of packets displayed as well. Even though the only action was to download a web page, there were evidently many other protocols running on your computer that are unseen by the user!


2.2. SSL (Secure Sockets Layer). Total: 15×4 = 60 points

The main task in this assignment is to investigate the HTTPS protocol, focusing on the SSL/TLS records sent over a TCP connection. We’ll do so by analyzing a trace of the SSL records sent between your host and an e-commerce server. We’ll investigate the various SSL/TLS record types as well as the fields in the SSL/TLS messages. You may want to review Chapter 8. 


If you have difficulty creating a trace, you should download the zip file gaia.cs.umass.edu/wireshark-labs/wireshark-traces.zip and extract the ssl-etherealtrace-1 packet trace. Then open the trace in Wireshark.


2.2.1. Capturing packets in an SSL session

The first step is to capture the packets in an SSL session. To do this, you should go to your favorite e-commerce site and begin the process of purchasing an item (but terminate before making the actual purchase!). After capturing the packets with Wireshark, you should set the filter so that it displays only the packets that contain SSL/TLS records sent from and received by your host. (An SSL/TLS record is the same thing as an SSL/TLS message.)
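The filter step just described, together with the encapsulation chain from the Wireshark Basics section (every upper-layer message ends up inside an Ethernet frame), can be reproduced in a few lines of code. The Python below is an added example, not part of the lab handout or of Wireshark: it peels Ethernet -> IPv4 -> TCP to reach the payload and keeps only frames from or to the host whose payload starts with a plausible SSL/TLS record header, which is roughly the sanity check behind Wireshark's `ssl`/`tls` display filter. The frames, the addresses (192.168.1.10 as the host, 203.0.113.5 as the shop) and the port numbers are constructed for the example; IP and TCP checksums are left at zero.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}


def parse_frame(frame):
    """Peel the encapsulation: Ethernet -> IPv4 -> TCP -> payload.
    Returns (src_ip, dst_ip, sport, dport, payload) or None for non-IPv4/TCP frames."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_TCP or len(ip) < total_len:
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return src_ip, dst_ip, sport, dport, tcp[data_off:]


def looks_like_tls_record(payload):
    """The check a dissector applies before calling a payload SSL/TLS: a 5-byte
    header with a known content type, a 3.x version and a legal record length."""
    if len(payload) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 3 and length <= 2 ** 14 + 2048


def tls_frames(frames, host_ip):
    """Keep only frames carrying SSL/TLS records sent from or received by host_ip.
    Returns (frame number, 'client' or 'server', content type of the first record)."""
    kept = []
    for number, frame in enumerate(frames, start=1):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, _dport, payload = parsed
        if host_ip in (src, dst) and looks_like_tls_record(payload):
            kept.append((number, "client" if src == host_ip else "server",
                         TLS_CONTENT_TYPES[payload[0]]))
    return kept


# --- constructed frames standing in for a capture (checksums left at zero) ---
def build_frame(src_ip, dst_ip, sport, dport, payload):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IP_PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


HOST_IP, SHOP_IP = "192.168.1.10", "203.0.113.5"      # constructed addresses
SAMPLE_FRAMES = [
    build_frame(HOST_IP, SHOP_IP, 49152, 443, b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"),  # Handshake record
    b"\xff" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,                                   # ARP, not IPv4
    build_frame(SHOP_IP, HOST_IP, 443, 49152, b"\x14\x03\x01\x00\x01\x01"),                      # ChangeCipherSpec
    build_frame(HOST_IP, "198.51.100.7", 49153, 80, b"GET / HTTP/1.1\r\n"),                      # plain HTTP
]

if __name__ == "__main__":
    for entry in tls_frames(SAMPLE_FRAMES, HOST_IP):
        print(entry)
```

Run on the four constructed frames, `tls_frames` keeps only frames 1 and 3: the ARP frame has no IP layer at all, and the plain HTTP frame is TCP but its payload does not start with a record header, which is exactly what the display filter hides.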


2.2.2. A look at the captured trace

Your Wireshark GUI should be displaying only the Ethernet frames that have SSL records. It is important to keep in mind that an Ethernet frame may contain one or more SSL records. (This is very different from HTTP, for which each frame contains either one complete HTTP message or a portion of an HTTP message.) Also, an SSL record may not completely fit into an Ethernet frame, in which case multiple frames will be needed to carry the record. Whenever possible, when answering a question below, you should have a printout of the packet(s) within the trace that you used to answer the question asked. Annotate² the printout to explain your answer. To print a packet, use File->Print, choose Selected packet only, choose Packet summary line, and select the minimum amount of packet detail that you need to answer the question.


  1. For each of the first 8 Ethernet frames, specify the source of the frame (client or server), determine the number of SSL records that are included in the frame, and list the SSL record types that are included in the frame. Draw a timing diagram between client and server, with one arrow for each SSL record. 
  2. Each of the SSL records begins with the same three fields (with possibly different values). One of these fields is “content type” and has length of one byte. List all three fields and their lengths. 

ClientHello Record: 

  1. Expand the ClientHello record. (If your trace contains multiple ClientHello records, expand the frame that contains the first one.) What is the value of the content type? 
  2. Does the ClientHello record contain a nonce (also known as a “challenge”)? If so, what is the value of the challenge in hexadecimal notation? 
  3. Does the ClientHello record advertise the cipher suites it supports? If so, in the first listed suite, what are the public-key algorithm, the symmetric-key algorithm, and the hash algorithm? 

ServerHello Record: 

  1. Locate the ServerHello SSL record. Does this record specify a chosen cipher suite? What are the algorithms in the chosen cipher suite? 
  2. Does this record include a nonce? If so, how long is it? What is the purpose of the client and server nonces in SSL? 
  3. Does this record include a session ID? What is the purpose of the session ID? 
  4. Does this record contain a certificate, or is the certificate included in a separate record? Does the certificate fit into a single Ethernet frame? 
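The questions above (records per frame, the three common header fields, and the nonce, session ID and cipher suites of the ClientHello and ServerHello) can all be answered by parsing the bytes Wireshark shows. The Python below is an added example, not from the lab handout or the Kurose/Ross trace: it splits a frame's TCP payload into SSL/TLS records using the shared header (content type, version, length), flags a record that does not fit in the frame and continues in the next one, and extracts the hello fields. The payloads are constructed for the example; the cipher-suite table lists a handful of real IANA codes for RSA key-exchange suites, which is enough to name the first offered suite.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
# A few IANA cipher-suite codes (RSA key exchange, as in an older e-commerce trace).
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}


def split_records(payload):
    """Split one TCP payload (one frame) into SSL/TLS records.

    Every record starts with the same three fields: content type (1 byte),
    version (2 bytes: major, minor) and length (2 bytes). A frame may carry
    several records; a record whose length exceeds what is left in the frame
    continues in the next frame and is flagged complete=False."""
    records, pos = [], 0
    while pos + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack("!BBBH", payload[pos:pos + 5])
        body = payload[pos + 5:pos + 5 + length]
        records.append({"type": CONTENT_TYPES.get(ctype, ctype), "version": (major, minor),
                        "length": length, "body": body, "complete": len(body) == length})
        if len(body) < length:
            break
        pos += 5 + length
    return records


def parse_hello(body):
    """Parse the handshake header (type, 3-byte length) in a Handshake record body and,
    for a ClientHello or ServerHello, extract nonce, session ID and cipher suite(s)."""
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    msg = body[4:4 + hs_len]
    info = {"handshake": HANDSHAKE_TYPES.get(hs_type, hs_type)}
    if hs_type not in (1, 2):
        return info
    info["version"] = (msg[0], msg[1])
    info["random"] = msg[2:34].hex()          # 32-byte nonce: 4-byte gmt_unix_time + 28 random bytes
    sid_len = msg[34]
    info["session_id"] = msg[35:35 + sid_len].hex()
    pos = 35 + sid_len
    if hs_type == 1:                            # ClientHello advertises a list of suites
        n = struct.unpack("!H", msg[pos:pos + 2])[0]
        offered = struct.unpack("!%dH" % (n // 2), msg[pos + 2:pos + 2 + n])
        info["cipher_suites"] = [CIPHER_SUITES.get(s, "0x%04x" % s) for s in offered]
    else:                                       # ServerHello names the single chosen suite
        chosen = struct.unpack("!H", msg[pos:pos + 2])[0]
        info["cipher_suite"] = CIPHER_SUITES.get(chosen, "0x%04x" % chosen)
    return info


def describe_frames(frames):
    """For each (source, payload) pair return (source, number of records, record types),
    i.e. what the first question asks for each of the first 8 frames."""
    out = []
    for src, payload in frames:
        recs = split_records(payload)
        out.append((src, len(recs), [r["type"] for r in recs]))
    return out


# --- constructed sample payloads (not taken from a real trace) ---------------
def build_hello(hs_type, random32, session_id, suites):
    """Build a TLS 1.0 Handshake record carrying a minimal ClientHello (1) or ServerHello (2)."""
    if hs_type == 1:
        tail = struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    else:
        tail = struct.pack("!H", suites[0]) + b"\x00"   # chosen suite + null compression
    msg = b"\x03\x01" + random32 + bytes([len(session_id)]) + session_id + tail
    hs = bytes([hs_type]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


CLIENT_HELLO = build_hello(1, bytes(range(32)), b"", [0x002F, 0x0035, 0x000A])
SERVER_HELLO = build_hello(2, bytes(range(32, 64)), b"\xaa" * 32, [0x002F])
# A Certificate record whose 1024-byte body is only partly present in this frame.
PARTIAL_CERT = b"\x16\x03\x01\x04\x00" + b"\x0b" + (0x3FC).to_bytes(3, "big") + b"\x00" * 100
CHANGE_CIPHER_SPEC = b"\x14\x03\x01\x00\x01\x01"   # 5-byte header + 1-byte body
SAMPLE_FRAMES = [("client", CLIENT_HELLO), ("server", SERVER_HELLO + PARTIAL_CERT),
                 ("client", CHANGE_CIPHER_SPEC)]

if __name__ == "__main__":
    for src, n, types in describe_frames(SAMPLE_FRAMES):
        print(src, n, types)
    print(parse_hello(split_records(CLIENT_HELLO)[0]["body"]))
    print(parse_hello(split_records(SERVER_HELLO)[0]["body"]))
```

On the constructed frames the server's frame counts as two Handshake records even though the second (the Certificate) is cut off, which is the situation the "does the certificate fit into a single Ethernet frame" question is about; Wireshark shows the same thing as a record that is reassembled from several TCP segments.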

² What do we mean by “annotate”? If you hand in a paper copy, please highlight where in the printout you’ve found the answer and add some text (preferably with a colored pen) noting what you found in what you’ve highlighted. If you hand in an electronic copy, it would be great if you could also highlight and annotate.

Client Key Exchange Record: 

  1. Locate the client key exchange record. Does this record contain a pre-master secret? What is this secret used for? Is the secret encrypted? If so, how? How long is the encrypted secret? 


Change Cipher Spec Record (sent by client) and Encrypted Handshake Record: 

  1. What is the purpose of the Change Cipher Spec record? How many bytes is the record in your trace? 
  2. In the encrypted handshake record, what is being encrypted? How? 
  3. Does the server also send a Change Cipher Spec record and an encrypted handshake record to the client? How are those records different from those sent by the client? 


Application Data 


  1. How is the application data being encrypted? Do the records containing application data include a MAC? Does Wireshark distinguish between the encrypted application data and the MAC? 
  2. Comment on and explain anything else that you found interesting in the trace. 
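For the application-data question, the following Python is an added example (not part of the handout) of how a TLS 1.0 record is protected under a CBC suite such as TLS_RSA_WITH_AES_128_CBC_SHA. It builds the GenericBlockCipher fragment: the HMAC-SHA1 MAC over the sequence number, record header fields and data is appended to the plaintext, padding is added up to the block size, and the whole fragment is what the block cipher then encrypts. Because the MAC sits inside the ciphertext, Wireshark can only show an opaque Encrypted Application Data blob and cannot separate data from MAC. The block stops short of the encryption step itself and also shows the receiver's side (strip padding, check MAC); the MAC key, sequence number and request line are constructed values.

```python
import hashlib
import hmac
import struct

MAC_LEN = 20  # HMAC-SHA1 output, as in the *_CBC_SHA suites


def mac_input(seq_num, content_type, version, plaintext):
    """The MAC covers the 8-byte sequence number, the record header fields and the data."""
    return struct.pack("!QBBBH", seq_num, content_type, version[0], version[1], len(plaintext)) + plaintext


def block_cipher_fragment(mac_key, seq_num, content_type, version, plaintext, block_size=16):
    """TLS 1.0 GenericBlockCipher: plaintext || MAC || padding || padding_length.
    The whole fragment is what the block cipher encrypts, so a sniffer never sees the MAC."""
    mac = hmac.new(mac_key, mac_input(seq_num, content_type, version, plaintext), hashlib.sha1).digest()
    padding_length = (block_size - (len(plaintext) + MAC_LEN + 1) % block_size) % block_size
    padding = bytes([padding_length]) * (padding_length + 1)   # padding bytes plus the length byte
    return plaintext + mac + padding


def record_header(content_type, version, fragment):
    """Record header as seen in the trace: type, version, length of the (encrypted) fragment."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(fragment))


def open_fragment(mac_key, seq_num, content_type, version, fragment, block_size=16):
    """Receiver side after decryption: strip padding, verify the MAC, return plaintext or None.
    (Real stacks must do the padding and MAC checks in constant time; this is the textbook logic.)"""
    if len(fragment) % block_size or len(fragment) < MAC_LEN + 1:
        return None
    padding_length = fragment[-1]
    if padding_length + 1 + MAC_LEN > len(fragment):
        return None
    if any(b != padding_length for b in fragment[-(padding_length + 1):]):
        return None
    body = fragment[:len(fragment) - padding_length - 1]
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, mac_input(seq_num, content_type, version, plaintext), hashlib.sha1).digest()
    return plaintext if hmac.compare_digest(mac, expected) else None


# constructed sample: client write MAC key, first application-data record after the handshake
MAC_KEY = bytes(range(20))
SEQ, APPLICATION_DATA, TLS_1_0 = 0, 23, (3, 1)
REQUEST = b"GET /cart HTTP/1.1\r\n"

if __name__ == "__main__":
    frag = block_cipher_fragment(MAC_KEY, SEQ, APPLICATION_DATA, TLS_1_0, REQUEST)
    print(record_header(APPLICATION_DATA, TLS_1_0, frag).hex(), len(frag))
    print(open_fragment(MAC_KEY, SEQ, APPLICATION_DATA, TLS_1_0, frag))
```

For the 20-byte request the fragment is 48 bytes (20 data + 20 MAC + 8 padding), and the record header's length field carries 48, not 20: under a CBC suite the length of an Application Data record in the trace is always a multiple of the cipher's block size and never the length of the HTTP data alone. Changing the sequence number or a single ciphertext-side byte makes the MAC check fail, which is how the record layer detects replayed or altered records.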
