Peek into a web download using Wireshark

We will use Wireshark, a network packet capture tool, to look at TCP packets when grabbing a webpage.

Installation

You can find installation instructions here: https://www.wireshark.org/#download

On Mac and Linux, you can also install from the command line (Homebrew/MacPorts, yum install, apt-get install).

If you run into any problems, you can refer to https://www.wireshark.org/docs/wsug_html_chunked/ChapterBuildInstall.html for more detailed help.

Start a live capture in Wireshark

Open the Wireshark interface. On the left side, select one (or more) interfaces that you want to capture from, then click “Start”. You should then see packets flowing. Click the red square button at the top to stop the capture.

Warning: keep your other network activity to a minimum for a cleaner capture, e.g., avoid streaming Netflix while capturing in Wireshark.

What to turn in

1. Curl/wget to grab a webpage

Start a live capture in Wireshark. Then run curl or wget to grab a webpage. After curl/wget finishes, stop the capture in Wireshark.

Look at the packets you've captured. Example screenshot below.

[Example screenshot: Wireshark capture of the curl/wget download]

Questions:

  1. What's the command that you run?

  2. Any DNS packets?

  3. Describe the TCP packets that you see, that is, how each packet corresponds to the TCP handshake, data transfer, and connection-closing steps.
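Question 3 asks you to map each captured segment to a TCP phase. The following added example (not part of the assignment) does that mapping over a constructed, simplified stream modelled on what Wireshark's Info column shows for a single curl connection; the port numbers, payload sizes and segment order are assumptions.

```python
# Added example, not part of the assignment: label each segment of one TCP
# stream as handshake, data or teardown, the mapping question 3 asks for.
from typing import List, Tuple

Segment = Tuple[int, int, str, int]  # (src_port, dst_port, flags, payload_bytes)

# Constructed sample stream, modelled on Wireshark's Info column for a single
# curl connection; client port 52000 and server port 80 are assumed values.
SAMPLE_STREAM: List[Segment] = [
    (52000, 80, "SYN", 0),         # client opens the connection
    (80, 52000, "SYN,ACK", 0),     # server accepts
    (52000, 80, "ACK", 0),         # handshake complete
    (52000, 80, "PSH,ACK", 78),    # HTTP GET request
    (80, 52000, "ACK", 0),         # server acknowledges the request
    (80, 52000, "PSH,ACK", 1200),  # HTTP response
    (52000, 80, "ACK", 0),         # client acknowledges the response
    (80, 52000, "FIN,ACK", 0),     # server closes its side
    (52000, 80, "FIN,ACK", 0),     # client closes its side
    (80, 52000, "ACK", 0),         # final ACK
]

def classify_stream(segments: List[Segment]) -> List[Tuple[str, str, str]]:
    """Return (phase, direction, description) per segment, in capture order.
    Client = side that sent the first SYN; the handshake ends at the first pure
    ACK after SYN and SYN-ACK; the first FIN starts the teardown."""
    client = segments[0][0]
    labels, phase, seen = [], "handshake", set()
    for src, dst, flags, plen in segments:
        fl = set(flags.split(","))
        direction = "client->server" if src == client else "server->client"
        if phase == "handshake":
            if fl == {"SYN"}:
                desc = "handshake 1/3: SYN"
            elif fl == {"SYN", "ACK"}:
                desc = "handshake 2/3: SYN-ACK"
            elif fl == {"ACK"} and seen >= {"SYN", "SYN,ACK"}:
                desc, phase = "handshake 3/3: ACK, connection established", "data"
            else:
                desc = "unexpected segment during handshake"
            seen.add(flags)
            labels.append(("handshake", direction, desc))
            continue
        if "FIN" in fl:
            phase = "teardown"  # the first FIN moves the stream into teardown
        if phase == "data":
            desc = f"{plen} bytes of HTTP payload" if plen else "pure ACK"
        else:
            desc = "FIN, closing one direction" if "FIN" in fl else "ACK of FIN"
        labels.append((phase, direction, desc))
    return labels
```

Compare the labels with the Info column of your own capture; a RST instead of FIN, or retransmissions, will show up as extra segments this simplified classifier does not model.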

2. Open a webpage in a browser

Now we will open a webpage with embedded objects (e.g., cnn.com, which has a lot of embedded images/videos) in a browser. Again, use Wireshark to capture the traffic while you open the page.

Example screenshot below. You should use your own screenshot.

[Example screenshot: Wireshark capture while loading the page in a browser]

Questions:

  1. Which website did you go to?

  2. Do you see any parallel connections your browser makes? If so, how many can you see in your screenshot?

Tip: you can always use a display filter in Wireshark to show only the packets you want to see.