# Wireshark Analysis Lab
## Getting Started with Wireshark
Open Wireshark and you will see a list of available network interfaces, each with a small sparkline showing live activity. Double-click the interface you want to capture from, typically your active Ethernet or Wi-Fi adapter. The capture begins immediately and packets start appearing in the packet list pane. Capturing needs raw access to the interface, so on Linux run Wireshark as root or as a user in the group that is allowed to run dumpcap (the wireshark group on Debian-based systems), and on Windows make sure Npcap is installed. On a switched network you will normally only see your own host's traffic plus broadcast and multicast; seeing other hosts' traffic requires a SPAN/mirror port or a tap.
## Lab 1 - Capturing and Analyzing HTTP Traffic
Step 1: Start a Wireshark capture on your active network interface.
Step 2: Open a browser and navigate to a plain HTTP (not HTTPS) website. With HTTPS the request and response are inside TLS, so Wireshark can only show the handshake and encrypted application data, not the headers this lab looks at.
Step 3: Stop the capture after the page loads.
Step 4: In the display filter bar type http and press Enter to show only HTTP packets. Note that Wireshark decodes HTTP by port by default, so traffic to a web server on a non-standard port may need Decode As.
Step 5: Find the HTTP GET request packet and click on it. The filter http.request narrows the list to requests only.
Step 6: In the packet details pane expand the Hypertext Transfer Protocol section.
Step 7: Observe the request method, requested URL, Host header, and User-Agent. Everything here, including any Cookie or Authorization header, crossed the network in clear text and is readable by anyone on the path.
Step 8: Find the HTTP 200 OK response packet (http.response.code == 200) and examine the response headers and Content-Type. If the body spans several TCP segments, Wireshark reassembles them and shows the full response on the last segment.
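The fields Steps 7 and 8 have you read off the packet details pane, pulled out programmatically from a request/response pair. This is an added example, not part of the original lab: the two messages are constructed rather than captured, and example.com, the cookie value and the user agent string are made-up stand-ins. It also flags the headers that, on plain HTTP, carry credentials in the clear.

```python
"""Extract the HTTP request and response fields that Lab 1 inspects.

Added example, not from the original lab: REQUEST and RESPONSE below are
constructed, not captured; example.com, the cookie and the user agent are
made-up values.
"""

# Headers that, on plain HTTP, cross the network in clear text.
SENSITIVE_HEADERS = ("authorization", "cookie", "set-cookie", "proxy-authorization")


def parse_http_message(raw):
    """Split an HTTP/1.x message into start line, headers and body.

    Header names are case-insensitive (RFC 9110), so keys are lower-cased.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def summarize_request(raw):
    """Method, URL, Host and User-Agent: what Step 7 asks you to observe."""
    msg = parse_http_message(raw)
    method, target, version = msg["start_line"].split(" ", 2)
    host = msg["headers"].get("host", "")
    return {
        "method": method,
        "version": version,
        "host": host,
        "url": "http://" + host + target,   # Wireshark shows this as Full request URI
        "user_agent": msg["headers"].get("user-agent"),
        "cleartext_secrets": [h for h in SENSITIVE_HEADERS if h in msg["headers"]],
    }


def summarize_response(raw):
    """Status, Content-Type and body size: what Step 8 asks you to examine."""
    msg = parse_http_message(raw)
    version, status, reason = msg["start_line"].split(" ", 2)
    declared = msg["headers"].get("content-length")
    return {
        "version": version,
        "status": int(status),
        "reason": reason,
        "content_type": msg["headers"].get("content-type"),
        "body_length": len(msg["body"]),
        # False means the capture stopped early or not all segments of the
        # body were reassembled into this message.
        "complete": declared is None or int(declared) == len(msg["body"]),
    }


# Constructed sample exchange (not a real capture).
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: example.com\r\n"
           b"User-Agent: Mozilla/5.0 (lab)\r\n"
           b"Cookie: session=abc123\r\n"
           b"Accept: */*\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\n"
            b"Content-Length: 28\r\n\r\n"
            b"<html><body>hi</body></html>")

if __name__ == "__main__":
    print(summarize_request(REQUEST))
    print(summarize_response(RESPONSE))
```

The cleartext_secrets list is the point of using an HTTP site for this lab: the same Cookie header in the capture is exactly what a passive attacker on the path would replay.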
## Lab 2 - Analyzing DNS Resolution
Step 1: Start a capture and type the URL of a website you have not visited recently into the browser. If the name is already in the browser or OS resolver cache no query will be sent, so either pick a fresh name or flush the cache first. Browsers configured for DNS over HTTPS send their lookups inside TLS on port 443, so nothing will show under the dns filter until that is turned off.
Step 2: Stop the capture and filter by dns.
Step 3: Find the DNS query packet. Note the query type, which should be A for an IPv4 address lookup. Modern browsers usually send an AAAA (IPv6) query and often an HTTPS (type 65) query for the same name at the same time, so expect more than one query.
Step 4: Find the DNS response packet. Note the IP address returned and the TTL, which is how long the resolver may cache it. Wireshark pairs responses to queries by transaction ID and shows the round-trip time in the response.
Step 5: Expand the DNS details to see the question and answer sections. A query for a name that is an alias will show a CNAME record in the answer section followed by the A record it points to.
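The query/response pair from Steps 3 to 5, built and decoded by hand so the header, question and answer sections are visible as bytes. This is an added example, not part of the original lab: the messages are constructed by build_query() and build_response() rather than captured, and 192.0.2.1 is a documentation address, not example.com's real one. The decoder handles name compression pointers, which real responses use for the answer name, and matches_query() applies the checks a resolver makes before accepting a reply.

```python
"""Build and decode the DNS query/response pair that Lab 2 inspects.

Added example, not from the original lab: messages are constructed, not
captured; 192.0.2.1 is a documentation address.
"""
import struct

QTYPES = {1: "A", 5: "CNAME", 28: "AAAA", 65: "HTTPS"}


def encode_name(name):
    """Encode a domain name as DNS labels: 7 example 3 com 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard query with the recursion-desired bit set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query, address, ttl=300):
    """Answer an A query with one record. The answer name is a compression
    pointer (0xC00C) to the question name at offset 12, as real servers send."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer: jump once
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns(msg):
    """Decode header, question and answer sections (A, AAAA, CNAME rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": QTYPES.get(qtype, qtype)})
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 28 and rdlen == 16:
            value = ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
        elif rtype == 5:
            value, _ = read_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append({"name": name, "type": QTYPES.get(rtype, rtype),
                        "ttl": ttl, "value": value})
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}


def matches_query(query, response):
    """What a resolver checks before trusting a reply: same transaction ID,
    QR bit set, and the question section echoed back unchanged."""
    q, r = parse_dns(query), parse_dns(response)
    return q["id"] == r["id"] and r["is_response"] and q["questions"] == r["questions"]


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response(q, "192.0.2.1")
    print(parse_dns(q))
    print(parse_dns(r), matches_query(q, r))
```

The transaction ID (plus the UDP source port) is all that ties a reply to its query on the wire, which is why a forged reply that guesses both is accepted by an unprotected resolver and why Wireshark's "Transaction ID" is the field to compare when a response looks suspicious.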
## Lab 3 - Examining TCP Three-Way Handshake
Step 1: Start a capture and connect to any website.
Step 2: Filter by tcp.flags.syn == 1 to find SYN packets. This also matches the SYN-ACK replies; tcp.flags.syn == 1 and tcp.flags.ack == 0 shows only the client's opening SYN.
Step 3: Find the first SYN packet from the client to the server.
Step 4: Note the source port, destination port, and initial sequence number. By default Wireshark shows relative sequence numbers, so the SYN appears as Seq=0; the raw 32-bit value is in the "Sequence Number (raw)" field, or turn off "Relative sequence numbers" in the TCP protocol preferences.
Step 5: Find the SYN-ACK response from the server. Note the server's own initial sequence number and that its acknowledgment number is the client's sequence number plus one, because the SYN consumes one sequence number.
Step 6: Find the final ACK completing the handshake. Its acknowledgment number is the server's initial sequence number plus one, and after this packet both sides show Seq=1 relative.
Step 7: Right-click any packet in the TCP connection and select Follow > TCP Stream to see the complete conversation, reassembled in order with each direction in its own colour. The filter this applies, tcp.stream == N, is a quick way to isolate a single connection afterwards.
## Lab 4 - Finding Network Problems
Step 1: Capture network traffic during a slow or failing connection.
Step 2: Look for TCP retransmissions by filtering with tcp.analysis.retransmission. Wireshark flags a segment whose sequence number is below the next expected one in that direction; a few are normal on the internet, but bursts point to loss or an overloaded path.
Step 3: Look for TCP duplicate ACKs with tcp.analysis.duplicate_ack. A receiver repeats the same acknowledgment number when a segment arrives out of order, so runs of duplicate ACKs indicate packet loss; three in a row make the sender fast-retransmit.
Step 4: Look for TCP zero window conditions with tcp.window_size == 0 (or tcp.analysis.zero_window), which indicate the receiver's buffer is full and the application is not reading fast enough. This is a problem on the receiving host, not the network.
Step 5: Check ICMP error messages by filtering with icmp.type == 3, which is Destination Unreachable; the code field tells you whether it was the host, port, or a fragmentation-needed message, the last of which points to a path MTU problem.
Step 6: Use the Statistics menu and select I/O Graphs to visualize traffic volume over time; adding a second graph with the display filter tcp.analysis.flags shows where the problems cluster. Analyze > Expert Information lists every flagged condition in one place.
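The TCP analysis behind Labs 3 and 4, reduced to code: decode IPv4 and TCP headers, track the three-way handshake, convert to the relative sequence numbers Wireshark displays, and flag retransmissions, duplicate ACKs and zero windows the way the tcp.analysis fields do (in simplified form). This is an added example, not part of the original lab or of Wireshark itself: the twelve frames are constructed by build_frame() rather than captured, 192.0.2.10 and 192.0.2.80 are documentation addresses, and the IP and TCP checksums are left at zero, which Wireshark would flag but which does not affect the analysis shown.

```python
"""Decode IPv4/TCP and flag the conditions Labs 3 and 4 look for.

Added example, not from the original lab: frames are constructed, not
captured; addresses are documentation addresses; checksums are zero.
"""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK"}


def _aton(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src, dst, sport, dport, seq, ack, flags, window, payload=b""):
    """Raw IPv4 packet carrying a TCP segment without options (checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, _aton(src), _aton(dst))
    return ip + tcp + payload


def parse_frame(raw):
    """The IPv4/TCP fields shown in Wireshark's packet details pane."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", raw[ihl:ihl + 16])
    return {"src": ".".join(str(b) for b in raw[12:16]),
            "dst": ".".join(str(b) for b in raw[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit],
            "raw_flags": flags, "window": window,
            "len": total_len - ihl - (off >> 4) * 4}      # TCP payload bytes


def analyze(frames):
    """Simplified form of the checks behind Wireshark's tcp.analysis fields.

    Relative seq/ack count from each direction's ISN; a data segment that
    starts before the next expected seq is a retransmission; a pure ACK that
    repeats the previous one's seq, ack and non-zero window is a duplicate
    ACK; a non-RST segment advertising window 0 is a zero window.
    """
    isn, next_seq, last_ack, hs = {}, {}, {}, {}
    report = {"handshake_complete": False, "frames": [],
              "retransmissions": [], "duplicate_acks": [], "zero_windows": []}
    for num, raw in enumerate(frames, start=1):
        s = parse_frame(raw)
        f = s["raw_flags"]
        d = (s["src"], s["sport"], s["dst"], s["dport"])    # this direction
        rev = (s["dst"], s["dport"], s["src"], s["sport"])  # the other one
        if f & SYN:
            isn[d] = s["seq"]
        # Handshake: SYN, then SYN-ACK acking ISN+1, then ACK acking ISN+1.
        if f & SYN and not f & ACK:
            hs = {"client": d, "client_isn": s["seq"]}
        elif f & SYN and f & ACK and hs.get("client") == rev and s["ack"] == hs["client_isn"] + 1:
            hs["server_isn"] = s["seq"]
        elif f & ACK and not f & SYN and hs.get("client") == d \
                and "server_isn" in hs and s["ack"] == hs["server_isn"] + 1:
            report["handshake_complete"] = True
        # Retransmission check runs before next_seq is advanced by this frame.
        if s["len"] > 0 and d in next_seq and s["seq"] < next_seq[d]:
            report["retransmissions"].append(num)
        if s["len"] == 0 and f & ACK and not f & (SYN | FIN | RST):   # pure ACK
            key = (s["seq"], s["ack"], s["window"])
            if s["window"] != 0 and last_ack.get(d) == key:
                report["duplicate_acks"].append(num)
            last_ack[d] = key
        if s["window"] == 0 and not f & RST:
            report["zero_windows"].append(num)
        end = s["seq"] + s["len"] + bool(f & SYN) + bool(f & FIN)  # SYN/FIN use a seq
        next_seq[d] = max(next_seq.get(d, end), end)
        report["frames"].append({
            "frame": num, "flags": s["flags"], "len": s["len"],
            "rel_seq": (s["seq"] - isn[d]) & 0xFFFFFFFF if d in isn else None,
            "rel_ack": (s["ack"] - isn[rev]) & 0xFFFFFFFF if rev in isn else None})
    return report


CLIENT, SERVER = "192.0.2.10", "192.0.2.80"          # documentation addresses


def _c(seq, ack, flags, payload=b"", win=64240):
    return build_frame(CLIENT, SERVER, 51234, 80, seq, ack, flags, win, payload)


def _s(seq, ack, flags, payload=b"", win=65535):
    return build_frame(SERVER, CLIENT, 80, 51234, seq, ack, flags, win, payload)


REQ1 = b"GET / HTTP/1.1\r\n"            # 16 bytes
REQ2 = b"Host: example.com\r\n\r\n"     # 21 bytes
RESP = b"HTTP/1.1 200 OK\r\n\r\n"       # 19 bytes

# Constructed conversation: handshake, request in two segments with the
# second one resent, a duplicate ACK, a zero window, then the reply.
SAMPLE_FRAMES = [
    _c(1000, 0, SYN),                  # 1  SYN              rel seq 0
    _s(5000, 1001, SYN | ACK),         # 2  SYN-ACK          rel seq 0, ack 1
    _c(1001, 5001, ACK),               # 3  ACK: handshake complete
    _c(1001, 5001, PSH | ACK, REQ1),   # 4  data, client next seq 1017
    _s(5001, 1017, ACK),               # 5
    _c(1017, 5001, PSH | ACK, REQ2),   # 6  data, client next seq 1038
    _c(1017, 5001, PSH | ACK, REQ2),   # 7  same data again: retransmission
    _s(5001, 1038, ACK),               # 8
    _s(5001, 1038, ACK),               # 9  repeated: duplicate ACK
    _s(5001, 1038, ACK, win=0),        # 10 zero window
    _s(5001, 1038, PSH | ACK, RESP),   # 11 server next seq 5020
    _c(1038, 5020, ACK),               # 12
]

if __name__ == "__main__":
    result = analyze(SAMPLE_FRAMES)
    for fr in result["frames"]:
        print(fr)
    print({k: v for k, v in result.items() if k != "frames"})
```

Frame 7 is a plain retransmission because the server's last ACK (frame 5) had not yet covered it; Wireshark would call the same segment a spurious retransmission if the data had already been acknowledged, which is the distinction to check before blaming the network.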
## Useful Wireshark Display Filters
ip.addr == 192.168.1.1 shows all traffic to or from that IP (ip.src or ip.dst alone picks one direction)
tcp.port == 80 shows all traffic on TCP port 80, which is usually but not necessarily HTTP
http shows all traffic Wireshark has decoded as HTTP, whatever the port
http.request shows only HTTP requests; http.response.code == 200 shows only 200 OK responses
dns shows all DNS traffic
tcp.flags.syn == 1 and tcp.flags.ack == 0 shows TCP SYN packets only (and and or can also be written && and ||)
tcp.analysis.retransmission shows retransmitted TCP segments; tcp.analysis.flags shows every segment Wireshark's expert analysis has flagged
tcp.stream == 0 shows one TCP connection, the same filter Follow TCP Stream applies
not arp and not dns shows traffic excluding ARP and DNS noise