Let’s look at the encapsulation process and how the layers look in Wireshark. In this section we are going to talk about the OSI model layers, the protocol data unit (PDU) that belongs to each layer, and the addresses. The layers of the OSI model are represented in many different ways that you might already be familiar with. For example, in the Local Area Connection Properties dialog box you can see the OSI model at work when you take a look at the network interface card itself.
That is where you see the physical and data link layers. When you look at your bindings for Client for Microsoft Networks and File and Printer Sharing, those correspond to the application, presentation and session layers. And when we look at the Internet Protocol (TCP/IP) suite, this is where you see the network and transport layers.
Understanding encapsulation
When we understand how encapsulation works as data travels down the OSI model, we can read it in its proper frame format. A standard frame has the following elements: the frame header, which includes the source and destination MAC addresses; the packet header, which includes the source and destination IP addresses; the segment header, which holds the source and destination port numbers; and then the data. Within a frame there is also a frame check sequence (FCS), which holds the value of the cyclic redundancy check (CRC) used for error detection on the network. In Wireshark we are not going to see the contents of the frame check sequence: the network card computes and verifies the CRC and normally strips the FCS before the frame is handed to the operating system, so you won't see it when looking at the layers in Wireshark.
We’re going to take a look at an example where we look at the layers (frame, packet, segment, data) in Wireshark. We will select an HTTP frame and you will see the frame contents from layer 2 through layer 7; the bits themselves, the physical layer or layer 1, will be in the lower panel. We’re going to open up a TCP example. Before we continue, a word about packet analysis in general: packet analysis can be considered a passive attack, so you should only do packet analysis on a network that you either own or have been instructed to capture on. If you do perform a capture, you don’t want to generate more traffic on the network than you are examining.
So what we’re going to do is go to Edit and then Preferences, and look at Name Resolution, where it says “Resolve network (IP) addresses”. You do not want to select this, because it will generate extra traffic by sending a DNS lookup for every address in the capture. Now that we have the TCP example open, this is where we’re going to take a look at the encapsulation process. The TCP example is not a live capture; I’ve already captured it, along with the other exercise files, so we can examine them. Now what we’re going to do is take a look at a single frame.
When you look at the Wireshark interface, it generally defaults to three panels. I’ve taken off the last one; I’m going to bring it back so we can examine the values. Go to View and turn on Packet Bytes, and down at the bottom you’ll see your lower panel. I’m going to right-click and choose the hex view. In most cases you’re going to see it represented in this format: this is a hex view, and that is from back in the day when we did network analysis.
We had what was called a hex dump for this conversation. I’m going to then convert it to the bits view so we can see layer 1 and what it looks like in a layer 1 format. What I want to do now is just look at the HTTP traffic. Up on the top you see all of the frames I have captured, but I simply want HTTP traffic, so I’m going up to the display filter.
Now the protocol is HTTP. Display filters are case sensitive: if I type the protocol name in capital letters on the left-hand side of the display filter, it won’t work. So I put http in the display filter and click Apply. Now I see my two HTTP frames. Over here on the left-hand side we see number 36; that simply means that this is the 36th frame that was captured. Now up on the top, in this panel, we see “Frame 36: 1296 bytes on wire”.
There is no header called “Frame 36”; that’s simply something Wireshark uses to help us understand what is happening in that single frame. It’s metadata about the data. In the lower part we’re going to take a look at the bits of that single frame. We focus on a single frame because frames come into your network interface card one frame at a time, and when we put them all together is when we can analyze a whole conversation. When we look at this single frame we see the different layers; down below is where we see layer 1.
The physical layer: this is the data as it was transmitted into our network interface card as a stream of bits. I’m going to take off that panel because it’s sort of distracting and I want a little more room. I go to View and uncheck Packet Bytes, and that gives me more room to look at the details. So we talked about layer 1, the physical layer, and that was a stream of bits. Up at the top is where we see the encapsulation: Ethernet II, the frame format, which is the most common frame format on a local area network. In the frame header we see the source and destination MAC addresses.
Now we look at the network layer protocol. This is an IP version 4 header, and the main component we’re looking at is the source and destination IP addresses. Then we have the TCP header. This is a segment, and it has a source and destination port: the source port is port 80 and the destination port is 54841. The source port being 80 makes sense, because port 80 is associated with the Hypertext Transfer Protocol, but the destination port, 54841, is not associated with any well-known protocol. That is the client’s port: when the client sent its request it picked this port and told the server, “when you deliver the data back to me, send it to port 54841”. It is a randomly assigned (ephemeral) port chosen by the client, and it tells the client where the returning data is to be delivered.
Now we’re looking at the application layer, where we see HTTP, the Hypertext Transfer Protocol, and within that protocol we see what we were looking for: an image, image/jpeg. That summarizes encapsulation. Again, we’ve talked about the OSI model and its importance, but now we can see how each of those layers works and looks in Wireshark.
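To make the encapsulation concrete, here is an added example (not code from the original article or from Wireshark) that builds the same kind of frame the walkthrough dissects, Ethernet II carrying IPv4 carrying TCP carrying an HTTP response with an image/jpeg body, and then decapsulates it layer by layer the way the Packet Details pane does. It also computes and checks the frame check sequence that Wireshark normally cannot show you, and renders the raw bytes as the hex dump and bit stream of the Packet Bytes pane. The MAC and IP addresses, sequence numbers and payload are constructed values; port 80 and the client’s ephemeral port 54841 are taken from the capture above.

```python
# Added example, not code from the original article: build one Ethernet II / IPv4 / TCP / HTTP
# frame from constructed values, then decapsulate it layer by layer the way Wireshark's
# Packet Details pane does. MACs, IPs, sequence numbers and payload are made up.
import socket
import struct
import zlib

SRC_MAC = bytes.fromhex("020000000001")     # locally administered addresses (constructed)
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.168.1.10", "192.168.1.20"   # web server -> client (constructed)
SRC_PORT, DST_PORT = 80, 54841               # well-known HTTP port -> client's ephemeral port
HTTP_BODY = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
             b"Content-Length: 4\r\n\r\n" + bytes.fromhex("ffd8ffd9"))  # JPEG SOI/EOI markers only


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by IPv4 and TCP; returns 0 when run over data that includes a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame() -> bytes:
    """Encapsulate top-down: HTTP data -> TCP segment -> IPv4 packet -> Ethernet II frame + FCS."""
    src, dst = socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)
    # Layer 4: 20-byte TCP header, data offset 5 words, flags PSH|ACK, checksum filled in below.
    segment = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, 1000, 2000, 5 << 4, 0x18,
                          65535, 0, 0) + HTTP_BODY
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))   # TCP pseudo-header
    segment = segment[:16] + struct.pack("!H", ones_complement_checksum(pseudo + segment)) + segment[18:]
    # Layer 3: 20-byte IPv4 header (IHL 5, TTL 64, protocol 6 = TCP); checksum covers the header only.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_checksum(ip_hdr)) + ip_hdr[12:]
    # Layer 2: 14-byte Ethernet II header (EtherType 0x0800 = IPv4), then the trailing 4-byte FCS.
    frame = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip_hdr + segment
    fcs = struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)   # CRC-32, sent least significant byte first
    return frame + fcs


def decapsulate(frame: bytes) -> dict:
    """Peel the frame bottom-up and return what Wireshark shows at layers 2 through 7."""
    # FCS: the NIC verifies and strips it before the OS sees the frame, so Wireshark normally
    # cannot display it; here we still have it and check it ourselves.
    body, fcs = frame[:-4], frame[-4:]
    fcs_ok = struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)
    # Layer 2: Ethernet II header is destination MAC, source MAC, EtherType.
    dst_mac, src_mac = body[:6].hex(":"), body[6:12].hex(":")
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 packet: EtherType 0x%04x" % ethertype)
    # Layer 3: IPv4 header length comes from the IHL nibble, packet length from Total Length.
    ihl = (body[14] & 0x0F) * 4
    ip_hdr = body[14:14 + ihl]
    total_len, proto = struct.unpack("!H", ip_hdr[2:4])[0], ip_hdr[9]
    src_ip, dst_ip = ip_hdr[12:16], ip_hdr[16:20]
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    # Layer 4: TCP segment; the data offset nibble gives the header length, the rest is payload.
    segment = body[14 + ihl:14 + total_len]
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    payload = segment[(segment[12] >> 4) * 4:]
    # Layer 7: HTTP; split headers from body and pull out Content-Type.
    head, _, data = payload.partition(b"\r\n\r\n")
    content_type = None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-type:"):
            content_type = line.split(b":", 1)[1].strip().decode()
    return {
        "fcs_ok": fcs_ok,
        "src_mac": src_mac, "dst_mac": dst_mac,
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "ip_checksum_ok": ones_complement_checksum(ip_hdr) == 0,
        "src_port": src_port, "dst_port": dst_port,
        "tcp_checksum_ok": ones_complement_checksum(pseudo + segment) == 0,
        # IANA dynamic/private range; Windows clients pick their ephemeral ports here by default
        "dst_port_ephemeral": 49152 <= dst_port <= 65535,
        "content_type": content_type, "body_len": len(data),
    }


def packet_bytes(frame: bytes, as_bits: bool = False, width: int = 16) -> list:
    """Render raw bytes like the Packet Bytes pane: hex dump, or the layer-1 bit stream."""
    lines = []
    for off in range(0, len(frame), width):
        cells = [format(b, "08b" if as_bits else "02x") for b in frame[off:off + width]]
        lines.append("%04x  %s" % (off, " ".join(cells)))
    return lines


if __name__ == "__main__":
    f = build_frame()
    for key, value in decapsulate(f).items():
        print("%-20s %s" % (key, value))
    print("\n".join(packet_bytes(f)[:3]))   # first hex-dump rows, as in the lower pane
```

Run it and the first hex-dump row shows exactly the order the article describes: destination MAC, source MAC, EtherType 0x0800, then the IPv4 header starting with 0x45. Flip any payload byte and both the FCS and the TCP checksum fail while the IPv4 header checksum still passes, which is why a bad FCS never reaches Wireshark but a bad TCP checksum can (and Wireshark does not validate TCP checksums unless you turn that on).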
Latest posts by Hamza Arif