Packet Sniffing - Understanding Networks

I used Wireshark, which is a network packet analyzer, to capture and analyze my network traffic at home. Wireshark is able to provide a detailed capture of my packet data, allowing me a peek inside anything happening within my network cable. I left it running for ~1 hour while I did various online errands (check e-mail, do homework assignments, etc.).


I wanted to export my Wireshark file into a CSV in Excel, but found I was unable to (I do not know why; there must be something wrong with my Excel or preferences). So I did most of my analyzing in Wireshark itself (which made it slightly harder).


I found various protocols that came up, many of which I did not know until I did some further research into them. I was interested in what used which protocol depending on the source and its destination.


These are some of the different protocols I got:

TCP, UDP, DNS, ARP, SSL, HTTP, ICMP, SSDP, MDNS, NBNS, TLSv1.2, OCSP, DHCP


ARP (Address Resolution Protocol) - Translates an IP address into the physical (MAC) address (layer 2 of the OSI model).


SSL (Secure Sockets Layer) - Secures the data transferred between the web browser and the server (through encryption).


TCP (Transmission Control Protocol) - Acknowledges received packets and is reliable because it resends lost packets. Used by application protocols like HTTP and FTP (example: e-mail, which needs every byte).


UDP (User Datagram Protocol) - A send-and-forget protocol. Less reliable because it does not send acknowledgments or care about every byte of information (example: video streaming).


HTTP (Hypertext Transfer Protocol) - The foundation of data exchange on the Web; a client-server protocol.


DNS (Domain Name System) - A hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network. The phonebook of the internet - translates domain names into IP addresses.


SSDP (Simple Service Discovery Protocol) - An HTTP-based protocol that runs on top of UDP rather than TCP. Devices can find and communicate with each other as soon as they are plugged in or turned on, enabling them to "play" with minimal configuration on the part of the owner: an invisible networking experience that lets devices connect automatically.


MDNS (Multicast Domain Name System) - Resolves hostnames to IP addresses within small networks that do not include a local name server.


NBNS (NetBIOS Name Service) - A name resolution protocol that uses UDP as its transport protocol.


ICMP (Internet Control Message Protocol) - Network protocol for IP networking. Transfers control information for the status of the network itself rather than application data. An IP network requires ICMP in order to function properly.


TLSv1.2 (Transport Layer Security v1.2) - A cryptographic protocol designed to provide communications security over a computer network. When the connection starts, the record layer encapsulates a "control" protocol, the handshake messaging protocol.


OCSP (Online Certificate Status Protocol) - An Internet protocol used to determine the status of an identified certificate. The OCSP client (the browser) sends a status request to an OCSP responder and receives a reply saying whether the certificate is valid or revoked.


DHCP (Dynamic Host Configuration Protocol) - Management protocol used on UDP/IP networks whereby a DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.
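As an added example (not part of the original post, and not Wireshark's own code), here is a small Python dissector that does for a handful of hand-constructed frames what Wireshark's Protocol and Info columns do for a real capture: read the Ethernet EtherType, then the IPv4 protocol number, then the port numbers, and label each packet ARP, DNS, SSDP, MDNS, TLS, ICMP and so on. The MAC addresses and the 192.168.1.x/203.0.113.x IP addresses are constructed (203.0.113.0/24 is a documentation range), checksums are left at zero, and `to_csv` produces the kind of CSV export mentioned above straight from the decoded fields.

```python
import struct
from collections import Counter

# EtherType and IP protocol numbers (IANA-assigned, real values).
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# Port-to-protocol tables: the first guess a dissector makes from the port number.
UDP_PORTS = {53: "DNS", 67: "DHCP", 68: "DHCP", 137: "NBNS", 1900: "SSDP", 5353: "MDNS"}
TCP_PORTS = {80: "HTTP", 443: "TLS"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def dissect(frame: bytes) -> dict:
    """Label one Ethernet frame the way Wireshark's Protocol/Info columns do."""
    if len(frame) < 14:
        return {"proto": "Malformed", "src": "", "dst": "", "info": "short frame"}
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        if len(payload) < 28:
            return {"proto": "Malformed", "src": mac(src), "dst": mac(dst), "info": "short ARP"}
        op = struct.unpack("!H", payload[6:8])[0]
        sha, spa, tpa = payload[8:14], payload[14:18], payload[24:28]
        if op == 1:
            info = f"Who has {ip(tpa)}? Tell {ip(spa)}"      # ARP request
        elif op == 2:
            info = f"{ip(spa)} is at {mac(sha)}"             # ARP reply
        else:
            info = f"opcode {op}"
        return {"proto": "ARP", "src": mac(src), "dst": mac(dst), "info": info}
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            return {"proto": "Malformed", "src": mac(src), "dst": mac(dst), "info": "short IPv4"}
        ihl = (payload[0] & 0x0F) * 4                        # IPv4 header length in bytes
        proto = payload[9]
        srcip, dstip = ip(payload[12:16]), ip(payload[16:20])
        l4 = payload[ihl:]
        if proto == PROTO_ICMP and l4:
            return {"proto": "ICMP", "src": srcip, "dst": dstip, "info": f"type {l4[0]}"}
        if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            table, base = (TCP_PORTS, "TCP") if proto == PROTO_TCP else (UDP_PORTS, "UDP")
            label = table.get(dport) or table.get(sport) or base
            return {"proto": label, "src": srcip, "dst": dstip, "info": f"{sport} -> {dport}"}
        return {"proto": f"IPv4 proto {proto}", "src": srcip, "dst": dstip, "info": ""}
    return {"proto": f"EtherType 0x{ethertype:04x}", "src": mac(src), "dst": mac(dst), "info": ""}

# --- builders for the constructed sample frames (checksums left at 0) ---
def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

def arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op) + sha + spa + tha + tpa

MAC_LAPTOP, MAC_GATEWAY, BCAST = bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02"), b"\xff" * 6
IP_LAPTOP, IP_GATEWAY, IP_REMOTE = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]), bytes([203, 0, 113, 10])

FRAMES = [  # constructed traffic: gateway asks for the laptop's MAC, laptop answers, then browses
    eth(BCAST, MAC_GATEWAY, ETHERTYPE_ARP, arp(1, MAC_GATEWAY, IP_GATEWAY, b"\0" * 6, IP_LAPTOP)),
    eth(MAC_GATEWAY, MAC_LAPTOP, ETHERTYPE_ARP, arp(2, MAC_LAPTOP, IP_LAPTOP, MAC_GATEWAY, IP_GATEWAY)),
    eth(MAC_GATEWAY, MAC_LAPTOP, ETHERTYPE_IPV4, ipv4(PROTO_UDP, IP_LAPTOP, IP_GATEWAY, udp(51000, 53, b"\0" * 12))),
    eth(MAC_GATEWAY, MAC_LAPTOP, ETHERTYPE_IPV4, ipv4(PROTO_TCP, IP_LAPTOP, IP_REMOTE, tcp_syn(52000, 443))),
    eth(bytes.fromhex("01005e7ffffa"), MAC_LAPTOP, ETHERTYPE_IPV4,
        ipv4(PROTO_UDP, IP_LAPTOP, bytes([239, 255, 255, 250]), udp(1900, 1900, b"M-SEARCH * HTTP/1.1\r\n"))),
    eth(bytes.fromhex("01005e0000fb"), MAC_LAPTOP, ETHERTYPE_IPV4,
        ipv4(PROTO_UDP, IP_LAPTOP, bytes([224, 0, 0, 251]), udp(5353, 5353, b"\0" * 12))),
    eth(MAC_GATEWAY, MAC_LAPTOP, ETHERTYPE_IPV4, ipv4(PROTO_ICMP, IP_LAPTOP, IP_GATEWAY, b"\x08\x00\x00\x00\x00\x01\x00\x01")),
]

def protocol_counts(frames) -> Counter:
    """Wireshark's Statistics > Protocol Hierarchy, reduced to a count per label."""
    return Counter(dissect(f)["proto"] for f in frames)

def to_csv(frames) -> str:
    """The CSV export the post wanted, generated straight from the dissection."""
    rows = ["No.,Source,Destination,Protocol,Info"]
    for n, f in enumerate(frames, 1):
        d = dissect(f)
        rows.append(f"{n},{d['src']},{d['dst']},{d['proto']},{d['info']}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(to_csv(FRAMES))
    print(dict(protocol_counts(FRAMES)))
```

The labelling is port-based, which is the same first guess Wireshark makes: a service running on a non-standard port shows up as plain TCP or UDP until a deeper dissector recognises the payload, so an unexpected "TCP" or "UDP" row in the hierarchy is worth opening up rather than ignoring.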


Capturing packets in progress:


Some of the various destinations that used TCP when connecting to me:

aws.adobess.com

Ghostery

Adblock

NYTimes (nytimes.map.fastly.net)

Wix.com (where I host my website)

My Mac to Condé Nast (accessing Wired.com)


Things such as blocking and trackers used the TCP protocol. This was interesting and also made sense because, in order to successfully block anything, it would need to keep track of every byte (and not let any escape, so that ads don't accidentally slip through).


The Wall Street Journal used the TLSv1.2 protocol with my MacBook.


Some of the various destinations that used UDP when connecting to me:

google.com

ssl.gstatic.com

safebrowsing.googleapis.com

news.google.com

pay.google.com


When looking at HTTP requests, I could see the GET requests and the responses. GET requests used the HTTP protocol, with the responses using OCSP.



Destinations that used other protocols:

My iPhone used different protocols such as ARP, MDNS, UDP and SSDP.

Fios Quantum (my internet provider) used DNS, SSDP and ARP.


It was interesting seeing the difference between the protocols that my iPhone would use as opposed to the ones my MacBook would use. MDNS made sense for my iPhone because (it is on a smaller network than my computer?).


The Fios Quantum gateway used DNS when connecting to me (Anna's MacBook) because, for each request I made for a website, an IP address would need to be translated back to me to reach the destination I wanted.


SSDP is an HTTP-based protocol that runs atop UDP rather than TCP. Fios Quantum will look for a DNS server, as it needs to translate the IP address of the website I search for (i.e. gmail.com). If my machine cannot find a DNS server, it goes on to search for devices that offer DNS services, which is when SSDP is triggered.
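To make the "translate a name into an IP address" step concrete, here is an added Python example (not from the original post) that builds the DNS query a machine sends to UDP port 53 for gmail.com and decodes a hand-constructed response, including the RFC 1035 name-compression pointer that real responses use. The answer address 203.0.113.5 is a documentation address standing in for whatever the real resolver returned, and the transaction id 0x1234 is arbitrary. The decoder also bounds pointer-following, so a malformed message whose pointer loops back on itself is rejected instead of hanging the parser, which is the check any dissector needs before it trusts a field.

```python
import struct

QTYPE_A = 1   # IPv4 address record

def encode_name(name: str) -> bytes:
    """'gmail.com' -> b'\\x05gmail\\x03com\\x00': length-prefixed labels, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """The datagram a client sends to UDP/53: header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN

def decode_name(msg: bytes, offset: int, hops: int = 0):
    """Return (name, offset after the name), following RFC 1035 compression pointers.
    The hop bound stops a malformed message whose pointer loops back on itself."""
    if hops > 16:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer, 14-bit offset
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, hops + 1)
            labels.append(tail)
            return ".".join(lbl for lbl in labels if lbl), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg: bytes) -> dict:
    """Decode the header, question section and A-record answers of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}

def is_malformed(msg: bytes) -> bool:
    """True when the message cannot be parsed safely (truncated, looping, or not a response)."""
    try:
        parse_response(msg)
        return False
    except (ValueError, struct.error, UnicodeDecodeError):
        return True

def addresses_for(query: bytes, response: bytes) -> list:
    """Pair a response with its query by transaction id (as Wireshark does) and return the answers."""
    parsed = parse_response(response)
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: response belongs to another query")
    return [addr for _name, _ttl, addr in parsed["answers"]]

# Constructed exchange for gmail.com. The answer's owner name is the pointer 0xC00C
# back to the question name at offset 12; 203.0.113.5 is a documentation address.
QUERY = build_query(0x1234, "gmail.com")
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR=1 RD=1 RA=1, rcode 0
            + encode_name("gmail.com") + struct.pack("!HH", QTYPE_A, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([203, 0, 113, 5]))
# Constructed malformed message: the question name is a pointer to itself.
LOOPING = struct.pack("!HHHHHH", 0x0001, 0x8180, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", QTYPE_A, 1)

if __name__ == "__main__":
    print(addresses_for(QUERY, RESPONSE))      # ['203.0.113.5']
    print(is_malformed(LOOPING))               # True
```

Matching on the 16-bit transaction id is exactly how Wireshark pairs the "Standard query" and "Standard query response" rows you see in a capture; a response whose id matches no outstanding query is something a resolver should drop, and something worth noticing in a capture.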


There was a lot of back and forth between Fios and my MacBook using ARP (with "who has" requests). This makes sense because ARP translates the IP addresses into the physical addresses for my computer, so every request I made would use this.