Snoopy by pengxuebo


Due Date: Nov 4
Points: 25 Points


To gain experience intercepting/capturing HTTP/TCP traffic on a network.

Equipment Needed

You may download a fresh version of the Ubuntu OS. The OS has the WireShark network protocol
analyzer software properly configured and installed. You will also need an Ethernet connection, i.e. a cat 5


A packet sniffer or commonly called a network analyzer is often used by a network or system administrator
to monitor and troubleshoot network traffic. Using the information captured by the network analyzer an
administrator can pinpoint bottlenecks and maintain efficient network data transmission.

The network analyzer behaves by simply capturing all data packets that pass through a given network
interface (e.g. Ethernet or Wireless adapters). Typically, the network analyzer would only capture packets
that were intended for the machine in question. However, if placed into promiscuous mode, the packet
sniffer is also capable of capturing ALL packets traversing the network regardless of destination.

By placing a network analyzer on a network in promiscuous mode, a malicious intruder can capture and
analyze all of the data that passes through a network. Within a given network, username and password
information is generally transmitted in clear text which means that the information would be viewable by
analyzing the packets being transmitted.


1. Configuring VirtualBox Network Settings

In the VirtualBox window with your Ubuntu machine Powered Off, highlight the Ubuntu machine and the
click on the “Network” selection in the right pane. In the “Attached to:” pull down menu select “Bridged
Adapter”. This selection will allow your Ubuntu OS to obtain an IP address for its exclusive use instead of
using the IP address of the host OS. You will not longer be able to use the wireless connection for any
outgoing connections from Ubuntu. Hence, you might want to change the network setting back to “Nat”
when you finish this experience.

2. Configuring WireShark

       2.1 To start WireShark open a „Terminal‟ and type „sudo wireshark‟ (you will be
           prompted to enter the root password).
       2.2 Before you can begin click „Ok‟ on the pop-up dialog indicating you are running this
           program as root; it may be hiding behind WireShark.

       2.3 Once WireShark opens click the            icon (first icon below „file‟) to choose a
          network interface to listen for packets; the dialog below should appear.

       2.4 Choose eth*, where * represents a number (your device could be 0 – 9).
           Make note of the IP address (yours will be different) we will be using
           this IP address in Step 4 for interactions with your web-server.
       2.5 Select Start; WireShark will immediately begin intercepting packets.
       2.6 From the top menu, Select „Capture‟ -> „Stop‟

3. Intercepting, Filtering, & Analyzing Raw Packets

       3.1 It is suggested that you close all open internet browsers; if you prefer to keep them
           on, it may be necessary to comb through more data to complete this section.
       3.2 Select „Capture‟ -> Start
       3.3 In Ubuntu open Firefox and go to
       3.4 After the page completes loading
           Select „Capture‟ -> Stop
           WireShark will continuously report all packets to your machine of all network activity
           that is not filtered once capturing starts. To avoid being inundated with HTTP/TCP
           data we stop capturing data at this point to analyze the data.

By default WireShark intercepts the raw data from hundreds of protocols. To prevent information overload,
we must configure WireShark to only allow protocols that are of interest and filter out all others.

       3.5 Select „Capture‟ -> „Capture Filters…‟
                                     *Dialog Box Below Should Appear*
3.6 Select „HTTP TCP port (80)‟
        -- If this is not shown choose „TCP or UDP port 80 (HTTP)
3.7 Click „Ok‟
    This sets a filter to only allow the reporting of data flowing through the TCP protocol that is an
    HTTP data session.

WireShark User Interface
3.8 WireShark is partitioned into three sections
        3.8.1 Section 1 (top): Sequence of Packets captured
        3.8.2 Section 2 (middle): Data extracted from Hex Dump of packet in human-
                                   readable Format (of a selected packet)
        3.8.3 Section 3 (bottom): Raw Hex Dump (of a selected packet)
3.9 Notice the „green highlighted‟ rows; this is HTTP/TCP network traffic
3.10 In Section 1
        3.10.1 Right Click the first HTTP protocol, the „info‟ column should read
                „GET / HTTP 1.1‟
        3.10.2 Select -> „Follow TCP Stream‟. Scroll through the data; what do you see?
               Is the data encrypted or in plaintext? Carefully review its contents.

                          * Perform a Print-Screen for Reporting*

3.11 Still in Section 1, now click the first HTTP protocol, the „info‟ column should read
    „GET / HTTP 1.1‟

                    *Your WireShark screen should look similar to below*
      3.12 In section two, inspect all of the data the packet is carrying.
           What is the destination host? What type of user-agent is being used?
      3.13 Review the complete HTTP connection, start to finish. What do you notice? You
          may notice that there is an awful lot of „GET‟ requests and we only “requested” the
 webpage. Inspect the other „GET‟ requests. Find anything of interest?
          Yes, after the initial request for, there is an equal number of „GET‟ requests
          for each image, css-sheet, and others required to fully load the page.

        What is most interesting is that all of the data that you have been sifting through is

4. Snoopy the Password Sniffer

      4.1 Leave WireShark open (and not capturing)
      4.2 Using the IP-address found in Step 2.3
          Point the HOST OS browser to http://<IP-FOUND-IN-STEP-2.3>/login.html
          The remaining efforts of Step 4 will be snooping usernames/passwords being sent
          to your APACHE Web-Server that was set up in a previous experience.
      4.3 In WireShark
              Select „Capture‟ -> „Start‟
      4.4 Switch to your web-browser and fill-in any username and any password.
      4.5 Click „Submit‟
      4.6 In WireShark
              Select „Capture‟ -> „Stop‟
      4.7 In addition to filtering packets based on protocol we can also filter based on their
          packet source, destination, address, etc. For a complete list of IP filters click

                                     *The Below Dialog Box Should Appear*
4.8 Find & Expand „Internet Protocol‟
       4.8.1 Select „ip.dst‟ from the right-most column
       4.8.2 Select „==‟ from the middle column
       4.8.3 Type „<IP-FOUND-IN-STEP-2.3>‟ in the left-most text box
              (the IP-address of

       This tells WireShark to only show those packets that have a destination address of „„<IP-
                                          *Sample Screen*

4.9 Click „Ok‟
4.10 Select „Apply‟ to the far-right of „Expression...‟
4.11 In Section 1 of WireShark, select the packet with protocol „HTTP‟ and info „POST‟
4.12 Carefully search through Section 2 & Section 3 of WireShark OR
            Right Click the packet and select „Follow TCP Stream‟ what do you notice?

                                 * Perform a Print-Screen for Reporting*

5. Sniffing Secure Connections

       5.1 Leave WireShark open (and not capturing)
       5.2 In UBuntu point your browser to
       5.3 In WireShark
               Select „Capture‟ -> „Start‟
       5.4 Switch to your web-browser and fill-in your username and password.
       5.5 Click „Submit‟
       5.6 When the page completes loading…
               Select „Capture‟ -> „Stop‟

What do you see? Firstly, you should recognize that there aren‟t any rows/packets highlighted green!
Remember, rows highlighted in green are for HTTP! Webmail uses secure http (HTTPS); however, you
should see TCP data packets.

       5.7 Right click on a TCP data packet and choose „Follow TCP Stream‟
           What do you see? Is the data traveling in plaintext or is it encrypted?

                                 * Perform a Print-Screen for Reporting*

       5.8 To verify that the information is being sent as we think:
          Click a TCP data packet who‟s „info column‟ reads „Application Data‟.
        5.9 Now looking In Section 2 - look through the data under the Secure Socket Layer
            heading. What did you find? Are the packets encrypted?


E-mail in one message the following to with a subject line of “Snoopy”: Failure
to use the correct subject line will result in a 10 point deduction for this experience.

       1. Attach the screenshots, uncompressed, taken in steps 3.10.2, 4.12, & 5.7

To top