Wireshark LABS

Wireshark is a software for capturing and analyzing network traffic. It captures the traffic on a specified network interface on the machine where it is being executed. The traffic can be saved in a file for later analysis, possibly on a different machine.

Wireshark is a powerful tool with many capabilities and constitutes “the” choice for professionals. Wireshark may also be useful for learning purposes. In this case, it is important to carefully balance the complexity of Wireshark, the complexity of real network traffic and the learning objectives.

The “Wireshark Labs” freely available on-line as a supplement to the book “Computer Networking: A Top Down Approach - Jim Kurose, Keith Ross” are an excellent suite of examples in this respect. Each of the labs consists of a document with step-by-step instructions for capturing packets from a live connection and for analyzing important properties of the captured traffic. Furthermore, for each lab, a file with traffic already captured is available.

Before looking at the labs, please read the notes below carefully.

Computer Networks 2

Students are strongly advised to execute autonomously the following Wireshark labs (see above), in the specified order:

  1. Getting started

  2. TCP

The first lab can be executed at the very beginning of the course. The second lab can be executed after the early lectures on TCP, more or less in parallel with those lectures.

Execution of these labs is not a requirement for the exam. There will be no formal control over whether they have actually been carried out. Their execution may be very useful to students irrespective of the exam, though.

The NAT lab might be useful but it probably does not add very much to the other labs. If a student wanted to execute further labs, those suggested below for Computer Networks 1 could perhaps be more useful than the NAT one.

Computer Networks 1

The current structure of this course makes the exam quite heavyweight. Adding Wireshark labs might subtract time and might be distracting. If a student is sufficiently motivated and interested, though, autonomous execution of the following Wireshark labs may be very helpful: it may improve the understanding of some key concepts and it may make the overall topic “more concrete”.

  1. Getting started

  2. DNS

  3. HTTP

  4. Ethernet and ARP.

  5. IP and/or ICMP.

All these labs should be done in the second part of the course, even those about DNS and HTTP. They can be executed in any order, except for the “Getting started” lab that must be the first one. Labs 4 and 4 should be done after the lectures on traceroute (the fragmentation section of Lab 5 should not be done, as it is based on concepts not included in the course).

The DHCP lab should not be executed and its reading may even be misleading (the course describes DHCP in a very over-simplified way: the real DHCP is quite different from the one described in the lectures).


The documents below describe the basic steps for:

  • Using a PC as a platform for analyzing the network traffic of a “device”. The device may be a smartphone, another PC, or any other device with IP connectivity: Kindle, PS4, Chromecast, Internet of Things, whatever (with some limitations, though: devices that do not communicate only with DNS and HTTP/HTTPS and whose DNS configuration cannot be modified, require software tools and configuration operations more complex than those described in these documents).

  • Installing a fully functional DNS server on a PC.

  • Installing a fully functional web server with HTTPS support on a PC.

  • Connecting a smartphone to a fake website, that is, to a copy hosted on a PC of a real website.

  • Inspecting and modifying the traffic between a browser and a web server (even on HTTPS).

The steps and suggestions in the various documents refer to a PC running Windows 10 and a smartphone running Android 9.


The documents are not meant to be step-by-step guides:

  • Execution of most steps will require some thought (e.g., how to make sure that “the device sends its DNS requests to the IP address of the PC”?).

  • Some steps will work smoothly and some others could not work as expected. Some amount of personal work will certainly be required.

  • It is strongly suggested to invent and apply a form of self-discipline for working. Take note of the most important problems, what worked and what did not. Take note of important command parameters, websites and alike. Take time to cleanup your notes periodically.

Even more important

The traffic originated by a real “device” is usually very complex and, in practice, can be understood only in minimal part for two basic reasons:

  • A lot of traffic travels on TLS and thus cannot be decrypted while in transit.

  • The real traffic includes components that in Computer Networks 1/2 are not covered, or are covered in a simplified form (i.e., there is something missing), or are covered in an over-simplified form (i.e., different from the reality).

Learning to cope with such a complexity is an essential skill for a modern engineer. One has to figure out autonomously which things can be understood and which ones cannot; which things must be analyzed in more depth and which ones could be analyzed but may be omitted. This know-how can only be built with personal experience, patience, thought (and Google).

Computer Networks 2

Labs 1, 2, 3 are guides for the project required for the exam (the "Strict Transport Security" appendix in 3 is not required for the exam).

The other labs are not a requirement for the exam. They may be very useful for better understanding the corresponding topics and make them more concrete. Their execution requires some time and motivation, though.

Computer Networks 1

None of the labs listed below is a requirement for the exam.

Execution of the Web server lab may be very helpful (for motivated students, as observed above for Wireshark).

Execution of the MITM on smartphone might be feasible at the end of the course. However, this lab is complex and time-consuming. I do not recommend its execution.

Execution of the other labs requires the knowledge of topics not covered in Computer Networks 1.

  • The only exception is the "Rogue CA" lab. Reading the lab up to that section (included) may be helpful for improving the understanding of HTTPS and of certification authorities, even without actually executing the lab.