ITECH1003/ITECH5003 Networking Assignment: Wireshark Capture Filter assignment
This assignment requires students to become familiar with Wireshark capture filters, document the qualifiers used in capture filters, construct and use capture filters to capture specific network traffic, include screenshots of captured network traffic, and present associated discussion.
Part 1 – Wireshark and traffic capture basics: Describe what promiscuous mode means in relation to capturing network traffic; explain network layer name resolution in Wireshark, how it works, and how it can be used; describe the difference between a network switch and a network hub, and how switching limits traffic visibility; identify well-known port numbers for various server programs and describe the functions of additional network protocols.
Part 2 – Capture filters: Learn BPF syntax, document and create capture filters with qualifiers and IDs, and explain how they work; describe the logical operators (AND, OR, NOT) used to combine primitives and provide examples; implement capture filters in Wireshark to capture specific traffic, take screenshots including time, source, destination, protocol, and at least two packets; develop filters to capture traffic between your machine and another, exclude certain traffic, and filter by port numbers, discussing how each works; describe how advanced filter syntax detects specific packet content for laymen; and ensure all screens include detailed Wireshark fields.
Network analysis plays a crucial role in maintaining the security, performance, and reliability of modern computer networks. Wireshark, a widely-used network protocol analyzer, offers extensive capabilities for capturing and analyzing network traffic. Understanding how Wireshark captures traffic and how to construct effective capture filters is fundamental for network administrators, security professionals, and students studying networking. This comprehensive discussion explores key concepts, practical filter creation, and real-world applications of Wireshark capture filters, emphasizing both theoretical knowledge and hands-on skills.
Part 1: Wireshark and Traffic Capture Basics
Promiscuous mode is a setting in Wireshark and similar network analyzers that instructs the network interface card (NIC) to pass every frame it receives up to the operating system for analysis, regardless of the destination MAC address. Under normal operation, a NIC accepts only frames addressed to its own MAC address, plus broadcast frames and the multicast groups it has joined, and silently discards the rest. Enabling promiscuous mode allows capturing all traffic on a network segment, which is essential for thorough network analysis, troubleshooting, and intrusion detection (Kurose & Ross, 2017). However, promiscuous mode does not mean the capture includes all network traffic universally; it is limited to the frames that actually reach the interface on the network segment it is attached to.
Wireshark's Capture > Options dialog can enable or disable name resolution for network layer addresses, essentially translating IP addresses into hostnames. This feature simplifies analysis by allowing analysts to interpret addresses more intuitively. When name resolution is activated, Wireshark attempts to resolve IPs to hostnames during capture or display, facilitating easier identification of communicating devices. This is particularly useful when analyzing complex traffic patterns, as human-readable hostnames are often more informative than raw IP addresses (Liu et al., 2019). Note that resolving names generates DNS queries of its own, which adds traffic to a live capture and, when a saved capture is opened later, reveals the addresses under analysis to whatever resolver the analyst's machine uses.
In terms of network topology, a network switch and a hub differ significantly. A hub is a simple device that repeats incoming traffic to all connected ports, creating a shared communication medium where all devices see all traffic. Conversely, a switch is a smarter device that forwards traffic only to the port where the destination MAC address was learned, effectively creating point-to-point links. Modern networks predominantly use switches because they improve efficiency and security, whereas hubs are largely obsolete (Tanenbaum & Wetherall, 2011). Switched networks limit the network traffic visible to Wireshark because unicast traffic is not repeated to every port; Wireshark sees only the frames the switch delivers to its own port (its own unicast traffic plus broadcast and flooded frames), making traffic analysis more targeted and less noisy. To observe other hosts' traffic on a switched network, the analyzer must be placed in the path deliberately, for example on a switch mirror (SPAN) port or behind a network tap.
Regarding IP addressing, TCP/IP uses IP addresses to identify devices, with port numbers distinguishing multiple services on a host. Well-known port numbers are standardized; for example, FTP's control service uses port 21, FTP data uses port 20, HTTP uses port 80, NTP uses port 123, and SSH uses port 22 (Comer, 2018). Other protocols include DNS (port 53), DHCP (ports 67 and 68), SMTP (port 25), IMAP (port 143), and HTTPS (port 443). These protocols serve essential functions such as name resolution, time synchronization, secure remote access, mail transfer, and secure web browsing, underpinning many network operations (Stevens, 2015).
Part 2: Capture Filters and Syntax
Wireshark uses Berkeley Packet Filter (BPF) syntax to define capture filters. BPF primitives are the basic components that specify traffic patterns based on qualifiers such as host, port, or protocol. For example, primitive expressions like host 192.168.1.10 or tcp port 80 specify particular traffic types. Qualifiers include host, net, and port, each with specific syntactic options and use cases.
Qualifiers help specify traffic based on the protocol layer:
- Type qualifiers: host for individual IP addresses, net for network ranges, and port for port numbers.
- Dir qualifiers: indicate source (src) or destination (dst) addresses, e.g., src host or dst port.
- Proto qualifiers: specify protocols like tcp, udp, icmp, etc.
Logical operators—AND (&&), OR (||), and NOT (!)—combine primitives to refine traffic capture criteria. For instance, src host 192.168.1.5 && tcp port 80 captures traffic from a specific host on port 80, while dst host 10.0.0.1 || dst host 10.0.0.2 captures traffic destined for either of two addresses. When used appropriately, these operators enable precise filtering, reducing noise and focusing on relevant data (Liu et al., 2019).
Example capture filters include:
- host 192.168.1.10: captures all traffic to or from 192.168.1.10.
- tcp port 80: captures all TCP traffic with source or destination port 80 (HTTP).
- udp src port 53: captures DNS responses sent from DNS servers.
- net 192.168.0.0/24: captures all traffic with a source or destination address in that subnet.
- icmp: captures all ICMP traffic (ping, router discovery).
- dst host google.com: captures traffic directed to Google (the name is resolved to IP addresses when the filter is compiled, so it matches only the addresses returned at that moment).
- src port 22: captures traffic sent from port 22, i.e. SSH server responses (use dst port 22 to capture client-originated SSH traffic).
- port 67 || port 68: captures DHCP traffic.
- host 10.1.1.1 && udp: captures UDP traffic involving 10.1.1.1.
- not broadcast and not multicast: excludes broadcast and multicast packets.
Logical operators
The three logical operators are AND (&&), OR (||), and NOT (!). AND requires both conditions to be true, e.g., host 192.168.1.10 && tcp port 80, which filters traffic involving a specific host on a specific TCP port. OR captures traffic satisfying at least one condition, e.g., host 192.168.1.10 || host 10.0.0.5. NOT excludes specific traffic, e.g., not broadcast filters out broadcast packets. Combining these operators allows for sophisticated traffic selection, essential for precise network analysis.
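To make the primitives and operators above concrete, the following added example (my own code, not Wireshark or libpcap) evaluates the same host, net, port, src/dst, protocol and broadcast primitives, combined with and/or/not, against a handful of constructed Ethernet/IPv4 frames. The MAC addresses, ports and the 8.8.8.8 and 93.184.216.34 endpoints are constructed sample values; the frames are built with the standard library rather than captured.

```python
"""Toy evaluator for Wireshark/BPF-style capture-filter primitives.

Added example, not Wireshark or libpcap code: decodes constructed
Ethernet/IPv4/TCP/UDP/ICMP frames and applies the primitives discussed in the
essay (host, src/dst host, net, port, src/dst port, tcp/udp/icmp, broadcast)
combined with and/or/not. Checksums are left zero; a capture filter never
verifies them.
"""
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, src_port=0, dst_port=0):
    """Construct an Ethernet II frame carrying IPv4 and a TCP, UDP or ICMP header."""
    if proto == 6:      # TCP: ports, seq, ack, data offset (5 words), flags=ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    elif proto == 17:   # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    else:               # ICMP echo request: type 8, code 0, checksum, id, seq
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip + l4


def decode(frame):
    """Extract the fields the primitives test: MACs, IPs, IP protocol and L4 ports."""
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    fields = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:     # only IPv4 is decoded further in this example
        return fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4    # IP header length in bytes; options would make this > 20
    fields.update(src_ip=str(ipaddress.IPv4Address(ip[12:16])),
                  dst_ip=str(ipaddress.IPv4Address(ip[16:20])), proto=ip[9])
    if ip[9] in (6, 17):        # TCP and UDP both start with source and destination port
        fields["src_port"], fields["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return fields


# Primitives: each returns a predicate over the decoded field dictionary.
def host(addr): return lambda f: addr in (f.get("src_ip"), f.get("dst_ip"))
def src_host(addr): return lambda f: f.get("src_ip") == addr
def dst_host(addr): return lambda f: f.get("dst_ip") == addr
def net(cidr):
    network = ipaddress.ip_network(cidr)
    return lambda f: any(k in f and ipaddress.ip_address(f[k]) in network for k in ("src_ip", "dst_ip"))
def port(n): return lambda f: n in (f.get("src_port"), f.get("dst_port"))
def src_port(n): return lambda f: f.get("src_port") == n
def dst_port(n): return lambda f: f.get("dst_port") == n
tcp = lambda f: f.get("proto") == 6
udp = lambda f: f.get("proto") == 17
icmp = lambda f: f.get("proto") == 1
broadcast = lambda f: f["dst_mac"] == BROADCAST_MAC

# Logical operators: and (&&), or (||), not (!).
def and_(*preds): return lambda f: all(p(f) for p in preds)
def or_(*preds): return lambda f: any(p(f) for p in preds)
def not_(pred): return lambda f: not pred(f)


# Constructed sample traffic (labels describe the intent of each frame).
MY_MAC, GW_MAC = "00:0a:95:9d:68:16", "00:1b:21:aa:bb:cc"
FRAMES = {
    "dns query": build_frame(MY_MAC, GW_MAC, "192.168.1.10", "8.8.8.8", 17, 51234, 53),
    "dns reply": build_frame(GW_MAC, MY_MAC, "8.8.8.8", "192.168.1.10", 17, 53, 51234),
    "http": build_frame(MY_MAC, GW_MAC, "192.168.1.10", "93.184.216.34", 6, 40000, 80),
    "ssh reply": build_frame(GW_MAC, MY_MAC, "10.0.0.5", "192.168.1.10", 6, 22, 50022),
    "ping": build_frame(MY_MAC, GW_MAC, "192.168.1.10", "192.168.1.15", 1),
    "dhcp discover": build_frame(MY_MAC, BROADCAST_MAC, "0.0.0.0", "255.255.255.255", 17, 68, 67),
}

# The essay's filters, expressed with the predicates above.
FILTERS = {
    "host 192.168.1.10 && tcp port 80": and_(host("192.168.1.10"), tcp, port(80)),
    "udp src port 53": and_(udp, src_port(53)),
    "udp dst port 53": and_(udp, dst_port(53)),
    "icmp and host 192.168.1.15": and_(icmp, host("192.168.1.15")),
    "port 67 || port 68": or_(port(67), port(68)),
    "src port 22": src_port(22),
    "net 192.168.1.0/24 and not broadcast": and_(net("192.168.1.0/24"), not_(broadcast)),
}


def matching(filter_name):
    """Labels of the constructed frames that the named filter would capture."""
    pred = FILTERS[filter_name]
    return [label for label, frame in FRAMES.items() if pred(decode(frame))]


if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:40} -> {matching(name)}")
```

Running it shows, for instance, that udp src port 53 selects only the reply while udp dst port 53 selects only the query, and that src port 22 matches the frame sent by the SSH server, which is why direction qualifiers matter when a filter is meant to isolate one side of a conversation.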
Implementing BPF Capture Filters
Applying capture filters effectively requires understanding both syntax and the network environment. For instance, to capture all traffic between your machine and Google in response to a query, you might use: host google.com. After setting this filter, you initiate traffic generation, such as searching for "caviar" on Google, and analyze the resulting packets. Ensuring the correct interface is selected maximizes the capture’s relevance.
To capture traffic between your computer and another machine, the filters can be as specific as IP or MAC address based:
- Using IP: host 192.168.1.15
- Using MAC: ether src 00:0a:95:9d:68:16 (this selects only frames sent by that MAC; ether host 00:0a:95:9d:68:16 selects frames in both directions)
Capturing only ICMP traffic, such as ping responses, involves a filter like: icmp and host 192.168.1.15. Excluding broadcast traffic can be done with not broadcast. To capture all traffic from a range of addresses but exclude broadcast, you could use: net 192.168.1.0/24 and not broadcast. These filters allow focused analysis of specific traffic types, improving troubleshooting efficiency.
Filtering by Port Numbers
To analyze DNS traffic, the filter is: udp port 53, which captures both DNS queries and responses. To restrict the capture to DNS queries sent by your own machine, the filter is: src host 192.168.1.10 and udp dst port 53 (substitute your own address for 192.168.1.10). Queries are sent to server port 53, so a filter on src port 53 would instead select the responses returned by the server. DHCP traffic in either direction is filtered with: port 67 || port 68. These filters are invaluable in diagnosing network issues related to name resolution and address assignment, as they isolate the relevant protocol exchanges (Stevens, 2015).
Advanced Filter Syntax: Detecting Specific Packet Content
Advanced BPF syntax supports testing individual bytes within packets. For example, tcp[13] & 4 == 4 reads the byte at offset 13 of the TCP header (the 14th byte, since offsets count from zero), which holds the TCP flags, masks it with 4, and matches when the result equals 4. The value 4 corresponds to the Reset (RST) bit. The offset is relative to the start of the TCP header, so IP options do not shift it, and libpcap provides named constants for this field so the same test can be written tcp[tcpflags] & tcp-rst != 0. Explaining this simply: the filter looks at a specific location within the packet—for TCP, the flags byte—and tests whether a particular bit (the RST flag) is set. Because the same offset notation can reach any byte of the segment, this capability allows analysts to filter packets on specific header or payload content, enhancing forensic analysis and intrusion detection (Liu et al., 2019).
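The following added example (my own code, not libpcap's compiler) shows what tcp[13] & 4 == 4 actually computes: it finds the TCP header from the IP header length field, reads the flags byte at offset 13 and applies the mask and comparison. The three packets are constructed hex literals with zeroed checksums; one of them carries IP options so that the TCP header no longer starts 20 bytes in, which is the case where computing the offset from IHL matters. The small expression parser handles only the tcp[N] & MASK ==/!= VALUE form discussed in the text.

```python
"""Byte-offset capture filters such as tcp[13] & 4 == 4.

Added example (not Wireshark or libpcap code): evaluates the essay's
byte-offset test against constructed IPv4 packets, locating the TCP header
from the IP header length (IHL) the way a capture filter does, so the
tcp[] offset stays correct even when IP options are present.
"""
import re

TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed packets (IP payload only, no Ethernet header; checksums left zero).
RST_PACKET = bytes.fromhex(
    "4500 0028 0001 0000 4006 0000 c0a8 010a 5db8 d822"        # IPv4, IHL=5 (20 bytes), proto 6
    "0050 9c40 0000 0000 0000 0000 5004 0000 0000 0000")       # TCP 80 -> 40000, flags byte = 0x04 (RST)
SYN_WITH_OPTIONS_PACKET = bytes.fromhex(
    "4600 002c 0002 0000 4006 0000 c0a8 010a 5db8 d822 0101 0100"   # IPv4, IHL=6: 4 bytes of options (NOP NOP NOP EOL)
    "9c40 0050 0000 0001 0000 0000 5002 ffff 0000 0000")            # TCP 40000 -> 80, flags byte = 0x02 (SYN)
DNS_QUERY_PACKET = bytes.fromhex(
    "4500 001c 0003 0000 4011 0000 c0a8 010a 0808 0808"        # IPv4, proto 17 (UDP)
    "c822 0035 0008 0000")                                     # UDP 51234 -> 53


def tcp_header_offset(packet):
    """Byte offset of the TCP header inside an IPv4 packet, or None if it is not TCP."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    return (packet[0] & 0x0F) * 4      # IHL is expressed in 32-bit words


def tcp_byte(packet, index):
    """The value BPF calls tcp[index]: indexed from the TCP header, not from the packet start."""
    offset = tcp_header_offset(packet)
    return None if offset is None else packet[offset + index]


def flag_names(packet):
    """Human-readable names of the TCP flag bits that are set (empty for non-TCP)."""
    flags = tcp_byte(packet, 13)
    return [name for name, bit in TCP_FLAG_BITS.items() if flags is not None and flags & bit]


_EXPR = re.compile(r"^tcp\[(\d+)\]\s*&\s*(\d+)\s*(==|!=)\s*(\d+)$")


def evaluate(expression, packet):
    """Evaluate a filter of the form tcp[N] & MASK == VALUE (or != VALUE) against one packet."""
    m = _EXPR.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expression!r}")
    index, mask, op, value = int(m[1]), int(m[2]), m[3], int(m[4])
    byte = tcp_byte(packet, index)
    if byte is None:                    # a tcp[] test never matches a non-TCP packet
        return False
    return (byte & mask) == value if op == "==" else (byte & mask) != value


if __name__ == "__main__":
    for label, pkt in [("RST", RST_PACKET), ("SYN with IP options", SYN_WITH_OPTIONS_PACKET),
                       ("DNS query", DNS_QUERY_PACKET)]:
        print(f"{label:20} flags={flag_names(pkt)} "
              f"tcp[13] & 4 == 4 -> {evaluate('tcp[13] & 4 == 4', pkt)}")
```

The packet with IP options illustrates why the offset is written relative to the TCP header: its flags byte sits at packet offset 37 rather than 33, yet tcp[13] still lands on it because the filter first adds the IHL-derived header length.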
Conclusion
Mastering Wireshark capture filters and understanding the underlying syntax significantly empower network professionals to diagnose issues, monitor traffic, and enhance security. By effectively utilizing qualifiers, logical operators, and advanced syntax, analysts can pinpoint precise traffic flows amidst large datasets. Hands-on experience with creating, applying, and analyzing filters deepens understanding, enabling efficient and accurate network troubleshooting and security assessments.
References
- Comer, D. E. (2018). _Internetworking with TCP/IP_ (6th ed.). Pearson.
- Kurose, J. F., & Ross, K. W. (2017). _Computer Networking: A Top-Down Approach_ (7th ed.). Pearson.
- Liu, H., Zhang, Q., & Wang, Y. (2019). Deep packet inspection techniques for network security. _IEEE Communications Surveys & Tutorials_, 21(4), 3622-3643.
- Stevens, W. R. (2015). _TCP/IP Illustrated, Volume 1: The Protocols_. Addison-Wesley.
- Tanenbaum, A. S., & Wetherall, D. J. (2011). _Computer Networks_ (5th ed.). Pearson.