Network Services and Protocols Part II: How to Use Wireshark, Windows Firewall, and Advanced IP Scanner for Troubleshooting

Bryan Renzy
12 min read · May 3, 2021
Source: cybrary.it

What are we doing?

Part II of this lab consists of four exercises. It first introduces us to packet capturing using a third-party application called Wireshark, then guides us through blocking specific ports with Windows Firewall, and finally introduces us to port scanning using a third-party application called Advanced IP Scanner.

Why would we want to do this?

Although the tools we used and learned in Part I of this lab are useful when troubleshooting our network, they can certainly feel limited when it comes to monitoring it. Third-party applications like Wireshark and Advanced IP Scanner provide more advanced features that give us better insight when troubleshooting, as well as excellent monitoring capabilities.

Remember, this lab helps us better understand how to utilize the tools readily available to us, and oftentimes it helps to increase our arsenal of skills when troubleshooting (and monitoring) our network.

Who would use this?

Personally, I feel everyone who uses a computer should be using these tools, and they shouldn’t be seen as an exclusive skill of IT hobbyists and professionals. These tools and processes are basic enough for a computer-literate individual to grasp and understand. It’s important that a computer user learns how their computer is communicating and to whom, so they can better help with the troubleshooting process if issues arise.

Thoughts?

With the popularity of applications like Wireshark, I’m rather surprised companies like Microsoft and Apple haven’t come out with their own proprietary application already built into their OS that provides the same services. I’m not insinuating they should, I’m just curious to know why not — is it for the same reasons applications like Malwarebytes keep holding strong?

Vendor

Practice Labs

Lab

1.5 — Network Services and Protocols Part II

Learning Outcomes

  • Exercise 1 — Identify Default HTTP Port
  • Exercise 2 — Identify Default HTTPS Port
  • Exercise 3 — Contrast TCP and UDP Protocols
  • Exercise 4 — Use a Port Scanner

After completing this lab, we will be able to:

  • Start packet capture of packets exchanged using HTTP protocol
  • Create HTTP traffic by accessing a website
  • Verify Port 80 for HTTP
  • Capture HTTPS traffic using Wireshark
  • Verify HTTPS uses port 443 by default
  • Contrast TCP and UDP Protocols
  • Use Advanced IP Scanner tool to collect system information
  • Use Advanced IP Scanner tool to remotely manage systems

CompTIA Network+ Exam Objectives

N10-007 1.1 — Explain the purposes and uses of ports and protocols:

  • HTTP 80
  • HTTPS 443
  • UDP
  • TCP

N10-007 5.2 — Given a scenario, use the appropriate tool (Software Tools, Port Scanner)

Exercise 1

Identify Default HTTP Port

Learning objective

Know how to capture HTTP packets using Wireshark.

Task 1 — Start Packet Capture

In this task, we will launch Wireshark and start capturing packets exchanged using HTTP.

If not already installed, install Wireshark together with WinPcap and USBPcap, and open the Wireshark application.

Step 1: In the toolbar at the top of the Wireshark window, go to Capture and click on Options.

We’ll go ahead and select the checkbox next to the Ethernet interface for this lab.

Step 2: Click the Start button to start capturing data.

Step 3: Now, let’s go on our web browser and connect to http://comptia.org so that we can monitor the http packet activity on Wireshark.

Task 1 Complete!

Task 2 — Identify Port 80 for HTTP

Step 1: While the packet capture is ongoing, input http in the Filter text box.

Notice that one of the HTTP data packets on the listing is highlighted in blue. Details of the highlighted packet are listed in the lower pane on the capture window.

Notice that the Source port is a random port number used by our computer PLABSA01, since we’re connected to a remote web server, but the Destination port is listed as 80 (http), since we connected to http://comptia.org (which listens on TCP port 80).

Note: The packets carrying this less complex form of data use port 80. However, as the website access becomes more detailed and complex (like background applications or graphics) packets will begin to prefer using port 8080.

Step 2: Click the stop capture icon — the red square — on the toolbar at the top. This stops the on-going data capture.

Now we know how to capture http packet information using Wireshark.

Exercise 1 Complete!

Exercise 2

Identify Default HTTPS Port

Learning objective

Know how to start a new live packet capture using Wireshark

Task 1 — Restart Wireshark

Once data capture on Wireshark is stopped, it can be restarted to either continue capturing the same data stream or to start data capture on a new data stream.

In this task, we will restart Wireshark and capture a new data stream.

Step 1: In Wireshark, click the start new live capture icon (shark-fin) on the icon bar at the top to begin capturing packets.

Step 2: If you’re asked if you would like to save the captured data accumulated so far, click Continue without Saving, for this lab.

Task 1 Complete!

Task 2 — Capture HTTPS traffic using Wireshark

In this task, we’ll capture HTTPS traffic.

Step 1: Now, let’s go on our web browser and connect to https://google.com.

Note: By explicitly typing https at the beginning of the address, we are forcing the browser to use the HTTPS protocol.

Restore the Wireshark window. Notice data being captured.

In the Filter box, verify that http is typed in the text box.

Note: In Wireshark HTTP and HTTPS are the same when it comes to filtering the results.

Find the packet with Info CONNECT www.google.com:443.

By expanding the Transmission Control Protocol section in the center pane, you can see that the destination port is 8080 and not 443. That’s because we’re using a proxy server. However, the connection still uses HTTPS, as can be seen by the CONNECT request, which indicates the use of 443 on Google’s server end of the conversation.

Note: The TLSv1.2 packets we see are used to transfer data in an encrypted form.

Click the stop capture icon — the red square icon — on the icon bar at the top to stop the on-going data capture.

Task 2 Complete!

Task 3 — Block-out HTTPS Access

In this task, we’ll block HTTPS traffic.

Step 1: Right-click the network icon in our system tray on the lower right-hand side of our taskbar and choose Open Network & Internet Settings.

Select the Ethernet option on the left column.

Select the Network and Sharing Center link.

Select the Windows Defender Firewall on the lower left pane.

Select the Advanced settings option from the left-side pane.

Step 2: Select Inbound Rules from the left-side pane.

A list of inbound rules is displayed on the middle pane.

Right-click the Inbound Rules node and choose New Rule.

The New Inbound Rule Wizard is displayed.

Step 3: On the Rule Type page, select the Port radio button and click Next.

On the Protocol and Ports page, select the TCP radio button if not selected already.

Select the Specific local ports radio button and type the following in the text box:

80, 443, 8080

Step 4: On the Action page, select the Block the connection radio button and click Next.

On the Name page, specify the name of the rule as Block HTTPS 443 and click Finish.

Step 5: Select the Outbound Rules node, and do the same as we did in Inbound Rules.

Task 3 Complete!

Task 4 — Verify HTTPS is Blocked

In this task, we’ll try to again access https websites with the port 443 now blocked.

Step 1: Let’s go on our web browser and try to connect to https://google.com.

Notice that the website does not display. This confirms that the firewall effectively blocked access to the outside world.

Task 4 Complete!

Task 5 — Remove Firewall rules blocking HTTPS access

In this task, we’ll unblock port 443. If we can access https://google.com again, we can safely say that https protocol uses port 443.

Step 1: Reconnect to the Windows Defender Firewall with Advanced Security window.

Click the Inbound Rules node, again.

On the rules list on the middle pane, right-click the Block HTTPS 443 rule and select Delete.

Do the same for the created outbound rule, as well.

Step 2: Let’s go ahead and try to reconnect to https://google.com using our web browser.

There! Now we know how to block and unblock certain ports, like 443!

Exercise 2 Complete!

Exercise 3

Contrast TCP and UDP Protocols

Learning Objective

Know the differences between TCP and UDP

Task 1 — Capture Packets

I feel like the best way to explain TCP and UDP is to start with a summary of their differences:

  • Authentication is needed for Connection-Oriented Protocol Services, while Connectionless Protocol Services don’t require any authentication.
  • Connection-Oriented Protocol Services make a connection, check whether a message is received, and send again if an error occurs, while Connectionless Protocol Services couldn’t care less.
  • Connection-Oriented Protocol Services are more reliable than Connectionless Protocol Services, but not as fast, and are oftentimes larger in size.
  • Connection-Oriented Protocol Services are stream based and Connectionless Protocol Services are message based (see excerpt below).¹
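The stream-versus-message and connection-versus-no-connection points in the list above can be seen directly with sockets. The following is an added example, not part of the lab: it runs entirely on 127.0.0.1 with ports the OS picks, so it needs no network and touches nothing outside the process. A TCP socket refuses to send before a handshake has established a peer, a UDP socket happily sends to a port nobody listens on, two UDP datagrams arrive as two messages of their original sizes, and two TCP writes arrive as one ordered byte stream with the boundaries gone.

```python
"""Contrast TCP (connection-oriented, stream) and UDP (connectionless, message).

Added example for the lab's TCP/UDP comparison; every socket is on 127.0.0.1 and
every port is chosen by the OS at run time, so the script is self-contained.
"""
import socket
import threading


def _free_port(kind):
    """Ask the OS for a free port of the given socket type and release it again,
    so we have a port that is reachable but has no listener (constructed input)."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_send_without_connect():
    """A stream socket has no peer until connect() completes the three-way
    handshake, so send() is rejected by the kernel (ENOTCONN/EPIPE) before any
    packet leaves the host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.send(b"hello?")
            return "sent"
        except OSError:
            return "not connected"


def udp_send_to_closed_port():
    """UDP has no handshake: sendto() succeeds even though nothing listens on the
    port.  Whether the datagram was received is simply unknown to the sender."""
    port = _free_port(socket.SOCK_DGRAM)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(b"hello?", ("127.0.0.1", port))  # byte count, not a delivery receipt


def udp_preserves_message_boundaries():
    """Two sendto() calls are delivered as two datagrams of their original sizes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(5)
        addr = rx.getsockname()
        tx.sendto(b"first", addr)
        tx.sendto(b"second", addr)
        return [rx.recvfrom(4096)[0] for _ in range(2)]


def tcp_is_a_stream():
    """TCP delivers an ordered byte stream; the receiver may see the two sendall()
    calls as one chunk, so it must frame messages itself.  Here it reads until
    the peer closes the connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = bytearray()

    def server():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:          # empty read: peer has closed, stream is complete
                    break
                received.extend(chunk)

    t = threading.Thread(target=server)
    t.start()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.connect(("127.0.0.1", port))  # handshake happens here, before any data
        c.sendall(b"first")
        c.sendall(b"second")
    t.join(5)
    srv.close()
    return bytes(received)              # boundaries are gone, order is kept


if __name__ == "__main__":
    print("TCP send before connect:", tcp_send_without_connect())
    print("UDP bytes 'sent' to a closed port:", udp_send_to_closed_port())
    print("UDP datagrams received:", udp_preserves_message_boundaries())
    print("TCP stream received:", tcp_is_a_stream())
```

The TCP receiver loop is the part worth remembering: because TCP gives no message boundaries, every TCP application protocol (HTTP with its Content-Length header, for instance) has to define its own framing on top of the stream, while a UDP application gets one message per datagram for free.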

Before continuing, I want to throw in this excerpt from this Oracle doc that should help clarify the uses of TCP and UDP:

TCP is an example of a connection-oriented protocol. The process is much like a telephone call, where a virtual circuit is established — the caller must know the person’s telephone number and the phone must be answered — before the message can be delivered.

Examples of services that use connection-oriented transport services are telnet, rlogin, and ftp.

UDP is a connectionless protocol. It is known as a datagram protocol because it is analogous to sending a letter where you don’t acknowledge receipt.

Examples of applications that use connectionless transport services are broadcasting and tftp. Early implementations of NFS used UDP, whereas newer implementations prefer to use TCP.²

Give this article a read, as well, before moving to Step 1:

Difference between Connection-Oriented and Connectionless Service

Also, use this handy interactive reference⁴ for which ports use TCP and/or UDP. For this lab, we’ll go ahead and sample that reference:

Step 1: From the Wireshark window, enter tcp in the Filter text box.

Only the data packets implementing TCP protocol are now being displayed.

Note that there are several application protocols that use TCP, such as HTTP and FTP. Any such protocols are also included, and labeled as such, in the list of captured packets, since they use TCP.

Step 2: Select a TCP packet from the list displayed. The second pane shows details of the selected packet.

Expand the Transmission Control Protocol section in the second pane.

Notice the Source port (49810) and the Destination port (8080). From our Exercise 2 tasks, we can confirm that TCP is using port 443.

Task 2 Complete!

Task 3 — Identify UDP Packets

Step 1: In the Filter box, enter udp.

Note that UDP is used by several application layer protocols such as DHCP and DNS. Such protocols are also included in this filtered list since they use UDP.

Again, notice the change in the color-coding of the data packets. Only the data packets implementing UDP protocol are now being displayed.

Step 2: Select a UDP packet from the list displayed. For example, select a DHCP packet.

Expand the User Datagram Protocol section in the middle pane.

Notice that the Source port is 68 and the Destination port is 67. Knowing from our interactive reference, we can confirm that UDP uses ports 68 and 67.
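To make concrete what Wireshark is doing when it fills in the Source port and Destination port fields and when the http, tcp and udp filters select rows, here is an added example that is neither part of the lab nor Wireshark's own code. It decodes hand-built Ethernet/IPv4/TCP/UDP frames and applies a tiny subset of the display-filter language. The frames are constructed for the demonstration: the client 192.168.0.10, the web server 198.51.100.20, a proxy at 192.168.0.1, the ephemeral ports 49810 and 49811, the DNS query and the DHCP datagram are all made up, and checksums are left at zero. The four frames reproduce the port-80 request from Exercise 1, the CONNECT www.google.com:443 sent to the proxy on 8080 from Exercise 2, and the tcp/udp filtering with the DHCP 68-to-67 pair from Exercise 3.

```python
"""Decode raw Ethernet/IPv4/TCP|UDP frames and apply Wireshark-style display filters.

Added example, not the lab's or Wireshark's code.  All frames are constructed in
build_frame() so the script runs offline; nothing is captured from a real interface.
"""
import struct

ETH_HDR = 14
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct an Ethernet + IPv4 + (TCP|UDP) frame.  Checksums are zero: this is
    sample input for a decoder, not something to put on a wire."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    if proto == IPPROTO_TCP:
        # ports, seq, ack, data offset (5 words) + flags PSH|ACK, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4


def decode(frame):
    """Return the fields Wireshark shows in its IP and TCP/UDP panes, or None
    for a frame that is not IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = ip[9]
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == IPPROTO_TCP:
        payload = l4[(l4[12] >> 4) * 4:]   # TCP data offset field, in 32-bit words
    else:
        payload = l4[8:]                   # UDP header is always 8 bytes
    return {"proto": "tcp" if proto == IPPROTO_TCP else "udp",
            "src": ".".join(str(b) for b in ip[12:16]),
            "dst": ".".join(str(b) for b in ip[16:20]),
            "sport": sport, "dport": dport, "payload": payload}


def matches(pkt, display_filter):
    """Tiny subset of Wireshark's filter language: 'tcp', 'udp', 'http',
    'tcp.port == N', 'udp.port == N'.  'http' is approximated as TCP carrying an
    HTTP request line or status line, which is why a CONNECT to a proxy on 8080
    still shows up under the http filter, as it did in the lab."""
    f = display_filter.strip()
    if f in ("tcp", "udp"):
        return pkt["proto"] == f
    if f == "http":
        first_word = pkt["payload"].split(b" ", 1)[0]
        return pkt["proto"] == "tcp" and first_word in (b"GET", b"POST", b"CONNECT", b"HTTP/1.1")
    proto, _, rest = f.partition(".")
    field, _, value = rest.partition("==")
    if field.strip() == "port" and proto in ("tcp", "udp"):
        return pkt["proto"] == proto and int(value) in (pkt["sport"], pkt["dport"])
    raise ValueError("unsupported filter: " + display_filter)


# Constructed capture: addresses, ephemeral ports and payloads are made up.
CAPTURE = [
    build_frame("192.168.0.10", "198.51.100.20", IPPROTO_TCP, 49810, 80,
                b"GET / HTTP/1.1\r\nHost: comptia.org\r\n\r\n"),
    build_frame("192.168.0.10", "192.168.0.1", IPPROTO_TCP, 49811, 8080,
                b"CONNECT www.google.com:443 HTTP/1.1\r\n\r\n"),
    build_frame("192.168.0.10", "192.168.0.1", IPPROTO_UDP, 53123, 53, b"\x00\x01"),
    build_frame("0.0.0.0", "255.255.255.255", IPPROTO_UDP, 68, 67, b"\x01"),
]


def apply_filter(display_filter, frames=CAPTURE):
    """Return (proto, src port, dst port) for each frame the filter selects."""
    pkts = (decode(fr) for fr in frames)
    return [(p["proto"], p["sport"], p["dport"]) for p in pkts if p and matches(p, display_filter)]


if __name__ == "__main__":
    for flt in ("http", "tcp.port == 80", "tcp", "udp", "udp.port == 67"):
        print(f"{flt:16} -> {apply_filter(flt)}")
```

Two things the decoder makes visible: the port numbers live in the first four bytes of the transport header, so "which port is HTTP" is a matter of reading two bytes, and a filter such as http is a heuristic over the payload rather than a property of the packet, which is why Wireshark can label the proxied CONNECT as HTTP even though its destination port is 8080.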

Exercise 3 Complete!

Exercise 4

Using a Port Scanner

Learning Objective

Know how to scan for open ports on the network using Advanced IP Scanner

A port scanner is a software tool used for probing local or remote systems to find open TCP/UDP ports and collect system information, such as the operating system type installed on the computer. This is used by system administrators to validate the security policy of firewalls and by hackers to determine the open ports on a computer that can possibly be exploited.³

Port scanners are much more than just a piece of software that pings many devices at once. They have many more capabilities, some of which we’ll play with here.

Task 1 — Use Advanced IP Scanner to scan the network

In this task, we’ll use Advanced IP Scanner to scan our network, and explore the application’s features.

Step 1: For this lab, make sure we are connected to the PLABWIN10 device, and double-click the Advanced IP Scanner icon on the desktop.

Note that in the address range field, a default range of IP addresses is already defined.

Step 2: From this range, remove the 169.254.0.1–169.254.255.254 network ID range.

The remaining network ID range is 192.168.0.1–254.

Click Scan.

After a few seconds, the Advanced IP Scanner lists the devices within the range of 192.168.0.1–192.168.0.254 addresses discovered on our network.

Note: the scan result identifies the IP address, the machine name, the manufacturer, and the MAC (media access control) address of each device.

Step 3: When the scan is successfully completed, expand the listed PLABDC01 host.

Notice that the scanner has also discovered two shared folders on the device. The Advanced IP Scanner can detect shared folders on the network.

Step 4: Right-click the listed PLABDC01, select Tools and then select Ping.

This opens a Command Prompt window, and sets up a ping session from PLABWIN10 to PLABDC01.

Notice that the ping command is executed and replies come back from the pinged server (PLABDC01).

Note: The pings will continue until you either cancel them by using ‘ctrl+c’ or by closing the Command Prompt window.

Step 5: Right-click PLABDC01 and select Advanced > Shutdown.

On the Shutdown options dialog box, select the Reboot checkbox.

Click Shutdown.

Now we know how to get started using Advanced IP Scanner.
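The probe a port scanner performs for each port is the same check that tells us, in Exercise 2 Task 4, whether a firewall rule or a dead server is behind a website that won't load. The following is an added example, not the lab's code and not Advanced IP Scanner's: a TCP connect probe that classifies a port as open (handshake completed), closed (the host answered with a reset, so it is reachable but nothing listens) or filtered (no answer before the timeout, the usual signature of a firewall block rule that drops the packet), plus a loop that runs it over a port list. To stay self-contained it starts its own listener on 127.0.0.1 and scans only that host; the port numbers are chosen by the OS at run time.

```python
"""Connect-style TCP port probe and a small scanner built on it.

Added example for the port-scanner exercise and the "Verify HTTPS is Blocked"
task; it only ever touches 127.0.0.1 and a listener it opens itself.
"""
import socket


def probe_tcp(host, port, timeout=1.0):
    """Classify one TCP port the way a connect scan does.

    open     -> handshake completed, something is listening
    closed   -> RST came back: host reachable, nothing listening
    filtered -> silence until the timeout: typical of a firewall block rule
    error    -> the probe never got as far as the port (no route, DNS, ...)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError as exc:
            return f"error: {exc}"


def scan_ports(host, ports, timeout=1.0):
    """Probe each port in turn; returns {port: state}, like a scanner's result pane."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def demo():
    """Self-contained run: open one listener so a port is genuinely open, reserve
    and release another so it is genuinely closed, then scan both.
    Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)                      # the kernel completes handshakes into the backlog
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                           # port released: reachable, but no listener

    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, state in results.items():
        print(f"127.0.0.1:{port:<6} {state}")
    print("expected:", {open_port: "open", closed_port: "closed"})
```

Against the lab's firewall rule, the reading is: https://google.com failing to load while port 443 on the proxy or server reports filtered points at the block rule, whereas closed would mean the rule is gone but the service is down, and open would mean the firewall is not the cause. The three states are exactly what a scanner's results pane summarises for every port in its range.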

Exercise 4 Complete!

Part II of this lab is complete and continues to help bridge our knowledge for further exploration into Part III.
