NETinVM

Exercise: Capturing an HTTP session with Wireshark

Authors

Carlos Perez

Date
13 de noviembre de 2018

Contents

Objective

The goal of this exercise is to capture an HTTP session using Wireshark, thus showing how NETinVM can be used for teaching and learning.

Introduction

As an example of how NETinVM can be used for teaching and learning, this section will show how the network traffic of an HTTP connection could be generated, captured and analyzed within NETinVM Wireshark.

Once all virtual systems have been started within NETinVM by executing the 'netinvm_run_all' shell script, the procedure to follow is just as simple as if all systems were real. We will establish an HTTP connection from 'exta' to 'www.example.net' and we will capture and analyze that traffic using 'wireshark' running on 'base'.

Note

Note that 'base' has access both to the external network ('ext') and the screened subnet ('dmz') through its 'virbr-ext' and 'virbr-dmz' network interfaces, respectively. However, in order to be able to capture all the network traffic, each switch has a mirror port, named after its network ('mirror-ext' and 'mirror-dmz'). Thus, we will be able to capture the traffic on either network (or on both at the same time) since packets will travel from 'exta' to 'fw' through the external network and then from 'fw' to 'www.example.net' ('dmza') through the 'dmz' network, and back. For this exercise, we will assume that we are interested only in the traffic in the 'dmz' network, so mirror port 'mirror-dmz' will be used.

Preparation

In order to perform the exercise the NETinVM environment must be brought to life by peforming the following actions:

HTTP session capture

  1. First, start 'wireshark' on 'base' and set it to listen on the 'dmz' network (interface 'mirror-dmz')

    |netinvm| wireshark interfaces
  2. Then, request the home page of the web server running on 'www.example.net' by executing the following command in "exta":

    root@exta:~# wget www.example.net
  3. Finally, go back to 'wireshark', stop the capture and analyze the traffic at your leisure. The session captured in 'wireshark' will look similar to the following figure, which shows the HTTP session that was established between 'exta' (10.5.0.10) and 'www.example.net' (dmza, 10.5.1.10)

    |netinvm| wireshark capture