
TITLE: Analysing network statistics using wireshark.

SOFTWARE USED : Wireshark 1.10.1

THEORY:
Wireshark is a free and open source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Originally
named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.
Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its
user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris,
some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-
based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it
such as TShark, are free software, released under the terms of the GNU General Public
License.
Wireshark is a data capturing program that "understands" the structure (encapsulation) of
different networking protocols. It can parse and display the fields, along with their meanings
as specified by different networking protocols. Wireshark uses pcap to capture packets, so it
can only capture packets on the types of networks that pcap supports.
- Data can be captured "from the wire" from a live network connection or read from a file of already-captured packets.
- Live data can be read from a number of types of networks, including Ethernet, IEEE 802.11, PPP, and loopback.
- Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark.
- Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
- Data display can be refined using a display filter.
- Plug-ins can be created for dissecting new protocols.
- VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.
- Raw USB traffic can be captured.
- Wireless connections can also be filtered as long as they traverse the monitored Ethernet.
- Various settings, timers, and filters can be set that ensure only triggered traffic appears.

Colour coding:
The user typically sees packets highlighted in green, blue, and black. Wireshark uses colours
to help the user identify the types of traffic at a glance. By default, green is TCP traffic, dark
blue is DNS traffic, light blue is UDP traffic, and black identifies TCP packets with problems,
for example segments that were delivered out of order. Users can change existing colouring
rules, add new rules, or remove rules.
Figure 1
Mib-2 group:

Figure 2

Entity          OID         Description
system          mib-2 1     System description and administrative information
interfaces      mib-2 2     Interfaces of the entity and associated information
at              mib-2 3     Address translation between IP and physical addresses
ip              mib-2 4     Information on the IP protocol
icmp            mib-2 5     Information on the ICMP protocol
tcp             mib-2 6     Information on the TCP protocol
udp             mib-2 7     Information on the UDP protocol
egp             mib-2 8     Information on the EGP protocol
cmot            mib-2 9     Placeholder for OSI protocol
transmission    mib-2 10    Placeholder for transmission information
snmp            mib-2 11    Information on the SNMP protocol
Object Groups: Objects that are related are grouped into object groups. This grouping is
different from the grouping of object types to construct an aggregate object type. Object
groups facilitate the logical assignment of object identifiers. One of the criteria for choosing
the objects to be included in standards is that each is essential for either fault or
configuration management. Thus, if a vendor implements a group in a system, all of its
components are implemented, i.e. the status of every component of the group is mandatory.

(i) IP group: (OID = {1.3.6.1.2.1.4})


The Internet uses IP as its networking protocol. This group has information on various
parameters of the protocol. It also has a table that replaces the address translation table.
Routers in the network periodically execute the routing algorithm and update their routing
tables, which are defined as managed objects in this group.
The IP group defines all the parameters needed for the node to handle the network layer IP
protocol either as a host or as a router; implementation is mandatory.

Figure 3

ENTITY               OID      DESCRIPTION
ipForwarding         ip 1     Whether the node acts as a gateway (forwards datagrams) or not
ipDefaultTTL         ip 2     Default Time-to-Live value placed in the IP header
ipInReceives         ip 3     Total number of input datagrams received from interfaces, including those received in error
ipInHdrErrors        ip 4     Number of input datagrams discarded due to header errors
ipInAddrErrors       ip 5     Number of input datagrams discarded due to address errors
ipForwDatagrams      ip 6     Number of input datagrams for which forwarding to their final destination was attempted (on non-gateway nodes, only successfully source-routed datagrams)
ipInUnknownProtos    ip 7     Number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol
ipInDiscards         ip 8     Number of input datagrams discarded although no problem prevented their processing (e.g. lack of buffer space)
ipInDelivers         ip 9     Total number of input datagrams successfully delivered to IP user protocols
ipOutRequests        ip 10    Total number of IP datagrams that local IP user protocols supplied to IP for transmission
ipOutDiscards        ip 11    Number of error-free output datagrams discarded (e.g. lack of buffer space)
ipOutNoRoutes        ip 12    Number of IP datagrams discarded because no route could be found to their destination
ipReasmTimeout       ip 13    Maximum number of seconds that received fragments are held while awaiting reassembly
ipReasmReqds         ip 14    Number of IP fragments received that needed reassembly
ipReasmOKs           ip 15    Number of successfully reassembled datagrams
ipReasmFails         ip 16    Number of failures detected by the IP reassembly algorithm (not necessarily a count of discarded fragments)
ipFragOKs            ip 17    Number of datagrams successfully fragmented
ipFragFails          ip 18    Number of datagrams discarded because they needed fragmentation but had the Don't Fragment flag set
ipFragCreates        ip 19    Number of datagram fragments generated as a result of fragmentation
ipAddrTable          ip 20    Table of IP addresses
ipRouteTable         ip 21    IP routing table
ipNetToMediaTable    ip 22    Table mapping IP addresses to physical addresses
ipRoutingDiscards    ip 23    Number of routing entries discarded even though they were valid

(ii) ICMP group: (OID = {1.3.6.1.2.1.5})


ICMP is a precursor of SNMP and a part of the TCP/IP group. It is included in MIB-I and
MIB-II, and implementation is mandatory. The ICMP group contains statistics on ICMP
control messages and is presented in the figure and table below. The syntax of every
entity is a read-only counter. For example, the number of ping requests (ICMP echo
requests) sent can be obtained from the counter reading of icmpOutEchos.

Figure 4

Entity                  OID        Description
icmpInMsgs              icmp 1     Total number of ICMP messages received by the entity, including those counted in icmpInErrors
icmpInErrors            icmp 2     Number of ICMP messages received by the entity with ICMP-specific errors
icmpInDestUnreachs      icmp 3     Number of ICMP Destination Unreachable messages received
icmpInTimeExcds         icmp 4     Number of ICMP Time Exceeded messages received
icmpInParmProbs         icmp 5     Number of ICMP Parameter Problem messages received
icmpInSrcQuenchs        icmp 6     Number of ICMP Source Quench messages received
icmpInRedirects         icmp 7     Number of ICMP Redirect messages received
icmpInEchos             icmp 8     Number of ICMP Echo (request) messages received
icmpInEchoReps          icmp 9     Number of ICMP Echo Reply messages received
icmpInTimestamps        icmp 10    Number of ICMP Timestamp (request) messages received
icmpInTimestampReps     icmp 11    Number of ICMP Timestamp Reply messages received
icmpInAddrMasks         icmp 12    Number of ICMP Address Mask Request messages received
icmpInAddrMaskReps      icmp 13    Number of ICMP Address Mask Reply messages received
icmpOutMsgs             icmp 14    Total number of ICMP messages this entity attempted to send
icmpOutErrors           icmp 15    Number of ICMP messages not sent due to problems within ICMP (e.g. lack of buffers); errors detected outside ICMP are not counted
icmpOutDestUnreachs     icmp 16    Number of ICMP Destination Unreachable messages sent
icmpOutTimeExcds        icmp 17    Number of ICMP Time Exceeded messages sent
icmpOutParmProbs        icmp 18    Number of ICMP Parameter Problem messages sent
icmpOutSrcQuenchs       icmp 19    Number of ICMP Source Quench messages sent
icmpOutRedirects        icmp 20    Number of ICMP Redirect messages sent
icmpOutEchos            icmp 21    Number of ICMP Echo (request) messages sent
icmpOutEchoReps         icmp 22    Number of ICMP Echo Reply messages sent
icmpOutTimestamps       icmp 23    Number of ICMP Timestamp (request) messages sent
icmpOutTimestampReps    icmp 24    Number of ICMP Timestamp Reply messages sent
icmpOutAddrMasks        icmp 25    Number of ICMP Address Mask Request messages sent
icmpOutAddrMaskReps     icmp 26    Number of ICMP Address Mask Reply messages sent
Table 2

(iii) TCP group: (OID = {1.3.6.1.2.1.6})

The transport layer of the Internet defines TCP for a connection-oriented service and
UDP for a connectionless service. The TCP group contains entities that are associated with
connection-oriented TCP. Per-connection entries are present only as long as the particular
connection persists.

Entity             OID       Description
tcpRtoAlgorithm    tcp 1     Algorithm used to determine the timeout for retransmitting unacknowledged octets
tcpRtoMin          tcp 2     Minimum value of the retransmission timeout, in milliseconds
tcpRtoMax          tcp 3     Maximum value of the retransmission timeout, in milliseconds
tcpMaxConn         tcp 4     Maximum number of TCP connections
tcpActiveOpens     tcp 5     Number of active opens (direct transitions from CLOSED to SYN-SENT)
tcpPassiveOpens    tcp 6     Number of passive opens (direct transitions from LISTEN to SYN-RCVD)
tcpAttemptFails    tcp 7     Number of failed connection attempts
tcpEstabResets     tcp 8     Number of resets (direct transitions from ESTABLISHED or CLOSE-WAIT to CLOSED)
tcpCurrEstab       tcp 9     Number of connections whose current state is either ESTABLISHED or CLOSE-WAIT
tcpInSegs          tcp 10    Total number of segments received, including those received in error
tcpOutSegs         tcp 11    Total number of segments sent, excluding retransmissions
tcpRetransSegs     tcp 12    Total number of segments retransmitted
tcpConnTable       tcp 13    TCP connection table
tcpInErrs          tcp 14    Total number of segments received in error
tcpOutRsts         tcp 15    Number of segments sent containing the RST flag

(iv) UDP group: (OID = {1.3.6.1.2.1.7})


The UDP group contains information associated with the connectionless transport protocol.
Its implementation is mandatory.
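The IP, ICMP, TCP and UDP tables above describe counters that an SNMP agent keeps, and a Wireshark capture shows the individual packets those counters are derived from. The following Python script is an added example (not part of the original report) that connects the two: a small dissector walks constructed IPv4 packets, validates each header the way a receiving host does, and increments counters named after the MIB-2 objects in the tables (ipInReceives, ipInHdrErrors, icmpInEchos, tcpOutRsts, udpInDatagrams and so on). The host address 10.0.0.2, the sample packets and all helper names are assumptions made for the example.

```python
"""MIB-2-style counters derived from raw IPv4 packets.

Added example, not code from the original lab report. The sample packets
and the host address are constructed for the example.
"""
import struct
from collections import Counter


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the IPv4 header; 0 means the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, corrupt=False):
    """Constructed IPv4 packet; corrupt=True flips a checksum bit to mimic a header error."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr) ^ (1 if corrupt else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def icmp(icmp_type, code=0):
    """ICMP header (checksum left zero in this constructed sample) plus 4 bytes of body."""
    return struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4


def tcp(flags, sport=40000, dport=80):
    """Minimal 20-byte TCP header; the flags byte sits at offset 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport=53000, dport=53, data=b"q"):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# ICMP type -> suffix of the MIB-2 icmpIn*/icmpOut* counter that records it
ICMP_NAMES = {0: "EchoReps", 3: "DestUnreachs", 8: "Echos", 11: "TimeExcds"}


def mib2_counters(packets, local_ips):
    """Count MIB-2 objects for a non-forwarding host owning the addresses in local_ips."""
    c = Counter()
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        src = ".".join(str(b) for b in pkt[12:16])
        dst = ".".join(str(b) for b in pkt[16:20])
        if src in local_ips:
            # Datagram handed to IP by a local user protocol (ip 10).
            c["ipOutRequests"] += 1
            direction = "Out"
        else:
            # Datagram arriving from an interface (ip 3), validated before delivery.
            c["ipInReceives"] += 1
            if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
                c["ipInHdrErrors"] += 1           # ip 4
                continue
            if dst not in local_ips:
                c["ipInAddrErrors"] += 1          # ip 5: a host drops datagrams not addressed to it
                continue
            direction = "In"
        proto, payload = pkt[9], pkt[ihl:]
        if proto == 1:                             # ICMP
            c["icmp%sMsgs" % direction] += 1
            name = ICMP_NAMES.get(payload[0])
            if name:
                c["icmp%s%s" % (direction, name)] += 1
        elif proto == 6:                           # TCP
            c["tcp%sSegs" % direction] += 1
            if direction == "Out" and payload[13] & 0x04:
                c["tcpOutRsts"] += 1               # tcp 15: segments sent with RST set
        elif proto == 17:                          # UDP
            c["udp%sDatagrams" % direction] += 1
        elif direction == "In":
            c["ipInUnknownProtos"] += 1            # ip 7
            continue
        if direction == "In":
            c["ipInDelivers"] += 1                 # ip 9
    return dict(c)


HOST = ("10.0.0.2",)            # assumed address of the monitored host
SAMPLE_PACKETS = [              # constructed sample traffic, not captured data
    build_ipv4("10.0.0.1", "10.0.0.2", 1, icmp(8)),                # echo request in
    build_ipv4("10.0.0.2", "10.0.0.1", 1, icmp(0)),                # echo reply out
    build_ipv4("10.0.0.1", "10.0.0.2", 6, tcp(0x02)),              # SYN to a closed port
    build_ipv4("10.0.0.2", "10.0.0.1", 6, tcp(0x14)),              # RST/ACK answer out
    build_ipv4("10.0.0.1", "10.0.0.2", 17, udp()),                 # UDP datagram in
    build_ipv4("10.0.0.2", "10.0.0.1", 1, icmp(3, 3)),             # port unreachable out
    build_ipv4("10.0.0.1", "10.0.0.2", 17, udp(), corrupt=True),   # bad header checksum
    build_ipv4("10.0.0.1", "10.0.0.9", 17, udp()),                 # not addressed to host
    build_ipv4("10.0.0.1", "10.0.0.2", 47, b"\x00" * 4),           # GRE: no handler here
]

if __name__ == "__main__":
    for name, value in sorted(mib2_counters(SAMPLE_PACKETS, HOST).items()):
        print("%-22s %d" % (name, value))
```

Running the script lists the non-zero counters for the sample; the bad-checksum packet lands in ipInHdrErrors and never reaches a transport counter, the packet for 10.0.0.9 lands in ipInAddrErrors, and the RST/ACK the host sends back to the SYN is what tcpOutRsts (tcp 15, mentioned in the conclusion below) counts.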
Result:

Conclusion:
Using Wireshark, we can analyze the network traffic.
By browsing different sites on the Internet, we can observe the different protocols
available in Wireshark. The different protocols observed were:
TCP, ICMP, UDP, IP.
Each protocol describes the state of the transmitted and received segments.
TCP RST corresponds to the number of segments sent containing the RST flag, OID
tcp 15 (tcpOutRsts).
ICMPv6 (Port unreachable) corresponds to the number of ICMP Destination Unreachable
messages received.
UDP (1) corresponds to the total number of datagrams delivered to the user.
IPv6 (4) corresponds to the number of datagrams discarded due to header errors.
