Wireshark for Computer Security: Analyzing ARP Spoofing and DHCP in CSCI 180

Learn how to analyze DHCP, ARP spoofing, and SSL stripping attacks using Wireshark, with practical examples from a CSCI 180 exercise.


Introduction to Wireshark in Computer Security

Wireshark is the world's most widely used network protocol analyzer. It lets you see what is happening on your network packet by packet. In the CSCI 180 – Computer Security course, students use Wireshark to dissect real-world attacks such as ARP spoofing and SSL stripping, alongside normal protocol behaviour such as DHCP address assignment. This tutorial walks through the key concepts from the assignment and shows how to spot malicious activity in packet captures.

Understanding DHCP in Packet Captures

Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to devices on a network. In the p1.pcap file, you'll find DHCP packets that reveal the server's IP address. Look for DHCP Offer or DHCP ACK messages; the source IP of those packets (and the Server Identifier option they carry) is the DHCP server. For example, for the device with MAC 08:00:27:8F:4C:61, apply the display filter dhcp (older Wireshark versions call it bootp) and check the Your (client) IP address field to see the assigned address.

Identifying Assigned IPs by MAC

To find which IP corresponds to a given MAC, use the filter eth.addr == 08:00:27:8F:4C:61 and look for DHCP ACK packets. The assigned IP address appears in the Your (client) IP address field. Not every device gets its IP via DHCP; some use static addresses. If the capture contains no DHCP transaction for a MAC, that address was not assigned by DHCP during the capture: the device most likely has a static IP, although a lease obtained before the capture started would look the same.
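The lookup the two sections above describe, done programmatically rather than in the Wireshark GUI, as an added example that is not part of the course material: a small parser for the fixed DHCP header and options, fed a constructed DHCP ACK (the server, lease and transaction id are made-up values, not taken from p1.pcap).

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"                      # cookie separating the BOOTP header from the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Pull the fields the assignment asks about out of one DHCP UDP payload."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack_from("!BBBBIHH", payload, 0)
    ciaddr, yiaddr, siaddr, giaddr = (str(IPv4Address(payload[o:o + 4])) for o in (12, 16, 20, 24))
    chaddr = ":".join(f"{b:02X}" for b in payload[28:28 + hlen])   # client hardware address
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:                  # 255 = end option
        if payload[i] == 0:                                         # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")   # option 53 = message type
    server_ip = str(IPv4Address(opts[54])) if 54 in opts else siaddr  # option 54 = server identifier
    return {"type": msg_type, "client_mac": chaddr, "your_ip": yiaddr, "server_ip": server_ip}

def lease_for_mac(payloads, mac: str):
    """IP that a DHCP ACK assigned to `mac`; None when the capture holds no ACK for it (static address?)."""
    for payload in payloads:
        msg = parse_dhcp(payload)
        if msg["type"] == "ACK" and msg["client_mac"] == mac.upper():
            return msg["your_ip"]
    return None

def build_sample_ack() -> bytes:
    """Constructed DHCP ACK (not taken from p1.pcap): 192.168.56.1 assigns .101 to 08:00:27:8F:4C:61."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)         # op=2 (BOOTREPLY), Ethernet, hlen=6
    addrs = b"".join(IPv4Address(a).packed for a in ("0.0.0.0", "192.168.56.101", "192.168.56.1", "0.0.0.0"))
    chaddr = bytes.fromhex("0800278F4C61").ljust(16, b"\x00")
    options = (bytes([53, 1, 5])                                           # message type = ACK
               + bytes([54, 4]) + IPv4Address("192.168.56.1").packed       # server identifier
               + bytes([51, 4]) + struct.pack("!I", 86400)                 # lease time, one day
               + b"\xff")
    return header + addrs + chaddr + bytes(64) + bytes(128) + DHCP_MAGIC + options

if __name__ == "__main__":
    print(parse_dhcp(build_sample_ack()))
    print(lease_for_mac([build_sample_ack()], "08:00:27:8f:4c:61"))
```

To run it over a real capture, feed `parse_dhcp` the UDP payloads of port 67/68 traffic (for instance exported from Wireshark or read with a pcap library).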

SYN Packets and Port Scanning

A series of SYN packets between frames 120–2121 and 2241–4250 indicates a port scan. The purpose of these SYN packets is to discover open ports on the destination. The first batch might reveal which ports are open (by receiving SYN-ACK replies), while the second batch could be scanning a different port range or using different flags. The packet returned to the source is a SYN-ACK if the port is open or an RST (usually RST/ACK) if it is closed; a port that a firewall drops returns nothing at all, which scanners report as filtered. This is the classic behaviour of a reconnaissance tool like Nmap.
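How the same classification can be automated over a capture, as an added example rather than anything from the assignment: SYN-only probes are grouped by scanner and target, and each probe's outcome is read from the reply flags. The frames are constructed to resemble the p1.pcap bursts; the addresses, ports and frame numbers are made up.

```python
from collections import defaultdict

# Constructed TCP frames modelled on the SYN bursts in p1.pcap (not copied from the capture):
# (frame_no, src_ip, dst_ip, src_port, dst_port, tcp_flags) with "S"=SYN, "SA"=SYN-ACK, "R"/"RA"=RST
FRAMES = [
    (120, "192.168.56.102", "192.168.56.101", 40001, 22, "S"),
    (121, "192.168.56.101", "192.168.56.102", 22, 40001, "SA"),     # open
    (122, "192.168.56.102", "192.168.56.101", 40001, 22, "R"),      # scanner tears the half-open connection down
    (123, "192.168.56.102", "192.168.56.101", 40002, 80, "S"),
    (124, "192.168.56.101", "192.168.56.102", 80, 40002, "SA"),     # open
    (125, "192.168.56.102", "192.168.56.101", 40003, 443, "S"),
    (126, "192.168.56.101", "192.168.56.102", 443, 40003, "RA"),    # closed
    (127, "192.168.56.102", "192.168.56.101", 40004, 8080, "S"),
    (128, "192.168.56.101", "192.168.56.102", 8080, 40004, "RA"),   # closed
    (129, "192.168.56.102", "192.168.56.101", 40005, 3306, "S"),    # no answer at all: filtered by a firewall
    (200, "192.168.56.103", "192.168.56.101", 51000, 80, "S"),      # one ordinary connection, not a scan
    (201, "192.168.56.101", "192.168.56.103", 80, 51000, "SA"),
]

def detect_syn_scans(frames, min_ports=4):
    """Group SYN-only probes by (scanner, target); a pair touching >= min_ports distinct ports is
    reported together with the outcome each probe got, judged from the reply's flags."""
    probes = defaultdict(dict)                    # (src, dst) -> {dst_port: src_port used for the probe}
    for _, src, dst, sport, dport, flags in frames:
        if flags == "S":
            probes[(src, dst)][dport] = sport
    # index every non-SYN frame by its 4-tuple so the reply to a probe is a single lookup
    replies = {(src, dst, sport, dport): flags
               for _, src, dst, sport, dport, flags in frames if flags != "S"}
    report = {}
    for (src, dst), ports in probes.items():
        if len(ports) < min_ports:
            continue
        outcome = {}
        for dport, sport in ports.items():
            flags = replies.get((dst, src, dport, sport))
            outcome[dport] = "open" if flags == "SA" else "closed" if flags in ("R", "RA") else "filtered"
        report[(src, dst)] = outcome
    return report

if __name__ == "__main__":
    for (scanner, target), ports in detect_syn_scans(FRAMES).items():
        print(f"{scanner} scanned {target}: {ports}")
```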

ARP Protocol and ARP Spoofing

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses. In frames 4365–4368, a device sends an ARP Request asking for the MAC of a target IP, and the reply contains that MAC. This is normal ARP operation. However, between frames 4371–4382, a device floods the LAN with ARP replies without any request. This is suspicious because valid ARP replies are only sent in response to a request (the one legitimate exception is a gratuitous ARP announcement, in which sender and target IP are the host's own address). Unsolicited replies are characteristic of an ARP spoofing attack: the attacker sends fake ARP replies to associate their MAC with the gateway's IP, causing the victim to send traffic to the attacker instead of the real gateway. In the capture, the affected client's IP and MAC can be identified from the target addresses in the spoofed replies, and the attacker's MAC is the source MAC of those replies.

Intercepting HTTP Traffic

One client downloaded a document via HTTP. The attacker, after ARP spoofing, becomes a man-in-the-middle and can see all unencrypted traffic, including the HTTP GET request and the server's response. The attacker forwards the response to the victim but can also keep a copy. The document's media type (e.g., application/pdf) appears in the Content-Type header. The victim has no indication the file was intercepted because the attacker transparently forwards the packets. To retrieve the actual file, use Wireshark's Follow TCP Stream, show the server-side data as Raw and save it with the extension matching the Content-Type; File > Export Objects > HTTP does the same in one step. The document's metadata (publication month/year and title) can be viewed after opening the saved file.

SSL Stripping Attack in p2.pcap

Part B involves a man-in-the-middle attack using sslstrip. The attacker uses ARP spoofing to intercept traffic and then downgrades HTTPS to HTTP. Packet #3 is the first ARP spoof packet, and the attacker's MAC is the source MAC of that packet. The attacker impersonates the gateway: the gateway's IP appears as the sender protocol address in the spoofed reply, and the victim's IP, the host the attacker wants to fool, appears as the target protocol address. Be careful when reading off the attacker's own IP: the sender IP in the spoofed reply is the impersonated gateway IP, not the attacker's real address. To deduce the attacker's real IP, look at other traffic from the attacker's MAC, such as its DHCP exchange or a genuine ARP request from that MAC asking for the gateway's MAC, where the sender IP is the attacker's own.
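A detector for the two symptoms described in the ARP sections above (replies nobody asked for, and an IP suddenly claimed by a different MAC), written as an added example and not taken from the course or the captures. The frames, MACs and addresses are constructed to mirror the p1.pcap sequence; the frame numbers reuse the ones the text cites but the content is invented.

```python
ARP_REQUEST, ARP_REPLY = 1, 2
GATEWAY_MAC, ATTACKER_MAC, VICTIM_MAC = "52:54:00:12:35:00", "08:00:27:AA:BB:CC", "08:00:27:8F:4C:61"

# Constructed ARP frames modelled on the sequence the assignment describes (not copied from p1.pcap):
# (frame_no, opcode, sender_mac, sender_ip, target_mac, target_ip)
ARP_FRAMES = [
    # normal resolution: the victim asks who has the gateway IP and the gateway answers
    (4365, ARP_REQUEST, VICTIM_MAC, "192.168.56.101", "00:00:00:00:00:00", "192.168.56.1"),
    (4366, ARP_REPLY, GATEWAY_MAC, "192.168.56.1", VICTIM_MAC, "192.168.56.101"),
    # attack: replies nobody asked for, binding the gateway IP to the attacker's MAC in the victim's cache
    (4371, ARP_REPLY, ATTACKER_MAC, "192.168.56.1", VICTIM_MAC, "192.168.56.101"),
    (4372, ARP_REPLY, ATTACKER_MAC, "192.168.56.1", VICTIM_MAC, "192.168.56.101"),
    # and the mirror image towards the gateway, so both directions flow through the attacker
    (4373, ARP_REPLY, ATTACKER_MAC, "192.168.56.101", GATEWAY_MAC, "192.168.56.1"),
]

def detect_arp_spoofing(frames):
    """Flag replies that answer no outstanding request or that move an IP to a new MAC."""
    pending = set()    # (requester_mac, requested_ip) still waiting for an answer
    bindings = {}      # ip -> MAC first seen claiming it, from requests and replies alike
    alerts = []
    for no, op, smac, sip, tmac, tip in frames:
        if op == ARP_REQUEST:
            pending.add((smac, tip))
            bindings.setdefault(sip, smac)
            continue
        reasons = []
        if (tmac, sip) in pending:
            pending.discard((tmac, sip))          # genuine answer to an earlier request
        elif sip != tip:                          # gratuitous ARP (sender IP == target IP) is a legitimate announcement
            reasons.append("unsolicited")
        if bindings.setdefault(sip, smac) != smac:
            reasons.append("rebinding")           # a DHCP reassignment also looks like this, so confirm against DHCP traffic
        if reasons:
            alerts.append({"frame": no, "reasons": reasons, "attacker_mac": smac, "impersonated_ip": sip,
                           "victim_mac": tmac, "victim_ip": tip, "previous_mac": bindings[sip]})
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_FRAMES):
        print(alert)
```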

Victim's Google Search

Between packets 11–168, the victim uses Google Instant search, which issues a request as the user types, so the final query is in packet 162. Apply the display filter http.request.uri contains "q=" to list the GET requests. The search string appears after q= in the URI. For example, it might be q=computer+security+tutorial.

HTTPS and the Second Website

The victim visits a website that enforces HSTS. After Google, the victim navigates to a second site. Use the filter ssl.handshake.type == 2 (Server Hello; Wireshark 3.x and later name the field tls.handshake.type) to find the TLS handshake messages. Look around those frames for an HTTP GET request to identify the domain. The HTTPS session between packets 1303–1322 is between the attacker and the website: because of sslstrip, the attacker holds a separate TLS connection to the server while the victim talks to the attacker over plain HTTP. HSTS only prevents this downgrade when the browser already knows the policy, from an earlier HTTPS visit or from the preload list; a first visit that starts over HTTP is still exposed.

Victim's Credentials

Packet 3284 contains a plaintext HTTP POST. Expand the HTML Form URL Encoded section of the packet details and look for the username and password fields, for example username=student&password=secret123. This demonstrates the danger of SSL stripping: the victim believes they are on HTTPS, but the attacker has downgraded the connection and captures the credentials in plaintext.
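The HTTP-level steps from the intercepted-document section and from this one, done in code as an added example that is not part of the assignment: parse a reassembled stream, pick the file extension from the Content-Type as you would after Follow TCP Stream, and flag a plaintext POST that carries credential-like form fields (reporting field names only, so an alert never records the secret itself). Both messages are constructed; the host name and values are invented, not from p2.pcap.

```python
from urllib.parse import parse_qs

# Constructed stream contents (not from the p2.pcap capture): a plaintext POST as sslstrip
# leaves it on the victim's side, and a response carrying a PDF.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
    b"username=student&password=secret123"
)
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: 9\r\n\r\n%PDF-1.4\n"

EXTENSIONS = {"application/pdf": ".pdf", "text/html": ".html", "application/octet-stream": ".bin"}
SECRET_HINTS = ("pass", "pwd", "secret", "token")     # field-name fragments that usually carry credentials

def parse_http_message(stream: bytes) -> dict:
    """Split one HTTP request or response into start line, lower-cased headers and body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))   # honour Content-Length, ignore trailing bytes
    return {"start_line": lines[0], "headers": headers, "body": body[:length]}

def media_type(msg: dict) -> str:
    """Content-Type without parameters, e.g. 'application/pdf' from 'application/pdf; charset=...'."""
    return msg["headers"].get("content-type", "").split(";")[0].strip().lower()

def export_filename(msg: dict, stem: str = "exported") -> str:
    """File name to save the body under after Follow TCP Stream, extension chosen from the media type."""
    return stem + EXTENSIONS.get(media_type(msg), ".bin")

def cleartext_credential_fields(msg: dict) -> list:
    """Names of form fields in a plaintext POST that look like secrets; values are deliberately
    not returned so that an alert never logs the password itself."""
    if not msg["start_line"].startswith("POST ") or media_type(msg) != "application/x-www-form-urlencoded":
        return []
    fields = parse_qs(msg["body"].decode("utf-8", "replace"))
    return [name for name in fields if any(hint in name.lower() for hint in SECRET_HINTS)]

if __name__ == "__main__":
    req, resp = parse_http_message(SAMPLE_REQUEST), parse_http_message(SAMPLE_RESPONSE)
    print(media_type(resp), export_filename(resp, "intercepted"))
    print("cleartext credential fields:", cleartext_credential_fields(req))
```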

Conclusion

Wireshark is an essential tool for understanding network security threats like ARP spoofing and SSL stripping. By analyzing packet captures, you can see exactly how attacks unfold and learn to defend against them. Practice with the p1.pcap and p2.pcap files to master these concepts for your CSCI 180 assignment.