Sunday, 11 July 2010

Peeking at a Sniffer

Let's begin by peeking into a Wireshark (Ethereal) capture file, taken while browsing to http://www.milw0rm.com.

Looking at this for the first time might be overwhelming. However, let's take that deep breath, examine the packet capture line by line, and apply our knowledge of TCP/IP.

Packet 1: ARP Broadcast. We've attempted to send a packet to the Internet, and before our computer can actually send it, it needs to identify the default gateway on the local network. The default gateway IP address is configured on the requesting machine, but the default gateway MAC address is unknown. My machine sends a broadcast to the whole network, asking "Who has 192.168.0.1? Tell 192.168.0.186".

Packet 2: All computers on the local subnet receive this broadcast and check whether 192.168.0.1 belongs to them. Only 192.168.0.1 responds to this ARP broadcast and sends an ARP unicast reply to 192.168.0.186, informing it of the MAC address requested.

Packet 3: Now that our computer knows where to send its packets in order for them to reach the Internet, we need to resolve the IP address of www.milw0rm.com. Our computer sends a DNS query to the DNS server defined in our TCP/IP settings, asking for the IP address of www.milw0rm.com.

Packet 4: The DNS server replies and tells our computer that the FQDN www.milw0rm.com is an alias for milw0rm.com.

Packet 5: Our computer insists on an answer and asks the DNS server, once again, for the IP address of milw0rm.com (notice, no www).

Packet 6: The DNS server replies and tells our computer that the IP address for milw0rm.com is 213.150.45.196.

Packet 7: Armed with this information, our computer attempts a 3-way handshake (remember that buzzword from TCP/IP?) with 213.150.45.196 on port 80 and sends a SYN request.

Packet 8: The web server responds with a SYN/ACK: it acknowledges our SYN and sends a SYN of its own to our machine.

Packet 9: We send a final ACK to the web server and complete the 3-way handshake.

Packet 10: Now that the handshake is complete, our computer can start talking to the service using a specific application protocol. Since we are using a web browser, our computer sends an HTTP GET request, which retrieves the index page (and, in later requests, all linked images) for our browser.

Packets 11 – end: The main page of milw0rm.com, including all linked images, is loaded in our browser.

After analyzing this dump, we can see that sniffer output actually makes sense and can give us detailed information about what goes on in our network.

(Continued)