Etudes 01 - Wireshark
Required Components
- You need a computer with a recent Wireshark installation. In the development of this example, I used Wireshark 1.6.1, which, as it happens, is the version present on Backtrack 5 R2.
- You also need the capture files developed for this etude. As WordPress apparently does not let you host arbitrary file types, I am hosting them on my campus server.
References
You can’t go wrong with
- Chris Sanders, 2011. Practical Packet Analysis, Second Edition, No Starch Press. (Publisher Site)
The Questions
- Merge the capture files into a single file for subsequent analysis.
- How long is the time between the first and last packet?
- How can you add additional columns to the packet display?
- Add a column to display the absolute date and time the packet was captured.
- When were these packets generated?
- What are the protocol hierarchy statistics?
- How many Ethernet frames were sent?
- How many IPv4 packets were sent?
- What fraction of the total packets sent were HTTP?
- View the conversations.
- How many TCP conversations took place?
- View the endpoints.
- How many Ethernet endpoints were there?
- How many virtual machines were captured?
- How can you tell?
- View the packet flow rate over time.
- At what time were packets being transferred most rapidly?
- Create a printable graph of the packet transfer rate. Use .png format.
- View the IPv4 Conversations.
- Which three (IP) destinations sent the most data in bytes?
- Use the HTTP Packet Counter to find out how many GET requests were sent.
- Examine the DNS traffic.
- What is the IP address of the local DNS Server?
- How many packets are DNS queries containing the name “sunspot”?
- What is the IP address for sunspot.net?
- What packet(s) contain this data?
- A traceroute command was issued by one of the hosts.
- What filter could you use to identify the results?
- What IP address made the request?
- What is the IP address of the target?
- A Twitter message was sent.
- How can you find all of the packets that were both HTTP and aimed to/from twitter.com?
- What is the IP address of the machine that sent the data?
- What was the content?
- What packet(s) contained that data?
- The GMail service was used.
- What host tried to connect to gmail?
- To where was that host initially redirected?
- The host was then redirected again- where?
- Can you determine the account name used to connect to gmail? Explain.
- An nmap scan was performed.
- The nmap scan began with a ping. What packet(s) are the initial nmap ping packet(s)?
- What is the source of the nmap scan?
- What is the target of the nmap scan?
- Roughly what time (clock-time, not elapsed time) did the scan take place?
- A Metasploit attack was successfully executed.
- By default, Metasploit uses port 4444 for its shells. Is there any traffic that uses port 4444?
- Follow the TCP stream on port 4444. Is there useful data present in the stream?
- Is the Meterpreter data encrypted by SSL?
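As an added example (not the author's solution, and not built from the etude's capture files), the script below answers a number of the questions above with nothing but the Python standard library: it builds two small constructed captures, merges them in timestamp order the way File > Merge or mergecap does, then dissects Ethernet, IPv4, TCP/UDP and the DNS question name far enough to reproduce the Summary, Protocol Hierarchy, Conversations and Endpoints counts and the filters for "sunspot", GET requests and port 4444. The MAC addresses, IPs, port numbers and the OUI-to-vendor table are assumptions; each comment names the Wireshark view or display filter it stands in for.

```python
"""Pure-Python reader for classic pcap files that answers several of the etude's
counting questions without the GUI. Added example, not the author's solution; the
capture bytes are constructed here rather than taken from the etude's files."""
import struct
from collections import Counter

PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # v2.4, LINKTYPE_ETHERNET
VM_OUIS = {"08:00:27": "VirtualBox", "00:0c:29": "VMware", "00:50:56": "VMware"}  # assumed OUI table

# ---- building the constructed capture -------------------------------------------
def _record(ts, data):
    sec = int(ts)
    return struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(data), len(data)) + data

def _frame(ts, smac, dmac, sip, dip, proto, l4):
    """Ethernet II + IPv4 (no options, checksum left zero) + transport segment, as a pcap record."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(sip), ip4(dip))
    return _record(ts, dmac + smac + b"\x08\x00" + ip + l4)

def _tcp(sport, dport, payload):  # PSH/ACK segment with a 20-byte header
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + payload

def _dns_query(name):  # UDP/53 standard query carrying one A question
    qname = b"".join(bytes([len(x)]) + x.encode() for x in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns

VBOX, GW, VMW = (bytes.fromhex(h) for h in ("080027aabb01", "001a2b3c4d5e", "000c29ccdd02"))
# Two constructed "capture files": a DNS lookup plus a port-4444 shell, then an HTTP exchange.
CAPTURE_1 = PCAP_HDR + b"".join([
    _frame(1000.00, VBOX, GW, "10.0.0.5", "10.0.0.1", 17, _dns_query("sunspot.net")),
    _frame(1000.50, VBOX, VMW, "10.0.0.5", "10.0.0.7", 6, _tcp(54321, 4444, b"whoami\n")),
    _frame(1001.00, VMW, VBOX, "10.0.0.7", "10.0.0.5", 6, _tcp(4444, 54321, b"root\n")),
])
CAPTURE_2 = PCAP_HDR + b"".join([
    _frame(1003.25, VBOX, GW, "10.0.0.5", "10.0.0.9", 6, _tcp(54322, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")),
    _frame(1010.00, GW, VBOX, "10.0.0.9", "10.0.0.5", 6, _tcp(80, 54322, b"HTTP/1.1 200 OK\r\n\r\n")),
])

# ---- reading: the statistics and display filters the questions ask for ----------
def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap in either byte order."""
    magic, = struct.unpack_from("<I", data)
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]  # nanosecond pcap and pcapng magics not handled
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def merge_pcaps(*captures):
    """What File > Merge (and mergecap) does by default: every record, in timestamp order."""
    recs = sorted((ts, f) for cap in captures for ts, f in read_pcap(cap))
    return PCAP_HDR + b"".join(_record(ts, f) for ts, f in recs)

def dns_qname(dns):
    """First question name of a DNS message (labels start at offset 12; queries use no compression)."""
    labels, i = [], 12
    while dns[i]:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode())
        i += 1 + dns[i]
    return ".".join(labels)

def decode(frame):
    """Dissect Ethernet II / IPv4 / TCP or UDP / DNS question name into a flat dict."""
    p = {"len": len(frame), "eth_dst": frame[0:6].hex(":"), "eth_src": frame[6:12].hex(":")}
    if frame[12:14] != b"\x08\x00":            # EtherType other than IPv4: stop at layer 2
        return p
    ihl = (frame[14] & 0x0F) * 4
    p.update(ip_src=".".join(map(str, frame[26:30])), ip_dst=".".join(map(str, frame[30:34])), proto=frame[23])
    l4 = frame[14 + ihl:]
    p["sport"], p["dport"] = struct.unpack_from("!HH", l4)
    if p["proto"] == 6:                          # TCP: data offset is in 32-bit words
        p["payload"] = l4[(l4[12] >> 4) * 4:]
    elif p["proto"] == 17:                       # UDP: fixed 8-byte header
        p["payload"] = l4[8:]
        if 53 in (p["sport"], p["dport"]):
            p["dns_name"] = dns_qname(p["payload"])
    return p

def analyse(data):
    """Answers to the counting questions; each comment names the Wireshark view or filter."""
    pkts = [(ts, decode(f)) for ts, f in read_pcap(data)]
    ts = [t for t, _ in pkts]
    ip = [p for _, p in pkts if "ip_src" in p]
    tcp = [p for p in ip if p["proto"] == 6]
    macs = {m for _, p in pkts for m in (p["eth_src"], p["eth_dst"])}
    convs = {frozenset([(p["ip_src"], p["sport"]), (p["ip_dst"], p["dport"])]) for p in tcp}
    by_dst = Counter()
    for p in ip:
        by_dst[p["ip_dst"]] += p["len"]
    return {
        "duration_s": max(ts) - min(ts),                      # Statistics > Summary
        "eth_frames": len(pkts),                              # Protocol Hierarchy: Ethernet
        "ipv4_packets": len(ip),                              # Protocol Hierarchy: IPv4 (filter: ip)
        "tcp_conversations": len(convs),                      # Statistics > Conversations > TCP
        "eth_endpoints": len(macs),                           # Statistics > Endpoints > Ethernet
        "vm_endpoints": sorted(m for m in macs if m[:8] in VM_OUIS),  # the OUI gives away the VMs
        "top_dst_bytes": by_dst.most_common(3),               # Conversations > IPv4, sorted by bytes
        "dns_sunspot": sum("sunspot" in p.get("dns_name", "") for p in ip),  # dns.qry.name contains "sunspot"
        "http_get": sum(p["payload"].startswith(b"GET ") for p in tcp),     # http.request.method == "GET"
        "port_4444_stream": b"".join(p["payload"] for p in tcp if 4444 in (p["sport"], p["dport"])),  # tcp.port == 4444
    }

if __name__ == "__main__":
    for k, v in analyse(merge_pcaps(CAPTURE_1, CAPTURE_2)).items():
        print(f"{k:18} {v!r}")
```

On the real files the same numbers come from the command-line tools shipped with Wireshark: `mergecap -w merged.pcap a.pcap b.pcap` merges in timestamp order, and `capinfos merged.pcap` reports the capture duration. The Twitter and GMail questions need the HTTP dissector (Host headers and redirect responses), which this reader deliberately stops short of; the port-4444 stream is reassembled here only by concatenating payloads in capture order, whereas Follow TCP Stream also honours sequence numbers.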