Etudes 01- Wireshark

Required Components

  • You need a computer with a recent Wireshark installation. In developing this example I used Wireshark 1.6.1, which, as it happens, is the version present on BackTrack 5 R2.
  • You also need the capture files developed for this etude. As WordPress apparently does not let you host arbitrary file types, I am hosting them on my campus server.

References

You can’t go wrong with

  • Chris Sanders, 2011. Practical Packet Analysis, Second Edition. No Starch Press.

The Questions

  1. Merge the capture files into a single file for subsequent analysis.
    1. How much time elapsed between the first and last packets?
  2. How can you add additional columns to the packet display?
    1. Add a column to display the absolute date and time the packet was captured.
    2. When were these packets generated?
  3. What are the protocol hierarchy statistics?
    1. How many Ethernet frames were sent?
    2. How many IPv4 packets were sent?
    3. What fraction of the total packets sent were HTTP?
  4. View the conversations.
    1. How many TCP conversations took place?
  5. View the endpoints.
    1. How many Ethernet endpoints were there?
    2. How many virtual machines were captured?
    3. How can you tell?
  6. View the packet flow rate over time.
    1. At what time were packets being transferred most rapidly?
    2. Create a printable graph of the packet transfer rate. Use .png format.
  7. View the IPv4 Conversations.
    1. Which three (IP) destinations sent the most data in bytes?
  8. Use the HTTP Packet Counter to find out how many GET requests were sent.
  9. Examine the DNS traffic
    1. What is the IP address of the local DNS Server?
    2. How many packets are DNS queries containing the name “sunspot”?
    3. What is the IP address for sunspot.net?
    4. What packet(s) contain this data?
  10. A traceroute command was issued by one of the hosts.
    1. What filter could you use to identify the results?
    2. What IP address made the request?
    3. What is the IP address of the target?
  11. A Twitter message was sent.
    1. How can you find all of the packets that are both HTTP and addressed to or from twitter.com?
    2. What is the IP address of the machine that sent the data?
    3. What was the content?
    4. What packet(s) contained that data?
  12. The Gmail service was used.
    1. What host tried to connect to Gmail?
    2. To where was that host initially redirected?
    3. The host was then redirected again. Where to?
    4. Can you determine the account name used to connect to gmail? Explain.
  13. An nmap scan was performed.
    1. The nmap scan began with a ping. What packet(s) are the initial nmap ping packet(s)?
    2. What is the source of the nmap scan?
    3. What is the target of the nmap scan?
    4. Roughly what time (clock-time, not elapsed time) did the scan take place?
  14. A Metasploit attack was successfully executed.
    1. By default, Metasploit uses port 4444 for its shells. Is there any traffic that uses port 4444?
    2. Follow the TCP stream on port 4444. Is there useful data present in the stream?
    3. Is the Meterpreter data encrypted with SSL?
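The pure-Python helper below is an added example and is not part of the etude or its capture files. It reproduces, over a small constructed capture, what mergecap and the Statistics menus compute for questions 1, 3, 4, 5, 9 and 14, so the numbers can be checked offline without the real files. Every MAC address, IP address, timestamp and port in the sample, the VM_OUIS set used to answer question 5, and all function names are assumptions made for this example.

```python
import socket
import struct

# --- libpcap container: the file format Wireshark, tshark and mergecap read and write ---
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # little-endian magic, microsecond timestamps
def build_pcap(frames):
    """frames: list of (timestamp, raw Ethernet frame) -> bytes of a .pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, raw in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(raw), len(raw)) + raw
    return out
def parse_pcap(data):
    """Inverse of build_pcap (classic little-endian pcap only, not pcapng)."""
    assert struct.unpack_from("<I", data)[0] == PCAP_MAGIC, "unexpected pcap magic"
    frames, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return frames
def merge_captures(*pcaps):
    """Question 1: mergecap's default, i.e. interleave the inputs chronologically by timestamp."""
    return sorted((f for p in pcaps for f in parse_pcap(p)), key=lambda f: f[0])

# --- builders for the constructed sample frames ---
def mac(s): return bytes.fromhex(s.replace(":", ""))
def eth_ipv4(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Ethernet II + IPv4 header (no options, checksum left zero) + L4 segment."""
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ipv4 + l4
def tcp(sport, dport, payload=b""):       # 20-byte header, PSH|ACK, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def dns_query(name):                       # standard query, one A-record question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# --- decoder for the few fields the Statistics windows and display filters key on ---
def dns_qname(payload):
    """Walk the labels of the first question: what Wireshark shows as dns.qry.name."""
    off, labels = 12, []
    while off < len(payload) and payload[off]:
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)
def decode(raw):
    rec = {"eth_dst": raw[:6].hex(":"), "eth_src": raw[6:12].hex(":"),
           "ipv4": raw[12:14] == b"\x08\x00"}
    if not rec["ipv4"]:
        return rec                          # e.g. ARP: counted as Ethernet, not as IPv4
    ihl, proto = (raw[14] & 0x0F) * 4, raw[23]
    rec["ip_src"], rec["ip_dst"] = socket.inet_ntoa(raw[26:30]), socket.inet_ntoa(raw[30:34])
    rec["proto"], l4 = {6: "tcp", 17: "udp"}.get(proto, proto), raw[14 + ihl:]
    if proto in (6, 17):
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        rec["payload"] = l4[(l4[12] >> 4) * 4:] if proto == 6 else l4[8:]
    return rec

# Assumption for question 5: guest NICs carry a virtualisation vendor OUI (VMware, VirtualBox).
VM_OUIS = {"00:0c:29", "00:50:56", "08:00:27"}
def analyze(frames):
    """Counts behind questions 1, 3, 4, 5, 9 and 14; comments name the matching Wireshark view."""
    recs = [decode(raw) for _, raw in frames]
    tcp_convs = {tuple(sorted([(r["ip_src"], r["sport"]), (r["ip_dst"], r["dport"])]))
                 for r in recs if r.get("proto") == "tcp"}     # Statistics > Conversations (TCP)
    endpoints = {r["eth_src"] for r in recs} | {r["eth_dst"] for r in recs}  # Statistics > Endpoints
    return {
        "duration_s": frames[-1][0] - frames[0][0],             # Statistics > Summary
        "eth_frames": len(recs),                                # Protocol Hierarchy: Ethernet
        "ipv4_packets": sum(r["ipv4"] for r in recs),           # Protocol Hierarchy: IPv4
        "tcp_conversations": len(tcp_convs),
        "eth_endpoints": len(endpoints),
        "vm_endpoints": sum(e[:8] in VM_OUIS for e in endpoints),
        "dns_sunspot_queries": sum(r.get("dport") == 53 and "sunspot" in dns_qname(r["payload"])
                                   for r in recs),              # dns.qry.name contains "sunspot"
        "port_4444_packets": sum(r.get("proto") == "tcp" and 4444 in (r["sport"], r["dport"])
                                 for r in recs),                # tcp.port == 4444
    }

# Constructed sample (every MAC, IP and time is invented): VM1 resolves sunspot.net and fetches a page, then a reverse_tcp payload on it calls back to VM2 on 4444; split across two files.
VM1, VM2, GW, BCAST = "00:0c:29:aa:bb:cc", "08:00:27:de:ad:00", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
CAPTURE_A = build_pcap([
    (100.0, eth_ipv4(VM1, GW, "192.168.1.10", "192.168.1.1", 17, udp(51000, 53, dns_query("sunspot.net")))),
    (100.5, eth_ipv4(VM1, GW, "192.168.1.10", "198.51.100.7", 6, tcp(40000, 80, b"GET / HTTP/1.1\r\n\r\n"))),
    (102.0, eth_ipv4(GW, VM1, "198.51.100.7", "192.168.1.10", 6, tcp(80, 40000, b"HTTP/1.1 200 OK\r\n\r\n"))),
])
CAPTURE_B = build_pcap([
    (101.0, eth_ipv4(VM1, VM2, "192.168.1.10", "192.168.1.20", 6, tcp(51234, 4444))),
    (103.0, eth_ipv4(VM2, VM1, "192.168.1.20", "192.168.1.10", 6, tcp(4444, 51234, b"\x00\x00\x00\x04core"))),
    (103.5, mac(BCAST) + mac(VM2) + b"\x08\x06" + bytes(28)),    # ARP frame: Ethernet, not IPv4
])
def run_example():
    return analyze(merge_captures(CAPTURE_A, CAPTURE_B))
```

Calling `run_example()` returns the counts for the merged sample; for the real etude you would feed `parse_pcap(open(path, "rb").read())` the files instead. Two caveats: `parse_pcap` only understands classic little-endian pcap, so a capture saved as pcapng or from a big-endian host must be converted first (e.g. with editcap), and the OUI test for question 5 is a heuristic, since a VM with a bridged or manually set MAC will not match it.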