WIRESHARK: BASICS

TOOL OVERVIEW

Use the "Exercise.pcapng" file to answer the question. Read the "capture file comments". What is the flag?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > Capture File Properties
 Capture File Comments: Flag: TryHackMe_Wireshark_Demo

Use the "Exercise.pcapng" file to answer the question. What is the total number of packets?

WireShark > File > Open > Exercise.pcapng
WireShark > Status Bar
 Packets: 58620

 * the status bar is located on the bottom of the GUI

Use the "Exercise.pcapng" file to answer the question. What is the SHA256 hash value of the capture file?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > Capture File Properties
 FILE
  Hash (SHA256): f446de335565fb0b0ee5e5a3266703c778b2f3dfad7efeaeccb2da5641a6d6eb

PACKET DISSECTION

Use the "Exercise.pcapng" file to answer the question. View packet number 38. Which markup language is used under the HTTP protocol?

WireShark > File > Open > Exercise.pcapng
 Packet List > Packet Number 38
 Packet Details > right-click eXtensible Markup Language > Copy > Description
  * eXtensible Markup Language

Use the "Exercise.pcapng" file to answer the question. What is the arrival date of the packet? (Answer format: Month/Day/Year)

WireShark > File > Open > Exercise.pcapng
 Packet List > Packet Number 38
 Packet Details > Frame > right-click Arrival Time... > Copy > Value
  * May 13, 2004 10:17:12.158193000 UTC

Use the "Exercise.pcapng" file to answer the question. What is the TTL value?

WireShark > File > Open > Exercise.pcapng
 Packet List > Packet Number 38
 Packet Details > IPv4 > right-click Time To Live > Copy > Value
  * 47

Use the "Exercise.pcapng" file to answer the question. What is the TCP payload size?

WireShark > File > Open > Exercise.pcapng
 Packet List > Packet Number 38
 Packet Details > TCP > TCP Payload
  * 424

Use the "Exercise.pcapng" file to answer the question. What is the e-tag value?

WireShark > File > Open > Exercise.pcapng
 Packet List > Packet Number 38
 Packet Details > Hypertext Transfer Protocol > HTTP/1.1 200 OK\r\n > right-click ETag > Copy > Value
  * 9a01a-4696-7e354b00

Use the "Exercise.pcapng" file to answer the question. Search the "r4w" string in packet details. What is the name of artist 1?

WireShark > File > Open > Exercise.pcapng
WireShark > Edit > Find Packet
 Source: Packet Details
 Search Type: Narrow & Wide
 Case Sensitive: Disabled
 Input Type: String
 Input: r4w
 
 Line Based Test Data > right-click [truncated]... > Copy > Value
  - [truncated]Sed aliquam sem ut arcu.</p><p>painted by: <a href='artists.php?artist=1'>r4w8173</a></p><p><a href='#' onClick="window.open('./comment.php?pid=1','comment','width=500,height=400')">comment on this picture</a></p></div><div cl
 
 * ALT: can use CTRL+F

Use the "Exercise.pcapng" file to answer the question. Go to packet 12 and read the comments. What is the answer?

WireShark > File > Open > Exercise.pcapng
WireShark > Go > Go to Packet
 Packet Number: 12
 
 Packet Comments > right-click > Copy > Value
  - This_is_Not_a_Flag_This_is_Not_a_Flag_This_is_Not_a_Flag_This_is_Not_a_Flag_This_is_Not_a_Flag_This_is_Not_a_Flag
    Go to packet number 39765
    Look at the "packet details pane". Right-click on the JPEG section and "Export packet bytes". This is an alternative way of extracting data from a capture file. What is the MD5 hash value of extracted image?
    
WireShark > Go > Go to Packet
 Packet Number: 39765
 Packet Details > right-click JPEG File Interchange Format > Export Packet Bytes
  Name: exportedJPGData

root@thm:~$ md5sum exportedJPGData 
 911cd574a42865a956ccde2d04495ebf  /home/ubuntu/Desktop/exportedJPGData

Use the "Exercise.pcapng" file to answer the question. There is a ".txt" file inside the capture file. Find the file and read it; what is the alien's name?

WireShark > File > Open > Exercise.pcapng
WireShark > File > Export Objects > HTTP > Sort Filename
 4267  10.10.47.123:9696  text/plain  5454 bytes  note.txt
 
root@thm:~$ cat note.txt
 packetmaster
 
 * select objects from the list

Use the "Exercise.pcapng" file to answer the question. Look at the expert info section. What is the number of warnings?

WireShark > File > Open > Exercise.pcapng
 status bar > click the globe on the lower left-hand side
  - Warning 643 HTTP: Illegal characters found in header name Protocol HTTP 1636

PACKET FILTERING

Use the "Exercise.pcapng" file to answer the question. Go to packet number 4. Right-click on the "Hypertext Transfer Protocol" and apply it as a filter. Now, look at the filter pane. What is the filter query?

WireShark > File > Open > Exercise.pcapng
WireShark > Packet List > Go > Go to Packet
 packet: 4

WireShark > Packet Details > right-click HTTP > Apply as Filter > Selected
 filter pane: http

Use the "Exercise.pcapng" file to answer the question. Go to packet number 4. Right-click on the "Hypertext Transfer Protocol" and apply it as a filter. What is the number of displayed packets?

WireShark > File > Open > Exercise.pcapng
WireShark > Packet List > Go > Go to Packet
 packet: 4

WireShark > Packet Details > right-click HTTP > Apply as Filter > Selected
 status bar: Packets: 58620 - Displayed: 1089 (1.9%)

Use the "Exercise.pcapng" file to answer the question. Go to packet number 33790 and follow the stream. What is the total number of artists?

WireShark > File > Open > Exercise.pcapng
WireShark > Packet List > Go > Go to Packet
 packet: 33790

WireShark > Packet List > right-click selected packet > Follow > HTTP Stream
 Find: artist
  <div class='story'><a href='artists.php?artist=1'><h3>r4w8173</h3></a><p><a href='#' onClick="window.open('./comment.php?aid=1','comment','width=500,height=400')">comment on this artist</a></p></div><div class='story'><a href='artists.php?artist=2'><h3>Blad3</h3></a><p><a href='#' onClick="window.open('./comment.php?aid=2','comment','width=500,height=400')">comment on this artist</a></p></div><div class='story'><a href='artists.php?artist=3'><h3>lyzae</h3></a><p><a href='#' onClick="window.open('./comment.php?aid=3','comment','width=500,height=400')">comment on this artist</a></p></div>

Use the "Exercise.pcapng" file to answer the question. Go to packet number 33790 and follow the stream. What is the name of the second artist?

WireShark > File > Open > Exercise.pcapng
WireShark > Packet List > Go > Go to Packet
 packet: 33790

WireShark > Packet List > right-click selected packet > Follow > HTTP Stream
 Find: artist
  <div class='story'><a href='artists.php?artist=1'><h3>r4w8173</h3></a><p><a href='#' onClick="window.open('./comment.php?aid=1','comment','width=500,height=400')">comment on this artist</a></p></div><div class='story'><a href='artists.php?artist=2'><h3>Blad3</h3></a><p><a href='#' onClick="window.open('./comment.php?aid=2','comment','width=500,height=400')">comment on this artist</a></p></div><div class='story'><a href='artists.php?artist=3'><h3>lyzae</h3></a><p><a href='#' onClick="window.open('./comment.php?aid=3','comment','width=500,height=400')">comment on this artist</a></p></div>

PreviousBRIM NextWIRESHARK: PACKET OPERATIONS

Last updated 10 months ago

TOOL OVERVIEW

PACKET DISSECTION

PACKET NAVIGATION

PACKET FILTERING