WIRESHARK: PACKET OPERATIONS

STATISTICS | SUMMARY

Use the "Exercise.pcapng" file to answer the question. Investigate the resolved addresses. What is the IP address of the hostname starts with "bbc"?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > Resolved Addresses > Hosts
 Filter: bbc
 
 * 199.232.24.81

Use the "Exercise.pcapng" file to answer the question. What is the number of IPv4 conversations?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > Conversations > IPv4
 * 435

Use the "Exercise.pcapng" file to answer the question. How many bytes (k) were transferred from the "Micro-St" MAC address?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > Endpoints > Ethernet
 Name Resolution: enabled
 Addresses: Sort Ascending
 
 * Micro-St 9a:f1:f5 7474k

Use the "Exercise.pcapng" file to answer the question. What is the number of IP addresses linked with "Kansas City"?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > Endpoints > IPv4
 City: Sort Ascending
 
 * 4

Use the "Exercise.pcapng" file to answer the question. Which IP address is linked with "Blicnet" AS Organisation?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > Endpoints > IPv4
 AS Organization: Sort Ascending
 
 * Blicnet d.o.o 188.246.82.7

STATISTICS | PROTOCOL DETAILS

Use the "Exercise.pcapng" file to answer the question. What is the most used IPv4 destination address?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > IPv4 Statistics > Destination and Ports
 Count: Sort Descending
 
 * 10.100.1.33  29387

Use the "Exercise.pcapng" file to answer the question. What is the max service request-response time of the DNS packets?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > DNS
 
==============================================================================================================================================
DNS:
Topic / Item                   Count         Average       Min val       Max val       Rate (ms)     Percent       Burst rate    Burst start  
----------------------------------------------------------------------------------------------------------------------------------------------
Total Packets                  171                                                     0.0000        100%          0.1600        568415439.987
...
Service Stats                  0                                                       0.0000        100%          -             -            
 request-response time (secs)  85            0.07          0.000075      0.467897      0.0000                      0.0800        568415439.988
 no. of unsolicited responses  0                                                       0.0000                      -             -            
 no. of retransmissions        0                                                       0.0000                      -             -            

----------------------------------------------------------------------------------------------------------------------------------------------

Use the "Exercise.pcapng" file to answer the question. What is the number of HTTP Requests accomplished by "rad[.]msn[.]com?

WireShark > File > Open > Exercise.pcapng
WireShark > Statistics > HTTP > Requests
 rad.msn.com 39

PACKET FILTERING | PROTOCOL FILTERS

Use the "Exercise.pcapng" file to answer the question. What is the number of IP packets?

WireShark > File > Open > Exercise.pcapng
 Filter: ip
 Packets: 81530 Displayed: 81420 (99.9%)

Use the "Exercise.pcapng" file to answer the question. What is the number of packets with a "TTL value less than 10"?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: Time to Live
  Field Name: IPv4 > ip.ttl Time to Live
  Relation: <
  Value: 10
  
  Filter: ip.ttl < 10
   Packets: 81530 Displayed: 66 (0.1%)

Use the "Exercise.pcapng" file to answer the question. What is the number of packets which uses "TCP port 4444"?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: tcp.p
  Field Name: TCP > tcp.port
  Relation: ==
  Value: 4444
   
  Filter: tcp.port == 4444
   Packets: 81530 Displayed: 632 (0.8%)

Use the "Exercise.pcapng" file to answer the question. What is the number of "HTTP GET" requests sent to port "80"?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: http
  Field Name: HTTP > http.request.method
  Relation: ==
  Value: GET
   
  Filter: http.request.method == "GET" && tcp.port == 80
   Packets: 81530 Displayed: 527 (0.6%)

Use the "Exercise.pcapng" file to answer the question. What is the number of "type A DNS Queries"?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: dns
  Field Name: DNS > dns.qry.type
  Relation: ==
  Value: 1
  Predefined Values: A (Host Address)
   
  Filter: dns.qry.type == 1 && dns.flags.response == 1
   Packets: 81530 Displayed: 51 (0.1%)

ADVANCED FILTERING

Use the "Exercise.pcapng" file to answer the question. Find all Microsoft IIS servers. What is the number of packets that did not originate from "port 80"?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: server
  Field Name: HTTP > http.server
  Relation: contains
  Value: iis
   
  Filter: http.server contains "iis"
  
  * revise and improve the original filter
  
WireShark > Filter Bar
 Filter: lower(http.server) contains "iis" && not tcp.port == 80
   Packets: 81530 Displayed: 21 (0.0%)

Use the "Exercise.pcapng" file to answer the question. Find all Microsoft IIS servers. What is the number of packets that have "version 7.5"?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: server
  Field Name: HTTP > http.server
  Relation: matches
  Value: iis/7.5
   
  Filter: http.server matches "iis/7.5"

  * Packets: 81530 Displayed: 71 (0.1%)

Use the "Exercise.pcapng" file to answer the question. What is the total number of packets that use ports 3333, 4444 or 9999?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: tcp.port
  Field Name: TCP > tcp.port
  Relation: in
  Value: 3333 4444 9999
   
  Filter: tcp.port in {3333 4444 9999}

  * Packets: 81530 Displayed: 2235 (2.7%)

Use the "Exercise.pcapng" file to answer the question. What is the number of packets with "even TTL numbers"?

WireShark > File > Open > Exercise.pcapng
WireShark > Analyze > Display Filter Expression
 Search: time to live
  Field Name: IPv4 > ip.ttl
  Relation: is present
  Value: n/a
   
  Filter: ip.ttl
  
  * revise and improve the original filter

WireShark > Filter Bar
 Filter: string(ip.ttl) matches "[02468]$"
   Packets: 81530 Displayed: 77289 (94.8%)
   
  * for odd numbers use "[13579]"

Use the "Exercise.pcapng" file to answer the question. Change the profile to "Checksum Control". What is the number of "Bad TCP Checksum" packets?

WireShark > Status Bar > right-click Profile Menu > switch to > checksum control
WireShark > Analyze > Display Filter Expression
 Search: checksum
  Field Name: TCP > tcp.checksum_bad.expert
  Relation: is present
  Value: n/a
   
  Filter: tcp.checksum_bad.expert

 * This new profile is customised to detect checksum errors. 
    - Bad TCP checksums are shown in red and black colours.
    
 * Packets: 81530 Displayed: 34185 (41.9%)

Use the "Exercise.pcapng" file to answer the question. Use the existing filtering button to filter the traffic. What is the number of displayed packets?

WireShark > Status Bar > right-click Profile Menu > switch to > checksum control
WireShark > Analyze > Display Filter Expression
 Search: checksum
  Field Name: TCP > tcp.checksum_bad.expert
  Relation: is present
  Value: n/a
   
  Filter: tcp.checksum_bad.expert

 * This new profile is customised to detect checksum errors. 
    - Bad TCP checksums are shown in red and black colours.
    
WireShark > gif/jpeg with http-200 button
 * this "gif/jpeg with http-200" button is part of the checksum profile
   and is located on the right-hand side of the filter bar
   
 * Packets: 81530 Displayed: 261 (0.3%)

PreviousWIRESHARK: BASICS NextWIRESHARK: TRAFFIC ANALYSIS

Last updated 9 months ago