WIRESHARK: PACKET OPERATIONS
STATISTICS | SUMMARY
Use the "Exercise.pcapng" file to answer the question. Investigate the resolved addresses. What is the IP address of the hostname that starts with "bbc"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > Resolved Addresses > Hosts
Filter: bbc
* 199.232.24.81
Use the "Exercise.pcapng" file to answer the question. What is the number of IPv4 conversations?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > Conversations > IPv4
* 435
Use the "Exercise.pcapng" file to answer the question. How many bytes (k) were transferred from the "Micro-St" MAC address?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > Endpoints > Ethernet
Name Resolution: enabled
Addresses: Sort Ascending
* Micro-St 9a:f1:f5 7474k
Use the "Exercise.pcapng" file to answer the question. What is the number of IP addresses linked with "Kansas City"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > Endpoints > IPv4
City: Sort Ascending
* 4
Use the "Exercise.pcapng" file to answer the question. Which IP address is linked with the "Blicnet" AS Organisation?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > Endpoints > IPv4
AS Organization: Sort Ascending
* Blicnet d.o.o 188.246.82.7
STATISTICS | PROTOCOL DETAILS
Use the "Exercise.pcapng" file to answer the question. What is the most used IPv4 destination address?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > IPv4 Statistics > Destination and Ports
Count: Sort Descending
* 10.100.1.33 29387
Use the "Exercise.pcapng" file to answer the question. What is the max service request-response time of the DNS packets?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > DNS
==============================================================================================================================================
DNS:
Topic / Item                      Count  Average  Min val   Max val   Rate (ms)  Percent  Burst rate  Burst start
----------------------------------------------------------------------------------------------------------------------------------------------
Total Packets                     171                                  0.0000     100%     0.1600      568415439.987
...
Service Stats                     0                                    0.0000     100%     -           -
 request-response time (secs)     85     0.07     0.000075  0.467897  0.0000              0.0800      568415439.988
 no. of unsolicited responses     0                                    0.0000              -           -
 no. of retransmissions           0                                    0.0000              -           -
----------------------------------------------------------------------------------------------------------------------------------------------
* Max val of "request-response time (secs)": 0.467897
Use the "Exercise.pcapng" file to answer the question. What is the number of HTTP Requests accomplished by "rad[.]msn[.]com"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Statistics > HTTP > Requests
* rad.msn.com 39
PACKET FILTERING | PROTOCOL FILTERS
Use the "Exercise.pcapng" file to answer the question. What is the number of IP packets?
Wireshark > File > Open > Exercise.pcapng
Filter: ip
* Packets: 81530 Displayed: 81420 (99.9%)
Use the "Exercise.pcapng" file to answer the question. What is the number of packets with a "TTL value less than 10"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: Time to Live
Field Name: IPv4 > ip.ttl Time to Live
Relation: <
Value: 10
Filter: ip.ttl < 10
* Packets: 81530 Displayed: 66 (0.1%)
Use the "Exercise.pcapng" file to answer the question. What is the number of packets that use "TCP port 4444"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: tcp.p
Field Name: TCP > tcp.port
Relation: ==
Value: 4444
Filter: tcp.port == 4444
* "tcp.port" covers both tcp.srcport and tcp.dstport, so this matches packets with 4444 in either direction.
* Packets: 81530 Displayed: 632 (0.8%)
Use the "Exercise.pcapng" file to answer the question. What is the number of "HTTP GET" requests sent to port "80"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: http
Field Name: HTTP > http.request.method
Relation: ==
Value: GET
Filter: http.request.method == "GET" && tcp.port == 80
* Packets: 81530 Displayed: 527 (0.6%)
Use the "Exercise.pcapng" file to answer the question. What is the number of "type A DNS Queries"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: dns
Field Name: DNS > dns.qry.type
Relation: ==
Value: 1
Predefined Values: A (Host Address)
Filter: dns.qry.type == 1 && dns.flags.response == 1
* Packets: 81530 Displayed: 51 (0.1%)
ADVANCED FILTERING
Use the "Exercise.pcapng" file to answer the question. Find all Microsoft IIS servers. What is the number of packets that did not originate from "port 80"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: server
Field Name: HTTP > http.server
Relation: contains
Value: iis
Filter: http.server contains "iis"
* revise and improve the original filter: "contains" is case-sensitive, so wrap the field in lower() to catch "Microsoft-IIS" as well, and exclude port 80 (because "tcp.port" covers both directions, "not tcp.port == 80" drops every packet that touches port 80 on either side)
Wireshark > Filter Bar
Filter: lower(http.server) contains "iis" && not tcp.port == 80
* Packets: 81530 Displayed: 21 (0.0%)
Use the "Exercise.pcapng" file to answer the question. Find all Microsoft IIS servers. What is the number of packets that have "version 7.5"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: server
Field Name: HTTP > http.server
Relation: matches
Value: iis/7.5
Filter: http.server matches "iis/7.5"
* "matches" applies a case-insensitive regular expression, so "iis/7.5" also hits "Microsoft-IIS/7.5" without needing lower()
* Packets: 81530 Displayed: 71 (0.1%)
Use the "Exercise.pcapng" file to answer the question. What is the total number of packets that use ports 3333, 4444 or 9999?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: tcp.port
Field Name: TCP > tcp.port
Relation: in
Value: 3333 4444 9999
Filter: tcp.port in {3333 4444 9999}
* Packets: 81530 Displayed: 2235 (2.7%)
Use the "Exercise.pcapng" file to answer the question. What is the number of packets with "even TTL numbers"?
Wireshark > File > Open > Exercise.pcapng
Wireshark > Analyze > Display Filter Expression
Search: time to live
Field Name: IPv4 > ip.ttl
Relation: is present
Value: n/a
Filter: ip.ttl
* revise and improve the original filter: "ip.ttl" is an integer field, so convert it with string() before applying a regular expression to its last digit
Wireshark > Filter Bar
Filter: string(ip.ttl) matches "[02468]$"
* Packets: 81530 Displayed: 77289 (94.8%)
* for odd numbers use "[13579]"
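The display filters used above (ip.ttl < 10, tcp.port == 4444, tcp.port in {...}, lower(http.server) contains "iis" && not tcp.port == 80, and string(ip.ttl) matches "[02468]$") all rely on one Wireshark rule: a field can occur more than once in a packet, and a comparison is true when any occurrence satisfies it. The Python below is an added example written for these notes; it is not code from the TryHackMe room or from Wireshark. It re-implements those filters over a handful of constructed packet records (sample data, not taken from Exercise.pcapng) so the matching rules, including why "not tcp.port == 80" excludes both directions, can be checked offline.

```python
import re

# Constructed sample "packets" (NOT from Exercise.pcapng). Each dict holds the
# dissected fields under the names Wireshark uses for them.
PACKETS = [
    {"frame.number": 1, "ip.ttl": 128, "tcp.srcport": 49152, "tcp.dstport": 80},
    {"frame.number": 2, "ip.ttl": 64,  "tcp.srcport": 80,    "tcp.dstport": 49152,
     "http.server": "Microsoft-IIS/7.5"},
    {"frame.number": 3, "ip.ttl": 7,   "tcp.srcport": 4444,  "tcp.dstport": 51000},
    {"frame.number": 4, "ip.ttl": 255, "tcp.srcport": 51001, "tcp.dstport": 9999},
    {"frame.number": 5, "ip.ttl": 63,  "tcp.srcport": 8080,  "tcp.dstport": 52000,
     "http.server": "microsoft-iis/8.5"},
    {"frame.number": 6, "ip.ttl": 64,  "udp.srcport": 53,    "udp.dstport": 5353},
]


def field_values(pkt, name):
    """Return every occurrence of a field, the way a Wireshark filter sees it.

    'tcp.port' is a virtual field that stands for both tcp.srcport and
    tcp.dstport, so it yields up to two values per packet. Other fields in
    this toy model occur at most once.
    """
    if name == "tcp.port":
        return [pkt[k] for k in ("tcp.srcport", "tcp.dstport") if k in pkt]
    return [pkt[name]] if name in pkt else []


def any_match(pkt, name, pred):
    """A display-filter comparison is true if ANY occurrence satisfies it."""
    return any(pred(v) for v in field_values(pkt, name))


def ttl_less_than(pkts, limit):
    """ip.ttl < limit"""
    return [p for p in pkts if any_match(p, "ip.ttl", lambda v: v < limit)]


def tcp_port_eq(pkts, port):
    """tcp.port == port  (matches source OR destination port)"""
    return [p for p in pkts if any_match(p, "tcp.port", lambda v: v == port)]


def tcp_port_in(pkts, ports):
    """tcp.port in {ports}"""
    wanted = set(ports)
    return [p for p in pkts if any_match(p, "tcp.port", lambda v: v in wanted)]


def iis_not_port_80(pkts):
    """lower(http.server) contains "iis" && not tcp.port == 80

    'contains' is case-sensitive, hence the lower(). 'not tcp.port == 80'
    negates an any-occurrence match, so it is true only when NEITHER port
    is 80: a reply from an IIS server on port 80 is excluded even though
    its other port is an ephemeral one.
    """
    out = []
    for p in pkts:
        is_iis = any_match(p, "http.server", lambda v: "iis" in v.lower())
        touches_80 = any_match(p, "tcp.port", lambda v: v == 80)
        if is_iis and not touches_80:
            out.append(p)
    return out


def even_ttl(pkts, digits="[02468]"):
    """string(ip.ttl) matches "[02468]$"  (pass "[13579]" for odd TTLs)

    ip.ttl is an integer field; the filter converts it to text so a regular
    expression can test the last digit. Wireshark's 'matches' is a
    case-insensitive PCRE search; re.search on digits behaves the same.
    """
    pattern = re.compile(digits + "$")
    return [p for p in pkts if any_match(p, "ip.ttl", lambda v: pattern.search(str(v)))]


def frame_numbers(pkts):
    return [p["frame.number"] for p in pkts]


def status_line(total, displayed):
    """Format the count the way the Wireshark status bar shows it."""
    return f"Packets: {total} Displayed: {displayed} ({displayed / total:.1%})"


if __name__ == "__main__":
    for label, hits in [
        ("ip.ttl < 10", ttl_less_than(PACKETS, 10)),
        ("tcp.port == 4444", tcp_port_eq(PACKETS, 4444)),
        ("tcp.port in {3333 4444 9999}", tcp_port_in(PACKETS, (3333, 4444, 9999))),
        ('lower(http.server) contains "iis" && not tcp.port == 80', iis_not_port_80(PACKETS)),
        ('string(ip.ttl) matches "[02468]$"', even_ttl(PACKETS)),
    ]:
        print(f"{label}: frames {frame_numbers(hits)}; {status_line(len(PACKETS), len(hits))}")
```

Frame 2 is the instructive case: it carries an IIS Server header, but because one of its ports is 80, "not tcp.port == 80" removes it, which is exactly what the room's filter does to the server-side replies in the real capture.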
Use the "Exercise.pcapng" file to answer the question. Change the profile to "Checksum Control". What is the number of "Bad TCP Checksum" packets?
Wireshark > Status Bar > right-click Profile Menu > Switch to > Checksum Control
Wireshark > Analyze > Display Filter Expression
Search: checksum
Field Name: TCP > tcp.checksum_bad.expert
Relation: is present
Value: n/a
Filter: tcp.checksum_bad.expert
* This profile is customised to detect checksum errors.
- Bad TCP checksums are shown in red and black colours.
* Packets: 81530 Displayed: 34185 (41.9%)
Use the "Exercise.pcapng" file to answer the question. Use the existing filtering button to filter the traffic. What is the number of displayed packets?
Wireshark > Status Bar > right-click Profile Menu > Switch to > Checksum Control
Wireshark > "gif/jpeg with http-200" button
* this "gif/jpeg with http-200" filter button is part of the Checksum Control profile
and is located on the right-hand side of the filter bar; clicking it replaces whatever filter is currently applied
* Packets: 81530 Displayed: 261 (0.3%)