Assignment 2 2

Uploaded by riku8e118

Wireshark: Introduction to Wireshark

1) What is the difference between resolved and unresolved ports on the Wireshark display setup?
Answer: Resolved ports display the name of the well-known service that runs on that port,
whereas unresolved ports just display the number.
Resolved ports display the service name that corresponds to the port number, because that
mapping is well known. Unresolved ports do not display a name and instead show the raw port
number.
“Name resolution in Wireshark tries to convert some of the numerical addresses picked up into a
more user-friendly format. Wireshark will ask the operating system to convert a TCP or UDP
port to its well-known name (e.g. 80 to HTTP).”
2) What is the correct syntax to use on Wireshark for showing only SMTP and ICMP traffic?
Answer: tcp.port eq 25 or icmp
Since the default port for SMTP is 25, we filter on tcp.port eq 25. Because we also need to
show the ICMP traffic, we add the protocol name with "or", which gives the union of the two sets.
3) Using wireshark_setup.pcapng, filter the packets to view only HTTP requests. What is the
source IP address shown on the last packet?
Answer: 172.21.2.217

4) Within that same packet, what is the time shown? Your answer must be in YYYY-MM-DD
HH:MM:SS format adjusted for UTC.
Answer: 2017-12-12 13:04:10

5) What is the destination IP address of the last packet?
Answer: 34.232.90.203
In this task, I learned the basic use of Wireshark, filtering, and examining packets via Wireshark.
Though not difficult, it was a great way to introduce Wireshark and capturing/analyzing the
packets.

Packet Analysis: Packet Capture Basics

1) What is the server name sought in the first DNS request that is issued by the client?
Answer: www.bing.com
2) What is the first IP address returned in the DNS response for the domain in Q1?
Answer: 204.79.197.200

3) What is the browser user agent string that issued the search request?
Answer: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Iceweasel/38.7.1

4) What web server engine is running the website?
Answer: Microsoft-IIS/8.5
5) When exporting HTTP content from the capture and looking at
'imgingest-5015644562731850884.png', what is the text that appears on that image?
Answer: The image “Password Hacking” with an image of a key is shown
6) How many different IPv4 conversations are there in this capture file?
Answer: 89

7) What was the user searching for on the download.cnet.com website? (Enter your answer as
two separate words, e.g., catching fish.)
Answer: Hacking Tools
In this task, we dived deeper into the captured packets. We learned about DNS queries, applying
different filters, and examining the details each packet held, including server names, source and
destination IP addresses, and even analyzing captured images.
Packet Analysis: Using tcpdump
1) Which option can you pass to tcpdump to write captured packets out to a file?
Answer: -w

2) Using tcpdump, list all the available interfaces. What number is `nflog` listed as?
Answer: 5

3) Which option can be passed to tcpdump to display the ASCII and hex representation of the
packet contents?
Answer: -xx

Full manual obtained with command: man tcpdump

4) Using tcpdump, read the packets from tcpdump.pcap and filter packets to include IP address
88.221.88.59 only. What is the time shown on the final packet? (HH:MM:SS)
Answer: 07:32:57
Host is 88.221.88.59, as specified in the question

5) Using tcpdump, read the packets from tcpdump.pcap and filter packets to include IP address
184.107.41.72 and port 80 only. Write these packets to a new file and MD5sum that file. What is
the MD5sum shown?
Answer: 8e4b92724d9034a49cf10f6b147ac482

In this task, we learned what tcpdump is: a command-line tool used to capture and analyze
network traffic. Throughout this task, we learned how to filter through, display, and analyze
packets based on conditions. Without access to Wireshark, we must use this command-line tool to
analyze network packets. Therefore, it is a necessary and important tool to know.

Wireshark: Displaying Filters - Diving In


1) Apply a filter that displays all SMTP traffic containing the text “Subject: ”. What is the first
name of the recipient of that email?
Answer: Sarah

2) Change the filter so it now displays all SMTP response traffic matching the text ".co.uk".
What is the frame number of this packet?
Answer: 9932
3) Remove the existing filter. Now, apply a filter that displays all packets from UDP source ports
53, 59015, and 63518. How many packets are then displayed?
Answer: 60 (bottom right corner of the screenshot)
4) Take the following slice expression (frame[-4:4] == 0.1.2.3). At which offset does the slice
begin?
Answer: -4

In the first row it says [a:b] starts at offset a. Thus, frame[-4:4] starts at offset -4.

5) Take the following slice expression (frame[:4] == 0.1.2.3). At which offset does the slice
begin?
Answer: 0
In the fourth row, it states that [:b] means you start at offset 0. Thus, frame[:4] starts at offset 0.
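A worked version of the slice rules behind questions 4 and 5 (an added example, not part of the assignment): it reports the written start offset of a Wireshark-style slice such as frame[-4:4] or frame[:4], resolves negative offsets against a real buffer, and evaluates the comparison. The field name "frame" and the 20-byte frame are constructed assumptions; the other slice forms ([i-j], [i:], [i]) follow Wireshark's display-filter reference.

```python
import re

# Left side: <field>[<slice>]; right side: a byte-string literal (hex bytes joined by . : or -).
_EXPR = re.compile(r"^\s*(?P<field>\w+)\[(?P<body>[^\]]*)\]\s*==\s*(?P<value>[0-9A-Fa-f.:-]+)\s*$")

def slice_offset(body):
    """Offset at which the slice begins, as written: '-4:4' -> -4, ':4' -> 0, '2-5' -> 2."""
    if ":" in body:
        start = body.split(":", 1)[0]
        return int(start) if start else 0
    if "-" in body[1:]:                       # an 'i-j' range; index 0 may be a minus sign
        return int(body[:body.index("-", 1)])
    return int(body)

def slice_bounds(body, total_len):
    """Resolve a slice body to Python [start:end] positions inside a total_len-byte buffer.
    [i:j] = j bytes from offset i   [i-j] = offsets i..j inclusive   [:j] = first j bytes
    [i:]  = offset i to the end     [i]   = the single byte at i
    Negative offsets count back from the end, so frame[-4:4] is the last four bytes.
    """
    def absolute(i):
        return i + total_len if i < 0 else i

    if ":" in body:
        a, b = body.split(":", 1)
        start = absolute(int(a)) if a else 0
        end = total_len if b == "" else start + int(b)
    elif "-" in body[1:]:
        cut = body.index("-", 1)
        start, end = absolute(int(body[:cut])), absolute(int(body[cut + 1:])) + 1
    else:
        start = absolute(int(body))
        end = start + 1
    if not 0 <= start <= end <= total_len:
        raise ValueError(f"slice [{body}] is out of range for a {total_len}-byte buffer")
    return start, end

def matches(expr, frame):
    """Evaluate '<field>[slice] == <bytes>' against the raw bytes of one frame."""
    m = _EXPR.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    start, end = slice_bounds(m.group("body"), len(frame))
    wanted = bytes(int(part, 16) for part in re.split(r"[.:-]", m.group("value")))
    return frame[start:end] == wanted

# Constructed 20-byte frame (assumption): starts with de ad be ef and ends with 00 01 02 03.
FRAME = bytes([0xDE, 0xAD, 0xBE, 0xEF]) + bytes(range(12)) + bytes([0, 1, 2, 3])
```

With this frame, frame[-4:4] == 0.1.2.3 is true while frame[:4] == 0.1.2.3 is false, which shows why the two questions ask about different starting offsets.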

In this task, we went back to using Wireshark. This meant that we were using the GUI, and so
tcpdump was not needed. What was prominent about this task was using logical operators to
check against conditions. This allows us to better filter through packets, troubleshoot, and have a
quick and easy way to identify any problems (if any arise).

Packet Analysis: BPF Syntax


1) What does BPF stand for?
Answer: Berkeley Packet Filter

2) wlan.addr == c5:52:7e:95:6:8d && wlan.fc.type_subtype == 0x02. How many primitives are
in this expression?
Answer: 2
The first <<qualifier>> represents the field you wish to validate. The second <<qualifier>>
represents the logical operator, and the <<id>> represents the value you want to check against.
All three components together make up a single primitive. The given expression contains two
field qualifiers, two operator qualifiers, and two ids, so there are two primitives.

3) Apply a filter to display all packets on port 80 with the source IP of 10.0.50.227. What is the
length of the second GET request?
Answer: 385. The highlighted part in the second screenshot shows the length. The first screenshot
shows the syntax to filter.

4) Apply a filter to display all UDP packets on port 57190. What is the timestamp of the final
packet?
Answer: 11:54:43. The first screenshot shows the timestamp. The second screenshot shows the
command used to display packets matching the filter.
5) Apply a filter which reads all traffic apart from DNS and TCP, and output this to a file. What is
the md5sum of this file?
Answer: b942d25b012745422c1719ac26419da6

In this task, we used BPF, which filters out unwanted packet copies before they enter user space
on BSD Unix systems. Originally it was used as a capture tool, but it can also be used from a Linux
terminal through command-line tools such as tcpdump. By understanding how to compose proper
and/or complex commands, applying and combining the filters/flags correctly, one can easily break
down and analyze network traffic.
