Lab : Network Based Evidence Analysis

This lab is intended to get you comfortable looking at network data in Wireshark and writing up what you find. The second part requires that you collect some of your own traffic and discuss the activity that you see.

In order to complete this lab, you will have to download Wireshark from wireshark.org. If you like, you are free to use any other packet capture tool, but the lecture provides guidance on how to use this tool to complete most parts of the lab.

In the first part of the lab you will have to download the twopcap files from Blackboard and address each of the questions below for the specific datasets. In part two, you are required to collect information from your own machine.

Please provide screenshots for your answers in part 2.

Part I: Analyzing PCAP files

1) hb.pcap

This packet capture is from the investigation of a machine (IP: 192.168.0.184) that is having slowness at startup and it is unknown what may be causing this slowness

• How many packets are there in the capture?

• What protocol is the most popular?

• When did the capture occur?

• Can we identify what the domain name that the computer is trying to connect to? What is the IP address for this domain?

2) fc.pcap

This packet capture is from the investigation of a server that has significant amounts of traffic directed at it at odd hours

• How many packets are there in the capture?

• What protocol is the most popular?

• When did the capture occur?

• What does this pcap represent?

• What username is attempting to login?

• Please identify at least fiveof the passwords that were attempted?

• Do you think that this activity should be alarming to a network administrator?

• What would be the next step if you were called in as part of an incident response team?

Part II: Collecting and analyzing your own traffic

Collect traffic using Wireshark for your computer for at least 60 minutes. This can be done by clicking on "Capture" and then "Start".

If you have multiple network interfaces, choose "interfaces" and choose the appropriate one. (If you have issues with this, please email me).

• Using summary and protocol hierarchy describe the traffic you collected

• How many packets did you collect?

• What are the top three protocols based on frequency?

• How long did the capture last?

• Using the "endpoints" feature discuss your traffic patterns

• Do you have any IPv6 traffic or is it all IPv4?

• If you have IPv6 traffic, what is the device that is using IPv6

• What is the distribution between TCP versus UDP packets?

• What is the most common endpoint IP?

• Does that IP resolve to a domain?

• Were you purposely doing something (surfing the web, checking email) or was this IP communicating in the background?

Attachment:- Data file.rar