Seropian Nikolas Networksniffing
Part 1
For this assignment, I will be sniffing traffic from my Kali Linux virtual machine using Wireshark. When on the desktop for Kali, all you have to do to start Wireshark is right-click on any empty spot, go to Applications, then Sniffing and Spoofing, and then Wireshark will be the final
Once you have Wireshark open, filters will start being shown on the main page. At the top, there is a tab for Capture, which can be selected to find Capture Filters. At this point, though, I was able to select the functioning filter and start a capture on it. It showed traffic flowing through in real time, with more captures coming in as I continued to use the VM. As I was only getting filters with SSDP, DHCP, ARP and MDNS protocols, I opened up a web browser, which immediately led to the creation of plenty of filters with TCP protocols, though I still opened some pages to pull in more. I right-clicked on a TCP filter and, from the Follow option, started a TCP stream. All the information this revealed, however, was encoded. After backing out, I then cleared the display filter next to the search bar and typed in my own filter of ‘tcp.port == 80’ so that the only filters that would pop up would be those with a TCP protocol sending
When looking for malware to download, I had to look for a different site, since it was impossible to use pcapr as they wouldn’t send any confirmation emails, so I went to a different
look for when checking traffic for infections, as well as some filters to put in to help find them more easily. Some of the indicators of compromise include URLs, domain names, IP addresses, protocols, and ports. http.request or ssl.handshake.type == 1 is used in the display filter to help find these indicators. Within the pcap I downloaded, there were some indicators of this, with pings to URLs like eatingwell.com. There is also a nearly endless spam of Client Hellos and other GET filters.
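As an added example that is not part of the original write-up (and not Wireshark's own code), the script below does in plain Python what the display filters above do in the GUI: it walks a pcap file, keeps only TCP packets (optionally on one port, like ‘tcp.port == 80’), recognises HTTP request lines (‘http.request’) and TLS ClientHello records (‘ssl.handshake.type == 1’), and collects the indicators named in the text: source and destination IP addresses, destination port, the Host header or TLS server name, and the requested URL. The two packets it reads, the IP addresses and the host names are all constructed inside the script, so it runs offline; point it at a real capture by passing the file's bytes to extract_indicators instead.

```python
# Added example, not from the original write-up: a pure-Python pcap walker that
# mimics the display filters named in the text ('tcp.port == 80', 'http.request',
# 'ssl.handshake.type == 1') and lists the indicators it mentions (IPs, ports,
# domain names, URLs). The sample packets are constructed at the bottom.
import socket
import struct
from collections import namedtuple

# kind: which filter matched; host: HTTP Host header or TLS server_name (SNI)
Indicator = namedtuple("Indicator", "src dst dport kind host url")

def parse_frame(frame: bytes):
    """Ethernet/IPv4/TCP -> (src, dst, sport, dport, tcp_payload), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4 only
        return None
    ip = frame[14:]
    if ip[9] != 6:                                       # IP protocol 6 = TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]                        # skip IHL*4 bytes
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]                   # skip data offset*4
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, payload

def http_request(payload: bytes):
    """'http.request': request line 'METHOD SP URI SP HTTP/x.y'; returns (uri, host)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, uri, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not (method.isalpha() and version.startswith("HTTP/")):
        return None
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return uri, hdrs.get("host", "")

def tls_client_hello_sni(payload: bytes):
    """'ssl.handshake.type == 1': record type 22 + handshake type 1; returns SNI or ""."""
    if len(payload) < 6 or payload[0] != 22 or payload[5] != 1:
        return None
    p = 9 + 2 + 32                                      # headers, version, random
    p += 1 + payload[p]                                 # session id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher suites
    p += 1 + payload[p]                                 # compression methods
    if p + 2 > len(payload):                            # no extensions block
        return ""
    p, end = p + 2, p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[p:p + 4])
        p += 4
        if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            n = struct.unpack("!H", payload[p + 3:p + 5])[0]
            return payload[p + 5:p + 5 + n].decode("ascii", "replace")
        p += elen
    return ""

def extract_indicators(pcap: bytes, port: int = 0) -> list:
    """Walk a classic pcap; port != 0 mirrors 'tcp.port == N', 0 means no port filter."""
    out, pos = [], 24                                   # 24-byte global header
    while pos + 16 <= len(pcap):                        # 16-byte record header
        incl = struct.unpack("<IIII", pcap[pos:pos + 16])[2]
        parsed = parse_frame(pcap[pos + 16:pos + 16 + incl])
        pos += 16 + incl
        if parsed is None:
            continue
        src, dst, sport, dport, data = parsed
        if port and port not in (sport, dport):
            continue
        req = http_request(data)
        if req:
            uri, host = req
            out.append(Indicator(src, dst, dport, "http.request", host, f"http://{host}{uri}"))
            continue
        sni = tls_client_hello_sni(data)
        if sni is not None:
            out.append(Indicator(src, dst, dport, "ssl.handshake.type == 1", sni, ""))
    return out

# ---- constructed sample capture: one HTTP GET and one TLS ClientHello ----
def _frame(src, dst, sport, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _client_hello(sni: bytes) -> bytes:
    ext = struct.pack("!HHHBH", 0, len(sni) + 5, len(sni) + 3, 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sample_pcap() -> bytes:
    frames = [_frame("10.0.0.5", "203.0.113.10", 51000, 80,
                     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
              _frame("10.0.0.5", "203.0.113.20", 51001, 443, _client_hello(b"login.example.net"))]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(*extract_indicators(sample_pcap()), sep="\n")
```

Running the file prints one Indicator per matching packet. Each helper corresponds to one filter, which is the useful thing to notice: ‘http.request’ only ever matches unencrypted traffic, which is why following a TCP stream on port 443 shows nothing readable, while the ClientHello check still recovers the server name from encrypted sessions, so domain names remain usable indicators even when the payload is not.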
Log of Records
Note: I was not able to open the filter: No ARP and no DNS. I’m not sure if the filter dialog I
was supposed to take a picture of is actually the filter expression which appears next to it.
4/28 – 22:20 – Started a capture which showed traffic flying by as I continued working.
4/29 – 18:20 – Found indicators of infection with URLs and repeating filters