
Network Sniffing

Part 1

For this assignment, I will be sniffing traffic from my Kali Linux virtual machine using Wireshark. When on the desktop for Kali, all you have to do to start Wireshark is right click on any empty spot, go to Applications, Sniffing and Spoofing, and then Wireshark will be the final option. Use your password to gain permission and it is ready to go.

Once you have Wireshark open, filters will start being shown on the main page. At the top, there is a tab for Capture, which can be selected to find Capture Filters. At this point, though, I was able to select the functioning filter and start a capture on it. It showed traffic flowing through in real time, with more captures coming in as I continued to use the VM. As I was only getting filters with SSDP, DHCP, ARP and MDNS protocols, I opened up a web browser, which immediately led to the creation of plenty of filters with TCP protocols, though I still opened some pages to pull in more. I right clicked on a TCP filter and, from the Follow option, started a TCP stream. All the information this revealed, however, was encoded. After backing out, I then cleared the display filter next to the search bar and typed in my own filter of ‘tcp.port == 80’ so that the only filters that would pop up would be those with a TCP protocol sending traffic through port 80.


Part 2

When looking for malware to download, I had to look for a different site since it was impossible to use pcapr as they wouldn’t send any confirmation emails, so I went to a different site at https://www.malware-traffic-analysis.net/. The website gave information on the things to look for when checking traffic for infections as well as some filters to put in to help find them more easily. Some of the indicators of compromise include URLs, domain names, IP addresses, protocols, and ports. http.request or ssl.handshake.type == 1 is used in the display filter to help find these indicators. Within the pcap I downloaded, there were some indicators of this with pings to URLs like eatingwell.com. There is also nearly endless spam of client hellos and other GET filters.
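The two display filters used in Part 1 and Part 2 (tcp.port == 80, and http.request or ssl.handshake.type == 1) can be reproduced outside Wireshark, which is useful for batch-checking many pcaps for the same indicators. The script below is an added example, not part of the original write-up or of Wireshark itself: it builds a small pcap inline from constructed frames (the 10.0.0.5 / 203.0.113.10 addresses, the client ports, and the TLS server name constructed.example are made-up sample values; www.eatingwell.com is the domain mentioned above), then applies both filters with only the Python standard library, pulling out the Host header of each HTTP request and the SNI of each ClientHello as the URL/domain indicators the text describes.

```python
"""Offline equivalents of 'tcp.port == 80' and 'http.request or ssl.handshake.type == 1'.
Added example with constructed sample traffic; not from the original write-up."""
import socket
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_frame(sport, dport, payload, src="10.0.0.5", dst="203.0.113.10", proto=6):
    """Ethernet + IPv4 (no options) + TCP (proto 6) or UDP (proto 17) frame carrying payload."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0x4000,
                     64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1714348800 + i, 0, len(f), len(f)) + f
    return out


def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello record carrying one server_name extension."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name                 # name_type 0 = host_name
    ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                              # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs                # record type 0x16 = handshake


def read_pcap(data):
    """Return the raw frames of a little-endian pcap file."""
    off, frames = 24, []
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return frames


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP; return None for anything else (ARP, UDP, IPv6, ...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": frame[tcp + data_off:14 + total_len]}


def http_request(payload):
    """Equivalent of http.request: the request line plus the Host header (a URL/domain IoC)."""
    if not payload.startswith(HTTP_METHODS):
        return None
    line, _, rest = payload.partition(b"\r\n")
    host = next((h.split(b":", 1)[1].strip().decode() for h in rest.split(b"\r\n")
                 if h.lower().startswith(b"host:")), None)
    return {"request": line.decode(), "host": host}


def tls_client_hello(payload):
    """Equivalent of ssl.handshake.type == 1: a handshake record whose message type is 1."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    return {"sni": extract_sni(payload)}


def extract_sni(p):
    """Walk the ClientHello to the server_name extension (type 0) and return the host name."""
    off = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    off += 1 + p[off]                                      # session id
    off += 2 + struct.unpack_from("!H", p, off)[0]         # cipher suites
    off += 1 + p[off]                                      # compression methods
    end = off + 2 + struct.unpack_from("!H", p, off)[0]    # end of the extensions block
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack_from("!HH", p, off)
        off += 4
        if etype == 0:                                     # list len(2), name type(1), name len(2), name
            nlen = struct.unpack_from("!H", p, off + 3)[0]
            return p[off + 5:off + 5 + nlen].decode()
        off += elen
    return None


def scan(pcap_bytes):
    """Apply both filters; return (packets matching tcp.port == 80, list of indicator tuples)."""
    port80, iocs = [], []
    for pkt in filter(None, map(parse_frame, read_pcap(pcap_bytes))):
        if 80 in (pkt["sport"], pkt["dport"]):
            port80.append(pkt)
        req = http_request(pkt["payload"])
        if req:
            iocs.append(("http.request", pkt["dst"], req["host"], req["request"]))
        hello = tls_client_hello(pkt["payload"])
        if hello:
            iocs.append(("ssl.handshake.type == 1", pkt["dst"], hello["sni"], None))
    return port80, iocs


# Constructed sample capture: an HTTP request, its reply, one TLS ClientHello, one UDP datagram.
SAMPLE_PCAP = build_pcap([
    build_frame(51000, 80, b"GET /recipes HTTP/1.1\r\nHost: www.eatingwell.com\r\n\r\n"),
    build_frame(80, 51000, b"HTTP/1.1 200 OK\r\n\r\n", src="203.0.113.10", dst="10.0.0.5"),
    build_frame(51001, 443, build_client_hello("constructed.example")),
    build_frame(53000, 53, b"\x00" * 12, proto=17),
])

if __name__ == "__main__":
    matched, found = scan(SAMPLE_PCAP)
    print(f"tcp.port == 80 matched {len(matched)} packets")
    for kind, dst, name, req in found:
        print(f"{kind:26} {dst:15} {name} {req or ''}")
```

Note the difference the run makes visible: tcp.port == 80 matches both directions of the HTTP conversation (request and reply), while http.request matches only the client's GET, and the ClientHello on port 443 is caught only by the handshake-type filter. The HTTP Host and the TLS SNI are the plaintext domain names that remain visible even when the rest of the stream is encrypted, which is why they are the first indicators to compare against a list of known-bad domains.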
Log of Records

4/28 – 22:00 – Started Wireshark

4/28 – 22:15 – Opened Capture Filter dialog box and canceled out after going through it a bit.
Note: I was not able to open the filter: No ARP and no DNS. I’m not sure if the filter dialog I was supposed to take a picture of is actually the filter expression which appears next to it.

4/28 – 22:20 – Started a capture which showed traffic flying by as I continued working.

4/28 – 22:40 – Started a Follow TCP Stream. Revealed encoded data.

4/28 – 23:00 – Cleared display filter and added filter for tcp.port == 80

4/29 – 18:00 – Downloaded pcap file

4/29 – 18:10 – Opened file in Wireshark

4/29 – 18:20 – Found indicators of infection with URLs and repeating filters
