Professional Documents
Culture Documents
Is LM3
Is LM3
CONTENTS
Introduction 4
GUI and Data 4
Loading PCAP Files 6
Traffic Sniffing 8
Packet Dissection 9
Packet Details 9
Packet Navigation 13
Packet Numbers 13
Go to Packet 14
Find Packets 15
Mark Packets 16
Packet Comments 17
Export Packets 18
Export Objects (Files) 19
Expert Info 20
Packet Filtering 21
Apply as Filter 22
Conversation filter 22
Colorize Conversation 23
Prepare as Filter 24
Apply as Column 25
Practice task 26
UDP Sniffed Data Analysis 26
The Basic HTTP GET/response interaction 28
The HTTP CONDITIONAL GET/response interaction 29
HTTP Authentication 30
INTRODUCTION
Wireshark is an open-source, cross-platform network packet analyzer tool capable of sniffing and investigating
live traffic and inspecting packet captures (PCAP). It is commonly used as one of the best packet analysis tools.
In this room, we will look at the basics of Wireshark and use it to perform fundamental packet analysis.
Wireshark is one of the most potent traffic analyser tools available in the wild. There are multiple purposes for
its use:
Detecting and troubleshooting network problems, such as network load failure points and congestion.
Detecting security anomalies, such as rogue hosts, abnormal port usage, and suspicious traffic.
Investigating and learning protocol details, such as response codes and payload data.
Note: Wireshark is not an Intrusion Detection System (IDS). It only allows analysts to discover and investigate
the packets in depth. It also doesn't modify packets; it reads them. Hence, detecting any anomaly or network
problem highly relies on the analyst's knowledge and investigation skills.
Wireshark GUI opens with a single all-in-one page, which helps users investigate the traffic in multiple ways. At
first glance, five sections stand out.
The below picture shows Wireshark's main window. The sections explained in the table are highlighted. Now
open the Wireshark and go through the walkthrough.
The above picture shows Wireshark's empty interface. The only available information is the recently processed
“http1.cap" file. Let's load that file and see Wireshark's detailed packet presentation. Note that you can also
use the "File" menu, dragging and dropping the file, or double-clicking on the file to load a pcap.
Now, we can see the processed filename, detailed number of packets and packet details. Packet details are
shown in three different panes, which allow us to discover them in different formats.
TRAFFIC SNIFFING
You can use the blue "shark button" to start network sniffing (capturing traffic), the red button will stop the
sniffing, and the green button will restart the sniffing process. The status bar will also provide the used sniffing
interface and the number of collected packets.
PACKET DISSECTION
Packet dissection is also known as protocol dissection, which investigates packet details by decoding available
protocols and fields. Wireshark supports a long list of protocols for dissection, and you can also write your
dissection scripts.
Note: This section covers how Wireshark uses OSI layers to break down packets and how to use these layers
for analysis. It is expected that you already have background knowledge of the OSI model and how it works.
PACKET DETAILS
You can click on a packet in the packet list pane to open its details (double-click will open details in a new
window). Packets consist of 5 to 7 layers based on the OSI model. We will go over all of them in an HTTP
packet from a sample capture. The picture below shows viewing packet number 27.
Each time you click a detail, it will highlight the corresponding part in the packet bytes pane.
We can see seven distinct layers to the packet: frame/packet, source [MAC], source [IP], protocol, protocol
errors, application protocol, and application data. Below we will go over the layers in more detail.
The Frame (Layer 1): This will show you what frame/packet you are looking at and details specific to the
Physical layer of the OSI model.
Source [MAC] (Layer 2): This will show you the source and destination MAC Addresses; from the Data Link
layer of the OSI model.
Source [IP] (Layer 3): This will show you the source and destination IPv4 Addresses; from the Network layer of
the OSI model.
Protocol (Layer 4): This will show you details of the protocol used (UDP/TCP) and source and destination
ports; from the Transport layer of the OSI model.
Protocol Errors: This continuation of the 4th layer shows specific segments from TCP that needed to be
reassembled.
Application Protocol (Layer 5): This will show details specific to the protocol used, such as HTTP, FTP, and
SMB. From the Application layer of the OSI model.
Application Data: This extension of the 5th layer can show the application-specific data.
PACKET NAVIGATION
PACKET NUMBERS
Wireshark calculates the number of investigated packets and assigns a unique number for each packet. This
helps the analysis process for big captures and makes it easy to go back to a specific point of an event.
GO TO PACKET
Packet numbers do not only help to count the total number of packets or make it easier to find/investigate
specific packets. This feature not only navigates between packets up and down; it also provides in-frame
packet tracking and finds the next packet in the particular part of the conversation. You can use the "Go"
menu and toolbar to view specific packets.
FIND PACKETS
Apart from packet number, Wireshark can find packets by packet content. You can use the "Edit --> Find
Packet" menu to make a search inside the packets for a particular event of interest. This helps analysts and
administrators to find specific intrusion patterns or failure traces.
There are two crucial points in finding packets. The first is knowing the input type. This functionality accepts
four types of inputs (Display filter, Hex, String and Regex). String and regex searches are the most commonly
used search types. Searches are case insensitive, but you can set the case sensitivity in your search by clicking
the radio button.
The second point is choosing the search field. You can conduct searches in the three panes (packet list, packet
details, and packet bytes), and it is important to know the available information in each pane to find the event
of interest. For example, if you try to find the information available in the packet details pane and conduct the
search in the packet list pane, Wireshark won't find it even if it exists.
MARK PACKETS
Marking packets is another helpful functionality for analysts. You can find/point to a specific packet for further
investigation by marking it. It helps analysts point to an event of interest or export particular packets from the
capture. You can use the "Edit" or the "right-click" menu to mark/unmark packets.
Marked packets will be shown in black regardless of the original colour representing the connection type.
Note that marked packet information is renewed every file session, so marked packets will be lost after closing
the capture file.
PACKET COMMENTS
Similar to packet marking, commenting is another helpful feature for analysts. You can add comments for
particular packets that will help the further investigation or remind and point out important/suspicious points
for other layer analysts. Unlike packet marking, the comments can stay within the capture file until the
operator removes them.
EXPORT PACKETS
Capture files can contain thousands of packets in a single file. As mentioned earlier, Wireshark is not an IDS, so
sometimes, it is necessary to separate specific packages from the file and dig deeper to resolve an incident.
This functionality helps analysts share the only suspicious packages (decided scope). Thus, redundant
information is not included in the analysis process. You can use the "File" menu to export packets.
Wireshark can extract files transferred through the wire. For a security analyst, it is vital to discover shared
files and save them for further investigation. Exporting objects are available only for selected protocol's
streams (DICOM, HTTP, IMF, SMB and TFTP).
EXPERT INFO
Wireshark also detects specific states of protocols to help analysts easily spot possible anomalies and
problems. Note that these are only suggestions, and there is always a chance of having false
positives/negatives. Expert info can provide a group of categories in three different severities. Details are
shown in the table below.
Frequently encountered information groups are listed in the table below. You can refer to Wireshark's official
documentation for more information on the expert information entries.
You can use the "lower left bottom section" in the status bar or "Analyse --> Expert Information" menu to view
all available information entries via a dialogue box. It will show the packet number, summary, group protocol
and total occurrence.
PACKET FILTERING
Wireshark has a powerful filter engine that helps analysts to narrow down the traffic and focus on the event of
interest. Wireshark has two types of filtering approaches: capture and display filters. Capture filters are used
for "capturing" only the packets valid for the used filter. Display filters are used for "viewing" the packets valid
for the used filter. We will discuss these filters' differences and advanced usage in the next room. Now let's
focus on basic usage of the display filters, which will help analysts in the first place.
Filters are specific queries designed for protocols available in Wireshark's official protocol reference. While the
filters are only the option to investigate the event of interest, there are two different ways to filter traffic and
remove the noise from the capture file. The first one uses queries, and the second uses the right-click menu.
Wireshark provides a powerful GUI, and there is a golden rule for analysts who don't want to write queries for
basic tasks: "If you can click on it, you can filter and copy it".
APPLY AS FILTER
This is the most basic way of filtering traffic. While investigating a capture file, you can click on the field you
want to filter and use the "right-click menu" or "Analyse --> Apply as Filter" menu to filter the specific value.
Once you apply the filter, Wireshark will generate the required filter query, apply it, show the packets
according to your choice, and hide the unselected packets from the packet list pane. Note that the number of
total and displayed packets are always shown on the status bar.
CONVERSATION FILTER
When you use the "Apply as a Filter" option, you will filter only a single entity of the packet. This option is a
good way of investigating a particular value in packets. However, suppose you want to investigate a specific
packet number and all linked packets by focusing on IP addresses and port numbers. In that case, the
Department of Computing STMU, Islamabad 22 | P a g e
Lab 3: Wireshark, Wireshark Filtering, Packet Analysis using Wireshark
"Conversation Filter" option helps you view only the related packets and hide the rest of the packets easily.
You can use the"right-click menu" or "Analyse --> Conversation Filter" menu to filter conversations.
COLORIZE CONVERSATION
This option is similar to the "Conversation Filter" with one difference. It highlights the linked packets without
applying a display filter and decreasing the number of viewed packets. This option works with the "Coloring
Rules" option ad changes the packet colors without considering the previously applied colour rule. You can use
the "right-click menu" or "View --> Colorize Conversation" menu to colorize a linked packet in a single click.
Note that you can use the "View --> Colorize Conversation --> Reset Colorization" menu to undo this
operation.
PREPARE AS FILTER
Similar to "Apply as Filter", this option helps analysts create display filters using the "right-click"
menu. However, unlike the previous one, this model doesn't apply the filters after the choice. It
adds the required query to the pane and waits for the execution command (enter) or another
chosen filtering option by using the ".. and/or.." from the "right-click menu".
APPLY AS COLUMN
By default, the packet list pane provides basic information about each packet. You can use the "right-click
menu" or "Analyse --> Apply as Column" menu to add columns to the packet list pane. Once you click on a
value and apply it as a column, it will be visible on the packet list pane. This function helps analysts examine
the appearance of a specific value/field across the available packets in the capture file. You can enable/disable
the columns shown in the packet list pane by clicking on the top of the packet list pane.
PRACTICE TASK
There are four UDP fields. Names of these fields are following.
1. Source Port
2. Destination Port
3. Length
4. Checksum
2. By consulting the displayed information in Wireshark’s packet content field for this packet, determine
the length (in bytes) of each of the UDP header fields.
3. The value in the Length field is the length of what? Verify your claim with your captured UDP packet.
It is the length of UDP header and Payload or application layer data in UDP segment.
4. What is the maximum number of bytes that can be included in a UDP payload? (Hint: the answer to this
question can be determined by your answer to 2. above)
A UDP segment size is depending on the size of length filed in UDP segment. Maximum number that can
store in length filed is 65535 and a UDP segment can have 65535 bytes of data with header. After
excluding header, it would be 65527
5. What is the largest possible source port number? (Hint: see the hint in 4.)
6. What is the protocol number for UDP? Give your answer in both hexadecimal and decimal notation. To
answer this question, you’ll need to look into the Protocol field of the IP datagram containing this UDP
segment (see Figure 4.13 in the text, and the discussion of IP header fields).
7. Examine a pair of UDP packets in which your host sends the first UDP packet and the second UDP packet
is a reply to this first UDP packet. (Hint: for a second packet to be sent in response to a first packet, the
sender of the first packet should be the destination of the second packet). Describe the relationship
between the port numbers in the two packets.
Source Port is now destination port and Destination Port is now Source Port
Let’s begin our exploration of HTTP by downloading a very simple HTML file - one that is very short, and
contains no embedded objects. Do the following:
2. Start up the Wireshark packet sniffer, as described in the Introductory lab (but don’t yet begin packet
capture). Enter “http” (just the letters, not the quotation marks) in the display-filter-specification window, so
that only captured HTTP messages will be displayed later in the packet-listing window. (We’re only
interested in the HTTP protocol here, and don’t want to see the clutter of all captured packets).
3. Wait a bit more than one minute (we’ll see why shortly), and then begin Wireshark packet capture.
http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file1.html
Your browser should display the very simple, one-line HTML file.
By looking at the information in the HTTP GET and response messages, answer the following questions.
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
2. What languages (if any) does your browser indicate that it can accept to the server?
4. What is the status code returned from the server to your browser?
5. When was the HTML file that you are retrieving last modified at the server?
7. By inspecting the raw data in the packet content window, do you see any headers within the data that
are not displayed in the packet-listing window? If so, name one.
By looking at the information in the HTTP GET and response messages, answer the following questions. When
answering the following questions, you should print out the GET and response messages and indicate where in
the message you’ve found the information that answers the following questions.
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
2. What languages (if any) does your browser indicate that it can accept to the server?
3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?
4. What is the status code returned from the server to your browser?
5. When was the HTML file that you are retrieving last modified at the server?
6. How many bytes of content are being returned to your browser?
7. By inspecting the raw data in the packet content window, do you see any headers within the data that
are not displayed in the packet-listing window? If so, name one.
HTTP AUTHENTICATION
let’s try visiting a web site that is password-protected and examine the sequence of HTTP message exchanged
for such a site. The URL http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wireshark-file5.html
is password protected. The username is “wireshark-students” (without the quotes), and the password is
“network” (again, without the quotes). So let’s access this “secure” password-protected site. Do the following:
• Make sure your browser’s cache is cleared, as discussed above, and close down your browser. Then, start up
your browser
http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wiresharkfile5.html
Type the requested user name and password into the pop up box.
• Stop Wireshark packet capture, and enter “http” in the display-filter-specification window, so that only
captured HTTP messages will be displayed later in the packet-listing window.
1. What is the server’s response (status code and phrase) in response to the initial HTTP GET message
from your browser?
2. When your browser’s sends the HTTP GET message for the second time, what new field is included in
the HTTP GET message?
The username (wireshark-students) and password (network) that you entered are encoded in the string of
characters (d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=) following the “Authorization: Basic” header in the
client’s HTTP GET message. While it may appear that your username and password are encrypted, they are
simply encoded in a format known as Base64 format. The username and password are not encrypted! To see
this, go to http://www.motobit.com/util/base64-decoder-encoder.asp and enter the base64-encoded string
d2lyZXNoYXJrLXN0dWRlbnRz and decode. Voila! You have translated from Base64 encoding to ASCII encoding,
and thus should see your username! To view the password, enter the remainder of the string Om5ldHdvcms=
and press decode. Since anyone can download a tool like Wireshark and sniff packets (not just their own)
passing by their network adaptor, and anyone can translate from Base64 to ASCII (you just did it!), it should be
clear to you that simple passwords on WWW sites are not secure unless additional measures are taken.
Do the following:
First, filter the packets displayed in the Wireshark window by entering “tcp”
What you should see is series of TCP and HTTP messages between your computer and gaia.cs.umass.edu. You
should see the initial three-way handshake containing a SYN message. You should see an HTTP POST message.
Wireshark you are using, you might see a series of “HTTP Continuation” messages being sent from your
computer to gaia.cs.umass.edu– this is Wireshark’s way of indicating that there are multiple TCP segments
being used to carry a single HTTP message. You should also see TCP ACK segments being returned from
gaia.cs.umass.edu to your computer. Answer the following questions:
1. What is the IP address and TCP port number used by the client computer (source) that is transferring the
file to gaia.cs.umass.edu? To answer this question, it’s probably easiest to select an HTTP message and
explore the details of the TCP packet used to carry this HTTP message, using the “details of the selected
packet header window” (refer to Figure 2 in the “Getting Started with Wireshark” Lab if you’re uncertain
about the Wireshark windows.
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and receiving TCP
segments for this connection?
3. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection
between the client computer and gaia.cs.umass.edu? What is it in the segment that identifies the segment
as a SYN segment?
4. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer
in reply to the SYN? What is the value of the Acknowledgement field in the SYNACK segment? How did
gaia.cs.umass.edu determine that value? What is it in the segment that identifies the segment as a SYNACK
segment?
5. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in
order to find the POST command, you’ll need to dig into the packet content field at the bottom of the
Wireshark window, looking for a segment with a “POST” within its DATA field.
Objective:
The objective of this lab task is to utilize Wireshark to determine the source IP address of incoming traffic.
Procedure:
Questions:
1. Using Wireshark, what IP address(es) did you identify as the source(s) of incoming traffic?
2. Did you notice any patterns or specific types of traffic originating from certain IP addresses?
Here if you are seeing SSDP protocol it means Simple Service Discovery Protocol allows devices to discover
other published network devices and services and send and receive information between them. The Multicast
Domain Name System (mDNS) protocol, is a a zero-configuration and multi-platform service designed to
resolve host names to IP addresses within small networks that do not have a local DNS server.
3. How might identifying the source of incoming traffic be beneficial in network security or
troubleshooting scenarios?
Identifying the source of incoming traffic can be beneficial in network security by allowing administrators to
detect and block potentially malicious or unauthorized activity. It can also aid in troubleshooting network
issues by pinpointing the origin of problematic traffic and identifying potential sources of congestion or
performance issues.
The objective of this lab task is to use Wireshark to identify the specific port(s) through which traffic is arriving.
Procedure:
Questions:
4. Using Wireshark, which port(s) did you identify as the source(s) of incoming traffic?
ip.src == 192.168.1.100
5. Were there any specific protocols associated with the identified ports? If so, which ones?
In Wireshark, you can determine the protocols associated with identified ports by inspecting the packets and
examining the protocol field within the packet details. Additionally, you can use display filters to focus on
specific protocols associated with the identified ports.
This filter will display only TCP traffic with destination or source port 80, typically associated with HTTP.
To filter traffic based on a specific protocol, you can use a display filter like this:
To filter traffic based on both port and protocol, you can combine the filters like this:
6. How might understanding the port(s) through which traffic is arriving be useful in network
administration or security?
Network Troubleshooting: Identifying the ports involved in traffic can help troubleshoot network issues. For
example, if a specific application or service is experiencing connectivity problems, checking the ports
associated with it can narrow down the root cause.
Security Monitoring: Monitoring traffic on specific ports can help detect potential security threats or
unauthorized activities. For instance, unusual traffic on commonly exploited ports (e.g., port 22 for SSH or port
445 for SMB) could indicate a potential cyber attack or malware infection.
Access Control: Understanding which ports are being used can aid in implementing access control policies. By
monitoring and controlling access to certain ports, network administrators can enforce security measures to
prevent unauthorized access or data breaches.
Service Identification: Recognizing the ports associated with different network services or applications can
facilitate service identification and classification. This knowledge is crucial for maintaining an inventory of
services running on the network and ensuring their proper configuration and security.
Example:
Suppose a network administrator notices unusually high traffic on port 3389 (Remote Desktop Protocol - RDP),
which is typically used for remote desktop connections. Upon investigation, they discover that an
unauthorized user is attempting to establish RDP connections to several internal systems from an external IP
address. This indicates a potential brute-force attack or unauthorized access attempt.
The objective of this lab task is to utilize Wireshark to determine which protocol's traffic is being transmitted
at the application layer.
Procedure:
Questions:
7. Based on your analysis in Wireshark, which protocols were identified as transmitting traffic at the
application layer?
Explanation: This command filters out traffic on TCP port 80 (HTTP) and UDP port 53 (DNS), leaving you with
other application layer protocols. You can modify the port numbers as needed to exclude additional common
protocols.
8. Did you notice any specific patterns or behaviours associated with certain protocols?
Explanation: These commands filter traffic specifically for HTTP (Hypertext Transfer Protocol) and DNS
(Domain Name System) protocols. You can replace http and dns with other protocols as per your observations.
The objective of this lab task is to utilize Wireshark to determine the communication protocol between
specific IP addresses.
Procedure:
Questions:
9. Based on your analysis in Wireshark, what protocol(s) were identified in the communication
between the specified source and destination IP addresses?
10. Did you observe any abnormalities or unexpected behaviour in the communication between these IP
addresses?
To observe abnormalities or unexpected behavior, you might need to examine various aspects of the packets.
Here are some filter commands for common abnormalities:
For TCP packets with the SYN flag set (indicating the start of a TCP connection):
tcp.flags.syn == 1
For ICMP packets (commonly used for network diagnostics and error reporting):
Icmp
The objective of this lab task is to utilize Wireshark to detect whether a Denial of Service (DoS) or Distributed
Denial of Service (DDoS) attack has occurred.
Procedure:
Questions:
11. Based on your analysis in Wireshark, did you detect any signs of a DoS or DDoS attack? If yes,
describe the indicators you observed.
12. What types of traffic patterns or behaviors did you identify as potential signs of a DoS or DDoS
attack?
The following command can SYN flood attacks, In a SYN flood attack, the attacker floods the target system
with a large number of TCP SYN packets (with the SYN flag set) but does not complete the TCP handshake by
sending the expected ACK packets. This overwhelms the target system with half-open connections, consuming
its resources and making it unable to respond to legitimate connection requests.
By analyzing traffic using the tcp.flags.syn == 1 and tcp.flag.ack == 1 filter, you can observe TCP connections in
the process of being established. If you notice a disproportionately high number of SYN packets compared to
SYN-ACK packets, it could indicate a SYN flood attack.
hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.1.159 (We’re sending 15000 packets (-c
15000) at a size of 120 bytes (-d 120) each. We’re specifying that the SYN Flag (-S) should be enabled, with a
TCP window size of 64 (-w 64). To direct the attack to our victum’s HTTP web server we specify port 80 (-p 80)
and use the --flood flag to send packets as fast as possible.)
As you can see, there’s a high volume of SYN packets with very little variance in time. Each SYN packet shows
it’s from a different source IP address with a destination port 80 (HTTP), identical length of 120 and window
size (64). When we filter with tcp.flags.syn == 1 and tcp.flags.ack == 1 we can see that the number of
SYN/ACKs is comparatively very small. A sure sign of a TCP SYN attack.
We can also view Wireshark’s graphs for a visual representation of the uptick in traffic. The I/O graph can be
found via the Statistics>I/O Graph menu. It shows a massive spike in overall packets from near 0 to up to 2400
packets a second.
By removing our filter and opening the protocol hierarchy statistics, we can also see that there has been an
unusually high volume of TCP packets:
The objective of this lab task is to utilize Wireshark to detect whether a Password Brute-Force Attack has
occurred during login attempts using OWASP's application.
Procedure:
Apply display filters in Wireshark to focus on HTTP traffic related to login attempts.
Analyze the captured packets to identify patterns indicative of password brute-force attacks, such as
repeated failed login attempts.
Record your observations and findings in the lab report.
Questions:
13. Based on your analysis in Wireshark, did you detect any signs of a Password Brute-Force Attack
during the login attempts on OWASP? If yes, describe the indicators you observed.
Answer: Yes, signs of a Password Brute-Force Attack were detected during the login attempts on OWASP.
Wireshark captured multiple HTTP requests with failed login attempts, each followed by another attempt with
a different password. This pattern of repeated failed login attempts suggests an automated or manual attempt
to guess the correct password through brute-force.
14. What types of traffic patterns or behaviors did you identify as potential signs of a Password Brute-
Force Attack?
Sequential or repeated login attempts with different passwords within a short time frame.
Increased frequency of failed login attempts compared to successful ones.
Unusual or abnormal login patterns, such as numerous login attempts from the same IP address.
15. How can network administrators mitigate or respond to Password Brute-Force Attacks based on the
information obtained from packet analysis in Wireshark?
Answer: Network administrators can mitigate or respond to Password Brute-Force Attacks by:
Implementing account lockout mechanisms that temporarily disable accounts after a certain number
of failed login attempts.
Enforcing strong password policies to deter attackers from successfully guessing passwords.
Monitoring network traffic and system logs for signs of suspicious login activity, such as a high volume
of failed login attempts.
Using intrusion detection/prevention systems (IDS/IPS) to detect and block malicious login attempts in
real-time.
Educating users about the risks of weak passwords and the importance of using unique, complex
passwords for different accounts.
Identify HTTP POST Requests: Brute-force attacks often involve repeated login attempts, which are usually
carried out via HTTP POST requests.
Focus on Login Endpoint: Since the attack is targeting the login page, filter the traffic to focus specifically on
requests to the login endpoint.