Is LM3

Shifa Tameer-e-Millat University
LAB MANUAL FOR

INFORMATION SECURITY
Lab-3
Wireshark, Wireshark Filtering, Packet Analysis using Wireshark

Lab 3: Wireshark, Wireshark Filtering, Packet Analysis using Wireshark
CONTENTS
Introduction 4
GUI and Data 4
Loading PCAP Files 6
Traffic Sniffing 8
Packet Dissection 9
Packet Details 9
Packet Navigation 13
Packet Numbers 13
Go to Packet 14
Find Packets 15
Mark Packets 16
Packet Comments 17
Export Packets 18
Export Objects (Files) 19
Expert Info 20
Packet Filtering 21
Apply as Filter 22
Conversation filter 22
Colorize Conversation 23
Prepare as Filter 24
Apply as Column 25
Practice task 26
UDP Sniffed Data Analysis 26
The Basic HTTP GET/response interaction 28
The HTTP CONDITIONAL GET/response interaction 29
HTTP Authentication 30
Department of Computing STMU, Islamabad 2|Page

Capturing a bulk TCP transfer from your computer to a remote server 31

Lab Task 1: Identifying Traffic Sources 33
Lab Task 2: Port Analysis 35
Lab Task 3: Protocol Identification at the Application Layer 37
Lab Task 4: Protocol Communication Between Specific IPs 38
Lab Task 5: Detecting DoS or DDoS Attacks 40
Lab Task 6: Detecting Password Brute-Force Attacks using Wireshark 44

Lab 3: Wireshark, Wireshark Filtering, Packet Analysis using

Wireshark
INTRODUCTION
Wireshark is an open-source, cross-platform network packet analyzer tool capable of sniffing and investigating
live traffic and inspecting packet captures (PCAP). It is commonly used as one of the best packet analysis tools.
In this room, we will look at the basics of Wireshark and use it to perform fundamental packet analysis.
Wireshark is one of the most potent traffic analyser tools available in the wild. There are multiple purposes for
its use:
 Detecting and troubleshooting network problems, such as network load failure points and congestion.
 Detecting security anomalies, such as rogue hosts, abnormal port usage, and suspicious traffic.
 Investigating and learning protocol details, such as response codes and payload data.
Note: Wireshark is not an Intrusion Detection System (IDS). It only allows analysts to discover and investigate
the packets in depth. It also doesn't modify packets; it reads them. Hence, detecting any anomaly or network
problem highly relies on the analyst's knowledge and investigation skills.
GUI AND DATA
Wireshark GUI opens with a single all-in-one page, which helps users investigate the traffic in multiple ways. At
first glance, five sections stand out.

The below picture shows Wireshark's main window. The sections explained in the table are highlighted. Now
open the Wireshark and go through the walkthrough.

LOADING PCAP FILES
The above picture shows Wireshark's empty interface. The only available information is the recently processed
“http1.cap" file. Let's load that file and see Wireshark's detailed packet presentation. Note that you can also
use the "File" menu, dragging and dropping the file, or double-clicking on the file to load a pcap.


Now, we can see the processed filename, detailed number of packets and packet details. Packet details are
shown in three different panes, which allow us to discover them in different formats.
TRAFFIC SNIFFING
You can use the blue "shark button" to start network sniffing (capturing traffic), the red button will stop the
sniffing, and the green button will restart the sniffing process. The status bar will also provide the used sniffing
interface and the number of collected packets.

PACKET DISSECTION
Packet dissection is also known as protocol dissection, which investigates packet details by decoding available
protocols and fields. Wireshark supports a long list of protocols for dissection, and you can also write your
dissection scripts.
Note: This section covers how Wireshark uses OSI layers to break down packets and how to use these layers
for analysis. It is expected that you already have background knowledge of the OSI model and how it works.
PACKET DETAILS
You can click on a packet in the packet list pane to open its details (double-click will open details in a new
window). Packets consist of 5 to 7 layers based on the OSI model. We will go over all of them in an HTTP
packet from a sample capture. The picture below shows viewing packet number 27.

Each time you click a detail, it will highlight the corresponding part in the packet bytes pane.
Let's have a closer view of the details pane.
We can see seven distinct layers to the packet: frame/packet, source [MAC], source [IP], protocol, protocol
errors, application protocol, and application data. Below we will go over the layers in more detail.
The Frame (Layer 1): This will show you what frame/packet you are looking at and details specific to the
Physical layer of the OSI model.
Department of Computing STMU, Islamabad 10 | P a g e

Source [MAC] (Layer 2): This will show you the source and destination MAC Addresses; from the Data Link
layer of the OSI model.
Source [IP] (Layer 3): This will show you the source and destination IPv4 Addresses; from the Network layer of
the OSI model.

Protocol (Layer 4): This will show you details of the protocol used (UDP/TCP) and source and destination
ports; from the Transport layer of the OSI model.
Protocol Errors: This continuation of the 4th layer shows specific segments from TCP that needed to be
reassembled.

Application Protocol (Layer 5): This will show details specific to the protocol used, such as HTTP, FTP, and
SMB. From the Application layer of the OSI model.
Application Data: This extension of the 5th layer can show the application-specific data.
PACKET NAVIGATION
PACKET NUMBERS
Wireshark calculates the number of investigated packets and assigns a unique number for each packet. This
helps the analysis process for big captures and makes it easy to go back to a specific point of an event.

GO TO PACKET
Packet numbers do not only help to count the total number of packets or make it easier to find/investigate
specific packets. This feature not only navigates between packets up and down; it also provides in-frame
packet tracking and finds the next packet in the particular part of the conversation. You can use the "Go"
menu and toolbar to view specific packets.

FIND PACKETS
Apart from packet number, Wireshark can find packets by packet content. You can use the "Edit --> Find
Packet" menu to make a search inside the packets for a particular event of interest. This helps analysts and
administrators to find specific intrusion patterns or failure traces.
There are two crucial points in finding packets. The first is knowing the input type. This functionality accepts
four types of inputs (Display filter, Hex, String and Regex). String and regex searches are the most commonly
used search types. Searches are case insensitive, but you can set the case sensitivity in your search by clicking
the radio button.
The second point is choosing the search field. You can conduct searches in the three panes (packet list, packet
details, and packet bytes), and it is important to know the available information in each pane to find the event

of interest. For example, if you try to find the information available in the packet details pane and conduct the
search in the packet list pane, Wireshark won't find it even if it exists.
MARK PACKETS
Marking packets is another helpful functionality for analysts. You can find/point to a specific packet for further
investigation by marking it. It helps analysts point to an event of interest or export particular packets from the
capture. You can use the "Edit" or the "right-click" menu to mark/unmark packets.
Marked packets will be shown in black regardless of the original colour representing the connection type.
Note that marked packet information is renewed every file session, so marked packets will be lost after closing
the capture file.

PACKET COMMENTS
Similar to packet marking, commenting is another helpful feature for analysts. You can add comments for
particular packets that will help the further investigation or remind and point out important/suspicious points
for other layer analysts. Unlike packet marking, the comments can stay within the capture file until the
operator removes them.

EXPORT PACKETS
Capture files can contain thousands of packets in a single file. As mentioned earlier, Wireshark is not an IDS, so
sometimes, it is necessary to separate specific packages from the file and dig deeper to resolve an incident.
This functionality helps analysts share the only suspicious packages (decided scope). Thus, redundant
information is not included in the analysis process. You can use the "File" menu to export packets.

EXPORT OBJECTS (FILES)
Wireshark can extract files transferred through the wire. For a security analyst, it is vital to discover shared
files and save them for further investigation. Exporting objects are available only for selected protocol's
streams (DICOM, HTTP, IMF, SMB and TFTP).

EXPERT INFO
Wireshark also detects specific states of protocols to help analysts easily spot possible anomalies and
problems. Note that these are only suggestions, and there is always a chance of having false
positives/negatives. Expert info can provide a group of categories in three different severities. Details are
shown in the table below.

Frequently encountered information groups are listed in the table below. You can refer to Wireshark's official
documentation for more information on the expert information entries.
You can use the "lower left bottom section" in the status bar or "Analyse --> Expert Information" menu to view
all available information entries via a dialogue box. It will show the packet number, summary, group protocol
and total occurrence.
PACKET FILTERING
Wireshark has a powerful filter engine that helps analysts to narrow down the traffic and focus on the event of
interest. Wireshark has two types of filtering approaches: capture and display filters. Capture filters are used
for "capturing" only the packets valid for the used filter. Display filters are used for "viewing" the packets valid
for the used filter. We will discuss these filters' differences and advanced usage in the next room. Now let's
focus on basic usage of the display filters, which will help analysts in the first place.

Filters are specific queries designed for protocols available in Wireshark's official protocol reference. While the
filters are only the option to investigate the event of interest, there are two different ways to filter traffic and
remove the noise from the capture file. The first one uses queries, and the second uses the right-click menu.
Wireshark provides a powerful GUI, and there is a golden rule for analysts who don't want to write queries for
basic tasks: "If you can click on it, you can filter and copy it".
APPLY AS FILTER
This is the most basic way of filtering traffic. While investigating a capture file, you can click on the field you
want to filter and use the "right-click menu" or "Analyse --> Apply as Filter" menu to filter the specific value.
Once you apply the filter, Wireshark will generate the required filter query, apply it, show the packets
according to your choice, and hide the unselected packets from the packet list pane. Note that the number of
total and displayed packets are always shown on the status bar.
CONVERSATION FILTER
When you use the "Apply as a Filter" option, you will filter only a single entity of the packet. This option is a
good way of investigating a particular value in packets. However, suppose you want to investigate a specific
packet number and all linked packets by focusing on IP addresses and port numbers. In that case, the
"Conversation Filter" option helps you view only the related packets and hide the rest of the packets easily.
You can use the"right-click menu" or "Analyse --> Conversation Filter" menu to filter conversations.
COLORIZE CONVERSATION
This option is similar to the "Conversation Filter" with one difference. It highlights the linked packets without
applying a display filter and decreasing the number of viewed packets. This option works with the "Coloring
Rules" option ad changes the packet colors without considering the previously applied colour rule. You can use
the "right-click menu" or "View --> Colorize Conversation" menu to colorize a linked packet in a single click.
Note that you can use the "View --> Colorize Conversation --> Reset Colorization" menu to undo this
operation.

PREPARE AS FILTER
Similar to "Apply as Filter", this option helps analysts create display filters using the "right-click"
menu. However, unlike the previous one, this model doesn't apply the filters after the choice. It
adds the required query to the pane and waits for the execution command (enter) or another
chosen filtering option by using the ".. and/or.." from the "right-click menu".

APPLY AS COLUMN
By default, the packet list pane provides basic information about each packet. You can use the "right-click
menu" or "Analyse --> Apply as Column" menu to add columns to the packet list pane. Once you click on a
value and apply it as a column, it will be visible on the packet list pane. This function helps analysts examine
the appearance of a specific value/field across the available packets in the capture file. You can enable/disable
the columns shown in the packet list pane by clicking on the top of the packet list pane.

PRACTICE TASK
UDP SNIFFED DATA ANALYSIS

1. Select one UDP packet from your trace. From this packet, determine how many fields there are in the
UDP header. Name these fields.
There are four UDP fields. Names of these fields are following.
1. Source Port
2. Destination Port
3. Length
4. Checksum

2. By consulting the displayed information in Wireshark’s packet content field for this packet, determine
the length (in bytes) of each of the UDP header fields.
3. The value in the Length field is the length of what? Verify your claim with your captured UDP packet.
It is the length of UDP header and Payload or application layer data in UDP segment.
4. What is the maximum number of bytes that can be included in a UDP payload? (Hint: the answer to this
question can be determined by your answer to 2. above)
A UDP segment size is depending on the size of length filed in UDP segment. Maximum number that can
store in length filed is 65535 and a UDP segment can have 65535 bytes of data with header. After
excluding header, it would be 65527
5. What is the largest possible source port number? (Hint: see the hint in 4.)
Possible largest port number is 65536

6. What is the protocol number for UDP? Give your answer in both hexadecimal and decimal notation. To
answer this question, you’ll need to look into the Protocol field of the IP datagram containing this UDP
segment (see Figure 4.13 in the text, and the discussion of IP header fields).
17 is protocol number for UPD.
7. Examine a pair of UDP packets in which your host sends the first UDP packet and the second UDP packet
is a reply to this first UDP packet. (Hint: for a second packet to be sent in response to a first packet, the
sender of the first packet should be the destination of the second packet). Describe the relationship
between the port numbers in the two packets.
Source Port is now destination port and Destination Port is now Source Port
THE BASIC HTTP GET/RESPONSE INTERACTION
Let’s begin our exploration of HTTP by downloading a very simple HTML file - one that is very short, and
contains no embedded objects. Do the following:
1. Start up your web browser.
2. Start up the Wireshark packet sniffer, as described in the Introductory lab (but don’t yet begin packet
capture). Enter “http” (just the letters, not the quotation marks) in the display-filter-specification window, so
that only captured HTTP messages will be displayed later in the packet-listing window. (We’re only
interested in the HTTP protocol here, and don’t want to see the clutter of all captured packets).
3. Wait a bit more than one minute (we’ll see why shortly), and then begin Wireshark packet capture.
4. Enter the following to your browser

http://gaia.cs.umass.edu/wireshark-labs/HTTP-wireshark-file1.html
Your browser should display the very simple, one-line HTML file.
5. Stop Wireshark packet capture.
By looking at the information in the HTTP GET and response messages, answer the following questions.
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
2. What languages (if any) does your browser indicate that it can accept to the server?
3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?
4. What is the status code returned from the server to your browser?
5. When was the HTML file that you are retrieving last modified at the server?
6. How many bytes of content are being returned to your browser?
7. By inspecting the raw data in the packet content window, do you see any headers within the data that
are not displayed in the packet-listing window? If so, name one.
THE HTTP CONDITIONAL GET/RESPONSE INTERACTION
By looking at the information in the HTTP GET and response messages, answer the following questions. When
answering the following questions, you should print out the GET and response messages and indicate where in
the message you’ve found the information that answers the following questions.
1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running?
2. What languages (if any) does your browser indicate that it can accept to the server?
3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?
4. What is the status code returned from the server to your browser?
5. When was the HTML file that you are retrieving last modified at the server?
6. How many bytes of content are being returned to your browser?

7. By inspecting the raw data in the packet content window, do you see any headers within the data that
are not displayed in the packet-listing window? If so, name one.
HTTP AUTHENTICATION
let’s try visiting a web site that is password-protected and examine the sequence of HTTP message exchanged
for such a site. The URL http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wireshark-file5.html
is password protected. The username is “wireshark-students” (without the quotes), and the password is
“network” (again, without the quotes). So let’s access this “secure” password-protected site. Do the following:
• Make sure your browser’s cache is cleared, as discussed above, and close down your browser. Then, start up
your browser
• Start up the Wireshark packet sniffer
• Enter the following URL into your browser
http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wiresharkfile5.html
Type the requested user name and password into the pop up box.
• Stop Wireshark packet capture, and enter “http” in the display-filter-specification window, so that only
captured HTTP messages will be displayed later in the packet-listing window.
Answer the following questions:
1. What is the server’s response (status code and phrase) in response to the initial HTTP GET message
from your browser?
2. When your browser’s sends the HTTP GET message for the second time, what new field is included in
the HTTP GET message?
The username (wireshark-students) and password (network) that you entered are encoded in the string of
characters (d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=) following the “Authorization: Basic” header in the
client’s HTTP GET message. While it may appear that your username and password are encrypted, they are

simply encoded in a format known as Base64 format. The username and password are not encrypted! To see
this, go to http://www.motobit.com/util/base64-decoder-encoder.asp and enter the base64-encoded string
d2lyZXNoYXJrLXN0dWRlbnRz and decode. Voila! You have translated from Base64 encoding to ASCII encoding,
and thus should see your username! To view the password, enter the remainder of the string Om5ldHdvcms=
and press decode. Since anyone can download a tool like Wireshark and sniff packets (not just their own)
passing by their network adaptor, and anyone can translate from Base64 to ASCII (you just did it!), it should be
clear to you that simple passwords on WWW sites are not secure unless additional measures are taken.
CAPTURING A BULK TCP TRANSFER FROM YOUR COMPUTER TO A

REMOTE SERVER
Before beginning our exploration of TCP, we’ll need to use Wireshark to obtain a packet trace of the TCP
transfer of a file from your computer to a remote server. You’ll do so by accessing a Web page that will allow
you to enter the name of a file stored on your computer (which contains the ASCII text of Alice in
Wonderland), and then transfer the file to a Web server using the HTTP POST method. We’re using the POST
method rather than the GET method as we’d like to transfer a large amount of data from your computer to
another computer.
Do the following:
 Start up your web browser. Go the http://gaia.cs.umass.edu/wiresharklabs/alice.txt and retrieve an ASCII

copy of Alice in Wonderland. Store this file somewhere on your computer.
 Next go to http://gaia.cs.umass.edu/wireshark-labs/TCP-wireshark-file1.html.
 Use the Browse button in this form to enter the name of the file (full path name) on your computer
containing Alice in Wonderland (or do so manually). Don’t yet press the “Upload alice.txt file” button.
 Now start up Wireshark and begin packet capture (Capture->Start) and then press OK on the Wireshark
Packet Capture Options screen (we’ll not need to select any options here).
 Returning to your browser, press the “Upload alice.txt file” button to upload the file to the
gaia.cs.umass.edu server. Once the file has been uploaded, a short congratulations message will be
displayed in your browser window.
 Stop Wireshark packet capture.
 First, filter the packets displayed in the Wireshark window by entering “tcp”
What you should see is series of TCP and HTTP messages between your computer and gaia.cs.umass.edu. You
should see the initial three-way handshake containing a SYN message. You should see an HTTP POST message.
Wireshark you are using, you might see a series of “HTTP Continuation” messages being sent from your
computer to gaia.cs.umass.edu– this is Wireshark’s way of indicating that there are multiple TCP segments
being used to carry a single HTTP message. You should also see TCP ACK segments being returned from
gaia.cs.umass.edu to your computer. Answer the following questions:
1. What is the IP address and TCP port number used by the client computer (source) that is transferring the
file to gaia.cs.umass.edu? To answer this question, it’s probably easiest to select an HTTP message and
explore the details of the TCP packet used to carry this HTTP message, using the “details of the selected
packet header window” (refer to Figure 2 in the “Getting Started with Wireshark” Lab if you’re uncertain
about the Wireshark windows.
2. What is the IP address of gaia.cs.umass.edu? On what port number is it sending and receiving TCP
segments for this connection?
3. What is the sequence number of the TCP SYN segment that is used to initiate the TCP connection
between the client computer and gaia.cs.umass.edu? What is it in the segment that identifies the segment
as a SYN segment?
4. What is the sequence number of the SYNACK segment sent by gaia.cs.umass.edu to the client computer
in reply to the SYN? What is the value of the Acknowledgement field in the SYNACK segment? How did
gaia.cs.umass.edu determine that value? What is it in the segment that identifies the segment as a SYNACK
segment?
5. What is the sequence number of the TCP segment containing the HTTP POST command? Note that in
order to find the POST command, you’ll need to dig into the packet content field at the bottom of the
Wireshark window, looking for a segment with a “POST” within its DATA field.
6. What is the length of each of the first six TCP segments?

LAB TASK 1: IDENTIFYING TRAFFIC SOURCES
Objective:
The objective of this lab task is to utilize Wireshark to determine the source IP address of incoming traffic.
Procedure:
 Open Wireshark on your computer.

 Select the network interface in Wireshark from which you want to capture traffic.
 Once the capture begins, use various applications or browse the internet to generate traffic.
 Apply display filters in Wireshark to focus only on IP addresses. (Tip: "ip.src")
 Identify the IP addresses from which traffic is originating.
 Record your observations and findings in the lab report.
Questions:
1. Using Wireshark, what IP address(es) did you identify as the source(s) of incoming traffic?

2. Did you notice any patterns or specific types of traffic originating from certain IP addresses?
Here if you are seeing SSDP protocol it means Simple Service Discovery Protocol allows devices to discover
other published network devices and services and send and receive information between them. The Multicast
Domain Name System (mDNS) protocol, is a a zero-configuration and multi-platform service designed to
resolve host names to IP addresses within small networks that do not have a local DNS server.
3. How might identifying the source of incoming traffic be beneficial in network security or
troubleshooting scenarios?
Identifying the source of incoming traffic can be beneficial in network security by allowing administrators to
detect and block potentially malicious or unauthorized activity. It can also aid in troubleshooting network
issues by pinpointing the origin of problematic traffic and identifying potential sources of congestion or
performance issues.

LAB TASK 2: PORT ANALYSIS

Objective:
The objective of this lab task is to use Wireshark to identify the specific port(s) through which traffic is arriving.
Procedure:

 Select the network interface in Wireshark from which you want to capture traffic.
 Begin capturing traffic and engage in various activities such as browsing or using applications to
generate traffic.
 Apply display filters in Wireshark to focus solely on port numbers. (Tip: "tcp.port" or "udp.port")
 Identify the port(s) through which traffic is arriving.
 Document your observations and findings in the lab report.
Questions:
4. Using Wireshark, which port(s) did you identify as the source(s) of incoming traffic?
ip.src == 192.168.1.100
5. Were there any specific protocols associated with the identified ports? If so, which ones?
In Wireshark, you can determine the protocols associated with identified ports by inspecting the packets and
examining the protocol field within the packet details. Additionally, you can use display filters to focus on
specific protocols associated with the identified ports.
This filter will display only TCP traffic with destination or source port 80, typically associated with HTTP.

To filter traffic based on a specific protocol, you can use a display filter like this:
To filter traffic based on both port and protocol, you can combine the filters like this:

6. How might understanding the port(s) through which traffic is arriving be useful in network
administration or security?
Network Troubleshooting: Identifying the ports involved in traffic can help troubleshoot network issues. For
example, if a specific application or service is experiencing connectivity problems, checking the ports
associated with it can narrow down the root cause.
Security Monitoring: Monitoring traffic on specific ports can help detect potential security threats or
unauthorized activities. For instance, unusual traffic on commonly exploited ports (e.g., port 22 for SSH or port
445 for SMB) could indicate a potential cyber attack or malware infection.
Access Control: Understanding which ports are being used can aid in implementing access control policies. By
monitoring and controlling access to certain ports, network administrators can enforce security measures to
prevent unauthorized access or data breaches.
Service Identification: Recognizing the ports associated with different network services or applications can
facilitate service identification and classification. This knowledge is crucial for maintaining an inventory of
services running on the network and ensuring their proper configuration and security.
Example:
Suppose a network administrator notices unusually high traffic on port 3389 (Remote Desktop Protocol - RDP),
which is typically used for remote desktop connections. Upon investigation, they discover that an
unauthorized user is attempting to establish RDP connections to several internal systems from an external IP
address. This indicates a potential brute-force attack or unauthorized access attempt.
LAB TASK 3: PROTOCOL IDENTIFICATION AT THE APPLICATION LAYER

Objective:
The objective of this lab task is to utilize Wireshark to determine which protocol's traffic is being transmitted
at the application layer.

Procedure:
 Launch Wireshark on your computer.

 Select the appropriate network interface for capturing traffic.
 Start the capture process and generate traffic by using various applications or browsing the internet.
 Apply display filters in Wireshark to focus on the application layer protocols. (Tip: "tcp.port" or
"udp.port")
 Analyse the captured packets to identify the protocols associated with the application layer traffic.
Questions:
7. Based on your analysis in Wireshark, which protocols were identified as transmitting traffic at the
application layer?
Command: tcp.port != 80 and udp.port != 53
Explanation: This command filters out traffic on TCP port 80 (HTTP) and UDP port 53 (DNS), leaving you with
other application layer protocols. You can modify the port numbers as needed to exclude additional common
protocols.
8. Did you notice any specific patterns or behaviours associated with certain protocols?
Command: http or dns
Explanation: These commands filter traffic specifically for HTTP (Hypertext Transfer Protocol) and DNS
(Domain Name System) protocols. You can replace http and dns with other protocols as per your observations.
LAB TASK 4: PROTOCOL COMMUNICATION BETWEEN SPECIFIC IPS

Objective:
The objective of this lab task is to utilize Wireshark to determine the communication protocol between
specific IP addresses.

Procedure:

 Select the network interface to capture traffic.
 Start the capture process and let it run for a while.
 Apply display filters in Wireshark to focus on traffic between specific source and destination IP
addresses. (Tip: "ip.src == [source IP] && ip.dst == [destination IP]")
 Analyse the captured packets to identify the protocol(s) being used for communication between the
specified IP addresses.
Questions:
9. Based on your analysis in Wireshark, what protocol(s) were identified in the communication
between the specified source and destination IP addresses?
For identifying communication between a specific source and destination IP address:

10. Did you observe any abnormalities or unexpected behaviour in the communication between these IP
addresses?
To observe abnormalities or unexpected behavior, you might need to examine various aspects of the packets.
Here are some filter commands for common abnormalities:
For TCP packets with the SYN flag set (indicating the start of a TCP connection):
tcp.flags.syn == 1
For ICMP packets (commonly used for network diagnostics and error reporting):
Icmp
For packets with errors:
frame.len < 64 // Example: Filter for packets smaller than 64 bytes
LAB TASK 5: DETECTING DOS OR DDOS ATTACKS

Objective:
The objective of this lab task is to utilize Wireshark to detect whether a Denial of Service (DoS) or Distributed
Denial of Service (DDoS) attack has occurred.
Procedure:

 Select the appropriate network interface for capturing traffic.
 Start the capture process and let it run for a while.
 Apply display filters in Wireshark to focus on potential signs of DoS or DDoS attacks. (Tip: Look for
unusual patterns such as high volume of traffic from multiple sources, unusual protocol behavior, or
excessive connection attempts.)
 Analyze the captured packets to identify any suspicious activity that might indicate a DoS or DDoS
attack.

Questions:
11. Based on your analysis in Wireshark, did you detect any signs of a DoS or DDoS attack? If yes,
describe the indicators you observed.
12. What types of traffic patterns or behaviors did you identify as potential signs of a DoS or DDoS
attack?
The following command can SYN flood attacks, In a SYN flood attack, the attacker floods the target system
with a large number of TCP SYN packets (with the SYN flag set) but does not complete the TCP handshake by
sending the expected ACK packets. This overwhelms the target system with half-open connections, consuming
its resources and making it unable to respond to legitimate connection requests.
By analyzing traffic using the tcp.flags.syn == 1 and tcp.flag.ack == 1 filter, you can observe TCP connections in
the process of being established. If you notice a disproportionately high number of SYN packets compared to
SYN-ACK packets, it could indicate a SYN flood attack.
How To Detect A SYN Flood Attack With Wireshark:
sudo apt-get install hping3
hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.1.159 (We’re sending 15000 packets (-c
15000) at a size of 120 bytes (-d 120) each. We’re specifying that the SYN Flag (-S) should be enabled, with a
TCP window size of 64 (-w 64). To direct the attack to our victum’s HTTP web server we specify port 80 (-p 80)
and use the --flood flag to send packets as fast as possible.)

As you can see, there’s a high volume of SYN packets with very little variance in time. Each SYN packet shows
it’s from a different source IP address with a destination port 80 (HTTP), identical length of 120 and window
size (64). When we filter with tcp.flags.syn == 1 and tcp.flags.ack == 1 we can see that the number of
SYN/ACKs is comparatively very small. A sure sign of a TCP SYN attack.

We can also view Wireshark’s graphs for a visual representation of the uptick in traffic. The I/O graph can be
found via the Statistics>I/O Graph menu. It shows a massive spike in overall packets from near 0 to up to 2400
packets a second.

By removing our filter and opening the protocol hierarchy statistics, we can also see that there has been an
unusually high volume of TCP packets:
LAB TASK 6: DETECTING PASSWORD BRUTE-FORCE ATTACKS USING

WIRESHARK
Objective:
The objective of this lab task is to utilize Wireshark to detect whether a Password Brute-Force Attack has
occurred during login attempts using OWASP's application.
Procedure:

 Start capturing traffic on the network interface.
 Use OWASP for login attempts, deliberately entering incorrect passwords multiple times.
 Continue capturing traffic while performing login attempts.

 Apply display filters in Wireshark to focus on HTTP traffic related to login attempts.
 Analyze the captured packets to identify patterns indicative of password brute-force attacks, such as
repeated failed login attempts.
Questions:
13. Based on your analysis in Wireshark, did you detect any signs of a Password Brute-Force Attack
during the login attempts on OWASP? If yes, describe the indicators you observed.
Answer: Yes, signs of a Password Brute-Force Attack were detected during the login attempts on OWASP.
Wireshark captured multiple HTTP requests with failed login attempts, each followed by another attempt with
a different password. This pattern of repeated failed login attempts suggests an automated or manual attempt
to guess the correct password through brute-force.
14. What types of traffic patterns or behaviors did you identify as potential signs of a Password Brute-
Force Attack?
Answer: The traffic patterns indicative of a Password Brute-Force Attack include:
 Sequential or repeated login attempts with different passwords within a short time frame.
 Increased frequency of failed login attempts compared to successful ones.
 Unusual or abnormal login patterns, such as numerous login attempts from the same IP address.
15. How can network administrators mitigate or respond to Password Brute-Force Attacks based on the
information obtained from packet analysis in Wireshark?
Answer: Network administrators can mitigate or respond to Password Brute-Force Attacks by:
 Implementing account lockout mechanisms that temporarily disable accounts after a certain number
of failed login attempts.
 Enforcing strong password policies to deter attackers from successfully guessing passwords.
 Monitoring network traffic and system logs for signs of suspicious login activity, such as a high volume
of failed login attempts.
 Using intrusion detection/prevention systems (IDS/IPS) to detect and block malicious login attempts in
real-time.
 Educating users about the risks of weak passwords and the importance of using unique, complex
passwords for different accounts.



Identify HTTP POST Requests: Brute-force attacks often involve repeated login attempts, which are usually
carried out via HTTP POST requests.
Focus on Login Endpoint: Since the attack is targeting the login page, filter the traffic to focus specifically on
requests to the login endpoint.


Is LM3

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Is LM3

Uploaded by

Copyright:

Available Formats

Shifa Tameer-e-Millat University

LAB MANUAL FOR

Wireshark, Wireshark Filtering, Packet Analysis using Wireshark

Department of Computing STMU, Islamabad 2|Page

Capturing a bulk TCP transfer from your computer to a remote server 31

Department of Computing STMU, Islamabad 3|Page

Lab 3: Wireshark, Wireshark Filtering, Packet Analysis using

GUI AND DATA

Department of Computing STMU, Islamabad 4|Page

Department of Computing STMU, Islamabad 5|Page

LOADING PCAP FILES

Department of Computing STMU, Islamabad 6|Page

Department of Computing STMU, Islamabad 7|Page

Department of Computing STMU, Islamabad 8|Page

Department of Computing STMU, Islamabad 9|Page

Let's have a closer view of the details pane.

Department of Computing STMU, Islamabad 10 | P a g e

Department of Computing STMU, Islamabad 11 | P a g e

Department of Computing STMU, Islamabad 12 | P a g e

Department of Computing STMU, Islamabad 13 | P a g e

Department of Computing STMU, Islamabad 14 | P a g e

Department of Computing STMU, Islamabad 15 | P a g e

Department of Computing STMU, Islamabad 16 | P a g e

Department of Computing STMU, Islamabad 17 | P a g e

Department of Computing STMU, Islamabad 18 | P a g e

EXPORT OBJECTS (FILES)

Department of Computing STMU, Islamabad 19 | P a g e

Department of Computing STMU, Islamabad 20 | P a g e

Department of Computing STMU, Islamabad 21 | P a g e

Department of Computing STMU, Islamabad 23 | P a g e

Department of Computing STMU, Islamabad 24 | P a g e

Department of Computing STMU, Islamabad 25 | P a g e

UDP SNIFFED DATA ANALYSIS

Department of Computing STMU, Islamabad 26 | P a g e

Possible largest port number is 65536

Department of Computing STMU, Islamabad 27 | P a g e

17 is protocol number for UPD.

THE BASIC HTTP GET/RESPONSE INTERACTION

1. Start up your web browser.

4. Enter the following to your browser

Department of Computing STMU, Islamabad 28 | P a g e

5. Stop Wireshark packet capture.

3. What is the IP address of your computer? Of the gaia.cs.umass.edu server?

6. How many bytes of content are being returned to your browser?

THE HTTP CONDITIONAL GET/RESPONSE INTERACTION

Department of Computing STMU, Islamabad 29 | P a g e

• Start up the Wireshark packet sniffer

• Enter the following URL into your browser

Answer the following questions:

Department of Computing STMU, Islamabad 30 | P a g e

CAPTURING A BULK TCP TRANSFER FROM YOUR COMPUTER TO A

 Start up your web browser. Go the http://gaia.cs.umass.edu/wiresharklabs/alice.txt and retrieve an ASCII

6. What is the length of each of the first six TCP segments?

Department of Computing STMU, Islamabad 32 | P a g e

LAB TASK 1: IDENTIFYING TRAFFIC SOURCES

 Open Wireshark on your computer.

Department of Computing STMU, Islamabad 33 | P a g e

Department of Computing STMU, Islamabad 34 | P a g e

LAB TASK 2: PORT ANALYSIS

 Open Wireshark on your computer.

Department of Computing STMU, Islamabad 35 | P a g e

Department of Computing STMU, Islamabad 36 | P a g e

LAB TASK 3: PROTOCOL IDENTIFICATION AT THE APPLICATION LAYER