This is a walkthrough of my work on the TryHackMe lab (https://tryhackme.com/r/room/wiresharkpacketoperations)
This lab is designed to build upon the skills learned in the Wireshark basics lab. This continuation focuses on packet-level details through statistics, filters, operations, and functions.
- Wireshark
- Linux Ubuntu
- Statistics | Summary
This task used various tools in the statistics menu to investigate trends in the packet capture by things such as endpoints, conversations, and protocols.
I navigated to the resolved addresses under the statistics menu.
Within the resolved addresses I searched for "bbc" to find the hostname that begins with bbc, and found its IP address.
Next, to find the number of IPv4 conversations, I navigated to the conversations window under the statistics menu. I can see from the numbers associated with the different tabs along the top that there are 435 IPv4 conversations.
The next question asks for the number of bytes transferred from the "Micro-St" MAC address, which I found by navigating to the conversations window and then enabling name resolution, so that MAC addresses associated with known manufacturers would have the manufacturer's name displayed in place of their unique identifier.
Then I searched for the number of IP addresses linked with Kansas City by navigating to the endpoints window, and then clicked on the IPv4 tab. I scrolled through the list focusing on the city column until I found 4 IP addresses with Kansas City listed as their location.
Lastly, for this section, I stayed in the endpoints window but scrolled horizontally to find the AS Organization column. I searched for the "Blicnet" organization and discovered that it has the IP address 188.246.82.7.
- Statistics | Protocol Details
The next section focuses on observing trends through the IPv4 and IPv6 Statistics menus.
First I found the most used IPv4 destination address by navigating to the IPv4 statistics menu, then to the source and destination addresses.
Once in the source and destination addresses window, I collapsed the source IPv4 addresses and expanded the destination IPv4 addresses. Then I sorted them by count descending so that the destination address with the most connections would be listed first.
Next, I investigated the DNS activity using the DNS menu under statistics. The DNS window shows both minimum and maximum values for each topic. I sorted the topics alphabetically and scrolled down to the service stats to find the request-response time max value.
Finally, I used the load distribution to find the number of successful HTTP requests by rad[.]msn[.]com.
- Packet Filtering
In task 4, packet filtering principles, I learned that filters can be used both during the capture phase and at the display level. One must be careful when using capture filters, because a misused capture filter can mean that important packets related to the incident are never captured at all, so TryHackMe recommended starting with an unfiltered capture and filtering later at the display level. Wireshark filters are written in a syntax of comparison and logical operators, and the filtering principles task teaches that syntax. Following this instruction phase I put that knowledge to work in the packet filtering | protocol filters task.
It started simple with the filter "ip" to find the number of Internet Protocol packets in the capture. We can see at the bottom of the page that this filter applies to 99.9% of the packets, resulting in a total of 81420 IP packets.
Next, I used the less-than comparison operator to filter on the time-to-live value of IP packets and find the number of packets where the TTL is less than 10.
Then I filtered by TCP port 4444 using the equal-to operator.
The next filter gets slightly more complicated. I needed to use the '&&' operator to combine two filters. The first filter selects HTTP packets by their request method, keeping only GET requests, and the '&&' operator further narrows that selection to those requests with a TCP destination port of 80.
Lastly, I used the knowledge that I could build a filter by choosing it from the "Display Filter Expression" menu to find the filter for DNS type A queries.
It turned out that the filter was simply dns.a; I didn't know that initially, but the expression menu let me find it. With that filter I discovered 51 DNS type A queries.
- Advanced Filtering
In this last section I stretched my filtering skills by adding terms like "matches", "contains" and "string" to really refine the filter options.
First, I searched for the HTTP servers that contained "Microsoft" to find the Microsoft-IIS servers, and added the does-not-equal comparison operator to exclude any that had a source port of 80.
Then I narrowed in on only the Microsoft-IIS servers that were version 7.5 by adding a "matches" filter.
Next, to search for any packets that used one of a number of TCP ports, I used the "in" operator with a set containing the ports to include.
To filter only the packets with an even-valued time to live, I first had to convert those values into a string using the "string" function, then match the last digit against a set of even digits.
In the last two questions I used a previously created "Checksum Control" profile. I, once again, used the "Display Filter Expression" menu to find the filter for bad checksum values.
This allowed me to see only the packets with bad checksum values, which had a black custom highlight color associated with the Checksum Control profile.
Lastly, I clicked on the bookmarked filter button to the right of the filter bar to find the number of packets with HTTP response code 200 that also contained GIF or JPEG image content.
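As an added example (not part of the walkthrough or the lab), the display filters from the packet filtering and advanced filtering tasks are paired with equivalent Python predicates and run over a handful of constructed packets, so the behaviour of each operator (bare field presence, `in` sets, case-insensitive `matches`, and the string() trick for even TTLs) can be checked offline. The page does not give the exact filter text for the version 7.5 question, so that pattern is an assumption, and the bad-checksum filter is left out for the same reason.

```python
import re
# Constructed sample packets (not from the lab's capture), one dict per frame,
# keyed by the Wireshark field names the walkthrough's filters use.
PACKETS = [
    {"frame": 1, "ip.ttl": 64, "tcp.srcport": 49152, "tcp.dstport": 80,
     "http.request.method": "GET"},
    {"frame": 2, "ip.ttl": 128, "tcp.srcport": 80, "tcp.dstport": 49152,
     "http.server": "Microsoft-IIS/7.5", "http.response.code": 200,
     "http.content_type": "image/gif"},
    {"frame": 3, "ip.ttl": 7, "tcp.srcport": 4444, "tcp.dstport": 51000},
    {"frame": 4, "ip.ttl": 55, "tcp.srcport": 8080, "tcp.dstport": 40000,
     "http.server": "Microsoft-IIS/10.0", "http.response.code": 200,
     "http.content_type": "text/html"},
    {"frame": 5, "ip.ttl": 3, "tcp.srcport": 53, "tcp.dstport": 33000,
     "dns.a": "203.0.113.10"},
]

def _ports(p):
    return {p["tcp.srcport"], p["tcp.dstport"]}   # tcp.port means either side

# Display filter text as typed into Wireshark, paired with the predicate it
# expresses. "matches" is a case-insensitive regex in Wireshark, "contains" a
# case-sensitive substring test, and a bare field name tests presence.
FILTERS = {
    "ip.ttl < 10": lambda p: p["ip.ttl"] < 10,
    "tcp.port == 4444": lambda p: 4444 in _ports(p),
    'http.request.method == "GET" && tcp.dstport == 80':
        lambda p: p.get("http.request.method") == "GET" and p["tcp.dstport"] == 80,
    "dns.a": lambda p: "dns.a" in p,
    'http.server contains "Microsoft" && tcp.srcport != 80':
        lambda p: "Microsoft" in p.get("http.server", "") and p["tcp.srcport"] != 80,
    # Assumed pattern for the version 7.5 question; the page does not give it.
    'http.server matches "iis/7\\.5"':
        lambda p: re.search(r"iis/7\.5", p.get("http.server", ""), re.I) is not None,
    "tcp.port in {80, 443, 8080}": lambda p: bool(_ports(p) & {80, 443, 8080}),
    # Wireshark has no modulo operator, so an even TTL is found by converting
    # the number to text and matching its last digit against the even digits.
    'string(ip.ttl) matches "[02468]$"':
        lambda p: re.search(r"[02468]$", str(p["ip.ttl"])) is not None,
    'http.response.code == 200 && (http.content_type contains "gif"'
    ' || http.content_type contains "jpeg")':
        lambda p: p.get("http.response.code") == 200 and any(
            t in p.get("http.content_type", "") for t in ("gif", "jpeg")),
}

def apply_filter(display_filter, packets=PACKETS):
    """Return the frame numbers the display filter would leave visible."""
    pred = FILTERS[display_filter]
    return [p["frame"] for p in packets if pred(p)]
```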