panasbook.blogg.se

Wireshark examples
This is an example of my workflow for examining malicious network traffic. The traffic I've chosen is from The Honeynet Project and is one of their challenge captures. For small pcaps I like to use Wireshark just because it's easier to use. Sometimes I'll pull apart a large pcap, grab the TCP stream I want and look at it in Wireshark. What you use to look at traffic largely depends on what's going on. You could run it through Snort, Bro or SiLK if you wanted, and if this pcap was large, that's exactly what I would do.

First, my setup: I'm doing this in a Kali 2.0 VM (Virtual Machine) with my network card disabled. I do this because in the event I'm analyzing something or carve a binary out of the traffic, I want to make sure my host operating system does not get infected. This pcap has 348 packets; The Honeynet Project has already carved it out of a much larger pcap for us.

The challenge is stated as follows: A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

What can you find out about the attacking host (e.g., where is it located)? (2pts)
I just use Wireshark -> Statistics -> Endpoints -> IP. Simple, I just use  to locate the IP address. This IP address is located in Philadelphia; unknown if it's a true source IP or not at this point.

How many TCP sessions are contained in the dump file? (2pts)
I like to use Wireshark -> Statistics -> Conversations -> TCP. We have 5 TCP sessions that were established between the attacker and victim; keep in mind Wireshark TCP streams start at 0, so our streams go from 0 – 4 for a total of 5.

How long did it take to perform the attack? (2pts)
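As an added example (not from the original post or the challenge pcap), the following Python reproduces what the Conversations -> TCP and Endpoints -> IP views compute, including the 0-based stream numbering, over a constructed set of packets; the addresses (RFC 5737 test ranges), port and timestamps are made up.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as read from a pcap; only the fields these statistics need."""
    ts: float   # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int


def conversation_key(p):
    """Direction-independent 4-tuple: the grouping Statistics -> Conversations -> TCP uses."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def assign_streams(packets):
    """Number conversations from 0 in first-seen order, like tcp.stream.
    Simplification: Wireshark gives a fresh index to a new SYN on an already
    closed 4-tuple; this version keeps one index per 4-tuple."""
    streams = OrderedDict()
    for p in packets:
        streams.setdefault(conversation_key(p), len(streams))
    return streams


def summarize(packets):
    """Session count, stream index range, involved hosts and trace duration."""
    streams = assign_streams(packets)
    return {
        "sessions": len(streams),
        "stream_range": (0, len(streams) - 1),  # 5 sessions are streams 0..4
        "endpoints": sorted({p.src for p in packets} | {p.dst for p in packets}),
        "duration_s": max(p.ts for p in packets) - min(p.ts for p in packets),
    }


# Constructed sample (RFC 5737 test addresses, not the challenge pcap): five
# handshakes from one attacker to one victim, new client port each, 4 s apart.
ATTACKER, VICTIM, SERVICE_PORT = "192.0.2.10", "198.51.100.20", 8080
SAMPLE_PACKETS = []
for i in range(5):
    t0, cport = 10.0 + 4.0 * i, 1025 + i
    SAMPLE_PACKETS += [
        Packet(t0, ATTACKER, cport, VICTIM, SERVICE_PORT),          # SYN
        Packet(t0 + 0.05, VICTIM, SERVICE_PORT, ATTACKER, cport),   # SYN/ACK
        Packet(t0 + 0.10, ATTACKER, cport, VICTIM, SERVICE_PORT),   # ACK
    ]
```

The duration figure is only the span of the trace itself; for the "how long did the attack take" question you would still bound it by the first and last packet you attribute to the attacker.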