Task 1(warm up)
- Download the following pcap file:(http://nsl.cs.waseda.ac.jp/~mori/data/warmup.pcap)
- For the following tasks, you can use tcpdump and GNU command-line tools such as cat, wc, sort, uniq, grep, awk, and etc. If you want, you can also use your favorite script language such as Python, Ruby, Perl, or whatever. You are NOT allowed to use wireshark here.
1.1 count the number of total frames
- Using the WireShark software:
result is 100,000 - Using the wireshark command on CentOS: tshark
yum install -y wireshark
tshark -r warmup.pcap | wc -l
result is 100,000
- using capinfos
capinfos warmup.pcap | grep "Number of packets"| tr -d " " | cut -d ":" -f 2
- Using tcpdump
tcpdump -r test.cap 2>/dev/null| wc -l
failed!!!???
1.2 count the number of IPv4 packets
- Using the WireShark software:
95860
1.3 count the number of IPv6 packets
- Using the WireShark software:
4171
1.4 count the number of IPv4/tcp packets
- Using the WireShark software:
73343
1.5 count the number of IPv4/udp packets
- Using the WireShark software:
6347
1.6 count the number of distinct source IPv4 addresses:
- Using the WireShark software
6299
1.7 count the number of distinct destination IPv4 addresses
- Using the WireShark software
15839
1.8 list the top-10 source IP addresses that appeared the most.
- Using the Wireshark software
203.50.118.210 74.157.109.74 17.157.75.206 163.162.85.250 162.98.176.7
31.242.205.139 23.32.18.78 104.167.125.139 203.50.109.231 203.50.109.226
1.9 list the top-10 destination IP addresses appeared the most
- Using the Wireshark software
202.139.239.243 202.133.50.192 203.50.118.210 203.50.100.162 13.181.101.53
163.162.250.91 202.139.239.29 202.133.18.189 163.162.113.121 163.162.15.96
Task 2
- download the following file: (http://nsl.cs.waseda.ac.jp/~mori/data/first2015.pcap)
- Note: this pcap file is a part of the dataset used in the following training event: (https://www.first.org/resources/papers/conf2015/first_2015_-_hjelmvik-erik-_hands-on_network_forensics_20150604.pdf)
2.1 extract the query names from DNS query packets
- Python pyshark
mycompany.com', 'pop.gmx.com', 'password-ned-xp.pwned.se', 'password-ned-xp', 'safebrowsing.google.com', 'safebrowsing-cache.google.com', 'clients2.google.com', '_ftp._tcp.local', 'clients4.google.com', 'client.dropbox.com', '_ipp._tcp.local', 'navigator-bs.gmx.com', 'accounts.google.com', '_ipps._tcp.local', '16-0.19-a3000081.20081.1644.1e39.2f4a.210.0.lsfzcu3cfr5h1cip6rdsa7h5uj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.6fnn1j35k3nnmigna2v11i9swj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.5qzbq178cpcpkz3ash969p4vtb.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.5qwgzz8ezez1mwk72db4mfbk7t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.q5geq2e7kll2zfk2mrugnuh14q.avts.mcafee.com', 'a-0.19-a30000c1.d040083.1644.1e39.2f4a.210.0.94rhhfkzeebvlhkzt644av1snj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.n16ddjdlrwenfmj61er2jgkb6b.avts.mcafee.com', 'c.14-0.19-a3000081.8010081.1644.1e39.2f4a.210.0.dae44v4q334j48qqwp95jaad5t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.9euk3unrrrp7k71c4r3c4mkv2t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.tdnt4a1hciwwwq61tm1ef4b3kb.avts.mcafee.com', 'c-0.19-a3000071.40481.1644.1e39.2f4a.210.0.du5czgeg5ng1hjphkd7j21qhdi.avts.mcafee.com', '16-0.19-a3000071.10081.1644.1e39.2f4a.210.0.vtb7pr9gljq31vf9tvfllftapq.avts.mcafee.com', 'a-0.19-a3000071.d020082.1644.1e39.2f4a.210.0.25nahcdech5gsrv9ecemf2lbkt.avts.mcafee.com', 'c-0.19-a3000081.70481.1644.1e39.2f4a.210.0.clq6shkdqf4qk2l2h7f23zrbdj.avts.mcafee.com', 'wpad.pwned.se', 'wpad', 'watson.microsoft.com', 'c-0.19-a7000008.8a70083.1644.1e39.2f4a.210.0.sp4llip8fbzphb22g2r6w8iu1j.avts.mcafee.com', 'go.microsoft.com', 'ctldl.windowsupdate.com', 'dmd.metaservices.microsoft.com', 'a-0.19-a3000081.9110081.1644.1e39.2f4a.210.0.5wauzj8kclu1up9r1vmvdufkaj.avts.mcafee.com', 'c-0.19-a3000081.50481.1644.1e39.2f4a.210.0.tzbz944k79p2izgrrwssktv4p6.avts.mcafee.com', 'c-0.19-a3000008.60081.1644.1e39.2f4a.210.0.iu67rk8f86junz2fmh7vk62c2b.avts.mcafee.com', 'compatexchange.trafficmanager.net', 'ocsp.msocsp.com', 'watson2.microsoft.com', 'notify8.dropbox.com', 'clients1.google.com', 'client-lb.dropbox.com', 'tools.google.com', 'redirector.gvt1.com', 'r6---sn-uxap5nvoxg5-5goe.gvt1.com', 'clients3.google.com', 'apis.google.com', 'mail.google.com', 'ssl.gstatic.com', 'www.google.com', 'www.google.se', 'www.googleapis.com', 'www.gstatic.com', 'translate.googleapis.com', 'mtalk.google.com', 'accounts.youtube.com', 'clients2.googleusercontent.com', 'zkygedkpyzdll.pwned.se', 'ltynerolirvuzj.pwned.se', 'ghurdoi.pwned.se', 'zkygedkpyzdll', 'ltynerolirvuzj', 'ghurdoi', 'changelogs.ubuntu.com', '3c-bs.gmx.com', 'isatap.pwned.se', 'Dell-Dator32', 'services.addons.mozilla.org', 'ocsp.digicert.com', 'versioncheck-bg.addons.mozilla.org', 'gfe.nvidia.com', 'addons.mozilla.org', 'blocklist.addons.mozilla.org', 'www.hipchat.com', 'ad.doubleclick.net', 'www.skybluecanvas.com', 'www.php.net', 'www.zend.com', 'php.net', 'ajax.googleapis.com', 'edit.php.net', 'bugs.php.net', 'example.com', 'www.example.com', 'softontherocks.blogspot.com', 'msdn.microsoft.com', '146.49.195.217.in-addr.arpa', 'versioncheck.addons.mozilla.org', 'fhr.data.mozilla.com', 'aus4.mozilla.org', 'lc.mcafee.com', 'update.nai.com', 'mirrorlist.centos.org', 'ftp.acc.umu.se', 'ftp.heanet.ie', 'mirror.23media.de', 'mirror.omnilance.com', 'ftp-stud.hs-esslingen.de', 'ftp.uni-bayreuth.de', 'mirror.serverbeheren.nl', 'ftp.nluug.nl', 'ftp.uni-kl.de', 'mirror.i3d.net', 'mirrors.nic.cz', 'mirror.de.leaseweb.net', 'fedora.uib.no', 'mirror.vutbr.cz', 'ftp.colocall.net', 'mirror.oss.maxcdn.com', 'fedora.tu-chemnitz.de', 'mirror.switch.ch', 'ftp.fi.muni.cz', 'ftp.linux.cz', 'ftp.upjs.sk', 'mirrors.neterra.net', 'mirror.nonstop.co.il', 'www.mirrorservice.org', 'ftp.mirrorservice.org', 'mirror.karneval.cz', 'anorien.csc.warwick.ac.uk', 'ftp.crc.dk', 'mirrors.telianet.dk', 'mirror.nl.leaseweb.net', 'mirror.duomenucentras.lt', 'ftp.wrz.de', 'ftp.icm.edu.pl', 'mirrors.uni-ruse.bg', 'vesta.informatik.rwth-aachen.de', 'mirror.euserv.net', 'mirror.proserve.nl', 'epel.mirrors.ovh.net', 'mirrors.n-ix.net', 'mirror.uv.es', 'mirror.datacenter.by', 'mir01.syntis.net', 'mirror-fr2.bbln.org', 'fedora.ip-connect.vn.ua', 'mirror-fr1.bbln.org', 'mirror.imt-systems.com', 'www.fedora.is', 'ftp.fedora.is', 'mirrors.ircam.fr', 'mirror.dgn.net.tr', 'mirror.bytemark.co.uk', 'ftp.astral.ro', 'ftp.linux.org.tr', 'mirror.vit.com.tr', 'mirror.vorboss.net', 'mirrors.coreix.net', 'epel.check-update.co.uk', 'ftp.pbone.net', 'mirror.slu.cz', 'fr2.rpmfind.net', 'repo.boun.edu.tr', 'ftp.cc.uoc.gr', 'mirror.yandex.ru', 'mirrors.ukfast.co.uk', 'mirror.fraunhofer.de', 'fedora-epel.skarta.net', 'mirror.kinamo.be', 'mirror.bacloud.com', 'mirror.pmf.kg.ac.rs', 'epel.besthosting.ua', 'mirror.digitalnova.at', 'be.mirror.eurid.eu', 'ftp.uma.es', 'mirror.ibcp.fr', 'centos.vianett.no'
2.2 list the top-10 query names that appeared the most in the DNS request packets.
- Python pyshark
mycompany.com safebrowsing-cache.google.com pop.gmx.com safebrowsing.google.com www.google.com
password-ned-xp password-ned-xp.pwned.se mail.google.com clients4.google.com navigator-bs.gmx.com
2.3 what was the IP address of the server named "mycompany.com" ?
- wireshark
192.168.0.2
3. Task 3
- use the pcap file downloaded at task 2.
- hint: POP3 users TCP port number 110 (plain text).
3.1 identify the POP3 password registered for user with the e-mail address of ned.pwned.se@gmx.com.
- wireshark
pop.request.command == "PASS"
3.2 what was the subject of e-mail message the user with email address of ned.pwned.se@gmx.com received from the pop server on 19:32:36 with the command of "RETR 15".
- wireshark
tcp.port == 110 and pop
Subject: HipChat power tips for power users
3.3 what was the name of the pop3 server used by ned.pwned.se@gmx.com?
- wireshark
homer.pwned.se@gmx.com
212.227.17.187
Task 4
- use the pcap file downloaded at task 2.
python pyshark
4.1 list all the HTTP user-agent appeared in the HTTP flows (remove duplicates).
Microsoft-Windows/6.1 UPnP/1.0
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
McAfee Agent
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
urlgrabber/3.10 yum/3.4.3
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Microsoft-CryptoAPI/6.1
MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2251.0 Safari/537.36
Morfeus Fucking Scanner
netscan.gtisc.gatech.edu
Python-urllib/3.4
WicaAgent
4.2 what was the HTTP user-agent that appeared most?
Microsoft-Windows/6.1 UPnP/1.0
Appeared 290 times
4.3 present the URL accessed from a client with HTTP user-agent of "Python-urllib/3.4".
http.user_agent == "Python-urllib/3.4"
(http://changlogs.ubuntu.com/meta-release)
4.4 what is drawn in the file named fr.jpg?
(http.user_agent) && (http.request.method == "GET")
The catalog of a websit
(http://www.pwned.se/skyblue/fr.jpg)
Task 5
- use the pcap file downloaded at task 2.
- hint: TLS uses TCP port 443.
5.1 identify the largest TCP flow that users TLS and present its 5-tuple, i.e., src IP address, dst IP address, protocol, src port, and dst port.
- wireshark statistics and tcp.port = 443
src IP = 192.168.0.54 port = 51197
dst IP = 216.58.209.101 port = 443
protocol = tcp
5.2 identify the name of the server in the flow detected above.
5.3 list all the hostnames of the servers that used SSL/TLS (hint: use the SNI field).
Task 6
- use the pcap file downloaded at task 1.
- perform the periodical packet sampling; i.e., for each block containing 100 packets, sample the first packet.
- perform the random packet sampling, i.e., sample each packet with the probability of 0.01.
6.1 count the number of total TCP packets for original data, periodically sampled data, and randomly sampled data
Origin data: 77317 TCP packets
Periodically sampled data: 803 TCP packets(total 970 packets)
Randomly sampled data: 742 TCP packets(total 982 packets)
6.2 count the number of distinct source IP addresses for original data, periodically sampled data, and randomly sampled data
Origin data: 15839 distinct source IP addresses
Periodically sampled data: 200distinct source IP addresses(total 970 packets)
Randomly sampled data: 141distinct source IP addresses(total 982 packets)
6.3 discuss the difference between (1) and (2).
The random sample method has more similar features with origin data.
