Lab 2 Network Traffic Analysis

This document provides instructions for a lab assignment on network traffic analysis. Students are asked to analyze PCAP files with Wireshark and TCPdump to identify network characteristics like IP addresses involved, packet types, and filtering. They are also asked to perform basic scanning with tools like Nmap and hping3.

Uploaded by: abdigaffarmaggan

Program: CS

Course: Network and Perimeter Security


Lab 2: Network traffic analysis

Name: _

Copy the provided PCAP files in your Kali VM. Then, answer the questions below, capturing a
screenshot of the commands you used. Make sure the screenshot shows only relevant information,
not the whole Desktop.

Part A: Analyzing PCAP files with Wireshark

Wireshark tutorial 1: https://www.lifewire.com/wireshark-tutorial-4143298

Wireshark tutorial 2: https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/

1. Open the file lab2-external.pcap with Wireshark. What kind of communication is it? Are all
hosts responding? Would it be normal traffic or suspicious?

The communication is Internet Control Message Protocol (ICMP) traffic.

The host is not responding.

It is suspicious traffic.

2. Could it be considered a DDoS attack? Why or why not?

It is not a DDoS attack because of the single source IP address.

3. Show all echo reply packets. You can filter by IP, ICMP packet type or apply any filter of
your choice.

4. Comparing the amount of echo request vs echo reply packets, you can deduce only a small
portion of hosts responded. Supposing the private IP addresses belong to class C networks,
what network segments were targeted?

Only a small portion responded.

5. Now open the file lab2-internal.pcap with Wireshark. It represents the packets that went
through the firewall or router to the DMZ. Show the IPv4 statistics for source and
destination IP addresses.

6. What IP address seems more relevant because it responded to more ICMP requests than its
peers?

7. Use the ip.src_host filter to show all echo reply packets from this IP and verify the count is
the same as in the statistics.

The count is the same, 11.

Part B: Analyzing PCAP files with tcpdump

Tcpdump tutorial 1: https://danielmiessler.com/p/tcpdump/

Tcpdump tutorial 2: https://linuxize.com/post/tcpdump-command-in-linux/

8. Execute “tcpdump -r lab2-external.pcap -n host 172.16.115.30” to see the packets related
to this private IP address, whether requests or replies. Then, repeat it with the other PCAP
file. Show both and explain the results.

Here we are not sure if the request was sent.

9. Using a similar filter as the one above, show all hosts in this network segment that
responded to echo requests. Use the internal PCAP file.

10. Using only tcpdump filters, that is, not piping with grep or similar, show that all packets in
the external PCAP file are only ICMP echo requests or replies.

No result, and only ICMP was there.

11. Using only tcpdump filters, show the echo reply packets considering that the public IP
address would be a destination IP.

Part C: Performing basic scanning

IMPORTANT NOTE: Do not try scans without proper authorization, because it might be illicit.

12. Start capturing traffic with Wireshark on the NAT interface, the one you use in Kali to
browse the Internet, likely eth0. Then, execute the command “sudo nmap -T4 -n -sS -F
scanme.nmap.org” to scan the server at nmap.org, which is meant to be scanned. Stop the
traffic capture and paste a screenshot of Nmap’s results.

13. If the previous step did not show some ports open and some filtered, discard the capture and
repeat the test. Working on a Wireshark traffic capture that contains at least one port open
and another filtered, show the packets related to the open port only.

Tip: you can use the filter tcp.port.

14. Is this a completed 3-way handshake? Explain why or why not.

The 3-way handshake is not completed, because the third step (the ACK) did not happen.

15. Now, filter the packets for one of the ports that was filtered. What happened in the
communication? Why did Nmap determine it is filtered?

The 3-way handshake is not even completed here. Nmap determined it is filtered.
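What questions 13 to 15 ask you to read off the capture (SYN/ACK for an open port, RST/ACK for a closed one, silence for a filtered one, and no third ACK in any case) is exactly what a defender's SYN-scan detector looks for. The following is an added example, not part of the lab: it classifies a constructed trace of TCP flags, with a placeholder scanner and target address, and flags the absence of any completed handshake.

```python
SYN, ACK, RST = 0x02, 0x10, 0x04
SCANNER, TARGET = "10.0.2.15", "198.51.100.7"   # constructed: Kali NAT host, placeholder target

# Constructed capture of a SYN (-sS) scan: (src, dst, sport, dport, tcp_flags).
SCAN_TRACE = [
    (SCANNER, TARGET, 40001, 22, SYN),
    (TARGET, SCANNER, 22, 40001, SYN | ACK),      # open: target answers SYN/ACK
    (SCANNER, TARGET, 40001, 22, RST),            # scanner tears down, never sends ACK
    (SCANNER, TARGET, 40002, 80, SYN),
    (TARGET, SCANNER, 80, 40002, SYN | ACK),
    (SCANNER, TARGET, 40002, 80, RST),
    (SCANNER, TARGET, 40003, 25, SYN),            # filtered: no answer at all
    (SCANNER, TARGET, 40004, 113, SYN),
    (TARGET, SCANNER, 113, 40004, RST | ACK),     # closed: RST/ACK comes back
]

# Constructed ordinary connection for contrast: the handshake completes.
NORMAL_TRACE = [
    (SCANNER, TARGET, 50001, 443, SYN),
    (TARGET, SCANNER, 443, 50001, SYN | ACK),
    (SCANNER, TARGET, 50001, 443, ACK),
]

def classify(trace, scanner):
    """Return ({dport: open|closed|filtered}, {(sport, dport): handshake_completed}).
    Assumes one SYN probe per destination port, as in the lab's scan."""
    state, completed = {}, {}
    for src, dst, sport, dport, flags in trace:
        if src == scanner and flags == SYN:
            state.setdefault(dport, "filtered")           # until a reply arrives
            completed[(sport, dport)] = False
        elif dst == scanner and flags & SYN and flags & ACK:
            state[sport] = "open"
        elif dst == scanner and flags & RST:
            state[sport] = "closed"
        elif src == scanner and flags & ACK and not flags & RST:
            completed[(sport, dport)] = True              # third step seen
    return state, completed

def syn_scan_suspected(trace, scanner, min_ports=3):
    """Detection heuristic: several ports probed and not one handshake finished."""
    state, completed = classify(trace, scanner)
    return len(state) >= min_ports and not any(completed.values())
```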

16. From the terminal, use the tool hping3 to send a flood of UDP packets to your home router.
You can instruct the tool to stop after 50, but you will likely need to manually cancel by
pressing Ctrl+C. What was the full command you used?

Note: type “man hping3” to get the man page with a list of parameters or check it online.

17. Use hping3 now to scan with TCP SYN the first 1024 ports of your home router. Show the
command and only the open ports in the table.
