Clark Flores

PCAP Analysis - P13’s Computer (Let's Defend)

Challenge Write-up (Easy)

Lessons Learned:

Picked up new packet-analysis techniques: different display filters, and explored more of the Statistics menu.

The Challenge:

We have captured this traffic from P13’s computer. Can you help him?

Q1: In network communication, what are the IP addresses of the sender and receiver?
Method: Use the frame filter and “Follow TCP Stream”. The answer can be found in the first record.
Answer: “192.168.235.137,192.168.235.131”

Q2: P13 uploaded a file to the web server. What is the IP address of the server?
Method: Use the “http” filter; more specific filters built on it also work, for example ‘http.request.method == “POST” && frame contains “upload”’. Note: both reveal the network traffic between the sender and the destination. Knowing P13’s IP address from Q1, it is safe to conclude that it is the source IP address; by process of elimination, whatever IP address is in the destination column is the answer.
Answer: “192.168.1.7”

Q3: What is the name of the file that was sent through the network?
Method: Follow the TCP stream of the packet filtered in Q2; it shows the contents of this HTTP packet.
Answer: “file”

Q4: What is the name of the web server where the file was uploaded?
Method: In the same TCP stream as Q3, the server details were also included in the HTTP response from 192.168.1.7.
Answer: “Apache”

Q5: What directory was the file uploaded to?
Method: Still the same stream; the answer is stated in plain text.
Answer: “Uploads”

Q6: How long did it take the sender to send the encrypted file?
Method: Use the Conversations statistics under the “Statistics > Conversations” menu. Find the row for the web server’s IP address and P13’s machine; the “Duration” column gives the answer.
Answer: “0.0073”
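As an added example (not part of the challenge or of this write-up), the script below reproduces two of the Wireshark steps above in plain Python on a constructed capture: the POST/upload filter from Q2 and the per-conversation duration from Q6. The sample pcap is built inline; its client address, ports and timestamps are assumptions, not values from the challenge file.

```python
import struct

# Constructed sample capture (not the challenge file): three TCP segments between a
# hypothetical client 192.168.235.137 and web server 192.168.1.7, written as a pcap.
def _pkt(ts, src, dst, sport, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload        # Ethernet, type IPv4
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _pkt(10.0000, "192.168.235.137", "192.168.1.7", 40001, 80,
         b"POST /upload.php HTTP/1.1\r\nHost: 192.168.1.7\r\n\r\n"),
    _pkt(10.0050, "192.168.1.7", "192.168.235.137", 80, 40001,
         b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\nSaved to Uploads/"),
    _pkt(10.0073, "192.168.235.137", "192.168.1.7", 40001, 80, b""),
])

def parse_pcap(data):
    """Yield (timestamp_us, src_ip, dst_ip, tcp_payload) for every IPv4/TCP frame."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                                       # skip global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:          # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        yield sec * 1_000_000 + usec, src, dst, tcp[(tcp[12] >> 4) * 4:]

def find_upload(data):
    """Same idea as http.request.method == "POST" && frame contains "upload": (src, dst)."""
    for _, src, dst, payload in parse_pcap(data):
        if payload.startswith(b"POST ") and b"upload" in payload:
            return src, dst
    return None

def conversation_durations(data):
    """Like Statistics > Conversations: seconds from first to last packet per address pair."""
    first, last = {}, {}
    for ts, src, dst, _ in parse_pcap(data):
        key = tuple(sorted((src, dst)))
        first.setdefault(key, ts); last[key] = ts
    return {k: (last[k] - first[k]) / 1_000_000 for k in first}
```

Timestamps are kept as integer microseconds until the final division, so the duration matches what Wireshark would show without floating-point drift.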