EGL202 - Lab - 4 - Network Traffic Analysis (Instructor) - Revisedv2

1) The document provides instructions for using Wireshark to analyze network traffic. It includes tasks on installing Wireshark, capturing traffic, applying filters, and investigating HTTP traffic. 2) When capturing ping traffic, the student is asked to identify the source Ethernet addresses and check if it matches their PC's MAC address. For HTTP traffic, the student logs into a website and uses Wireshark filters to find the username and password in clear text. 3) The last questions discuss that HTTP is insecure as traffic is not encrypted, and HTTPS should be used instead to secure the connection and prevent interception of sensitive information like credentials.

Uploaded by

xian hui

EGL202 Cyber Security Essentials

Lab 4 Network Traffic Analysis (Instructor)


Instructor Note: Red font color indicates text that appears in the instructor copy only.

A Objectives
• To revise the basic TCP/IP concepts
• To familiarise with a network traffic analyser and its role in security audit

Task 1: Network Traffic Analyser Installation

1) Install and start Wireshark (recommended version 3.2.3) and Npcap (recommended
version 0.9989). Reference: www.wireshark.org (Note: Wireshark used to be called
Ethereal).

Task 2: Network Traffic Capture

1) From Wireshark, select Capture> Options.

2) In the Input tab, select “Ethernet (if using wired connection) or Wi-Fi (if using wireless
connection)”

3) In the Options tab, under Stop Capture Automatically After… , check and input after
10000 packets.

4) Click Start. You should see many network packets. (Note: You may need to turn off your PC's
personal firewall, such as Windows Defender, to see the traffic.)

Task 3: Filters

1) Under “Apply a display filter”, key in ip.addr == x.x.x.x where x.x.x.x is your PC’s IP
address. (Hint: You can use “ipconfig” from the command prompt to find your PC’s IP
address.) You should now only see traffic flowing to and from your PC.

Question: Click on any IP packet with your PC's IP address as the source. Write
down the corresponding Ethernet destination address. Which host on the
network does this Ethernet address belong to?

Cyber Security Essentials Page 1 Effective date: 05 Mar 2021


<Answer may vary depending on where you surf>

Example:

Host: 172.16.222.101 <Answer may vary>

Dest: 23.220.203.27 (akamai)

<Ethernet MAC addresses will look like this. Example:>

Ethernet II, Src: IntelCor_16:37:da (a0:51:0b:16:37:da), Dst: Arcadyan_d2:c0:5e (e4:3e:d7:d2:c0:5e)

2) Under “Apply a display filter”, key in icmp and restart the live capturing. From your PC,
ping the default gateway. (Hint: Use “ipconfig” if necessary.)

Question: From the capture of your ping, write down all the Ethernet addresses
detected. Next, issue "ipconfig /all" to check your PC's MAC/hardware address. Is
the Ethernet source address of the ping request or ping reply packets the same as
your PC's MAC address?

<Answer may vary; use ipconfig /all to check gateway details>

172.16.222.101, 172.16.223.254

Yes, ping reply/packet has the same MAC address as the PC

3) Under "Apply a display filter", key in tcp and restart the live capturing. Use your browser to
go to www.sg. Visit https://nslookup.io/ to identify the possible public IP addresses for
www.sg. Hint: It should be 45.60.101.124 or 45.60.11.124

Search for the first occurrence of the destination IP for www.sg. Right click the packet and click
(Follow> TCP Stream).



From the filtered session, are you able to identify the SYN, SYN-ACK, ACK 3-way TCP
handshake? Fill in the table below with the information.

>> Look for first occurrence of SYN, SYN-ACK and ACK packet for www.sg

Packet   Sequence   TCP Source   TCP Destination   TCP Flags
Number   Number     Port         Port              SYN value   ACK value   FIN value   Reset value
549      0          50412        443               1           0           0           0
550      0          443          50412             1           1           0           0
551      1          50412        443               0           1           0           0

Question: When will the FIN and Reset Flags be used/non-zero?

FIN flags are used for TCP termination and Reset flags are used when there is an
abrupt closure of the session
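The three tasks above (the ip.addr filter, the Ethernet source/destination addresses, and the SYN / SYN-ACK / ACK table with its FIN and Reset question) can be reproduced with a small parser. The following Python is an added example written for this page, not part of the lab or of Wireshark: it builds a constructed capture of Ethernet/IPv4/TCP frames (the PC, gateway MAC and www.sg addresses are the lab's sample values; the second host, the ports and the sequence numbers are made up), applies the equivalent of ip.addr == x.x.x.x, locates the handshake and reports the same columns as the lab's table, including the relative sequence numbers 0, 0, 1 that Wireshark shows.

```python
import struct

# TCP flag bits (low byte of the flags field), as Wireshark labels them
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10

def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))

def _ip(s):
    return bytes(int(x) for x in s.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Construct a minimal Ethernet II / IPv4 / TCP frame (no options, no payload)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                       _ip(src_ip), _ip(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ipv4 + tcp

def parse_frame(frame):
    """Decode the headers into Wireshark-style field names; None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # EtherType IPv4, IP protocol TCP
        return None
    t = 14 + (frame[14] & 0x0F) * 4                      # TCP header starts after the IHL
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    return {
        "eth.dst": ":".join(f"{b:02x}" for b in frame[0:6]),
        "eth.src": ":".join(f"{b:02x}" for b in frame[6:12]),
        "ip.src": ".".join(map(str, frame[26:30])),
        "ip.dst": ".".join(map(str, frame[30:34])),
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq_raw": seq, "tcp.ack_raw": ack,
        "tcp.flags.syn": int(bool(flags & FLAG_SYN)), "tcp.flags.ack": int(bool(flags & FLAG_ACK)),
        "tcp.flags.fin": int(bool(flags & FLAG_FIN)), "tcp.flags.reset": int(bool(flags & FLAG_RST)),
    }

def parse_capture(frames):
    """Number frames from 1 as Wireshark does and keep only the IPv4/TCP ones."""
    packets = []
    for number, frame in enumerate(frames, start=1):
        p = parse_frame(frame)
        if p:
            p["frame.number"] = number
            packets.append(p)
    return packets

def ip_addr_filter(packets, address):
    """Python equivalent of the display filter  ip.addr == address."""
    return [p for p in packets if address in (p["ip.src"], p["ip.dst"])]

def _replies_to(p, q):
    return q["tcp.srcport"] == p["tcp.dstport"] and q["tcp.dstport"] == p["tcp.srcport"]

def find_handshake(packets):
    """First SYN / SYN-ACK / ACK triple, returned as the lab's table rows:
    (frame number, relative seq, src port, dst port, SYN, ACK, FIN, Reset)."""
    for i, syn in enumerate(packets):
        if not syn["tcp.flags.syn"] or syn["tcp.flags.ack"]:
            continue
        for j in range(i + 1, len(packets)):
            sa = packets[j]
            if not (sa["tcp.flags.syn"] and sa["tcp.flags.ack"] and _replies_to(syn, sa)
                    and sa["tcp.ack_raw"] == syn["tcp.seq_raw"] + 1):
                continue
            for k in range(j + 1, len(packets)):
                ack = packets[k]
                if (ack["tcp.flags.ack"] and not ack["tcp.flags.syn"] and _replies_to(sa, ack)
                        and ack["tcp.ack_raw"] == sa["tcp.seq_raw"] + 1):
                    # Relative sequence numbers: each side's ISN counts as 0, hence 0, 0, 1
                    isn = {syn["tcp.srcport"]: syn["tcp.seq_raw"], sa["tcp.srcport"]: sa["tcp.seq_raw"]}
                    return [(p["frame.number"], p["tcp.seq_raw"] - isn[p["tcp.srcport"]],
                             p["tcp.srcport"], p["tcp.dstport"], p["tcp.flags.syn"],
                             p["tcp.flags.ack"], p["tcp.flags.fin"], p["tcp.flags.reset"])
                            for p in (syn, sa, ack)]
    return None

def termination_packets(packets):
    """Frames with FIN (orderly close) or Reset (abrupt close) set."""
    return [(p["frame.number"], "FIN" if p["tcp.flags.fin"] else "RST")
            for p in packets if p["tcp.flags.fin"] or p["tcp.flags.reset"]]

# Constructed capture: the lab PC (172.16.222.101) reaches www.sg (45.60.101.124) via its
# gateway. PC and gateway MACs are the lab's sample values; the other host is made up.
PC_MAC, GW_MAC, OTHER_MAC = "a0:51:0b:16:37:da", "e4:3e:d7:d2:c0:5e", "00:11:22:33:44:55"
PC, SERVER, OTHER = "172.16.222.101", "45.60.101.124", "172.16.222.50"
FRAMES = [
    build_frame(OTHER_MAC, GW_MAC, OTHER, SERVER, 40000, 443, 777, 0, FLAG_SYN),            # not our PC
    build_frame(PC_MAC, GW_MAC, PC, SERVER, 50412, 443, 1000, 0, FLAG_SYN),                  # SYN
    build_frame(GW_MAC, PC_MAC, SERVER, PC, 443, 50412, 5000, 1001, FLAG_SYN | FLAG_ACK),    # SYN-ACK
    build_frame(PC_MAC, GW_MAC, PC, SERVER, 50412, 443, 1001, 5001, FLAG_ACK),               # ACK
    build_frame(PC_MAC, GW_MAC, PC, SERVER, 50412, 443, 1001, 5001, FLAG_FIN | FLAG_ACK),    # orderly close
    build_frame(GW_MAC, PC_MAC, SERVER, PC, 443, 50412, 5001, 1002, FLAG_RST | FLAG_ACK),    # abrupt close
]
CAPTURE = parse_capture(FRAMES)

if __name__ == "__main__":
    mine = ip_addr_filter(CAPTURE, PC)
    print("eth.dst of the first packet sent by the PC:", mine[0]["eth.dst"])   # the gateway's MAC
    for row in find_handshake(mine):
        print(row)
    print(termination_packets(mine))
```

Because the PC reaches www.sg through its default gateway, every frame it sends to that address carries the gateway's MAC as eth.dst, which is what the first question of this task is pointing at; the handshake rows come out as 0, 0, 1 for the sequence column because Wireshark (and this code) subtracts each side's initial sequence number.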

Task 4: Investigating HTTP Traffic

Note: To stop and start your Wireshark traffic capture, use Capture> Stop and Capture> Start.



1) Let's start a fresh Wireshark traffic capture. Launch your web browser and visit
http://vbsca.ca/login/login.asp

2) Key in a username and password. Let’s try: username: admin123 Password: pass123

3) Click Login on the page. You should see the following screen.

4) Stop your Wireshark traffic capture (Capture> Stop).

5) Let’s do a filter of the packets with “tcp contains admin123”

Question: From your capture, what is the IP address for the website vbsca.ca?

163.182.194.25 [students should get a result similar to the screenshot above]



6) Right click the packet and click (Follow> TCP Stream).

Question: From your capture, can you identify the user ID and password used? What
service details can you glean from the website?

Yes. The user ID and password (admin123, pass123) are shown in the POST section.
The website is using HTTP on port 80 and the server is Microsoft IIS 5.0, which is an
obsolete web server with many vulnerabilities.



Question: Do you think HTTP is secure? Why? If not, what protocol should be used
to replace HTTP?

HTTP is not secure: traffic is in the clear and can be intercepted by a cyber attacker. Use
HTTPS.
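What Follow> TCP Stream reveals in Task 4 can be turned into a monitoring check: a reassembled HTTP stream is plain text, so a sensor can spot a login form posted over port 80 and an outdated Server banner without ever needing the password itself. The Python below is an added example for this page, not the lab's or any tool's code. The stream is constructed to mirror the lab's login (host vbsca.ca, user admin123, password pass123, Server Microsoft-IIS/5.0); the form field names username and password and the HTTP headers are assumptions. The tcp_contains helper mirrors the "tcp contains admin123" filter from step 5; the inspector redacts password-like fields so that its report can be logged safely.

```python
from urllib.parse import parse_qs

# Constructed reassembled TCP stream, modelled on the lab's login page. Field names,
# headers and the response are assumptions made for this example.
SAMPLE_STREAM = (
    b"POST /login/login.asp HTTP/1.1\r\n"
    b"Host: vbsca.ca\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=admin123&password=pass123"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Field names treated as secrets, and server banners the lab calls obsolete
SENSITIVE_FIELDS = ("password", "passwd", "pwd", "pass")
OBSOLETE_SERVERS = ("Microsoft-IIS/5.0",)

def tcp_contains(stream, needle):
    """Python equivalent of the display filter  tcp contains "needle"."""
    return needle.encode() in stream

def split_message(data):
    """Take one HTTP message off the front of data -> (start line, headers, body, rest)."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return lines[0], headers, rest[:length], rest[length:]

def inspect_http_stream(stream, server_port=80):
    """Report what a defender can learn from a reassembled HTTP stream, with secrets redacted."""
    report = {"method": None, "path": None, "host": None, "fields": {}, "server": None, "findings": []}
    request = split_message(stream)
    if request is None:
        return report
    start, headers, body, rest = request
    method, path, _ = start.split(" ", 2)
    report.update(method=method, path=path, host=headers.get("host"))
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for name, values in parse_qs(body.decode("latin-1")).items():
            secret = any(s in name.lower() for s in SENSITIVE_FIELDS)
            report["fields"][name] = "<redacted>" if secret else values[0]
        # Port 80 carries no TLS, so any password field here travelled in the clear
        if server_port == 80 and "<redacted>" in report["fields"].values():
            report["findings"].append("credentials submitted in clear text over HTTP")
    response = split_message(rest)
    if response is not None:
        report["server"] = response[1].get("server")
        if report["server"] in OBSOLETE_SERVERS:
            report["findings"].append(f"obsolete web server banner: {report['server']}")
    return report

if __name__ == "__main__":
    print("tcp contains admin123:", tcp_contains(SAMPLE_STREAM, "admin123"))
    for key, value in inspect_http_stream(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

Run against the sample stream it reports the POST to /login/login.asp on vbsca.ca, the username, a redacted password, the IIS 5.0 banner and two findings. Pointing the same inspector at a TLS session yields nothing, because the reassembled stream is ciphertext and split_message never finds an HTTP header block: that contrast is the practical answer to the last question of the lab.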
