
This is a brief writeup of a challenge posted on CyberDefenders, and you can find it here.

Challenge
As an analyst working for a security service provider, you have been tasked with analyzing a packet capture for a customer's employee whose network activity has been monitored for a while - possible insider

As part of this challenge a pcap file is provided, and based on it you have to answer 11 questions which get progressively more difficult as you move ahead. In this article I will refrain from posting any answers, but after reading it you should get a decent idea of the approach. So before proceeding, please make sure you have tried your level best.

Before jumping to the questions, let's quickly review the pcap file in Wireshark. Once you have opened the file in Wireshark, navigate to Statistics -> Protocol Hierarchy and you will see the window below. From this you will get a decent idea of the different protocols that were captured; in our case we can see FTP, FTP-Data, HTTP, TLS, etc.

CyberDefenders - HoneyPot: Wireshark PCAP Analysis

After briefly analyzing this, let's jump to the questions posted in the challenge.

I think this was the easiest question, and if you are used to DFIR challenges you must have encountered this before. To solve it we need to filter out the captured FTP traffic. To do this we will use the FTP filter as shown in the screenshot below, which filters out all other protocols. As we know, in the FTP protocol data is not encrypted, and from the screenshot we can clearly see the messages in clear text. Further analysis will reveal the answer to question 1.

Question 2: What is the IPv6 address of the DNS server used by 192.168.1.26?

To solve this question, let's again filter the traffic, this time by the DNS protocol. To do this just type 'DNS' in the filter bar and you will see all the DNS traffic as shown below. From the snippet we can see that 192.168.1.26 sends a DNS query to 192.168.1.10 and then, in the next line, receives the response from 192.168.1.10. From this we can conclude that the IPv4 address of the DNS server is 192.168.1.10. On scrolling down further you will see the IPv6 addresses of the servers; extrapolating the same logic (the DNS server receives queries from other servers and then responds to them, in the same fashion as shown in the snippet above), you can easily figure out the IPv6 address of the DNS server.

Question 3: What domain is the user looking up in packet 15174?

Here we are given a packet number, and the easiest way to reach a packet in Wireshark is to navigate to Go -> Go to Packet or simply use CTRL+G. This will open a small window where you can enter the packet number as shown below.
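The three Wireshark steps used above (Statistics -> Protocol Hierarchy, spotting the DNS server from the query/response pairing, and Go to Packet by number) can also be scripted, which is handy when the capture is large or you want a repeatable check. The following is an added example, not code from the challenge or from CyberDefenders: it builds a small constructed pcap in memory (the 192.168.1.26 and 192.168.1.10 addresses are the ones named in the questions; the third host, transaction ids, ports and domain names are made up) and then answers the same three kinds of question over it with the standard library only. It handles IPv4/UDP/DNS frames; anything else is counted only by the layers it can identify.

```python
import struct
from collections import Counter

# --- Constructed sample capture (not the challenge pcap) --------------------
CLIENT, SERVER, OTHER = "192.168.1.26", "192.168.1.10", "192.168.1.40"  # OTHER is made up

def ip_bytes(a):
    return bytes(int(x) for x in a.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def dns_name(name):  # wire-format name: length-prefixed labels, zero terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def dns_message(txid, qname, response=False):
    flags = 0x8180 if response else 0x0100          # QR bit set on responses
    msg = struct.pack("!HHHHHH", txid, flags, 1, int(response), 0, 0)
    msg += dns_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if response:  # one A record; owner name is a pointer to offset 12 (the question)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 5])
    return msg

def udp_packet(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     ip_bytes(src), ip_bytes(dst))
    return b"\x02" * 6 + b"\x01" * 6 + b"\x08\x00" + ip + udp  # Ethernet II, IPv4

def pcap_bytes(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = pcap_bytes([                                   # Wireshark numbers these 1..6
    udp_packet(CLIENT, SERVER, 51000, 53, dns_message(0x1111, "example.com")),
    udp_packet(SERVER, CLIENT, 53, 51000, dns_message(0x1111, "example.com", True)),
    udp_packet(CLIENT, OTHER, 40000, 1234, b"constructed non-dns udp payload"),
    udp_packet(OTHER, SERVER, 51001, 53, dns_message(0x2222, "updates.example.net")),
    udp_packet(SERVER, OTHER, 53, 51001, dns_message(0x2222, "updates.example.net", True)),
    udp_packet(CLIENT, SERVER, 51002, 53, dns_message(0x3333, "mail.example.org")),
])

# --- Minimal pcap reader and dissector ---------------------------------------
def read_pcap(data):
    magic, = struct.unpack_from("<I", data)
    e = "<" if magic == 0xA1B2C3D4 else ">"
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from(e + "IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return frames

def parse_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, consume two bytes
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [parse_name(msg, ptr)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def dissect(frame):
    d = {"layers": ["eth"]}
    if frame[12:14] != b"\x08\x00":          # only IPv4 is dissected here
        return d
    ihl = (frame[14] & 0x0F) * 4
    d["layers"].append("ip")
    d["src"], d["dst"] = ip_str(frame[26:30]), ip_str(frame[30:34])
    if frame[23] != 17:                      # not UDP
        return d
    u = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, u)
    d["layers"].append("udp")
    if 53 in (sport, dport):
        msg = frame[u + 8:]
        txid, flags = struct.unpack_from("!HH", msg)
        d["layers"].append("dns")
        d["dns"] = {"id": txid, "response": bool(flags & 0x8000), "qname": parse_name(msg, 12)[0]}
    return d

# --- The three kinds of question, answered over the sample -------------------
def protocol_hierarchy(data):
    """Like Statistics -> Protocol Hierarchy: frame count per layer stack."""
    return Counter("/".join(dissect(f)["layers"]) for f in read_pcap(data))

def dns_server_for(data, host):
    """The host that answers `host`'s queries: a response whose txid matches a prior query."""
    pending = {}
    for f in read_pcap(data):
        p = dissect(f)
        if "dns" not in p:
            continue
        if not p["dns"]["response"] and p["src"] == host:
            pending[p["dns"]["id"]] = p["dst"]
        elif p["dns"]["response"] and p["dst"] == host and pending.get(p["dns"]["id"]) == p["src"]:
            return p["src"]
    return None

def domain_in_packet(data, number):
    """Wireshark packet numbers start at 1, as in Go -> Go to Packet."""
    p = dissect(read_pcap(data)[number - 1])
    return p["dns"]["qname"] if "dns" in p else None

if __name__ == "__main__":
    print(protocol_hierarchy(SAMPLE_PCAP))
    print(dns_server_for(SAMPLE_PCAP, CLIENT), domain_in_packet(SAMPLE_PCAP, 6))
```

The server check deliberately requires the response transaction id to match a query the host actually sent, rather than trusting any packet from port 53; that is the same pairing the screenshot shows, and it is what distinguishes the resolver in use from unrelated DNS traffic in a busy capture. To use it on a real file, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` (classic pcap format only, not pcapng).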
