
LAB ASSESSMENT - 2

Subject: Information Security Analysis and Audit


Slot: L11-L12
Name: RIYA KUMAR Reg. No: 19BCE2694

Date: 17/08/2021 LAB CLASS 3

BASIC OPERATIONS OF WIRESHARK


Wireshark is a network packet analyser that seeks to capture network packets and present the packet
data in as much detail as possible.

Uses of Wireshark:

• Network administrators use it to troubleshoot network problems
• Network security engineers use it to examine security problems
• QA engineers use it to verify network applications
• Developers use it to debug protocol implementations
• People use it to learn about network protocols

Wireshark can capture packets from our Wi-Fi network and let us examine the contents of these
packets.

Filtering the ARP packets

The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3
(protocol) address and a layer 2 (hardware) address. A typical use is the mapping of an IP address (e.g.,
192.168.0.10) to the underlying Ethernet address (e.g., 01:02:03:04:05:06). You will often see ARP
packets at the beginning of a conversation, as ARP is the way these addresses are discovered.
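To make the mapping concrete, here is a small decoder for the ARP body that Wireshark shows under an Ethernet frame. This is an added example, not part of the lab or of Wireshark; the sample packet is constructed from the example addresses above, and the table builder (which also notes when an IP is later claimed by a different MAC) is an assumed helper, not something ARP itself does.

```python
import struct

# Constructed sample (not a real capture): the 28-byte ARP body of a reply,
# i.e. what Wireshark shows after the 14-byte Ethernet header. Addresses are
# the ones used as examples in the text above.
SAMPLE_ARP_REPLY = bytes.fromhex(
    "0001"          # hardware type 1 = Ethernet
    "0800"          # protocol type 0x0800 = IPv4
    "06"            # hardware address length
    "04"            # protocol address length
    "0002"          # opcode 2 = reply (1 = request)
    "010203040506"  # sender MAC   01:02:03:04:05:06
    "c0a8000a"      # sender IP    192.168.0.10
    "aabbccddeeff"  # target MAC   aa:bb:cc:dd:ee:ff
    "c0a80001"      # target IP    192.168.0.1
)

OPCODES = {1: "request", 2: "reply"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP body into the fields Wireshark displays."""
    if len(payload) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "opcode": OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac_str(payload[8:14]),
        "sender_ip": ip_str(payload[14:18]),
        "target_mac": mac_str(payload[18:24]),
        "target_ip": ip_str(payload[24:28]),
    }


def build_arp_table(bodies):
    """Learn IP -> MAC mappings from a sequence of ARP bodies, the way a host's
    ARP cache does (requests and replies both carry a valid sender pair).
    An IP later claimed by a different MAC is recorded under 'conflicts',
    which is the first thing to check when ARP traffic looks unusual."""
    table, conflicts = {}, []
    for body in bodies:
        arp = parse_arp(body)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in table and table[ip] != mac:
            conflicts.append((ip, table[ip], mac))
        table[ip] = mac
    return table, conflicts


if __name__ == "__main__":
    print(parse_arp(SAMPLE_ARP_REPLY))
    print(build_arp_table([SAMPLE_ARP_REPLY]))
```

Feed `build_arp_table` the ARP bodies from a capture in order and the returned table is exactly what the `arp` display filter lets you read off by hand.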

Data Flow Diagram

The data flow diagram shows the relation between the source and the destination along with the
entire three-way handshake acknowledgement process.

Colour Rules for Wireshark

The packets captured are displayed with the following colour code based on the protocol:

Attacking Images on Insecure Websites


While browsing insecure websites, anyone with access to your network can see the web pages and
even extract information, including the images, from the captured packets. To extract these
images, one can follow the given steps using Wireshark:

Step 1: Open the Wireshark application and start capturing packets on the Wi-Fi interface.

Step 2: Open the browser and browse through any insecure website that contains images.

Here we will be using dalberghetti.com and danscourses.com for this purpose. Once the websites
open up in the browser, we scroll through the entire sites in order to receive packets containing
images.

Step 3: Once we have browsed through the websites, we go back to the Wireshark application and
stop capturing packets.

Step 4: After the packets have been captured, filter the captured data using the filter bar. The
data needs to be filtered in order to view only those packets that belong to the “http”
protocol.

Step 5: Once the packets are filtered by the “http” protocol, we scroll down the list and
look for file types such as JPEG, GIF or PNG. Once we find a packet with any of these file types
(JPEG here), we select that packet by clicking on it.

Step 6: After selecting that particular packet, we go to the packet details pane and right-click
on Hypertext Transfer Protocol. Next, we select Export Packet Bytes from the pop-up menu.

Step 7: We export the packet bytes and save them with the “.jpg” extension.

Step 8: Next, we scroll down the packet list, find all the packets carrying these file types and
export them to our desktop by repeating steps 6 and 7. Here, after going through the list, we are
able to export 3 images.

Step 9: On opening these files, we see the images that the user browsed through while
using the insecure website. Below is an example of an image rebuilt from the captured packets.
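Steps 5 to 8 can be done in code once the HTTP response bytes have been exported from a capture, which makes clear why this works at all: the body of a cleartext HTTP response is the image file itself. The following Python is an added example, not part of the lab and not Wireshark's own export code; the sample responses are constructed, and it assumes the input is the already reassembled TCP payload of one response (Wireshark's Export Packet Bytes on the HTTP layer gives you exactly that).

```python
import os

# Image signatures. The file type is decided by the leading magic bytes of the
# body, not by the file name you save it under.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)

# Constructed sample (not a real capture): a cleartext HTTP/1.1 response whose
# body is the start of a JPEG. In a real capture this is the reassembled TCP
# payload of the response packet selected in step 5.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0JFIF"
)

# A constructed response that is not an image and must be skipped.
SAMPLE_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"


def sniff_image_type(body):
    """Return the extension matching the body's magic bytes, or None."""
    for magic, ext in IMAGE_MAGIC:
        if body.startswith(magic):
            return ext
    return None


def extract_image(raw):
    """Split an HTTP response into headers and body and return (extension, body)
    when the body is a JPEG/PNG/GIF, else None.

    The magic bytes decide, not Content-Type: a mislabeled or missing header must
    not hide an image, and saving with the wrong extension leaves the file unopenable."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        return None                       # headers are not complete
    head, body = raw[:sep].decode("latin-1"), raw[sep + 4:]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None                       # not a response at all
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get("content-length", "")
    if length.isdigit():
        body = body[: int(length)]        # drop anything after the declared body
    ext = sniff_image_type(body)
    return (ext, body) if ext else None


def export_images(responses, directory):
    """Step 8 for a whole list of exported responses: write each image as
    image_N.<ext> into directory and return the paths written."""
    paths = []
    for i, raw in enumerate(responses):
        found = extract_image(raw)
        if found is None:
            continue
        ext, body = found
        path = os.path.join(directory, f"image_{i}.{ext}")
        with open(path, "wb") as fh:
            fh.write(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    print(extract_image(SAMPLE_RESPONSE))
    print(extract_image(SAMPLE_HTML))
```

Run the same code over responses from an HTTPS site and `extract_image` returns nothing, because the captured payload is TLS records rather than an HTTP response, which is the point the conclusion below makes.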

CONCLUSION:

We can conclude by saying that if someone had access to our network and was listening to the
packet activity on the network, they could easily pull the images and the information we have been
viewing using the Wireshark application. However, this is not possible in the case of a secure website
that encrypts the data sent in these packets.

Date: 24/08/2021 LAB CLASS 4

WIRESHARK FILTERS

In this activity, we will try various filters that can be applied to view the captured packets in Wireshark
according to our needs. First, we open the Wireshark software and start capturing packets
on the Wi-Fi interface. Next, we browse through any insecure website in order to capture
packets. After capturing the packets, we can filter and view the packets by typing our filter query in
the “Apply a display filter” bar.
1. Filter traffic on specific IP address

This will display all traffic for the IP entered, source or destination.

ip.addr == 239.255.255.250

2. Filter by source address

This will only show traffic where the source IP address is the given IP address.

ip.src == 52.112.41.185
3. Filter by destination address

Displays only traffic for the matching destination IP.


ip.dst == 52.112.41.185

4. Filter by IP subnet

Displays all traffic for the entered subnet; this will match on source or destination. Use CIDR format
for the subnet display filter.

ip.addr == 192.168.29.1/24

If you want to filter on an IP source subnet, use ip.src == subnet.
If you want to filter on an IP destination subnet, use ip.dst == subnet.
5. Filter traffic based on protocol

To filter for a specific protocol, just type the name of the protocol. For example, to display all DNS
traffic, just type dns in the filter box (protocol and field names are lowercase).

dns

arp
http

icmp
6. Exclude IP address

If you want to filter out an IP address so it’s not displayed, use this filter.

!ip.addr == 192.168.29.1

7. Show traffic between two workstations or subnet

This first one will show only traffic between the two subnets.

ip.addr == 52.112.41.185/24 and ip.addr == 192.168.29.65/24


This will show only traffic between the two specific hosts.

ip.addr == 192.168.29.1 and ip.addr == 239.255.255.250
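Items 1 to 7 all build on one detail of `ip.addr`: the field occurs twice in every packet (source and destination), so `==` matches if either one does, and excluding a host has to negate the whole comparison. The following Python reproduces those seven filters over a tiny constructed capture, and also shows why item 6 is written as `!ip.addr ==` rather than `ip.addr !=`. This is an added example, not part of the lab and not Wireshark's filter engine; the packet record model and the sample packets are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpPacket:
    src: str
    dst: str
    proto: str


# Constructed sample capture (not real traffic); the addresses are the ones
# used in the filter examples above.
SAMPLE = [
    IpPacket("192.168.29.1", "239.255.255.250", "ssdp"),
    IpPacket("192.168.29.65", "52.112.41.185", "tcp"),
    IpPacket("52.112.41.185", "192.168.29.65", "tcp"),
    IpPacket("192.168.29.65", "8.8.8.8", "dns"),
]


def in_net(address, value):
    """True if address lies in value, which may be a single host or a CIDR subnet.
    strict=False lets '192.168.29.1/24' (host bits set) stand for 192.168.29.0/24."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(value, strict=False)


def ip_addr_eq(pkt, value):
    """ip.addr == value (items 1 and 4): either occurrence of the field may match."""
    return in_net(pkt.src, value) or in_net(pkt.dst, value)


def ip_src_eq(pkt, value):
    """ip.src == value (item 2)."""
    return in_net(pkt.src, value)


def ip_dst_eq(pkt, value):
    """ip.dst == value (item 3)."""
    return in_net(pkt.dst, value)


def apply(packets, predicate):
    """Run a display-filter-like predicate over a capture."""
    return [p for p in packets if predicate(p)]


def exclude_ip(packets, value):
    """!ip.addr == value (item 6): negate the whole comparison."""
    return apply(packets, lambda p: not ip_addr_eq(p, value))


def any_field_not_equal(packets, value):
    """What 'ip.addr != value' meant in Wireshark releases before 3.6: each
    occurrence of the field is tested on its own, so a packet passes as soon as
    ONE of src/dst differs, i.e. nearly every packet. That is why item 6 uses
    '!ip.addr ==' instead."""
    return apply(packets, lambda p: not in_net(p.src, value) or not in_net(p.dst, value))


def between(packets, a, b):
    """ip.addr == a and ip.addr == b (item 7): hosts or subnets at both ends."""
    return apply(packets, lambda p: ip_addr_eq(p, a) and ip_addr_eq(p, b))


if __name__ == "__main__":
    print(len(exclude_ip(SAMPLE, "192.168.29.1")), "packets after excluding 192.168.29.1")
    print(len(any_field_not_equal(SAMPLE, "192.168.29.1")), "packets with the naive != form")
```

The two counts printed differ by exactly the packet that has 192.168.29.1 at one end: the naive form keeps it because the other end is a different address.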

8. Filter by MAC address

Use this filter if you only want to see traffic for a specific MAC address.

eth.addr == 68:14:01:a0:7b:22
9. Filter on TCP port

Used to filter on TCP Port.

tcp.port == 443

Or filter on TCP port source.

tcp.srcport == 443
Or filter on TCP port destination.

tcp.dstport == 443

10. Find user agent

It’s a good idea to understand what user agents are being used on your network, since malicious traffic
can often use unusual agent strings. To search for a user agent we can use this.

http.user_agent contains Chrome

We can replace Chrome with the user agent string we want to search for.
We can also filter for multiple user agents in a single query:

http.user_agent contains Chrome || http.user_agent contains Firefox

11. Filter background network noise

There are several protocols that can be very noisy; it sometimes helps to filter these out so you can
focus on other traffic.

!(udp or arp or dns)

This will filter out UDP, ARP and DNS traffic.


12. Filter on port and IP Address

We can use this if we want to see traffic from a certain IP on a specific port.

tcp.port == 443 && ip.addr == 192.168.29.65

This will show only port 443 traffic that involves IP 192.168.29.65.

13. Filter for all HTTP requests

We can use this filter to view only the HTTP requests (GET and every other method).

http.request

14. Filter for HTTP requests and responses

We can use this filter to view both the HTTP requests and the responses to them.

http.request or http.response

15. Filter on three way handshake

The three-way handshake is often used to calculate the network round trip time. This filter will
display all the SYN, SYN ACK and ACK packets that should match the three-way handshake.

tcp.flags.syn==1 or (tcp.seq==1 and tcp.ack==1 and tcp.len==0 and tcp.analysis.initial_rtt)


16. Find executable or other file types

This filter is used to see if the user has downloaded any .exe or .pdf file types. We can replace "pdf"
with any file extension that we want to filter for.

frame contains "pdf"

17. Search traffic based on a keyword

This displays all TCP packets that contain the word facebook. Just replace the word with whatever you
want to search for.
tcp contains facebook
The only problem with the above filter is it’s limited to TCP packets only. To include all protocols, we
use this filter.
frame contains facebook

18. Detecting SYN Floods (Possible DDoS attacks)

DDoS attacks can be done in a variety of ways; a large number of TCP connections is one of them. To
look for a large number of TCP connection attempts, we use this filter.

tcp.flags.syn == 1 and tcp.flags.ack == 0

This will filter for the start of new TCP connections. If we see constant new connections to the same
destination IP, it could be a SYN flood or DDoS attack.
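The filters in items 15 and 18 select packets; deciding whether a burst of SYNs is a flood still means counting which connection attempts never finished the handshake. The following Python does that over a constructed capture. It is an added example, not part of the lab and not a Wireshark feature; it assumes a minimal packet record (addresses, ports, SYN and ACK flags, the fields you would export from the packet list) and an assumed threshold of 20 half-open attempts per destination port.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


# Constructed sample capture (not real traffic): one completed handshake from
# 192.168.29.1 to 192.168.29.65:443, followed by 50 SYNs from different sources
# to 192.168.29.65:80 that are never completed.
SAMPLE = [
    TcpPacket("192.168.29.1", "192.168.29.65", 51000, 443, True, False),   # SYN
    TcpPacket("192.168.29.65", "192.168.29.1", 443, 51000, True, True),    # SYN/ACK
    TcpPacket("192.168.29.1", "192.168.29.65", 51000, 443, False, True),   # ACK
] + [
    TcpPacket(f"10.0.0.{i}", "192.168.29.65", 40000 + i, 80, True, False)
    for i in range(1, 51)
]


def new_connection_attempts(packets):
    """Same selection as the filter tcp.flags.syn == 1 and tcp.flags.ack == 0."""
    return [p for p in packets if p.syn and not p.ack]


def completed_handshakes(packets):
    """Match SYN -> SYN/ACK -> ACK on one connection, in order, and return the
    (client, client port, server, server port) tuples that finished. This is a
    flag-only version of what the handshake filter in item 15 surfaces; it
    ignores sequence numbers, so it is a heuristic, not a full TCP state machine."""
    state = {}
    done = set()
    for p in packets:
        if p.syn and not p.ack:                     # client SYN opens the attempt
            state[(p.src, p.sport, p.dst, p.dport)] = "syn"
        elif p.syn and p.ack:                       # server SYN/ACK, reverse direction
            key = (p.dst, p.dport, p.src, p.sport)
            if state.get(key) == "syn":
                state[key] = "syn-ack"
        elif p.ack:                                 # client ACK completes it
            key = (p.src, p.sport, p.dst, p.dport)
            if state.get(key) == "syn-ack":
                state[key] = "done"
                done.add(key)
    return done


def syn_flood_suspects(packets, threshold=20):
    """Count connection attempts per (destination, port) that never completed
    the handshake and report those at or above the threshold. The threshold is
    an assumed value for this sample; tune it to the normal rate on your network."""
    done = completed_handshakes(packets)
    half_open = Counter()
    for p in new_connection_attempts(packets):
        if (p.src, p.sport, p.dst, p.dport) not in done:
            half_open[(p.dst, p.dport)] += 1
    return {target: n for target, n in half_open.items() if n >= threshold}


if __name__ == "__main__":
    print(len(new_connection_attempts(SAMPLE)), "new connection attempts")
    print(len(completed_handshakes(SAMPLE)), "completed handshakes")
    print(syn_flood_suspects(SAMPLE))
```

On the sample, the completed connection to port 443 is not counted, while the 50 unanswered SYNs to port 80 are, which is the difference between a busy server and a flood that a raw count of SYN packets would miss.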
