1

 UNIVERSITY OF PETROLEUM AND ENERGY STUDIES

DEHRADUN

 
DIGITAL FORENSICS LAB
LAB 3 Packet Analysis

BTECH-COMPUTER SCIENCE
ENGINEERING (HONS.)
CYBER SECURITY AND FORENSICS 
BATCH: B2 (Hons.) 
 

Name: Jigesh Sheoran 

SAP ID: 500086199 
Enrolment No: R2142201569 

Looking at wireshark reveals two things:

JIGESH SHEORAN
500086199
 2

1. The only packets inside the pcap are ICMP packets and IP fragments of
ICMP packets
2. The ICMP packets contain interesting payload data

It seems not every packet has a payload through.

JIGESH SHEORAN
500086199
 3

Now, we will remove the packets that do not have any content in them :

Verifying that payload in the ICMP Protocol are IP Packets themselves or not ?

JIGESH SHEORAN
500086199
 4

This is an actual IP Packet, let’s extract it.

Quickly scanning the communication.

JIGESH SHEORAN
500086199
 5

Looking at the first few client packets (e.g.  client_packets[:10].hexdump() )

shows us that this is an HTTP GET request. Let’s dump the response body to a file.

Now, open a new shell and follow the following steps:

JIGESH SHEORAN
500086199
 6

We’ll now need Wireshark. For that we can either write a new pcap file containing
the actual IP traffic:

First we’ll need to mark the encrypted packets as SSL traffic:  Rightclick ->
Decode As -> SSL . There’s a feature in wireshark for decrypting SSL traffic. It’s

JIGESH SHEORAN
500086199
 7

somewhat hidden though:  Preferences -> Protocols -> SSL -> RSA keys
list -> Key File . Now all that remains is to rightclick on one of the TLS packets
and “Follow [the] SSL Stream”:

----------------------------------------------------END------------------------------------------------------

JIGESH SHEORAN
500086199