Professional Documents
Culture Documents
Lab3 - 500086199 - JigeshSheoran - Digital Forensics
Lab3 - 500086199 - JigeshSheoran - Digital Forensics
DIGITAL FORENSICS LAB
LAB 3 Packet Analysis
BTECH-COMPUTER SCIENCE
ENGINEERING (HONS.)
CYBER SECURITY AND FORENSICS
BATCH: B2 (Hons.)
JIGESH SHEORAN
500086199
2
1. The only packets inside the pcap are ICMP packets and IP fragments of
ICMP packets
2. The ICMP packets contain interesting payload data
JIGESH SHEORAN
500086199
3
Now, we will remove the packets that do not have any content in them :
Verifying that payload in the ICMP Protocol are IP Packets themselves or not ?
JIGESH SHEORAN
500086199
4
JIGESH SHEORAN
500086199
5
JIGESH SHEORAN
500086199
6
We’ll now need Wireshark. For that we can either write a new pcap file containing
the actual IP traffic:
First we’ll need to mark the encrypted packets as SSL traffic: Rightclick ->
Decode As -> SSL . There’s a feature in wireshark for decrypting SSL traffic. It’s
JIGESH SHEORAN
500086199
7
somewhat hidden though: Preferences -> Protocols -> SSL -> RSA keys
list -> Key File . Now all that remains is to rightclick on one of the TLS packets
and “Follow [the] SSL Stream”:
----------------------------------------------------END------------------------------------------------------
JIGESH SHEORAN
500086199