Presentation is loading. Please wait.

Presentation is loading. Please wait.

Traffic Analysis– Wireshark Simple Example

Published byAllyson Collins Modified over 6 years ago

Similar presentations

Presentation on theme: "Traffic Analysis– Wireshark Simple Example"— Presentation transcript:

1 Traffic Analysis– Wireshark Simple Example
CIS 6395, Incident Response Technologies Fall 2016, Dr. Cliff Zou

2 Acknowledgement The second wireshark example comes from programming project 2 in Dr. Dawn Song’s course “CS161: computer security” in Fall 2008:

3 Example #1: What traffic does Nmap generate?
“Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network” Definition comes from Wikipedia.com Question: What traffic does it generate? How can we detect if someone is using Nmap?

4 Nmap Basic Usage Examples
Scan a single IP: nmap Scan a range of IPs nmap nmap /24 Scan a range of ports nmap -p Scan 100 most common ports (Fast) nmap -F Scan all ports nmap -p Nmap --script banner Setup TCP connection, get the first response text from the target

5 Testing on Kali Linux Your Kali Linux VM contains both nmap and Wireshark Use the wireshark to see what traffic does an nmap command sends out

6 Example #2: Wireshark trial
Q1: Youtube becomes Notube In your company network YouTube page could not be loaded when people tried to access YouTube. Analyze the web traffic in q1.pcap trace (in webCourse) to find out how the attacker disrupted your YouTube access. Find out the type of attack being launched? What were the victims’ IP addresses? How much downtime did this attack cause? Hint: search for failed connections, there are 4 victims.

7 Question 1 Answer The 4 victims IP: , , , The attack is TCP/RST attack by sending RST packets to youtube server whenever a victim sends TCP connection requests to youtube The attack duration time, about 2200 seconds.

8 Question 2 Q2: you sent a private message to your best friend on Facebook. But your message got also posted publicly on your friend’s wall, which means someone posted it impersonated as your friend. Examine the web traffic in q2.pcap (in webCourse) to find evidence of the attack used for the wall post. Find the secret wall post, the timestamp when it occurred and the cookie value (c_user) of the attacker. Hints: Check POST requests, cookie values

9 Question 2 Answer: There is one attacking IP: using the same user cookie value. The secret wall post was : “Be sure not to tell anyone this! But M.C. is actually lactose- intolerant”. with a time Sun, 17 Apr :30:02 GMT (based on server’s response message)

10 Question 3 There was a leakage of an exam file, so you pull out the data collected to analyze. Analyze the web accesses in the q3.pcap (in webCourse). Determine the type of attack used to access the file. What was the file name? How do you know it was successfully accessed?

11 Question 3 Answer: Directory traverse attack happened on getting password file, the other file is cheddar.pdf requested in several attempts. a single packet, # 41321, successfully obtained the pdf file.

Download ppt "Traffic Analysis– Wireshark Simple Example"

Similar presentations

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.

TCP/IP Fundamentals A quick and easy way to understand TCP/IP v4.
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.
Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.

Scanning Determining if the system is alive IP Scanning Port Scanning War Dialing.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.

CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.
Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.

Port Scanning Yiqian Zhang CS 265 Project. What is Port Scanning? port scanning is equivalent to knocking on the walls to find all the doors and windows.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Penetration Testing.

Penetration Testing.
Port Scanning.

Port Scanning.
TCP/IP Web Design & Layout January 23, 2012. TCP/IP For Dummies  The guts and the rules of the Internet and World Wide Web. A set of protocols, services,

TCP/IP Web Design & Layout January 23, TCP/IP For Dummies  The guts and the rules of the Internet and World Wide Web. A set of protocols, services,
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Ana Chanaba Robert Huylo

Ana Chanaba Robert Huylo
Syllabus outcomes 5.2.1 Describes and applies problem-solving processes when creating solutions. 5.2.2 Designs, produces and evaluates appropriate solutions.

Syllabus outcomes Describes and applies problem-solving processes when creating solutions Designs, produces and evaluates appropriate solutions.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Midterm Exam Review Release questions via webcourse “assignment” around 10:30am, Thur. Oct. 20 th, due via webcourse at 10:30am next day Submit format:

Midterm Exam Review Release questions via webcourse “assignment” around 10:30am, Thur. Oct. 20 th, due via webcourse at 10:30am next day Submit format:
Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.

Forensic and Investigative Accounting Chapter 14 Internet Forensics Analysis: Profiling the Cybercriminal © 2005, CCH INCORPORATED 4025 W. Peterson Ave.
CIS 450 – Network Security Chapter 3 – Information Gathering.

CIS 450 – Network Security Chapter 3 – Information Gathering.

Similar presentations

Ads by Google