Take your TShark skills to the next level by implementing Wireshark functionalities in the CLI.
Task 2: Command-Line Wireshark Features I | Statistics I
2.1. Use the “write-demo.pcap” to answer the questions.
What is the byte value of the TCP protocol?
62
2.2. In which packet lengths row is our packet listed?
40-79
2.3. What is the summary of the expert info?
Connection establish request (SYN): server port 80
2.4. Use the “demo.pcapng” to answer the question.
List the communications. What is the IP address that exists in all IPv4 conversations?
Enter your answer in defanged format.
145[.]254[.]160[.]237
Task 3: Command-Line Wireshark Features II | Statistics II
3.1. Use the “demo.pcapng” to answer the questions.
Which IP address has 7 appearances?
Enter your answer in defanged format.
216[.]239[.]59[.]99
3.2. What is the “destination address percentage” of the previous IP address?
6.98%
3.3. Which IP address constitutes “2.33% of the destination addresses”?
Enter your answer in defanged format.
145[.]253[.]2[.]203
3.4. What is the average “Qname Len” value?
The term Qname Len refers to the length of the query name used for a DNS query. In DNS packets, the query name usually represents a domain name (for example, example.com). The length of this query name is reported as the Qname Len value.
29.00
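The Task 3 figures come from TShark's `-z ip_hosts,tree` and `-z ip_srcdst,tree` statistics. The script below is an added example, not part of the room or of this write-up: it rebuilds the same two numbers (how often an address appears as source or destination, and the share of packets sent to each destination) from plain `-T fields` output with awk, so an answer can be double-checked by hand. The ten "src dst" lines are constructed and are not from demo.pcapng; the only assumptions are the standard field names `ip.src` and `ip.dst`.

```shell
#!/bin/sh
# Added example, not part of the TryHackMe room: rebuild the Task 3 address
# statistics (appearance counts and destination-address percentages) from
# plain tshark field output with awk, so the numbers behind the
# -z ip_hosts,tree / -z ip_srcdst,tree answers can be checked by hand.
# Real input would come from:
#   tshark -r demo.pcapng -Y ip -T fields -e ip.src -e ip.dst
# Constructed sample below (10 packets, "src dst" per line); tshark separates
# the two fields with a tab, which awk's default splitting also accepts.
SAMPLE='10.0.0.5 192.0.2.10
192.0.2.10 10.0.0.5
10.0.0.5 198.51.100.7
198.51.100.7 10.0.0.5
10.0.0.5 192.0.2.10
192.0.2.10 10.0.0.5
10.0.0.5 203.0.113.9
203.0.113.9 10.0.0.5
10.0.0.5 192.0.2.10
192.0.2.10 10.0.0.5'

# Count how often each address appears as source or destination
# (the "appearances" figure of question 3.1). Output: "count address".
ip_appearances() {
    awk 'NF == 2 { c[$1]++; c[$2]++ }
         END { for (a in c) printf "%d %s\n", c[a], a }' | sort -rn
}

# Share of all IPv4 packets that were sent to each address
# (the "destination address percentage" of questions 3.2 and 3.3).
# Output: "count percent address".
dst_percentages() {
    awk 'NF == 2 { d[$2]++; total++ }
         END { for (a in d) printf "%d %.2f%% %s\n", d[a], 100 * d[a] / total, a }' \
    | sort -rn
}

# Lookups for a single address in the sample, handy for scripting.
appearances_of() {
    printf '%s\n' "$SAMPLE" | ip_appearances | awk -v a="$1" '$2 == a { print $1 }'
}
dst_percent_of() {
    printf '%s\n' "$SAMPLE" | dst_percentages | awk -v a="$1" '$3 == a { print $2 }'
}

echo "== appearances (src or dst) =="
printf '%s\n' "$SAMPLE" | ip_appearances
echo "== destination address percentages =="
printf '%s\n' "$SAMPLE" | dst_percentages
```

With the real capture, replace the `printf '%s\n' "$SAMPLE"` feed by the tshark command in the comment; the `-Y ip` filter keeps non-IP frames out of the denominator, which is what makes the percentages comparable to the statistics tree.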
Task 4: Command-Line Wireshark Features III | Streams, Objects and Credentials
4.1. Use the “demo.pcapng” to answer the questions.
Follow the “UDP stream 0”.
What is the “Node 0” value?
Enter your answer in defanged format.
145[.]254[.]160[.]237:3009
4.2. Follow the “HTTP stream 1”.
What is the “Referer” value?
Enter your answer in defanged format.
hxxp[://]www[.]ethereal[.]com/download[.]html
4.3. Use the “credentials.pcap” to answer the question.
What is the total number of detected credentials?
We count the output lines with the nl command. Because nl also numbers the table's header and separator lines, the result is 4 too high; subtract those 4 lines to get the number of credentials.
75
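An added example, not taken from the room or this write-up, that shows why numbering the `tshark -r credentials.pcap -z credentials -q` output with `nl` overcounts and how to count only the credential rows. The table below is constructed; the assumed layout (an "=" rule, a header row, a "-" rule, one row per credential, a closing rule) is exactly the 4 non-data lines the question refers to, and the packet numbers, protocols and usernames are invented.

```shell
#!/bin/sh
# Added example, not part of the room: count only the credential rows in the
# output of `tshark -r credentials.pcap -z credentials -q`. Numbering every
# line with `nl` also numbers the table frame, which is why the raw line
# count is 4 higher than the number of credentials.
# Constructed sample in the shape of tshark's credentials table (assumption:
# an "=" rule, a header row, a "-" rule, one row per credential, a closing rule).
CREDS='===================================================================
Packet     Protocol         Username         Info
------     --------         --------         --------
    12     FTP              alice            Username in packet: 12
    34     FTP              bob              Username in packet: 34
    56     HTTP             carol            Username in packet: 56
==================================================================='

# What `... | nl | tail -n 1` effectively reports: every line, frame included.
raw_line_count() {
    printf '%s\n' "$CREDS" | wc -l | tr -d ' '
}

# Only rows whose first column is a packet number are credentials.
count_credentials() {
    printf '%s\n' "$CREDS" | awk '$1 ~ /^[0-9]+$/' | wc -l | tr -d ' '
}

# Per-protocol breakdown of the same rows: "count PROTOCOL", largest first.
credentials_by_protocol() {
    printf '%s\n' "$CREDS" | awk '$1 ~ /^[0-9]+$/ { p[$2]++ }
        END { for (k in p) printf "%d %s\n", p[k], k }' | sort -rn
}

echo "lines numbered by nl: $(raw_line_count)"
echo "credentials:          $(count_credentials)"
credentials_by_protocol
```

On the real capture, replace `printf '%s\n' "$CREDS"` with the tshark command; the packet-number test on the first column is what keeps the frame lines out of the count, whatever their exact number.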
Task 5: Advanced Filtering Options | Contains, Matches and Fields
5.1. Use the “demo.pcapng” to answer the questions.
What is the HTTP packet number that contains the keyword “CAFE”?
27
5.2. Filter the packets with “GET” and “POST” requests and extract the packet frame time.
What is the first time value found?
May 13, 2004 10:17:08.222534000 UTC
Task 6: Use Cases | Extract Information
6.1. Use the “hostnames.pcapng” to answer the questions.
What is the total number of unique hostnames?
30
6.2. What is the total appearance count of the “prus-pc” hostname?
12
6.3. Use the “dns-queries.pcap” to answer the question.
What is the total number of queries of the most common DNS query?
472
6.4. Use the “user-agents.pcap” to answer the questions.
What is the total number of the detected “Wfuzz user agents”?
12
6.5. What is the “HTTP hostname” of the nmap scans?
Enter your answer in defanged format.
172[.]16[.]172[.]129
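The Task 6 answers all follow one pattern: dump a single field with `tshark -T fields`, then count it with sort, uniq and grep. The script below is an added example, not the room's solution: it runs that post-processing on constructed field dumps (the hostnames, query names, user agents and hosts are invented, and the scanner strings are shortened) so the commands can be tried without the pcaps. Assumed field names are Wireshark's `dhcp.option.hostname`, `dns.qry.name`, `http.user_agent` and `http.host`; the `|` separator is chosen with `-E separator` because user-agent strings may contain spaces.

```shell
#!/bin/sh
# Added example, not part of the room: the sort/uniq/grep post-processing
# behind the Task 6 answers, run on constructed field dumps instead of the
# room's pcaps. The real dumps would come from (field names are Wireshark's):
#   tshark -r hostnames.pcapng   -T fields -e dhcp.option.hostname
#   tshark -r dns-queries.pcap   -T fields -e dns.qry.name
#   tshark -r user-agents.pcap   -Y http.request -T fields \
#          -e http.user_agent -e http.host -E separator='|'

# Constructed DHCP hostnames (an empty line is a packet without the option).
HOSTNAMES='prus-pc
galaxy-a12

prus-pc
desktop-7
prus-pc
galaxy-a12'

# Constructed DNS query names.
DNS_QUERIES='example.com
update.example.net
example.com
example.com
cdn.example.org
update.example.net'

# Constructed "user-agent|host" pairs; the scanner strings are invented/shortened.
UA_HOST='Mozilla/5.0 (Windows NT 10.0) Firefox/60.0|www.example.com
Wfuzz/2.4|10.10.10.10
Mozilla/5.0 (compatible; Nmap Scripting Engine)|10.10.10.10
Wfuzz/2.4|10.10.10.10
curl/7.68.0|www.example.com'

# 6.1: number of distinct hostnames, ignoring packets without the option.
unique_hostname_count() {
    printf '%s\n' "$HOSTNAMES" | grep -v '^$' | sort -u | wc -l | tr -d ' '
}

# 6.2: exact-match occurrence count of one hostname (-x avoids substring hits).
hostname_count() {
    printf '%s\n' "$HOSTNAMES" | grep -cx -- "$1"
}

# 6.3: most common query name, printed as "count name".
top_dns_query() {
    printf '%s\n' "$DNS_QUERIES" | grep -v '^$' | sort | uniq -c | sort -rn \
    | head -n 1 | awk '{ print $1, $2 }'
}

# 6.4: requests whose User-Agent mentions Wfuzz (case-insensitive).
wfuzz_count() {
    printf '%s\n' "$UA_HOST" | awk -F'|' 'tolower($1) ~ /wfuzz/' | wc -l | tr -d ' '
}

# 6.5: HTTP Host values seen together with an Nmap user agent.
nmap_hosts() {
    printf '%s\n' "$UA_HOST" | awk -F'|' 'tolower($1) ~ /nmap/ { print $2 }' | sort -u
}

echo "unique hostnames: $(unique_hostname_count)"
echo "prus-pc seen:     $(hostname_count prus-pc)"
echo "top DNS query:    $(top_dns_query)"
echo "Wfuzz requests:   $(wfuzz_count)"
echo "Nmap target host: $(nmap_hosts)"
```

The `grep -v '^$'` steps matter on real captures: every frame that lacks the requested field still produces an (empty) output line, and without the filter the empty string is counted as one more "hostname" or "query".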
Hello, I am Aleyna Doğan. I work as a Sr. Cyber Threat Intelligence Analyst. On my blog, my friends and I write the posts we want to share. Have a good read.