Oh, is this homework fun. You will be hunting for an attacker and learning about Wireshark at the same time.
Wireshark is a tool for observing the messages exchanged between executing protocol entities. It works as a packet sniffer, passively copying ("sniffing") messages sent from and received by your computer.
Getting Wireshark
In order to run Wireshark, you will need access to a computer that supports both Wireshark and the libpcap or WinPcap packet capture library. The libpcap software will be installed for you when you install Wireshark if it is not already present on your operating system. See http://www.wireshark.org/download.html for a list of supported operating systems and download sites.
Download and install the Wireshark software:
- Go to http://www.wireshark.org/download.html and download and install the Wireshark binary for your computer.
The Wireshark FAQ has a number of helpful hints and interesting tidbits of information, particularly if you have trouble installing or running Wireshark.
Video Overview of Wireshark
The great people at HackFive created a video on analyzing network traces using Wireshark. It is a fun way to get started.
Wireshark Cheat Sheet
Here is a cheat sheet of all the Wireshark filters.
Finding the Hacker.
Oh no, there has been an attack on our network. Not to worry, we have a network trace of the strange activity, and you can find it in this PCAP file (DanielJesseArp.pcap).
Analyze the network traffic to determine what happened.
Helpful Hints.
The IP address ending in 1.1 is the router. You can figure this out by looking at the DHCP exchange. Also, routers are normally assigned the lowest IP address in the subnet plus one.
To solve this problem, draw out what you think the network looks like, including the switches that connect everything. Then focus on the ARP packets, and think about what the ARP tables look like for each machine on the network.
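Wireshark will do the ARP bookkeeping for you, but it helps to see what that bookkeeping is. The script below is an added example written for this page (it is not part of the homework files and does not use DanielJesseArp.pcap): it builds a small, constructed libpcap capture of five ARP frames in memory, parses the file and Ethernet/ARP headers by hand with `struct`, and then applies the two checks a defender applies when reviewing ARP traffic. `find_conflicts` reports any IP address that more than one MAC address claims to own during the capture (the condition Wireshark flags with its `arp.duplicate-address-detected` field), and `unsolicited_replies` reports ARP replies that were not preceded by a matching request. All MAC addresses (`02:00:00:00:00:xx`) and IP addresses (`192.168.1.0/24`) are constructed for the example.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(oper, sha, spa, tha, tpa, dst_mac=None) -> bytes:
    """Ethernet II frame (14 bytes) + ARP packet (28 bytes). Constructed test data."""
    dst = mac_bytes(dst_mac if dst_mac else tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def build_pcap(frames, start_ts=1_700_000_000) -> bytes:
    """Wrap frames in a classic libpcap file: magic 0xa1b2c3d4, v2.4, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap_arp(data: bytes):
    """Return (ts, oper, sender_mac, sender_ip, target_mac, target_ip) for every ARP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"          # little-endian file
    elif magic == 0xD4C3B2A1:
        end = ">"          # big-endian file
    else:
        raise ValueError("not a classic libpcap file")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 42:               # too short for Ethernet + ARP
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_ARP:
            continue
        oper, = struct.unpack_from("!H", frame, 20)
        sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
        records.append((ts_sec + ts_usec / 1e6, oper,
                        fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa)))
    return records


def find_conflicts(records):
    """IPs claimed by more than one sender MAC: what Wireshark reports as a duplicate IP."""
    claims = defaultdict(list)            # ip -> distinct claiming MACs, in order seen
    for _ts, _oper, sha, spa, _tha, _tpa in records:
        if spa == "0.0.0.0":              # ARP probe, sender has no address yet
            continue
        if sha not in claims[spa]:
            claims[spa].append(sha)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def unsolicited_replies(records):
    """Replies with no earlier matching request. Gratuitous ARP is also unsolicited,
    so this is an indicator to investigate, not proof on its own."""
    pending, unsolicited = set(), []
    for rec in records:
        _ts, oper, _sha, spa, _tha, tpa = rec
        if oper == ARP_REQUEST:
            pending.add((spa, tpa))       # (asker, address being resolved)
        elif oper == ARP_REPLY:
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))
            else:
                unsolicited.append(rec)
    return unsolicited


# Constructed capture: a normal request/reply for the router, a second host doing the
# same, then a reply for the router's IP from a MAC that never answered for it before.
ROUTER, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, HOST_A, "192.168.1.10", ZERO_MAC, "192.168.1.1", BROADCAST),
    build_arp_frame(ARP_REPLY, ROUTER, "192.168.1.1", HOST_A, "192.168.1.10"),
    build_arp_frame(ARP_REQUEST, HOST_B, "192.168.1.20", ZERO_MAC, "192.168.1.1", BROADCAST),
    build_arp_frame(ARP_REPLY, ROUTER, "192.168.1.1", HOST_B, "192.168.1.20"),
    build_arp_frame(ARP_REPLY, HOST_B, "192.168.1.1", HOST_A, "192.168.1.10"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    recs = parse_pcap_arp(SAMPLE_PCAP)
    for ip, macs in find_conflicts(recs).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for ts, _o, sha, spa, _tha, tpa in unsolicited_replies(recs):
        print(f"t={ts:.0f} unsolicited reply: {spa} is-at {sha}, sent to {tpa}")
```

When you look at the real capture, the same two questions apply: which IP addresses are claimed by more than one MAC over the course of the trace, and which replies arrived without a request? Wireshark answers the first for you with the display filter `arp.duplicate-address-detected`; the second you can check by filtering on `arp.opcode == 2` and comparing against the requests just before each reply.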
What to submit.
Answer the questions below and submit your answers to Collab.
Questions:
- What type of attack do you think occurred in the network?
- What is the MAC address of the Victim’s Machine?
- What is the IP address of the Victim Machine?
- What is the MAC address of the Attacker’s Machine?
- What IP address was the Attacker's Machine originally assigned?
- What is the MAC address of the router that was involved?
- Write a paragraph describing the other things you think should be included in your security report.