ICT 475 Final Project
You must submit a report containing the problem statement, screenshots of the
output, and well-explained results.
Read the book 503.2 - Fundamentals of Traffic Analysis Part II and solve the
following:
Part I
Use Sans/Exercises/Day2/wireshark-df.pcap as input for the following:
Exercise 1:
Find the packet record number(s) where a DNS query name contains the string
“gelnhighland”
Exercise 2:
Find all ARP request records. What filter did you use? How many are there?
Exercise 3:
Find the record number of any ICMP echo reply (ICMP type 0) carried in a frame that
needed to be zero-padded at the end because it was shorter than the minimum
acceptable Ethernet frame length (60 bytes, not counting the 4-byte FCS that captures
normally omit). The padding shows up as extra bytes after the end of the IP packet,
i.e. the captured frame is longer than 14 + the IP total length.
Exercise 4:
Find all DNS records. How many are there? Save those records to a new file called
“/tmp/dns.pcap”.
Part II
Use Sans/Exercises/Day2/tcpdump.pcap as input for the following:
Exercise 1:
Write a tcpdump filter to display those records with only the acknowledgment
flag set and no other flag bits set. This is the most exclusive type of filter. The
layout of the TCP flag byte is supplied below to help you figure out the filter mask
value (tcp[13] is the byte at offset 13 of the TCP header).

| CWR | ECE | URG | ACK || PSH | RST | SYN | FIN |   tcp[13], byte offset 13 of the TCP header
| 2^3 | 2^2 | 2^1 | 2^0 || 2^3 | 2^2 | 2^1 | 2^0 |   bit weight within each nibble
| 0x80| 0x40| 0x20| 0x10|| 0x08| 0x04| 0x02| 0x01|   value of each bit in the byte
Exercise 2:
Read records from the input file using tcpdump and write a filter to display those
records with either the RST or ACK flags set and may have any other flag bits set.
This is the least exclusive type of filter.
Exercise 3:
Read records from the input file using tcpdump and write a filter to display those
records where all the RST, SYN, and FIN flags must be set and other flag bits may
be set. This follows the format of the less exclusive type of filter. For assistance, if
you were to check that both the ACK and RST values were set and other flags may
be set, the filter would be ‘tcp[13] & 0x14 = 0x14’.
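The three filter styles of Part II, and the padding check of Part I Exercise 3, as an added worked example that is not part of the course material and is not run against the course pcaps: the script below builds a pcap in memory from constructed Ethernet/IPv4/TCP frames (addresses, ports and payloads are invented), reads it back, and applies the same `tcp[13] & mask = value` test that tcpdump evaluates. The (mask, value) pairs in `FILTERS` correspond to the tcpdump expressions `tcp[13] = 0x10`, `tcp[13] & 0x14 != 0` and `tcp[13] & 0x07 = 0x07`.

```python
import struct

ETH_P_IP = 0x0800
FLAG = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
        "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_frame(flags, payload=b""):
    """Constructed Ethernet II / IPv4 / TCP frame with the given tcp[13] value.
    Frames shorter than 60 bytes (minimum without FCS) are zero-padded, as a NIC does."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left 0: example only
    frame = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_P_IP) + ip + tcp
    if len(frame) < 60:
        frame += b"\x00" * (60 - len(frame))
    return frame


def build_pcap(frames):
    """libpcap file: 24-byte global header (LINKTYPE_ETHERNET = 1) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (record_number, frame) pairs; tcpdump and Wireshark number records from 1."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off, n = 24, 0
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        n += 1
        yield n, data[off:off + incl]
        off += incl


def tcp_flags(frame):
    """Return tcp[13] for an IPv4/TCP frame, or None for anything else."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP or frame[14 + 9] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl + 13]


def ip_total_length(frame):
    return struct.unpack("!H", frame[16:18])[0]


# (mask, value); value None means "any of the masked bits set", i.e. tcp[13] & mask != 0
FILTERS = {
    "ack_only":    (0xFF, 0x10),  # tcp[13] = 0x10          most exclusive
    "rst_or_ack":  (0x14, None),  # tcp[13] & 0x14 != 0     least exclusive
    "rst_syn_fin": (0x07, 0x07),  # tcp[13] & 0x07 = 0x07   less exclusive
}


def matches(flags, mask, value):
    return (flags & mask) != 0 if value is None else (flags & mask) == value


def filter_records(pcap, name):
    mask, value = FILTERS[name]
    return [n for n, f in read_pcap(pcap)
            if (fl := tcp_flags(f)) is not None and matches(fl, mask, value)]


def padded_records(pcap):
    """Records whose frame is longer than 14 + IP total length: the surplus is Ethernet padding."""
    return [n for n, f in read_pcap(pcap) if len(f) > 14 + ip_total_length(f)]


# Constructed sample capture: five TCP segments with different flag combinations.
SAMPLE = build_pcap([
    build_frame(FLAG["ACK"]),                                            # 1: pure ACK
    build_frame(FLAG["SYN"]),                                            # 2: SYN
    build_frame(FLAG["RST"] | FLAG["ACK"]),                              # 3: RST/ACK
    build_frame(FLAG["RST"] | FLAG["SYN"] | FLAG["FIN"] | FLAG["PSH"]),  # 4: illegal combination
    build_frame(FLAG["ACK"] | FLAG["PSH"], payload=b"X" * 30),           # 5: data segment, no padding
])

if __name__ == "__main__":
    for name in FILTERS:
        print(name, filter_records(SAMPLE, name))
    print("padded", padded_records(SAMPLE))
```

Against a real file the same tests are run with `tcpdump -nr tcpdump.pcap '<expression>'`; the script exists to show what the mask arithmetic does to each flag byte, not to replace the tool.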
Part III
Use Sans/Exercises/Day2/TCP.pcap as input for the following:
Note: Enable Wireshark TCP checksum validation. This is done as follows:
Edit > Preferences
Expand the Protocols listing in the leftmost column at the bottom. Scroll down to
TCP and select it. Check the box next to "Validate the TCP checksum if possible".
When you have completed this part, uncheck this setting. It is off by default because
checksum offload to the NIC makes outbound packets captured on the sending host show
up with bad checksums even though they are correct on the wire.
Exercise 1:
Examine the embedded protocol checksum in the packet with a destination host of
192.168.2.109 and source port 2056. What is wrong with it? What will happen to
this packet?
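How a receiving stack checks the embedded TCP checksum, as an added example that is not part of the course material: the script computes the checksum over the IPv4 pseudo-header plus the segment, verifies a segment the way a receiver does, and shows that a one-bit change in the checksum field or in the payload fails the check. The segment itself is constructed (the exercise's source port 2056 and destination 192.168.2.109 are reused only as sample addressing; the payload and the corruption are invented).

```python
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: source, destination, zero byte, protocol 6, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip, dst_ip, segment):
    """Value the sender must write into bytes 16-17 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return (~total) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    """Receiver-side check: with the checksum in place the sum must come to 0xFFFF.
    A TCP stack silently discards a segment that fails this; no ACK, no RST."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(sport, dport, flags, payload, src_ip, dst_ip):
    """Minimal 20-byte TCP header plus payload, with a correct checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def corrupt_checksum(segment, delta=1):
    """Copy of the segment with the checksum field off by delta, as a crafted packet might be."""
    bad = (int.from_bytes(segment[16:18], "big") + delta) & 0xFFFF
    return segment[:16] + bad.to_bytes(2, "big") + segment[18:]


# Constructed sample: PSH/ACK from port 2056 to 192.168.2.109:80 carrying an HTTP request.
SRC_IP = bytes([192, 168, 2, 1])
DST_IP = bytes([192, 168, 2, 109])
GOOD = build_segment(2056, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n", SRC_IP, DST_IP)

if __name__ == "__main__":
    print("checksum 0x%04x" % tcp_checksum(SRC_IP, DST_IP, GOOD))
    print("good segment accepted:", checksum_ok(SRC_IP, DST_IP, GOOD))
    print("bad checksum accepted: ", checksum_ok(SRC_IP, DST_IP, corrupt_checksum(GOOD)))
```

The practical consequence for the exercise is that a segment with a wrong checksum never reaches the application and generates no response at all, so the only evidence of it is in the capture; an IDS that does not validate checksums can be made to see data the host never accepts.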
Exercise 2:
What is suspicious about the two records with a source port of 4545? Concentrate
your inspection on the TCP sequence numbers. What appears to be wrong with them?
What evasive behavior might this be attempting? Why is the payload on these records
unusual? This exercise is probably easier to figure out using tcpdump (for example
tcpdump -nnvr TCP.pcap 'tcp port 4545' with -S to show absolute sequence numbers),
but you can use Wireshark if you prefer.
Exercise 3:
You will see TCP activity from source host 10.254.1.8 in one set of connections,
and another set of connections to destination port 143. One set is a series of
retries to a non-responding host/network. The other set is actual successful SYN
connections to the destination IP. No data other than the SYN activity is included.
Which set is the retries and which is the successful connections? Remember that a
retransmitted SYN keeps the same source port and initial sequence number and is
spaced out by exponential backoff, whereas each new connection uses a fresh source
port and a fresh ISN.
Exercise 4:
Look at the TCP session between hosts 192.168.1.217 and 192.168.1.103. There is
something unusual about the flag settings when payload is sent. Explain what went
wrong.
Exercise 5:
We are seeing a lot of SYN/ACK TCP segments from source host 68.178.232.100
to many of our destination 10.10.10.x hosts. Yet a sensor that collects all outbound
traffic never saw the 10.10.10.x hosts sending outbound SYNs. Can you explain
what is happening? Why would an attacker do this? What are some other signs that
the traffic claiming to come from the 10.10.10.x hosts was crafted?
Part IV
Use Sans/Exercises/Day3/wireshark3.pcap as input for the following:
Exercise 1:
Extract the web object from wireshark3.pcap (File > Export Objects > HTTP) and view
it in your Epiphany web browser. According to the extracted image, what did Snort save?
Exercise 2:
Carve the base64-encoded message from the SMTP exchange between 10.10.10.10 and
10.10.10.25 (Follow TCP Stream on the port 25 conversation). What does it say?
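The carving step, as an added example that is not part of the course material: given the client side of an SMTP session as it would appear in a followed TCP stream, the script isolates each DATA block, undoes SMTP dot-stuffing, hands the message to the standard-library email parser (which applies the Content-Transfer-Encoding), and also shows a header-free fallback that decodes any run of consecutive base64-only lines. The session, addresses and message text are constructed for the example and are not from the course pcap.

```python
import base64
import re
import email
from email import policy

# Constructed client side of an SMTP session (invented sender, recipient and text).
SECRET = ("The sensor was moved to 10.10.10.25 this morning; the old address "
          "will be reused for the honeypot.")
BODY_B64 = base64.b64encode(SECRET.encode()).decode()
BODY_WRAPPED = "\r\n".join(BODY_B64[i:i + 76] for i in range(0, len(BODY_B64), 76))

SAMPLE_STREAM = (
    "EHLO client.example.test\r\n"
    "MAIL FROM:<alice@example.test>\r\n"
    "RCPT TO:<bob@example.test>\r\n"
    "DATA\r\n"
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: =?utf-8?B?" + base64.b64encode(b"status").decode() + "?=\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + BODY_WRAPPED + "\r\n"
    ".\r\n"
    "QUIT\r\n"
)


def carve_messages(stream):
    """Raw RFC 5322 message from each DATA block, ended by <CRLF>.<CRLF>; dot-stuffing undone."""
    msgs, rest = [], stream
    while True:
        start = rest.find("DATA\r\n")
        if start < 0:
            return msgs
        start += len("DATA\r\n")
        end = rest.find("\r\n.\r\n", start)
        if end < 0:
            return msgs
        lines = rest[start:end].split("\r\n")
        msgs.append("\r\n".join(l[1:] if l.startswith("..") else l for l in lines))
        rest = rest[end + len("\r\n.\r\n"):]


def decode_body(raw):
    """(subject, body text): the parser decodes RFC 2047 subjects and the base64 body."""
    msg = email.message_from_string(raw, policy=policy.default)
    return str(msg["Subject"]), msg.get_content()


B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def find_base64_runs(text, min_len=32):
    """Fallback when headers are missing or mangled: join consecutive lines made only of
    base64 characters, decode each run, keep the ones that decode to readable UTF-8."""
    runs, cur = [], []
    for line in text.split("\r\n") + [""]:  # empty sentinel flushes the last run
        if B64_LINE.match(line):
            cur.append(line)
            continue
        joined, cur = "".join(cur), []
        if len(joined) < min_len or len(joined) % 4:
            continue
        try:
            decoded = base64.b64decode(joined, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            runs.append(decoded)
    return runs


if __name__ == "__main__":
    for raw in carve_messages(SAMPLE_STREAM):
        print(decode_body(raw))
    print(find_base64_runs(SAMPLE_STREAM))
```

When the stream comes from Wireshark, export the client direction of Follow TCP Stream as raw text and feed it to `carve_messages`; the fallback is what you reach for when the capture starts mid-session and the MIME headers are not there.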
Exercise 3:
Decode the conversation where there is an exchange to and from port 99. What
protocol does this traffic look like?
Good Luck