EGL202 Lab 4 Network Traffic Analysis (Student)
A Objectives
To revise the basic TCP/IP concepts
To familiarise yourself with a network traffic analyser and its role in a security audit
1) Search for Wireshark, right-click it and choose “Run as administrator” to start Wireshark with
full admin rights, which may be required to list network interfaces and capture packets.
2) In the Input tab, select “Ethernet” (if using a wired connection) or “Wi-Fi” (if using a wireless
connection).
3) In the Options tab, under Stop Capture Automatically After…, tick the packets box and enter
10000 packets.
4) Click Start. You should see many network packets. (Note: You may need to turn off your PC’s
personal firewall, such as Windows Defender Firewall, to see the traffic. Remember to turn it
back on when the lab is done.)
Task 3: Filters
1) Under “Apply a display filter”, key in ip.addr == x.x.x.x where x.x.x.x is your PC’s IP
address. (Hint: You can use “ipconfig” from the command prompt to find your PC’s IP
address.) You should now only see traffic flowing to and from your PC.
2) Under “Apply a display filter”, key in icmp and restart the live capture. From your PC,
ping the default gateway. (Hint: Use “ipconfig” if necessary to find the gateway address.)
Question: From the capture of your ping, write down all the Ethernet (MAC) addresses
detected. Next, issue “ipconfig /all” to check your PC’s MAC/hardware address. Is the
Ethernet source address of the ping request packet the same as your PC’s MAC address?
Is the Ethernet source address of the ping reply packet the same as your PC’s MAC
address? Whose MAC address is it?
3) Under “Apply a display filter”, key in tcp and restart the live capture. Use your browser to
go to www.sg. Visit https://nslookup.io/ to identify the possible public IP addresses for
www.sg. Hint: It should be 45.60.101.124 or 45.60.11.124
Search for the first packet whose destination IP is one of the www.sg addresses. Right-click
the packet and choose Follow > TCP Stream. Wireshark then applies a tcp.stream filter that
shows only the packets of that one connection.
From the filtered session, are you able to identify the SYN, SYN-ACK, ACK 3-way TCP
handshake? Fill in the table below with the information. (If the stream begins in the middle
of a connection, with no SYN, your browser reused a connection it opened before the capture
started: clear the capture, restart it, and reload the page.)
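The following is an added example for this handout, not part of the original lab material. It shows, on a handful of hand-constructed Ethernet/IPv4 frames, what the three display filters above (ip.addr ==, icmp and tcp) actually select, why the ping request and ping reply carry different Ethernet source addresses, and how a SYN / SYN-ACK / ACK handshake is recognised from the TCP flags and sequence numbers. All MAC and IP addresses in it are made-up assumptions, and IP/ICMP/TCP checksums are left at zero because the parser does not validate them.

```python
"""Constructed Ethernet/IPv4/ICMP/TCP frames decoded the way Wireshark's
display filters slice them (ip.addr ==, icmp, tcp), plus a SYN / SYN-ACK / ACK
handshake finder.  Added example for this handout, not part of the lab; the
MAC and IP addresses below are made-up assumptions, and checksums are left
zero because the parser does not validate them."""
import socket
import struct

ETH_IPV4 = 0x0800
PC_MAC, GW_MAC = "02:00:00:00:00:05", "02:00:00:00:00:01"        # assumed
PC_IP, GW_IP, SRV_IP = "10.0.0.5", "10.0.0.1", "203.0.113.10"   # assumed


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> (ICMP | TCP) headers into a flat dict."""
    dst, src, ethtype = struct.unpack("!6s6sH", frame[:14])
    pkt = {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "proto": None}
    if ethtype != ETH_IPV4:
        return pkt                       # ARP etc.: Ethernet fields only
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    pkt["ip_src"] = socket.inet_ntoa(ip[12:16])
    pkt["ip_dst"] = socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if ip[9] == 1:                       # ICMP: type 8 = echo request, 0 = echo reply
        pkt.update(proto="icmp", icmp_type=l4[0])
    elif ip[9] == 6:                     # TCP: flags sit in the low bits of the offset word
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        pkt.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack,
                   syn=bool(off_flags & 0x02), ack_flag=bool(off_flags & 0x10))
    return pkt


def filter_ip_addr(pkts, addr):          # display filter: ip.addr == addr
    return [p for p in pkts if addr in (p.get("ip_src"), p.get("ip_dst"))]


def filter_proto(pkts, name):            # display filter: icmp  /  tcp
    return [p for p in pkts if p["proto"] == name]


def find_handshake(tcp_pkts):
    """Indexes (SYN, SYN-ACK, ACK) of the first complete 3-way handshake, or None.
    Each step must answer the previous one: ports reversed, ack = peer's seq + 1."""
    for i, s in enumerate(tcp_pkts):
        if not s["syn"] or s["ack_flag"]:
            continue
        for j in range(i + 1, len(tcp_pkts)):
            sa = tcp_pkts[j]
            if not (sa["syn"] and sa["ack_flag"] and sa["ip_src"] == s["ip_dst"]
                    and (sa["sport"], sa["dport"]) == (s["dport"], s["sport"])
                    and sa["ack"] == s["seq"] + 1):
                continue
            for k in range(j + 1, len(tcp_pkts)):
                a = tcp_pkts[k]
                if (a["ack_flag"] and not a["syn"] and a["ip_src"] == s["ip_src"]
                        and (a["sport"], a["dport"]) == (s["sport"], s["dport"])
                        and a["seq"] == s["seq"] + 1 and a["ack"] == sa["seq"] + 1):
                    return i, j, k
    return None


# --- constructed sample capture (not a real trace) ----------------------------
def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETH_IPV4)
    return eth + ip_hdr + payload


def icmp_hdr(kind):                      # type, code, checksum, id, seq
    return struct.pack("!BBHHH", kind, 0, 0, 1, 1)


def tcp_hdr(sport, dport, seq, ack, flags):   # data offset 5 words, window 65535
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


SYN, ACK = 0x02, 0x10
SAMPLE_CAPTURE = [
    build_frame(PC_MAC, GW_MAC, PC_IP, GW_IP, 1, icmp_hdr(8)),              # ping request
    build_frame(GW_MAC, PC_MAC, GW_IP, PC_IP, 1, icmp_hdr(0)),              # ping reply
    build_frame("02:00:00:00:00:07", GW_MAC, "10.0.0.7", SRV_IP, 6,         # another host,
                tcp_hdr(40000, 443, 7, 0, SYN)),                            # dropped by ip.addr
    build_frame(PC_MAC, GW_MAC, PC_IP, SRV_IP, 6, tcp_hdr(51000, 443, 1000, 0, SYN)),
    build_frame(GW_MAC, PC_MAC, SRV_IP, PC_IP, 6, tcp_hdr(443, 51000, 5000, 1001, SYN | ACK)),
    build_frame(PC_MAC, GW_MAC, PC_IP, SRV_IP, 6, tcp_hdr(51000, 443, 1001, 5001, ACK)),
]

if __name__ == "__main__":
    mine = filter_ip_addr([parse_frame(f) for f in SAMPLE_CAPTURE], PC_IP)
    for p in filter_proto(mine, "icmp"):
        print("icmp type", p["icmp_type"], "eth src", p["eth_src"], "-> eth dst", p["eth_dst"])
    print("handshake at indexes", find_handshake(filter_proto(mine, "tcp")))
```

Note that the Ethernet addresses of the packets to the remote server are still the PC's and the gateway's: a frame only ever carries the MAC addresses of the two hosts on the local link, so the reply to your ping has the gateway's MAC as its Ethernet source even though its IP source is whatever host answered.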
Note: To stop and start your Wireshark traffic capture, use Capture > Stop and Capture > Start.
1) Let’s start a fresh Wireshark traffic capture. Launch your web browser and visit
http://vbsca.ca/login/login.asp
2) Key in a username and password. Let’s try: username: admin123 Password: pass123
3) Click Login on the page. You should see the following screen.
Question: From your capture, what is the IP address for the website vbsca.ca?
Question: From your capture, can you identify the user ID and password used? (Hint: Find the
HTTP POST packet and use Follow > TCP Stream to read the reassembled request.)
What service details (server software, page names, form field names) can you glean from the
website?
Question: Do you think HTTP is secure? Why? If not, what protocol should be used in its
place?
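The following is an added example for this handout, not part of the original lab material. It works on the kind of reassembled client-to-server stream that Follow > TCP Stream shows for a plain-HTTP form login: it splits the request into request line, headers and body, pulls the credentials out of the URL-encoded form, and shows that the same check returns nothing when the stream is TLS, because only record headers are readable. The request bytes are constructed by hand to resemble the login in this task; the Host header and the form field names username/password are assumptions, not values observed from the site.

```python
"""What Follow > TCP Stream hands you for an HTTP form login, and why the same
check comes back empty for HTTPS.  Added example for this handout, not part of
the lab; both streams below are constructed, and the field names are assumed."""
from urllib.parse import parse_qs

# Constructed client -> server stream for a cleartext HTTP form login (assumed
# field names; Content-Length matches the 34-byte body).
HTTP_STREAM = (
    b"POST /login/login.asp HTTP/1.1\r\n"
    b"Host: vbsca.ca\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=admin123&password=pass123"
)

# Constructed start of a TLS stream: one application-data record
# (content type 0x17, version 0x0303, length 0x20) followed by opaque bytes.
TLS_STREAM = b"\x17\x03\x03\x00\x20" + bytes(range(0x20))


def parse_http_request(stream: bytes):
    """Split a raw HTTP/1.x request into (request line, {header: value}, body)."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return lines[0], headers, body[:length]


def looks_like_tls(stream: bytes) -> bool:
    """TLS record header: content type 0x14..0x17, version 0x03 0x01..0x03
    (TLS 1.3 still writes 0x0303 on the wire).  Everything after it is ciphertext."""
    return (len(stream) >= 5 and stream[0] in (0x14, 0x15, 0x16, 0x17)
            and stream[1] == 0x03 and stream[2] in (1, 2, 3))


CRED_FIELDS = ("username", "user", "login", "uid", "password", "pass", "pwd")


def extract_credentials(stream: bytes):
    """Credential-looking fields from a cleartext form POST, or None if the
    stream is encrypted or is not a URL-encoded form submission."""
    if looks_like_tls(stream):
        return None
    request_line, headers, body = parse_http_request(stream)
    if not request_line.startswith("POST "):
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    form = parse_qs(body.decode("latin-1"))
    found = {k: v[0] for k, v in form.items() if k.lower() in CRED_FIELDS}
    return found or None


def login_target(stream: bytes):
    """(host, path) the form was posted to, or None for an encrypted stream."""
    if looks_like_tls(stream):
        return None
    request_line, headers, _ = parse_http_request(stream)
    return headers.get("host"), request_line.split(" ")[1]


if __name__ == "__main__":
    for name, s in (("http", HTTP_STREAM), ("tls", TLS_STREAM)):
        print(name, login_target(s), extract_credentials(s))
```

The site's IP address is not in the stream at all; it comes from the IP header of the packets, which is why the first question in this task is answered from the packet list and the second from the followed stream. Over HTTPS the packet list still reveals the server IP and the TLS handshake, but the form fields are inside encrypted records and the extraction returns None.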