EGL202 Lab 4 Network Traffic Analysis (Student)

EGL202 Cyber Security Essentials

Lab 4 Network Traffic Analysis

A Objectives
- To revise the basic TCP/IP concepts
- To familiarise with a network traffic analyser and its role in security audit

Task 1: Network Traffic Analyser Installation

1) Install Wireshark (recommended version 3.2.3 or higher) and Npcap (recommended
version 0.9989 or higher). Reference: www.wireshark.org (Note: Wireshark used to be
called Ethereal).

2) Search for Wireshark, right-click it and choose “Run as administrator” to start Wireshark, as full
administrator rights may be required to list network interfaces and capture packets.

Task 2: Network Traffic Capture

1) From Wireshark, select Capture > Options.

2) In the Input tab, select “Ethernet” (if using a wired connection) or “Wi-Fi” (if using a wireless
connection).

3) In the Options tab, under Stop Capture Automatically After…, tick the “packets” box and enter
10000.

4) Click Start. You should see many network packets. (Note: You may need to turn off your PC’s
personal firewall, such as Windows Defender Firewall, to see the traffic.)

Task 3: Filters

1) Under “Apply a display filter”, key in ip.addr == x.x.x.x where x.x.x.x is your PC’s IP
address. (Hint: You can use “ipconfig” from the command prompt to find your PC’s IP
address.) You should now only see traffic flowing to and from your PC.

Cyber Security Essentials Page 1 Effective date: 05 Mar 2021


Question: Click on any IP packet with your PC’s IP address as the source. Write
down the corresponding Ethernet destination address. Which host on the
network does this Ethernet address belong to?

2) Under “Apply a display filter”, key in icmp and restart the live capturing. From your PC,
ping the default gateway. (Hint: Use “ipconfig” if necessary.)

Question: From the capture of your ping, write down all the Ethernet addresses
detected. Next, issue “ipconfig /all” to check your PC’s MAC/hardware address. Is
the Ethernet source address of the ping request or ping reply packets the same as your
PC’s MAC address?

3) Under “Apply a display filter”, key in tcp and restart the live capturing. Use your browser to
go to www.sg. Visit https://nslookup.io/ to identify the possible public IP addresses for
www.sg. Hint: It should be 45.60.101.124 or 45.60.11.124

Search for the first occurrence of the destination IP for www.sg. Right-click the packet and choose
Follow > TCP Stream.

From the filtered session, are you able to identify the SYN, SYN-ACK, ACK 3-way TCP
handshake? Fill in the table below with the information.

Packet Number | Sequence Number | TCP Source Port | TCP Destination Port | SYN value | ACK value | FIN value | Reset value
549           | 0               | 50412           | 443                  | 1         | 0         | 0         | 0
550           | 0               | 443             |                      |           |           |           |

Question: When will the FIN and Reset Flags be used/non-zero?
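As an added illustration (not part of the lab handout), the following Python script decodes the columns of the table above from raw TCP header bytes, shows why Wireshark displays a relative sequence number of 0 for both the SYN and the SYN-ACK, and checks that three packets really form a 3-way handshake by matching their ports and acknowledgement numbers. The packets, port numbers and initial sequence numbers are constructed for the example.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits (low byte of the flags field)

def build_segment(sport, dport, seq, ack, flags, payload=b""):
    """Assemble a minimal TCP segment: 20-byte header (data offset 5, no options,
    window 65535, checksum and urgent pointer zeroed) followed by the payload."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 65535, 0, 0) + payload

def parse_segment(seg):
    """Decode the table's columns (ports, seq, SYN/ACK/FIN/RST) from raw bytes."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "SYN": (off_flags >> 1) & 1, "ACK": (off_flags >> 4) & 1,
            "FIN": off_flags & 1, "RST": (off_flags >> 2) & 1,
            "payload": seg[data_offset:]}

def relative_seqs(pkts):
    """Wireshark shows sequence numbers relative to the first SYN seen in each
    direction, which is why packets 549 and 550 both display 0."""
    isn, out = {}, []
    for p in pkts:
        flow = (p["sport"], p["dport"])
        if p["SYN"]:
            isn[flow] = p["seq"]
        out.append((p["seq"] - isn.get(flow, p["seq"])) & 0xFFFFFFFF)
    return out

def find_handshake(pkts):
    """Return the indices of the SYN, SYN-ACK and ACK that complete a 3-way
    handshake (ports reversed, each ack = the other side's seq + 1), or None."""
    for i, a in enumerate(pkts):
        if not (a["SYN"] and not a["ACK"]):
            continue
        for j in range(i + 1, len(pkts)):
            b = pkts[j]
            if (b["SYN"] and b["ACK"] and (b["sport"], b["dport"]) == (a["dport"], a["sport"])
                    and b["ack"] == a["seq"] + 1):
                for k in range(j + 1, len(pkts)):
                    c = pkts[k]
                    if (c["ACK"] and not c["SYN"] and (c["sport"], c["dport"]) == (a["sport"], a["dport"])
                            and c["seq"] == a["seq"] + 1 and c["ack"] == b["seq"] + 1):
                        return i, j, k
    return None

# Constructed capture modelling packets 549-551 of the lab (client port 50412 to
# server port 443) plus a reset from the server; the initial sequence numbers are made up.
CLIENT_ISN, SERVER_ISN = 0x1A2B3C4D, 0x7E8F9A0B
CAPTURE = [parse_segment(s) for s in (
    build_segment(50412, 443, CLIENT_ISN, 0, SYN),
    build_segment(443, 50412, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),
    build_segment(50412, 443, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),
    build_segment(443, 50412, SERVER_ISN + 1, CLIENT_ISN + 1, ACK | RST),
)]
```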

Task 4: Investigating HTTP Traffic

Note: To stop and start your Wireshark traffic capture, use Capture > Stop and Capture > Start.

1) Let’s start a fresh Wireshark traffic capture. Launch your web browser and visit
http://vbsca.ca/login/login.asp

2) Key in a username and password. Let’s try: username: admin123, password: pass123

3) Click Login on the page. You should see the following screen.

4) Stop your Wireshark traffic capture (Capture > Stop).

5) Apply the display filter “tcp contains admin123” to the captured packets.

Question: From your capture, what is the IP address for the website vbsca.ca?

6) Right-click the packet and choose Follow > TCP Stream.

Question: From your capture, can you identify the user ID and password used?
What service details can you glean from the website?

Question: Do you think HTTP is secure? Why? If not, what protocol should be used
to replace HTTP?
