Lab 5.3.2 - Teacher Notes Packet Analysis With Wireshark

Present the PPT; students work on the Kali VM and follow along as you present on the screen.
• Explain and demonstrate how to use the Wireshark application for network traffic analysis.
• Walk through the analysis of Pcap1 to introduce the three information panes in Wireshark.
• Then distribute the lab handout: students analyze four additional pcaps to find the answers for the worksheet.

Slide 1 – Intro Slide

Slide 2 – Wireshark overview


Refer back to the ARP with Wireshark lab in Lesson 4.2.1. Remind students that Wireshark is the brand
name of an application that captures packets as they enter and leave a computer's network interface. This
type of application is properly known as a protocol analyzer, though most people call it a packet sniffer.
Because it can be used to eavesdrop on a network, some people view it as a hacking tool. That misses the
point: Wireshark is a well-respected, widely used tool for troubleshooting packet delivery, and like any
capture tool it is only used legitimately on networks you are authorized to monitor.

Slide 3 – Follow Along Exercise with Pcap1


The students should now be logged into the Cyber Range and have the Kali VM open. Use the instructions
on this slide to start Wireshark and open the Pcap1.pcap file. (Demo this on your own computer as well.)
We will use this file to learn about the different sections of the Wireshark window.

Slide 4 – Wireshark Screen View


Point out to the students that three sections should be visible, separated by grey divider bars. Tell them to
hover over a divider until the cursor changes to an arrow that lets them drag it. Have them use this to
arrange their Wireshark window to match the one on the slide. Before continuing to the next slide, make sure
each student can clearly see the Packet List, the Packet Details and the Packet Bytes sections on their screen.

Slide 5 – Wireshark Sections


Here is an explanation of what can be seen in each section. For each section, read the description on the
slide and then point out the items in your own Wireshark display. For instance, in the Packet List section
point to the columns that show the destination IP address and the protocol. Then go into the Packet Details
section and point to the MAC addresses or the port numbers. Finally, in the Packet Bytes section point to
the hexadecimal dump on the left and its ASCII rendering on the right. The next slide gives the students
instructions for looking at specific packets, so on this slide we only want to establish what the three
sections are for.

NOTE that packet captures come with two file extensions: .pcap (the classic libpcap format) and .pcapng
(the newer format Wireshark saves by default). Wireshark opens both; the contents are the same kind of data.

Slide 6 – Packet List Section


The students should follow along in their own Wireshark window while you do the same steps on the
display screen.

GALANTECH with GARDEN STATE CYBER
Copyright © 2024 Cyber Innovation Center
All Rights Reserved. Not for Distribution.
First let's use the Packet List section to gather information. In this example, the PC at 192.168.100.101
wants to communicate with the PC at 192.168.100.102. We will walk through the steps that make that happen.

1. Click on Packet #1 and point out the Source IP address of 192.168.100.101 and the Destination IP
address of 192.168.100.102.

2. Look at packets 2 & 3: an ARP request is broadcast so that the source PC can learn the MAC address
of the PC at 192.168.100.102, and that PC answers with an ARP reply.

3. Go to packets 12, 13 and 14 and look all the way to the right at the Info column: you will see the
[SYN], [SYN, ACK] and [ACK] packets that make up the TCP three-way handshake.

Once all of this is completed, the communication between the two computers begins.

Slide 7 – Details Sections


Now let's move to the Packet Details section.

1. Click on Packet 1. In the Details section, click the arrow next to "Ethernet II" to expand that layer so
that we can find the Source and Destination MAC addresses.

2. Click the arrow next to "Transmission Control Protocol" to expand that layer so that we can find the
source and destination ports used in this packet.

Note that we concentrate mainly on the destination port. The source port is an ephemeral port the client
picks more or less at random from the high, unassigned range, while the destination port is the well-known
port assigned to the application protocol. So in this example the destination port is 80 because the
client is using HTTP.

Slide 8 – Bytes Section & Follow TCP Stream


The Bytes section may look like a wall of hex, but it is in fact an easy way to spot plain text in our packet
captures. Click on packet one. Now, keeping your eye on the ASCII column of the Bytes section, use the down
arrow key to step through the packets. You will start to notice real words; in fact, you should be able to
find someone's username and password! (Packets 47 and 50.) They are readable only because HTTP sends
them in cleartext; in an HTTPS capture the same bytes would be TLS ciphertext.

BUT that is not an efficient way of reading the text in packets, especially when the text is broken up
across many TCP segments. The much easier way is to right-click any packet in the conversation and choose
Follow > TCP Stream. Wireshark reassembles the segments in sequence order and shows the whole exchange
as one readable stream.

Tip: in the pictured Stream Content, text in red is what the client sent to the server (here, what the
user's browser transmitted, including the form fields the user typed), and text in blue is the server's
reply.
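The three Wireshark steps above (reading the Packet List columns, expanding Ethernet and TCP in Packet Details, and reassembling the conversation with Follow TCP Stream) can be reproduced in a few dozen lines of standard-library Python, which makes clear what the GUI is doing with the bytes. The following is an added example written for these notes, not a file from the lab: it constructs a small capture in code (hypothetical hosts 192.168.100.101 and 192.168.100.102 with made-up MAC addresses and a made-up login form) rather than reproducing Pcap1.pcap, writes it in the classic .pcap layout mentioned in the note above, dissects it into the Packet List fields, and then reassembles the TCP stream so that a password split across two segments becomes readable.

```python
"""Dissect a .pcap the way the lab reads it in Wireshark's three panes.

Added example for these teacher notes, not part of the lab files: the capture is
constructed in code (hypothetical hosts 192.168.100.101 and .102 with made-up MAC
addresses and a made-up login), so it runs offline with only the standard library.
"""
import struct

CLIENT_IP, SERVER_IP = "192.168.100.101", "192.168.100.102"
CLIENT_MAC, SERVER_MAC = bytes.fromhex("001122334401"), bytes.fromhex("001122334402")
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK"))

def ip_bytes(dotted_ip):
    return bytes(int(o) for o in dotted_ip.split("."))

def dotted(raw):
    return ".".join(map(str, raw))

# --- builders for the constructed capture -----------------------------------------
def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp(op, smac, sip, tmac, tip):  # op 1 = request ("Who has"), 2 = reply ("is at")
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + ip_bytes(sip) + tmac + ip_bytes(tip)

def ipv4_tcp(src, dst, segment):  # IHL 5, protocol 6 = TCP; checksums left zero
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64, 6, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr + segment

def tcp(sport, dport, seq, ack, flags, payload=b""):  # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload

def pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000, i * 1000, len(f), len(f)) + f
    return out

def build_sample_capture():
    c2s = lambda seg: eth(SERVER_MAC, CLIENT_MAC, 0x0800, ipv4_tcp(CLIENT_IP, SERVER_IP, seg))
    s2c = lambda seg: eth(CLIENT_MAC, SERVER_MAC, 0x0800, ipv4_tcp(SERVER_IP, CLIENT_IP, seg))
    post = (b"POST /login HTTP/1.1\r\nHost: 192.168.100.102\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
            b"username=student&password=Lab5")  # made-up credentials
    first, rest = post[:125], post[125:]  # the form body is split across two TCP segments
    return pcap([
        eth(b"\xff" * 6, CLIENT_MAC, 0x0806, arp(1, CLIENT_MAC, CLIENT_IP, b"\0" * 6, SERVER_IP)),
        eth(CLIENT_MAC, SERVER_MAC, 0x0806, arp(2, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP)),
        c2s(tcp(51234, 80, 1000, 0, SYN)),                 # three-way handshake
        s2c(tcp(80, 51234, 5000, 1001, SYN | ACK)),
        c2s(tcp(51234, 80, 1001, 5001, ACK)),
        c2s(tcp(51234, 80, 1001, 5001, PSH | ACK, first)),
        c2s(tcp(51234, 80, 1001 + len(first), 5001, PSH | ACK, rest)),
        s2c(tcp(80, 51234, 5001, 1001 + len(post), PSH | ACK,
                b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")),
    ])

# --- the "Wireshark side": identify the format, dissect, follow the stream --------------
def pcap_kind(data):
    """Distinguish the two formats the notes mention; .pcapng uses a different block layout."""
    if data[:4] == b"\x0a\x0d\x0d\x0a":
        return "pcapng"
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):  # little-endian usec / nsec magic
        return "pcap"
    return "unknown"

def dissect(data):
    """One row per packet: the Packet List columns plus the Details fields the lab points at."""
    if pcap_kind(data) != "pcap":
        raise ValueError("only little-endian classic .pcap is handled here")
    rows, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        etype = struct.unpack("!H", frame[12:14])[0]
        row = {"no": len(rows) + 1, "eth_src": frame[6:12].hex(":"), "eth_dst": frame[:6].hex(":"),
               "sport": None, "dport": None, "seq": None, "flags": "", "payload": b""}
        if etype == 0x0806:  # ARP header follows the 14-byte Ethernet header
            op = struct.unpack("!H", frame[20:22])[0]
            sip, tip = dotted(frame[28:32]), dotted(frame[38:42])
            row.update(src=sip, dst=tip, proto="ARP",
                       info=f"Who has {tip}? Tell {sip}" if op == 1 else f"{sip} is at {row['eth_src']}")
        elif etype == 0x0800 and frame[23] == 6:  # IPv4 carrying TCP
            t, total = 14 + (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
            sport, dport, seq = struct.unpack("!HHI", frame[t:t + 8])
            payload = frame[t + (frame[t + 12] >> 4) * 4:14 + total]
            flags = "[" + ", ".join(n for bit, n in FLAG_NAMES if frame[t + 13] & bit) + "]"
            row.update(src=dotted(frame[26:30]), dst=dotted(frame[30:34]),
                       proto="HTTP" if payload and 80 in (sport, dport) else "TCP",
                       sport=sport, dport=dport, seq=seq, flags=flags, payload=payload,
                       info=f"{sport} -> {dport} {flags} Len={len(payload)}")
        else:
            row.update(src=row["eth_src"], dst=row["eth_dst"], proto=hex(etype), info="not dissected")
        rows.append(row)
    return rows

def follow_tcp_stream(rows, client_ip, server_ip):
    """Reassemble each direction in sequence order, as Follow > TCP Stream does (red = client,
    blue = server in the GUI). Retransmissions and overlapping segments are not de-duplicated."""
    halves = {"client": [], "server": []}
    for r in rows:
        if r["proto"] in ("TCP", "HTTP") and r["payload"] and r["src"] in (client_ip, server_ip):
            halves["client" if r["src"] == client_ip else "server"].append((r["seq"], r["payload"]))
    return {side: b"".join(p for _, p in sorted(segs)) for side, segs in halves.items()}

def find_form_credentials(client_bytes):
    """Read username/password out of a cleartext HTTP form POST; None if the stream is not one."""
    head, _, body = client_bytes.partition(b"\r\n\r\n")
    if not head.startswith(b"POST"):
        return None
    fields = dict(kv.split(b"=", 1) for kv in body.split(b"&") if b"=" in kv)
    return fields.get(b"username", b"").decode(), fields.get(b"password", b"").decode()

if __name__ == "__main__":
    rows = dissect(build_sample_capture())
    for r in rows:  # the Packet List pane
        print(f'{r["no"]:>3} {r["src"]:<16} {r["dst"]:<16} {r["proto"]:<5} {r["info"]}')
    streams = follow_tcp_stream(rows, CLIENT_IP, SERVER_IP)
    print(streams["client"].decode(), find_form_credentials(streams["client"]))
```

Run it and compare the printed list with Wireshark's: the ARP pair, then [SYN], [SYN, ACK], [ACK], then the data segments. Notice that neither data segment on its own contains the whole `password=` field, which is exactly why stepping through the Bytes pane is slow and reassembly is the right tool. The script only understands the classic little-endian .pcap layout; a .pcapng file (the Wireshark default when saving) is rejected with a clear error instead of being misparsed.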

Slide 9 – Clearing the Filter


This is an important point to make because forgetting to clear the filter is a common mistake that trips up
Wireshark users. Emphasize that a coloured filter bar means a display filter is in effect: green means the
expression is valid and is being applied (so packets that do not match are hidden), red means the expression
has a syntax error, and yellow means it is valid but probably not what was intended. Click the grey X at the
right end of the filter bar to clear the filter and see every packet again.

Slide 10 – Finding Info in Wireshark - Search
There are several ways in Wireshark to look for information inside packets. The first is the Find Packet
function (Edit > Find Packet, or Ctrl+F), which is most useful when looking for a word. Wireshark (like any
computer program) treats a word as a string of characters, so select String as the search type and search
in the Packet bytes, otherwise it will try to interpret what you typed as a display filter or a hex value.

Slide 11 – Finding Info in Wireshark – Statistics


The second method is to narrow the list down to the packets that actually carry data. Wireshark records every
frame the capture interface sees, so a lot of packets contain only protocol bookkeeping such as the 3-way
handshake (SYN, SYN/ACK, ACK), ARP, or error messages. The Statistics menu (for example Protocol Hierarchy or
Conversations) lets you right-click an entry and apply it as a filter, leaving only the packets that carry
data such as text, URLs or images. The same effect can be had by typing a display filter such as tcp.len > 0
(TCP segments with a payload) or http.

Slide 12 – Finding Info in Wireshark – Extract Objects


The third method is to review the objects that were transferred while the websites were visited, such as
images or text files, using File > Export Objects > HTTP. There will be a LOT of icons and logos to sift
through, but if a file was downloaded during the website visit, then it will be listed for you to extract.
You can save it to the desktop and investigate it further with other tools; treat anything extracted from a
capture as untrusted data and examine it inside the lab VM, not on a production machine.
