BTJA (Blue Team Junior Analyst) Wireshark Activity PCAP 1 Walkthrough!
My walkthrough of analyzing PCAP 1 of the Wireshark Challenge from Security Blue Team Junior Analyst Pathway.
In this article we have been going to test our Wireshark skill by analyzing a pcap 1 file and will answer the following questions.
- Which protocol was used over port 3942?
. Statistics >Endpoints >UDP tab
. See port 3942 associated with IP 192.168.1.6.
. Right-click > Apply as Filter > Selected.
Now go to main screen of the Wireshark and get protocol name.
Answer: SSDP
2. What is the IP address of the host that was pinged twice?
To get the IP Address we will use icmp(protocol for ping utility) filter in display filter and will get back with results.
Answer: 8.8.4.4 pinged twice by 192.168.1.7
3. How many DNS query response packets were captured?
To get the DNS query response packets captured we will apply the dns filter in display filter and select the first packet that says, “standard query response.” and then go the packet details pane and open the details about Flags. The first flag says “Message is a response”; right-click this and select Apply as Filter > Selected.
Display filter get set automatically on top and at the bottom, see the number of displayed packets with the filter applied.
Anwer: 90
4. What is the IP address of the host which sent the greatest number of bytes?
To get the host which has sent the greatest number of bytes by clicking Statistics > Endpoints > IPv4 > click Tx Bytes (transmit bytes) to display the results in descending order. Rx Packets are received by a device, while Tx Packets are transmitted by a device.
Answer: 115.178.9.18
Conclusion:
Looking in Endpoints was very helpful in finding the information needed to answer the questions and remember that if you can click on something, then you can apply it as a filter as we have learned a little about digging into DNS packets.
