Forensic Assignment. Two labs due Sunday 11:59.

ITN 262

LAB # 3 Traffic analysis using packet sniffers

Part 1: Traffic analysis with Wireshark

You have already downloaded and installed Wireshark in your LAB 1 and learnt how to read Wireshark output.

In this lab we will capture raw traffic from the network interface card. Run Wireshark and, under the 'Capture' menu, go to Options. Under "Display Options", make sure that "Update list of packets in real time" and "Automatic scrolling in live capture" are both checked. Under the "Capture" menu, choose "Interfaces". (Remember to use the correct interface.)

  1. Open up a browser and go to http://urbexforums.com ( if this site does not work please go to http://latestdot.com/ )

  2. Register with the site and create your own login (yourName_itn262; for example, mine is sdas_itn262) and password (password). Please do not use a password you normally use elsewhere.

  3. Click on start in Wireshark to start capturing traffic.

  4. Sign in at the right side of the page with your username (yourName_itn262) and password (password).

  5. After the page loads up, stop the capture by clicking on "stop" under the ‘Capture’ menu.

  6. Provide a screen shot of your Wireshark capture so that I can see you have visited http://urbexforums.com/. You can use a filter to find HTTP packets.

Part 1 a: (5)

1. Take a look at the captured traffic in Wireshark. Now you want to search for the username and password that were entered when you logged in. You will be looking at the bottom section, where the raw data is displayed. To make this easier, click on one of the green-colored captured packets. Then click on the 'Analyze' menu and choose 'Follow TCP Stream'. Perform a find for the username and password.

What did you find? Provide a screen shot for the data where it shows the username and password.

Part 1 b: (5)

2. Now you need to perform another packet capture. Go to mynova under nvcc.edu. Then start your capture.


  1. Click on start in Wireshark to start capturing traffic.

  2. Sign in to your VCCS email at the right side of the page with your username.

  3. After the page loads up, stop the capture by clicking on "stop" under the ‘Capture’ menu.

  4. Provide a screen shot of your Wireshark capture so that I can see you have visited VCCS email.

Go back and perform another 'Follow TCP stream' from under the 'Analyze' menu.

Can you find your username or password? Why or why not? Explain your answer briefly and provide an appropriate screen shot.
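To see why the two captures differ, here is an added Python example (not part of the lab handout). It takes a reconstructed TCP stream, like the one "Follow TCP Stream" displays, and reports any form fields that look like credentials. The HTTP and TLS streams it runs on are constructed sample data, not real captures; the field names and the values sdas_itn262 / password reuse the ones given in the lab, and the list of credential-like field names is a heuristic assumption. This is the kind of check an auditor runs to flag logins that still travel in cleartext.

```python
"""Flag cleartext credentials in a reconstructed TCP stream.

Added example for the lab, not part of the handout. It mimics what
Wireshark's "Follow TCP Stream" shows: a plain-HTTP form login is readable
text, while the same login over HTTPS is only visible as TLS records whose
payload is ciphertext. Both streams below are constructed sample data.
"""
from typing import Dict, Optional
from urllib.parse import parse_qs

# Field names that usually carry a login secret (heuristic; an assumption).
CREDENTIAL_KEYS = ("user", "login", "pass", "pwd")

# Constructed: what Follow TCP Stream shows for a plain-HTTP form login.
HTTP_LOGIN_STREAM = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: urbexforums.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"username=sdas_itn262&password=password"
)

# Constructed: the same login over HTTPS. Only the TLS record headers are
# recognisable; the payload bytes are ciphertext (here just filler bytes).
TLS_LOGIN_STREAM = (
    b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03"   # handshake record (ClientHello stub)
    + b"\x17\x03\x03\x00\x10" + bytes(range(16))        # application-data record
)


def classify_stream(stream: bytes) -> str:
    """Return 'http' for a readable HTTP request, 'tls' for TLS records, else 'other'."""
    if stream.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return "http"
    # TLS record header: content type 0x14..0x17, then version 0x03 0x00..0x04.
    if (len(stream) >= 5 and stream[0] in (0x14, 0x15, 0x16, 0x17)
            and stream[1] == 0x03 and stream[2] <= 0x04):
        return "tls"
    return "other"


def find_cleartext_credentials(stream: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTP request and return the form fields that look like credentials.

    Returns None when the stream is not HTTP, has no form body, or carries no
    credential-like field, which is what happens for the HTTPS capture: the
    login is there, but only as ciphertext inside TLS records.
    """
    if classify_stream(stream) != "http":
        return None
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"application/x-www-form-urlencoded" not in headers.get(b"content-type", b""):
        return None
    # Honour Content-Length so bytes of a following request are not parsed as fields.
    length = int(headers.get(b"content-length", len(body)))
    fields = parse_qs(body[:length].decode("latin-1"), keep_blank_values=True)
    found = {k: v[0] for k, v in fields.items()
             if any(key in k.lower() for key in CREDENTIAL_KEYS)}
    return found or None


if __name__ == "__main__":
    for label, stream in (("HTTP login", HTTP_LOGIN_STREAM), ("HTTPS login", TLS_LOGIN_STREAM)):
        print(label, classify_stream(stream), find_cleartext_credentials(stream))
```

Running the block prints the readable username and password for the HTTP stream and None for the TLS stream, which is exactly the difference between the urbexforums.com capture and the VCCS email capture: the second site moves the form to HTTPS, so the TCP stream contains nothing a text search can match.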

Lab 3: Part 2: Traffic analysis with tcpdump

You have already used Wireshark for traffic analysis. Now let's use another powerful TCP/IP packet sniffer, tcpdump, and learn its basic usage.

Please follow the instructions below and complete each task. Use screen shots to demonstrate that you have done every task. In addition to the screen captures, where required please provide a brief explanation of your result.

We already discussed in class how packets are captured in promiscuous mode. Normally the network card of a computer drops packets that are not addressed to the system. In promiscuous mode, however, the network card forwards all packets reaching the card to the operating system so that tcpdump can capture them, regardless of their destination (MAC) addresses. Using tcpdump in promiscuous mode, one can examine all traffic passing through the interface, extract sensitive information, and thereby sniff the network.

Root privilege is required to use tcpdump for sniffing. I've also posted a reading; if you want to know how tcpdump works you can read it here: http://danielmiessler.com/study/tcpdump/ . I'd also encourage you to read the tutorial from https://packetlife.net/media/library/12/tcpdump.pdf

Your Kali VM already has tcpdump installed. If it is not installed, tcpdump can be downloaded from http://www.tcpdump.org/#latest-release for the latest version, which now is tcpdump-4.99.1. However, unless you are using campus machines, I would recommend using a prebuilt Kali.

Before starting, display your IP address and the name of your network interface and record them.

Kali VM IP : _____________ interface ______________________

Host IP : ________________ Interface : _____________________

1. Open a terminal window and type the following command to start capturing TCP/IP packets from the active interface. Do not close this terminal window. Provide a screen capture.

Type tcpdump

How many packets did you get? You can use Ctrl+C to stop tcpdump at any time.

Now type tcpdump -nn

What did you get? What is the difference? (Type "man tcpdump" in the command line to see all the options available for tcpdump. Use the Space Bar to move to the next page. You can also use the Page Up and Page Down keys to navigate the manual pages. When you are done, press Q to go back to the terminal.)

2. Open a terminal window and type the following command to start capturing TCP/IP packets from the active interface. Do not close this terminal window.

tcpdump -nn

Open another terminal window and ping the target computer (your host machine) 10 times by typing ping followed by its address: ping ___.___.___.___

Go to the terminal window where tcpdump is running. You should see ICMP echo packets between your computer and the host machine. Show the traffic. (5)

3. Open the same site that you have used before http://urbexforums.com/ to make some network traffic, meanwhile check out the output of tcpdump:

Your result looks like [arrival time] [source IP].[port] > [destination IP].[port].

What is the arrival time? What is the source address? What is the destination address? Which port? (5)

Type

tcpdump -e

tcpdump -e -i eth0 (my interface is eth0; put yours)

Compare the results. It is also possible to capture packets based on the source or destination port. For example, type tcpdump -nn port 80 (5)

4. tcpdump allows you to capture packets and show the inter-arrival time instead of the arrival time in the result. Use tcpdump to get the inter-arrival time while capturing packet information.

Type tcpdump -ttt

What is the inter-arrival time between packets from your computer and my3gb.com?

5. Now use tcpdump and log on to http://urbexforums.com and analyze the captured traffic the same way you did with Wireshark before. Can you find your user ID and password now?
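For steps 3 and 4 above, here is an added Python example (not from the lab handout and not part of tcpdump itself) that parses lines in the tcpdump -nn format, [arrival time] [source IP].[port] > [destination IP].[port], and computes the gaps between consecutive packets the way -ttt prints them. It also applies the equivalent of the port 80 filter after the fact. The four capture lines are constructed sample data with made-up addresses, not a real capture, and the protocol guess from the text after the colon is a simplification.

```python
"""Parse tcpdump -nn output and derive -ttt style inter-arrival times.

Added example for the lab, not part of the handout. SAMPLE_LINES is
constructed sample data in the shape tcpdump -nn prints; it is not a real
capture.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LINES = [
    "10:42:01.000000 IP 10.0.2.15.44312 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0",
    "10:42:01.025000 IP 93.184.216.34.80 > 10.0.2.15.44312: Flags [S.], seq 1, ack 2, win 65535, length 0",
    "10:42:01.025400 IP 10.0.2.15.44312 > 93.184.216.34.80: Flags [.], ack 1, win 502, length 0",
    "10:42:01.300000 IP 10.0.2.15 > 10.0.2.2: ICMP echo request, id 1, seq 1, length 64",
]

# [arrival time] IP [source].[port] > [destination].[port]: [rest of the line]
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) IP "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'10.0.2.15.44312' -> ('10.0.2.15', 44312); '10.0.2.15' -> ('10.0.2.15', None).

    With -nn the port is appended to the address with a dot, so an IPv4
    endpoint with five dot-separated parts carries a port; ICMP has none.
    """
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_line(line: str) -> Optional[Dict]:
    """Turn one tcpdump -nn line into a record; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Arrival time as microseconds since midnight, so deltas are exact integers.
    time_us = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1_000_000 + int(m["us"])
    src_ip, sport = split_endpoint(m["src"])
    dst_ip, dport = split_endpoint(m["dst"])
    rest = m["rest"]
    # Simplified protocol guess from the text after the colon (an assumption).
    proto = "ICMP" if rest.startswith("ICMP") else ("UDP" if rest.startswith("UDP") else "TCP")
    return {"time_us": time_us, "src": src_ip, "sport": sport,
            "dst": dst_ip, "dport": dport, "proto": proto, "info": rest}


def parse_capture(lines: List[str]) -> List[Dict]:
    """Parse every recognisable line, silently skipping ones in another format."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def inter_arrival_us(records: List[Dict]) -> List[int]:
    """Gaps between consecutive packets in microseconds, as -ttt reports them."""
    return [b["time_us"] - a["time_us"] for a, b in zip(records, records[1:])]


def format_ttt(delta_us: int) -> str:
    """Render a gap the way tcpdump -ttt prints it: HH:MM:SS.uuuuuu."""
    seconds, us = divmod(delta_us, 1_000_000)
    hours, seconds = divmod(seconds, 3600)
    minutes, seconds = divmod(seconds, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}.{us:06d}"


def on_port(records: List[Dict], port: int) -> List[Dict]:
    """Post-hoc equivalent of the 'port 80' capture filter (either direction)."""
    return [r for r in records if port in (r["sport"], r["dport"])]


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_LINES)
    for r in recs:
        print(r["proto"], r["src"], r["sport"], "->", r["dst"], r["dport"])
    for gap in inter_arrival_us(recs):
        print(format_ttt(gap))
    print(len(on_port(recs, 80)), "packets involve port 80")
```

The first gap in the sample, 00:00:00.025000, is the handshake round trip to the web server; the 274.6 ms gap before the ICMP line is what you would read off a -ttt capture when the ping is typed a little after the page load.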