Exercise 1 \u2013 Filtering DNS Queries for a Specific Domain<\/h3>\n\n\n\n
Task:<\/strong> Find the packet record number(s) where a DNS query name contains the string glenhighland<\/strong>.<\/p>\n\n\n\n There are many ways to solve this. One way is to filter the packets in Wireshark for DNS query name using the filter ‘dns.qry.name’ and then looking for the glenhighland string in the filtered packets using the Edit\/Find Packet menu. Packets 101 and 102 contains this string. <\/p>\n\n\n\n Task:<\/strong> Find all ARP request records. How many are there, and what filter did you use?<\/p>\n\n\n\n To complete this task, I used a Wireshark display filter<\/strong> that isolates ARP request packets specifically. First, I reviewed the structure of an ARP packet by looking at one in the packet list which Wireshark identified as a request under the Address Resolution Protocol<\/strong> section. <\/p>\n\n\n\n I then right clicked on the Opcode line and applied this same filter to the packet list. <\/p>\n\n\n\n The arp.opcode==1 gets applied, and 16 packets get displayed (it is shown at the bottom right corner of the wireshark screen).<\/p>\n\n\n\n Task:<\/strong> Find the record numbers of any ICMP echo reply (type 0) frames that required zero-padding due to being smaller than the minimum acceptable Ethernet II length.<\/p>\n\n\n\n To solve this, I first recalled that the minimum Ethernet II frame size<\/strong> is 64 bytes<\/strong>, and that the Ethernet header (14 bytes)<\/strong> plus trailer (4 bytes)<\/strong> leave at least 46 bytes<\/strong> required for the IP payload. Therefore, any IP datagram smaller than 46 bytes would be too short<\/strong> and must be padded<\/strong> to meet Ethernet\u2019s minimum.<\/p>\n\n\n\n I used the Wireshark Display Filter Expression<\/strong> dialog to build a compound filter<\/strong> that would identify:<\/p>\n\n\n\n To do this:<\/p>\n\n\n\n We identified 3 packets using these combined filters.<\/p>\n\n\n\n Task:<\/strong> Find all records where the UDP protocol<\/strong> is carrying DNS traffic<\/strong>. How many are there? Save those packets to a new file named dns.pcapng<\/strong>.<\/p>\n\n\n\n To complete this, I used this display filter in Wireshark:<\/p>\n\n\n\n This filter shows all packets where DNS communication is occurring over UDP (14 packets are displayed). <\/p>\n\n\n\n Once filtered, I saved the displayed packets to a new capture file:<\/p>\n\n\n\n Wireshark Display Filters Lab \u2013 Overview and Setup This lab focused on becoming more familiar with using Wireshark display filters to isolate specific types of traffic. Exercise 1 \u2013 Filtering DNS Queries for a Specific Domain Task: Find the packet record number(s) where a DNS query name contains the string glenhighland. There are many ways […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-wireshark"],"_links":{"self":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=120"}],"version-history":[{"count":5,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":135,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/120\/revisions\/135"}],"wp:attachment":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-39-1024x249.png\")
<\/figure>\n\n\n\nExercise 2 \u2013 Finding ARP Request Records<\/h3>\n\n\n\n
![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-40-1024x443.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-42-1024x580.png\")
<\/figure>\n\n\n\nExercise 3 \u2013 Identifying ICMP Echo Replies with Undersized IP Payloads<\/h3>\n\n\n\n
\n
\n
<<\/code>) relation<\/li>\n\n\n\n46<\/code><\/li>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-43-1024x119.png\")
<\/figure>\n\n\n\nExercise 4 \u2013 Isolating and Exporting DNS over UDP Traffic<\/h3>\n\n\n\n
![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-44-1024x488.png\")
<\/figure>\n\n\n\n\n
dns.pcapng<\/code>.<\/li>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/06\/image-45-1024x648.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"