{"id":199,"date":"2025-06-22T16:41:19","date_gmt":"2025-06-22T16:41:19","guid":{"rendered":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=199"},"modified":"2025-06-22T16:41:19","modified_gmt":"2025-06-22T16:41:19","slug":"wireshark-part-iii","status":"publish","type":"post","link":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=199","title":{"rendered":"Wireshark part III"},"content":{"rendered":"\n

Exercise 1<\/strong><\/p>\n\n\n\n

Description:<\/strong> Extract the web object image from wireshark3.pcap<\/code> and view it. According to the extracted image, what did Snort save?<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Exercise 2<\/strong><\/p>\n\n\n\n

Description:<\/strong> Carve and decode the base64-encoded message from the SMTP exchange between 10.10.10.10 and 10.10.10.25. What does it say?<\/p>\n\n\n\n

First, we apply a filter to capture all the packets involved in this exchange: <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Then, we can right-click on any of these packets so that we can follow the TCP stream for this conversation:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

We can then save this stream as ‘raw’:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using notepad, I can now edit the file I just saved.<\/p>\n\n\n\n

I have to delete all lines above and below the single base64-encoded line and delete all blank lines. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I can now decode the resulting base64-encoded carved file. There are many online base64 decoders available. I can also use built-in tools on most operating systems.<\/p>\n\n\n\n

For Windows, I am going to use the built-in certutil command-line tool. The certutil command with the –decode option takes in a base64 file and outputs the decoded file. The format is:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The encoded message says: You rock big time! <\/p>\n","protected":false},"excerpt":{"rendered":"

Exercise 1 Description: Extract the web object image from wireshark3.pcap and view it. According to the extracted image, what did Snort save? Exercise 2 Description: Carve and decode the base64-encoded message from the SMTP exchange between 10.10.10.10 and 10.10.10.25. What does it say? First, we apply a filter to capture all the packets involved in […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-199","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=199"}],"version-history":[{"count":2,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/199\/revisions"}],"predecessor-version":[{"id":208,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/199\/revisions\/208"}],"wp:attachment":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}