{"id":53,"date":"2025-06-12T01:29:11","date_gmt":"2025-06-12T01:29:11","guid":{"rendered":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=53"},"modified":"2025-06-13T00:01:57","modified_gmt":"2025-06-13T00:01:57","slug":"introduction-to-wireshark","status":"publish","type":"post","link":"https:\/\/epbrtcybersecurityportfolio.xyz\/?p=53","title":{"rendered":"Introduction to Wireshark"},"content":{"rendered":"\n

The goal of this lab is to familiarize myself with the basic functionalities of Wireshark. <\/p>\n\n\n\n

Exercise 1 \u2013 Wireshark Profile Setup<\/h3>\n\n\n\n

To kick off the lab, I started by setting up a custom Wireshark configuration profile. These profiles are really helpful because they let you tailor things like display columns, settings, and layout to match your workflow. You can switch between different profiles depending on what you’re analyzing, and it\u2019s easy to import\/export them to share with others.<\/p>\n\n\n\n

For this exercise, I used a pre-made profile provided for the class. I opened Wireshark on my system and imported the SEC503.Wireshark.profile.zip<\/strong> file. Once that was in place, I loaded the wireshark.pcap<\/strong> capture file, which set me up to move on to the next part of the lab (Exercise 2).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Exercise 2 \u2013 Identifying TCP Protocols in the PCAP<\/h3>\n\n\n\n

In this part of the lab, I analyzed the provided wireshark.pcap<\/code> file to identify the different TCP-based protocols present in the capture. <\/p>\n\n\n\n

By going to the Statistics<\/strong> menu in Wireshark and selecting Protocol Hierarchy<\/strong>, I was able to quickly identify the three TCP protocols used in the capture file. This feature provides a clear breakdown of all protocols seen in the traffic, making it easy to spot which ones are running over TCP:<\/p>\n\n\n\n

-SSH<\/p>\n\n\n\n

-MySQL <\/p>\n\n\n\n

-Internet Relay Chat<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

How many different IP addresses were involved in conversations in this pcap?<\/strong><\/p>\n\n\n\n

To answer this, I opened the Conversations<\/strong> window under the Statistics<\/strong> menu in Wireshark. This tool displays all IP-level conversations and allowed me to easily identify how many unique IP addresses were communicating in the capture. It\u2019s a quick way to get an overview of the network activity and see which hosts were involved.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

We can see that 4 different IP addresses were involved in 3 conversations in this file. <\/p>\n\n\n\n

What is the largest number of Bytes exchanged in any IPv4 conversation?<\/strong><\/p>\n\n\n\n

To determine the largest number of bytes exchanged in any IPv4 conversation, I used the IPv4 Conversations<\/strong> tab under Statistics > Conversations<\/strong> in Wireshark. This view lists the total byte count for each conversation.<\/p>\n\n\n\n

From the output, I found that the highest byte exchange between any two hosts was 31k<\/strong>. This gave me a quick insight into which conversation involved the most data transfer within the capture.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Exercise 3 \u2013 Counting TCP Conversations<\/h3>\n\n\n\n

How many different TCP conversations are in this pcap?<\/strong><\/p>\n\n\n\n

For this exercise, I used the Statistics > Conversations<\/strong> feature in Wireshark and navigated to the TCP<\/strong> tab. This tab lists all the unique TCP sessions found in the capture file. Each entry represents a separate conversation between two IP addresses over TCP.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

We can see 4 different TCP conversations in this file. <\/p>\n\n\n\n

What is the duration of the conversation that lasted the longest?<\/strong><\/p>\n\n\n\n

To answer this, I stayed in the TCP<\/strong> tab under Statistics > Conversations<\/strong> in Wireshark. This view includes a Duration<\/strong> column, which shows how long each TCP conversation lasted. By scanning this column, I identified the conversation with the longest duration (776.1629 seconds)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Exercise 4 \u2013 Inspecting Ethernet Type<\/h3>\n\n\n\n

Before starting this task, I made sure that all three Wireshark panes were visible: the packet list, packet details, and packet bytes. If they weren\u2019t showing, I adjusted the window size by dragging from the bottom-right corner until they appeared.<\/p>\n\n\n\n

Navigate to the first packet in the pcap. What is the hexadecimal value of the Ethernet type?<\/strong><\/p>\n\n\n\n

I selected the first packet in the capture and expanded the Ethernet II<\/strong> section in the middle pane. From there, I located the Type<\/strong> field, which shows the Ethernet type in hexadecimal format (0x0800). This value indicates the protocol being used at the next layer (IPv4 here).<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

What is the IP Time To Live Value?<\/strong><\/p>\n\n\n\n

We can find it by expanding the IPv4 section in the middle pane and find that the value is equal to 64.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

What transport layer follows the IP layer?<\/strong><\/p>\n\n\n\n

We can find our answer right under the TTL line under Protocol. Hre we can see that the transport layer is TCP (which corresponds to an Hexadecimal value is 0x06)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

What is the last hexadecimal byte value of the TCP header ?<\/strong><\/p>\n\n\n\n

By clicking on the TCP header in the middle pane, the entire TCP header gets highlighted in the lower pane and we can see that the last hexadecimal byte value is 0xef<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Exercise 5 \u2013 Inspecting MySQL Traffic<\/h3>\n\n\n\n

As identified earlier using Protocol Hierarchy Statistics<\/strong>, the pcap file contains MySQL traffic. According to the instructions, there is a single MySQL session that begins at packet 372<\/strong>.<\/p>\n\n\n\n

Locate the MySQL session that begins in packet 372. Follow the MySQL TCP conversation. What is the version of the MySQL server package for Ubuntu?<\/strong><\/p>\n\n\n\n

To complete this task, I navigated to packet 372<\/strong> by going to the Go menu and selecting the Go To Packet option:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I then right-clicked on it to select Follow > TCP Stream<\/strong>. This allowed me to view the entire MySQL session in context. By examining the initial handshake and server response, I was able to extract the MySQL version number used in the Ubuntu server package (5.0.51a-3ubuntu5.8). This kind of inspection is useful for identifying software versions and potential vulnerabilities in network traffic.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

What is the name of the SQL Table that the user performs an Insert Into command on?<\/strong><\/p>\n\n\n\n

At the bottom of the TCP stream, we can see that the command is performed on a table called “auth_users”.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Exercise 6 \u2013 Finding a Specific String in Packet Data<\/h3>\n\n\n\n

What is the last packet that contains the string “beer”?<\/strong><\/p>\n\n\n\n

To complete this exercise, I used Wireshark\u2019s Find Packet<\/strong> feature by pressing Ctrl + F<\/code> and switching the search type to String<\/strong> within Packet Bytes<\/strong>. I then searched for the keyword “beer”<\/strong>.<\/p>\n\n\n\n

Wireshark highlighted each packet containing this string. I scrolled through the results to locate the last packet<\/strong> in the capture that contained “beer” and recorded its packet number (470). This was a fun way to practice content-based searches within packet data.<\/p>\n\n\n\n

\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"

The goal of this lab is to familiarize myself with the basic functionalities of Wireshark. Exercise 1 \u2013 Wireshark Profile Setup To kick off the lab, I started by setting up a custom Wireshark configuration profile. These profiles are really helpful because they let you tailor things like display columns, settings, and layout to match […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[6],"class_list":["post-53","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-wireshark"],"_links":{"self":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/53","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=53"}],"version-history":[{"count":5,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions"}],"predecessor-version":[{"id":74,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=\/wp\/v2\/posts\/53\/revisions\/74"}],"wp:attachment":[{"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=53"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=53"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/epbrtcybersecurityportfolio.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=53"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}