Network Traffic and Exploit Identification

Learning Objectives and Outcomes
Analyze network packet captures.


Assignment Requirements


Answer the following questions based on the packet capture that follows each of them. You may research any of these on the Internet if you need to do so.

  1. What was the first connection made, to where, and via what protocol?
    15:40:19.571032 IP 192.168.2.62.44389 > 192.168.2.104.22: S 1273007928:1273007928(0) win 5840
    15:40:19.571720 IP 192.168.2.104.22 > 192.168.2.62.44389: S 1312754191:1312754191(0) ack 1273007929 win 5792
    15:40:19.571812 IP 192.168.2.62.44389 > 192.168.2.104.22: . ack 1 win 92
    15:40:19.604635 IP 192.168.2.104.22 > 192.168.2.62.44389: P 1:40(39) ack 1 win 91
    15:40:19.611687 IP 192.168.2.62.44389 > 192.168.2.104.22: . ack 40 win 92
    15:40:19.612844 IP 192.168.2.62.44389 > 192.168.2.104.22: P 1:40(39) ack 40 win 92
  2. What website did the user visit? What port did it connect to?
    15:42:31.063149 IP 192.168.2.62.36182 > 192.168.2.1.53: 64516+ A? google.com. (28)
    15:42:31.080163 IP 192.168.2.1.53 > 192.168.2.62.36182: 64516 6/0/0 A 74.125.95.103,[|domain]
    15:42:31.126128 IP 192.168.2.62.60175 > 74.125.95.103.80: S 3347203011:3347203011(0) win 5840
    15:42:31.151658 IP 74.125.95.103.80 > 192.168.2.62.60175: S 1961428039:1961428039(0) ack 3347203012 win 5672
    15:42:31.151923 IP 192.168.2.62.60175 > 74.125.95.103.80: . ack 1 win 92
    15:42:31.152698 IP 192.168.2.62.60175 > 74.125.95.103.80: P 1:465(464) ack 1 win 92
    15:42:31.185873 IP 74.125.95.103.80 > 192.168.2.62.60175: . ack 465 win 106
    15:42:31.186930 IP 74.125.95.103.80 > 192.168.2.62.60175: P 1:512(511) ack 465 win 106
    15:42:31.186969 IP 192.168.2.62.60175 > 74.125.95.103.80: . ack 512 win 108
  3. What is different about this connection to the same site? Explain what was different, and what this
    would mean to a security analyst performing packet captures.
    15:47:49.273824 IP 192.168.2.62.42937 > 192.168.2.1.53: 30382+ A? www.google.com. (32)
    15:47:49.292587 IP 192.168.2.1.53 > 192.168.2.62.42937: 30382 7/0/0 CNAME www.l.google.com.,[|domain]
    15:47:49.293736 IP 192.168.2.62.44190 > 209.85.225.104.443: S 4032272183:4032272183(0) win 5840
    15:47:49.320776 IP 209.85.225.104.443 > 192.168.2.62.44190: S 901179054:901179054(0) ack 4032272184 win 5672
    15:47:49.320842 IP 192.168.2.62.44190 > 209.85.225.104.443: . ack 1 win 92
    15:47:49.321702 IP 192.168.2.62.44190 > 209.85.225.104.443: P 1:164(163) ack 1 win 92
    15:47:49.351569 IP 209.85.225.104.443 > 192.168.2.62.44190: . ack 164 win 106
    15:47:49.352940 IP 209.85.225.104.443 > 192.168.2.62.44190: . 1:1419(1418) ack 164 win 106
    15:47:49.352966 IP 192.168.2.62.44190 > 209.85.225.104.443: . ack 1419 win 137
  4. What is occurring in the following traffic capture? What tells you this?
    15:50:53.508777 IP 192.168.2.104.52386 > 192.168.2.62.5900: S 3291711383:3291711383(0) win 2048
    15:50:53.508927 IP 192.168.2.62.5900 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.509020 IP 192.168.2.104.52386 > 192.168.2.62.110: S 3291711383:3291711383(0) win 4096
    15:50:53.509033 IP 192.168.2.62.110 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.509614 IP 192.168.2.104.52386 > 192.168.2.62.22: S 3291711383:3291711383(0) win 1024
    15:50:53.509629 IP 192.168.2.62.22 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.510196 IP 192.168.2.104.52386 > 192.168.2.62.1025: S 3291711383:3291711383(0) win 4096
    15:50:53.510210 IP 192.168.2.62.1025 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.511099 IP 192.168.2.104.52386 > 192.168.2.62.135: S 3291711383:3291711383(0) win 4096
    15:50:53.511113 IP 192.168.2.62.135 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.511220 IP 192.168.2.62.199 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.511275 IP 192.168.2.104.52386 > 192.168.2.62.23: S 3291711383:3291711383(0) win 1024
    15:50:53.511289 IP 192.168.2.62.23 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.512057 IP 192.168.2.104.52386 > 192.168.2.62.993: S 3291711383:3291711383(0) win 3072
    15:50:53.512082 IP 192.168.2.62.993 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.512490 IP 192.168.2.104.52386 > 192.168.2.62.80: S 3291711383:3291711383(0) win 3072
    15:50:53.512503 IP 192.168.2.62.80 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.512625 IP 192.168.2.104.52386 > 192.168.2.62.587: S 3291711383:3291711383(0) win 2048
    15:50:53.512636 IP 192.168.2.62.587 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
    15:50:53.513796 IP 192.168.2.104.52386 > 192.168.2.62.139: S 3291711383:3291711383(0) win 2048
    15:50:53.513816 IP 192.168.2.62.139 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
  5. Advanced analysis exercise: Packet (d) below contains interesting content. Read through it
    carefully and explain what might be occurring.
    a. 16:05:51.768502 IP (tos 0x0, ttl 64, id 46146, offset 0, flags [DF], proto TCP (6), length 451) 192.168.2.62.51622 > 192.168.2.104.8080: P 999656888:999657287(399) ack 1026547700 win 544
       E….B@.@……>…h….;…=/…..
       ………….KmGET /zzioR5iD HTTP/1.1 Host:
    b. 16:05:51.963761 IP (tos 0x0, ttl 64, id 26181, offset 0, flags [DF], proto TCP (6), length 52) 192.168.2.104.8080 > 192.168.2.62.51622: ., cksum 0x70f9 (correct), 1:1(0) ack 399 win 175
       E..4fE@.@.N….h…>….=/..;..G….p…………..
    c. 16:05:55.129265 IP (tos 0x0, ttl 64, id 26182, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.2.104.8080 > 192.168.2.62.51622: . 1:1449(1448) ack 399 win 175
       E…fF@.@.H….h…>….=/..;..G….=…………..HTTP/1.1 200 OKContent-Type:
    d. 16:05:55.130916 IP (tos 0x0, ttl 64, id 26186, offset 0, flags [DF], proto TCP (6), length 1500) 192.168.2.104.8080 > 192.168.2.62.51622: . 5793:7241(1448) ack 399 win 175
       E…fJ@.@.H….h…>….=/..;..G………………216){tOy += tOy;}
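
As an added analysis aid (not part of the assignment or of the captures it reproduces), the following Python script parses tcpdump lines in the text format shown above and reports the three things an analyst checks first: which DNS names were queried, every completed TCP three-way handshake with its destination port and service name, and any host that sends bare SYNs to many ports of one target within a short window and gets RSTs back, which is the signature of a closed-port sweep. The sample input is built from the capture lines of questions 1 to 4, rejoined where the page wrapped them; the SERVICES table, the `min_ports` and `window` thresholds, and all function names are this example's own choices, not something the assignment prescribes.

```python
import re
from collections import defaultdict

# IANA service names for the ports that appear in the captures above.
SERVICES = {22: "ssh", 23: "telnet", 80: "http", 110: "pop3", 135: "msrpc", 139: "netbios-ssn",
            443: "https", 587: "submission", 993: "imaps", 5900: "vnc", 8080: "http-alt"}

# One tcpdump line in the older text format used above; the verbose form's
# "(tos ..., ..., length N)" block between "IP" and the addresses is optional.
LINE_RE = re.compile(
    r"^(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d\.\d+) IP (?:\(.*?\) )?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<body>.*)$")

def parse_line(line):
    """Return a packet dict for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    pkt = {"ts": int(m["hh"]) * 3600 + int(m["mm"]) * 60 + float(m["ss"]), "src": m["src"],
           "sport": int(m["sport"]), "dst": m["dst"], "dport": int(m["dport"]),
           "proto": "tcp", "flags": "", "ack": False, "payload": 0, "dns": None}
    if 53 in (pkt["sport"], pkt["dport"]):               # DNS: keep the queried name
        q = re.search(r"\b(?:A|AAAA|CNAME)\? (\S+)", body)
        pkt.update(proto="dns", dns=q.group(1).rstrip(".") if q else None)
        return pkt
    fl = re.match(r"[SPRF.]+", body)                      # old-style flag letters: S . P R F
    ln = re.search(r"\((\d+)\)", body)                    # "(N)" is the TCP payload length
    pkt.update(flags=fl.group(0) if fl else "", payload=int(ln.group(1)) if ln else 0,
               ack=re.search(r"\back\s*\d", body) is not None)
    return pkt

def find_handshakes(packets):
    """(client, server, port) for each SYN / SYN-ACK / ACK exchange completed in order."""
    syn, synack, done = set(), set(), []
    for p in (p for p in packets if p["proto"] == "tcp"):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S" and not p["ack"]:
            syn.add(fwd)
        elif p["flags"] == "S" and p["ack"] and rev in syn:
            synack.add(rev)                               # keyed from the client's side
        elif p["flags"] == "." and p["ack"] and fwd in synack:
            synack.discard(fwd)
            done.append((p["src"], p["dst"], p["dport"]))
    return done

def detect_syn_sweeps(packets, min_ports=5, window=1.0):
    """Sources sending bare SYNs to >= min_ports ports of one host within `window` s (RST reply = closed)."""
    syns, rsts = defaultdict(list), set()
    for p in (p for p in packets if p["proto"] == "tcp"):
        if p["flags"] == "S" and not p["ack"]:
            syns[(p["src"], p["dst"])].append((p["ts"], p["sport"], p["dport"]))
        elif "R" in p["flags"]:
            rsts.add((p["src"], p["sport"], p["dst"]))
    out = []
    for (src, dst), probes in syns.items():
        ports, ts = sorted({d for _, _, d in probes}), [t for t, _, _ in probes]
        if len(ports) >= min_ports and max(ts) - min(ts) <= window:
            out.append({"scanner": src, "target": dst, "ports": ports,
                        "closed": [d for d in ports if (dst, d, src) in rsts],
                        "source_ports": sorted({s for _, s, _ in probes})})
    return out

def summarize(text):
    """Parse a block of tcpdump text and report what an analyst would look for first."""
    packets = [p for p in map(parse_line, text.splitlines()) if p]
    return {"dns_queries": [p["dns"] for p in packets if p["dns"]],
            "handshakes": [(c, s, d, SERVICES.get(d, "?")) for c, s, d in find_handshakes(packets)],
            "syn_sweeps": detect_syn_sweeps(packets)}

# Sample input: lines from the captures above (questions 1 to 4), rejoined where the page wrapped them.
CAPTURE = """\
15:40:19.571032 IP 192.168.2.62.44389 > 192.168.2.104.22: S 1273007928:1273007928(0) win 5840
15:40:19.571720 IP 192.168.2.104.22 > 192.168.2.62.44389: S 1312754191:1312754191(0) ack 1273007929 win 5792
15:40:19.571812 IP 192.168.2.62.44389 > 192.168.2.104.22: . ack 1 win 92
15:42:31.063149 IP 192.168.2.62.36182 > 192.168.2.1.53: 64516+ A? google.com. (28)
15:42:31.126128 IP 192.168.2.62.60175 > 74.125.95.103.80: S 3347203011:3347203011(0) win 5840
15:42:31.151658 IP 74.125.95.103.80 > 192.168.2.62.60175: S 1961428039:1961428039(0) ack 3347203012 win 5672
15:42:31.151923 IP 192.168.2.62.60175 > 74.125.95.103.80: . ack 1 win 92
15:47:49.273824 IP 192.168.2.62.42937 > 192.168.2.1.53: 30382+ A? www.google.com. (32)
15:47:49.293736 IP 192.168.2.62.44190 > 209.85.225.104.443: S 4032272183:4032272183(0) win 5840
15:47:49.320776 IP 209.85.225.104.443 > 192.168.2.62.44190: S 901179054:901179054(0) ack 4032272184 win 5672
15:47:49.320842 IP 192.168.2.62.44190 > 209.85.225.104.443: . ack 1 win 92
15:50:53.508777 IP 192.168.2.104.52386 > 192.168.2.62.5900: S 3291711383:3291711383(0) win 2048
15:50:53.508927 IP 192.168.2.62.5900 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.509020 IP 192.168.2.104.52386 > 192.168.2.62.110: S 3291711383:3291711383(0) win 4096
15:50:53.509033 IP 192.168.2.62.110 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.509614 IP 192.168.2.104.52386 > 192.168.2.62.22: S 3291711383:3291711383(0) win 1024
15:50:53.509629 IP 192.168.2.62.22 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.510196 IP 192.168.2.104.52386 > 192.168.2.62.1025: S 3291711383:3291711383(0) win 4096
15:50:53.510210 IP 192.168.2.62.1025 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
15:50:53.511099 IP 192.168.2.104.52386 > 192.168.2.62.135: S 3291711383:3291711383(0) win 4096
15:50:53.511113 IP 192.168.2.62.135 > 192.168.2.104.52386: R 0:0(0) ack 3291711384 win 0
"""
if __name__ == "__main__":
    print(summarize(CAPTURE))
```

Run as-is, the script reports the two DNS queries, three handshakes (to ssh, http and https ports) and one sweep in which 192.168.2.104 probes five ports of 192.168.2.62 from a single source port in a few milliseconds and is refused on all of them. The same `parse_line` also accepts the verbose `(tos ..., ttl ..., ...)` form of question 5, so the packet headers there can be fed in unchanged; the ASCII payload remnants need to stay on their own lines, as they are above, because only the header line is parsed.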

Required Resources

- Course textbook
- Internet access

Submission Requirements

- Format: Microsoft Word (or compatible)
- Font: Arial, size 12, double-spaced
- Citation style: follow your school's preferred style guide
- Length: 1 to 2 pages

Self-Assessment Checklist

- I analyzed the packet captures.
- I answered each question fully.
- I followed the submission guidelines.
