CAP6135: Malware and Software
Vulnerability Analysis
Network Traffic Monitoring Using Wireshark
Cliff Zou
Spring 2016
Acknowledgement
• http://ilta.ebiz.uapps.net/ProductFiles/productfiles/672/wireshark.ppt
• UC Berkeley course “EE 122: Intro to Communication Networks”
  • http://www.eecs.berkeley.edu/~jortiz/courses/ee122/presentations/Wireshark.ppt
• Other resources:
  • http://openmaniak.com/wireshark_filters.php
Motivation for Network Monitoring
• Essential for network management
  • Router and firewall policy
  • Detecting abnormal behaviour and errors in the network
  • Access control
• Security management
  • Detecting abnormal traffic
  • Keeping a traffic log for future forensic analysis
Tools Overview
• tcpdump
  • Unix command-line tool that captures packets
  • Supports filtering down to just the packets of interest
  • Reads live traffic from the interface given with the -i option …
  • … or from a previously recorded trace file given with the -r option
    • You create such files when capturing live traffic with the -w option
• tshark
  • tcpdump-like capture program that ships with Wireshark
  • Very similar behaviour and flags to tcpdump, but it decodes packets with Wireshark's protocol dissectors
• Wireshark
  • GUI for capturing packets (through its dumpcap helper) and for displaying traces written by tcpdump/tshark
Tcpdump example
• Ran tcpdump on a Unix machine
• First few lines of the output (one record per line):
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816
01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816
01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560
What does a line convey?
01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816
• 01:46:28.808262: timestamp
• IP: this is an IP packet
• danjo.CS.Berkeley.EDU: source host name; .ssh: source port number (22), printed as a service name
• adsl-69-228-230-7.dsl.pltn13.pacbell.net: destination host name; .2481: destination port number
• . 2513546054:2513547434(1380) ack 1268355216 win 12816: TCP-specific information: flags (“.” means none of S/F/P/R is set; “P” is PSH), sequence-number range and payload length in bytes, acknowledgement number, and advertised window
• After the first segment it sees on a connection, tcpdump prints sequence and ACK numbers relative to the initial values (1380:2128, ack 1) unless -S is given
• Different output formats for different packet types
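The annotation above names the fields; the following Python, an added example that is not part of the original slides, actually pulls them out of the four lines shown on the previous slide and totals the payload bytes per direction. The regular expression assumes the classic tcpdump line layout reproduced on the slide, and the small SERVICES table is an assumed stand-in for the /etc/services lookup tcpdump uses when it prints “ssh” instead of 22.

```python
import re

# Classic tcpdump TCP line layout (as on the slide):
#   TIME IP SRC.SPORT > DST.DPORT: FLAGS [SEQ:END(LEN)] [ack N] [win W]
# FLAGS is '.' when none of S/F/P/R is set. Host names keep their dots; the
# greedy \S+ backtracks to the last '.' so the port/service name is split off.
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r"(?: win (?P<win>\d+))?"
)

# Assumed stand-in for /etc/services, which tcpdump consults to print names.
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}


def _port(text):
    return int(text) if text.isdigit() else SERVICES[text]


def parse_tcpdump_line(line):
    """Split one tcpdump TCP line into the fields the slide annotates."""
    m = TCPDUMP_LINE.match(line)
    if not m:
        raise ValueError("not a tcpdump TCP line: %r" % line)
    g = m.groupdict()
    num = lambda key: int(g[key]) if g[key] is not None else None
    return {
        "ts": g["ts"],
        "src": g["src"], "sport": _port(g["sport"]),
        "dst": g["dst"], "dport": _port(g["dport"]),
        "flags": set(g["flags"]) - {"."},      # '.' is a placeholder, not a flag
        "seq": num("seq"), "end": num("end"),
        "length": num("len") or 0,             # TCP payload bytes, not frame size
        "ack": num("ack"), "win": num("win"),
    }


def payload_bytes_by_flow(lines):
    """Sum payload bytes per (src, sport, dst, dport) tuple."""
    totals = {}
    for line in lines:
        r = parse_tcpdump_line(line)
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        totals[key] = totals.get(key, 0) + r["length"]
    return totals


# The four lines from the slide, re-joined after the slide's line wrapping.
SAMPLE_LINES = [
    "01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816",
    "01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816",
    "01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816",
    "01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_tcpdump_line(line))
    print(payload_bytes_by_flow(SAMPLE_LINES))
```

Note that the first line carries absolute sequence numbers and the later ones relative ones; the parser does not try to reconcile them, it only reports what tcpdump printed. The per-flow totals show 3508 bytes of SSH data flowing from danjo to the DSL client and 48 bytes back in the same 82 ms.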
Similar Output from Tshark
1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493
1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48
1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48
1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502
Demo 1 – Basic Run
• Syntax:
tcpdump [options] [filter expression]
• Unfortunately, the Eustis machine does not allow normal users to run tcpdump
• $ sudo tcpdump -i eth0
  • sudo runs tcpdump with root privilege; capturing needs raw-socket access, which on Linux means root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities
• On your own Unix machine, you can run it with “sudo”, or run “tcpdump” directly if you have root privilege
• Observe the output
Filters
• We are often not interested in all packets flowing through the network
• Use filters to capture only the packets of interest to us
  • A tcpdump capture filter is compiled to BPF and applied in the kernel, so unwanted packets are dropped before they are copied to user space
Demo 2
1. Capture only UDP packets
  • tcpdump "udp"
2. Capture only TCP packets
  • tcpdump "tcp"
Demo 2 (contd.)
3. Capture only UDP packets with destination port 53 (DNS requests)
  • tcpdump "udp dst port 53"
4. Capture only UDP packets with source port 53 (DNS replies)
  • tcpdump "udp src port 53"
5. Capture only UDP packets with source or destination port 53 (DNS requests and replies)
  • tcpdump "udp port 53"
Demo 2 (contd.)
6. Capture only packets destined to longwood.eecs.ucf.edu
  • tcpdump "dst host longwood.eecs.ucf.edu"
7. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu
  • tcpdump "(tcp and host longwood.eecs.ucf.edu) or udp port 53"
How to write filters
• Refer to the tcpdump/tshark man page; the filter syntax itself is documented in pcap-filter(7)
• Many example web pages on the Internet
Running tcpdump
• Requires superuser/administrator privileges on Unix
  • http://www.tcpdump.org/
• You can do it on your own Unix machine
  • You can install a Linux OS in VMware on your Windows machine
• tcpdump for Windows
  • WinDump: http://www.winpcap.org/windump/
  • Free software, but WinDump and the WinPcap driver it depends on are no longer maintained; current Windows captures use Npcap with Wireshark/tshark
So What is Wireshark?
• Packet sniffer/protocol analyzer
• Open-source network tool
• The successor of the Ethereal tool (renamed Wireshark in 2006)
What is tshark?
• The command-line packet capture tool that ships with Wireshark
• Uses the same dissectors and display-filter syntax as Wireshark, without the GUI
Network Layered Structure
• What is the Internet?
[Figure: the protocol stacks of two communicating hosts, layer by layer with example protocols: Application (Web, Email, VoIP); Transport (TCP, UDP); Network (IP); Data Link (Ethernet, cellular); Physical link]
Wireshark Interface
[Screenshots: the main window (packet list, packet details, packet bytes) and the Status Bar]
Capture Options
• Promiscuous mode is used to capture all traffic seen by the interface, not only frames addressed to it
• Sometimes this does not work:
  • the driver does not support it
  • you are on a switched LAN: the switch forwards only frames addressed to your port (plus broadcast/multicast), so seeing other hosts' traffic needs a SPAN/mirror port or a TAP
Capture Filter
Capture Filter examples
host 10.1.11.24
host 192.168.0.1 and host 10.1.11.1
tcp port http
ip
not broadcast and not multicast
ether host 00:04:13:00:09:a3
[Screenshots: Capture Buffer Usage; Capture Interfaces; Interface Details: Characteristics, Statistics, 802.3 (Ethernet)]
Display Filters (Post-Filters)
• Display filters (also called post-filters) only filter the view of what you are seeing. All packets in the capture still exist in the trace
• Display filters use their own syntax (protocol field names) and are much more powerful than capture filters
Display Filter
Display Filter Examples
ip.src==10.1.11.0/24
ip.addr==192.168.1.10 && ip.addr==192.168.1.20
tcp.port==80 || tcp.port==3389
!(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)
(ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68)
tcp.dstport == 80
• ip.addr and tcp.port match either direction, so the second line keeps only traffic between the two hosts; ports 445/139 are SMB/NetBIOS, 67/68 are DHCP, 3389 is RDP
TCP segment structure (header fields, 32 bits per row)
  source port # | dest port #
  sequence number
  acknowledgement number
  head len | not used | U A P R S F | receive window
  checksum | urgent data pointer
  options (variable length)
  application data (variable length)
• URG: urgent data (generally not used)
• ACK: ACK # valid
• PSH: push data now
• RST, SYN, FIN: connection establishment (setup, teardown commands)
• Receive window: # bytes the receiver is willing to accept
• Sequence and acknowledgement numbers count bytes of data (not segments!)
• Checksum: Internet checksum (as in UDP)
Display Filter
• Filter fields are written protocol.field[.subfield], e.g. tcp.srcport or tcp.flags.syn
  • To find the field names, expand a protocol in the packet-details pane (click the “+”); the status bar shows the name of the selected field
• Examples:
  • tcp.srcport == 80
  • tcp.flags == 2
    • SYN packet (only the SYN bit, 0x02, is set)
  • tcp.flags.syn == 1
    • any segment with SYN set, including SYN/ACK
  • tcp.flags == 18
    • SYN/ACK (0x12 = SYN 0x02 + ACK 0x10)
• Note on the TCP flags field: tcp.flags is compared as a whole byte (decimal or hex), while the tcp.flags.xxx sub-fields are single bits compared with 0 or 1
Display Filter Expressions
• snmp || dns || icmp
  • Display SNMP, DNS or ICMP traffic.
• tcp.port == 25
  • Display packets with TCP source or destination port 25.
• tcp.flags
  • Display packets that have a TCP flags field, i.e. all TCP segments.
• tcp.flags.syn == 1
  • Display packets with the TCP SYN flag set. (tcp.flags.syn is a one-bit field, so tcp.flags.syn == 0x02 never matches; use tcp.flags == 0x02 to test the whole flags byte.)
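To make the field semantics concrete for both the TCP segment structure and the display-filter examples above, here is an added Python example (not code from the slides or from Wireshark). It builds three constructed Ethernet/IPv4/TCP frames for a handshake and a request to port 80, dissects them into fields named as Wireshark names them, and evaluates single “field == value” comparisons, including the either-direction pseudo-fields ip.addr and tcp.port, CIDR matches and the whole-byte versus single-bit flag test. Checksums are left at zero and only the == operator is implemented; the addresses and ports are made up.

```python
import struct
from ipaddress import IPv4Network, ip_address, ip_network

# Bit values of the TCP flags byte (the U A P R S F boxes of the header; FIN is the low bit).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def build_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, window=65535, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (checksums zero: Wireshark would mark them
    as bad, which does not affect filter evaluation). Constructed test data only."""
    eth = b"\x00\x04\x13\x00\x09\xa3" + b"\x00\x04\x13\x00\x09\xa4" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return eth + ip + tcp + payload


def dissect(frame):
    """Decode the frame into the fields a display filter can name (Wireshark's names)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack, off, flags, window, _cksum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    hdr_len = (off >> 4) * 4
    fields = {
        "ip.src": str(ip_address(ip[12:16])), "ip.dst": str(ip_address(ip[16:20])),
        "tcp.srcport": sport, "tcp.dstport": dport,
        "tcp.seq": seq, "tcp.ack": ack,
        "tcp.flags": flags, "tcp.window_size": window,
        "tcp.hdr_len": hdr_len, "tcp.len": len(tcp) - hdr_len,
    }
    for name, bit in TCP_FLAGS.items():          # one-bit sub-fields such as tcp.flags.syn
        fields["tcp.flags." + name] = 1 if flags & bit else 0
    return fields


# Pseudo-fields that Wireshark matches against either direction.
EITHER = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}


def _literal(text):
    try:
        return int(text, 0)                      # accepts 2, 18, 0x02, 0x12
    except ValueError:
        return ip_network(text, strict=False) if "/" in text else text


def matches(fields, expr):
    """Evaluate one comparison of the form 'field == value'."""
    name, op, raw = expr.split()
    if op != "==":
        raise ValueError("only == is supported in this example")
    want = _literal(raw)
    for real in EITHER.get(name, (name,)):
        have = fields[real]
        if isinstance(want, IPv4Network):
            if ip_address(have) in want:
                return True
        elif have == want:
            return True
    return False


def select(frames, expr):
    """Indices of the frames a display filter keeps in the packet list."""
    return [i for i, fr in enumerate(frames) if matches(dissect(fr), expr)]


# Constructed exchange: SYN, SYN/ACK, then a PSH/ACK segment carrying 16 bytes of request.
CLIENT, SERVER = "192.168.1.10", "10.1.11.24"
FRAMES = [
    build_frame(CLIENT, SERVER, 49152, 80, TCP_FLAGS["syn"], seq=1000),
    build_frame(SERVER, CLIENT, 80, 49152, TCP_FLAGS["syn"] | TCP_FLAGS["ack"], seq=5000, ack=1001),
    build_frame(CLIENT, SERVER, 49152, 80, TCP_FLAGS["psh"] | TCP_FLAGS["ack"], seq=1001, ack=5001,
                payload=b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for expr in ("tcp.flags == 2", "tcp.flags == 0x12", "tcp.flags.syn == 1",
                 "tcp.flags.syn == 0x02", "tcp.port == 80", "tcp.dstport == 80",
                 "ip.addr == 10.1.11.24", "ip.src == 10.1.11.0/24"):
        print("%-25s -> %s" % (expr, select(FRAMES, expr)))
```

Running it shows the point of the note above: tcp.flags == 2 keeps only the SYN, tcp.flags == 0x12 only the SYN/ACK, tcp.flags.syn == 1 both of them, and tcp.flags.syn == 0x02 nothing at all.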
If the filter syntax is correct, it will be highlighted in green,
otherwise if there is a syntax mistake it will be highlighted in red.
Correct syntax
Wrong syntax
Save Filtered Packets After Using Display Filter
• We can also save all filtered packets to a text file for further analysis
• Operation:
  • File → Export Packet Dissections → As Plain Text
  1) In the “Packet Range” options, select “Displayed”
  2) Choose “Summary line” or “Details” (or both) for the amount of information written per packet
Protocol Hierarchy
Follow TCP Stream
• Red: data sent by the client (the side that opened the connection); blue: data sent back by the server
Filter out/in Single TCP Stream
• When you click “Filter out this stream” in the Follow TCP Stream window, the new display filter string looks like:
  • http and !(tcp.stream eq 5)
• So, if you use “tcp.stream eq 5” as the filter string instead, you keep only this HTTP session
Expert Info
Conversations
• Use the “Copy” button to copy all text into the clipboard
• Then you can analyze this text to get whatever statistics you want
Find Endpoint Statistics
• Menu “Statistics” → “Endpoint List” (“Endpoints” in newer versions) → “TCP”
• You can sort by any column
• “Tx”: transmitted, “Rx”: received (packets and bytes per endpoint)
• As with Conversations, use the “Copy” button to copy all text into the clipboard and analyze it outside Wireshark
Flow Graphs
• The “Displayed packets” option lets you graph only the packets currently shown: for example, apply a display filter for HTTP traffic first, then draw the flow graph to analyze that exchange
Export HTTP Objects
HTTP Analysis
HTTP Analysis – Load Distribution
• Click the “Create Stat” button
• You can add a display filter to show only selected traffic
HTTP Analysis – Packet Counter
HTTP Analysis – Requests
Improving Wireshark Performance
• Don't use complex capture filters: capture everything and narrow down with display filters afterwards (what a capture filter drops is gone for good)
• Increase your capture buffer size
• Don't update the packet list in real time while capturing
• Get a faster computer
• Use a TAP (a SPAN/mirror port on a busy switch may drop packets)
• Don't resolve names: each lookup is a blocking DNS query, and it also tells your resolver which addresses you are investigating
Post-Processing Text File
• For saved text-format packet files, further analysis needs coding or special tools
• One useful tool on Unix: grep
  • On Windows: PowerGREP, http://www.powergrep.com/
  • Command-line utility for searching plain-text data sets for lines matching a regular expression
Basic usage of grep
• Command-line text-search program in Linux
• Some useful usage:
  • grep 'word' filename # print lines containing 'word'
  • grep -v 'word' filename # print lines not containing 'word'
  • grep '^word' filename # print lines beginning with 'word'
  • grep 'word' filename > file2 # write lines containing 'word' to file2
  • ls -l | grep rwxrwxrwx # list files whose mode is rwxrwxrwx (readable, writable and executable by everyone)
  • grep '^[0-4]' filename # print lines beginning with any of the digits 0-4
  • grep -c 'word' filename # print only the number of lines containing 'word'
  • grep -i 'word' filename # match 'word' regardless of case
• Many tutorials on grep online
  • http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
  • http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
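Once the “summary line” export exists, grep answers one question at a time; the statistics the Conversations and Endpoints windows give you (Tx/Rx packets and bytes per address, packet counts per protocol) need a few lines of code over the same file. The following Python is an added example, not part of the slides or of Wireshark. It parses a constructed export in the shape of the default summary-line columns (No., Time, Source, Destination, Protocol, Length, Info; a customised column layout would need a different regular expression), offers a grep/grep -v equivalent over the Info column, and recomputes the protocol hierarchy and per-endpoint Tx/Rx figures. The addresses and packets in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of File -> Export Packet Dissections -> As Plain Text
# with "Summary line" selected and the default columns.
SAMPLE_EXPORT = """\
No.     Time           Source                Destination           Protocol Length Info
      1 0.000000       192.168.1.10          10.1.11.24            TCP      74     49152 > 80 [SYN] Seq=0 Win=29200 Len=0
      2 0.000420       10.1.11.24            192.168.1.10          TCP      74     80 > 49152 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
      3 0.000455       192.168.1.10          10.1.11.24            TCP      66     49152 > 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
      4 0.001010       192.168.1.10          10.1.11.24            HTTP     180    GET / HTTP/1.1
      5 0.003200       10.1.11.24            192.168.1.10          HTTP     1514   HTTP/1.1 200 OK  (text/html)
      6 0.105000       192.168.1.10          192.168.1.1           DNS      75     Standard query 0x1a2b A www.example.com
      7 0.106100       192.168.1.1           192.168.1.10          DNS      91     Standard query response 0x1a2b A www.example.com A 93.184.216.34
"""

SUMMARY_LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


def parse_summary(text):
    """Parse the default summary-line columns; lines that do not fit the layout
    (the header line, blank lines) are skipped."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if m:
            r = m.groupdict()
            r["no"], r["length"], r["time"] = int(r["no"]), int(r["length"]), float(r["time"])
            records.append(r)
    return records


def grep_info(records, pattern, invert=False):
    """grep (or grep -v) over the Info column: the packet numbers whose Info matches."""
    rx = re.compile(pattern)
    return [r["no"] for r in records if bool(rx.search(r["info"])) != invert]


def protocol_hierarchy(records):
    """Packet count per protocol column, like Statistics -> Protocol Hierarchy."""
    counts = defaultdict(int)
    for r in records:
        counts[r["proto"]] += 1
    return dict(counts)


def endpoint_stats(records):
    """Per-address Tx/Rx packets and bytes, like the Endpoints window."""
    stats = defaultdict(lambda: {"tx_packets": 0, "tx_bytes": 0, "rx_packets": 0, "rx_bytes": 0})
    for r in records:
        stats[r["src"]]["tx_packets"] += 1
        stats[r["src"]]["tx_bytes"] += r["length"]
        stats[r["dst"]]["rx_packets"] += 1
        stats[r["dst"]]["rx_bytes"] += r["length"]
    return dict(stats)


if __name__ == "__main__":
    recs = parse_summary(SAMPLE_EXPORT)
    print("SYN packets:", grep_info(recs, r"\[SYN"))
    print(protocol_hierarchy(recs))
    for addr, s in sorted(endpoint_stats(recs).items()):
        print(addr, s)
```

Length here is the frame length column, so the byte totals match what the Endpoints window reports rather than application payload; if the export was made with a display filter active, the figures describe only the displayed packets, exactly as the “Displayed” packet-range option implies.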
On-line Wireshark Trace Files
• Publicly available .pcap files:
  • http://www.netresec.com/?page=PcapFiles
  • http://www.tp.org/jay/nwanalysis/traces/Lab%20Trace%20Files/
• Wireshark wiki sample captures
  • https://wiki.wireshark.org/SampleCaptures
Example Trace File and Questions
• Network Forensics Puzzle Contest
  • http://forensicscontest.com/2010/02/03/puzzle-4-the-curious-mr-x
• SharkFest'15 Packet Challenge
  • https://sharkfest.wireshark.org/assets/presentations15/packetchallenge.zip

Weitere ähnliche Inhalte

Ähnlich wie Malware and Software Vulnerability Analysis Using Wireshark

Wireshark Inroduction Li In
Wireshark Inroduction  Li InWireshark Inroduction  Li In
Wireshark Inroduction Li Inmhaviv
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domainPhu Nguyen
 
Wireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersWireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersYoram Orzach
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
Tshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testTshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testclaudiu59
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)Denny K
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linuxaamir lucky
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAvi Networks
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferenceCengage Learning
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.pptVarunBehere1
 
Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing softwaredharmesh nakum
 

Ähnlich wie Malware and Software Vulnerability Analysis Using Wireshark (20)

Wireshark Inroduction Li In
Wireshark Inroduction  Li InWireshark Inroduction  Li In
Wireshark Inroduction Li In
 
Day2
Day2Day2
Day2
 
Chapter 3. sensors in the network domain
Chapter 3. sensors in the network domainChapter 3. sensors in the network domain
Chapter 3. sensors in the network domain
 
Wireshark
Wireshark Wireshark
Wireshark
 
Wireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filtersWireshark course, Ch 03: Capture and display filters
Wireshark course, Ch 03: Capture and display filters
 
Introduction to ns3
Introduction to ns3Introduction to ns3
Introduction to ns3
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
Network traffic analysis course
Network traffic analysis courseNetwork traffic analysis course
Network traffic analysis course
 
project_docs
project_docsproject_docs
project_docs
 
Tshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent testTshark pen testing, very good insight of the pent test
Tshark pen testing, very good insight of the pent test
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
OSTU - Quickstart Guide for Wireshark (by Tony Fortunato)
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Firewalls rules using iptables in linux
Firewalls rules using iptables in linuxFirewalls rules using iptables in linux
Firewalls rules using iptables in linux
 
Abandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern TroubleshootingAbandon Decades-Old TCPdump for Modern Troubleshooting
Abandon Decades-Old TCPdump for Modern Troubleshooting
 
Packet Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing ConferencePacket Analysis - Course Technology Computing Conference
Packet Analysis - Course Technology Computing Conference
 
01204427-scanner.ppt
01204427-scanner.ppt01204427-scanner.ppt
01204427-scanner.ppt
 
Firewall Facts
Firewall FactsFirewall Facts
Firewall Facts
 
Nmap
NmapNmap
Nmap
 
Wireshark network analysing software
Wireshark network analysing softwareWireshark network analysing software
Wireshark network analysing software
 

Kürzlich hochgeladen

Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...Pooja Nehwal
 
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Naicy mandal
 
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)amitlee9823
 
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...Amil baba
 
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...Call Girls in Nagpur High Profile
 
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...Pooja Nehwal
 
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...Pooja Nehwal
 
(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...
(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...
(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...motiram463
 
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...anilsa9823
 
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikLow Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai GapedCall Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gapedkojalkojal131
 
Develop Keyboard Skill.pptx er power point
Develop Keyboard Skill.pptx er power pointDevelop Keyboard Skill.pptx er power point
Develop Keyboard Skill.pptx er power pointGetawu
 
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...amitlee9823
 
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...amitlee9823
 
VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...
VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...
VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...Call Girls in Nagpur High Profile
 
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Call Girls in Nagpur High Profile
 

Kürzlich hochgeladen (20)

Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Pimple Saudagar Call Me 7737669865 Budget Friendly No Advance Booking
 
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
 
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
Escorts Service Arekere ☎ 7737669865☎ Book Your One night Stand (Bangalore)
 
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
NO1 Verified Amil Baba In Karachi Kala Jadu In Karachi Amil baba In Karachi A...
 
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
VVIP Pune Call Girls Karve Nagar (7001035870) Pune Escorts Nearby with Comple...
 
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
 
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
9892124323 Pooja Nehwal Call Girls Services Call Girls service in Santacruz A...
 
(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...
(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...
(👉Ridhima)👉VIP Model Call Girls Mulund ( Mumbai) Call ON 9967824496 Starting ...
 
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
Lucknow 💋 Call Girls Adil Nagar | ₹,9500 Pay Cash 8923113531 Free Home Delive...
 
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service NashikLow Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
Low Rate Call Girls Nashik Vedika 7001305949 Independent Escort Service Nashik
 
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
 
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai GapedCall Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
Call Girls Dubai Slut Wife O525547819 Call Girls Dubai Gaped
 
Develop Keyboard Skill.pptx er power point
Develop Keyboard Skill.pptx er power pointDevelop Keyboard Skill.pptx er power point
Develop Keyboard Skill.pptx er power point
 
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
Kothanur Call Girls Service: 🍓 7737669865 🍓 High Profile Model Escorts | Bang...
 
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
Vip Mumbai Call Girls Andheri East Call On 9920725232 With Body to body massa...
 
VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...
VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...
VVIP Pune Call Girls Kalyani Nagar (7001035870) Pune Escorts Nearby with Comp...
 
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Chakan ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 

Malware and Software Vulnerability Analysis Using Wireshark

  • 1. CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2016
  • 2. Acknowledgement  http://ilta.ebiz.uapps.net/ProductFiles/prod uctfiles/672/wireshark.ppt  UC Berkley course “EE 122: Intro to Communication Networks”  http://www.eecs.berkeley.edu/~jortiz/courses/ ee122/presentations/Wireshark.ppt  Other resources:  http://openmaniak.com/wireshark_filters.php 2
  • 3. Motivation for Network Monitoring  Essential for Network Management  Router and Firewall policy  Detecting abnormal/error in networking  Access control  Security Management  Detecting abnormal traffic  Traffic log for future forensic analysis 3
  • 4. 4 Tools Overview  Tcpdump  Unix-based command-line tool used to intercept packets  Including filtering to just the packets of interest  Reads “live traffic” from interface specified using -i option …  … or from a previously recorded trace file specified using -r option  You create these when capturing live traffic using -w option  Tshark  Tcpdump-like capture program that comes w/ Wireshark  Very similar behavior & flags to tcpdump  Wireshark  GUI for displaying tcpdump/tshark packet traces
  • 5. 5 Tcpdump example 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 01:46:28.808271 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: P 1380:2128(748) ack 1 win 12816 01:46:28.808276 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230- 7.dsl.pltn13.pacbell.net.2481: . 2128:3508(1380) ack 1 win 12816 01:46:28.890021 IP adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481 > danjo.CS.Berkeley.EDU.ssh: P 1:49(48) ack 1380 win 16560 • Ran tcpdump on a Unix machine • First few lines of the output:
  • 6. 6 01:46:28.808262 IP danjo.CS.Berkeley.EDU.ssh > adsl-69-228-230-7.dsl.pltn13.pacbell.net.2481: . 2513546054:2513547434(1380) ack 1268355216 win 12816 Timestamp This is an IP packet Source host name Source port number (22) Destination host name Destination port number TCP specific information • Different output formats for different packet types What does a line convey?
  • 7. 7 Similar Output from Tshark 1190003744.940437 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003744.940916 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003744.955764 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=48 Ack=48 Win=65514 Len=0 TSV=445871583 TSER=632535493 1190003745.035678 61.184.241.230 -> 128.32.48.169 SSH Encrypted request packet len=48 1190003745.036004 128.32.48.169 -> 61.184.241.230 SSH Encrypted response packet len=48 1190003745.050970 61.184.241.230 -> 128.32.48.169 TCP 6943 > ssh [ACK] Seq=96 Ack=96 Win=65514 Len=0 TSV=445871583 TSER=632535502
  • 8. 8 Demo 1 – Basic Run  Syntax: tcpdump [options] [filter expression]  Unfortunately, Eustis machine does not allow normal users to run tcpdump  $ sudo tcpdump –i eth0  Sudo command allows you to run tcpdump in root previlege  On your own Unix machine, you can run it using “sudo” or directly run “tcpdump” if you have root previliege  Observe the output
  • 9. 9 Filters  We are often not interested in all packets flowing through the network  Use filters to capture only packets of interest to us
  • 10. 10 Demo 2 1. Capture only udp packets • tcpdump “udp” 2. Capture only tcp packets • tcpdump “tcp”
  • 11. 11 Demo 2 (contd.) 1. Capture only UDP packets with destination port 53 (DNS requests) • tcpdump “udp dst port 53” 2. Capture only UDP packets with source port 53 (DNS replies) • tcpdump “udp src port 53” 3. Capture only UDP packets with source or destination port 53 (DNS requests and replies) • tcpdump “udp port 53”
  • 12. 12 Demo 2 (contd.) 1. Capture only packets destined to longwood.eecs.ucf.edu • tcpdump “dst host longwood.eecs.ucf.edu” 2. Capture both DNS packets and TCP packets to/from longwood.eecs.ucf.edu • tcpdump “(tcp and host longwood.eecs.ucf.edu) or udp port 53”
How to Write Filters
 Refer to the pcap-filter(7) man page, which defines the capture-filter syntax shared by tcpdump, tshark and Wireshark (the tcpdump and tshark man pages point to it)
 Many example web pages on the Internet
Running tcpdump
 Requires superuser/administrator privileges on Unix
 http://www.tcpdump.org/
 You can do it on your own Unix machine
 You can install a Linux OS in VMware on your Windows machine
 tcpdump for Windows:
 WinDump: http://www.winpcap.org/windump/
 Free software
So What is Wireshark?
 Packet sniffer/protocol analyzer
 Open-source network tool
 The current name of the Ethereal tool (renamed Wireshark in 2006)
What is Tshark?
 The command-line packet capture and analysis tool that ships with Wireshark
 Equivalent to Wireshark without the GUI: same capture engine (dumpcap), same dissectors and same display-filter syntax (tshark -Y "<display filter>"), so it is the tool for scripted or headless analysis
Network Layered Structure
 What is the Internet? A stack of layers, each implemented at both ends of a link or connection:
 Application (Web, Email, VoIP)
 Transport (TCP, UDP)
 Network (IP)
 Data Link (Ethernet, cellular)
 Physical link
Capture Options
 Promiscuous mode is used to capture all traffic on the segment, not only the frames addressed to your own interface
 Sometimes this does not work:
 • the driver does not support it
 • you are on a switched LAN: the switch only forwards a frame to the port of its destination MAC, so you see your own traffic plus broadcast/multicast unless you use a SPAN/mirror port or a TAP
Capture Filter Examples
 host 10.1.11.24                           # traffic to or from one host
 host 192.168.0.1 and host 10.1.11.1       # traffic between two hosts
 tcp port http                             # TCP port 80 in either direction
 ip and not broadcast and not multicast    # unicast IP only (pcap-filter requires an explicit "and" between primitives; juxtaposition is a syntax error)
 ether host 00:04:13:00:09:a3              # by MAC address, useful for non-IP traffic or before an address is assigned (DHCP)
Display Filters (Post-Filters)
 Display filters (also called post-filters) only filter the view of what you are seeing; all packets in the capture still exist in the trace
 Display filters use their own syntax (protocol field names such as ip.addr, tcp.port, http.request) and are much more powerful than capture filters, which use the BPF syntax of pcap-filter(7); the two are not interchangeable
Display Filter Examples
 ip.src==10.1.11.0/24                                                  # source address in that subnet (CIDR notation works on address fields)
 ip.addr==192.168.1.10 && ip.addr==192.168.1.20                      # packets between these two hosts, either direction
 tcp.port==80 || tcp.port==3389                                       # HTTP or RDP
 !(ip.addr==192.168.1.10 && ip.addr==192.168.1.20)                    # everything except that conversation
 (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (tcp.port==445 || tcp.port==139)   # SMB between the two hosts
 (ip.addr==192.168.1.10 && ip.addr==192.168.1.20) && (udp.port==67 || udp.port==68)     # DHCP between the two hosts
 tcp.dstport == 80                                                     # destination port only
 Note: "ip.addr != 192.168.1.10" does not exclude that host, because ip.addr stands for both the source and the destination field and the test is true as soon as one of them differs; write "!(ip.addr == 192.168.1.10)" instead
TCP segment structure (rows of 32 bits)
 source port # | dest port # (16 bits each)
 sequence number (counts bytes of data, not segments)
 acknowledgement number
 head len | not used | flags U A P R S F | receive window (# bytes the receiver is willing to accept)
 checksum (Internet checksum, as in UDP) | urgent data pointer
 options (variable length)
 application data (variable length)
 URG: urgent data (generally not used); ACK: ACK # valid; PSH: push data now; RST, SYN, FIN: connection establishment and teardown commands
Display Filter
 String1, String2 (optional settings): sub-protocol categories (fields) inside the protocol
 Look for a protocol in the packet details pane and then click on the "+" character to see its fields
 Example:
 tcp.srcport == 80
 tcp.flags == 2  SYN packet (only the SYN bit, value 0x002, is set)
 tcp.flags.syn == 1  any packet with SYN set
 tcp.flags == 18  SYN/ACK (SYN 0x002 + ACK 0x010 = 0x012)
 Note on the TCP flags field: tcp.flags is the whole 12-bit field, so "tcp.flags == 18" misses a SYN/ACK that also carries ECE (ECN negotiation); "tcp.flags.syn == 1 && tcp.flags.ack == 1" matches regardless of the other bits
Display Filter Expressions
 snmp || dns || icmp  Display the SNMP, DNS and ICMP traffic
 tcp.port == 25  Display packets with TCP source or destination port 25
 tcp.flags  Display every packet that has a tcp.flags field, i.e. every TCP segment
 tcp.flags.syn == 1  Display packets with the TCP SYN flag set (tcp.flags.syn is a boolean; the equivalent test on the whole field is tcp.flags == 0x002)
 If the filter syntax is correct, the filter bar is highlighted in green; if there is a syntax mistake it is highlighted in red
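An added example, not part of the original slides, that makes the flags arithmetic of the last three pages concrete: it decodes the TCP header laid out above, names the flag bits the way Wireshark's tcp.flags field does, and evaluates the `tcp.flags == 18` and `tcp.flags.syn == 1 && tcp.flags.ack == 1` forms on constructed segments, including a SYN/ACK with ECE set that the first form misses. The segments, the `build_segment` helper and the tiny filter evaluator are this example's own assumptions, not Wireshark code.

```python
"""Decode the TCP header and evaluate tcp.flags-style display filters on it.

Added example, not from the original slides. The sample segments are constructed
in-line and every function name is this example's own.
"""
import re
import struct

# Bit values of the flags as Wireshark's 12-bit tcp.flags field shows them. The 16-bit word
# after the ack number is: data offset (4 bits) | reserved (3) | NS | CWR ECE URG ACK PSH RST SYN FIN.
FLAG_BITS = {"fin": 0x001, "syn": 0x002, "rst": 0x004, "psh": 0x008, "ack": 0x010,
             "urg": 0x020, "ece": 0x040, "cwr": 0x080, "ns": 0x100}
TCP_HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset/flags, window, checksum, urgent pointer


def build_segment(sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Constructed 20-byte header (no options, checksum 0) for test input only."""
    return struct.pack(TCP_HDR, sport, dport, seq, ack, (5 << 12) | (flags & 0xFFF), window, 0, 0) + payload


def parse_segment(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(TCP_HDR, segment[:20])
    hdr_len = (off_flags >> 12) * 4  # header length is counted in 32-bit words
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0xFFF
    hdr = {"srcport": sport, "dstport": dport, "seq": seq, "ack": ack, "hdr_len": hdr_len,
           "window": win, "checksum": csum, "urgent_pointer": urg, "flags": flags,
           "options": segment[20:hdr_len], "payload": segment[hdr_len:]}
    hdr.update({name: bool(flags & bit) for name, bit in FLAG_BITS.items()})
    return hdr


def describe_flags(flags: int) -> str:
    names = [n.upper() for n, b in FLAG_BITS.items() if flags & b]
    return "/".join(names) if names else "none"


# Tiny evaluator for the subset "tcp.flags == N" and "tcp.flags.<name> == 0|1", joined by && and ||.
_TERM = re.compile(r"^tcp\.flags(?:\.(\w+))?\s*==\s*(0x[0-9a-fA-F]+|\d+)$")


def matches(hdr: dict, expr: str) -> bool:
    """Evaluate a display-filter expression over a parsed header (|| binds looser than &&)."""
    def term(t: str) -> bool:
        m = _TERM.match(t.strip())
        if not m:
            raise ValueError(f"unsupported term: {t!r}")
        field, value = m.group(1), int(m.group(2), 0)
        if field is None:                 # tcp.flags: the whole 12-bit field
            return hdr["flags"] == value
        if field not in FLAG_BITS:
            raise ValueError(f"unknown flag: {field}")
        return int(hdr[field]) == value   # tcp.flags.syn etc. are booleans (0/1)

    return any(all(term(t) for t in clause.split("&&")) for clause in expr.split("||"))


if __name__ == "__main__":
    # Constructed samples: a SYN, a plain SYN/ACK, and a SYN/ACK from a peer negotiating ECN (ECE set).
    both = "tcp.flags.syn == 1 && tcp.flags.ack == 1"
    for name, seg in [("SYN", build_segment(40000, 80, 1000, 0, FLAG_BITS["syn"])),
                      ("SYN/ACK", build_segment(80, 40000, 5000, 1001, 0x012)),
                      ("ECN SYN/ACK", build_segment(80, 40000, 5000, 1001, 0x052))]:
        h = parse_segment(seg)
        print(f"{name:12} tcp.flags=0x{h['flags']:03x} ({describe_flags(h['flags'])}) "
              f"'tcp.flags == 18' -> {matches(h, 'tcp.flags == 18')}  '{both}' -> {matches(h, both)}")
```

Running it shows the ECN SYN/ACK as tcp.flags=0x052 (SYN/ACK/ECE): the numeric comparison fails on it while the per-bit form matches, which is the reason to prefer per-flag tests when hunting for scan responses or half-open handshakes.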
Save Filtered Packets After Using a Display Filter
 We can also save all filtered packets in a text file for further analysis
 Operation: File → Export Packet Dissections → As Plain Text...
 1) In the "Packet Range" box, select "Displayed" (otherwise every captured packet is exported)
 2) In "Packet Format", choose "Summary line" or "Details"
 To keep the filtered packets in pcap form instead, so that tcpdump, tshark or other tools can re-read them, use File → Export Specified Packets with the same "Displayed" choice
Follow TCP Stream
 red: data sent by the client (the side that sent the first packet of the stream) to the server
 blue: data sent by the server back to the client
 The dialog shows the reassembled payload, so for encrypted sessions (SSH, TLS) you will see only ciphertext
Filter out/in a Single TCP Stream
 Clicking "Filter Out This Stream" in the Follow TCP Stream dialog on the previous page appends a negated clause to the current filter string, e.g.: http and !(tcp.stream eq 5)
 So, if you use "tcp.stream eq 5" as the filter string, you keep only that HTTP session
 tcp.stream is Wireshark's own index, numbering TCP conversations in the order they first appear in the capture; it is not a field in the packets
 Use the "Copy" button to copy the whole table as text to the clipboard
 Then save it to a file and analyze that text to get whatever statistics you want
Find EndPoint Statistics
 Menu "Statistics" → "Endpoints" → "TCP" tab
 You can sort by any column
 "Tx": transmitted (packets and bytes sent by that endpoint); "Rx": received
 Tick "Limit to display filter" to compute the table only over the packets currently displayed
Find EndPoint Statistics (contd.)
 Use the "Copy" button to copy the whole table as text to the clipboard, then save it to a file and compute the statistics you want from it (for example, the top talkers by Tx bytes)
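An added example, not from the slides, that reproduces the three Wireshark features of the preceding pages in code: the tcp.stream numbering behind "Filter Out This Stream", Follow TCP Stream's per-direction reassembly, and the Tx/Rx table from Statistics → Endpoints. It reads a classic little-endian pcap built in memory (constructed addresses, made-up MACs, zero checksums); all function names are this example's own, and pcapng files and IPv6 are not handled.

```python
"""Read a pcap, number TCP streams like Wireshark's tcp.stream, follow one stream
and compute per-endpoint Tx/Rx statistics. Added example, not from the slides:
the capture is constructed in memory and every name here is this example's own.
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP (no options). Checksums are 0: fine for parsing, not for sending."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def write_pcap(frames, t0=1700000000):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):  # constructed timestamps, one millisecond apart
        out += struct.pack("<IIII", t0, i * 1000, len(f), len(f)) + f
    return out


def read_pcap(blob):
    """Return [(timestamp, frame)] from a little-endian pcap with Ethernet link type."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap of Ethernet frames (pcapng not handled)")
    off, pkts = 24, []
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack("<IIII", blob[off:off + 16])
        pkts.append((sec + usec / 1e6, blob[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return pkts


def decode_tcp(frame):
    """Fields the analyses need from an Ethernet/IPv4/TCP frame; None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": socket.inet_ntoa(frame[26:30]), "sport": sport,
            "dst": socket.inet_ntoa(frame[30:34]), "dport": dport, "seq": seq,
            "flags": off_flags & 0xFFF, "payload": tcp[(off_flags >> 12) * 4:],
            "frame_len": len(frame)}


def assign_streams(pkts):
    """Number bidirectional conversations in order of first appearance (Wireshark's tcp.stream);
    whoever sent the first packet of a stream is its 'client'."""
    streams, out = {}, []
    for ts, frame in pkts:
        d = decode_tcp(frame)
        if d is None:
            continue
        key = (d["src"], d["sport"], d["dst"], d["dport"])
        rkey = (d["dst"], d["dport"], d["src"], d["sport"])
        if key not in streams and rkey not in streams:
            streams[key] = len(streams)
        d["stream"] = streams[key] if key in streams else streams[rkey]
        d["dir"] = "client" if key in streams else "server"
        out.append(dict(d, ts=ts))
    return out


def follow_stream(pkts, index):
    """Reassemble each direction's payload by sequence number, like Follow TCP Stream.
    Out-of-order segments are sorted in and an exact retransmission keeps the first copy;
    partially overlapping segments are not trimmed (Wireshark's reassembly handles those)."""
    chunks = {"client": {}, "server": {}}
    for d in pkts:
        if d["stream"] == index and d["payload"]:
            chunks[d["dir"]].setdefault(d["seq"], d["payload"])
    return {side: b"".join(p for _, p in sorted(c.items())) for side, c in chunks.items()}


def endpoint_stats(pkts):
    """Per (address, port): packets/bytes sent (Tx) and received (Rx), as Statistics > Endpoints > TCP."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "tx_bytes": 0, "rx_pkts": 0, "rx_bytes": 0})
    for d in pkts:
        tx, rx = stats[(d["src"], d["sport"])], stats[(d["dst"], d["dport"])]
        tx["tx_pkts"] += 1
        tx["tx_bytes"] += d["frame_len"]
        rx["rx_pkts"] += 1
        rx["rx_bytes"] += d["frame_len"]
    return dict(stats)


C, S = "10.0.0.5", "10.0.0.80"  # constructed client and server addresses
REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
RESP1 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n"
RESP2 = b"OK"


def sample_pcap():
    """Constructed capture: one HTTP exchange whose response arrives out of order with a
    retransmitted segment, plus the SYN of a second connection."""
    frames = [
        build_frame(C, 40000, S, 80, 1000, 0, 0x002),                                    # SYN
        build_frame(S, 80, C, 40000, 5000, 1001, 0x012),                                 # SYN/ACK
        build_frame(C, 40000, S, 80, 1001, 5001, 0x010),                                 # ACK
        build_frame(C, 40000, S, 80, 1001, 5001, 0x018, REQ),                            # request
        build_frame(S, 80, C, 40000, 5001 + len(RESP1), 1001 + len(REQ), 0x018, RESP2),  # second part first
        build_frame(S, 80, C, 40000, 5001, 1001 + len(REQ), 0x018, RESP1),
        build_frame(S, 80, C, 40000, 5001, 1001 + len(REQ), 0x018, RESP1),               # retransmission
        build_frame(C, 40001, S, 80, 2000, 0, 0x002),                                    # new stream
    ]
    return write_pcap(frames)


if __name__ == "__main__":
    pkts = assign_streams(read_pcap(sample_pcap()))
    print(follow_stream(pkts, 0))
    for endpoint, st in sorted(endpoint_stats(pkts).items()):
        print(endpoint, st)
```

Following stream 0 yields the request on the client side and the response in order on the server side despite the reordering and the duplicate, and the endpoint table counts 10.0.0.5:40000 as 3 packets sent and 4 received, which is the same bookkeeping Wireshark does behind the GUI dialogs above.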
Flow Graphs
 Statistics → Flow Graph draws the packets as arrows between hosts over time
 The "displayed packets" option (called "Limit to display filter" in current versions) lets you draw only the packets currently shown: for example, apply a display filter of http first, then draw the flow to analyze just those packets
HTTP Analysis – Load Distribution
 Statistics → HTTP → Load Distribution: HTTP requests and responses grouped by server host and address
 Click the "Create Stat" button
 You can add a display filter in the dialog to include only selected traffic
HTTP Analysis – Packet Counter
 Statistics → HTTP → Packet Counter: requests counted by method (GET, POST, ...) and responses counted by status code class (2xx, 3xx, 4xx, 5xx)
HTTP Analysis – Requests
 Statistics → HTTP → Requests: the requests grouped by host and then by URI, a quick way to spot unexpected destinations or paths
Improving Wireshark Performance
 Keep capture filters simple: every packet is run through the BPF program in the kernel, so on a busy link a complicated filter costs CPU; a simple filter that discards most traffic still pays off, because dissection in Wireshark is the larger cost
 Increase the capture buffer size (Capture Options)
 Don't update the packet list in real time while capturing
 Get a faster computer
 Use a TAP (or a switch SPAN/mirror port) rather than capturing on the busy host itself
 Don't resolve names: network name resolution issues a DNS query for every address in the capture, which slows the display and also tells the resolver (and anyone watching it) which hosts you are looking at
Post-Processing Text Files
 For packet files saved in text format, further analysis needs coding or special tools
 One useful tool on Unix: grep
 On Windows: PowerGREP, http://www.powergrep.com/
 Command-line utility for searching plain-text data sets for lines matching a regular expression
 Alternatively, let tshark emit only the fields you need, e.g. tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport, which is easier to process than re-parsing the GUI's text export
Basic Usage of grep
 Command-line text-search program on Linux/Unix
 Some useful usage:
 grep 'word' filename            # print lines containing 'word'
 grep -v 'word' filename         # print lines not containing 'word'
 grep '^word' filename           # lines beginning with 'word'
 grep 'word' filename > file2    # write the lines containing 'word' to file2
 ls -l | grep rwxrwxrwx          # list files whose mode is rwxrwxrwx (world-writable and executable)
 grep '^[0-4]' filename          # lines beginning with any of the digits 0-4
 grep -c 'word' filename         # count the lines containing 'word' instead of printing them
 grep -i 'word' filename         # match 'word' regardless of case
 Many tutorials on grep online:
 http://www.cyberciti.biz/faq/howto-use-grep-command-in-linux-unix/
 http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
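An added example, not from the slides, covering the text post-processing described on the last two pages and the HTTP statistics of the three pages before them: it parses a constructed Wireshark "summary line" export, offers grep-style selection (plain, -v, -i, and -c via the length of the result), and computes the per-server, per-method, status-code and URI counts that Statistics → HTTP reports. The export lines are constructed to resemble Wireshark's columns and the function names are this example's own; on real captures, `tshark -T fields` output is easier to parse than the GUI's text export.

```python
"""Post-process a Wireshark "summary line" plain-text export: grep-style selection
plus the request/response counts Wireshark shows under Statistics > HTTP.

Added example, not from the original slides. The export lines are constructed to
look like Wireshark's summary columns (No., Time, Source, Destination, Protocol,
Length, Info); the function names are this example's own.
"""
import re
from collections import Counter

# Constructed export (spaces between columns; the Info column may itself contain spaces).
SAMPLE_EXPORT = """\
No.     Time         Source          Destination     Protocol Length Info
1       0.000000     192.168.1.10    93.184.216.34   HTTP     489    GET / HTTP/1.1
2       0.120000     93.184.216.34   192.168.1.10    HTTP     1514   HTTP/1.1 200 OK  (text/html)
3       0.300000     192.168.1.10    93.184.216.34   HTTP     512    GET /login HTTP/1.1
4       0.350000     192.168.1.11    93.184.216.34   HTTP     455    POST /login HTTP/1.1  (application/x-www-form-urlencoded)
5       0.400000     93.184.216.34   192.168.1.11    HTTP     321    HTTP/1.1 302 Found
6       0.500000     192.168.1.10    8.8.8.8         DNS      74     Standard query 0x1a2b A example.test
7       0.520000     192.168.1.11    10.0.0.9        HTTP     488    GET /index.html HTTP/1.1
"""

SUMMARY_RE = re.compile(r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
                        r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*?)\s*$")
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d")
RESPONSE_RE = re.compile(r"^HTTP/\d\.\d\s+(?P<status>\d{3})")


def parse_export(text):
    """Summary lines -> list of dicts; the header line and anything unparsable are skipped."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["no"], rec["length"] = int(rec["no"]), int(rec["length"])
            rec["time"] = float(rec["time"])
            records.append(rec)
    return records


def grep(text, pattern, invert=False, ignore_case=False):
    """Lines matching a regex, like grep / grep -v / grep -i; len() of the result is grep -c."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [ln for ln in text.splitlines() if bool(rx.search(ln)) != invert]


def http_stats(records):
    """Counts comparable to Statistics > HTTP: Load Distribution (requests per server),
    Packet Counter (requests by method, responses by status) and Requests (by URI)."""
    by_server, by_method, by_status, by_uri = Counter(), Counter(), Counter(), Counter()
    for r in records:
        if r["proto"] != "HTTP":
            continue
        req, resp = REQUEST_RE.match(r["info"]), RESPONSE_RE.match(r["info"])
        if req:
            by_server[r["dst"]] += 1
            by_method[req["method"]] += 1
            by_uri[req["uri"]] += 1
        elif resp:
            by_status[resp["status"]] += 1
    return {"requests_by_server": dict(by_server), "requests_by_method": dict(by_method),
            "responses_by_status": dict(by_status), "requests_by_uri": dict(by_uri)}


if __name__ == "__main__":
    print(len(grep(SAMPLE_EXPORT, r"\bDNS\b")), "DNS line(s)")   # grep -c
    for key, value in http_stats(parse_export(SAMPLE_EXPORT)).items():
        print(key, value)
```

Aggregation is where a script beats grep: a pipeline can count the lines that mention POST, but grouping requests by server or status code needs the columns parsed, and the same `parse_export` output can be fed to whatever statistic the investigation calls for.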
On-line Wireshark Trace Files
 Publicly available .pcap files:
 http://www.netresec.com/?page=PcapFiles
 http://www.tp.org/jay/nwanalysis/traces/Lab%20Trace%20Files/
 Wireshark wiki sample captures:
 https://wiki.wireshark.org/SampleCaptures
 Treat downloaded captures as untrusted input: protocol dissectors have had exploitable bugs triggered by crafted packets, so open third-party files in an up-to-date Wireshark, ideally inside a disposable VM
Example Trace Files and Questions
 Network Forensics Puzzle Contest
 http://forensicscontest.com/2010/02/03/puzzle-4-the-curious-mr-x
 SharkFest'15 Packet Challenge
 https://sharkfest.wireshark.org/assets/presentations15/packetchallenge.zip