Wireshark Lab 1.2 Import and Examine PCAP File (V1.1)

Uploaded by fallj366

Wireshark Lab 1.1. Recording Network Traffic and Creating a PCAP File (V1.1)

OVERVIEW
What is a PCAP File?

PCAP files are data files created by the Wireshark program, and they contain the
packet data captured from a network. These files are mainly used to analyze the network
characteristics of certain data.
The files also help in controlling the traffic of a network, since that traffic is
being monitored by the program.

The data and the results of the network analysis are saved with the PCAP file
extension, which is why they are called PCAP files.
These files are used to determine network status, allowing analysts to attend to
problems that may have occurred on the network and to study data
communications using Wireshark.

OBJECTIVE:
1- How to use the PCAP file.
2- How to examine a PCAP file.
3- How to find/extract information from a PCAP file.

REQUIREMENTS:
Wireshark Application
OS (Windows, macOS, or Linux)

STEPS:

Part 1 - Capture Traffic on an Ethernet NIC or WiFi NIC.
Part 2 - Add a Coloring Rule for TCP Packets.
Part 3 - Adding Custom Columns (TCP Segment Len).
Part 4 - Saving Captured Traffic.

Part 1 - HOW TO OPEN A PCAP FILE

Open a PCAP file by double-clicking it. If your file associations are set up correctly,
the application meant to open your PCAP file will open it; otherwise, use Wireshark:
click File, then Open (or press CTRL + O).

Part 2 - Examining a PCAP File:

In this lab, we are going to examine the "2022-03-21 - TRAFFIC ANALYSIS EXERCISE -
BURNINCANDLE" PCAP file. To get started:

Download the PCAP for this lab using the link here (password: infected).
Extract the file after you download it.
Open the PCAP file in Wireshark.

How many packets were captured in this trace file?

Check the bottom-right corner of the Wireshark window (the status bar) to determine how many
packets were recorded. The number of packets appears as seen in the image below.
❖ Number of packets: 16296

What protocol does packet number 4 contain?

The protocol of packet number 4 is HTTP, as shown in the picture below.
Look at packet number 1. What is the source IP address in this packet?

From the PCAP file, the source IP address of packet number 1 is 10.0.19.14,
as shown in the picture below.

What are the source and destination TCP ports in this same packet?

From the PCAP file:

❖ The source TCP port is 62179.
❖ The destination TCP port is 80.
What TCP flag is set in packet number 1?

From the PCAP, there are two ways to identify the TCP flag:
❖ The TCP flag is SYN, as shown in the first packet's Info column.
❖ We can also find the TCP flag by expanding the TCP section of the packet details and
then the Flags section, as shown in the picture below.
What is the frame number of the next packet in this TCP conversation?

The TCP 3-way handshake is SYN, SYN-ACK, ACK: because the first packet is
a SYN packet, the next packet in the conversation will be a SYN-ACK packet.

There are several methods for locating all of the packets that are related to the first
packet:
Use a display filter on the first packet's port number (tcp.port == 62179).
Scroll through the packets looking for a packet with the same port
number.
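As an added worked example (not part of the lab and not Wireshark code), the following Python script answers the same questions without the GUI: it parses a libpcap file, counts frames, decodes packet 1's IP addresses, TCP ports and flags, and finds the next frame in the same TCP conversation (either direction). The capture it reads is constructed inline; only 10.0.19.14, port 62179 and port 80 come from the lab, and the 203.0.113.x addresses are placeholders.

```python
import struct
# Added example, not Wireshark code: a minimal libpcap reader whose dict keys mirror Wireshark fields.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def decode(no, pkt):
    """Decode one Ethernet frame; anything that is not IPv4/TCP keeps only its frame number."""
    f = {"frame.number": no, "proto": "other"}
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return f
    ihl = (pkt[14] & 0x0F) * 4                          # IPv4 header length in bytes
    f["ip.src"] = ".".join(map(str, pkt[26:30]))
    f["ip.dst"] = ".".join(map(str, pkt[30:34]))
    l4 = pkt[14 + ihl:]
    if pkt[23] == 6 and len(l4) >= 20:                  # IP protocol 6 = TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        f.update({"proto": "TCP", "tcp.srcport": sport, "tcp.dstport": dport,
                  "tcp.flags": [n for bit, n in TCP_FLAGS.items() if l4[13] & bit]})
    return f

def read_pcap(data):
    """Walk a libpcap file: 24-byte global header, then a 16-byte header before each record."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic 0xA1B2C3D4 as stored
    frames, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frames.append(decode(len(frames) + 1, data[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return frames

def next_in_conversation(frames, no):
    """Frame number of the next packet between the same two IP:port endpoints, either direction."""
    ends = lambda f: {(f["ip.src"], f["tcp.srcport"]), (f["ip.dst"], f["tcp.dstport"])}
    for f in frames[no:]:
        if f["proto"] == "TCP" and ends(f) == ends(frames[no - 1]):
            return f["frame.number"]
    return None

def _frame(src, dst, sport, dport, flags):   # Ethernet/IPv4/TCP with zero checksums (parsing only)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture (not the lab's BURNINCANDLE file): SYN, an unrelated flow, then SYN-ACK."""
    frames = [_frame("10.0.19.14", "203.0.113.5", 62179, 80, 0x02),
              _frame("10.0.19.14", "203.0.113.9", 62180, 443, 0x02),
              _frame("203.0.113.5", "10.0.19.14", 80, 62179, 0x12)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # v2.4, LINKTYPE_ETHERNET
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in frames)
```

To run it against the lab's real capture, replace sample_pcap() with the bytes of the downloaded file; the unrelated middle frame in the sample shows why "next frame" is not simply "frame number plus one".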

Part 3 - Host Information from DHCP Traffic

To locate the host name in the PCAP file, search for the DHCP DORA (Discover, Offer, Request, Acknowledge) packets:
In the filter bar, type dhcp.
Click the DHCP Request packet.
Expand the TCP section, and then choose Option (12) Host Name.
Host Name = DESKTOP-5QS3D5D
This concludes this lab.

Please discuss the following questions with your instructor.

LAB SUBMISSION REQUIREMENTS

Please submit a PDF with the following:

1. A screenshot of the snapshot taken once the lab is completed.
2. One to three screenshots demonstrating the configurations that you made
during this lab.
3. The discussion questions with your answers.

DISCUSSION QUESTIONS:

1. Can Wireshark modify packets?

[type answer name here]

2. What can you determine from the PCAP File?

[type answer name here]

3. How do I get information from a PCAP File?

[type answer name here]

4. How do I edit a PCAP File?

[type answer name here]

5. What files can Wireshark read?

[type answer name here]
