Task 1(warm up)

Download the following pcap file:(http://nsl.cs.waseda.ac.jp/~mori/data/warmup.pcap)
For the following tasks, you can use tcpdump and GNU command-line tools such as cat, wc, sort, uniq, grep, awk, and etc. If you want, you can also use your favorite script language such as Python, Ruby, Perl, or whatever. You are NOT allowed to use wireshark here.

1.1 count the number of total frames

Using the WireShark software:
result is 100,000
Using the wireshark command on CentOS: tshark

yum install -y wireshark
tshark -r warmup.pcap | wc -l

result is 100,000

using capinfos

capinfos warmup.pcap | grep "Number of packets"| tr -d " " | cut -d ":" -f 2

Using tcpdump

tcpdump -r test.cap 2>/dev/null| wc -l

failed!!!???

1.2 count the number of IPv4 packets

Using the WireShark software:
95860

1.3 count the number of IPv6 packets

Using the WireShark software:
4171

1.4 count the number of IPv4/tcp packets

Using the WireShark software:
73343

1.5 count the number of IPv4/udp packets

Using the WireShark software:
6347

1.6 count the number of distinct source IPv4 addresses:

Using the WireShark software
6299

1.7 count the number of distinct destination IPv4 addresses

Using the WireShark software
15839

1.8 list the top-10 source IP addresses that appeared the most.

Using the Wireshark software

203.50.118.210    74.157.109.74    17.157.75.206     163.162.85.250    162.98.176.7
31.242.205.139    23.32.18.78      104.167.125.139   203.50.109.231    203.50.109.226

1.9 list the top-10 destination IP addresses appeared the most

Using the Wireshark software

202.139.239.243    202.133.50.192    203.50.118.210    203.50.100.162    13.181.101.53 
163.162.250.91     202.139.239.29    202.133.18.189    163.162.113.121   163.162.15.96

Task 2

download the following file: (http://nsl.cs.waseda.ac.jp/~mori/data/first2015.pcap)
Note: this pcap file is a part of the dataset used in the following training event: (https://www.first.org/resources/papers/conf2015/first_2015_-_hjelmvik-erik-_hands-on_network_forensics_20150604.pdf)

2.1 extract the query names from DNS query packets

Python pyshark

mycompany.com', 'pop.gmx.com', 'password-ned-xp.pwned.se', 'password-ned-xp', 'safebrowsing.google.com', 'safebrowsing-cache.google.com', 'clients2.google.com', '_ftp._tcp.local', 'clients4.google.com', 'client.dropbox.com', '_ipp._tcp.local', 'navigator-bs.gmx.com', 'accounts.google.com', '_ipps._tcp.local', '16-0.19-a3000081.20081.1644.1e39.2f4a.210.0.lsfzcu3cfr5h1cip6rdsa7h5uj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.6fnn1j35k3nnmigna2v11i9swj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.5qzbq178cpcpkz3ash969p4vtb.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.5qwgzz8ezez1mwk72db4mfbk7t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.q5geq2e7kll2zfk2mrugnuh14q.avts.mcafee.com', 'a-0.19-a30000c1.d040083.1644.1e39.2f4a.210.0.94rhhfkzeebvlhkzt644av1snj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.n16ddjdlrwenfmj61er2jgkb6b.avts.mcafee.com', 'c.14-0.19-a3000081.8010081.1644.1e39.2f4a.210.0.dae44v4q334j48qqwp95jaad5t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.9euk3unrrrp7k71c4r3c4mkv2t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.tdnt4a1hciwwwq61tm1ef4b3kb.avts.mcafee.com', 'c-0.19-a3000071.40481.1644.1e39.2f4a.210.0.du5czgeg5ng1hjphkd7j21qhdi.avts.mcafee.com', '16-0.19-a3000071.10081.1644.1e39.2f4a.210.0.vtb7pr9gljq31vf9tvfllftapq.avts.mcafee.com', 'a-0.19-a3000071.d020082.1644.1e39.2f4a.210.0.25nahcdech5gsrv9ecemf2lbkt.avts.mcafee.com', 'c-0.19-a3000081.70481.1644.1e39.2f4a.210.0.clq6shkdqf4qk2l2h7f23zrbdj.avts.mcafee.com', 'wpad.pwned.se', 'wpad', 'watson.microsoft.com', 'c-0.19-a7000008.8a70083.1644.1e39.2f4a.210.0.sp4llip8fbzphb22g2r6w8iu1j.avts.mcafee.com', 'go.microsoft.com', 'ctldl.windowsupdate.com', 'dmd.metaservices.microsoft.com', 'a-0.19-a3000081.9110081.1644.1e39.2f4a.210.0.5wauzj8kclu1up9r1vmvdufkaj.avts.mcafee.com', 'c-0.19-a3000081.50481.1644.1e39.2f4a.210.0.tzbz944k79p2izgrrwssktv4p6.avts.mcafee.com', 'c-0.19-a3000008.60081.1644.1e39.2f4a.210.0.iu67rk8f86junz2fmh7vk62c2b.avts.mcafee.com', 'compatexchange.trafficmanager.net', 'ocsp.msocsp.com', 'watson2.microsoft.com', 'notify8.dropbox.com', 'clients1.google.com', 'client-lb.dropbox.com', 'tools.google.com', 'redirector.gvt1.com', 'r6---sn-uxap5nvoxg5-5goe.gvt1.com', 'clients3.google.com', 'apis.google.com', 'mail.google.com', 'ssl.gstatic.com', 'www.google.com', 'www.google.se', 'www.googleapis.com', 'www.gstatic.com', 'translate.googleapis.com', 'mtalk.google.com', 'accounts.youtube.com', 'clients2.googleusercontent.com', 'zkygedkpyzdll.pwned.se', 'ltynerolirvuzj.pwned.se', 'ghurdoi.pwned.se', 'zkygedkpyzdll', 'ltynerolirvuzj', 'ghurdoi', 'changelogs.ubuntu.com', '3c-bs.gmx.com', 'isatap.pwned.se', 'Dell-Dator32', 'services.addons.mozilla.org', 'ocsp.digicert.com', 'versioncheck-bg.addons.mozilla.org', 'gfe.nvidia.com', 'addons.mozilla.org', 'blocklist.addons.mozilla.org', 'www.hipchat.com', 'ad.doubleclick.net', 'www.skybluecanvas.com', 'www.php.net', 'www.zend.com', 'php.net', 'ajax.googleapis.com', 'edit.php.net', 'bugs.php.net', 'example.com', 'www.example.com', 'softontherocks.blogspot.com', 'msdn.microsoft.com', '146.49.195.217.in-addr.arpa', 'versioncheck.addons.mozilla.org', 'fhr.data.mozilla.com', 'aus4.mozilla.org', 'lc.mcafee.com', 'update.nai.com', 'mirrorlist.centos.org', 'ftp.acc.umu.se', 'ftp.heanet.ie', 'mirror.23media.de', 'mirror.omnilance.com', 'ftp-stud.hs-esslingen.de', 'ftp.uni-bayreuth.de', 'mirror.serverbeheren.nl', 'ftp.nluug.nl', 'ftp.uni-kl.de', 'mirror.i3d.net', 'mirrors.nic.cz', 'mirror.de.leaseweb.net', 'fedora.uib.no', 'mirror.vutbr.cz', 'ftp.colocall.net', 'mirror.oss.maxcdn.com', 'fedora.tu-chemnitz.de', 'mirror.switch.ch', 'ftp.fi.muni.cz', 'ftp.linux.cz', 'ftp.upjs.sk', 'mirrors.neterra.net', 'mirror.nonstop.co.il', 'www.mirrorservice.org', 'ftp.mirrorservice.org', 'mirror.karneval.cz', 'anorien.csc.warwick.ac.uk', 'ftp.crc.dk', 'mirrors.telianet.dk', 'mirror.nl.leaseweb.net', 'mirror.duomenucentras.lt', 'ftp.wrz.de', 'ftp.icm.edu.pl', 'mirrors.uni-ruse.bg', 'vesta.informatik.rwth-aachen.de', 'mirror.euserv.net', 'mirror.proserve.nl', 'epel.mirrors.ovh.net', 'mirrors.n-ix.net', 'mirror.uv.es', 'mirror.datacenter.by', 'mir01.syntis.net', 'mirror-fr2.bbln.org', 'fedora.ip-connect.vn.ua', 'mirror-fr1.bbln.org', 'mirror.imt-systems.com', 'www.fedora.is', 'ftp.fedora.is', 'mirrors.ircam.fr', 'mirror.dgn.net.tr', 'mirror.bytemark.co.uk', 'ftp.astral.ro', 'ftp.linux.org.tr', 'mirror.vit.com.tr', 'mirror.vorboss.net', 'mirrors.coreix.net', 'epel.check-update.co.uk', 'ftp.pbone.net', 'mirror.slu.cz', 'fr2.rpmfind.net', 'repo.boun.edu.tr', 'ftp.cc.uoc.gr', 'mirror.yandex.ru', 'mirrors.ukfast.co.uk', 'mirror.fraunhofer.de', 'fedora-epel.skarta.net', 'mirror.kinamo.be', 'mirror.bacloud.com', 'mirror.pmf.kg.ac.rs', 'epel.besthosting.ua', 'mirror.digitalnova.at', 'be.mirror.eurid.eu', 'ftp.uma.es', 'mirror.ibcp.fr', 'centos.vianett.no'

2.2 list the top-10 query names that appeared the most in the DNS request packets.

Python pyshark

mycompany.com    safebrowsing-cache.google.com    pop.gmx.com    safebrowsing.google.com    www.google.com  
 password-ned-xp   password-ned-xp.pwned.se    mail.google.com    clients4.google.com   navigator-bs.gmx.com

2.3 what was the IP address of the server named "mycompany.com" ?

wireshark

192.168.0.2

3. Task 3

use the pcap file downloaded at task 2.
hint: POP3 users TCP port number 110 (plain text).

3.1 identify the POP3 password registered for user with the e-mail address of [email protected].

wireshark

pop.request.command == "PASS"

3.2 what was the subject of e-mail message the user with email address of [email protected] received from the pop server on 19:32:36 with the command of "RETR 15".

wireshark

tcp.port == 110 and pop

Subject: HipChat power tips for power users

3.3 what was the name of the pop3 server used by [email protected]?

wireshark
[email protected]
212.227.17.187

Task 4

use the pcap file downloaded at task 2.
python pyshark

4.1 list all the HTTP user-agent appeared in the HTTP flows (remove duplicates).

Microsoft-Windows/6.1 UPnP/1.0
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
McAfee Agent
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
urlgrabber/3.10 yum/3.4.3
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Microsoft-CryptoAPI/6.1
MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2251.0 Safari/537.36
Morfeus Fucking Scanner
netscan.gtisc.gatech.edu
Python-urllib/3.4
WicaAgent

4.2 what was the HTTP user-agent that appeared most?

Microsoft-Windows/6.1 UPnP/1.0

Appeared 290 times

4.3 present the URL accessed from a client with HTTP user-agent of "Python-urllib/3.4".

http.user_agent == "Python-urllib/3.4"

(http://changlogs.ubuntu.com/meta-release)

4.4 what is drawn in the file named fr.jpg?

(http.user_agent) && (http.request.method == "GET")

The catalog of a websit
(http://www.pwned.se/skyblue/fr.jpg)

Task 5

use the pcap file downloaded at task 2.
hint: TLS uses TCP port 443.

5.1 identify the largest TCP flow that users TLS and present its 5-tuple, i.e., src IP address, dst IP address, protocol, src port, and dst port.

wireshark statistics and tcp.port = 443

src IP = 192.168.0.54   port = 51197
dst IP = 216.58.209.101   port = 443
protocol = tcp

5.2 identify the name of the server in the flow detected above.

5.3 list all the hostnames of the servers that used SSL/TLS (hint: use the SNI field).

Task 6

use the pcap file downloaded at task 1.
perform the periodical packet sampling; i.e., for each block containing 100 packets, sample the first packet.
perform the random packet sampling, i.e., sample each packet with the probability of 0.01.

6.1 count the number of total TCP packets for original data, periodically sampled data, and randomly sampled data

Origin data: 77317 TCP packets
Periodically sampled data: 803 TCP packets(total 970 packets)
Randomly sampled data: 742 TCP packets(total 982 packets)

6.2 count the number of distinct source IP addresses for original data, periodically sampled data, and randomly sampled data

Origin data: 15839 distinct source IP addresses
Periodically sampled data: 200distinct source IP addresses(total 970 packets)
Randomly sampled data: 141distinct source IP addresses(total 982 packets)

6.3 discuss the difference between (1) and (2).

The random sample method has more similar features with origin data.

Homework of ANS