ISCS 3523 Event Analysis Lab2

The document appears to be a lab report analyzing network traffic from a packet capture file. It describes running analysis tools on the capture file and answering questions about the traffic. The summary is: 1) The lab report analyzes a 8.96 second packet capture file containing 2449 packets and 8111157 bytes of traffic. 2) The analysis found the traffic was on a local network with 5 nodes, including a host computer with IP 172.16.1.35 running Windows. 3) The capture showed the user accessing an ISP site and downloading images, which caused a transmission spike in the traffic.

Uploaded by Hamza Bhatti

NAME:

STUDENT ID#
LAB#

10/15/2022
ISCS 3523
Event Analysis

I open the given capture file using the SimSpace tools NetworkMiner, Brim, Wireshark and
SNORT on a Win-Hunt VM.
I perform an analysis on the captured traffic and consider the following questions:
a. How long did the session capture last?
Answer: The total time taken by the session is 8.96900 seconds, as shown in the
screenshot below.
Screenshot taken from Snort’s results

Screenshot taken from Wireshark’s results

b. How many packets were captured?


Answer: The total number of captured packets is 2449, as displayed in the Snort result and
shown in the screenshot below.
Screenshot taken from Wireshark’s results

Screenshot taken from Snort’s results

c. How many bytes were captured?


Answer: In Wireshark I open the Protocol Hierarchy Statistics section; its first line shows
the captured bytes of the file. The results show that 8111157 bytes were captured in total, as
shown in the screenshot below.

d. What protocols were observed?


Answer: The observed protocols are: Ethernet, Internet Protocol Version 4, User Datagram
Protocol, TiVoConnect Discovery Protocol, NetBIOS, SMB, Microsoft Windows Browser
Protocol, Multicast Domain Name System, Dynamic Host Configuration Protocol, Domain
Name System, Transmission Control Protocol, Transport Layer Security, Hypertext Transfer
Protocol, File Transfer Protocol and Address Resolution Protocol [1], as shown in the screenshots
below.

Screenshot taken from Snort’s results

e. When did the bulk of the data get transmitted?


Answer: I open the I/O graph in Wireshark to check when the bulk of the data was
transmitted, and I see that at around 100 seconds the bulk of the data is transmitted, at about
200 packets per second [2], as shown in the screenshot below.

f. What caused this transmission spike?
Answer: Downloading and accessing image files using HTTP over TCP caused this
transmission spike.

g. Were any Internet Service Provider sites accessed? If so, which ones? What
accounts?
Answer: Yes, the internet service provider “homeportal.gateway.2wire.net” was accessed; the
detail [3] is shown in the screenshot below.

h. What is the name of the host computer? Its IP address?


Answer: The name of the host computer is “Kaufman Upstairs, KAUFMAN UPSTAIRS
<00>” and the IP address is “172.16.1.35”, as shown in the screenshot below.

i. What operating system is it using?
Answer: It is using the Windows Professional SP4 operating system, as shown in the screenshot
below.

j. What does the local network look like?


Answer: The local network looks like a LAN that contains 5 nodes: one is the ISP,
one is the gateway and the other three are hosts, as shown in the screenshot below.

k. What device names are on the local network?
Answer: The devices on the local network are:
- homeportal.gateway.2wire.net
- Kaufman Upstairs
- DVR 8525.local
- Kaufman Upstairs “IP network camera”

l. Did I access any other computers on the local area network?


Answer: No, I didn’t access any other computer on the local network; only a few packets
were exchanged between the other computer and the host.

m. Are any other devices on the network?


Answer: Yes, an IP network camera was found on the network, as shown in the
screenshot below.

3) What “story” does the capture file tell?


Answer: The capture file tells the story that a person logs in to the system using FTP with
the credentials “username: anonymous and password: IEUser@” and then runs a few commands to
passively monitor the wireless network, and the attacker succeeds in his mission. The attacker also
downloads some image files and other types of files such as .cert, .dll and .txt.

4) Run the capture file through SNORT. What if any alerts are triggered?
Answer: I run the file through SNORT [4] and I find that two types of alerts are
triggered, as shown in the screenshots below.

The alerts show two types of classifications, given below:

- Unknown Traffic
- Potentially Bad Traffic
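When Snort is run with the fast alert output (`-A fast`), each alert is one line carrying the rule id, message, classification, priority and the flow, and grouping those lines by classification is how the two categories above are normally tallied from the alert file rather than read off a screenshot. The script below is an added example, not part of this report or of Snort: the `SAMPLE_ALERTS` text is constructed for this example (the rule SIDs are in the local 1000000+ range and the messages are made up), the regex follows the fast alert line layout, and `triage` returns, per classification, the alert count, the distinct SIDs, the most severe priority seen and a count of source addresses.

```python
import re
from collections import Counter

# Snort fast-alert line: ts [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?\s+\[Priority:\s+(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample alert.fast content (local SIDs, invented messages); the last line is
# deliberately malformed to show that non-alert lines are counted and skipped, not crashed on.
SAMPLE_ALERTS = """\
10/15-14:02:11.101244  [**] [1:1000001:1] LOCAL traffic on unexpected port [**] [Classification: Unknown Traffic] [Priority: 3] {UDP} 172.16.1.35:5353 -> 224.0.0.251:5353
10/15-14:02:13.557302  [**] [1:1000002:1] LOCAL cleartext FTP login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.1.35:49152 -> 172.16.1.254:21
10/15-14:02:13.902115  [**] [1:1000002:1] LOCAL cleartext FTP login [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 172.16.1.35:49152 -> 172.16.1.254:21
10/15-14:02:15.003001  [**] [1:1000003:1] LOCAL HTTP request without Host header [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 172.16.1.35:49153 -> 10.0.0.1:80
this line is not an alert and must be skipped
"""

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["cls"] = d["cls"] or "Unclassified"  # rules without a classtype print no Classification field
    d["prio"] = int(d["prio"])
    d["src_ip"] = d["src"].rsplit(":", 1)[0]  # strip the port from "ip:port"
    return d

def triage(text):
    """Group alerts by classification: count, distinct SIDs, most severe priority, source hosts."""
    groups, skipped = {}, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
            continue
        g = groups.setdefault(alert["cls"], {"count": 0, "sids": set(), "priority": 99, "sources": Counter()})
        g["count"] += 1
        g["sids"].add(alert["sid"])
        g["priority"] = min(g["priority"], alert["prio"])  # in Snort, priority 1 is the most severe
        g["sources"][alert["src_ip"]] += 1
    return groups, skipped
```

On the sample text `triage` yields the same two classifications the report found, with the Potentially Bad Traffic group holding two alerts from one SID at priority 2 and the Unknown Traffic group two alerts from two SIDs at priority 3, and reports one skipped line. For a real run, feed it the contents of Snort's alert file; the priority field is the quickest way to decide which group to read first.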

Bibliography
[1]. Jain, G. (2021, March). Application of SNORT and Wireshark in network traffic analysis. In
IOP Conference Series: Materials Science and Engineering (Vol. 1119, No. 1, p. 012007). IOP
Publishing.
[2]. Kurose, A.J. and Ross, K.W., 2005. Supplements: Wireshark Labs.
[3]. Volarević, I., Tomić, M., & Milohanić, L. (2022, May). Network forensics. In 2022 45th
Jubilee International Convention on Information, Communication and Electronic Technology
(MIPRO) (pp. 1025-1030). IEEE.
[4]. Rehman, R. U. (2003). Intrusion detection systems with Snort: advanced IDS techniques
using Snort, Apache, MySQL, PHP, and ACID. Prentice Hall Professional.
