Wireshark

Go up to the NWS HW page (md)

Overview

We have seen multiple ways to capture network packets: we can: listen in on the wired network connection, observe the WiFi traffic, execute an in-the-middle attack using a USB Pineapple, ARP spoof, send router redirects, or just run a Scapy Python program. Now that we can observe packets, we are going to start capturing them and analyzing them.

In this assignment you will be analyzing network traffic through Wireshark. You will analyze saved pcap files, save your own pcap files, and analyze live network traffic. Wireshark is installed on the Docker images.

You will be submitting an edited version of wireshark.py (src).

Changelog

Any changes to this page will be put here for easy reference. Typo fixes and minor clarifications are not listed here. So far there aren’t any significant changes to report.

Basic Analysis

Most network analysis comes from saved pcap files. A program, such as tcpdump, will save the file, and then it is analyzed later. In this section, we will walk you through how to analyze a saved pcap file.

Your answers to the questions posed below will go in the wireshark.py (src) file.

First you have to download your pcap file to analyze. You must use your own! The URL to download it is on the Canvas landing page.

After completing this entire assignment, you would be expected to be able to find this type of information in a pcap file without the walk-through that is below.

To start this analysis, we are going to analyze a few separate network connections in the pcap file. This file has 492 packets.

Advanced Analysis

Having just seen the basics of pcap analysis, we are going to look at a more advanced analysis of a pcap file. You are not expected to be able to do this analysis after completing this assignment (although if you can, great!). But you are expected to understand each step, even if you would not have come up with the various steps yourself.

Due to it’s size, the pcap file for this part is in Canvas Files, and is called wireshark_hw.pcap.

Each step indicates how many packets are displayed by the current filters – you should ensure that is the case when you enter the filters yourself.

Questions to answer:

Again, you are not expected to be able to do this part on your own – that requires a lot of experience analyzing network packets. You are expected to understand how each step works, though.

Live Capture

Uh-oh, it looks like there is some malware on the inner container. We don’t know much about it, so you have to figure out what is up and let us know. This file seems to send network traffic, but not much else. It’s been quarantined, and the executable is /usr/bin/run_malware, so you can just run it via run_malware; it is not running by default. You can type “quit” at any time to cause it to exit. If that file is not there, try restarting your Docker containers (docker compose down followed by docker compose up -d).

Note: this is not real malware, and it doesn’t actually do anything malicious. It does send some network data, of course – otherwise there would be no point to this part of the assignment. While you are welcome to try to use other tools to figure out what is going on, the executable has been deigned so that any other tools will not be all that useful. This part of the assignment was explicitly designed to only need Wireshark.

There are at least four different “things” going on in this program. However, you do not need to find all of them for full credit!

You will put your findings in wireshark.py (src).

Wireshark warning: when capturing live network traffic, the network packets are saved to memory. You can restart the capture via the toolbar icon (the green shark fin) – this removes from memory all the captured packets so far. If you leave it running for too long while capturing network packets, it may fill up your computer’s memory, causing slowdown or halting the system. The run_malware program creates around 1 Mb of data every 10 minutes, so it is not likely to be a problem, unless you leave it running overnight or for a very long time. But be aware that if you are on a busy network, it will fill up fast.

Important Mac host note

Mac users MUST run Wireshark on gateway, NOT on inner. The way that Mac hosts run GUIs is to send the display information over the Docker network. If you run Wireshark on inner, you will see all of your display traffic in addition to the traffic that you are trying to analyze – and there is much more display traffic. If you run Wireshark on gateway, then the display traffic goes directly to firewall (via outernet), and you can monitor gateway’s interface to inner (eth0), which will have all the run_malware traffic from inner, but none of the display traffic.

Saving pcaps

The last part of this assignment is to make your own .pcap file. You can do this through Wireshark. The intent is to save enough packets from one of the “malicious” things that the run_malware executable does. You will indicate which one in the wireshark.py (src) file.

You will need to edit your pcap to only have the necessary packets. The intent is not to just save a lot of network data and submit that. There is a maximum file size allowed for this submission! To edit your pcap file, load it into Wireshark (if not already loaded). You can highlight the relevant packets, and select File -> Export Selected Packets. In the dialog box that appears, you have to toggle some of the settings at the bottom – in particular, you will want to change the packet range from “all packets” to “selected packets only”. Also, be sure to save it as a .pcap file type, not a .pcapng (which is what Wireshark defaults to). You can see these selections in the dialog box image to the right.

The capture should be saved to capture.pcap.


Submission

You will be submitting an edited version of wireshark.py (src) as well as your capture.pcap file.