Laura Chappell

Wireshark Challenge 01 Answers

Did you get a chance to try out last week's Wireshark Challenge based on the chappell-WChallenge012024.pcapng? Too easy?


If you didn't - go back and grab the trace file and try it out before looking at the answers below. There's often more than one way to get an answer. Below, I have offered one option for each question.


1. What tool was used for the capture process?

Dumpcap (Wireshark) 4.2.5 (v4.2.5-0-g4aa814ac25a1) - Click the button next to the Expert Info indicator at the left of the Status Bar; that launches the Capture File Properties window (or select Statistics > Capture File Properties).



2. What is Fred's machine's IPv4 address?

10.0.0.157 - Find a DNS Request, TCP SYN, or HTTP2 GET request and look at the source IP address.


3. What is Fred's machine's Ethernet address?

d8:bb:c1:56:61:63 - Since the instructions said the trace file was taken on Fred's machine, we simply need to look at the source Ethernet address on packets sent from Fred's machine - any of the packets used for #2 will do.


4. What is/are the IP address(es) of the DNS server(s)?

75.75.75.75 and 75.75.75.76 - A simple dns filter will reveal the answer here; the servers are the destination of the queries and the source of the responses. If we want to view just the responses, filter on dns.flags.response == True.


5. What operating system is running on Fred's machine?

Windows - HTTP/2 GET requests contain a user-agent field that defines the browser and operating system of the source.


6. Is Fred likely located on the East or West coast of the US?

West coast - we might make that assumption given the answer to #9, but we can actually locate an indication inside a TLS Client Hello where the Server Name field offers interesting insights into the communications.


7. What browser is Fred using?

Firefox - This is visible in the user-agent field - see #5.


8. In what sport is Fred interested?

Ice Hockey - the DNS traffic gives this away. Use that dns filter again, just like in #4, and note the many references to the NHL (National Hockey League) in the queried names.


9. In what team is Fred interested?

San Jose Sharks (sad... what a terrible year they had) - again, the DNS traffic gives this away.
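To show what the dns and dns.flags.response == True filters used in #4, #8 and #9 are actually testing, here is a small Python parser written for this answer page (it is an added example, not code from the original post or from Wireshark). It builds a constructed DNS query and response, reads the QR bit of the flags word (the bit dns.flags.response reports), decodes the queried names, and tallies the labels the way you would eyeball the Name column. The transaction IDs, host names and addresses are made up.

```python
import struct
from collections import Counter

# Constructed sample data: names and addresses are made up, not taken from the challenge trace.

def encode_name(name):
    """Encode a dotted host name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_query(txid, name):
    """Standard query: QR=0, RD=1, one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ipv4):
    """Matching response: QR=1, RD=1, RA=1, one question and one A answer (name compressed)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), end

def parse_dns(msg):
    """Parse header flags, questions and answers. is_response is the QR bit (dns.flags.response)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": [], "answers": []}
    pos = 12
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        info["questions"].append((name, qtype))
    for _ in range(an):
        name, pos = decode_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        info["answers"].append((name, rtype, rdata))
    return info

def queried_names(messages, only_responses=False):
    """Equivalent of applying 'dns' (or 'dns.flags.response == True') and reading the Name column."""
    names = []
    for msg in messages:
        parsed = parse_dns(msg)
        if only_responses and not parsed["is_response"]:
            continue
        names.extend(name for name, _ in parsed["questions"])
    return names

def label_tally(messages):
    """Count individual labels across all queried names; repeated labels hint at interests (#8, #9)."""
    tally = Counter()
    for name in queried_names(messages):
        tally.update(name.split("."))
    return tally

SAMPLE = [                                              # constructed traffic
    build_query(0x1234, "stats.nhl.example"),
    build_response(0x1234, "stats.nhl.example", "198.51.100.7"),
    build_query(0x1235, "cdn.example.net"),
    build_response(0x1235, "cdn.example.net", "198.51.100.8"),
    build_query(0x1236, "tickets.nhl.example"),
]

if __name__ == "__main__":
    print(queried_names(SAMPLE, only_responses=True))
    print(label_tally(SAMPLE).most_common(3))
```

The QR bit is the top bit of the 16-bit flags word, which is why a response-only view needs a flag filter rather than just the dns protocol filter; the label tally is the scripted version of noticing that one name keeps recurring in the Name column.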


10. What TLS version(s) does Fred's machine support?

TLS 1.2 and TLS 1.3 - inside the TLS Client Hello packets, we must look for and expand the "supported versions" extension section.
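For #6 and #10 the relevant bytes sit inside the Client Hello itself. The following Python example is added here for illustration (it is not code from the original post; the host name, cipher list and version list are constructed). It builds a minimal TLS record carrying a Client Hello, then parses out the server_name and supported_versions extensions. It also makes the point behind #10 concrete: a TLS 1.3 client still writes 0x0303 (TLS 1.2) in the legacy version field, so the versions the client really supports are only visible in the extension.

```python
import struct

TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                     0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B

def build_client_hello(server_name, versions, ciphers=(0x1301, 0x1302, 0xC02B)):
    """Assemble a minimal TLS record carrying a ClientHello with SNI and supported_versions.
    Constructed for this example: the random is zeroed and the cipher list is illustrative."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    ver_list = b"".join(struct.pack("!H", v) for v in versions)
    sv_body = bytes([len(ver_list)]) + ver_list
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    extensions = sni_ext + sv_ext
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303)                   # legacy_version: 0x0303 even for TLS 1.3
            + bytes(32)                                 # random (zeroed here)
            + b"\x00"                                   # legacy_session_id length 0
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return legacy version, SNI host name and the supported_versions list from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                        # skip legacy_version and random
    pos += 1 + body[pos]                                # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                # compression methods
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    result = {"legacy_version": TLS_VERSION_NAMES.get(legacy_version, hex(legacy_version)),
              "server_name": None, "supported_versions": []}
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p < 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    result["server_name"] = data[p + 3:p + 3 + name_len].decode()
                p += 3 + name_len
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            count = data[0] // 2
            codes = struct.unpack("!%dH" % count, data[1:1 + 2 * count])
            # unknown codes (for example GREASE values) are kept as hex rather than dropped
            result["supported_versions"] = [TLS_VERSION_NAMES.get(v, hex(v)) for v in codes]
    return result

if __name__ == "__main__":
    hello = build_client_hello("www.example.com", [0x0304, 0x0303])
    print(parse_client_hello(hello))
```

In Wireshark the same two values are exposed as the tls.handshake.extensions_server_name and tls.handshake.extensions.supported_version fields, so either can be added as a column to answer #6 and #10 across every Client Hello at once instead of expanding packets one by one.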

How did you do? Did you add and sort any columns? Did you apply other display filters?

This is great practice!


Cheers!

4 Comments


su xeko
Jul 03

This blog is exceptional. It was a pleasure to read your articles. This book was exceedingly entertaining for me. I have bookmarked it and am enthusiastic about reading additional content. Maintain your exceptional performance! foodle


jmb69997
Jun 28

12312


Harald Norvik
Jun 21

A few comments on your answers: #5 - OS on Fred's machine: The capture file properties show Windows 11 (23H2) while Firefox advertises Windows 10. I noticed the HTTP2 GET but I decided to put my trust in Wireshark rather than Firefox. #6 - Location East or West: Statistics Endpoint IP will show City / Longitude with the maxmind db installed. Then filter all SYN/SYN-ACK sequences and add a column for time since previous frame in this stream. IPs that reply to Fred's SYN and have the lowest delta time are then closest to Fred. Verify those against the list of endpoints and I agree that Fred is most likely on the West Coast.

Keep more of these challenges coming. It…

Harald Norvik
Jun 21

But then the capture could have been done off a network tap or span port, hence the Firefox HTTP2 OS would be correct. I wonder if there is a way to find out from the capture if the device that ran dumpcap is the same as Fred's host? I don't see the normal switch based chatter, so it could then be an export of a subset of the packets in the original capture...
