Hi all!
I have been given an assignment of various exercises, one of which is about a .pcap file. Let me preface this with 2 things:
- The rest of the assignment is not terribly complicated, but requires some knowledge of the underlying problem (e.g. Python programming, or in this case .pcac files)
- I do NOT have any kind of experience in .pcap analysis.
So here is the context. I have been given a .pcap file, containing around 16k simulated (I'm assuming) packages lapsing 4 minutes of activity on a random day. I am told that "someone is doing something suspicious, and we need to investigate", and give IP/hostname and so on. After fiddling for a couple days, I think I am able to extract those things easily once I figure out which is the suspicious activity.
But I have no idea where to start to figure out what is suspicious. I have no other context.
What I tried so far:
- Looking at the Expert Information tab of Wireshark. This gave me 2 Warning types (D-SACK sequence, and Connection Reset (RST), with multiple IP for each, so I wouldn't be sure which one is at fault), and 1 Error type (Expected: 6 bytes, one singular IP is sending something on port 4000 that Wireshark recognize as a malformed KNX/IP - however, if I disable that extension from Wireshark (as advised on some other website), it turns out to be a normal UDP protocol. So I am not sure if that is something to be wary of.
- By filtering HTTP requests, all of them but 2 go through port 80. The 2 others go through port 6969 - I thought that was it, but after some research I found out it's a "normal" port for some kind of torrent, and lots of activity on this server goes for a (legal) torrent website, so again I think that's not what I need to look for.
- As advised somewhere else, I tried to look for people sending way more SYN message than the amount of ACK messages they receive back. The 2 people sending the most SYN messages have respectively 25 and 16 SYN, and 25 and 16 ACK. (To be noted, the IP with 25 SYN also appears in the warning from point 1, as having a lot of Connection Reset (RST).
- Finally, out of frustration, I tried random filters and looked around at color coded messages, and found one IP in TCP protocol that appeared black - the only activity on the server is a TCP retransmission of the same message (I assume, since the size never changes), for a total of 9 times. No other activity from this IP, and no other exchange happening, which makes me believe that's not the culprit, since I there is not enough activity to answer some of the questions of the assignment with them.
I hope I made it clear, sorry for any mistake I made with my explanation - I am not sure what I am supposed to be doing here. I'm looking for any clue as to where to look for a "suspicious activity".
Thanks!
No comments:
Post a Comment