Task
Your task is to perform an analysis of the network traffic capture
contained in the file:
“Inn550-2010-assignment2.pcap”
The main tool you will need to perform the analysis is WireShark. Note
that the file contains a lot of packets (67,995 in total) so you will need to
be clever about how you perform the analysis. Looking at each packet
individually will not be time well spent.
The network traffic capture was obtained from the host with the IP
address 58.168.247.171. It is suspected that this host was compromised
and that details of what happened after the computer was compromised
are contained within the provided file. You should try to determine the
nature of the compromise and detail the activities undertaken by the
perpetrator. Note that the network traffic capture file contains no Layer 2
network data so you do not have any details about the link layer.
You should verify that you have a correct copy of the file:
While WireShark will be very useful to you during your analysis you should
explore the use of other tools to assist with your analysis. Examples of
tools that may be useful include: tcpflow, whois, GeoIP, Snort, and
pyFLAG. You do not have to use any of these tools - you might find other
tools that are more useful. You should, however, aim to use at least two
(2) tools in addition to WireShark. Clearly you should not report on every
packet! You need to think about how to group together related packets
and summarise (or characterise) the activity that is occurring within them.
The following section should give you a clearer idea of what your report is
expected to contain.
Further Details
Your report should include discussion of the following:
2. A section which describes, to the extent possible, the nature of the host
from which the network traffic capture was obtained. This should include,
at least:
- identify the location and owner of the IP address being monitored;
- a list of the services running on the monitored host;
- a summary of the types of traffic that the host receives;
- a summary of the traffic initiated by the monitored host;
- where possible, give an indication of the versions of the server and client applications observed in the traffic.
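An added example (not part of the assignment or its capture file) of how the host profile above can be derived straight from the pcap format rather than by paging through packets: a minimal parser for a capture with no link layer, which assumes link type LINKTYPE_RAW (101) and should be confirmed against the capture file properties in Wireshark, plus a constructed sample capture using documentation-range addresses in place of the real file.

```python
import struct
from collections import Counter
MONITORED = "58.168.247.171"  # monitored host named in the assignment
LINKTYPE_RAW = 101            # raw IP link type: the capture carries no layer-2 header

def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport, tcp_flags) for each IPv4 packet of a raw-IP pcap."""
    e = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"  # header byte order
    assert struct.unpack_from(e + "I", data, 20)[0] == LINKTYPE_RAW, "only raw-IP captures handled"
    off = 24  # first record header follows the 24-byte file header
    while off + 16 <= len(data):
        incl = struct.unpack_from(e + "I", data, off + 8)[0]  # captured length of this record
        pkt, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            continue  # not IPv4
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
        sport = dport = flags = None
        if proto == 6 and len(pkt) >= ihl + 14:
            sport, dport = struct.unpack_from("!HH", pkt, ihl)
            flags = pkt[ihl + 13]  # TCP flag byte: 0x02 = SYN, 0x04 = RST, 0x10 = ACK
        yield src, dst, proto, sport, dport, flags

def profile_host(data, host=MONITORED):
    """Return (listening ports, connections initiated, inbound packets per IP protocol) for host."""
    services, initiated, inbound = Counter(), Counter(), Counter()
    for src, dst, proto, sp, dp, fl in parse_pcap(data):
        if src == host and fl is not None and (fl & 0x12) == 0x12:
            services[sp] += 1          # SYN/ACK sent by host: a listening service answered
        elif src == host and fl is not None and (fl & 0x12) == 0x02:
            initiated[(dst, dp)] += 1  # bare SYN from host: outbound connection attempt
        if dst == host:
            inbound[proto] += 1
    return dict(services), dict(initiated), dict(inbound)
def _ip_tcp(src, dst, sport, dport, flags):  # minimal IPv4+TCP packet, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
def build_pcap(packets):  # little-endian raw-IP pcap: 24-byte file header, 16-byte record headers
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

# Constructed sample (documentation-range addresses), standing in for the real capture file.
SAMPLE = build_pcap([
    _ip_tcp("203.0.113.5", MONITORED, 40000, 22, 0x02),     # client SYN to port 22
    _ip_tcp(MONITORED, "203.0.113.5", 22, 40000, 0x12),     # host SYN/ACK: a service listens on 22
    _ip_tcp("203.0.113.5", MONITORED, 40001, 80, 0x02),     # client SYN to port 80
    _ip_tcp(MONITORED, "203.0.113.5", 80, 40001, 0x14),     # host RST/ACK: nothing listens on 80
    _ip_tcp(MONITORED, "198.51.100.9", 50000, 6667, 0x02),  # host opens an outbound connection
])
```

Running `profile_host(open("Inn550-2010-assignment2.pcap", "rb").read())` on the real file gives the same three summaries; the RST/ACK case shows why a reply from the host is not by itself evidence of a running service.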
7. Finally, you should conclude your report with a summary of the main
findings of your analysis.