TryHackMe | Wireshark: Packet Operations Writeup

Carson Shaffer
9 min read · Jul 15, 2022

TryHackMe has released another new Wireshark room. The first one was an awesome introduction to Wireshark and covered the basics. This room introduces the statistics menu, protocol details, packet filtering, protocol filtering, and advanced filtering. This is a writeup of how to solve each task and the steps necessary to do so.

Task 1: Introduction

1. Read the task above.
Read the information and click “Completed”.


Task 2: Statistics | Summary

1. Investigate the resolved addresses. What is the IP address of the hostname that starts with “bbc”?
Opening up the “Resolved Addresses” window under “Statistics” allows us to search for an entry in the “Hosts” tab. Searching for “bbc” reveals the IP address.


2. What is the number of the TCP Data packets?
In the “Statistics” menu, there is a “Protocol Hierarchy” option. This window shows the number of packets in each protocol along with other useful information. Under Transmission Control Protocol there is a section for the number of Data packets.


3. What is the number of IPv4 conversations?
This can be found by selecting “Conversations” in the “Statistics” menu. The top of the screen will display the number of conversations for Ethernet, IPv4, IPv6, TCP, and UDP.


4. How many bytes (k) were transferred from the “Micro-St” MAC address?
Selecting “Endpoints” under “Statistics” shows a list of 26 Ethernet addresses along with information about the packets associated with each address. Enabling the “Name Resolution” option shows the resolved vendor name for each address, among which “Micro-St” can be found.


5. What is the number of IP addresses linked with “Kansas City”?
The “Endpoints” tab from the last question can be changed to look at the IPv4 addresses along with things like the city and country. You can then scroll through the list until you come across the ones from Kansas City.

6. Which IP address is linked with “Blicnet” AS Organisation?
Still looking at the IPv4 endpoints, you can sort the list by organization and look for “Blicnet d.o.o” which shows the IP address associated with it.


Task 3: Statistics | Protocol Details

1. What is the most used IPv4 destination address?
Navigating to Statistics>IPv4 Statistics>Destinations and Ports brings up a list of every destination address along with a count. Sorting by count in descending order shows the most used IP address.


2. What is the max service request-response time of the DNS packets?
Selecting the “DNS” option under “Statistics” provides a menu with different information. Under the “Service Stats” drop-down item there is an item titled “request response time (secs)” which shows the average, minimum, and maximum value.


3. What is the number of HTTP Requests accomplished by “rad[.]msn[.]com”?
Looking at Statistics>HTTP>Load Distribution shows a window with each address and the number of requests. Sorting by Topic/Item and scrolling to the URL shows the count.


Task 4: Packet Filtering | Principles

1. Read the task above.
Read the information and click “Completed”.

Task 5: Packet Filtering | Protocol Filters

1. What is the number of IP packets?
To count the IP packets, we have to display only those packets. To do this, we can use the display filter bar near the top of the screen: simply type “ip” into the bar and hit enter. The number of packets will be shown in the “Displayed:” category at the bottom of the window.

2. What is the number of packets with a “TTL value less than 10”?
TTL is the time to live value of a packet. It is included in the Internet Protocol tab when viewing a packet, and filtering for it follows that same convention. If we filter for “ip.ttl < 10”, all packets with TTL less than 10 will be shown, and the number of packets will show in the “Displayed:” category at the bottom of the window.


3. What is the number of packets which use “TCP port 4444”?
This question uses the tcp.port option when filtering. We have to set it to look for only port 4444. Filtering for “tcp.port == 4444” finds this. Again, we can see the number of packets by looking at the “Displayed:” category.


4. What is the number of “HTTP GET” requests sent to port “80”?
To find the number of port 80 GET requests, we have to start combining different filters. We know we can filter ports by using tcp.port, so we’ll put “tcp.port == 80” into the filter, but next we need to filter by the request method. The filter for this looks at the request method in the HTTP section of the packet, so we can use http.request.method and set it to match only packets that use the GET method. The full filter will look like “tcp.port == 80 && http.request.method == "GET"”. We must use the && operator to ensure that the packets satisfy both requirements. The number of packets is listed in the “Displayed:” category.


5. What is the number of “type A DNS Queries”?
Each DNS message carries a set of flags that are checked and that specify different things about the message. In this case, we are looking for the response flag to be set to 1. We also need the packets to be type A queries. This requires two different DNS fields. The first sets the DNS query type to A, which is done using “dns.qry.type == 1”. The second makes sure that the response flag is set to 1, which is done using “dns.flags.response == 1”. We also have to combine these, so we’ll need to use &&, which means the full filter will be “dns.qry.type == 1 && dns.flags.response == 1”.
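To show what those two filter fields actually dissect, here is an added example (not from the room or the original writeup) that decodes the QR bit behind dns.flags.response and the QTYPE behind dns.qry.type from raw DNS message bytes, then applies the same two conditions. The messages are constructed sample data built by build_dns.

```python
"""Added example: hand-decode the two DNS fields used by the filter
'dns.qry.type == 1 && dns.flags.response == 1' (not the room's own code)."""
import struct

def parse_dns(msg):
    """Return (is_response, qtype) for a DNS message with one question."""
    # Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six big-endian u16).
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    # Walk the QNAME labels: <len><label>... terminated by a zero-length label.
    pos = 12
    while True:
        label_len = msg[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += label_len
    # QTYPE and QCLASS follow the name; QTYPE 1 is A, 28 is AAAA.
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    # dns.flags.response is the QR bit, the top bit of the flags word.
    return bool(flags & 0x8000), qtype

def build_dns(is_response, qname, qtype):
    """Build a minimal one-question DNS message (constructed test data)."""
    flags = 0x8180 if is_response else 0x0100   # standard response / standard query
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    labels = qname.split(".")
    name = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def matches_filter(msg):
    """Equivalent of the display filter 'dns.qry.type == 1 && dns.flags.response == 1'."""
    is_response, qtype = parse_dns(msg)
    return qtype == 1 and is_response

# Constructed samples: only the A *response* satisfies both conditions.
SAMPLES = [
    build_dns(False, "example.com", 1),   # A query: QR=0, excluded
    build_dns(True, "example.com", 1),    # A response: matches
    build_dns(True, "example.com", 28),   # AAAA response: qtype 28, excluded
]

def count_matching(msgs=SAMPLES):
    return sum(1 for m in msgs if matches_filter(m))
```

Because a response echoes the question section, dns.qry.type is present on responses too, which is why this filter counts answered type A lookups rather than the outgoing queries.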


Task 6: Advanced Filtering

1. Find all Microsoft IIS servers. What is the number of packets that did not originate from “port 80”?
To find the Microsoft IIS servers, we use the http.server field with the contains operator to find any packet whose Server header contains “IIS”, so the filter will look like “http.server contains "IIS"”. We then have to combine this with tcp.srcport to look for any packets whose source port does not equal 80, which can be found using “tcp.srcport != 80”. There is a slight problem, though, if we use these as the filter.
Warning about using “!=”

It turns out that the does-not-equal (!=) operator is deprecated, or at least not recommended. The correct number of packets does get displayed this way, but it may not work with different queries. The fix is to use “!(tcp.srcport == 80)”, which removes the warning and shows the correct number of packets. The real correct filter is therefore “http.server contains "IIS" && !(tcp.srcport == 80)”.
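Why the warning exists: a display-filter field such as tcp.port occurs twice in one packet (source and destination port), and in Wireshark versions before 3.6 “field != value” meant “some occurrence differs”, while “!(field == value)” means “no occurrence matches”. The added example below (not from the room or the writeup) models both readings on constructed port pairs; it also shows why the writeup's tcp.srcport filter gave the right count regardless, since that field occurs only once.

```python
"""Added example: model the legacy 'any not equal' reading of != against the
'!(field == value)' reading on single- and multi-occurrence fields (constructed data)."""

# Constructed sample: (tcp.srcport, tcp.dstport) pairs standing in for TCP packets.
PACKETS = [
    (80, 51234),    # server reply from port 80
    (51234, 80),    # client request to port 80
    (4444, 51000),  # neither side is port 80
    (80, 80),       # both sides 80 (unusual, but exercises the edge case)
]

def field_values(pkt, field):
    """Return every occurrence of a field in a packet, as a dissector would."""
    src, dst = pkt
    if field == "tcp.srcport":
        return [src]
    if field == "tcp.dstport":
        return [dst]
    if field == "tcp.port":
        return [src, dst]     # tcp.port matches both ports, so it occurs twice
    raise KeyError(field)

def any_not_equal(pkt, field, value):
    """Legacy meaning of 'field != value': some occurrence differs from value."""
    return any(v != value for v in field_values(pkt, field))

def not_any_equal(pkt, field, value):
    """Meaning of '!(field == value)': no occurrence equals value."""
    return not any(v == value for v in field_values(pkt, field))

def count_matching(packets, predicate, field, value):
    """Number of packets the given filter reading would display."""
    return sum(1 for p in packets if predicate(p, field, value))

if __name__ == "__main__":
    # Single-occurrence field: both readings agree (2 packets each).
    print(count_matching(PACKETS, any_not_equal, "tcp.srcport", 80))
    print(count_matching(PACKETS, not_any_equal, "tcp.srcport", 80))
    # Multi-occurrence field: '!=' keeps 3 packets, '!(... == 80)' keeps 1.
    print(count_matching(PACKETS, any_not_equal, "tcp.port", 80))
    print(count_matching(PACKETS, not_any_equal, "tcp.port", 80))
```

Wireshark 3.6 changed “!=” to mean “all occurrences differ” and added a separate any-not-equal operator, so on a current build both spellings of the tcp.port filter agree; the negated form is still the unambiguous one.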


2. Find all Microsoft IIS servers. What is the number of packets that have “version 7.5”?
As in the last question, to find the Microsoft IIS servers we use “http.server contains "IIS"”. The version number of the server is also found in http.server, so we can use the matches operator to find all that have 7.5, which looks like “http.server matches "7.5"”. The full filter would be “http.server contains "IIS" && http.server matches "7.5"”.


3. What is the total number of packets that use ports 3333, 4444 or 9999?
This question is similar to question 3 in task 5 except instead of filtering for one port we’ll be filtering for three. This is done using the “in” operator along with the list of the three ports surrounded by “{}”. The filter will be “tcp.port in {3333 4444 9999}”.


4. What is the number of packets with “even TTL numbers”?
We used the TTL value earlier by looking at ip.ttl, but now we have to convert it to a string and check whether it is an even number. This is done using the string() function together with the matches operator and the regular expression “[02468]$”, which checks that the value ends in an even digit. The filter will look like “string(ip.ttl) matches "[02468]$"”.


5. Change the profile to “Checksum Control”. What is the number of “Bad TCP Checksum” packets?
To change our profile to the checksum control, we need to navigate to Edit>Configuration Profiles…>Checksum Control>OK. This profile highlights packets which have failed checksums. To filter for these bad checksums, we can use the Analyze>Display Filter Expression… to create a filter. In this menu, we can scroll to tcp.checksum.status or search for it to start making the filter. We’re looking for any that are bad so we can use the “==” operator and the “Bad” value (which in this case is defined as 0) to get the full filter.

Building the correct filter

We can then click “OK” to have this filter automatically fill the filter and get our results.


6. Use the existing filtering button to filter the traffic. What is the number of displayed packets?
On the right side of the Wireshark window right next to the filter, there is a button that has a filter built into it. All we have to do is click it and it will automatically apply this filter to our packets.


Task 7: Conclusion

1. Proceed to the next room and keep learning!
Read the above and click “Completed”.

This concludes TryHackMe’s Wireshark: Packet Operations room. I hope this writeup could be helpful in completing the room! If you are still struggling please leave a comment or message me on Twitter and I will try my best to assist!

Lessons Learned:

  • The statistics tab is incredibly useful in analyzing what happened in the capture
  • Packet filtering makes it easy to find exactly what you’re looking for
  • Creating personalized profiles can allow easy filtering if you’re consistently looking for the same thing

What I would do differently a second time:

I struggled to find the correct filtering option for task 6 question 5. I had to look for a long time and struggle through a lot of the options until I found the correct one. I could have improved on this by using the search bar and searching for different terms. On task 5 question 5 I spent a long time figuring out the second filter; I knew it was type A but I didn’t know it needed to be a response. I think I just didn’t fully read through everything to understand it.

Final Thoughts:

This was a really great addition to the first room. It built upon the foundation of that room and made it slightly more challenging. I learned a lot in this room mostly relating to analyzing the statistics tab and protocol details. “Wireshark: Traffic Analysis” has not been released yet but I’m excited to try it once it comes out!
