Wireshark: Packet Operations

This guide contains the answers, and the steps necessary to reach them, for the Wireshark: Packet Operations room.

Statistics | Summary

  1. Investigate the resolved addresses. What is the IP address of the hostname starts with "bbc"?

Answer: 199.232.24.81

  1. What is the number of IPv4 conversations?

Answer: a435

  1. How many bytes (k) were transferred from the "Micro-St" MAC address?

Answer: 7474

  1. What is the number of IP addresses linked with "Kansas City"?

```cmd
ip.geoip.city == "Kansas City"
```

Answer: 4

  1. Which IP address is linked with "Blicnet" AS Organisation?

```cmd
ip.geoip.org matches "Blicnet.*"
```

Answer: 188.246.82.7

Statistics | Protocol Details

  1. What is the most used IPv4 destination address?

Navigating to "Statistics -> IPv4 Statistics -> Source and Destination Addresses", we can see the packet count for each destination address.

Answer: 10.100.1.33

  1. What is the max service request-response time of the DNS packets?

This can be found under "Statistics -> DNS -> Service Stats". Make sure that you use the same unit as the question (i.e., seconds vs. milliseconds).

Answer: 0.467897

  1. What is the number of HTTP Requests accomplished by "rad[.]msn[.]com"?

This can be found in the "HTTP -> Request" statistics menu. We can filter the data on our specified host name using:

```cmd
http.host matches ".*rad.msn.com.*"
```

Answer: 39

Packet Filtering | Protocol Filters

  1. What is the number of IP packets?

Use the following display filter:

```cmd
ip
```

Answer: 81420

  1. What is the number of packets with a "TTL value less than 10"?

Use the following display filter:

```cmd
ip.ttl < 10
```

Answer: 66

  1. What is the number of packets which uses "TCP port 4444"?

Use the following display filter:

```cmd
tcp.port == 4444
```

Answer: 632

  1. What is the number of "HTTP GET" requests sent to port "80"?

Use the following display filter:

```cmd
(http.request.method == "GET") && (tcp.dstport == 80)
```

For some strange reason the amount I found here wasn't correct. Luckily, it was just 1 shy of the correct answer.

Answer: 527

  1. What is the number of "type A DNS Queries"?

Use the following display filter:

```cmd
dns.a
```

Answer: 51

Advanced Filtering

  1. Find all Microsoft IIS servers. What is the number of packets that did not originate from "port 80"?

Use the following display filter:

```cmd
http.server contains "IIS" && !(tcp.srcport == 80)
```

Answer: 21

  1. Find all Microsoft IIS servers. What is the number of packets that have "version 7.5"?

Use the following display filter:

```cmd
http.server matches "IIS.*7.5.*"
```

Answer: 71

  1. What is the total number of packets that use ports 3333, 4444 or 9999?

Use the following display filter:

```cmd
tcp.port in {3333,4444,9999}
```

Answer: 2235

  1. What is the number of packets with "even TTL numbers"?

Use the following display filter:

```cmd
string(ip.ttl) matches ".*[02468]$"
```

This first converts the TTL value to a string and then matches it against a regular expression that looks for strings ending in an even digit; the leading .* matches whatever digits come before it.

Answer: 77289
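
As an added illustration (not part of the original walkthrough or the room's material), the Python sketch below shows what several of the filters above evaluate at the byte level. The packets are constructed sample data, and `build_packet`, `parse` and `count_matches` are hypothetical helper names.

```python
import re
import struct

def build_packet(ttl, sport, dport):
    """Constructed sample: 20-byte IPv4 header followed by a 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HH", sport, dport) + bytes(16)
    return ip + tcp

def parse(pkt):
    """Extract the fields the filters test: ip.ttl, tcp.srcport, tcp.dstport."""
    ihl = (pkt[0] & 0x0F) * 4   # IPv4 header length in bytes
    ttl = pkt[8]                # TTL is the 9th byte of the IPv4 header
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"ttl": ttl, "srcport": sport, "dstport": dport}

# Python equivalents of display filters used on this page
FILTERS = {
    "ip.ttl < 10": lambda f: f["ttl"] < 10,
    # tcp.port is true when EITHER the source or the destination port matches
    "tcp.port == 4444": lambda f: 4444 in (f["srcport"], f["dstport"]),
    "tcp.port in {3333,4444,9999}":
        lambda f: bool({f["srcport"], f["dstport"]} & {3333, 4444, 9999}),
    # The regex checks that the last decimal digit of the TTL is even
    'string(ip.ttl) matches ".*[02468]$"':
        lambda f: re.search(r".*[02468]$", str(f["ttl"])) is not None,
}

def count_matches(packets):
    """Return {filter text: number of matching packets}."""
    fields = [parse(p) for p in packets]
    return {name: sum(1 for f in fields if pred(f))
            for name, pred in FILTERS.items()}

# Constructed sample traffic as (ttl, srcport, dstport); not from the room's capture
SAMPLE = [build_packet(*t) for t in [
    (64, 51000, 80), (5, 4444, 51001), (128, 51002, 4444),
    (9, 51003, 9999), (63, 3333, 51004), (255, 51005, 443),
]]

if __name__ == "__main__":
    for name, n in count_matches(SAMPLE).items():
        print(f"{n:2d}  {name}")
```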

  1. Change the profile to "Checksum Control". What is the number of "Bad TCP Checksum" packets?

In the bottom right, we must right-click to switch to the "Checksum Profile".

Looking through the display filter expression menu for checksum, we get a hit that we can use.

```cmd
tcp.checksum_bad.expert
```

Click for answer

  1. Use the existing filtering button to filter the traffic. What is the number of displayed packets?

After switching to the correct profile, a display filter button is visible for us to use. It uses the following filter:

```cmd
(http.response.code == 200 ) && (http.content_type matches "image(gif||jpeg)")
```

Answer: 261