Academy/Intro to Network Traffic Analysis/Dissecting Network Traffic with Wireshark Questions

Need some pointers on the second question of this module. The question is “Which employee is suspected of performing potentially malicious actions in the live environment?”

I did a 10-minute packet capture, got over 500 packets, and still can’t figure this out. I followed the HTTP stream and also found no “file.jpeg”. Any help would be appreciated.

I figured this out; wasn’t looking at all the conversations.

I’m struggling with tcpdump fundamentals. In the question:
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII?
I tried:
-X -r /tmp/capture.pcap
-r /tmp/capture.pcap -X
-rX /tmp/capture.pcap

Any tip? :slight_smile:

@CabraCega said:

I’m struggling with tcpdump fundamentals. In the question:
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII?
I tried:
-X -r /tmp/capture.pcap
-r /tmp/capture.pcap -X
-rX /tmp/capture.pcap

Any tip? :slight_smile:

Same issue, and “What TCPDump switch will increase the verbosity of our output?” won’t accept any of -v, -vv, -vvv, -vvvvvvv.

@OvertlyObscure said:

@CabraCega said:

I’m struggling with tcpdump fundamentals. In the question:
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII?
I tried:
-X -r /tmp/capture.pcap
-r /tmp/capture.pcap -X
-rX /tmp/capture.pcap

Any tip? :slight_smile:

Same issue, and “What TCPDump switch will increase the verbosity of our output?” won’t accept any of -v, -vv, -vvv, -vvvvvvv.

Try it without the - :wink:

Hello friends, I am stuck on this question. I have tried all the combinations but nothing works for me:
tcpdump -Xr /tmp/capture.pcap
tcpdump -X -r /tmp/capture.pcap
tcpdump -rX /tmp/capture.pcap
tcpdump -r -X /tmp/capture.pcap

Please, some help!!

@Dannypena said:

Hello friends, I am stuck on this question. I have tried all the combinations but nothing works for me:
tcpdump -Xr /tmp/capture.pcap
tcpdump -X -r /tmp/capture.pcap
tcpdump -rX /tmp/capture.pcap
tcpdump -r -X /tmp/capture.pcap

Please, some help!!

The point is that the question asks you “what command” rather than just “what switch”.
Thus, you should provide the whole command, including sudo.


It works. Thanks!!

I’m having difficulty finding any of the image files mentioned. I was able to find the employee, but when I filter by http && image-jfif like the guide says to, I get nothing. I’ve collected like 900 packets.


Look at all conversations happening… that’s my best clue.

Did you ever end up getting it? I was stuck on this for 2 hours before I figured out that I was supposed to be looking at the pre-captured data from the Wireshark-lab-2.pcap file and NOT data from the nomachine wireshark session.

Hey! I’m having trouble finding the malicious employee in the live environment. Can you give me a hint how to find him/her?

UPDATE: Nvm, I found him.

If anyone needs a nudge for the ‘malicious employee’:

Note it’s not the IP or MAC address that’s required. It’s literally the employee’s login name.

I did the capture but I am lost in it and I have no idea how to find the user. I checked the common protocols but got no result. Could you give me any advice?
The file name for the 1st question has been found, but the 2nd one is difficult for me.

I’m assuming you know the ‘malicious IP address’. Look at other activity from that IP address - at some point the user of that IP address will have logged on, exposing his credentials.
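The advice in this thread (look at every conversation in the capture, not just the one stream, then look for the point where the suspect host logged on over a cleartext protocol) can be done programmatically once you understand the pcap layout. The following is an added example, not code from the module or from any poster: a dependency-free libpcap reader that lists TCP conversations and flags two of the indicators discussed above, a JPEG served over HTTP and a login name sent in the clear. The capture at the bottom is constructed inline (hosts 10.10.10.x, user "jdoe") and is not the lab's Wireshark-lab-2.pcap; on a real file, replace SAMPLE_PCAP with the bytes read from disk.

```python
"""List TCP conversations in a pcap and flag cleartext HTTP artefacts.

Minimal libpcap (microsecond magic, Ethernet link type) reader; no scapy needed.
"""
import base64
import re
import struct
from collections import Counter

ETH_IPV4, PROTO_TCP = 0x0800, 6


def decode_frame(pkt):
    """Return (src_ip, sport, dst_ip, dport, tcp_payload), or None if not IPv4/TCP."""
    if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != ETH_IPV4:
        return None
    ip = 14                                   # IPv4 header starts after Ethernet
    ihl = (pkt[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[ip + 2:ip + 4])[0]
    if pkt[ip + 9] != PROTO_TCP:
        return None
    src = ".".join(map(str, pkt[ip + 12:ip + 16]))
    dst = ".".join(map(str, pkt[ip + 16:ip + 20]))
    tcp = ip + ihl
    if len(pkt) < tcp + 20:
        return None
    sport, dport = struct.unpack("!HH", pkt[tcp:tcp + 4])
    data_off = (pkt[tcp + 12] >> 4) * 4       # TCP header length incl. options
    return src, sport, dst, dport, pkt[tcp + data_off:ip + total_len]


def read_pcap(data):
    """Yield decoded frames; the magic number tells us the record byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a microsecond-resolution libpcap file")
    off = 24                                  # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = decode_frame(data[off:off + incl_len])
        off += incl_len
        if frame:
            yield frame


def analyze(data):
    """Count packets per conversation and collect cleartext HTTP indicators."""
    convs = Counter()
    requests, image_responses, cleartext_logins = [], [], []
    for src, sport, dst, dport, payload in read_pcap(data):
        convs[tuple(sorted([(src, sport), (dst, dport)]))] += 1  # direction-agnostic key
        head, _, body = payload.decode("latin-1").partition("\r\n\r\n")
        if re.match(r"(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n", head):
            requests.append((src, head.split("\r\n", 1)[0]))
            m = re.search(r"^Authorization: Basic (\S+)", head, re.M)
            if m:  # HTTP Basic auth is only base64, so the user name is readable
                user = base64.b64decode(m.group(1)).decode("latin-1").split(":", 1)[0]
                cleartext_logins.append((src, user))
            m = re.search(r"(?:^|&)username=([^&\s]+)", body)
            if m:  # form login posted over plain HTTP
                cleartext_logins.append((src, m.group(1)))
        elif head.startswith("HTTP/1.") and re.search(r"^Content-Type: image/jpeg", head, re.M | re.I):
            image_responses.append((dst, src))  # (client, server) that exchanged a JPEG
    return {"conversations": convs, "requests": requests,
            "image_responses": image_responses, "cleartext_logins": cleartext_logins}


def build_packet(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + TCP frame with dummy MACs and zeroed checksums (test data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_pcap(frames):
    """Little-endian libpcap global header (LINKTYPE_ETHERNET) followed by records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample capture: one workstation fetches a JPEG and later logs in over HTTP.
SERVER, WS1, WS2 = "10.10.10.20", "10.10.10.5", "10.10.10.7"
SAMPLE_PCAP = build_pcap([
    build_packet(WS1, 51000, SERVER, 80, b"GET /file.jpeg HTTP/1.1\r\nHost: intranet.local\r\n\r\n"),
    build_packet(SERVER, 80, WS1, 51000,
                 b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 4\r\n\r\n\xff\xd8\xff\xd9"),
    build_packet(WS2, 40000, SERVER, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.local\r\n\r\n"),
    build_packet(WS1, 51002, SERVER, 80,
                 b"POST /login HTTP/1.1\r\nHost: intranet.local\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\n"
                 b"username=jdoe&password=placeholder"),
])

if __name__ == "__main__":
    result = analyze(SAMPLE_PCAP)
    for (a, b), n in result["conversations"].items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={n}")
    print("JPEG responses (client, server):", result["image_responses"])
    print("cleartext logins (client, user):", result["cleartext_logins"])
```

The conversation key is the sorted pair of endpoints, so both directions of a flow land in one bucket; that is the "Conversations" view Wireshark gives you under Statistics, and it is what lets you pivot from the host that pulled the image to every other flow that host had. The login detection only works because the sample traffic is plain HTTP; the same posts over TLS would yield nothing, which is exactly why this module's lab uses a cleartext protocol.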

The main problem is that I don’t know how to use the live environment.
I can start an SSH session and ens224 is available:
htb-student@nta-sniff01:~$ tcpdump -D
1.ens192 [Up, Running]
2.ens224 [Up, Running]

but when I start Wireshark on my Parrot OS there is no ens224 there, only eth0 and others.
And I cannot start Wireshark in the spawned system; I have no rights to do it.
I know it is a stupid thing, but I am a little bit lost between the systems. :slight_smile:

From memory, you use ‘nomachine’ to remote desktop on the remote machine - the instructions are in the module.

You then load up Wireshark on that remote machine (not your own machine which I think is what you’re doing).

Yes, sounds good, but after connecting to NoMachine this comes up:

and the Username == htb-student does not work :(

That’s the username I used – it worked for me okay with the password.

Note that when you enter the password, what you type is not shown on screen. So type the password into the name field as a test to ensure what you are typing is what is actually being typed on the remote machine.

The remote machine did not type ‘@’ the same as shown on my keyboard - my keyboard is UK but I assume the remote machine keyboard is US, so the key was different from that shown on my keyboard.

I hope that makes sense.

wow, finally I found it:

Thank you very much for your help, I would have given up without you.
When I wanted to log in for the last time, Ubuntu didn’t ask for the 2nd authentication; it just let me in, without the above login window.
Task is done:)