Academy/Intro to Network Traffic Analysis/Dissecting Network Traffic with Wireshark Questions

Need some pointers on the second question of this module. Question is “Which employee is suspected of performing potentially malicious actions in the live environment?”

I did a 10 minute packet capture, got over 500 packets, and still can’t figure this out. I followed the HTTP stream and also found no “file.jpeg”. Any help would be appreciated.

I figured this out; wasn’t looking at all the conversations.

I’m struggling in tcpdump fundamentals. In the question:
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII?
I tried:
-X -r /tmp/capture.pcap
-r /tmp/capture.pcap -X
-rX /tmp/capture.pcap

Any tip? :slight_smile:

@CabraCega said:

I’m struggling in tcpdump fundamentals. In the question:
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII?
I tried:
-X -r /tmp/capture.pcap
-r /tmp/capture.pcap -X
-rX /tmp/capture.pcap

Any tip? :slight_smile:

Same issue, and “What TCPDump switch will increase the verbosity of our output?” won’t accept any of -v -vv -vvv -vvvvvvv

@OvertlyObscure said:

Same issue, and “What TCPDump switch will increase the verbosity of our output?” won’t accept any of -v -vv -vvv -vvvvvvv

try without - :wink:

Hello friends, I am stuck on this question, I have tried all the combinations but nothing works for me
tcpdump -Xr /tmp/capture.pcap
tcpdump -X -r /tmp/capture.pcap
tcpdump -rX /tmp/capture.pcap
tcpdump -r -X /tmp/capture.pcap

Please some help!!

@Dannypena said:

Hello friends, I am stuck on this question, I have tried all the combinations but nothing works for me
tcpdump -Xr /tmp/capture.pcap
tcpdump -X -r /tmp/capture.pcap
tcpdump -rX /tmp/capture.pcap
tcpdump -r -X /tmp/capture.pcap

Please some help!!

The point is that the question asks you “what command” rather than just “what switch”.
Thus, you should provide the whole command, including sudo.

It works. Thanks!!

I’m having difficulty finding any of the image files mentioned. I was able to find the employee, but when I filter by http && image-jfif like the guide says to, I get nothing. I’ve collected like 900 packets.

Look at all conversations happening… that’s my best clue.

Did you ever end up getting it? I was stuck on this for 2 hours before I figured out that I was supposed to be looking at the pre-captured data from the Wireshark-lab-2.pcap file and NOT data from the nomachine wireshark session.
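The two things this thread keeps circling back to, a tcpdump -X style Hex and ASCII dump and Wireshark's per-conversation view with the `http && image-jfif` filter, reproduced on a tiny capture. This is an added illustration written for this page, not code from the module or from any poster; the pcap it parses is constructed in memory (hosts 10.0.0.x, an HTML request and a JPEG download) and is not traffic from the lab or the Wireshark-lab-2.pcap file.

```python
import struct
from collections import Counter

def frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (not lab traffic); minimal headers, no checksums."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload

def pcap(frames):
    """Classic libpcap file: 24-byte global header, then a 16-byte record header per frame (DLT_EN10MB)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames]
    return b"".join(out)

def packets(blob):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP record in the pcap."""
    off = 24
    while off + 16 <= len(blob):
        incl = struct.unpack("<IIII", blob[off:off + 16])[2]
        f, off = blob[off + 16:off + 16 + incl], off + 16 + incl
        if f[12:14] != b"\x08\x00" or f[23] != 6:      # keep IPv4 frames carrying TCP only
            continue
        ihl = (f[14] & 0x0F) * 4
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        tcp = f[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]   # skip TCP header + options

def conversations(blob):
    """Packet count per IP pair, the view Wireshark's Statistics > Conversations gives."""
    return Counter(tuple(sorted((s, d))) for s, _, d, _, _ in packets(blob))

def jfif_transfers(blob):
    """Packets whose HTTP response body starts a JFIF JPEG (roughly what 'http && image-jfif' matches)."""
    return [(s, sp, d, dp) for s, sp, d, dp, p in packets(blob)
            if p.startswith(b"HTTP/1.") and b"\xff\xd8\xff\xe0\x00\x10JFIF" in p]

def hex_ascii(data, width=16):
    """Render bytes the way tcpdump -X does: offset, 2-byte hex groups, printable ASCII."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"0x{off:04x}:  {hexs:<39}  {text}")
    return rows

SAMPLE = pcap([  # constructed sample: a benign page request and a JPEG download between other hosts
    frame("10.0.0.5", "10.0.0.1", 40000, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    frame("10.0.0.9", "10.0.0.7", 80, 41000, b"HTTP/1.1 200 OK\r\n\r\n\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
])
```

Running `conversations(SAMPLE)` lists both IP pairs even though only one of them moves an image, which is the "look at all conversations" hint in practice; `hex_ascii(SAMPLE)` prints the file in the same offset/hex/ASCII layout the -X question is after.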

Hey! I’m having trouble finding the malicious employee in the live environment. Can you give me a hint how to find him/her?

UPDATE: Nvm I found him.