Academy/Intro to Network Traffic Analysis/Dissecting Network Traffic with Wireshark Questions


that-s the point! sudo!

Hey! can you give me a hint for finding the employee name? Cant find it. look at conversations, used ctr+F to filter by string Credent, auth, user or name as the packet details and nothing.

Look at the conversations between IP addresses. Like one of the replies stated, at some point the user has to log in.

LOL thank you so much … ■■■■!

I think that HTB should have made that more clear …

unless I overlooked something, I don’t think there is a very clear cut order to use the


I was stuck on this too, simply because I wasn’t using sudo in my command. I STRONGLY DISAGREE that sudo should be a requirement for this question. Sudo is not required to read a pcap file in /tmp–even if sudo was used to create the pcap. Change my mind :slight_smile:

(this is a general comment, not a specific reply to @laurenchen0631 :+1:)

1 Like

May I suggest the following: I think the exercise with the nomachine setup could be greatly simplified by simply providing the pcap file. the setup with nomachine is really cumbersome, I get timeouts every couple of minutes and reconnecting takes another couple of minutes. Like this it is just a pain.

1 Like


Regarding the malicious employ, does he login trough HTTP or he is login with a different protocol.
Because i was able to find the name of the picture but i am not able to find the username.

I found from the logs that was added a username in Windows with password but this username is not the correct one.

Could you please give a little bit hint, how to find the employee because the question is not so clear.

Thanks in advance.

tanks for noticing this and share it.


I’m stuck in Packet Inception, Dissecting Network Traffic With Wireshark.

I have to connect to a target machine with Nomachine to launch Wireshark, but I can’t find the target IP. It is not shown in the connection instructions and all the IP I’ve tried in the Wireshark-Lab-2-Resources are not reachable from the Pwnbox.

If someone could provide me some help it would be great.


The target is the one you get from “spawn target” in the Questions section. The Wireshark file offered in the ressources it’s only to get the image file, after that you spawn a target and connect to it USING no machine and realize an active scan from there. Check for a POST request there after a few minutes of scan.

Thx I’m dumb sometimes

Keep in mind that if you are using two or more switches together, you only need one “-”. You have -X -r and have two “-” so that’s incorrect. You have -r (Filename) and then -X. That’s incorrect. Then you have -rX. Now look at that one one for a second. In -rX you are telling tcpdump to read first THEN after reading do X. But the command wont work because you interruped the read command with X. Getting the ideas here. Try flipping -rX and same file name. Also the question asked for the command, not the swithces. So it would be sudo tcpdump [your switches] [file name]. sudp tcpdump-** /file name 1/file pcap

yep, “just run everything with sudo” means there’s no use for sudo and you might as well just log in as root.
On the next set of questions, one question is about running tcpdump to capture traffic on an interface. The accepted answer does not include sudo - in real life, without some fiddling, this will actually need sudo

On the Guided Lab: Traffic Analysis Workflow section, there really should be a highly visible message to use the provided pcap in the resource.

I tried for some time trying to capture the required network traffic for the questions on the NoMachine host but never got anything that matched up with the questions being asked.

Finally diving into the provided pcap, I found it instantly. I really think that an emphasis on using those provided resources would save people a lot of headache, especially in this introduction courses.

I literally can’t get pass this login screen. I’m providing the correct credentials, but it just don’t work. This exercise should have been with a pcap file… such a pain just to make it work…

Can somone help me with “What filter will allow me to see traffic coming from or destined to the host with an ip of” i tried every possible answer i could think of Q1 Tcpdump packet filtering

Wow, ive been stuck on this forever. Seriously wtf why would it specifically say to log into no machine ans then ask a question completely unrelated?!

Just so its 100% clear:

The question regarding the name of the image file (w/ hint: file.jpg) utilizes the Wireshark-Lab-2.pcap file.

The question regarding the name of the user who is acting maliciously utilizes the packet capture data from the target device you spawn and then rdp into the capture VM.

Do not mix them up, and be aware that these two questions use different resources for their answer.

1 Like

Same problem, the question asks only for the switch and the variable and it stays like this
“dst host” or “dst” but with none