Intro to Network Traffic Analysis - Client and server port numbers used in first full TCP three-way handshake

Question: What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)

I’ve been pulling my hair out trying to figure out what the heck the other port is. So far, all I have for the solution is “443 [other port]”. I’ve spent so much time playing with filters via tcpdump and within Wireshark but cannot for the life of me find what the heck that other port is. I found somewhere that the other port in question is sending a TCP packet with the RST flag enabled (this confuses me too, and inputting such ports doesn’t work), but that seems to be the only piece of information out there concerning this question. Can someone please tell me what in the world this other port number is?


When reading the pcap starting from the top of the file, you are looking for the first conversation that has a full handshake sequence:

  • SYN: Flags [S]
  • SYN-ACK: Flags [S.]
  • ACK: Flags [.]

Start with the [S] flag and look at the source port (bigger number). Then try to see if you can find a [S.] flag with the same port number (it will be the destination port this time), followed by a [.] flag with the same port number (it will be the source port again).

Make sure to check for both HTTP (80) and HTTPS (443) conversations. It helps to prevent name resolution for hostnames and ports using -nn:

tcpdump -nnr TCPDump-lab-2.pcap port 80 or 443

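The search the reply above describes, done programmatically, as an added example that is not part of any post in this thread: a small Python script that parses a libpcap file directly (no scapy or other dependency), walks the packets in file order, and reports the client and server ports of the first conversation whose [S], [S.] and [.] all appear, low port first. The capture it runs on is constructed in memory; the addresses and ports in it are made up, and the lab's own pcap is not reproduced here.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap (link type 1) file image."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def tcp_frame(src, sport, dst, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame: no options, no payload, zero checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def iter_tcp(pcap):
    """Yield (src, sport, dst, dport, flags) for every TCP/IPv4 packet, in file order."""
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, sport, dst, dport, tcp[13]  # byte 13 holds the flag bits


def first_handshake(pcap):
    """Ports (low, high) of the first complete three-way handshake, or None."""
    state = {}  # (client, cport, server, sport) -> 1 after [S], 2 after [S.]
    for src, sport, dst, dport, flags in iter_tcp(pcap):
        if flags & RST:
            continue                           # a RST refuses; it never completes one
        syn, ack = bool(flags & SYN), bool(flags & ACK)
        if syn and not ack:                    # [S]: remember the client's port
            state[(src, sport, dst, dport)] = 1
        elif syn and ack:                      # [S.]: must answer a SYN we saw
            key = (dst, dport, src, sport)
            if state.get(key) == 1:
                state[key] = 2
        elif ack and not flags & (FIN | SYN | PSH):   # bare [.] from the client
            if state.get((src, sport, dst, dport)) == 2:
                return tuple(sorted((sport, dport)))
    return None


# Constructed sample capture (addresses and ports are made up):
# a SYN to 443 that is refused with RST, a SYN to 80 that is never answered,
# then the first full handshake (to 443), then a later full handshake to 80.
SAMPLE_PCAP = build_pcap([
    tcp_frame("10.0.0.1", 50000, "10.0.0.5", 443, SYN),
    tcp_frame("10.0.0.5", 443, "10.0.0.1", 50000, RST | ACK),
    tcp_frame("10.0.0.1", 50001, "10.0.0.5", 80, SYN),
    tcp_frame("10.0.0.1", 51234, "10.0.0.5", 443, SYN),
    tcp_frame("10.0.0.5", 443, "10.0.0.1", 51234, SYN | ACK),
    tcp_frame("10.0.0.1", 51234, "10.0.0.5", 443, ACK),
    tcp_frame("10.0.0.1", 51235, "10.0.0.5", 80, SYN),
    tcp_frame("10.0.0.5", 80, "10.0.0.1", 51235, SYN | ACK),
    tcp_frame("10.0.0.1", 51235, "10.0.0.5", 80, ACK),
])

if __name__ == "__main__":
    low, high = first_handshake(SAMPLE_PCAP)
    print(f"{low} {high}")                     # prints "443 51234" for the sample
```

To run it against the lab file instead, read the pcap with `open("TCPDump-lab-2.pcap", "rb").read()` and pass the bytes to first_handshake. The sample deliberately starts with a SYN that is answered by a RST: that connection was refused, so its client port is skipped, which is the reason a port seen only next to a RST is not the one the question asks for. The half-open SYN to port 80 is skipped for the same reason: the state machine only reports a conversation once all three packets have been seen in order.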

Make sure to use the TCPDump-Lab-2-Resources resources and not the Wireshark-Lab-2-Resources


Oh god… Thanks for this comment. Actually made exactly that mistake lol.

Please, in what format should the answer be?

When you have found the answer, put a space between the two ports:
[firstport] [otherport]

Does anyone mind explaining how I can complete this lab? Am I meant to start a Linux VM, or do I do this on my local machine? I downloaded the PCAP file but I don’t really know how to access it in the VM.

This little command I made will help you

tcpdump -r TCPDump-lab-2.pcap -nn -tttt 'tcp[tcpflags] == tcp-syn' | head -n 6

I copied the download link from the resources page. I then pasted the link within the browser of the instance. From there, you can download and access the file within the instance. Hope this helps!