INTRO TO NETWORK TRAFFIC ANALYSIS > Packet Inception, Dissecting Network Traffic With Wireshark

Hello there,
I got stuck on the Question:

Which employee is suspected of performing potentially malicious actions in the live environment?

I Connected to NoMachine, on interface ens224 and inspected all the traffic inside this NoMachine. It’s basically TCP, HTTP und FTP. I Posted every IP address and every login name I found in cleartext, nothing was the right answer.

Am I right trying to find the name/ip directly in the traffic? There are not many possability just 3 172.16… Adresses and 2 or 3 external adresses which i might have caused when I opened the browser.

Thanks for a hint!

1 Like

All you need to do is find the employee’s login information, and of course there’s a high chance you’ll find them from the HTTP and POST Metthod packets, try looking at the contents of each packet. , you may find that the “username” field contains the name of the employee you are looking for



I was able to find the name of the jpeg file from the packets but i am not able to find the login name in the HTTP packets.

Could you please give a little hint.

Thanks in advance.

1 Like

follow http stream you will see all data you need
----> big hint : username start with “b”

1 Like

Actually after looking carefully the logs with WireShark i was able to find the username :smiley:
Thanks anyway for your reply z3r0Day

Hi guys,
I can’t connect to NoMachine. Please can you help me to pass this questions?