Wireshark is a network inspection tool - commonly referred to as a traffic, protocol, or packet analyzer. Packet Analysis refers to the process of intercepting network data (packets) and examining those packets to deduce relevant information about their contents, the parties involved in the exchange, or the network itself. To draw a simple comparison, Wireshark is like an X-ray machine for computer networks - and a powerful one at that. Much like how a doctor uses an X-ray machine to see inside a patient’s body, Wireshark provides visibility into a computer network and the packets streaming across it to understand what’s happening at each protocol layer.

A Note on Protocols: Before we lose you – protocols are just networking languages. Where programs have programming languages for describing their function and behavior (like C, Java, Python), network communications are made possible by networking languages called protocols (like HTTP and IPv4), that dictate how systems communicate with one another. In the technology world, it’s languages all the way down to the wire. All computer systems must agree on a specific way of communicating before they can get anything done; there is no room for creative interpretation. On the bright side, that makes them easy to understand – you just need to know the rules in place. If packets are the words, protocols are the grammar, syntax, and diction.

However, this lab isn’t about rules, it’s about the practical applications of Wireshark. A doctor does not need to understand the physics of high-energy electromagnetic radiation to gain insights from an X-ray machine; they only need to understand the information that the tool is providing and how that information might be useful. To be clear, you’re not about to get your MD here; you’re about to become the equivalent of an X-ray technician. But, with a little practice, you will be on your way to residency soon enough.

In practice, Wireshark can be used for a variety of different purposes. To name a few, Wireshark allows:

  • Network Engineers to troubleshoot network performance problems.
  • Security Analysts to review intrusion attempts and validate internal controls.
  • Forensic Analysts to gain insights into security breaches and malware distributions.
  • Penetration Testers to search for sensitive information that may give them a foothold in a target network.

Now, let’s make you a wire shark - or, at least, a wire fish. Grab your lab coat/bathing suit - it’s time to dive in. 

Lab Questions and Answers: 1.1 Core Concepts

True or False: Packets are the grammar, syntax, and diction of computer systems.

A. True

B. False

Correct Answer: B

Packet Analysis refers to the process of:

A. intercepting network data.

B. examining packets to deduce relevant information about their contents.

C. examining packets to deduce relevant information about the parties involved in the exchange.

D. examining packets to deduce relevant information about the network itself.

E. all of the above

Correct Answer: E

Which of the following is not an application of Wireshark?

A. troubleshooting network performance problems.

B. reviewing intrusion attempts and validating internal controls.

C. blocking malicious traffic.

D. gaining insights into security breaches and malware distributions.

Correct Answer: C

True or False: The Packet Details pane of the Wireshark GUI shows the raw data in the packet, encoded in human-readable representations.

A. True

B. False

Correct Answer: B

Lab Questions and Answers: 1.2 Guided Exercise

1. What color does Wireshark use to indicate SYN and FIN packets in a TCP stream? Hint: Remember that Telnet connection you made?

A. gray

B. green

C. red

D. yellow

Answer: A. gray

2. What Wireshark Display Filter would you use to isolate all ICMP and ARP traffic?

A. icmp and arp

B. icmp or arp

C. icmp + arp

D. icmp && arp

Answer: B. icmp or arp

3. What version of Python is running on the webserver?

Answer: 3.10.6

4. What cookie remained in your browser after logging out of the web application?

Answer: {SIGH_BRARY_WELL_THEN}

5. You exported an HTTP object which turned out to be an image with some text. What are the last two words in this image (no spaces)?

Answer: NEVERHAPPENED

Lab Questions and Answers: 1.3 Challenge Exercise

1. Based on the ARP traffic, how many live hosts are on the network this was captured on?

Answer: 5

Hint: Use the arp filter in Wireshark and look for devices that reply to "Who has <IP>? Tell <IP>".

2. What FTP credentials were used to log in to the fileserver? (Provide your answer in the format username / password)

Answer: cybrarian / dewey-hexadecimal

Hint: Use the ftp filter, find the USER command, then follow the TCP stream.

3. Identify the human-readable session cookie set by the web application that remains after logout.

Answer: {CHOCOLATE_CHIP}

Hint: Use the http.cookie filter, find the logout packet, then follow the TCP/HTTP stream.

4. Export the file that was downloaded when the user visited a website over HTTP. What are the two words depicted in the file (no spaces)?

Answer: incidentresponse

Hint: In the Wireshark menu, click File > Export Objects, choose HTTP, and click Save All. Then open the file manager and find the downloaded image file.
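The two filter questions above (question 2 of the guided exercise and question 1 of the challenge) both come down to the same two ideas: a display filter is a boolean test evaluated per packet, and an ARP reply is evidence that a host is alive. The following example is added here and is not part of the lab or of Wireshark itself. It builds a small libpcap capture in memory from constructed frames, dissects each frame just far enough to know which protocols it carries, evaluates simple one- and two-term display filters against it, and counts live hosts from ARP replies the way the hint describes. The addresses, MACs and timestamps are all made up; the filter evaluator is a deliberately tiny stand-in for Wireshark's and only understands a single protocol name or two names joined by and/&&/or/||.

```python
import ipaddress
import struct
from typing import Dict, List, Set

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


# ---- constructed capture (made-up hosts, not the lab's pcap) -------------------
def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def _eth(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    return _mac(dst) + _mac(src) + struct.pack("!H", ethertype) + payload


def _arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, then opcode and the four addresses
    return struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, oper) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)


def _ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    # minimal 20-byte header; checksum left at zero because nothing here validates it
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def _pcap(frames: List[bytes]) -> bytes:
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # libpcap global header, Ethernet
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return data


A = ("02:00:00:00:00:01", "10.0.0.1")
B = ("02:00:00:00:00:02", "10.0.0.2")
C = ("02:00:00:00:00:03", "10.0.0.3")
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
CAPTURE = _pcap([
    _eth(BCAST, A[0], ETHERTYPE_ARP, _arp(ARP_REQUEST, A[0], A[1], ZERO, B[1])),  # Who has 10.0.0.2? Tell 10.0.0.1
    _eth(A[0], B[0], ETHERTYPE_ARP, _arp(ARP_REPLY, B[0], B[1], A[0], A[1])),     # 10.0.0.2 is at ...:02
    _eth(BCAST, A[0], ETHERTYPE_ARP, _arp(ARP_REQUEST, A[0], A[1], ZERO, C[1])),
    _eth(A[0], C[0], ETHERTYPE_ARP, _arp(ARP_REPLY, C[0], C[1], A[0], A[1])),
    _eth(BCAST, A[0], ETHERTYPE_ARP, _arp(ARP_REQUEST, A[0], A[1], ZERO, "10.0.0.9")),  # nobody answers
    _eth(B[0], A[0], ETHERTYPE_IPV4, _ipv4(1, A[1], B[1], struct.pack("!BBHHH", 8, 0, 0, 1, 1))),  # ICMP echo
    _eth(B[0], A[0], ETHERTYPE_IPV4, _ipv4(6, A[1], B[1], bytes(20))),  # bare TCP header
])


# ---- dissection --------------------------------------------------------------
def dissect(frame: bytes) -> Dict:
    """Return the set of protocol names a frame carries, plus decoded ARP fields if any."""
    pkt: Dict = {"protocols": {"eth"}, "arp": None}
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_ARP:
        opcode, = struct.unpack_from("!H", frame, 20)           # 14-byte Ethernet header + 6
        sender_ip = str(ipaddress.IPv4Address(frame[28:32]))   # sender protocol address
        target_ip = str(ipaddress.IPv4Address(frame[38:42]))   # target protocol address
        pkt["protocols"].add("arp")
        pkt["arp"] = {"opcode": opcode, "sender_ip": sender_ip, "target_ip": target_ip}
    elif ethertype == ETHERTYPE_IPV4:
        proto = frame[14 + 9]                                  # IPv4 protocol field
        pkt["protocols"] |= {"ip", IPPROTO_NAMES.get(proto, f"ipproto{proto}")}
    return pkt


def parse_pcap(data: bytes) -> List[Dict]:
    magic, = struct.unpack_from("<I", data, 0)
    link_type, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4 or link_type != 1:
        raise ValueError("only little-endian Ethernet pcap files are handled here")
    packets, offset = [], 24
    while offset < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, offset)
        offset += 16
        packets.append(dissect(data[offset:offset + incl_len]))
        offset += incl_len
    return packets


# ---- a toy display-filter evaluator ----------------------------------------------
def matches(pkt: Dict, expr: str) -> bool:
    tokens, protos = expr.lower().split(), pkt["protocols"]
    if len(tokens) == 1:
        return tokens[0] in protos
    if len(tokens) == 3 and tokens[1] in ("and", "&&", "or", "||"):
        left, right = tokens[0] in protos, tokens[2] in protos
        return (left and right) if tokens[1] in ("and", "&&") else (left or right)
    raise ValueError(f"unsupported filter: {expr!r}")


def apply_filter(packets: List[Dict], expr: str) -> List[Dict]:
    return [p for p in packets if matches(p, expr)]


def live_hosts_from_arp(packets: List[Dict]) -> Set[str]:
    """Hosts that answered an ARP request: a reply proves the sender was up at capture time."""
    return {p["arp"]["sender_ip"] for p in packets if p["arp"] and p["arp"]["opcode"] == ARP_REPLY}


PACKETS = parse_pcap(CAPTURE)

if __name__ == "__main__":
    for expr in ("icmp or arp", "icmp and arp", "tcp"):
        print(f"{expr!r:16} matches {len(apply_filter(PACKETS, expr))} of {len(PACKETS)} packets")
    print("live hosts (ARP repliers):", sorted(live_hosts_from_arp(PACKETS)))
```

Running it shows why "icmp and arp" is the wrong answer: no single packet is both ICMP and ARP, so the conjunction matches nothing, while "icmp or arp" matches every packet of either kind. The host count follows the lab hint and counts only repliers; the requester 10.0.0.1 is obviously alive too, and 10.0.0.9 never answers, which is exactly the distinction the challenge question is asking you to make.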

Conclusion:

Throughout the exercise, you applied different display filters in Wireshark to isolate specific traffic types (ICMP, ARP, Telnet, HTTP) and followed TCP and HTTP streams for detailed session data analysis. Finally, by analyzing ARP traffic, you identified the number of live hosts on the network, demonstrating the practical use of Wireshark for network monitoring and security analysis.
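Following a TCP stream, which the challenge uses to recover the FTP login, is in the end just ordering one direction's segments by sequence number and discarding retransmitted bytes. The example below is added here and is not part of the lab; it reassembles a constructed FTP control-channel conversation whose segments are listed out of order and include one retransmission, then pulls out the USER and PASS commands and checks whether the server's 230 reply confirms the login. The username and password are placeholders invented for the example, and the reassembly deliberately handles only the two cases a short capture shows (duplicates and in-order delivery), raising on a gap rather than guessing.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Segment:
    direction: str   # "c2s" (client to server) or "s2c" (server to client)
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def _conversation(direction: str, start_seq: int, messages: List[bytes]) -> List[Segment]:
    segs, seq = [], start_seq
    for msg in messages:
        segs.append(Segment(direction, seq, msg))
        seq += len(msg)
    return segs


# Constructed control-channel exchange; credentials are placeholders, not the lab's.
_server = _conversation("s2c", 1000, [
    b"220 FTP service ready\r\n",
    b"331 Please specify the password.\r\n",
    b"230 Login successful.\r\n",
])
_client = _conversation("c2s", 5000, [
    b"USER alice\r\n",
    b"PASS s3cret-example\r\n",
    b"SYST\r\n",
])
# Delivered out of order, with the PASS segment retransmitted once.
SEGMENTS = [_server[0], _client[1], _client[0], _server[1], _client[1], _server[2], _client[2]]


def reassemble(segments: List[Segment], direction: str) -> bytes:
    """Rebuild one direction of the stream in sequence order, dropping already-seen bytes."""
    stream, expected = b"", None  # type: bytes, Optional[int]
    for seg in sorted((s for s in segments if s.direction == direction), key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq + len(seg.payload) <= expected:
            continue                                  # pure retransmission, nothing new
        if seg.seq > expected:
            raise ValueError(f"gap in {direction} stream at seq {expected}")
        stream += seg.payload[expected - seg.seq:]    # skip any overlapping prefix
        expected = seg.seq + len(seg.payload)
    return stream


_REPLY_CODE = re.compile(r"^(\d{3})[ -]")


def extract_ftp_login(client_stream: bytes, server_stream: bytes) -> Dict[str, object]:
    """Pull USER/PASS from the client side and the final reply code from the server side."""
    result: Dict[str, object] = {"username": None, "password": None, "login_succeeded": False}
    for line in client_stream.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            result["username"] = arg
        elif cmd.upper() == "PASS":
            result["password"] = arg
    codes = [m.group(1) for m in map(_REPLY_CODE.match, server_stream.decode("ascii", "replace").splitlines()) if m]
    result["login_succeeded"] = "230" in codes
    # Both halves present in cleartext is the finding a monitoring rule should raise on.
    result["cleartext_credentials"] = result["username"] is not None and result["password"] is not None
    return result


def lab_answer(login: Dict[str, object]) -> str:
    """Format the result the way the challenge asks: username / password."""
    return f"{login['username']} / {login['password']}"


if __name__ == "__main__":
    login = extract_ftp_login(reassemble(SEGMENTS, "c2s"), reassemble(SEGMENTS, "s2c"))
    print("client ->", reassemble(SEGMENTS, "c2s").decode())
    print(login)
    print("answer:", lab_answer(login))
```

The point to carry away from the exercise is the one this makes concrete: FTP puts the password on the wire as a plain PASS line, so anyone with the same vantage point as Wireshark can read it, and the 230 reply tells them it worked. The same reassembly logic is what makes the cookie question solvable, since an HTTP session cookie in a Set-Cookie or Cookie header is just another line in the stream.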