
Lab 7: Record a Baseline

In this lab you will record and analyze a baseline for your personal or lab computer.

Introduction

Modern computers are busy all the time performing tasks that require the network. This background chatter is often why it's difficult to see the action of viruses and other malware. Difficult but not impossible. Wireshark lets you examine every packet that enters or leaves your computer. If you suspect your computer is compromised you can use Wireshark on a separate machine to track the malware's comings and goings. In this lab you will record your computer's normal background communication and analyze what it's doing.

Collect Baseline Information

In this part you will collect packets on your computer for at least one hour. The best way to capture packets for a long time is to use the dumpcap command from the command line. Execute dumpcap like this:

dumpcap -a duration:3600 -a filesize:1000000 -w baseline.pcapng

On Windows run:

"c:\Program Files\Wireshark\dumpcap.exe" -a duration:3600 -a filesize:1000000 -w baseline.pcapng

If you're capturing on a computer with multiple Ethernet interfaces or an Ethernet and a WiFi interface you may have to specify which to use with the "-i" option. For example:

## on a Mac en0 is usually the wired Ethernet and en1 is the WiFi
dumpcap -a duration:3600 -a filesize:1000000 -w baseline.pcapng -i en0

## on Windows use the connection name:
"c:\Program Files\Wireshark\dumpcap.exe" -a duration:3600 -a filesize:1000000 -w baseline.pcapng -i "Local Area Connection"

The command will automatically stop capturing when one of two things happens:
  1. An hour is reached
  2. The capture file grows to 1 Gigabyte
The second condition is there to prevent runaway captures while you watch YouTube. Because the command will shut itself off you can safely do this and go to bed.

Analyze Your Baseline

In the last part you created a file called baseline.pcapng. In this part you will open the file and explore what your computer has been up to. With your baseline open, perform the following tasks:
  1. Take a screenshot of the file Summary
  2. Show the address resolution of all IP hosts, copy and paste the information into a file called address-resolution.txt
  3. Show the IPv4 and IPv6 conversations. Copy and paste both into a file called conversations.csv and answer the following question:
    1. What conversation transferred the most data?
  4. Show the IPv4 and IPv6 endpoints. Copy and paste both into a file called endpoints.csv and answer the following question:
    1. What endpoints transferred the most data?
  5. Make an I/O graph of your baseline and save the graph to a file called io-graph.png
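Tasks 3 and 4 can also be answered without the Wireshark GUI. The following script is an added example, not part of the lab or of Wireshark: it reads a pcapng file written by dumpcap, parses the Enhanced Packet Blocks, and tallies bytes per IPv4/IPv6 conversation and per endpoint the way Statistics > Conversations and Statistics > Endpoints do. The capture it runs on is constructed inline (the addresses and sizes are made up) so it works offline; the function names are this example's own.

```python
# Tally IPv4/IPv6 conversations and endpoints straight from a pcapng baseline.
import struct, ipaddress
from collections import Counter

def pcapng_frames(data):
    """Yield raw frames from the Enhanced Packet Blocks (type 6) of a pcapng file."""
    fmt = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"  # SHB byte-order magic
    pos = 0
    while pos + 12 <= len(data):
        btype, blen = struct.unpack_from(fmt + "II", data, pos)
        if blen < 12:  # corrupt block length: stop rather than loop forever
            break
        if btype == 6:  # EPB body: iface(4) ts_hi(4) ts_lo(4) caplen(4) origlen(4) data
            caplen = struct.unpack_from(fmt + "I", data, pos + 20)[0]
            yield data[pos + 28:pos + 28 + caplen]
        pos += blen

def ip_addresses(frame):
    """Return (src, dst) strings for an Ethernet frame carrying IPv4 or IPv6, else None."""
    ethertype = struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 14 else 0
    if ethertype == 0x0800 and len(frame) >= 34:  # IPv4 src/dst at frame offsets 26/30
        return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))
    if ethertype == 0x86DD and len(frame) >= 54:  # IPv6 src/dst at frame offsets 22/38
        return str(ipaddress.IPv6Address(frame[22:38])), str(ipaddress.IPv6Address(frame[38:54]))
    return None

def tally(data):
    """Bytes per unordered address pair and per address, like Statistics > Conversations / Endpoints."""
    conversations, endpoints = Counter(), Counter()
    for frame in pcapng_frames(data):
        addrs = ip_addresses(frame)
        if addrs:
            conversations[tuple(sorted(addrs))] += len(frame)
            for addr in addrs:
                endpoints[addr] += len(frame)
    return conversations, endpoints

# Constructed sample capture (not a real baseline) so the script runs offline.
def _block(btype, body):
    body += b"\0" * (-len(body) % 4)  # pcapng block bodies are padded to 32 bits
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
def _ipv4_frame(src, dst, payload):  # Ethernet + minimal IPv4 header + zero payload
    ip = b"\x45\x00" + struct.pack("!H", 20 + payload) + b"\0" * 8 + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + b"\0" * payload
_frames = ([_ipv4_frame("192.168.1.10", "203.0.113.5", 1400)] * 3 + [_ipv4_frame("203.0.113.5", "192.168.1.10", 60)] * 3
           + [_ipv4_frame("192.168.1.10", "192.168.1.1", 40)])
SAMPLE_PCAPNG = (_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # Section Header Block
                 + _block(1, struct.pack("<HHI", 1, 0, 65535))                    # Interface Description Block, Ethernet
                 + b"".join(_block(6, struct.pack("<IIIII", 0, 0, 0, len(f), len(f)) + f) for f in _frames))
```

For a real capture call `tally(open("baseline.pcapng", "rb").read())` and take `.most_common(1)` of each returned Counter; on the constructed sample the busiest conversation is 192.168.1.10 with 203.0.113.5 at 4584 bytes, and the busiest endpoint is 192.168.1.10.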

Extra Credit: Who are you talking to?

For extra credit enable Geotagging in Wireshark and submit a screen capture of a map that shows the geographic locations of the endpoints that you captured in your baseline.

Turn In

Turn in the following files:
  1. address-resolution.txt
  2. conversations.csv
  3. endpoints.csv
  4. io-graph.png
  5. (optional) A screenshot of your world map
  6. Answers to questions 3.1 and 4.1 above
Submit your homework on Canvas.

Grading

  • 4 points each for parts 1 through 5 (20 total)
  • 5 points extra credit for your map