Home‎ > ‎CIS 140NA‎ > ‎

Lab 8: Using Display Filters

In this lab you will use display filters to answer complex questions about this packet capture.

Introduction

Working with packets is a game of finding a needle in a haystack. As we've seen earlier in the semester capture filters can reduce the number of packets in your capture but they are limited. Display filters are much more powerful because they can take advantage of Wireshark's dissectors. In this lab you will download a capture sample and answer important questions about it. Finding the right display filters will make finding the answers to the questions quick and easy. 

Finding Common TCP Problems

The majority of traffic in the capture file is TCP. The capture was taken during average network conditions. Use display filters to answer the following questions. 
  1. How many individual TCP sessions were captured as measured by the first packet in the TCP three-way handshake?
  2. How many duplicate ACKs were seen? 

Looking at DNS

DNS is the system that hosts use to find IP addresses given human-readable host names. Use display filters to answer the following questions: 
  1. How many IPv4 (A) queries were made?
  2. How many IPv6 (AAAA) queries were made? 
Only count the query packets, not the response packets. Note: Wireshark includes some ICMP packets that happen when a query has an error. Do not count ICMP packets

Looking Deeper Into Packets 

Much of the traffic in the capture is loading random pages from Wikipedia. Use display filters to answer the following question: 
  1. How many times is the word football mentioned? 
Hint: Remember the "F" can be capital or not and the word "footballer" doesn't count!

Identifying Haters

This packet capture is from a machine that has an SSH server facing the public Internet. As soon as the Internet finds out you have an SSH server people try to guess passwords. Use display filters to answer the following questions:
  1. How many different IP addresses have attempted to connect using SSH?
  2. How many TCP connections to SSH have been made?

Turn In

  1. Answers to each of the questions with the filter you used to find the answer. There are many possible filters for each answer.
Submit your homework on Canvas.

Grading
  • 20 points (2 to 3 per question)
ċ
lab7-combined.pcapng
(10153k)
Michael Matera,
Mar 16, 2015, 8:34 PM
Comments