This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need help decoding network traffic.

-1

Since I don't want to expose my question here, and Google has already snapped this up, I'm removing what was written here just in case my research gets snapped up and used by my classmates.

I don't know how to delete an entire question, so I'm doing it this way.

If this is not allowed, I could post my original question here again.

asked 21 Nov '12, 09:25


tcphelp
accept rate: 0%

edited 21 Nov '12, 14:07

What happened? Why do you want to delete the question now? Did you try to cheat? I don't think so, as you solved most of the assignment yourself.

(21 Nov '12, 14:33) Kurt Knochner ♦

No cheating here, but I've spent loads of hours figuring this out, and you only have to search for one of the strings on google to get to this post and therefore you have all my work displayed for everyone to see ;) I'd just like to keep my work to myself as it's an individual assignment.

(21 Nov '12, 14:45) tcphelp

One Answer:

0

Your analysis is pretty good and almost complete.

The machine with 192.168.246.128 is (most likely) a Windows box

hard to say, as there are no real signs for that. If it is a Windows box, it must be something >= Windows Vista, as it uses the source port 54955 for the HTTP connection (Frame #11). The ephemeral port range was changed in Windows Vista:

http://support.microsoft.com/kb/929851

However, it could be any OS with a modified ephemeral port range.

So, what other signs are there? It denies packets on port UDP/137. As you already mentioned, that could be the Windows firewall, or it's a system that has no service on UDP/137 (Windows with some disabled NetBIOS features, or Linux/Unix).

Anything else? Well: the initial TCP window size in frame #11 could be interesting. Observe some TCP connections from a Windows and a Linux box with Wireshark and compare what you see with the content of frame #11.

To me it looks like the 128 machine is trying to access the Web Server at 13,

Right. Frame #11.

Furthermore, I believe that the strings between 3-8 consist of the Web Server trying to access the 128 machine and resolve its name via NetBIOS name service.

Looks like that's happening, which could be because 192.168.246.13 thinks 192.168.246.128 is a Windows box !?!

The operation fails 3 times, most likely because the 128 machine has got an internal Firewall that blocks the attempt,

maybe

or it's a Linux box,

maybe

or the last case might be that the machine is routed through an external Firewall box with NAT.

Take a look at Frame #1 and #2 and rethink your last assumption.

So, strings 9-10 are somewhat blurry to me, as I don't really know what's going on here, besides that it looks like the end of a handshake, only it seems to have failed.

Look at the source port and compare it with the other TCP connection in the capture output.

Strings 11-14 are ok, as they're the completion of a three-way handshake between the 128 and 13 machines.

correct.

Another thing that's confusing is the timespan between 8-9 and 10-14. To me it seems like something's missing here, but we've not quite figured it out yet.

Look at the source ports and you will understand.

Another part of the assignment is to determine what kind of security level is at the machine at 192.168.246.13.

If you ever get the solution for this assignment, please post the answer to this question. I'm eager to see how your teacher is able to deduce the 'security level' (how is that defined) of that machine from the given capture output :-)

Regards
Kurt

answered 21 Nov '12, 11:59


Kurt Knochner ♦
accept rate: 15%

edited 21 Nov '12, 12:11
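The checks Kurt walks through above (ephemeral source-port range as an OS hint, how the UDP/137 probes are answered, grouping TCP segments by source port so that frames 9-10 and 11-14 are recognised as separate conversations, the initial window size in the SYN, and the time gaps) can be applied mechanically once you have the frame summaries. The script below is an added example, not code from the original thread or from Wireshark; it runs over a constructed frame list that only mirrors the structure the asker describes (ARP, NBNS queries to UDP/137, two TCP conversations to port 80). Everything in that list other than the two addresses and source port 54955 from the post is invented, including the ICMP port-unreachable replies and the timestamps, and the port ranges are the published defaults (KB 929851 for Windows, net.ipv4.ip_local_port_range for Linux), so the hints it prints are deliberately ambiguous rather than a verdict.

```python
# Added example: applies the heuristics from the answer to a constructed
# capture. Frame contents are hypothetical, not the asker's real capture.
from dataclasses import dataclass
from typing import Optional

# Ephemeral source-port ranges used as OS hints: Windows Vista+ uses
# 49152-65535 (KB 929851), Windows XP/2003 used 1025-5000, Linux's default
# net.ipv4.ip_local_port_range is 32768-60999. Note the overlap.
PORT_RANGES = {
    "windows_xp_2003": (1025, 5000),
    "windows_vista_plus": (49152, 65535),
    "linux_default": (32768, 60999),
}

CLIENT, SERVER = "192.168.246.128", "192.168.246.13"  # addresses from the post

@dataclass
class Frame:
    no: int
    time: float
    proto: str                    # "arp", "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: str = ""               # TCP flags: "S", "SA", "A", "PA", "R"
    window: Optional[int] = None  # TCP window as seen on the wire
    info: str = ""

# Constructed sample capture (hypothetical values; only the IPs and 54955 come from the post).
CAPTURE = [
    Frame(1, 0.000, "arp", CLIENT, SERVER, info="who-has 192.168.246.13"),
    Frame(2, 0.001, "arp", SERVER, CLIENT, info="is-at (reply)"),
    Frame(3, 0.010, "udp", SERVER, CLIENT, 137, 137, info="NBNS name query NBSTAT"),
    Frame(4, 0.011, "icmp", CLIENT, SERVER, info="destination unreachable (port unreachable)"),
    Frame(5, 1.500, "udp", SERVER, CLIENT, 137, 137, info="NBNS name query NBSTAT"),
    Frame(6, 1.501, "icmp", CLIENT, SERVER, info="destination unreachable (port unreachable)"),
    Frame(7, 3.000, "udp", SERVER, CLIENT, 137, 137, info="NBNS name query NBSTAT"),
    Frame(8, 3.001, "icmp", CLIENT, SERVER, info="destination unreachable (port unreachable)"),
    Frame(9, 45.200, "tcp", CLIENT, SERVER, 53011, 80, "A", 8192, info="stray ACK, older conversation"),
    Frame(10, 45.201, "tcp", SERVER, CLIENT, 80, 53011, "R", 0, info="RST"),
    Frame(11, 120.500, "tcp", CLIENT, SERVER, 54955, 80, "S", 8192, info="SYN"),
    Frame(12, 120.501, "tcp", SERVER, CLIENT, 80, 54955, "SA", 14600, info="SYN/ACK"),
    Frame(13, 120.502, "tcp", CLIENT, SERVER, 54955, 80, "A", 8192, info="ACK"),
    Frame(14, 120.503, "tcp", CLIENT, SERVER, 54955, 80, "PA", 8192, info="GET / HTTP/1.1"),
]

def port_range_hints(port):
    """Every OS range that contains this source port; several may match."""
    return [name for name, (lo, hi) in PORT_RANGES.items() if lo <= port <= hi]

def same_l2_segment(frames, a, b):
    """A direct ARP request/reply between the two hosts means they share a link;
    behind a NAT/firewall box the client would ARP for the gateway instead."""
    return len([f for f in frames if f.proto == "arp" and {f.src, f.dst} == {a, b}]) >= 2

def udp137_result(frames, target):
    """Classify NBNS probes to UDP/137 on target: answered, closed or filtered."""
    queries = [f for f in frames if f.proto == "udp" and f.dst == target and f.dport == 137]
    replies = [f for f in frames if f.proto == "udp" and f.src == target and f.sport == 137]
    unreach = [f for f in frames if f.proto == "icmp" and f.src == target
               and "port unreachable" in f.info]
    if replies:
        verdict = "open (NBNS listener answered)"
    elif unreach:
        verdict = "closed (ICMP port unreachable: no service on UDP/137)"
    else:
        verdict = "filtered (no answer at all: host firewall or dropped upstream)"
    return {"queries": len(queries), "verdict": verdict}

def tcp_conversations(frames):
    """Group TCP segments by bidirectional 4-tuple, keyed by the first direction seen."""
    convs = {}
    for f in frames:
        if f.proto != "tcp":
            continue
        fwd = (f.src, f.sport, f.dst, f.dport)
        rev = (f.dst, f.dport, f.src, f.sport)
        convs.setdefault(rev if rev in convs else fwd, []).append(f)
    return convs

def describe_conversation(key, segs):
    flags = [s.flags for s in segs]
    syn = next((s for s in segs if s.flags == "S"), None)
    return {
        "client_port": key[1],
        "frames": [s.no for s in segs],
        "handshake_complete": flags[:3] == ["S", "SA", "A"],
        "reset": "R" in flags,
        "initial_window": syn.window if syn else None,  # compare against your own baselines
        "port_hints": port_range_hints(key[1]),
    }

def time_gaps(frames, threshold):
    """(frame, next frame, seconds) for every gap longer than threshold."""
    return [(a.no, b.no, round(b.time - a.time, 3))
            for a, b in zip(frames, frames[1:]) if b.time - a.time > threshold]

def analyze(frames):
    return {
        "direct_l2_neighbours": same_l2_segment(frames, CLIENT, SERVER),
        "udp137": udp137_result(frames, CLIENT),
        "tcp": [describe_conversation(k, v) for k, v in tcp_conversations(frames).items()],
        "gaps": time_gaps(frames, 10.0),
    }

if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(CAPTURE))
```

Two things the output makes visible that the prose only hints at: the source port 54955 falls inside both the Vista+ and the Linux default range, so the port alone cannot decide the OS, and the way UDP/137 fails matters: an ICMP port-unreachable means nothing is listening, while silence (try the script with the ICMP frames removed) is what a host firewall produces.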