This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello everyone, I am very new to wireshark and have close to no idea of what I'm doing. On a practice Wireshark round (don't worry, it's over now), they wanted me to "find the email address of a machine." The only problem is, there's like 10000 packets. How am I supposed to find the answers? Thanks!

URL for capture file: https://drive.google.com/drive/folders/0B9mXYmkPhvROYV9TNjJHWmg3bFU

Wireshark Scenario:

Several complaints are coming into the IT Department that the company, All-Time Favorites Arcade's, network is running slower than normal. Due to the amount of complaints, you as the network administrator run Wireshark to capture and analyze the companies network traffic see where the bottleneck may be occurring within the company network. During your analysis of the PCAP file you notice a specific IP address is beaconing out to the Internet every two (2) hours. While beconing IP address has nothing to do with the bottleneck you originally were working to resolve the beaconing activity is suspicious. Once your analysis of the PCAP file is complete you present the information to your Security Manager concerning the beaconing IP address. The Security Manager has determined to error on the side of caution as the machine may possibly be infected with a malicious software that is calling back every two (2) hours.
The Security Manager then orderes the computer to be removed from the network immediately, so the computer is shut down and physically removed from the network for the forensic analysis team to determine if there is possible malware. Please answer the following questions concerning the PCAP file:

  1. What is the email address the machine within the captured PCAP Analysis (do not put the @xxx.xxx) only the first part of the inbox name?

  2. What part of the HTTP protocol did you find the email address?

  3. What is the destination port located in the steam you found the email address?

  4. What is the destination IP Address?

  5. What is the source IP Address?

  6. What was the frame number you were able to find all the information to the above questions in?

asked 31 Jan '16, 16:06

DanielChen's gravatar image

DanielChen
6224
accept rate: 0%


This takes a bit of understanding how the HTTP protocol (and thus, HTML) works, and how you can find it in Wireshark.

In Wireshark, you are able to search for strings with "Edit->Find Packet...". I would search from strings such as "email", "mail", etc. Chances are, someone has to submit an email via a form. So in the "input" tag of the HTML form, you should see references to values that would accept an email address coming from the server to the client. Once you find that, at some point in the trace thereafter, the user will have provided the email address going to the server.

So look for an email address being sent from the client source to the server destination in Wireshark.

Hope that helps.

permanent link

answered 01 Feb '16, 13:35

jeantunis's gravatar image

jeantunis
213
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×20

question asked: 31 Jan '16, 16:06

question was seen: 10,401 times

last updated: 01 Feb '16, 13:35

p​o​w​e​r​e​d by O​S​Q​A