TryHackMe: Wireshark 101

1 minute read

This is a write-up for the Wireshark 101 room on TryHackMe. Some tasks have been omitted as they do not require an answer.


ARP Traffic

What is the Opcode for Packet 6?

Answer: request (1)

What is the source MAC Address of Packet 19?

Answer: 80:fb:06:f0:45:d7

What 4 packets are Reply packets?

ARP opcode 1 is a request and opcode 2 is a reply, so the following display filter returns only ARP Reply packets.

arp.opcode == 2

Answer: 76,400,459,520

What IP Address is at 80:fb:06:f0:45:d7?

This information is available in the Info column: for an ARP reply Wireshark prints "<sender IP> is at <sender MAC>". Equivalently, filter on arp.src.hw_mac == 80:fb:06:f0:45:d7 and read the Sender IP address (arp.src.proto_ipv4) field.

Answer: 10.251.23.1
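To show what the arp.opcode == 2 filter and the Info column are actually reading, here is an added example (not code from the room or from this write-up) that parses raw Ethernet/ARP frames and rebuilds the "Who has ... ? Tell ..." and "... is at ..." text. The two frames are constructed for the example; they borrow the MAC and IP values from the answers above, but the requester's address 00:11:22:33:44:55 / 10.251.23.20 is an assumption.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP message."""
    # Requests are broadcast; replies go straight back to the requester's MAC.
    dst = "ff:ff:ff:ff:ff:ff" if opcode == ARP_REQUEST else target_mac
    ethernet = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode, then the four addresses
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return ethernet + arp


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Parse the fields Wireshark exposes as arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4, ..."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(opcode, bytes_to_mac(sha), bytes_to_ip(spa),
                     bytes_to_mac(tha), bytes_to_ip(tpa))


def info_column(pkt: ArpPacket) -> str:
    """Reproduce Wireshark's Info column text for ARP requests and replies."""
    if pkt.opcode == ARP_REQUEST:
        return f"Who has {pkt.target_ip}? Tell {pkt.sender_ip}"
    if pkt.opcode == ARP_REPLY:
        return f"{pkt.sender_ip} is at {pkt.sender_mac}"
    return f"Unknown ARP opcode {pkt.opcode}"


def reply_packet_numbers(frames) -> list:
    """Equivalent of the display filter `arp.opcode == 2`, returning 1-based packet numbers."""
    return [n for n, f in enumerate(frames, start=1) if parse_arp_frame(f).opcode == ARP_REPLY]


# Constructed frames (assumed, not from the room's capture): a request for the gateway's MAC
# and the gateway's reply.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "10.251.23.20",
                    "00:00:00:00:00:00", "10.251.23.1"),
    build_arp_frame(ARP_REPLY, "80:fb:06:f0:45:d7", "10.251.23.1",
                    "00:11:22:33:44:55", "10.251.23.20"),
]

if __name__ == "__main__":
    for n, frame in enumerate(SAMPLE_FRAMES, start=1):
        print(n, info_column(parse_arp_frame(frame)))
    print("reply packets:", reply_packet_numbers(SAMPLE_FRAMES))
```

The same field offsets are what you see in the packet bytes pane when you click the Opcode or Sender MAC address line in the ARP dissector tree.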


ICMP Traffic

What is the type for packet 4?

Answer: 8 (Echo (ping) request)

What is the type for packet 5?

Answer: 0 (Echo (ping) reply)

What is the timestamp for packet 12, only including month day and year?

Wireshark renders frame.time in the local timezone of the machine viewing the capture, so the date can differ by a day from what the room expects: May 31, 2013 is not accepted, but, as the task hints, the day before is. View > Time Display Format > UTC Date and Time of Day shows the timestamp without the local offset.

Answer: May 30, 2013

What is the full data string for packet 18?

Answer: 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
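The type, code, identifier, sequence and data fields read off above come straight out of the ICMP header, and Wireshark also validates the checksum for you. Here is an added example (not code from the room or this write-up) that builds an echo request and reply, verifies the RFC 1071 checksum the way Wireshark's "Checksum Status" does, and renders the data field as the hex string the room asks for. The messages are constructed for this example; the identifier 0x1234 and the 0x08..0x37 payload pattern are assumptions.

```python
import struct

ICMP_TYPES = {
    0: "Echo (ping) reply",
    3: "Destination unreachable",
    8: "Echo (ping) request",
    11: "Time-to-live exceeded",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (used by IPv4, ICMP, TCP and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed
    checksum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Parse an ICMP message (the bytes after the IPv4 header) into Wireshark-style fields."""
    if len(message) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", message[:8])
    return {
        "type": icmp_type,
        "type_name": ICMP_TYPES.get(icmp_type, "Unknown"),
        "code": code,
        "checksum": checksum,
        # A correct message sums to all ones, so re-checksumming the whole thing gives 0.
        "checksum_ok": inet_checksum(message) == 0,
        "id": ident,
        "seq": seq,
        "data": message[8:].hex(),
    }


# Constructed messages (assumed, not the room's capture). The payload is the incrementing
# 0x08..0x37 pattern that ping tools send after their timestamp.
SAMPLE_PAYLOAD = bytes(range(0x08, 0x38))
SAMPLE_REQUEST = build_echo(8, 0x1234, 1, SAMPLE_PAYLOAD)
SAMPLE_REPLY = build_echo(0, 0x1234, 1, SAMPLE_PAYLOAD)


def corrupt(message: bytes, index: int) -> bytes:
    """Flip one byte so the checksum no longer verifies, as a damaged capture would look."""
    return message[:index] + bytes([message[index] ^ 0xFF]) + message[index + 1:]


if __name__ == "__main__":
    for name, msg in (("request", SAMPLE_REQUEST), ("reply", SAMPLE_REPLY)):
        fields = parse_icmp(msg)
        print(name, fields["type"], fields["type_name"], "checksum ok:", fields["checksum_ok"])
        print("  data:", fields["data"])
    print("corrupted checksum ok:", parse_icmp(corrupt(SAMPLE_REQUEST, 10))["checksum_ok"])
```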


DNS Traffic

What is being queried in packet 1?

Packet 1 is a PTR (reverse lookup) query: the IP address's octets are written in reverse order under in-addr.arpa, which for 8.8.8.8 reads the same forwards and backwards.

Answer: 8.8.8.8.in-addr.arpa

What site is being queried in packet 26?

Answer: www.wireshark.org

What is the Transaction ID for packet 26?

The Transaction ID (dns.id) is the 16-bit value a resolver uses to match a response to its query; the filter dns.id == 0x2c58 shows both halves of this exchange.

Answer: 0x2c58
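To make the Transaction ID, the query name and the reverse-lookup naming concrete, here is an added example (not code from the room or this write-up) that builds and parses DNS messages: it encodes and decodes the length-prefixed label format, follows RFC 1035 compression pointers in responses, and derives the in-addr.arpa name for a PTR query. The messages are constructed for the example; the answer address 192.0.2.10, the TTL and the PTR query's ID 0x0001 are assumptions, while 0x2c58 and www.wireshark.org are taken from the answers above.

```python
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


def read_name(msg: bytes, offset: int):
    """Decode a name at `offset`, following compression pointers; return (name, next_offset)."""
    labels, end, seen = [], None, set()
    while True:
        if offset in seen or offset >= len(msg):
            raise ValueError("malformed name (pointer loop or truncation)")
        seen.add(offset)
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # 11xxxxxx: pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2             # parsing resumes after the first pointer
            offset = pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(txid: int, name: str, qtype: int) -> bytes:
    """Standard recursive query (flags 0x0100) with a single question, as a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_dns(msg: bytes) -> dict:
    """Extract the header, question and answer fields Wireshark shows for a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlength == 4 else rdata.hex()
        answers.append((name, QTYPES.get(rtype, str(rtype)), ttl, value))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "questions": questions, "answers": answers}


def reverse_name(ipv4: str) -> str:
    """PTR query name for a reverse lookup, e.g. 10.251.23.1 -> 1.23.251.10.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


# Constructed messages (assumed, not the room's capture): two queries and one response whose
# answer name is a pointer (0xC00C) back to the question name at offset 12.
PTR_QUERY = build_query(0x0001, reverse_name("8.8.8.8"), 12)
A_QUERY = build_query(0x2C58, "www.wireshark.org", 1)
A_RESPONSE = (struct.pack("!HHHHHH", 0x2C58, 0x8180, 1, 1, 0, 0)     # QR=1, RD=1, RA=1
              + encode_name("www.wireshark.org") + struct.pack("!HH", 1, 1)
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    for msg in (PTR_QUERY, A_QUERY, A_RESPONSE):
        print(parse_dns(msg))
```

The pointer-loop guard in read_name matters in practice: a hand-crafted response with a pointer to itself would otherwise spin a naive parser forever, which is exactly the kind of malformed packet Wireshark flags in the Expert Info pane.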


HTTP Traffic

What percent of packets originate from Domain Name System?

Statistics > Protocol Hierarchy breaks the capture down by protocol and gives the percentage of packets for each.

Answer: 4.7

What endpoint ends in .237?

Statistics > Endpoints lists every address seen in the capture; the IPv4 tab has the one ending in .237.

Answer: 145.254.160.237

What is the user-agent listed in packet 4?

Answer: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113

Looking at the data stream, what is the full request URI from packet 18? Wireshark exposes this as http.request.full_uri, rebuilt from the Host header and the request line.

Answer: http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633

What domain name was requested from packet 38?

Answer: www.ethereal.com

Looking at the data stream, what is the full request URI from packet 38?

Answer: http://www.ethereal.com/download.html


HTTPS Traffic

Looking at the data stream, what is the full request URI for packet 31?

These HTTP fields are only visible because the TLS session has been decrypted; without the server's RSA private key or a (Pre)-Master-Secret log loaded under Edit > Preferences > Protocols > TLS, Wireshark shows nothing but TLS records.

Answer: https://localhost/icons/apache_pb.png

Looking at the data stream, what is the full request URI for packet 50?

Answer: https://localhost/icons/back.gif

What is the User-Agent listed in packet 50?

Answer: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
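The "full request URI" asked for in both the HTTP and HTTPS tasks is not a field on the wire: Wireshark derives it from the scheme (http, or https when the request arrived inside a decrypted TLS session), the Host header and the request-target. Here is an added example (not code from the room or this write-up) that parses a raw HTTP/1.x request and rebuilds that field along with the User-Agent; it also handles the absolute-form request-target that proxied requests carry, which the tasks above do not cover. The sample requests are constructed, reusing the hosts, paths and User-Agent strings from the answers above; the Accept header and the HTTP/1.0 proxy request are assumptions.

```python
def parse_http_request(raw: bytes, over_tls: bool = False) -> dict:
    """Parse a raw HTTP/1.x request and rebuild the fields Wireshark derives from it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    scheme = "https" if over_tls else "http"
    host = headers.get("host")
    if target.startswith(("http://", "https://")):
        full_uri = target          # absolute-form target (proxy request) already has scheme and host
    elif host:
        full_uri = f"{scheme}://{host}{target}"
    else:
        full_uri = None            # assumption: nothing to build from without a Host header
    return {
        "method": method,
        "uri": target,
        "version": version,
        "host": host,
        "user_agent": headers.get("user-agent"),
        "full_uri": full_uri,
        "body": body,
    }


# Constructed requests (assumed, not the room's captures).
SAMPLE_HTTP = (
    b"GET /download.html HTTP/1.1\r\n"
    b"Host: www.ethereal.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)
SAMPLE_TLS = (
    b"GET /icons/back.gif HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n"
    b"\r\n"
)
SAMPLE_PROXY = (
    b"GET http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629 HTTP/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(parse_http_request(SAMPLE_HTTP)["full_uri"])
    print(parse_http_request(SAMPLE_TLS, over_tls=True)["full_uri"])
    print(parse_http_request(SAMPLE_PROXY)["full_uri"])
```

Note that the query string is kept percent-encoded exactly as sent, which is why the packet 18 answer above still contains the %3A and %2F sequences.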

Recap

In this room we learnt how to:

  • Use Wireshark to analyse ARP, ICMP, TCP, DNS, HTTP and HTTPS traffic
