TryHackMe: Wireshark 101
This is a write up for the Wireshark 101 room on TryHackMe. Some tasks have been omitted as they do not require an answer.
ARP Traffic
What is the Opcode for Packet 6?
Answer: request (1)
What is the source MAC Address of Packet 19?
Answer: 80:fb:06:f0:45:d7
What 4 packets are Reply packets?
Use the following filter to return only ARP Reply packets.
arp.opcode == 2
Answer: 76,400,459,520
What IP Address is at 80:fb:06:f0:45:d7?
This information is available in the Info column.
Answer: 10.251.23.1
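As an added example (not part of the original write-up or of the TryHackMe room), the script below does by hand what the display filter `arp.opcode == 2` and the Info column do in Wireshark: it decodes Ethernet II + ARP frames, keeps only replies, and builds the "MAC is at IP" mapping. The three frames are constructed inline; the addresses 80:fb:06:f0:45:d7 and 10.251.23.1 are the ones from the questions above, while 00:11:22:33:44:55 and 10.251.23.50 are made-up values for the requesting host.

```python
"""Decode Ethernet/ARP frames and apply the equivalent of the Wireshark filter arp.opcode == 2."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet II + ARP frame (only used to produce sample input here)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    dst = b"\xff" * 6 if opcode == 1 else tmac  # requests are broadcast, replies are unicast
    eth_hdr = dst + smac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth_hdr + arp_hdr + smac + sip + tmac + tip


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame as a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    body = frame[22:42]
    return {
        "opcode": opcode,
        "opcode_name": ARP_OPCODES.get(opcode, "unknown"),
        "src_mac": mac_to_str(frame[6:12]),      # Ethernet source, what the Source column shows
        "sender_mac": mac_to_str(body[0:6]),
        "sender_ip": ip_to_str(body[6:10]),
        "target_mac": mac_to_str(body[10:16]),
        "target_ip": ip_to_str(body[16:20]),
    }


def filter_replies(frames):
    """Equivalent of the display filter arp.opcode == 2: (packet number, fields) for ARP replies only."""
    matches = []
    for number, frame in enumerate(frames, 1):  # Wireshark numbers packets from 1
        fields = parse_arp(frame)
        if fields is not None and fields["opcode"] == 2:
            matches.append((number, fields))
    return matches


def mac_ip_map(frames):
    """Sender MAC -> sender IP learned from ARP replies, i.e. the Info column's 'X is at Y'."""
    return {fields["sender_mac"]: fields["sender_ip"] for _, fields in filter_replies(frames)}


# Constructed sample capture: a who-has request, the matching reply, and one non-ARP (IPv4) frame.
SAMPLE_FRAMES = [
    build_arp_frame(1, "00:11:22:33:44:55", "10.251.23.50", "00:00:00:00:00:00", "10.251.23.1"),
    build_arp_frame(2, "80:fb:06:f0:45:d7", "10.251.23.1", "00:11:22:33:44:55", "10.251.23.50"),
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28,
]

if __name__ == "__main__":
    for number, fields in filter_replies(SAMPLE_FRAMES):
        print(f"{number}: {fields['sender_ip']} is at {fields['sender_mac']}")
```

Running the script lists only packet 2, the reply, and `mac_ip_map` returns the same mapping the Info column gives for the room's question (80:fb:06:f0:45:d7 is at 10.251.23.1).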
ICMP Traffic
What is the type for packet 4?
Answer: 8
What is the type for packet 5?
Answer: 0
What is the timestamp for packet 12, only including month, day and year?
May 31, 2013 does not appear to work. As instructed, we try the day before and the answer is accepted.
Answer: May 30, 2013
What is the full data string for packet 18?
Answer: 08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
DNS Traffic
What is being queried in packet 1?
Answer: 8.8.8.8.in-addr.arpa
What site is being queried in packet 26?
Answer: www.wireshark.org
What is the Transaction ID for packet 26?
Answer: 0x2c58
HTTP Traffic
What percent of packets originate from Domain Name System?
Answer: 4.7
What endpoint ends in .237?
Answer: 145.254.160.237
What is the user-agent listed in packet 4?
Answer: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
Looking at the data stream, what is the full request URI from packet 18?
Answer: http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633
What domain name was requested from packet 38?
Answer: www.ethereal.com
Looking at the data stream, what is the full request URI from packet 38?
Answer: http://www.ethereal.com/download.html
HTTPS Traffic
Looking at the data stream, what is the full request URI for packet 31?
Answer: https://localhost/icons/apache_pb.png
Looking at the data stream, what is the full request URI for packet 50?
Answer: https://localhost/icons/back.gif
What is the User-Agent listed in packet 50?
Answer: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
Recap
In this task we learnt how to:
- Use Wireshark to analyse ARP, ICMP, TCP, DNS, HTTP and HTTPS traffic