The purpose of this lab is to provide a quick introduction to searching through network traffic looking for suspicious activity.

Use the provided pcap file (http://isis.poly.edu/~cyfor/wiresharkForensicsLab.pcap) to answer the following questions.

  1. Google: The user performed two different Google searches. What two things was he researching?
  2. File Downloads: The user downloaded a file from a site via FTP. What is the file name?
  3. Email: The user logged into an email account via the IMAP protocol and sent an email. What is:
    1. The user’s email account login information
    2. The email address of the sender and recipient
    3. The important information he was sending?
  4. IRC Chat: What IRC chatroom did the user join?
  5. BONUS: International Communications: This challenge can be completed using the GeoIP technology implemented in newer versions of Wireshark. You will first need to download the free GeoIP databases and provide Wireshark with the path to them. Instructions can be found here:

Written: http://www.symantec.com/connect/articles/trace-location-traffic-geoip-technology-implemented-wireshark

Video: http://www.securitytube.net/video/380

You will then need to enable GeoIP Lookups. This option can be enabled in Wireshark as: Edit -> Preferences -> Protocols (left-hand column) -> IPv4 -> Enable GeoIP Lookups

Finally, use Firefox to view the map; it may not display correctly in other browsers.

Question: Connections were established with servers in three countries outside America. What are the IP addresses of those servers and what countries are they located in?
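A small worked example for questions 1 through 4, added here and not part of the lab materials: a pure-Python (standard library only) walker for a classic pcap file that pulls out each TCP segment's payload and matches the four kinds of artifact the questions ask about (Google search queries in HTTP requests, FTP RETR file names, IMAP LOGIN credentials, IRC JOIN channels). The capture embedded in the script, together with its IP addresses, account name, password and file name, is constructed for the demonstration and says nothing about the contents of the lab pcap. Pass the lab file's path on the command line to run the same scan over it.

```python
import re
import struct
import sys
import urllib.parse
from typing import Dict, Iterator, List, Tuple

# --- Constructed sample capture (not the lab's pcap) -------------------------
# The IPs, credentials and file names below are made up for this demonstration.

def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame carrying `payload`. Checksums are left at zero;
    the parser below never validates them, so the frames are fine for offline use."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # 20-byte header, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload

def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1363500000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "198.51.100.1", 40001, 80,
                b"GET /search?q=network+forensics&hl=en HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    build_frame("10.0.0.5", "198.51.100.1", 40002, 80,
                b"GET /search?hl=en&q=wireshark+filters HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40003, 21, b"USER anonymous\r\n"),
    build_frame("10.0.0.5", "192.0.2.10", 40003, 21, b"RETR report.pdf\r\n"),
    build_frame("10.0.0.5", "192.0.2.20", 40004, 143, b"a001 LOGIN alice@example.com s3cret\r\n"),
    build_frame("10.0.0.5", "192.0.2.30", 40005, 6667, b"NICK alice\r\nJOIN #forensics\r\n"),
])

# --- Minimal pcap walker ------------------------------------------------------

def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, str, int, bytes]]:
    """Yield (src_ip, dst_ip, dst_port, payload) for each non-empty TCP segment.
    Handles classic pcap in either byte order with Ethernet framing; pcapng is not handled."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is out of scope for this example)")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_total_len, = struct.unpack_from("!H", frame, 16)
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp_off = 14 + ihl
        dport, = struct.unpack_from("!H", frame, tcp_off + 2)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off: 14 + ip_total_len]
        if payload:
            yield src, dst, dport, payload

# --- Artifact extraction (one pattern per lab question) ----------------------

GOOGLE_QUERY = re.compile(rb"GET /search\?(?:[^ ]*&)?q=([^& ]+)")
FTP_RETR = re.compile(rb"^RETR (.+?)\r?$", re.M)
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) (\S+)", re.M)
IRC_JOIN = re.compile(rb"^JOIN (\S+)", re.M)

def extract_artifacts(pcap: bytes) -> Dict[str, list]:
    """Scan each TCP segment on its own (no stream reassembly) and collect the artifacts."""
    found: Dict[str, list] = {"google_searches": [], "ftp_downloads": [],
                              "imap_logins": [], "irc_channels": []}
    for _src, _dst, dport, payload in iter_tcp_payloads(pcap):
        if dport == 80:
            found["google_searches"] += [urllib.parse.unquote_plus(m.group(1).decode())
                                         for m in GOOGLE_QUERY.finditer(payload)]
        elif dport == 21:
            found["ftp_downloads"] += [m.group(1).decode() for m in FTP_RETR.finditer(payload)]
        elif dport == 143:
            found["imap_logins"] += [(m.group(1).decode(), m.group(2).decode())
                                     for m in IMAP_LOGIN.finditer(payload)]
        elif dport == 6667:
            found["irc_channels"] += [m.group(1).decode() for m in IRC_JOIN.finditer(payload)]
    return found

if __name__ == "__main__":
    # Pass the lab pcap's path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for kind, items in extract_artifacts(data).items():
        print(f"{kind}: {items}")
```

The script looks at each segment in isolation, which is enough for the short command lines FTP, IMAP and IRC send, but an HTTP request or an IMAP APPEND split across several segments will only show up in full with Wireshark's Follow TCP Stream; the port-based dispatch is likewise a convenience, and Wireshark's dissectors are what to trust when a service runs on a non-standard port.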

Further information on this module can be found at the following links.


The network traffic file for the lab is attached below.

Attachment: wiresharkForensicsLab.pcap (5.59 MB), uploaded by marcbudofsky, Mar 17 2013, 9:42 PM
