PROJECT 2 LAB: NETWORK TRAFFIC CAPTURE AND ANALYSIS
Introduction and Overview
The chief information officer (CIO) of your employer is concerned about a potential cyberattack that is likely to
impact some user computers, a domain controller with a huge pile of user accounts, and external-facing web servers.
As a proactive measure, a packet capture was immediately initiated after the internal monitoring system sent an
initial alert. You have been called in to assess the situation based on your expertise. Acting as a security operations
analyst in this lab, the CIO wants you to analyze the network packets that were captured and investigate the
potential target hosts, inbound and outbound traffic, and the specific type of attack such as DDoS or SQL injection.
Additionally, you are to include in your findings whether this is an active or passive sniffing attack. As you conduct
this lab acting as a security operations analyst, you will reinforce the concepts learned in the classroom.
The purpose of this lab is to help you gain hands-on experience and get a deeper understanding of network security
concepts by capturing and analyzing network packets traversing through specified endpoints or networks. In other
words, students will gain hands-on experience running vulnerability analysis tools that can help detect potential
weaknesses in a system. In a previous project, you utilized OpenVAS to conduct vulnerability assessment; however,
you will use Nmap and Wireshark in this lab to achieve a similar but distinct goal. You may have already learned the
functionality of these tools as you studied the content within the steps in your classroom.
You will use Wireshark and Nmap as network packet analyzers, which are pre-installed in the Windows VM within
the UMGC MARS Virtual lab environment (VLE) to help you analyze network packets.
After completing this lab, you are expected to achieve the following learning objectives:
â€¢ Use network sniffing and scanning tools to scan and analyze network traffic within Windows and Linux
networked environments and get acquainted with the structure of network packets.
â€¢ Gain experience using Wireshark and Nmap as packet sniffing tools.
â€¢ Analyze network packets at four main TCP/IP layers including application, transport, network, and datalink
to develop your assessment report.
â€¢ Analyze captured network traffic using a given Wireshark file and identify suspicious traffic (such as DDoS,
SQL injection attacks), malicious data, open ports, and others.
â€¢ Develop a security assessment and risk assessment report as part of your project report.
By the end of this lab, you are expected to satisfy the following competencies aligned with the course learning
outcomes of the Cybersecurity Technology Program.
â€¢ Organize documents or presentations clearly in a manner that promotes understanding and meets the
requirements of the assignment. Tailor communications to the audience.
â€¢ Explore and address cybersecurity concerns, promote awareness, best practices, and emerging
â€¢ Knowledge of methods and tools used for risk management and mitigation of risk.
â€¢ Demonstrate the ability to detect, identify, and resolve host and network intrusion incidents.
â€¢ Possess knowledge and skills to categorize, characterize, and prioritize an incident as well as to handle
relevant digital evidence appropriately.
â€¢ Network traffic analysis; network mapping; security, vulnerability, and risk assessment; threat detection;
and endpoints protection.
GENERAL LAB REQUIREMENTS
Please pay attention to the following general requirements:
â€¢ While your professor and classmates can be a resource if you need help, you are required to
complete the lab independently.
â€¢ The lab procedures and results need to be documented as part of your submission, and where
necessary, provide screenshots to support your submitted work.
â€¢ Before proceeding, you are encouraged to revisit the section or project steps in the classroom that
specify the requirements and the items you will need to include in your lab project.
Upon completing this lab, you are required to provide the following deliverables based on the Wireshark and
Nmap results and analysis.
â€¢ The lab procedures and results need to be documented as part of your submission and where necessary,
provide screenshots to support your submitted work.
â€¢ Develop a security and risk assessment report as part of your project report.
â€¢ Use the lab experience report template to share your experience to demonstrate the skills gained, as well
as confirm that experience. Then incorporate your findings into the project deliverables for submission.
â€¢ The Project 2 Lab Experience Report Template is a Word document located in the Lab Files (Project
2) folder under the Folders & Files tab in your MARS student portal. Download and use it for your
â€¢ Please refer to the MARS Reference Guide for guidance.
The MARS environment has two main virtual machines (VMs) for this course; however, there are a host of other VMs,
servers, and endpoint devices in the virtual environment.
Types of VMs in this Lab
VM # VM Name OS Type VM Type
VM1 Windows Desktop Windows Target/Attacker Machine
VM2 Linux Desktop Linux Target/Attacker Machine
â€¢ There is one internal IPv4 subnet (10.138.0.0/16) for both VMs in this course.
â€¢ One of the machines runs Linux OS, while the other runs Windows.
UMGC/MARS Virtual Lab Topology
The hypothetical lab topology shown below gives you an idea of an overall layout of the VMs in the dedicated virtual
environment with configured IP subnets and dynamically assigned IPv4 addresses. The VMs are connected as depicted in
the simplified lab topology below.
â€¢ All the information and software including the cybersecurity tools made available in the MARS virtual
environment are for educational purposes only.
â€¢ For safety, legal, and ethical concerns about the potential for misuse of some software tools when performing
the lab, students should exercise care when accessing the internet from the MARS environment.
â€¢ Note that many of the cybersecurity tools used in the labs in this course can potentially be misused by hackers. It
is important that you use these tools in an ethical and responsible manner. It is the end userâ€™s responsibility to
comply with all University guidelines and policies including applicable acceptable use policy (AUP) and safety
â€¢ The MARS VLE is set up to use dynamic IP addresses instead of static IP addresses.
â€¢ Therefore, the assigned IP addresses to your specific lab VMs are likely to be different from what you see in
the given screenshots.
â€¢ As a result, make sure you are using the IP addresses that reflect your allocated machines.
Lab Resources and Software Requirements
You will use the Windows Desktop VM to access both Wireshark and Nmap to complete this lab.
Lab Credentials Required to Access MARS
â€¢ Upon accessing the MARS website, you will be prompted to enter your username and password (UMGC
SSO credentials) to access your student portal.
â€¢ Then use your 6-digit 2-Factor Authentication (MARS Security) code sent to your email address to
complete the login process and get your VMs started. Next, use your retrieved passwords to log into the
Windows Desktop and/or Kali Linux VM depending on which VM(s) to use.
TIP: Should you forget your password, you can copy it by clicking on the Click to show link under the password
field in the VM section of your student portal. If necessary, refer to the MARS Guide for additional information.
Review the following open-source resources to reinforce your understanding of the key concepts and tools in this
â€¢ Refer to Wireshark, Wireshark Documentation , Wireshark Training, and NMap websites for official
documentation, white papers, user manuals, FAQs, webcast slides, online videos, and online
â€¢ You may also refer to the optional lab reference resources provided elsewhere in this lab document.
â€¢ Alternatively, you have the liberty to use some learning tools such as the UMGC library, Google search
engine, YouTube, and others for external resources such as videos, peer review articles, white papers,
trade magazines, and online documentation. However, be mindful of digital rights infringement and cite
sources to credit authors where appropriate to support your work.
NOTE: There are active hyperlinks (URLs) to external sources in this lab instructions. Hence, for best user experience
if a weblink does not automatically open in another tab, right-click and open it in a new tab. Be aware that this
behavior can change depending on the specific types and settings of your browser and platform being used.
PART 1: CONNECTING TO THE WINDOWS DESKTOP VM
To access any Virtual Machine (VM), follow the instructions contained in the Lab Reference Guide, Common Lab
Setup Guide, or simply the Common Lab Guide, to help you get yourself acquainted with the general MARS virtual
environment, along with the lab-specific setup exercise. The Common Guide will help you navigate and connect to
the MARS virtual environment, perform any lab setup activities, as well as connect to your allocated VMs.
Specifically, it will help you with frequently performed tasks, such as logging in to the MARS, opening a VM, taking
screenshots, accessing and downloading files, and transferring files to and from your local machine.
To access any Virtual Machine (VM), follow the instructions in the Lab Reference Guide, Common Lab Setup
Guide, or simply the Common Lab Guide. The Reference Guide will help you get yourself acquainted with the
general MARS virtual environment, along with the lab-specific setup exercise. Additionally, the Guide will help you
navigate and connect to the MARS virtual environment, perform any lab setup activities, as well as connect to your
allocated VMs. Specifically, it will help you with frequently performed tasks, such as logging in to the MARS,
opening a VM, taking screenshots, accessing and downloading files, and transferring files to and from your local
â€¢ Please be reminded that you are highly recommended to fully read the Reference Guide and any
other UMGC-specific materials before starting the lab. This document is linked to all the project
callout boxes, which are located in the respective project steps. This Guide is a great asset to help
you seamlessly conduct your lab exercises.
Listed below are the main sections of the MARS Reference Guide [Common Lab Guide]:
â€¢ SECTION 1: Understanding the UMGC MARS Virtual Environment
â€¢ SECTION 2: Connecting and Navigating the MARS Virtual Environment
â€¢ SECTION 3: Installing OpenVPN and Remote Desktop Protocol (RDP)
â€¢ SECTION 4: Connecting and Starting the Windows Virtual Desktop
â€¢ SECTION 5: Accessing Your Courses
â€¢ SECTION 6: Downloading the Project/Lab Files
â€¢ SECTION 7: Understanding the CST Lab Alerts
â€¢ SECTION 8: Getting Help Using the Lab Support Form
Task 1: MARS Virtual Environment
As you did in the project 1 lab, you will launch your Windows Desktop via RDP connection. You are required to
complete this first task in order to accomplish the tasks associated with the lab. Make sure your virtual machines
are running by logging into MARS and starting the Windows Desktop (VM) if it is not already running.
1. Launch your Windows Desktop from the Virtual Desktops1 tab of the MARS portal by clicking the Start2
button to automatically start the VM and any VM you have access to for any course. If not, manually start
the Linux Desktop when necessary. Notice that Virtual Desktops is the selected tab.
2. You can then connect to the Windows Desktop using the RDP application after it starts running. When
prompted, enter the password that was initially retrieved from your student portal for Windows. After
successful authentication, and accepting and acknowledging any messages, the Windows Desktop will
appear as shown below.
â€¢ You are encouraged to examine the user interfaces of both VM to be familiar with the operating
â€¢ Use the scroll bars to scroll as needed. Your virtual desktop should now work just like any other
â€¢ Please refer to the MARS Reference Guide to help you connect to the MARS virtual environment,
perform any lab setup activities, and connect to your allocated VMs.
PART 2: STARTING THE LAB | HANDS-ON WALK-THROUGH INSTRUCTIONS
You are required to complete each of the following tasks based on the stated objectives to produce the required
deliverables in this lab. You will use Windows Desktop, which has the required preloaded Nmap and Wireshark to
complete the lab. Carefully read and follow the step-by-step instructions provided below to complete the lab
Task 1: A Brief Overview of the Wireshark User Interface
Wiresharkâ€”a network protocol analyzerâ€”is an open-source tool for capturing and analyzing network traffic or
network packets. The tool can also be used for network troubleshooting, protocol development, and other similar
tasks. Additionally, Wireshark is a network packet analyzer presenting captured packet data in as much detail as
The Wireshark user interface (UI) contains three main sections: the packet list pane, the packet details pane, and
the packet bytes pane.
Packet List Pane: This pane is located at the top of the user interface and displays all active packets captured with
Wireshark. Notice that each line or row is assigned a specific number. This number is the packet number in the
capture file and does not change. When a packet is selected in the top pane, corresponding details appear in the
other panes: packet details and packet bytes/status.
Packet Details Pane: This pane, located in the middle, displays the protocols and associated fields of the selected
packet in a collapsed format. Each frame, protocol, or detail in each row can be expanded in the form of the plus
sign (“+”) or right arrow symbol (“>”) to display additional details. You can set filters, based on protocol type, by
right-clicking on the desired item within this pane.
Packet Bytes/Status Pane: This pane, located at the bottom, displays the raw data of the selected packet from the
packet list pane in a hexadecimal dump format. This is useful in identifying suspicious packet contents, as some
content will be easily viewed in ordinary ASCII characters.
You may refer to the Wireshark, Wireshark Documentation, Wireshark Training, and NMap websites for official
documentation, white papers, APIs, user manuals, FAQs, webcast slides, online videos, and online presentations.
Ensure that you thoroughly review the Wireshark resources to learn more about the tool before proceeding.
Task 2: Launching Wireshark
In the next few steps, you will conduct packet capture analysis using the Wireshark program installed in Windows
VM to complete the exercises. You will analyze HTTP web traffic and then the given Wireshark file,
CST610Project2Lab1.pcap, already pre-captured.
TIP: Keep in mind that packet capture may be examined using other sniffer tools such as PRTG network
monitor, ManageEngine, NetFlow analyzer, WinDump, and TCPdump.
1. First, First, launch the Wireshark application either from Windows Desktop1 (if there is a shortcut) or from your
Windows Start1,2 menu as shown in A and B below.
TIP: You may also open Wireshark using the Windows search box in the Taskbar and typing â€œWiresharkâ€. If
you prefer, create a Wireshark shortcut on the desktop of the Windows VM.
2. You should see the main Wireshark user interface as shown. Select the Ethernet 4 network interface on
the Wireshark for scanning. Take note of the various menus of the interface user interface.
NOTE: You may refer to the Reference Resources section for official documentation, white papers, APIs, user
manuals, FAQs, webcast slides, online videos, and others to get familiar with the tool..
Task 3: Loading the Given PCAP file into Wireshark for Analysis
In the next few steps, you will conduct packet capture analysis using the Wireshark program installed in Windows
VM to complete the exercises. First, you will load the PCAP file into Wireshark for analysis. Follow the steps below
to accomplish this task.
â€¢ Please be reminded that the lab instructions, related screenshots and files, and any requirements in the
CST610 course also apply to the DFC610 course.
â€¢ CST610 and DFC610 are two courses with the same content; for this reason, CST610Project2Lab1.pcap
file also applies to DFC610. You do not need a separate file, but you can choose to use
DFC610Project2Lab1.pcap in the DFC610 folder if you want.
1. Now, locate CST610Project2Lab1.pcap file from the CST610 folder in the File Explorer window as shown
below. You may also locate DFC610Project2Lab1.pcap file from the DFC610 folder if you want but they are
different file names with the same content.
2. Next, follow the steps below to load the PCAP file:
a. Click File and then the Open1 option under the File drop-down menu on the left side of the
b. Navigate to the CST610 folder (b) and select the CST610Project2Lab1.pcap2 file. Then click Open3
to load it. Wireshark will load this file and get it ready to be analyzed.
3. Notice that Wireshark loads and displays the packets listed in rows in three panes (packet list, packet
details, and packet byte/status panes). You may refer to the Wireshark user interface as outlined above in
the introduction to understand the details of each pane. In the next task, you will analyze the loaded PCAP
file in Wireshark to identify potential network attacks and intrusions.
â€¢ You may scroll through the capture file by using the scroll bar in the top pane that has the colored
rows of network traffic captured.
â€¢ When a packet is selected in the packet list (top) pane, the corresponding details appear in the
packet details and packet byte panes in the middle and bottom panes respectively.
â€¢ The top pane contains an overview of captured network traffic. The middle pane shows details for
the selected row. Notice the triangles at the left of Frame 1, Ethernet II, Internet Protocol Version 4,
User Datagram Protocol (UDP), Domain Name System (DNS), etc. Each of these can be expanded to
examine the detailed contents.
â€¢ The pane at the bottom of the screen (packet bytes) displays the raw data in a column of
hexadecimal side-by-side with a column of the data in ASCII format. This is useful in identifying
suspicious packet contents, as some content will be easily viewed in ordinary ASCII characters, but
some suspicious content may not be represented in ASCII characters at all but can be identified in
the corresponding hexadecimal representation.
Task 4: Filtering, Inspecting, and Analyzing the PCAP File
It is now time to analyze the pre-captured network traffic in the loaded PCAP file (CST610Project2Lab1.pcap) in
Wireshark to identify potential network attacks and intrusions. You will accomplish this by filtering and inspecting
individual packets now that Wireshark has loaded packet capture and displayed them in a human-readable format.
The tool allows you to dig into the network traffic and inspect individual packets as needed for potential
The following step-by-step instructions will guide you on how to use the Wireshark Statistics menu to analyze the
PCAP file and explore both HTTP web traffic and TCP Protocol information.
Task 4a: Using the Statistics tool to analyze the PCAP file
1. Using the Statistics menu, analyze the PCAP file by using filtering techniques. To filter, click on the
Statistics>IPv4 Statistics>Destination and Ports from the Wireshark toolbar.
2. When the Destination and Ports window opens, look for the IP address with the highest count under the
Count column. Record the IP address and take a screenshot for evidence. You will later answer questions
regarding packet counts and potential security incidents.
Note: The results for the Destination and Ports stats can take about a minute or two to complete. Exercise
patience and allow it to populate so you can analyze the entire statistics.
â€¢ Think of the fact that a DoS attack tries to make a web resource unavailable to legitimate users by
flooding the target URL/host with more requests to overwhelm the server. What can you infer from the
statistical information in the Destination and Ports window as far as a DoS attack is concerned?
â€¢ Cybercriminals can illegitimately use DoS attacks to extort money from companies. They may also use
ransomware vis social engineering. Determine if this is a Distributed Denial of Service (DDoS) or DoS
attack [hint: a DDoS attack originates from multiple sources almost simultaneously].
â€¢ What is your point of view on the Rate and Percent columns of the Statistics output with respect to the
Count column? Does this information indicate any possibility of a compromise? If so, why?
Task 4b: Using the Conversations tool to analyze the PCAP file
Another approach for analyzing this information is to use the Conversations tool.
1. Click Statistics > Conversations1 in Wireshark to uncover additional details about the IP packet. The
Conversations1 tool show a summary of the IP addresses found within the capture and the number of
packets and bytes being sent to and from different source and destination endpoints/IPs in the
2. From the Conversations window, you should be able to see the communication between IP addresses.
Click the IPv4-102 tab to see the communications3 between source and destination IP addresses (hosts).
Find the one with the highest packet count.
3. Address A3 under IPv4-10 is the source IP address and address B3 is the destination or target IP address.
The bad actor is the source address with the highest packet count.
â€¢ Note the different tabs in the above screenshot (Ethernet.13, IPV4.10, IPV6, TCP.516, and
UDP.25564). The number denotes the number of rows (e.g., Ethernet.13 has 13 rows). Examine each
tab to review the different details to help your analysis.
â€¢ The results for the Conversation stats can also take a while to complete. Therefore, exercise patience
and allow it to populate so you can analyze the relevant details.
â€¢ Besides the DDoS attack, do you see any indication of an attack such as brute force, or SQL injections
attack upon analyzing the web traffic? Why or why not?
â€¢ How is this indication different from the Statistics information retrieved earlier and from the
perspective of this attack?
â€¢ What legitimate or illegitimate role does the host/user with the 192.168.10.111 IP address play in the
Task 4c: Capturing and Exploring HTTP Traffic in Wireshark
You can apply a Wireshark display filter to limit your view to the HTTP traffic or specified traffic only. For example,
while a user agent can be set up correctly, it can be spoofed or compromised, making it possible for an attacker to
retrieve web content intended for legitimate users or hosts. Cookies, for example, a key part of the HTTP protocol,
enable a web server to send data to the client and then store and resubmit data to the server periodically when
needed. They can also be used to transmit sensitive data in web applications.
1. Prior to analyzing the captured PCAP files, letâ€™s first capture live HTTPS traffic. Open the Chrome browser
from the taskbar and either go to twitter.com or google.com or both sites. You may also use any website
of your choice.
NOTE: Before capturing the web traffic, it may be a good idea to clear your browserâ€™s cache. However, for the
purpose of this exercise, you donâ€™t have to do this.
2. You will now launch Wireshark and begin to access real-time web traffic. Be sure you select the Wireshark
Ethernet 4 network interface before initiating the scan using the blue Start button to start the capture.
3. Notice that Wireshark displays the packets listed in rows in three panes (packet list, packet details, and
packet byte/status panes). You can go back to the Twitter page and refresh the site or click to access
another site. Next, to stop capturing traffic, go back to the Wireshark interface, and click on the red Stop
button to stop the capture.
4. You will analyze the web traffic (involving TCP, UDP, TLS, DNS, etc.) by filtering and inspecting individual
packets. To filter, follow the following steps in sequence:
a. Type dns in the Apply Display Filter bar and press enter.
b. Click on twitter.com at row 322 in the Packet List Pane. The row number in this case may be
different for you. Note the twitter.com or google.com row detail. You will analyze the packet
details in the Packet Details and Packet Bytes/Status Panes.
c. Alternatively, you can use the blue arrow button at the top right side of the Wireshark interface.
d. Next, type frame contains google in the filter box to filter rows containing only the word â€œgoogleâ€.
Alternatively, you can try this for twitter too.
â€¢ Wireshark’s display filter bar located at the top allows you to type specific expressions to filter the
frames, IP packets, or TCP segments that can be displayed from a PCAP file.
â€¢ Examples of Wireshark apply filter search strings or filter expressions:
o tcp contains twitter | tcp.analysis | udp contains google | icmp contains google or simply dns,
udp, frame, etc. | ip.addr eq 10.138.15.15 and ip.addr == 192.168.41.2 | http.request &&
ip.addr == 192.168.10.195: http.request | http.response | dns.qry.name contains microsoft or
dns.qry.name contains windows | http.request or tls.handshake.type == 1
5. Now select www.goole.com query. Expand and pay close attention to the Packet Details from the middle
of the window from Protocol, Frame, Ethernet, and, more importantly, Internet Protocol version 4 (IPv4),
User Datagram Protocol (UDP), and Domain Name System (DNS). These packets encapsulate additional
details of the network packets. You will later be asked to analyze and answer questions based on this
Task 4d: Exploring Web traffic and HTTP Protocol from the PCAP file
We now explore web traffic and HTTP protocol based on our pre-captured PCAP file for malicious intent. As per the
previous task for the TCP segment, you can apply a Wireshark display filter to limit your view to the HTTP traffic only. In
this task, you will do an in-depth analysis of the web traffic to find out if no sensitive data in web applications is
1. Search HTTP in the filter box. You may also manually scroll down in the packet list pane until you
encounter an HTTP GET/Request. As before, click on the HTTP information in the packet details/middle
pane and view the contents of the HTTP header in detail.
2. Notice additional WordPress GET requests for resources that seem abnormal for standard browsing
activity and requesting resources that may or may not exist. While analyzing additional HTTP packet
captures, note the requests based on destination server IP addresses, ports used, HTTP response code,
and others. Follow the sequence below.
a. Search HTTP in the filter box. You may also manually scroll down in the packet list pane until you
encounter an HTTP GET/Request. As before, click on the HTTP information in the packet
details/middle pane and view the contents of the HTTP header in detail.
b. Also, notice the packet details pane (middle). Click the arrow next to each of the Frame, Ethernet
II, Internet Protocol version 4 (IPv4), or Transmission Control Protocols (TCP) to expand it and
review the details individually.
c. Now click on one of the WordPress GET traffic shown in the packet list pane (top). Then go to the
packet details pane and click the arrow next to the HTTP protocol to expand it and review the
details of the HTTP packet.
3. An alternative way of finding the HTTP packet counts being used is the Packet Counter. Click Statistics >
HTTP > Packet Counter.
4. In the Packet Counter window, check the item with the highest count. Compare the counts for both the
HTTP Request Packets and HTTP Response Packets.
5. Next, you will analyze network traffic by filtering and inspecting individual packets. To filter, click on the
Statistics tab and then Protocol Hierarchy to open the Wireshark Protocol Hierarchy window. Notice the
packet counts corresponding to the HTTP protocol.
NOTE: Please pay close attention to the protocol hierarchy from Protocol, Frame, Ethernet, and, more
importantly, Transmission Control Protocol (TCP), and Hypertext Transfer Protocol (HTTP), which are all
encapsulated within the Internet Protocol Version 4 (IPv4) packet. There will be questions for you to answer later.
6. You will now filter and inspect network traffic based on the HTTP protocols. To filter the protocol, for
example, right-click on Hypertext Transfer Protocol, select Apply as Filter, and then click Selected. Finally,
click Close to return to the Wireshark main interface.
7. As before, you can see the filtered results in the packet list (top) pane. In the Protocol column, notice that
HTTP, as well as other protocols, are encapsulated within the TCP segments. Also, note the triangle to the
left of HTTP in the packet details (middle) pane. Clicking it will expand to show the content of the HTTP
â€¢ Alternatively, you can simply type http in the filter/search bar1 on the top left and then press Enter/Return
to filter. You can also click Apply display2 filter to the right to filter.
â€¢ Click the Clear display filter (the white X button next to the arrow2 in the screenshot above) to clear the
â€¢ Notice that the corresponding raw data (in hexadecimal alongside an ASCII representation) is highlighted in
the packet bytes/status (bottom) pane. A signature or anomaly-based detection system, for potentially
suspicious activity or a known active attack, may compare the header or payload contents of a TCP segment
to a hexadecimal or specific ASCII sequence. A typical example is when security analysts use Wireshark to
analyze hexdump for data recovery, reverse engineering, secure code development, and others.
â€¢ Take note of the details of the HTTP GET packet and review the encapsulated packets within the TCP
payload (refer to the Statistics and the Conversations for the TCP window above).
â€¢ Pay close attention as there will be questions for you to answer below and elsewhere.
8. In a similar manner, search the Internet Control Message Protocol (ICMP) packets in the filter box. As
before, click on the ICMP information in the packet details/middle pane and view the contents of the
a. Now click on one of the WordPress GET traffic shown in the packet list pane (top). Then go to the
packet details pane and click the arrow next to the ICMP protocol to expand it and review the
details of the ICMP packet.
b. Also, notice the packet details pane (middle). Click the arrow next to each of the Frame, Ethernet
II, Internet Protocol version 4 (IPv4), or Transmission Control Protocols (TCP) to expand it and
review the details individually.
Use your analysis and understanding to help you answer the following questions. Also, don’t forget to use this
information to complete the report.
a. If malicious actors got into your network to access your network security logs, how could they use the
packet details to their advantage? Specifically, what utilities within Wireshark can you count on?
b. Provide examples of IP addresses, hostnames, and mac addresses based on your analysis of the PCAP
files in Wireshark. What do you think is happening so far in your view?
c. From the details of the packet details pane above, why do you think there are several ICMP destination
ports unreachable? Does this suggest an indication of an attack? Please comment on your observations.
Task 4e: Additional use of the Apply Display Filter tool for Web-Based infection traffic
Generally, security professionals find a creative way of applying display filters in Wireshark where there is a
security incidence of attack or the suspicion of malicious web traffic. They hunt for indicators of compromise
(IOC), which consist of information derived from network traffic that relates to infected traffic. Security Analysts
often document IOCs related to network traffic such as IP addresses, protocols, ports, sockets, URLs, domain
names, and a host of others. Effective use of the Wireshark display filter feature by security professionals can help
in a swift detection of attacks or indicators.
In the next few steps, you will emulate these techniques to analyze potential incidence of attacks. Recall that you
have previously used tcp contains twitter, dns, tcp, tcp, and http contains google when you analyzed live web
traffic in the early stages of this lab (i.e. using twitter.com and google.com).
1. Go ahead and type http.request or tls.handshake.type == 1 in the Apply Display Filter bar and press enter
or filter button to filter traffic based on the prescribed search string.
2. Next, type http.request && ip.addr == 192.168.10.111 in the filter bar and press enter.
3. Finally, type tcp.flags.syn==1 in the filter bar and press enter. Analyze the TCP stream output for any sign
of indicators for any attack (e.g. DDoS or SQL injections).
a. Click on Follow > TCP Stream to bring the TCP stream output.
Notice that in all three (3) cases, there are some indicators of infected traffic/hosts, which might have tried to
connect with a webserver offline, refused a TCP connection, or have been hijacked by potential DoS/DDoS attacks.
You may scroll down the packet list pane and expand the Frame, Ethernet II, Internet Protocol version 4 (IPv4),
and Transmission Control Protocols (TCP) and review some interesting details individually.
â€¢ The http.request part of the command indicates URLs for HTTP requests, while ssl.handshake.type ==
1 reveals domain names used in HTTPS or TLS traffic.
â€¢ Similarly, http.request part of the command indicate HTTP requests, while ip.addr == 192.168.10.111
specify the host. The && is logical operator indicating both terms.
â€¢ Below are examples of Wireshark apply filter search string or filter expressions:
o tcp contains twitter | tcp.analysis | udp contains google | icmp contains google or simply dns,
udp, frame, etc. | ip.addr eq 192.168.10.111 and ip.addr == 192.168.41.2 | http.request &&
ip.addr == 192.168.10.0: http.request | http.response | dns.qry.name contains microsoft or
dns.qry.name contains windows | http.request or tls.handshake.type == 1
â€¢ If possible, continue to practice the Wireshark filters by applying these display filter strings. You may do
your own research for additional apply filter expressions.
Task 4f: Analyzing Firewall Rules from the PCAP file
As a cybersecurity professional such as cybersecurity analysts and network security admins in the field, you may
be required to oversee or create command-line access controls list (ACL) rules for a variety of firewall products,
including Cisco IOS, Linux Netfilter (iptables), OpenBSD pf, and Windows Firewall. Wireshark supports firewall
rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and sockets. It is assumed that the rules will be
applied to both inbound and outbound traffic.
1. Use the following steps to complete this task in sequence:
a. Now type http in the filter bar and select/highlight the GET /favicon.ico HTTP/1.1 get packet.
b. Choose Tools from the Menu and then select Firewall ACL Rules (Tools > Firewall ACL Rules).
c. You will see the Firewall ACL Rules window pop up. Review the details such as source and
destination IP addresses, network interfaces, input rules, etc.
d. If possible, copy/paste firewall/ACL rules and include them in your analysis for submission.
NOTE: If the cybersecurity analyst of the network admins finds the packets that need to be to be blocked by
the firewall, these firewall/ACL rules can be edited and copied/pasted into the internal firewall configurations.
You should see the type of ACL for denying traffic. You may play around to see how this works in the real
Task 5: Running Network Scans Using Zenmap (Nmap GUI)
Most recent cyberattacks could have been avoided if cybersecurity analysts had been monitoring connected
devices and networks in an efficient and consistent manner. Nmap is a security scanner used to discover hosts and
services on a computer network. Based on network conditions, it sends packets with specific information to the
target host/device/endpoint and then evaluates the responses. To hack into a computer system, an attacker must
target a machine and identify which ports the machine is listening to. The attacker can sweep networks and locate
vulnerable targets using an Nmap scanner. Nmap also uses TCP stack fingerprinting to accurately determine the
type of system being scanned.
Unlike the Wireshark network protocol analyzer, which is used for capturing and analyzing network traffic or
network packets, Nmap can be used to scan a host for listening ports, discover services on a network, and others.
With Wireshark, one can log network traffic for detailed analysis. Nmap is used by network administrators to map
their networks by being able to find live hosts on a network, perform port scanning, ping sweeps, OS detection,
In this task, you will learn how to use this tool for simple network scans and understand what the tool can do, as
well as the most basic commands used for scanning. During this exercise, you will use the Windows VM to scan
two other systems such as Kali Linux and WSL Kali VMs. In addition to the command-line interface, Nmap scans
can be performed using Zenmap, which provides a graphical user interface for Nmap.
1. First, launch the Nmap – Zenmap GUI application from your Windows Start menu as shown in (a) and (b)
NOTE: You may open Zenmap using the Windows search box in the Taskbar.
2. You should see the main Zenmap user interface shown below without any targets. Make sure to
understand the various menus/fields. If needed, refer to the lab resources section for additional details.
3. Let’s assume our local subnet/network is 10.138.0.0/24. You will run a scan on this network later. For now,
you will run a scan on Windows Desktop with an IP address of 10.138.15.15, as shown in the Target field
of the interface. Use the ipconfig in the Windows PowerShell1 cmdlet to find the IP address of the
Windows VM. Remember that this IP address may be different for you. Enter 10.138.15.15 as shown in
the Target2 field and press the Scan3 button to start canning.
NOTE: Be sure to launch both Kali Linux and WSL Kali VMs on the Windows Desktop before running the scans.
4. The scan results for host 10.138.15.15 display. Ensure that you review all the details to understand the
resultsâ€”the IP and the command in the Target and the Command fields (the green box), the Nmap
Output, Ports/Hosts, Topology, Host Details, and the Scans tabs (the blue box), as well as the results in
the red box.
5. Next, run the Nmap port scan targeting the Windows VM by typing nmap â€“Pn 10.138.15.15 in the
Command field and pressing Enter. After correctly typing this command in the Command field, notice that
the Target field should be automatically populated with the correct target hostname or IP address).
6. Select the Host Details tab. What can you say about the security implications of the output of this tab?
Comment on the data of interest in your findings such as host status and ports used.
Based on the output from the screen captures above, answer the following questions:
â€¢ What can you say about the results and the security implications of the output of this tab? Comment
on the data of interest in your findings such as host status and ports used.
â€¢ How many ports are reported by the scans, and how many are open ports?
â€¢ What is one most impactful security vulnerability in your opinion? Recommend a good mitigation
strategy to address any vulnerabilities identified.
Task 6: Scanning Multiple Hosts and a Network Using Zenmap
In this task, you will scan multiple IP addresses and network subnets instead of just one host, (i.e., Windows or the
Kali VM). This lab environment is set up to use dynamic IP addresses instead of static IP addresses. For this
reason, the assigned IP addresses to your specific lab VMs are likely to be different from what you see in the given
screenshots. Make sure you are using the IP addresses that reflect your allocated VM.
1. Type nmap -sP 10.138.15.15 10.138.17.14 169.254.6.31 and press Enter to execute a ping scan of these
selected host IP addresses. The 10.138.17.14 and 169.254.6.31 are the IP addresses of the Kali Linux and
WSL Kali respectively. Notice the list of IP addresses of the hosts in the screenshot below.
a. Notice that there is one space between each IP address.
2. You can now scan the subnet. Now type nmap â€“O -v 10.138.17.0/24 and press Enter to scan the entire
10.138.17.0/24 network and to detect the operating system (-O) of the network with plenty of details (-v).
Notice that only host 10.138.17.14 is up with the rest of the 255 hosts down. Why do you think this is the
â€¢ The middle part of the screen capture above is truncated due to the number of hosts (i.e. 255) within
â€¢ If necessary, refer to the resources section to learn more about IP addressing.
Based on the output from the two screen captures above, answer the following questions:
â€¢ What can you say about the results when scanning multiple hosts and/or a subnet compared with the
individual host scans?
â€¢ How many ports are reported by the scans, and how many are opened?
â€¢ Recommend a good mitigation strategy to address any vulnerabilities identified.
â€¢ In your opinion, why are some hosts reported as down? Do you recognize any security concerns? [Hint:
use the ping utility to see if any IP within the range is reachable from the Windows machine].
â€¢ If this is the first time running this command, this setup process may take a while to complete with a
lengthy output due to a large number of NVTs. You need to be patient to allow the GVM setup run to
completion. From experience, the complete setup process can take between 8 minutes and 15 minutes
â€¢ If you get a permission error, run the above commands with sudo, which is an acronym for superuser do
that runs an elevated prompt without a need to change your identity.
â€¢ The web interface of the OpenVAS is configured to run locally on localhost with specific port (i.e. 9392),
which can be assessed through https://localhost:9392 URL.
This brings you to the end of the lab. Please close all open applications, exit the virtual lab, and document your
findings, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure
to include your findings in your final project report for submission to your instructor.
â€¢ The Project 2 Lab Experience Report Template is a Word document located in the Lab Files (Project 2)
folder under the Folders & Files tab in your MARS student portal. Download and use it for your lab.
â€¢ Please refer to the MARS Reference Guide for guidance if necessary.
 Wireshark (2022). Wireshark User Guide – What is Wireshark? Retrieved from
Any academic writer who wishes to join our team of professional writers must possess all the following qualities:
To write an exemplary academic paper, you must have good critical thinking skills, possess the proper knowledge of the discipline, and be knowledgeable about applying an academic writing style.
As such we have a rigorous recruitment process. We only collaborate with professional academic writers. We believe in offering the highest quality academic writing services. Our writers pass various grammar and academic writing tests. They have to provide documents about their personal information and credentials to prove their level of expertise.
As a result, our clients receive papers that are thoroughly-researched, properly cited, and written within academic standards. We are proud that any academic writer from our writer's team can complete the paper at a high standard.
We work with the student’s budget because we know that students are usually on a budget majority of the time. We do not compromise on quality because of low prices. On the contrary, we love to foster a good relationship with our clients. That is why we charge our clients reasonable prices, and we are willing to negotiate and work with their budget.
It may be quite disturbing to decide whether to hire an academic writing company. We care about our client’s privacy and confidentiality. We never disclose your information to third parties. We never publish your paper online. You can use our academic writing service without any fear or anxiety.
Many students struggle with writing academic papers. Some barely have time to do their assignments because of their job and family responsibilities. Others have difficulty applying critical thinking skills or meeting time or assignment requirements. Whatever the reason is, you can always have time to do the things you love and other important things. All you need is a reliable and quality academic writing service. Unfortunately, even if you strongly desire to write the paper yourself, you sometimes face unexpected challenges. As we all know, life is unpredictable! Your teacher may be unconcerned about helping students and may not answer your questions. The good news is that there is a way out! You can hire an online academic writer to help you with your assignments. All you need to do is stipulate your paper requirements in the order form, and you can spend your time as you like.
Our company commits towards delivering high-quality custom papers to our clients. We seek to offer reliable essay writing services to our customers in various subject areas. Our customers are very valuable to us. As such, we commit to ensuring that they derive the utmost satisfaction from the essays we deliver. We have a mission to promote our clients' educational and professional lives by providing high-quality essays for their use. We also have a mission to offer a convenient essay writing system where our customers can easily order and pay for the services. We value quality and professionalism in our company.
We write papers on any subject area, and we also write various types of papers for various purposes. We have a team of able writers who are eager to help our customers with writing services of exceptional quality. We offer custom writing services for customers across the globe and charge affordable prices for our services. We are the best essay writing company offering personalized services to all our customers. We ensure our customers receive maximum satisfaction from the essays we deliver. Our website is the place to be if you are seeking high-quality essays.
By using our academic writing service, we match your paper subject with a writer with a degree in the subject. The writer is able to apply their skills, knowledge, and expertise to the paper. You receive an original, unique, well-research paper, properly cited and formatted. As such, you are assured of a high-quality paper.
Truth be told, writing assignments can be stressful and difficult for any student. There is no shame in getting academic writing help. When you search the term “get academic writing help” there are numerous sites that pop up on the results and our website is among them. So, why is it a great idea to choose us?
During your course, your instructor will assign various types of homework. Our academic writers can prepare essays, presentations, speeches, case studies, research papers, dissertations, thesis papers, and more. Our writer’s department is capable of tackling any assignment of any complexity easily. All you need is to give us detailed instructions to help our experts understand the task.After doing so, you can rest assured that everything is in control, and we will deliver a paper of unmatchable quality.
Are you a college or university student pursuing your Bachelor’s , Masters, PhD, or Doctorate degree? Sometimes juggling schoolwork with work, family and hobbies can seem like a daunting task. You have to sacrifice one or the other. The sole purpose of our website is to alleviate your academic burdens. We ensure that you do not fail in your classes and you get good grades consistently. We understand that there is a need for academic help.
We acknowledge that our clients are not dumb or lazy but only need academic life need help in order to live a balanced life and make ends meet. We make it our core priority to ensure that all assignments are done and submitted before the stipulated deadlines. All our writers are graduates. They are competent in handling the clients’ assignments. We step in to help you with any and all of your assignments. Our assignment help service ensures that you never miss a grade or deadline.
Students barely have time to read. We got you! Have your literature essay or book review written without having the hassle of reading the book. You can get your literature paper custom-written for you by our literature specialists.
Do you struggle with finance? No need to torture yourself if finance is not your cup of tea. You can order your finance paper from our academic writing service and get 100% original work from competent finance experts.
While psychology may be an interesting subject, you may lack sufficient time to handle your assignments. Don’t despair; by using our academic writing service, you can be assured of perfect grades. Moreover, your grades will be consistent.
Engineering is quite a demanding subject. Students face a lot of pressure and barely have enough time to do what they love to do. Our academic writing service got you covered! Our engineering specialists follow the paper instructions and ensure timely delivery of the paper.
In the nursing course, you may have difficulties with literature reviews, annotated bibliographies, critical essays, and other assignments. Our nursing assignment writers will offer you professional nursing paper help at low prices.
Truth be told, sociology papers can be quite exhausting. Our academic writing service relieves you of fatigue, pressure, and stress. You can relax and have peace of mind as our academic writers handle your sociology assignment.
We take pride in having some of the best business writers in the industry. Our business writers have a lot of experience in the field. They are reliable, and you can be assured of a high-grade paper. They are able to handle business papers of any subject, length, deadline, and difficulty!
We boast of having some of the most experienced statistics experts in the industry. Our statistics experts have diverse skills, expertise, and knowledge to handle any kind of assignment. They have access to all kinds of software to get your assignment done.
Writing a law essay may prove to be an insurmountable obstacle especially when you need to know the peculiarities of the legislative framework. Take advantage of our top-notch law specialists and get superb grades and 100% satisfaction.
Our prices depend on the urgency of your assignment, your academic level, the course subject, and the length of the assignment. Basically, more complex assignments will cost more than simpler ones. The level of expertise is also a major determinant of the price of your assignment.
If you need professional help with completing any kind of homework, is the right place to get it. Whether you are looking for essay, coursework, research, or term paper help, or with any other assignments, it is no problem for us. At our cheap essay writing service, you can be sure to get credible academic aid for a reasonable price, as the name of our website suggests. For years, we have been providing online custom writing assistance to students from countries all over the world, including the US, the UK, Australia, Canada, Italy, New Zealand, China, and Japan.
Our cheap essay writing service has already gained a positive reputation in this business field. Understandably so, since all custom papers produced by our academic writers are individually crafted from scratch and written according to all your instructions and requirements. We offer APA, MLA, or a Chicago style paper in almost 70 disciplines. Here, you can get quality custom essays, as well as a dissertation, a research paper, or term papers for sale. Any paper will be written on time for a cheap price.
Using our cheap essay writing help is beneficial not only because of its easy access and low cost, but because of how helpful it can be to your studies. Buy custom written papers online from our academic company and we won't disappoint you with our high quality of university, college, and high school papers. Although our writing service is one of the cheapest you can find, we have been in the business long enough to learn how to maintain a balance between quality, wages, and profit. Whenever you need help with your assignment, we will be happy to assist you.
It might seem impossible to you that all custom-written essays, research papers, speeches, book reviews, and other custom task completed by our writers are both of high quality and cheap. It is surprising, but we do have some tricks to lower prices without hindering quality.
To start using our services, it’s enough to place a request like “I need a writer to do my assignment” or “Please, write an essay for me.” We have a convenient order form, which you can complete within minutes and pay for the order via a secure payment system. The support team will view it after the order form and payment is complete and then they will find an academic writer who matches your order description perfectly. Once you submit your instructions, while your order is in progress and even after its completion, our support team will monitor it to provide you with timely assistance.
Hiring good writers is one of the key points in providing high-quality services. That’s why we have entry tests for all applicants who want to work for us. We try to make sure all writers working for us are professionals, so when you purchase custom-written papers, they are of high quality and non-plagiarized.
Our cheap essay writing service employs only writers who have outstanding writing skills. The quality of all custom papers written by our team is important to us; that is why we are so attentive to the application process and employ only those writers who can produce great essays and other kinds of written assignments. All our writers are graduates. They are competent in handling the clients’ assignments. We step in to help you with any and all of your assignments. Our assignment help service ensures that you never miss a grade or deadline.
All our cheap essays are customized to meet your requirements and written from scratch. Our writers have a lot of experience with academic papers and know how to write them without plagiarism. Moreover, at our academic service, we have our own plagiarism-detection software which is designed to find similarities between completed papers and online sources. You can be sure that our custom-written papers are original and properly cited.
Our essay writing service has a 0% plagiarism tolerance. We are well aware of the dangers of plagiarism. Plagiarism is academic suicide. Our essay writing service ensures that all papers are original. We do not sell pre-written papers. All papers are written from scratch as per the instructions. We pass our papers through powerful anti-plagiarism software such as SafeAssign and TurnItIn.
Our cheap essay writing service tries to always be at its best performance level, so each customer who pays money for paper writing can be sure that he or she will get what is wanted. On the off chance that you don’t like your order, you can request a refund and we will return the money according to our money-back guarantee.
There can be a number of reasons why you might not like your order. If we honestly don’t meet your expectations, we will issue a refund. You can also request a free revision, if there are only slight inconsistencies in your order. Your writer will make the necessary amendments free of charge. You can find out more information by visiting our revision policy and money-back guarantee pages, or by contacting our support team via online chat or phone.
We know how important any deadline is to you; that’s why everyone in our company has their tasks and perform them promptly to provide you with the required assistance on time. We even have an urgent delivery option for short essays, term papers, or research papers needed within 8 to 24 hours.
We appreciate that you have chosen our cheap essay service, and will provide you with high-quality and low-cost custom essays, research papers, term papers, speeches, book reports, and other academic assignments for sale. We beat all deadlines. We can also handle urgent orders with deadlines as short as 1 hour. Our urgent paper writing service does not compromise on quality due to the short deadline. On the contrary, our essay writers have a lot of experience which comes in handy in such situations.
We provide affordable writing services for students around the world. That’s why we work without a break to help you at any time, wherever you are located. Contact us for cheap writing assistance. Our impeccable customer support team will answer all your questions and help you out with any issues.Proceed to order page
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.Read more
Each paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.Read more
Thanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.Read more
Your email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.Read more
By sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.Read more