The capstone is a "Network Snapshot": a real packet capture you take from a network you control, analyzed by protocol and conversation, with a structured written report. You document what you saw, what was normal, what was anomalous, and what you could not decode.
What you ship
A Git repository containing:
- lab-capture.pcap (or lab-capture.pcapng): the traffic capture you analyzed. Must be from a network you own or are authorized to capture on. Keep it under 50 MB; filter at capture time if needed.
- decoding-report.md: the written analysis report (600-1000 words across five sections -- see below).
- At least 3 commits in the Git history: you should not do all the work in a single commit.
Repository naming convention: net101-capstone-{your-name} (lowercase, hyphens, no spaces). Example: net101-capstone-alex-jones.
If your lab environment does not support live capture (some cloud or VM environments suppress ARP and DHCP), you may substitute the missing protocols from the academy pcap-tools catalog fixtures. Note the substitution in your report.
What the capture must contain
Your capture must include enough traffic to let you trace all five required protocols:
- ARP: at least one request-reply pair. If ARP is not visible (your network suppresses broadcasts), substitute fundamentals-arp-request-reply.pcap from the pcap-tools catalog and note this.
- DHCP: at least one DISCOVER/OFFER/REQUEST/ACK exchange. If DHCP is not visible, substitute fundamentals-dhcp-handshake.pcap and note this.
- DNS: at least 3 query-response pairs.
- TCP: at least one complete session (three-way handshake + data + teardown or RST).
- TLS: at least one ClientHello through to application data.
A 10-15 minute capture of normal web browsing on your home network will contain all five.
The decoding report
Write decoding-report.md in plain English. Structure it with these five sections:
1. What I captured (50-100 words)
Describe the network you captured on (home network, lab VM, class lab environment), the capture tool used (tcpdump, Wireshark, tshark), the capture duration, and the total number of packets. Do not include any personally identifying network information (your external IP address, MAC addresses of real devices) if you prefer to keep those private; you may anonymize.
2. Protocol inventory (100-150 words)
What protocols appear in your capture? Use Statistics > Protocol Hierarchy to get a percentage breakdown. List at least 5 protocols and their approximate share of the traffic. Note any surprising or unexpected protocols.
3. Key conversations (250-350 words)
Trace one conversation for each of the five required protocols:
- ARP: who asked, what IP, who replied, what MAC
- DHCP: the DORA exchange summary (or substitute from catalog)
- DNS: at least 3 queries -- name, type, response value, TTL
- TCP: the three-way handshake SEQ/ACK arithmetic; what happened at teardown
- TLS: the ClientHello SNI value; the negotiated TLS version and cipher suite
For each: use display filters and the packet detail pane in pcap-tools or Wireshark. Write in plain English; do not paste raw bytes or Wireshark field dump -- summarize in prose.
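Added worked example, not part of the course materials or the pcap-tools catalog: a stdlib-only Python reader for classic pcap files that pulls the TCP flags, SEQ and ACK fields out of each record and checks the handshake arithmetic Section 3 asks for (SYN-ACK acknowledges client ISN + 1, the final ACK acknowledges server ISN + 1, modulo 2^32). The build_frame/build_pcap helpers, check_handshake and the sample addresses are my own constructions; check_handshake returns None for anything that is not a clean three-way handshake, which is also what a SYN nobody answered looks like.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10   # TCP flag bits (low 6 bits of the flags byte: URG ACK PSH RST SYN FIN)

def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Constructed Ethernet/IPv4/TCP frame (zero MACs and checksums), enough for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp                   # EtherType 0x0800 = IPv4

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, flags, seq, ack) for every TCP-over-IPv4 record."""
    off = 24                                                       # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                               # not IPv4, or not TCP
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + (frame[14] & 0x0F) * 4                      # Ethernet + IHL*4
        sport, dport, seq, ack, _, flags = struct.unpack_from("!HHIIBB", frame, tcp_off)
        yield src, sport, dst, dport, flags & 0x3F, seq, ack

def check_handshake(pcap):
    """(client_isn, server_isn) if the first three segments are SYN, SYN-ACK, ACK on one flow
    with each ack number one past the peer's ISN (mod 2^32); otherwise None."""
    segs = list(tcp_segments(pcap))[:3]
    if len(segs) != 3:
        return None                                                # e.g. a SYN nobody answered
    (c, cp, s, sp, f1, x, _), (s2, sp2, c2, cp2, f2, y, a2), (c3, cp3, s3, sp3, f3, q3, a3) = segs
    one_flow = (s2, sp2, c2, cp2) == (s, sp, c, cp) == (s3, sp3, c3, cp3)
    flags_ok = f1 == SYN and f2 == SYN | ACK and f3 == ACK
    nums_ok = a2 == q3 == (x + 1) % 2**32 and a3 == (y + 1) % 2**32
    return (x, y) if one_flow and flags_ok and nums_ok else None

# Constructed sample capture: client 192.0.2.10 opening a session to 198.51.100.5:443
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", "198.51.100.5", 51000, 443, 1000, 0, SYN),
    build_frame("198.51.100.5", "192.0.2.10", 443, 51000, 5000, 1001, SYN | ACK),
    build_frame("192.0.2.10", "198.51.100.5", 51000, 443, 1001, 5001, ACK)])
```

To run it against your own lab-capture.pcap, pass `open("lab-capture.pcap", "rb").read()` to tcp_segments and check the first three segments of the flow you are tracing; pcapng files use a different container and are not handled here.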
4. What was anomalous (100-150 words)
Identify at least one thing in your capture that does not match your expectation of "completely normal" traffic. This could be:
- An ARP rate higher than expected
- A DNS query to an unexpected resolver
- A TCP connection that never completed (SYN with no SYN-ACK)
- A TLS session to an unexpected hostname
- Any protocol you did not expect to see
Describe: what you observed (including the display filter you used to isolate it), why it looks anomalous, and what you would investigate next if this were a real security event.
5. What I could not decode (75-150 words)
What traffic in your capture remains opaque to you? Examples: encrypted TLS application data (expected -- you cannot read it without the session key), an unfamiliar protocol you do not recognize, traffic you ran out of time to investigate. What would you need to learn to decode it? What course or resource would help?
Success criteria
Your capstone is graded on:
| Criterion | Points | Notes |
|---|---|---|
| Capture present and contains all 5 required protocol types | 20 | Substitutions from catalog noted explicitly count; missing protocols without noting the substitution do not |
| Section 3 conversations: all 5 traced with correct technical detail | 30 | SEQ/ACK arithmetic, field values, display filters applied correctly |
| Section 4 anomaly: identified and explained with specifics | 20 | Vague ("I noticed some unusual traffic") does not earn full marks; specific filter + what the filter showed does |
| Sections 1, 2, 5: complete and accurate | 20 | Present; word-count targets met; factually correct |
| Git repository hygiene | 10 | At least 3 commits; all files present; meaningful commit messages |
| Total | 100 | |
What the capstone does NOT require
- No live exploitation or attack traffic
- No decoding of TLS application data (the session content)
- No decoding of the entire capture file (trace the required conversations only)
- No custom tool development (pcap-tools, Wireshark, tcpdump are sufficient)
- No minimum capture complexity; a clean home-network snapshot with all 5 protocols is enough
Submission
Push your repository to GitHub or GitLab and email the URL to interested@virtuscyberacademy.org with subject NET-101 capstone, {your-name}. The course team replies within 7 days with the grade and brief feedback.
Capture ethics reminder
All captures in this capstone must come from a network you own or have explicit permission to capture. Do not submit captures of public Wi-Fi, university networks, workplace networks, or any network where you do not have the right to intercept traffic. Unauthorized interception of network traffic violates computer fraud and wiretapping laws in most jurisdictions.
Capstone specification v0.1.