Course: NET-101, Week 11
Time: ~45 minutes (paired with lab-11-2 for one 90-minute session)
Tools: Academy pcap-tools workbench at /pcap-tools/
Captures: Any from the catalog; suggestions given per exercise
Overview
This lab requires you to write display filters that answer specific analytical questions. For each exercise: write the filter, apply it to the indicated capture, and record the packet count. A correct filter is one that (a) is syntactically valid, (b) matches exactly the packets it should, and (c) excludes exactly the packets it should not.
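Criteria (b) and (c) are the ones students most often get wrong, so here is an added example (not part of the NET-101 lab sheet) showing how to reason about them with a small, offline check. It uses constructed, hand-labelled packets and plain Python predicates that mirror the logic of a display filter; Wireshark's own engine in the pcap-tools workbench is still what you apply for the graded counts. The two candidates compared are a too-broad `icmp` filter and the precise "type 3 or type 11" logic that Filter 9 below describes, so that a zero-packet result on an echo-only capture can be seen as correct rather than as a broken filter.

```python
# Added example (not part of the NET-101 lab sheet): a small harness that checks a
# candidate filter against the Overview's criteria (b) and (c) using constructed,
# hand-labelled packets. The Python predicates only mirror display-filter logic so
# the include/exclude check can be reasoned about without a capture file.

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Packet:
    """Minimal stand-in for a decoded frame: a few protocol fields plus the
    analyst's ground-truth label of whether the filter *should* match it."""
    fields: Dict[str, int]
    should_match: bool


Filter = Callable[[Packet], bool]


def check_filter(flt: Filter, packets: List[Packet]) -> Dict[str, int]:
    """Apply the predicate and compare the result with the labels.
    false_positives = matched packets that should have been excluded (criterion c)
    false_negatives = excluded packets that should have been matched (criterion b)"""
    matched = [p for p in packets if flt(p)]
    fp = sum(1 for p in matched if not p.should_match)
    fn = sum(1 for p in packets if p.should_match and not flt(p))
    return {"count": len(matched), "false_positives": fp, "false_negatives": fn}


# Constructed sample resembling an echo-only ping capture: four echo requests
# (type 8), four echo replies (type 0), no ICMP error messages at all.
PING_ONLY: List[Packet] = (
    [Packet({"icmp.type": 8, "icmp.code": 0}, should_match=False) for _ in range(4)]
    + [Packet({"icmp.type": 0, "icmp.code": 0}, should_match=False) for _ in range(4)]
)

# Constructed sample with a traceroute-like mix: echo requests plus two
# Time Exceeded (type 11), one Destination Unreachable (type 3), one TCP frame.
MIXED: List[Packet] = (
    [Packet({"icmp.type": 8, "icmp.code": 0}, should_match=False) for _ in range(3)]
    + [Packet({"icmp.type": 11, "icmp.code": 0}, should_match=True) for _ in range(2)]
    + [Packet({"icmp.type": 3, "icmp.code": 3}, should_match=True)]
    + [Packet({"tcp.dstport": 80}, should_match=False)]
)


def any_icmp(p: Packet) -> bool:
    """Too-broad candidate: the equivalent of the display filter `icmp`."""
    return "icmp.type" in p.fields


def icmp_errors_only(p: Packet) -> bool:
    """Precise candidate: the equivalent of `icmp.type == 3 || icmp.type == 11`."""
    return p.fields.get("icmp.type") in (3, 11)


def evaluate_candidates() -> Dict[str, Dict[str, int]]:
    """Run both candidates over both samples so the difference is visible."""
    return {
        "any_icmp/ping_only": check_filter(any_icmp, PING_ONLY),
        "errors_only/ping_only": check_filter(icmp_errors_only, PING_ONLY),
        "any_icmp/mixed": check_filter(any_icmp, MIXED),
        "errors_only/mixed": check_filter(icmp_errors_only, MIXED),
    }


if __name__ == "__main__":
    for name, result in evaluate_candidates().items():
        print(f"{name:24s} {result}")
```

On the echo-only sample the precise predicate returns a count of 0 with no false positives or negatives, which is the same "expected: 0" situation Filter 9 describes; the broad `icmp` predicate matches all eight frames and every one of them is a false positive. Labelling a handful of frames by hand before applying a filter is the same discipline you should use in the workbench: decide what the filter must and must not match, then confirm the count against that expectation.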
Part 1: Basic protocol and field filters (~20 minutes)
Load tall-100-frames.pcap for exercises 1-5 unless instructed otherwise.
Filter 1 -- New TCP connection attempts:
Write a filter that shows only TCP SYN packets where ACK is NOT set (i.e., the first packet of a new connection, not part of a handshake response).
- Filter: ___________________________________
- Packet count: ___
Filter 2 -- DNS queries for a specific domain:
Write a filter that shows only DNS queries (not responses) for names containing the string "example."
- Filter: ___________________________________
- Packet count: ___
Filter 3 -- All traffic to or from a specific port:
Write a filter that shows all packets where either the source or destination port is 53 (DNS).
- Filter: ___________________________________
- Packet count: ___
Filter 4 -- HTTP error responses:
Load http-get.pcap. Write a filter that shows only HTTP responses with status codes in the 4xx or 5xx range.
- Filter: ___________________________________
- Packet count: ___
Filter 5 -- TLS ClientHellos:
Load tls-handshake.pcapng. Write a filter that shows only TLS ClientHello handshake messages.
- Filter: ___________________________________
- Packet count: ___
Part 2: Compound filters (~20 minutes)
Filter 6 -- TCP traffic NOT on common ports:
Write a filter that shows TCP traffic where neither the source port nor the destination port is 80, 443, or 22.
- Filter: ___________________________________
- Test on tall-100-frames.pcap. Packet count: ___
Filter 7 -- ARP requests only (not replies):
Load arp-storm.pcap. Write a filter that shows only ARP requests sent from a specific source MAC address (choose the MAC responsible for most of the storm traffic).
- Filter: ___________________________________
- Packet count: ___
Filter 8 -- Retransmissions combined with their source:
Write a filter that shows retransmitted TCP segments from a specific source IP (you may use 192.0.2.10 as the source IP if working with the fundamentals captures, or adjust to an IP you see in tall-100-frames.pcap).
- Filter: ___________________________________
- Packet count: ___
Filter 9 -- ICMP errors only:
Write a filter that shows only ICMP packets where the type is 3 (Destination Unreachable) OR type 11 (Time Exceeded). These are the error messages -- not echo requests or replies.
- Filter: ___________________________________
- Test on fundamentals-icmp-ping.pcap. Packet count: ___ (expected: 0, since the fundamentals capture has only echo request/reply)
Filter 10 -- Large packets:
Write a filter that shows all packets with a total IP length greater than 500 bytes. This is a useful filter for finding packets that carry real payload (rather than control traffic).
- Filter: ___________________________________
- Test on fundamentals-http-get.pcap. Packet count: ___
Part 3: Reflection on filter design (~10 minutes)
- Question 11 -- Filter 6 excludes common ports. What is the risk of applying this filter in a real investigation? (Hint: attackers do not always use common ports.)
- Question 12 -- Filter 7 finds ARP requests from one MAC. What if you did not know which MAC was the offender -- how would you start? What filter or Wireshark feature would help?
- Question 13 -- You wrote 10 display filters in this lab. Which one do you think would be most useful in a real NSM investigation? Why?
Artifact
Create lab-11-1.md in your net-101/ Git repo with:
- All 10 filters (exact text) with their packet counts
- Answers to questions 11-13
Commit with a meaningful commit message.