Lab 12-1: Capstone Lab

Course: NET-101, Week 12
Time: ~7 hours total across days 2-5 of the week
Tools: tcpdump or Wireshark for capture; pcap-tools or Wireshark for analysis; Git for submission
Output: Network Snapshot report submitted as a Git repository


Overview

This lab IS the NET-101 capstone. See CAPSTONE.md in this course directory for the full specification, grading rubric, and submission instructions.

This file is a structured checklist for the week. Use it alongside CAPSTONE.md to stay on pace.


Day 1: Capture and first look (~1-2 hours)

Step 1 -- Set up your capture:

You need a network you are authorized to capture traffic on. Options:

  • Your home network (you own it; you are authorized)
  • The class-provided virtual lab network (your instructor will distribute credentials)
  • A dedicated test network you set up (two laptops connected directly, or a VM with a NAT interface)

Step 2 -- Capture traffic:

# List your interfaces first; the name differs (eth0 or enp3s0 on Linux, en0 on macOS):
sudo tcpdump -D

# On Linux/macOS with tcpdump (replace eth0 with the interface from the list above):
sudo tcpdump -i eth0 -w lab-capture.pcap

# On Windows:
# Use the Wireshark GUI: Capture > Start on your main interface, then File > Save As lab-capture.pcap
# (tcpdump inside WSL2 sees only the WSL virtual interface, not your Wi-Fi/Ethernet traffic)

# Run for 5-15 minutes while doing normal browsing/activity
# Then Ctrl+C to stop tcpdump

If you want to limit file size to just the required protocols, add a capture filter (below). Anything the filter does not match is discarded for good, so an anomaly on some other port (Step 9) can never show up in that capture; if size is the only concern, capping the packet count with -c (for example -c 20000) and no filter keeps everything:

sudo tcpdump -i eth0 -w lab-capture.pcap 'port 53 or port 80 or port 443 or arp or port 67 or port 68'

Step 3 -- First look:

Load your capture in pcap-tools or Wireshark.

  • What protocols appear in Statistics > Protocol Hierarchy?
  • How many packets are in the capture?
  • What is the time range of the capture?
  • Can you see ARP packets? DHCP packets? DNS queries? TCP connections? TLS sessions?

Write 3-4 sentences in your report's introduction section describing what the capture contains.


Day 2: ARP and DHCP annotation (~1-2 hours)

Step 4 -- Trace ARP:

Apply arp in pcap-tools.

  • Find at least one ARP request-reply pair
  • Record: who asked, what IP they asked for, who replied, what MAC they provided
  • Note: is there any anomalous ARP traffic? (unusual rate, unusual sender?)

Write a paragraph in your report for ARP.
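To make Steps 3 and 4 concrete, here is an added example (not part of the course handout and not pcap-tools code) that reads a classic libpcap file with only the Python standard library, reports packet count, time range and a protocol hierarchy keyed by EtherType, IP protocol and well-known port, and matches ARP requests to the replies that answered them. The capture at the bottom is constructed inline (made-up MACs and addresses, zero checksums) so the script runs offline; for your own capture, pass the bytes of lab-capture.pcap to the same functions.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_ARP = 0x0800, 0x0806

def read_pcap(data: bytes):
    """Yield (timestamp, frame) from a classic libpcap file; the magic gives byte order.
    pcapng is not handled (convert with `editcap -F pcap`)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:      # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def classify(frame: bytes) -> str:
    """Wireshark-style hierarchy path; application protocols are guessed from ports only."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return "eth/arp"
    if ethertype != ETH_IPV4:
        return f"eth/0x{ethertype:04x}"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17):
        return f"eth/ip/proto{proto}"
    ports = set(struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4]))
    if proto == 17:
        return "eth/ip/udp/dns" if 53 in ports else "eth/ip/udp/dhcp" if ports & {67, 68} else "eth/ip/udp"
    return "eth/ip/tcp/tls" if 443 in ports else "eth/ip/tcp/http" if 80 in ports else "eth/ip/tcp"

def first_look(data: bytes) -> dict:
    """Step 3: packet count, capture duration, protocol hierarchy counts."""
    packets = list(read_pcap(data))
    times = [t for t, _ in packets]
    return {"packets": len(packets),
            "duration_s": round(max(times) - min(times), 6) if times else 0.0,
            "hierarchy": dict(Counter(classify(f) for _, f in packets))}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def arp_pairs(data: bytes) -> list:
    """Step 4: (asker MAC, asker IP, IP asked for, replier MAC); None = never answered."""
    pending, pairs = {}, []
    for _, frame in read_pcap(data):
        if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
            continue
        # ARP body: htype, ptype, hlen, plen (skipped), opcode, sha, spa, tha, tpa
        opcode, sha, spa, _tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
        if opcode == 1:                                      # "who has tpa? tell spa"
            pending[ip(tpa)] = (mac(sha), ip(spa))
        elif opcode == 2 and ip(spa) in pending:             # "spa is at sha"
            asker_mac, asker_ip = pending.pop(ip(spa))
            pairs.append((asker_mac, asker_ip, ip(spa), mac(sha)))
    return pairs + [(m, i, t, None) for t, (m, i) in pending.items()]

# --- constructed sample capture (made-up MACs/IPs, zero checksums) -------------
HOST, GW, BCAST = bytes.fromhex("02000000000a"), bytes.fromhex("020000000001"), b"\xff" * 6
HOST_IP, GW_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])

def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def _arp(opcode, sha, spa, tha, tpa):
    return struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, opcode) + sha + spa + tha + tpa

def _udp(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src, dst) + udp

def _pcap(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, Ethernet
    for ts, frame in records:
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out

T0 = 1_700_000_000.0
DNS_Q = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6 + b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_PCAP = _pcap([
    (T0, _eth(BCAST, HOST, ETH_ARP, _arp(1, HOST, HOST_IP, b"\x00" * 6, GW_IP))),
    (T0 + 0.001, _eth(HOST, GW, ETH_ARP, _arp(2, GW, GW_IP, HOST, HOST_IP))),
    (T0 + 0.5, _eth(GW, HOST, ETH_IPV4, _udp(HOST_IP, GW_IP, 40001, 53, DNS_Q))),
    (T0 + 0.52, _eth(HOST, GW, ETH_IPV4, _udp(GW_IP, HOST_IP, 53, 40001, DNS_Q))),
    (T0 + 4.0, _eth(BCAST, HOST, ETH_ARP, _arp(1, HOST, HOST_IP, b"\x00" * 6, bytes([192, 168, 1, 77])))),
])
```

On the sample, first_look reports 5 packets over 4.0 seconds (3 ARP, 2 DNS), and arp_pairs returns one answered pair for 192.168.1.1 plus an unanswered request for 192.168.1.77, which is the kind of row you quote in the ARP paragraph. An unanswered request is normal once; the same host repeating it for many different addresses in a burst is the sweep pattern Step 9 asks you to look for.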

Step 5 -- Trace DHCP:

Apply dhcp in pcap-tools.

  • Find the DORA sequence (DISCOVER, OFFER, REQUEST, ACK), or just REQUEST/ACK: a client renewing an existing lease skips DISCOVER/OFFER, and your capture may also have started after them
  • Record: what IP was assigned (yiaddr in the ACK); what lease time (option 51); what DNS server was advertised (option 6)

Write a paragraph in your report for DHCP.


Day 3: DNS and TCP annotation (~1-2 hours)

Step 6 -- Trace DNS:

Apply dns in pcap-tools.

  • Find at least 3 DNS queries and their responses
  • For each: queried name, record type, returned value, TTL
  • Note: are there any NXDOMAIN responses? Any queries to unexpected resolvers?

Write a section in your report for DNS.
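As an added example (not from the handout), the parser below decodes a DNS message well enough to fill in the Step 6 details: the queried name and type, and for each answer the owner name, record type, value and TTL, following RFC 1035 compression pointers and reporting the rcode (NOERROR, NXDOMAIN). The two messages at the bottom are constructed inline with placeholder names and a documentation-range address; on a real capture, feed it the UDP payload of a DNS packet (the bytes after the 8-byte UDP header).

```python
import struct

RR_TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def read_name(msg: bytes, pos: int):
    """Decode a domain name at pos, following compression pointers (RFC 1035 4.1.4).
    Returns (name, position just after the name as it appears in the message)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[pos]
        if (ln & 0xC0) == 0xC0:                    # 11xxxxxx: 14-bit pointer
            if end is None:
                end = pos + 2                      # caller resumes after the pointer
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels) or ".", end if end is not None else pos

def parse_dns(msg: bytes) -> dict:
    """Return id, response flag, rcode, questions [(name, type)] and
    answers [(name, type, value, ttl)] for one DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "response": bool(flags & 0x8000),
           "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
           "questions": [], "answers": []}
    pos = 12
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        out["questions"].append((name, RR_TYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:
            value, _ = read_name(msg, pos)        # CNAME target may itself be compressed
        elif rtype == 28:
            value = ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
        else:
            value = rdata.hex()
        pos += rdlen
        out["answers"].append((name, RR_TYPES.get(rtype, str(rtype)), value, ttl))
    return out

# --- constructed sample messages (placeholder names, TEST-NET address) ---------
def _name(s: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode() for label in s.split(".")) + b"\x00"

# Response to "www.example.com A": a CNAME to example.com, then the A record.
# Owner names reuse the question via pointers (0xC00C = offset 12 = "www.example.com",
# 0xC010 = offset 16, where the "example.com" labels start inside the question).
RESPONSE = (struct.pack("!HHHHHH", 0xBEEF, 0x8180, 1, 2, 0, 0)
            + _name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 2) + b"\xc0\x10"
            + b"\xc0\x10" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 44]))

# NXDOMAIN (rcode 3) for a name that does not exist: question echoed, no answers.
NXDOMAIN = (struct.pack("!HHHHHH", 0xBEF0, 0x8183, 1, 0, 0, 0)
            + _name("missing.example") + struct.pack("!HH", 1, 1))
```

The CNAME chain is the common case where the value you write down is not an address: the report row for www.example.com is "CNAME example.com, TTL 300", and the address belongs to the second answer. Pair each query with its response by transaction id (the first two bytes), not by order of arrival.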

Step 7 -- Trace a TCP session:

Apply tcp.flags.syn == 1 and tcp.flags.ack == 0 to find new connection starts.

Pick one TCP session (not TLS -- find a plain TCP session if possible, or use the TLS handshake packets before the encrypted application data).

  • Record the three-way handshake: SEQ and ACK numbers at each step (Wireshark shows relative numbers by default, so the SYN appears as seq 0 and the SYN/ACK as ack 1; say whether you recorded raw or relative values)
  • Record what application-layer protocol appears on top of TCP (HTTP, TLS, SSH, etc.)
  • Note: is there a clean teardown (FIN/ACK) or a RST?

Write a section in your report for the TCP session.
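Added example, not from the handout: the function below annotates one TCP session the way Step 7 asks, decoding each segment's flags and reporting SEQ/ACK relative to the two initial sequence numbers (what Wireshark shows by default), whether the three-way handshake completed, and whether the session ended with a FIN/ACK teardown or a RST. The same logic flags the Step 9 case of a SYN answered immediately by a RST. Segments are raw 20-byte TCP headers constructed inline with made-up ports and sequence numbers; payloads are omitted.

```python
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(SYN, "SYN"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH"), (ACK, "ACK")]

def parse_tcp(seg: bytes) -> dict:
    """Decode the fixed part of a TCP header (options and payload ignored)."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    flags = off_flags & 0x1FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": "/".join(name for bit, name in FLAG_NAMES if flags & bit)}

def annotate_session(segments: list) -> dict:
    """Walk one session (first segment = the client's SYN) and return rows of
    (side, flags, relative seq, relative ack) plus handshake/teardown verdicts."""
    parsed = [parse_tcp(s) for s in segments]
    if not parsed or "SYN" not in parsed[0]["flags"]:
        raise ValueError("session must start with the client's SYN")
    client = (parsed[0]["sport"], parsed[0]["dport"])
    isn = {"client": parsed[0]["seq"], "server": None}
    rows, established, reset, fin_from = [], False, False, set()
    for p in parsed:
        side = "client" if (p["sport"], p["dport"]) == client else "server"
        peer = "server" if side == "client" else "client"
        if side == "server" and "SYN" in p["flags"] and isn["server"] is None:
            isn["server"] = p["seq"]                   # server ISN comes from the SYN/ACK
        rel_seq = (p["seq"] - isn[side]) & 0xFFFFFFFF if isn[side] is not None else None
        rel_ack = ((p["ack"] - isn[peer]) & 0xFFFFFFFF
                   if "ACK" in p["flags"] and isn[peer] is not None else None)
        rows.append((side, p["flags"], rel_seq, rel_ack))
        if "RST" in p["flags"]:
            reset = True
            break                                      # nothing meaningful follows a RST
        if (side == "client" and p["flags"] == "ACK" and rel_seq == 1
                and rel_ack == 1 and not established):
            established = True                         # third step of the handshake
        if "FIN" in p["flags"]:
            fin_from.add(side)
    if reset and not established:
        handshake, teardown = "reset before established (SYN, RST)", "none (never established)"
    else:
        handshake = "complete" if established else "incomplete"
        if reset:
            teardown = "aborted (RST)"
        elif fin_from == {"client", "server"}:
            teardown = "clean (FIN/ACK both ways)"
        else:
            teardown = "open or half-closed"
    return {"rows": rows, "handshake": handshake, "teardown": teardown}

# --- constructed sample sessions (made-up ports and sequence numbers) -----------
def tcp_hdr(sport, dport, seq, ack, flags):
    """20-byte TCP header: data offset 5 words, window 65535, checksum/urgent 0."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)

# Plain HTTP exchange: handshake, 40-byte request, 300-byte response, FIN/ACK teardown.
HTTP_SESSION = [
    tcp_hdr(51234, 80, 1_000_000, 0, SYN),
    tcp_hdr(80, 51234, 5_000_000, 1_000_001, SYN | ACK),
    tcp_hdr(51234, 80, 1_000_001, 5_000_001, ACK),
    tcp_hdr(51234, 80, 1_000_001, 5_000_001, PSH | ACK),   # GET request (40 bytes, not shown)
    tcp_hdr(80, 51234, 5_000_001, 1_000_041, PSH | ACK),   # response (300 bytes, not shown)
    tcp_hdr(51234, 80, 1_000_041, 5_000_301, FIN | ACK),
    tcp_hdr(80, 51234, 5_000_301, 1_000_042, FIN | ACK),
    tcp_hdr(51234, 80, 1_000_042, 5_000_302, ACK),
]

# Step 9 pattern: a closed port answers the SYN with RST/ACK; nothing was established.
RESET_SESSION = [
    tcp_hdr(51235, 8080, 777, 0, SYN),
    tcp_hdr(8080, 51235, 0, 778, RST | ACK),
]
```

For the HTTP session the rows read SYN (seq 0), SYN/ACK (seq 0, ack 1), ACK (seq 1, ack 1), then the FIN/ACK pair at seq 41/ack 301 and seq 301/ack 42; that is exactly the relative numbering Wireshark prints, and the raw values are the same numbers plus each side's ISN. A RST carries an ack of ISN+1 even though no connection exists, which is how the reset is tied back to the SYN it answers.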


Day 4: TLS and anomaly identification (~1-2 hours)

Step 8 -- Trace a TLS session:

Apply tls.handshake.type == 1 to find ClientHellos.

Pick one TLS session.

  • Record: SNI value, TLS version negotiated, cipher suite chosen. For TLS 1.3 the record header and the ServerHello version field still read TLS 1.2 (0x0303); the real negotiated version is the one in the ServerHello's supported_versions extension, which Wireshark decodes under Extension: supported_versions
  • What happens after the handshake? In TLS 1.2 you see Change Cipher Spec and Finished in the clear, then Application Data records; in TLS 1.3 everything after the ServerHello is already encrypted and appears as Application Data

Write a section in your report for TLS.
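Added example (not from the handout): a parser for the two handshake messages Step 8 needs, pulling the SNI and offered versions from the ClientHello and the chosen cipher suite and negotiated version from the ServerHello. It is written to show the TLS 1.3 pitfall: the record header and the ServerHello's own version field both say TLS 1.2 (0x0303), and the real negotiated version sits in the supported_versions extension. Messages are constructed inline with zeroed randoms and a placeholder host name; the builders are ours, not from any TLS library.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
          0x1303: "TLS_CHACHA20_POLY1305_SHA256",
          0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0, 43

def _u16(b: bytes, pos: int) -> int:
    return struct.unpack("!H", b[pos:pos + 2])[0]

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello (type 1) or ServerHello (type 2)."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    hs_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    out = {"type": {1: "ClientHello", 2: "ServerHello"}[hs_type],
           "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
           "legacy_version": VERSIONS.get(_u16(body, 0), hex(_u16(body, 0)))}
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # session_id (length-prefixed)
    if hs_type == 1:
        n = _u16(body, pos)
        pos += 2
        out["offered_suites"] = [SUITES.get(_u16(body, i), hex(_u16(body, i)))
                                 for i in range(pos, pos + n, 2)]
        pos += n
        pos += 1 + body[pos]                       # compression methods
    else:
        suite = _u16(body, pos)
        out["cipher_suite"] = SUITES.get(suite, hex(suite))
        out["negotiated_version"] = out["legacy_version"]   # holds for TLS 1.2 and below
        pos += 3                                   # cipher suite + compression method
    ext_end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == EXT_SNI:                       # list len(2), name type(1), name len(2), name
            out["sni"] = edata[5:5 + _u16(edata, 3)].decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS and hs_type == 2:
            out["negotiated_version"] = VERSIONS.get(_u16(edata, 0))   # the single selected version
        elif etype == EXT_SUPPORTED_VERSIONS:
            out["offered_versions"] = [VERSIONS.get(_u16(edata, i)) for i in range(1, 1 + edata[0], 2)]
    return out

# --- constructed sample messages (zero randoms, placeholder name) ---------------
def _record(hs_type: int, body: bytes) -> bytes:
    return (struct.pack("!BHH", 22, 0x0303, 4 + len(body))
            + bytes([hs_type]) + len(body).to_bytes(3, "big") + body)

def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data

def client_hello(sni: str, suites: list, versions: list) -> bytes:
    name = sni.encode("ascii")
    exts = (_ext(EXT_SNI, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
            + _ext(EXT_SUPPORTED_VERSIONS, bytes([2 * len(versions)])
                   + b"".join(struct.pack("!H", v) for v in versions)))
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"        # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    return _record(1, body)

def server_hello(suite: int, selected_version=None) -> bytes:
    """A TLS 1.3 server puts the real version in supported_versions; TLS 1.2 omits it."""
    exts = _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!H", selected_version)) if selected_version else b""
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", suite) + b"\x00" + struct.pack("!H", len(exts)) + exts)
    return _record(2, body)

CLIENT_HELLO = client_hello("www.example.com", [0x1301, 0xC02F], [0x0304, 0x0303])
SERVER_HELLO_13 = server_hello(0x1301, 0x0304)
SERVER_HELLO_12 = server_hello(0xC02F)
```

Both sample ServerHellos report legacy_version TLS 1.2, yet one negotiated TLS 1.3; if your report quotes the version from the record header or the first two bytes of the ServerHello, it will be wrong for every TLS 1.3 session. The cipher suite is also the first place to notice a downgrade: a client that offered 0x13xx suites but got a TLS_ECDHE_* suite back negotiated TLS 1.2.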

Step 9 -- Find an anomaly:

Look for something that does not fit the expected pattern. Examples:

  • A single host sending ARP requests far faster than normal (sweeping many addresses within a second), or an ARP reply that changes the MAC you had already seen for an IP
  • A DNS query to an unexpected resolver IP (not the one advertised in your DHCP ACK, and not a well-known public resolver such as 8.8.8.8 or 1.1.1.1)
  • A TCP connection that was immediately reset (SYN, RST -- never established)
  • A TLS connection where the SNI does not match any domain you browsed to
  • A packet with an unexpected protocol on a well-known port

Write a section in your report describing: what you observed, why it looks anomalous, and what you would investigate next.


Day 5: Write-up, review, and submit (~1 hour)

Step 10 -- Write the report:

Your decoding-report.md must have these 5 sections (see CAPSTONE.md for word-count targets):

  1. What I captured (the network, conditions, tools, duration)
  2. Protocol inventory (protocols present; time range; packet counts)
  3. Key conversations (ARP + DHCP + DNS + TCP + TLS traces you performed)
  4. What was anomalous (the anomaly from Step 9)
  5. What I could not decode (what remains opaque, and what you would need to learn next)

Step 11 -- Check your repository:

  • Is lab-capture.pcap in the repo? (or a note explaining you used a class-provided capture)
  • Is decoding-report.md present and complete?
  • Do you have at least 3 commits? Check with git log --oneline
  • Are the commit messages meaningful?

Step 12 -- Submit:

Push your repository to GitHub or GitLab and email the URL to interested@virtuscyberacademy.org with subject NET-101 capstone, {your-name}.


Notes

  • You do NOT need to decode encrypted TLS application data; only the handshake is required. In TLS 1.2 the whole handshake is visible in the clear; in TLS 1.3 only the ClientHello and ServerHello are, and the rest of the handshake is already encrypted
  • If you cannot capture ARP or DHCP (many cloud lab environments suppress them), note this in your report and substitute from a catalog PCAP fixture
  • Keep your capture file under 50 MB; filter at capture time if needed