Course: NET-101, Week 9
Time: ~45 minutes (paired with lab-9-1 for one 90-minute session)
Tools: Academy pcap-tools workbench at /pcap-tools/; browser
Overview
The academy pcap-tools workbench at https://virtuscyberacademy.org/pcap-tools/ runs a tshark WebAssembly engine in the browser. It lets you load packet captures from the curated catalog, apply Wireshark display filters, view the protocol decode tree, read raw bytes, and follow conversations -- all without installing Wireshark locally. This lab is a structured tour of every major feature.
Part 1: Catalog and load (~15 minutes)
Open /pcap-tools/ in your browser.
Exercise 1.1 -- Explore the catalog:
- How many captures are available in the catalog? List 5 of them by name.
- Which captures are tagged with the "NET-101" track?
- Load fundamentals-tcp-3way.pcap. What does the packet list look like? How many packets?
Exercise 1.2 -- Packet detail pane:
Click the first packet.
- What protocol layers appear in the packet detail tree?
- Click the "Internet Protocol Version 4" layer. What fields are shown?
- Click a field name (e.g., "Time to Live"). Do the corresponding bytes in the hex dump highlight?
Part 2: Display filter bar (~15 minutes)
With fundamentals-tcp-3way.pcap loaded:
Exercise 2.1:
- Type "tcp.flags.syn == 1" in the display filter bar and press Enter. How many packets remain visible?
- Type "tcp.flags.ack == 1 and tcp.flags.syn == 0" and press Enter. How many packets remain?
- Type "tcp" and press Enter. How many packets match? Is this the same as the total packet count?
Load arp-storm.pcap.
- Type "arp.opcode == 1". How many ARP requests?
- Type "arp.opcode == 2". How many ARP replies?
- Write a combined filter that shows only ARP requests from a specific source MAC (choose the most active source MAC from the packet list). How many packets match?
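To see what these filters are actually testing at the byte level, here is an added Python example (it is not part of the pcap-tools workbench, tshark, or any catalog capture). It writes a small constructed pcap containing a TCP three-way handshake and three ARP frames, decodes the fields that Wireshark names tcp.flags.syn, tcp.flags.ack, arp.opcode, eth.src and ip.ttl, and evaluates a deliberately tiny subset of display-filter syntax (field == value, a bare protocol name, and "and") over the decoded packets. The MAC and IP addresses are constructed, and the filter evaluator is a teaching stand-in for the real one, not tshark's grammar.

```python
import struct

# --- constructed sample traffic (not from any catalog capture) ------------------
MAC_A = bytes.fromhex("020000000001")   # constructed, locally administered addresses
MAC_B = bytes.fromhex("020000000002")
MAC_BCAST = b"\xff" * 6
IP_A = bytes([10, 0, 0, 1])
IP_B = bytes([10, 0, 0, 2])
TCP_SYN, TCP_ACK = 0x02, 0x10           # bit positions of the flags in the TCP header

def eth_frame(dst, src, ethertype, payload):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

def ipv4_tcp(src_ip, dst_ip, sport, dport, flags, ttl=64):
    # 20-byte TCP header with no options: data offset 5 words, flags in the low bits of that word
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    # 20-byte IPv4 header; protocol 6 = TCP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0, src_ip, dst_ip)
    return ip + tcp

def arp_packet(opcode, sha, spa, tha, tpa):
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), opcode 1 = request, 2 = reply
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa)

def build_pcap(frames):
    """Classic libpcap layout: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    # TCP three-way handshake, A -> B
    eth_frame(MAC_B, MAC_A, 0x0800, ipv4_tcp(IP_A, IP_B, 40000, 80, TCP_SYN)),
    eth_frame(MAC_A, MAC_B, 0x0800, ipv4_tcp(IP_B, IP_A, 80, 40000, TCP_SYN | TCP_ACK)),
    eth_frame(MAC_B, MAC_A, 0x0800, ipv4_tcp(IP_A, IP_B, 40000, 80, TCP_ACK)),
    # a miniature "ARP storm": two requests from A, one reply from B
    eth_frame(MAC_BCAST, MAC_A, 0x0806, arp_packet(1, MAC_A, IP_A, b"\0" * 6, IP_B)),
    eth_frame(MAC_BCAST, MAC_A, 0x0806, arp_packet(1, MAC_A, IP_A, b"\0" * 6, IP_B)),
    eth_frame(MAC_A, MAC_B, 0x0806, arp_packet(2, MAC_B, IP_B, MAC_A, IP_A)),
])

# --- decoder: name the fields the way the Wireshark detail tree does -------------
def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def decode(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields = {"eth": True, "eth.src": mac_str(src), "eth.dst": mac_str(dst)}
    body = frame[14:]
    if ethertype == 0x0800:                       # IPv4
        ihl = (body[0] & 0x0F) * 4
        fields["ip"] = True
        fields["ip.ttl"] = body[8]                # byte 8 of the IP header = byte 22 of the frame
        fields["ip.proto"] = body[9]
        if body[9] == 6:                          # TCP
            sport, dport, _, _, off_flags = struct.unpack("!HHIIH", body[ihl:ihl + 14])
            fields.update({"tcp": True, "tcp.srcport": sport, "tcp.dstport": dport,
                           "tcp.flags.syn": (off_flags >> 1) & 1,
                           "tcp.flags.ack": (off_flags >> 4) & 1})
    elif ethertype == 0x0806:                     # ARP
        fields["arp"] = True
        fields["arp.opcode"] = struct.unpack("!H", body[6:8])[0]
    return fields

def read_pcap(data):
    packets, pos = [], 24
    while pos < len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[pos:pos + 16])
        packets.append(decode(data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return packets

# --- a toy display-filter evaluator: `field == value`, bare `proto`, joined by `and` ---
def matches(fields, expr):
    for term in expr.split(" and "):
        if "==" in term:
            name, value = (s.strip() for s in term.split("==", 1))
            actual = fields.get(name)
            if actual is None or str(actual) != value:
                return False
        elif not fields.get(term.strip()):        # bare protocol name: "is this layer present?"
            return False
    return True

def count_matching(pcap_bytes, expr):
    """Number of packets the filter keeps, i.e. what the packet list shows after Enter."""
    return sum(matches(p, expr) for p in read_pcap(pcap_bytes))

if __name__ == "__main__":
    for f in ["tcp.flags.syn == 1", "tcp.flags.ack == 1 and tcp.flags.syn == 0", "tcp",
              "arp.opcode == 1", "arp.opcode == 2", "arp.opcode == 1 and eth.src == 02:00:00:00:00:01"]:
        print(f"{f!r}: {count_matching(SAMPLE_PCAP, f)} packets")
```

Note that "tcp.flags.syn == 1" keeps both the SYN and the SYN/ACK, which is why the lab's second filter adds "tcp.flags.syn == 0" to isolate the pure ACK. The ip.ttl line shows why clicking "Time to Live" highlights exactly one byte in the hex dump: it is a fixed single-byte offset in the IP header. Written to disk, SAMPLE_PCAP is an ordinary pcap you could load into the workbench to check that the real filters give the same counts.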
Part 3: Follow Stream and Statistics (~10 minutes)
Load fundamentals-http-get.pcap.
Exercise 3.1 -- Follow TCP Stream:
Right-click the HTTP GET packet. Select "Follow > TCP Stream" (or the equivalent in pcap-tools).
- Can you read the HTTP request in the stream view?
- Can you read the HTTP 200 OK response body?
- What color distinguishes client-to-server from server-to-client traffic?
Exercise 3.2 -- Protocol statistics:
Open Statistics > Protocol Hierarchy (if available in the workbench).
- What percentage of the capture is TCP?
- What percentage is HTTP?
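What "Follow TCP Stream" and "Protocol Hierarchy" compute can be shown in a few lines. The following Python is an added example, not code from the pcap-tools workbench, and it works on a constructed list of packet records rather than on fundamentals-http-get.pcap: an HTTP GET conversation whose segments are listed out of order, with one segment retransmitted, plus one ARP frame. Follow Stream groups both directions of one conversation under a single key, orders each direction by sequence number and drops the duplicate; the two directions it returns are what the stream view separates by colour. Protocol Hierarchy is the share of frames (and bytes) in which each layer appears.

```python
from collections import defaultdict

# Constructed sample records, not from any catalog capture.
# Each record: (layers, frame_len, src_ip, src_port, dst_ip, dst_port, relative_seq, payload)
SAMPLE_RECORDS = [
    (("eth", "arp"), 42, None, None, None, None, None, b""),
    (("eth", "ip", "tcp"), 74, "10.0.0.1", 40000, "10.0.0.2", 80, 0, b""),                 # SYN
    (("eth", "ip", "tcp"), 74, "10.0.0.2", 80, "10.0.0.1", 40000, 0, b""),                 # SYN/ACK
    (("eth", "ip", "tcp"), 66, "10.0.0.1", 40000, "10.0.0.2", 80, 1, b""),                 # ACK
    (("eth", "ip", "tcp", "http"), 74, "10.0.0.1", 40000, "10.0.0.2", 80, 17, b"Host: example.test\r\n"),
    (("eth", "ip", "tcp", "http"), 70, "10.0.0.1", 40000, "10.0.0.2", 80, 1, b"GET / HTTP/1.1\r\n"),
    (("eth", "ip", "tcp", "http"), 70, "10.0.0.1", 40000, "10.0.0.2", 80, 1, b"GET / HTTP/1.1\r\n"),  # retransmission
    (("eth", "ip", "tcp", "http"), 56, "10.0.0.1", 40000, "10.0.0.2", 80, 37, b"\r\n"),
    (("eth", "ip", "tcp", "http"), 71, "10.0.0.2", 80, "10.0.0.1", 40000, 1, b"HTTP/1.1 200 OK\r\n"),
    (("eth", "ip", "tcp", "http"), 59, "10.0.0.2", 80, "10.0.0.1", 40000, 39, b"hello"),
    (("eth", "ip", "tcp", "http"), 75, "10.0.0.2", 80, "10.0.0.1", 40000, 18, b"Content-Length: 5\r\n\r\n"),
]

def stream_key(src, sport, dst, dport):
    # Order-independent key, so A->B and B->A segments land in the same conversation.
    return tuple(sorted([(src, sport), (dst, dport)]))

def follow_tcp_stream(records, src, sport, dst, dport):
    """Return (client_bytes, server_bytes) for one conversation.
    'client' is whichever endpoint is passed as src; each direction is ordered by
    sequence number and a retransmitted segment (same seq) is kept only once."""
    key = stream_key(src, sport, dst, dport)
    by_direction = {"client": {}, "server": {}}
    for layers, _, s, sp, d, dp, seq, payload in records:
        if "tcp" not in layers or not payload or stream_key(s, sp, d, dp) != key:
            continue
        direction = "client" if (s, sp) == (src, sport) else "server"
        by_direction[direction].setdefault(seq, payload)   # first copy wins
    client = b"".join(p for _, p in sorted(by_direction["client"].items()))
    server = b"".join(p for _, p in sorted(by_direction["server"].items()))
    return client, server

def protocol_hierarchy(records):
    """{layer: (percent of frames, percent of bytes)}, the two columns Protocol Hierarchy shows."""
    total_frames = len(records)
    total_bytes = sum(r[1] for r in records)
    frames, nbytes = defaultdict(int), defaultdict(int)
    for layers, frame_len, *_ in records:
        for layer in layers:
            frames[layer] += 1
            nbytes[layer] += frame_len
    return {layer: (round(100 * frames[layer] / total_frames, 1),
                    round(100 * nbytes[layer] / total_bytes, 1)) for layer in frames}

if __name__ == "__main__":
    client, server = follow_tcp_stream(SAMPLE_RECORDS, "10.0.0.1", 40000, "10.0.0.2", 80)
    print("client -> server:\n" + client.decode())
    print("server -> client:\n" + server.decode())
    for layer, (pf, pb) in protocol_hierarchy(SAMPLE_RECORDS).items():
        print(f"{layer:5s} {pf:5.1f}% of frames  {pb:5.1f}% of bytes")
```

Because the hierarchy counts a frame once per layer it carries, the percentages are nested rather than additive: every TCP frame is also an IP frame, and here every frame is Ethernet, so "eth" is always 100%. That is why the lab's two questions (percentage TCP, percentage HTTP) do not sum to anything meaningful.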
Part 4: Recipe and AI tutor introduction (~10 minutes)
The pcap-tools workbench includes a "Recipes" feature: pre-built analysis workflows for common protocols, and an AI Tutor for guided learning.
- Navigate to the Recipes section. What is the first recipe listed? What protocol does it analyze?
- Apply the DNS recipe to fundamentals-dns-query.pcap. What does the recipe tell you about the capture?
- Open the AI Tutor (non-lab mode). Ask it: "What display filter should I use to find retransmitted TCP segments?" Record the filter it suggests. (You will verify it in week 11.)
Artifact
Create lab-9-2.md in your net-101/ Git repo with:
- Answers to all questions
- Screenshots are optional; written answers are sufficient
Commit with a meaningful commit message (can be combined with the lab-9-1 commit).