TryHackMe: Wireshark 101 Room Writeup
Learn the basics of Wireshark and how to analyze various protocols and PCAPs
Task 7
What is the Opcode for Packet 6?
request(1)
What is the source MAC Address of Packet 19?
80:fb:06:f0:45:d7
What 4 packets are Reply packets?
Use this display filter, which matches only ARP replies (opcode 2):
arp.opcode == 2
The four matching frames are:
76, 400, 459, 520
What IP Address is at 80:fb:06:f0:45:d7?
Below you can see the MAC address is paired with IP 10.251.23.1:
10.251.23.1
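The Task 7 questions all come down to reading the Ethernet and ARP headers and applying the same logic as the `arp.opcode == 2` display filter. Added example, not part of the original writeup: a minimal Ethernet II + ARP parser over a constructed set of frames; the host MAC/IP and frame layout are assumptions, only the gateway MAC/IP are the values from the room.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}  # same labels Wireshark shows

@dataclass
class ArpFrame:
    number: int        # frame number, as in the Wireshark packet list
    src_mac: str       # Ethernet source address
    opcode: int
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address
    target_ip: str

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp(number, frame):
    """Parse one Ethernet II frame; return ArpFrame or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42: return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP: return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4): return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(number, mac_str(src), opcode, mac_str(sha), ip_str(spa), ip_str(tpa))

def build_arp(src_mac, dst_mac, opcode, spa, tpa, tha="00:00:00:00:00:00"):
    """Construct a 42-byte Ethernet+ARP frame (used only to build sample input)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = struct.pack("!6s6sH", mac(dst_mac), mac(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, mac(src_mac), ip(spa), mac(tha), ip(tpa))
    return eth + arp

BCAST = "ff:ff:ff:ff:ff:ff"
GW_MAC, GW_IP = "80:fb:06:f0:45:d7", "10.251.23.1"        # values from the room's PCAP
HOST_MAC, HOST_IP = "02:00:00:00:00:aa", "10.251.23.57"   # constructed sample host
SAMPLE = [                                                 # constructed capture, frames 1..5
    build_arp(HOST_MAC, BCAST, 1, HOST_IP, GW_IP),                 # 1: who has the gateway?
    build_arp(GW_MAC, HOST_MAC, 2, GW_IP, HOST_IP, tha=HOST_MAC),  # 2: gateway replies
    build_arp(HOST_MAC, BCAST, 1, HOST_IP, "10.251.23.99"),        # 3: unanswered request
    build_arp(GW_MAC, BCAST, 1, GW_IP, HOST_IP),                   # 4: gateway asks for host
    build_arp(HOST_MAC, GW_MAC, 2, HOST_IP, GW_IP, tha=GW_MAC),    # 5: host replies
]

def parse_capture(raw_frames):
    return [f for f in (parse_arp(i, b) for i, b in enumerate(raw_frames, 1)) if f]

def reply_frame_numbers(frames):
    """Equivalent of the display filter arp.opcode == 2."""
    return [f.number for f in frames if f.opcode == 2]

def mac_to_ip(frames):
    """MAC -> IP table built from ARP replies, i.e. the 'what IP is at this MAC' answer."""
    return {f.sender_mac: f.sender_ip for f in frames if f.opcode == 2}
```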
Task 8
What is the type for packet 4?
8
What is the type for packet 5?
0
What is the timestamp for packet 12, only including month day and year?
Note: Wireshark displays times in your device's time zone, so if your answer is marked wrong, try one day earlier or later.
In the above picture you can see that the timestamp is May 31, 2013, but it’s based on my timezone, which is in China. So the answer may be shifted one day back or forth.
May 30, 2013
What is the full data string for packet 18?
Unfold the data panel and copy the value:
08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
Task 10
What is being queried in packet 1?
Copy and paste the query value:
8.8.8.8.in-addr.arpa
What site is being queried in packet 26?
www.wireshark.org
What is the Transaction ID for packet 26?
The Transaction ID is an identifier chosen by the client when it sends a query; the server echoes the same ID in its response so the client can match answers to questions.
0x2c58
Task 11
What percent of packets originate from Domain Name System?
Go to Statistics > Protocol Hierarchy:
4.7
What endpoint ends in .237?
Go to Statistics > Endpoints:
145.254.160.237
What is the user-agent listed in packet 4?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
Looking at the data stream what is the full request URI from packet 18?
http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633
What domain name was requested from packet 38?
www.ethereal.com
Looking at the data stream what is the full request URI from packet 38?
Refer to the above image for the URI.
http://www.ethereal.com/download.html
Task 12
Before answering the questions, we need to set up the RSA private key so Wireshark can decrypt the HTTPS data.
Go to Edit > Preferences > Protocols > TLS > RSA keys list, fill in the blanks as below:
Looking at the data stream what is the full request URI for packet 31?
https://localhost/icons/apache_pb.png
Looking at the data stream what is the full request URI for packet 50?
https://localhost/icons/back.gif
What is the User-Agent listed in packet 50?
Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2