Security Blue Team: Introduction to Network Analysis TCPDump Activity Using Wireshark


Security Blue Team activities designed for the introductory TCPDump module can also be completed using Wireshark. This provides an alternative if the TCPDump installation did not work on your machine, or simply an additional practice option, since you get to explore new display filter expressions and examine the packets.
PCAP 4
How many UDP packets have been captured?
Apply the following display filter: udp
The answer can be found in the bottom-right corner of the Wireshark window as the number of displayed packets.
Answer: 3290
How many TCP packets have both the SYN and ACK flags set?
Apply the following display filter: tcp.flags.ack==1 && tcp.flags.syn==1
The answer can be found in the bottom-right corner of the Wireshark window as the number of displayed packets.
Answer: 20
Which version of Chrome was used to connect to securityblue.team?
Using the "Find a packet" function, search for the string chrome in the packet bytes. Examine the values under the "Hypertext Transfer Protocol" field of the packets you found. The Chrome version is listed in the User-Agent header.
Answer: 80.0.3987.87
How many packets have a TTL value of 38?
Apply the following display filter: ip.ttl == 38
The answer can be found in the bottom-right corner of the Wireshark window as the number of displayed packets.
Answer: 710
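The three counting filters above (udp, tcp.flags.syn==1 && tcp.flags.ack==1, and ip.ttl == 38) are simple enough to reproduce without Wireshark. The following is an added example, not part of the original post: a minimal stdlib-only pcap reader that applies the same three conditions to a constructed capture. The sample frames, addresses and ports are made up for the demonstration; point it at a real .pcap file by passing its bytes to count_filters.

```python
import struct

# Constructed sample frames: Ethernet + IPv4 + TCP/UDP with zeroed checksums
# (the parser never validates them, so this is fine for counting).
def ipv4_header(proto, ttl, total_len):
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                       bytes([192, 168, 56, 1]), bytes([192, 168, 56, 111]))

def tcp_frame(ttl, flags):
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 50159, 3016, 1, 1, 5 << 4, flags, 29056, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ipv4_header(6, ttl, 20 + len(tcp)) + tcp

def udp_frame(ttl):
    udp = struct.pack("!HHHH", 53, 53, 8, 0)  # sport, dport, length, checksum
    return b"\x00" * 12 + b"\x08\x00" + ipv4_header(17, ttl, 20 + len(udp)) + udp

def build_pcap(frames):
    # Global header: magic, version 2.4, tz offset, sigfigs, snaplen, LINKTYPE_ETHERNET
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_frames(pcap):
    off = 24  # skip the 24-byte global header
    while off < len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def count_filters(pcap):
    """Count frames matching 'udp', 'tcp syn+ack' and 'ip.ttl == 38'."""
    counts = {"udp": 0, "syn_ack": 0, "ttl38": 0}
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":  # EtherType: only IPv4 frames carry ip.ttl
            continue
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        ttl, proto = frame[22], frame[23]
        if ttl == 38:
            counts["ttl38"] += 1
        if proto == 17:
            counts["udp"] += 1
        elif proto == 6 and frame[14 + ihl + 13] & 0x12 == 0x12:  # SYN=0x02, ACK=0x10
            counts["syn_ack"] += 1
    return counts

SAMPLE = build_pcap([udp_frame(64), udp_frame(38), tcp_frame(38, 0x02),
                     tcp_frame(64, 0x12), tcp_frame(38, 0x12), tcp_frame(128, 0x10)])
```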
PCAP 5
What is the name of the PNG file on the webserver at 192.168.56.111?
Using the "Find a packet" function, search for the string png in the packet bytes. In the packet details, scroll down and expand the “Line-based text data” field. You will find the name of the PNG file on the 7th line.
Answer: proprietary.png
Which version of OpenSSH is running on the server?
Apply the following display filter: ssh
Examine the SSH packet info sent by the server before the key exchange initiation.
Answer: 7.9p1
On which port is the .zip file being served?
Using the "Find a packet" function, search for the string zip in the packet bytes. This first brings us to the HTTP packet we used to answer the first question, so click “Find” again to go to the next match. Not much at first glance, but the TCP segment data is highlighted - right-click it and choose the “Show packet bytes…” option.
The ZIP file is indeed there. To find the port on which the file is served, examine the info of the packet:
3016 → 50159 [PSH, ACK] Seq=1 Ack=1 Win=29056 Len=206 TSval=71010977 TSecr=649163791
When we say a file is "being served", we mean:
A server (like a web server) is making the file available for download over a network, typically in response to a client request (e.g., a web browser downloading a file).
This packet contains the bytes of the ZIP file, which means the file is being transported inside this packet. To answer the question we need to look at the source port of the packet, since this is the port from which the server is providing the file.
Answer: 3016
When was a packet with a TCP checksum value of 53203 captured? (Format: xx:xx:xx.xxxxxx)
Apply the following display filter: tcp.checksum == 53203
The answer can be found in the “Time” column.
On the platform, your answer might be marked incorrect if you are not completing this exercise in the UTC-5 timezone. Wireshark shows packet times based on your local system time by default - in my case, this is UTC+2, which shows the packet at 13:04:46. When I switch Wireshark to display times in UTC, the same packet appears at 11:04:46. You can verify your understanding by comparing the minutes and seconds, and this should be sufficient for your peace of mind. :)
If your “Time” column shows only the seconds value (40.897827, for example), you can change that under View > Time Display Format.
Answer: 06:04:46.207925 (expected by the platform, your hour field might differ)