Packet Analysis Lab

1

Reading TCP Packets

15 minutes

Objective: Analyze a TCP three-way handshake capture and identify source/destination information.

Captured Packets

No. Time Source Destination Protocol Info 1 0.000000 192.168.1.105 93.184.216.34 TCP 54321 > 443 [SYN] Seq=0 Win=65535 2 0.023451 93.184.216.34 192.168.1.105 TCP 443 > 54321 [SYN, ACK] Seq=0 Ack=1 Win=65535 3 0.023890 192.168.1.105 93.184.216.34 TCP 54321 > 443 [ACK] Seq=1 Ack=1 Win=65535 4 0.024100 192.168.1.105 93.184.216.34 TLSv1.3 Client Hello 5 0.048200 93.184.216.34 192.168.1.105 TLSv1.3 Server Hello, Certificate, Finished 6 0.049000 192.168.1.105 93.184.216.34 TLSv1.3 Finished 7 0.050100 192.168.1.105 93.184.216.34 TLSv1.3 Application Data [443 bytes]

Questions

Q1: What is the client's IP address?

Q2: What destination port is being used? What service runs there?

Q3: Which packets form the TCP three-way handshake? (packet numbers)

Q4: What TLS version is negotiated?

2

DNS Query & Response Analysis

15 minutes

Objective: Examine DNS queries and responses to understand name resolution and detect anomalies.

DNS Traffic Capture

No. Time Source Destination Protocol Info 1 0.000000 192.168.1.105 8.8.8.8 DNS Standard query A www.example.com 2 0.015230 8.8.8.8 192.168.1.105 DNS Standard query response A 93.184.216.34 3 0.100000 192.168.1.105 8.8.8.8 DNS Standard query A mail.example.com 4 0.118400 8.8.8.8 192.168.1.105 DNS Standard query response CNAME mx1.example.com A 93.184.216.50 5 1.200000 192.168.1.42 185.220.101.1 DNS Standard query TXT aGVsbG8gd29ybGQ=.evil-c2.net 6 1.250000 185.220.101.1 192.168.1.42 DNS Standard query response TXT "Y21kPXdob2FtaQ==" 7 2.300000 192.168.1.42 185.220.101.1 DNS Standard query TXT bHMgLWxh.evil-c2.net 8 2.350000 185.220.101.1 192.168.1.42 DNS Standard query response TXT "ZGF0YT0vc2VjcmV0cy50eHQ="

Analyst Tip: DNS TXT records with Base64-encoded subdomains querying unknown domains are a classic indicator of DNS tunneling / C2 communication.

Questions

Q1: What DNS server is being queried by the legitimate traffic?

Q2: What IP address resolved for www.example.com?

Q3: Which host is exhibiting suspicious DNS behavior?

Q4: What type of attack do packets 5-8 suggest? (DNS ____)

3

HTTP Traffic Analysis

20 minutes

Objective: Analyze HTTP requests and responses to spot suspicious activity and identify SQL injection attempts.

HTTP Request/Response Capture

--- Packet 12: HTTP Request --- GET /api/users?id=1 HTTP/1.1 Host: app.example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Accept: application/json Cookie: session=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiam9obiJ9 --- Packet 13: HTTP Response --- HTTP/1.1 200 OK Content-Type: application/json Content-Length: 89 {"id":1,"name":"John Doe","email":"john@example.com","role":"user"} --- Packet 18: HTTP Request (SUSPICIOUS) --- GET /api/users?id=1 OR 1=1-- HTTP/1.1 Host: app.example.com User-Agent: sqlmap/1.7.2 Accept: */* --- Packet 19: HTTP Response --- HTTP/1.1 200 OK Content-Type: application/json Content-Length: 1847 [{"id":1,"name":"John Doe","email":"john@example.com","role":"user"}, {"id":2,"name":"Admin","email":"admin@example.com","role":"admin","password_hash":"$2b$12..."}, {"id":3,"name":"Jane Smith","email":"jane@example.com","role":"user"}, ...]

Questions

Q1: What type of attack is being attempted in packet 18?

Q2: What automated tool is the attacker using? (check User-Agent)

Q3: Was the attack successful? (yes/no)

Q4: What sensitive data was exposed in the response?

4

ARP Traffic & Spoofing Detection

15 minutes

Objective: Analyze ARP traffic to understand MAC-to-IP resolution and detect ARP spoofing attacks.

ARP Reference

How ARP Works

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. A device broadcasts "Who has 10.0.0.1?" and the owner replies "10.0.0.1 is at AA:BB:CC:DD:EE:01". Results are cached in the ARP table.

ARP Traffic Capture

No. Time Source MAC Dest MAC Op Info 1 0.000000 AA:BB:CC:11:22:01 FF:FF:FF:FF:FF:FF REQ Who has 10.0.0.1? Tell 10.0.0.100 2 0.000450 AA:BB:CC:11:22:99 AA:BB:CC:11:22:01 REP 10.0.0.1 is at AA:BB:CC:11:22:99 3 0.500000 AA:BB:CC:11:22:02 FF:FF:FF:FF:FF:FF REQ Who has 10.0.0.1? Tell 10.0.0.101 4 0.500300 AA:BB:CC:11:22:99 AA:BB:CC:11:22:02 REP 10.0.0.1 is at AA:BB:CC:11:22:99 --- 5 seconds later: Suspicious gratuitous ARP --- 5 5.100000 AA:BB:CC:66:77:88 FF:FF:FF:FF:FF:FF REP 10.0.0.1 is at AA:BB:CC:66:77:88 6 5.200000 AA:BB:CC:66:77:88 FF:FF:FF:FF:FF:FF REP 10.0.0.1 is at AA:BB:CC:66:77:88 7 5.300000 AA:BB:CC:66:77:88 FF:FF:FF:FF:FF:FF REP 10.0.0.1 is at AA:BB:CC:66:77:88 8 5.400000 AA:BB:CC:66:77:88 AA:BB:CC:11:22:01 REP 10.0.0.1 is at AA:BB:CC:66:77:88 9 5.500000 AA:BB:CC:66:77:88 AA:BB:CC:11:22:02 REP 10.0.0.1 is at AA:BB:CC:66:77:88

Questions

Q1: What is the legitimate MAC address for the gateway (10.0.0.1)?

Q2: What is the attacker's MAC address?

Q3: What type of attack is shown in packets 5-9?

Q4: Why is the attacker sending unsolicited ARP replies? What is the goal?

Q5: What Layer 2 security feature prevents this attack on managed switches?

Defense Tip: Enable Dynamic ARP Inspection (DAI) on managed switches. DAI validates ARP packets against the DHCP snooping binding table and drops packets with forged source MAC/IP pairs.

5

ICMP Traffic & Reconnaissance

15 minutes

Objective: Identify normal vs. suspicious ICMP traffic. Detect ping sweeps, oversized packets, and ICMP tunneling.

ICMP Traffic Capture

No. Time Source Destination Type Code Bytes Info 1 0.000000 192.168.1.50 10.0.0.5 8 0 64 Echo Request id=0x1234 seq=1 2 0.012300 10.0.0.5 192.168.1.50 0 0 64 Echo Reply id=0x1234 seq=1 3 1.001000 192.168.1.50 10.0.0.5 8 0 64 Echo Request id=0x1234 seq=2 4 1.014500 10.0.0.5 192.168.1.50 0 0 64 Echo Reply id=0x1234 seq=2 --- Suspicious ICMP Activity --- 5 5.000000 192.168.1.42 10.0.0.1 8 0 64 Echo Request seq=1 6 5.000010 192.168.1.42 10.0.0.2 8 0 64 Echo Request seq=1 7 5.000020 192.168.1.42 10.0.0.3 8 0 64 Echo Request seq=1 8 5.000030 192.168.1.42 10.0.0.4 8 0 64 Echo Request seq=1 9 5.000040 192.168.1.42 10.0.0.5 8 0 64 Echo Request seq=1 ... 260 5.025500 192.168.1.42 10.0.0.254 8 0 64 Echo Request seq=1 --- Anomalous ICMP --- 300 10.000000 192.168.1.42 45.33.32.156 8 0 1400 Echo Request [data: 1336 bytes payload] 301 10.050000 45.33.32.156 192.168.1.42 0 0 1400 Echo Reply [data: 1336 bytes payload]

ICMP Type Reference

Type	Code	Description
0	0	Echo Reply (ping response)
3	0-15	Destination Unreachable
8	0	Echo Request (ping)
11	0-1	Time Exceeded (traceroute)

Questions

Q1: Packets 1-4 show normal ping traffic. What ICMP types are request and reply?

Q2: What type of reconnaissance is happening in packets 5-260?

Q3: Normal ping payloads are ~32-56 bytes. Packet 300 has 1336 bytes. What does this suggest?

Q4: What host is performing reconnaissance?

Q5: How many hosts are being scanned in the ping sweep? (10.0.0.1 to 10.0.0.254)

6

Attack Chain: Pattern Recognition

20 minutes

Objective: Analyze a mixed traffic capture to identify the full attack chain: reconnaissance, exploitation, and command-and-control.

Mixed Traffic Capture

No. Time Source Destination Protocol Bytes Info 1 08:01:00 192.168.1.50 10.0.0.5 TCP 60 22 > 49152 [SYN,ACK] 2 08:01:01 192.168.1.50 10.0.0.5 SSH 200 Encrypted packet 3 08:15:30 192.168.1.42 10.0.0.1 TCP 60 SYN > port 21 4 08:15:30 192.168.1.42 10.0.0.1 TCP 60 SYN > port 22 5 08:15:30 192.168.1.42 10.0.0.1 TCP 60 SYN > port 23 6 08:15:30 192.168.1.42 10.0.0.1 TCP 60 SYN > port 25 7 08:15:30 192.168.1.42 10.0.0.1 TCP 60 SYN > port 80 8 08:15:31 192.168.1.42 10.0.0.1 TCP 60 SYN > port 443 9 08:15:31 192.168.1.42 10.0.0.1 TCP 60 SYN > port 445 10 08:15:31 192.168.1.42 10.0.0.1 TCP 60 SYN > port 3306 11 08:15:31 192.168.1.42 10.0.0.1 TCP 60 SYN > port 3389 12 08:16:00 192.168.1.42 10.0.0.2 TCP 60 SYN > port 21 ... 45 08:30:00 192.168.1.42 45.33.32.156 TCP 60 49200 > 4444 [SYN] 46 08:30:01 45.33.32.156 192.168.1.42 TCP 60 4444 > 49200 [SYN,ACK] 47 08:30:05 192.168.1.42 45.33.32.156 TCP 1500 PSH,ACK [1460 bytes] port 4444

Analysis Questions

Q1: What type of reconnaissance is 192.168.1.42 performing in packets 3-11?

Q2: What well-known port is targeted that could indicate database access?

Q3: Port 4444 in packets 45-47 is associated with what common tool?

Q4: What is the likely attack sequence? (scan -> ??? -> C2)

Q5: Map this to the Cyber Kill Chain. Which 3 phases are visible?

SOC Analyst Tip: The attack chain here is: Reconnaissance (port scan) → Exploitation (compromised a service) → Command & Control (reverse shell on port 4444). This is a textbook Lockheed Martin Cyber Kill Chain example.