Question

viii. What filter syntax would you enter to display only the last message of the TCP opening session (Hint: use Hex values)?
ix. How many of these packets are displayed?
x. There should be an equal number of (SYN) and (ACK) packets for each successful TCP session opening, but is that true for this lab capture?
xi. When a TCP session open is attempted on a port that is not open, a reset and acknowledgment (RST, ACK) may be the response seen. What filter syntax would you enter to display only the reset message of the TCP opening session?
xii. How many (RST, ACK) packets are displayed?
xiii. If you have a high number of TCP opening messages and a high number of (RST, ACK) responses, what type of scan might this indicate that is occurring on the network?

2. As you learned in chapter 8, the transport layer protocol TCP consists of responses and replies; you will look at those message types and create a visual representation of said traffic to help you better analyze what you know about HTTP.
   a. Use the Endpoints under Statistics to figure out more about the devices generating traffic in the capture.
      i. How many unique devices are there?
      ii. Who are the 6 "top talkers?"
   b. Use the Conversation under Statistics to learn more about the communication between the devices in the capture.
      i. Using the Conversation window, look at the TCP communications; how many conversations are there?
   c. Hackers tend to favor stealthy scans, which usually test a TCP port to see if it is open. Sort the conversations based on the number of packets per conversation; notice the conversations that consist of only 2 packets. Some of these are opening attempts followed by a reset message. Take notice of what system is initiating these conversations; this is likely the address of the system the attacker is using.
      i. What are the IP address and the MAC address of the attacker?
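
The analysis described in items x to xiii and 2.c can also be scripted. The following is an added example, not part of the lab or its capture: it counts packets per TCP flag value and flags initiators with many 2-packet conversations in which a SYN is answered by RST,ACK. The packet records, addresses and the threshold of 3 are constructed assumptions.

```python
from collections import Counter, defaultdict

# Bit values of the TCP flags field (the hex values a capture tool displays).
SYN, RST, ACK = 0x002, 0x004, 0x010
NAMES = {SYN: "SYN", SYN | ACK: "SYN,ACK", ACK: "ACK", RST | ACK: "RST,ACK"}

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, tcp_flags), in capture order.
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 80, 0x002),    # complete handshake
    ("10.0.0.9", 80, "10.0.0.5", 40001, 0x012),
    ("10.0.0.5", 40001, "10.0.0.9", 80, 0x010),
    ("10.0.0.66", 51000, "10.0.0.9", 21, 0x002),   # closed ports answer RST,ACK
    ("10.0.0.9", 21, "10.0.0.66", 51000, 0x014),
    ("10.0.0.66", 51001, "10.0.0.9", 23, 0x002),
    ("10.0.0.9", 23, "10.0.0.66", 51001, 0x014),
    ("10.0.0.66", 51002, "10.0.0.9", 25, 0x002),
    ("10.0.0.9", 25, "10.0.0.66", 51002, 0x014),
    ("10.0.0.5", 40002, "10.0.0.9", 8080, 0x002),  # one refused open from a normal client
    ("10.0.0.9", 8080, "10.0.0.5", 40002, 0x014),
]

def flag_counts(packets):
    """Count packets per flag combination, keyed by name (hex string if unnamed)."""
    return Counter(NAMES.get(p[4], hex(p[4])) for p in packets)

def conversations(packets):
    """Group packets by endpoint pair, independent of direction, keeping order."""
    convs = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        convs[frozenset([(src, sport), (dst, dport)])].append((src, flags))
    return convs

def refused_opens(packets):
    """Per initiator, count 2-packet conversations: SYN answered by RST,ACK."""
    refused = Counter()
    for pkts in conversations(packets).values():
        if len(pkts) == 2:
            (a, f1), (b, f2) = pkts
            if f1 == SYN and f2 == (RST | ACK) and a != b:
                refused[a] += 1
    return refused

def suspected_scanners(packets, threshold=3):
    """Initiators with at least `threshold` refused opens (threshold is an assumption)."""
    return sorted(ip for ip, n in refused_opens(packets).items() if n >= threshold)

if __name__ == "__main__":
    print(dict(flag_counts(PACKETS)))
    print(suspected_scanners(PACKETS))
```

A single refused open, like the one from 10.0.0.5 in the sample, is normal client behaviour; it is the count per initiator that separates a scan from an ordinary failed connection.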
