Question
Writing Wireshark filter expressions for packet capture

The focus of the class project, writing Wireshark filter expressions for packet capture, is not Wireshark itself. The focus of this project is the data collected by the scans that are accomplished using Wireshark; Wireshark is the tool used to accomplish the project. The completed project shall not focus on Wireshark but on what Wireshark will be filtering: collecting the data for analysis of the scans to produce the report and, therefore, the eventual report, the presentations developed, and the oral summary comprising your final exam.

Overview

In Module 1, instructions were provided to navigate to Wireshark.org in order to download the software, install the software, and then run the tool and become familiar with its functions. That familiarity with the Wireshark tool is what you will use to develop filters and use the tool effectively. Wireshark was to be downloaded and installed on your computer during the first week of CTEC 335. If this has not been completed, ensure that this step is completed before any attempt is made to perform this exercise. You may refer to Module 1 in MindTap, or search for any online tutorial or Web posting, for downloading Wireshark and installing it on your computer hard drive or setting up a virtual environment using Oracle VirtualBox, Hyper-V, or virtualization software for Mac running the Monterey version. If you have not done so as outlined in week 1 of the course, you will need to ensure that Wireshark is installed in order to complete this evolution.

Note: Wireshark can also be used to monitor and sniff wireless traffic.

1. The Project

The class project is based on writing and applying filters to scan network traffic based on the criteria and instructions provided.

Step 1. Write the exact packet filter expression that will collect the following data during an active scan.
(a) Log in to Facebook and capture "ALL TCP" traffic that flows to and from a Facebook account.
(b) While logged into Facebook, capture all "HTTP" traffic to/from Facebook from the time the account was logged into.
(c) Using YouTube or CNN.com, locate a YouTube or news video. Run the video and capture all traffic to and from YouTube or CNN.

Upon completion of Step 1, ensuring the appropriate data has been collected, do the following:

2. Write a DISPLAY filter expression to:
a) Count all TCP packets (captured under Step 1, No. 1) that have the following flags set: SYN, PSH, and RST. Display a segment or fraction of the data (packets that had each flag set).
b) Apply a DISPLAY filter expression that separates the packets sent by your system from those received from Facebook and CNN or YouTube in Step 1, Nos. 2 and 3 above. Display the segments or fractions for each type.

Note: While scanning for TCP packets, various other packets will be received, as follows: TCP packets, SSL packets, HTTP packets. This occurs because HTTP and SSL run over TCP, and HTTP and SSL are captured by default. Those packets are a subclass of the TCP packets, and they are to be captured and exported to Excel for analysis. Apply the appropriate display filters so as to separate subsets of the TCP packets. The subsets of the TCP packets that are also HTTP packets can be filtered only on port 80. Observe that during the scanning sessions you will notice that Facebook may be applying secure HTTP, HTTP/SSL, or HTTPS and using port 443.

3. Analysis of the Captured Data

When the data capture evolution has been completed, count how many TCP packets were received from or sent to Facebook or YouTube/CNN, and how many of the packets were also HTTP packets. Observe and determine any TCP packets with the SYN or PSH flags set that were sent from the host system or received from the specified sites (Facebook, CNN, or YouTube).

Analyze the count and make a determination on the flags that are tcp.flags.push. Make a determination of the flags that are tcp.flags.syn and whether the flag is set. Decide on the TCP packets that have tcp.flags.reset applied. You must demonstrate all counts in a table.

Using PowerPoint, Quickdraw, or another graphics application, draw a rough sketch with a timeline of your YouTube session (roughly 5 minutes, or whatever the duration of your chosen videos is) and indicate approximately when during the session the packets with SYN or PSH flags occurred. Your timeline should start at the time when the first video packet is received and end when the last video packet is received. You don't need to draw a precise timeline; just illustrate the relationships.

Analyze whether during a video session your client connected to multiple YouTube servers. Indicate approximately on the timeline where this occurred. Did packets with SYN or PSH flags occur at about the same time when your server changed? Provide some explanation as to why SYN/PSH packets were sent at all and whether they were correlated with the server switching.

Analyze the YouTube packet sizes. Using Excel, create a histogram showing how many packets were received within a range of sizes, e.g., how many packets had lengths 0 - 100 bytes, 100 - 200 bytes, 200 - 300 bytes, etc. Indicate the packet size units (in bytes) on the horizontal axis.

4. Report Preparation and Submission

The report cover should contain the following information in the appropriate format:
1. Location where the scans were run (University Campus/Lab, Home, Other) and the type of computer used to effect the scan.
2. Identify the computer specifications of the device applied:
   Device (e.g., tablet, desktop, mobile phone, etc.)
   Processor (e.g., 64-bit operating system, x64-based processor)
   Installed RAM
   Operating System
     o Edition
     o Version
3. Write the Wireshark filters used for capture and display. To improve the readability of your report, provide the filter expressions on separate lines and use the Courier font or Times New Roman to write the filters.
4. Explanation for every component of your filter expressions.
5. The exact URL for all YouTube videos that you visited for this exercise.
6. A table of observed statistics for counting the set flags in captured TCP packets.
7. Histogram of the YouTube packet lengths.
8. Sketch of the timeline of your YouTube session.
9. The list of references used during the data analysis and report preparation, such as websites, blogs, books, etc.

You may include your Wireshark *.pcap files as an appendix to your report.

When presenting a figure in your report, do not just say "see Figure 5". Tell us where to look in Figure 5 and what we should see. If you don't tell us where to look and what to see, we may not see the interesting or important features that you wanted to highlight, and as a result you will not receive credit for your analysis. To receive credit, it is not enough just to attach the raw Wireshark data to your report. You must analyze and discuss the data and include diagrams and charts. It is critical that your report summarizes the captured data in diagrams and that the narrative provides discussion and explanation of the observations.

The items listed above form just a minimum requirement for the report and can be satisfied to different degrees. Only the students who have performed the greatest number of scans and provided the most extensive analysis and discussion of their results shall receive the highest score (100%). Reports that have satisfied all the required items, but only to a bare minimum, shall receive a score appropriate to the level of work accomplished out of 100% of the maximum score. Each group should submit a single project report as a PDF document (no other formats will be accepted). If any other document format is used, we will consider that the report was not submitted.

While analytical reports are not all the same, there are elements that are shared between the different styles of reports. In writing analytical reports, the common elements will most likely include the following: a title page, a table of contents, an introduction, a methodology section, body sections with titles and sub-titles, conclusions and recommendations, a bibliography (citations), and an appendices section.

The cover page (not the same as the title page) of the report shall be an APAv6 cover page and include the following:
The project title
The group/team members
Course title and number
Department
Institution
Submission date

The report shall include the following elements at a minimum:
1. Title page
2. Table of contents
3. Methodology section
4. Body sections
5. Conclusions and recommendations
6. Bibliography (works cited, e.g., trade journals, peer-reviewed journals, books, etc.)
7. Appendices section (figures, tables, etc.)
Step by Step Solution
There are 3 Steps involved in it
Step: 1
To capture ALL TCP traffic that flows to and from a Facebo...
Step: 2
Step: 3
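The counting and splitting the question asks for in Steps 2 and 3 can be checked offline before opening Wireshark. The following is an added example, not code from the original page, the course, or the truncated solution above: it builds a small constructed pcap in memory, parses it with the Python standard library only, and re-implements the display filters `tcp.flags.syn == 1`, `tcp.flags.push == 1`, `tcp.flags.reset == 1`, `ip.src == <host>` / `ip.dst == <host>`, `tcp.port == 443` and `tcp.port == 80`, then produces the flag table, the 100-byte length histogram, and the "did my client talk to more than one YouTube server?" check. Every address is an assumption: 10.0.0.5 is the capturing machine, 31.13.0.1 stands in for Facebook, and 142.250.0.1 / 142.250.0.2 for two YouTube servers; the traffic itself is constructed, not captured.

```python
"""Offline stand-in for the display filters and counts the assignment asks for.
Added example, not code from the original page or the course: it builds a small
constructed pcap in memory, parses it with the standard library only, and
re-implements the Wireshark display filters, the Step 3 flag table, the 100-byte
length histogram and the "more than one YouTube server?" check. Hosts are
assumptions: 10.0.0.5 is the capturing machine, 31.13.0.1 stands in for
Facebook, 142.250.0.1 and 142.250.0.2 for two YouTube servers."""
import struct
from collections import Counter

MY_HOST = "10.0.0.5"                                        # assumed capturing host
SITES = {"31.13.0.1": "facebook", "142.250.0.1": "youtube", "142.250.0.2": "youtube"}
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10                 # tcp.flags bits

def frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame; checksums left zero (Wireshark dissects it anyway)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

def parse_pcap(data):
    """Yield one dict per IPv4/TCP frame, keyed like Wireshark's frame.* / ip.* / tcp.* fields."""
    end = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:         # not IPv4, or not TCP
            continue
        tcp = 14 + (pkt[14] & 0x0F) * 4                       # TCP header offset from IHL
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        yield {"frame.time": ts, "frame.len": len(pkt), "tcp.flags": pkt[tcp + 13],
               "ip.src": ".".join(map(str, pkt[26:30])), "ip.dst": ".".join(map(str, pkt[30:34])),
               "tcp.srcport": sport, "tcp.dstport": dport}

# The assignment's display filters, keyed by the exact Wireshark expression.
FILTERS = {
    "tcp.flags.syn == 1":   lambda p: p["tcp.flags"] & SYN,    # SYN and SYN/ACK both match
    "tcp.flags.push == 1":  lambda p: p["tcp.flags"] & PSH,
    "tcp.flags.reset == 1": lambda p: p["tcp.flags"] & RST,
    f"ip.src == {MY_HOST}": lambda p: p["ip.src"] == MY_HOST,  # sent by my system
    f"ip.dst == {MY_HOST}": lambda p: p["ip.dst"] == MY_HOST,  # received by my system
    "tcp.port == 443":      lambda p: 443 in (p["tcp.srcport"], p["tcp.dstport"]),
    "tcp.port == 80":       lambda p: 80 in (p["tcp.srcport"], p["tcp.dstport"]),
}

def site_packets(data, sites=SITES):
    """Keep only TCP frames exchanged with the sites of interest (either direction)."""
    return [p for p in parse_pcap(data) if p["ip.src"] in sites or p["ip.dst"] in sites]

def count(packets, expr):
    """How many packets the display filter `expr` would leave in the packet list."""
    return sum(1 for p in packets if FILTERS[expr](p))

def flag_table(packets, my_host=MY_HOST, sites=SITES):
    """Step 3 table: site -> 'sent' / 'received' -> Counter(total, SYN, PSH, RST)."""
    table = {}
    for p in packets:
        if p["ip.src"] == my_host and p["ip.dst"] in sites:
            site, direction = sites[p["ip.dst"]], "sent"
        elif p["ip.dst"] == my_host and p["ip.src"] in sites:
            site, direction = sites[p["ip.src"]], "received"
        else:
            continue                                          # third-party traffic
        row = table.setdefault(site, {}).setdefault(direction, Counter())
        row["total"] += 1
        for name, bit in (("SYN", SYN), ("PSH", PSH), ("RST", RST)):
            if p["tcp.flags"] & bit:
                row[name] += 1
    return table

def length_histogram(packets, width=100):
    """Bins for the Excel chart: key 0 is 0-99 bytes, 100 is 100-199, and so on."""
    return Counter((p["frame.len"] // width) * width for p in packets)

def servers_contacted(packets, site, sites=SITES):
    """Distinct server addresses for one site; more than one means the client switched servers."""
    return {a for p in packets for a in (p["ip.src"], p["ip.dst"]) if sites.get(a) == site}

def sample_capture():
    """Constructed traffic: TLS with Facebook on 443, a YouTube session that moves to a
    second server (new SYN mid-session) and ends in a RST, plus one unrelated connection."""
    fb, yt1, yt2 = "31.13.0.1", "142.250.0.1", "142.250.0.2"
    return build_pcap([
        frame(MY_HOST, fb, 51000, 443, SYN), frame(fb, MY_HOST, 443, 51000, SYN | ACK),
        frame(MY_HOST, fb, 51000, 443, ACK),
        frame(MY_HOST, fb, 51000, 443, PSH | ACK, b"\x16\x03\x01" + b"\x00" * 200),   # ClientHello
        frame(fb, MY_HOST, 443, 51000, PSH | ACK, b"\x17\x03\x03" + b"\x00" * 1400),
        frame(MY_HOST, yt1, 51001, 443, SYN), frame(yt1, MY_HOST, 443, 51001, SYN | ACK),
        frame(MY_HOST, yt1, 51001, 443, PSH | ACK, b"\x00" * 300),
        frame(yt1, MY_HOST, 443, 51001, PSH | ACK, b"\x00" * 1300),
        frame(MY_HOST, yt2, 51002, 443, SYN), frame(yt2, MY_HOST, 443, 51002, SYN | ACK),  # switch
        frame(yt2, MY_HOST, 443, 51002, PSH | ACK, b"\x00" * 1400),
        frame(yt1, MY_HOST, 443, 51001, RST | ACK),
        frame(MY_HOST, "93.184.216.34", 51003, 80, SYN),        # not a site of interest
    ])

PACKETS = site_packets(sample_capture())

if __name__ == "__main__":
    print({e: count(PACKETS, e) for e in FILTERS}, flag_table(PACKETS))
    print(sorted(length_histogram(PACKETS).items()), servers_contacted(PACKETS, "youtube"))
```

Two points the question blurs are worth keeping straight in the report. The expressions in `FILTERS` are display filters; the capture filter for Step 1(a) is a separate BPF expression typed before capture starts (for example `tcp and host <address>`), and the two syntaxes are not interchangeable. And because Facebook, YouTube and CNN serve over port 443, a display filter of `http` or `tcp.port == 80` will match little or nothing: the HTTP requests are inside TLS, so count them with `tls` (older Wireshark versions call the dissector `ssl`) and `tcp.port == 443`, and say so in the explanation of your filter components.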