Information

Author(s) Olivier Bonaventure
Deadline No deadline
Submission limit No limitation

Analyzing a packet trace

Network engineers often need to analyze packet traces. Here is a two-minute packet trace that was collected on a Linux host running Chrome, Firefox, Thunderbird and the Brave browser. By analyzing the trace with Wireshark, can you answer the following questions?

https://inginious.org/course/cnp3/q-tcpdump-trace/tcpdump-long.pcap


Question 1: Number of packets

How many packets does this trace contain?

Question 2: Connection on port 5228

The trace contains a connection on an unusual port number, 5228. Looking at this connection, it appears that it uses TLS. What is the name of the server that was contacted?

Question 3: The IPv4 address of the captured host

The packets in this trace were captured from a single host. What is the IPv4 address of this host? Note that you will find many addresses in the trace: look at the DNS requests or at the TCP connection establishments (SYN packets) to find the client address.

Question 4: The IPv6 address of the captured host

The packets in this trace were captured from a single host. What is the IPv6 address of this host? Note that you will find many addresses in the trace: look at the DNS requests or at the TCP connection establishments (SYN packets) to find the client address.

Question 5: TCP ports

What is the most frequent TCP destination port used in this trace? (Hint: the "Conversations" tool in the "Statistics" menu can be helpful.)

Question 6: The DNS resolver

What is the IPv6 address of the DNS resolver used by this host?

Question 7: TCP connections on port 80

How many connections were established on port 80?

Question 8: Mailserver

This trace contains one connection on port 587, the port used by a client to submit an email to a mail server. What is the name of the server contacted by this client?

Question 9: Connections on port 993

The trace contains four connections on port 993. What is the name of the server that was contacted?

Question 10: Connections to IPv6 servers on TCP port 80

The trace contains four connections to an IPv6 server on TCP port 80. By looking at the content of the packets, can you infer which application created those connections?
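Questions 1, 3, 4, 5, 6, 7 and 10 all ask for counts or addresses that Wireshark's display filters and its Statistics tools give you interactively. The same answers can be extracted programmatically, which is useful when the same questions must be asked of many traces. The following is an added example, not part of the course material or of the INGInious exercise: it parses the classic pcap format with only the Python standard library, decodes Ethernet, IPv4, IPv6, TCP and UDP headers, and answers those question types over a small trace constructed inline. The addresses (192.0.2.10, 2001:db8::10, 2001:db8::53, the 198.51.100.x servers) and the frames are made up for the example; they are not taken from the course trace.

```python
"""Answer Wireshark-style questions about a pcap with the standard library only.

The trace below is constructed inside this file so the example runs offline;
it is not the course trace linked on the page.
"""
import struct
import ipaddress
from collections import Counter

# --- Constructed sample trace (hypothetical addresses, not the course pcap) ---
CLIENT4 = "192.0.2.10"       # the captured host (IPv4)
CLIENT6 = "2001:db8::10"     # the captured host (IPv6)
RESOLVER6 = "2001:db8::53"   # its DNS resolver
SYN, SYNACK = 0x02, 0x12     # TCP flag bytes

def _eth(ethertype, payload):                       # zeroed MAC addresses are enough here
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload

def _ipv4(src, dst, proto, payload):                # 20-byte header, checksum left at 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return _eth(0x0800, hdr + payload)

def _ipv6(src, dst, proto, payload):                # 40-byte header, no extension headers
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), proto, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return _eth(0x86DD, hdr + payload)

def _tcp(sport, dport, flags):                      # 20-byte header, data offset 5
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)

def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

FRAMES = [
    _ipv6(CLIENT6, RESOLVER6, 17, _udp(40000, 53)),             # DNS query from the host
    _ipv6(RESOLVER6, CLIENT6, 17, _udp(53, 40000)),             # DNS answer
    _ipv4(CLIENT4, "198.51.100.1", 6, _tcp(50000, 443, SYN)),   # HTTPS connection 1
    _ipv4("198.51.100.1", CLIENT4, 6, _tcp(443, 50000, SYNACK)),
    _ipv4(CLIENT4, "198.51.100.2", 6, _tcp(50001, 443, SYN)),   # HTTPS connection 2
    _ipv4(CLIENT4, "198.51.100.3", 6, _tcp(50002, 80, SYN)),    # HTTP over IPv4
    _ipv4(CLIENT4, "198.51.100.3", 6, _tcp(50002, 80, SYN)),    # retransmitted SYN, same connection
    _ipv6(CLIENT6, "2001:db8::80", 6, _tcp(50003, 80, SYN)),    # HTTP over IPv6
]

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap(FRAMES)

# --- Parsing -----------------------------------------------------------------
def read_pcap(data):
    """Yield raw Ethernet frames from a classic pcap (either byte order, microsecond magic)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap are not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def decode(frame):
    """Return (src, dst, proto, sport, dport, tcp_flags) for IPv4/IPv6 TCP or UDP, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:                                   # IPv4: IHL gives the header length
        l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
        src, dst = ipaddress.IPv4Address(frame[26:30]), ipaddress.IPv4Address(frame[30:34])
    elif ethertype == 0x86DD:                                 # IPv6 without extension headers
        l4, proto = 54, frame[20]
        src, dst = ipaddress.IPv6Address(frame[22:38]), ipaddress.IPv6Address(frame[38:54])
    else:
        return None
    if proto not in (6, 17):
        return None
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    flags = frame[l4 + 13] if proto == 6 else 0
    return str(src), str(dst), proto, sport, dport, flags

def records(data):
    return [r for r in map(decode, read_pcap(data)) if r is not None]

def is_syn(rec):
    """Client-initiated SYN: SYN set and ACK clear (a SYN-ACK comes from the server)."""
    return rec[2] == 6 and (rec[5] & 0x12) == 0x02

# --- The questions -----------------------------------------------------------
def packet_count(data):                                       # question 1
    return sum(1 for _ in read_pcap(data))

def captured_host(data, version):                             # questions 3 and 4
    """The address that most often sends SYNs or DNS queries is the captured host."""
    c = Counter(r[0] for r in records(data)
                if ipaddress.ip_address(r[0]).version == version
                and (is_syn(r) or (r[2] == 17 and r[4] == 53)))
    return c.most_common(1)[0][0] if c else None

def most_frequent_tcp_dport(data):                            # question 5
    return Counter(r[4] for r in records(data) if r[2] == 6).most_common(1)[0][0]

def dns_resolver(data):                                       # question 6
    return Counter(r[1] for r in records(data) if r[2] == 17 and r[4] == 53).most_common(1)[0][0]

def connections_to_port(data, port, version=None):            # questions 7 and 10
    """Distinct client-initiated connections, keyed by (src, sport, dst), so a
    retransmitted SYN is not counted as a second connection."""
    return len({(r[0], r[3], r[1]) for r in records(data) if is_syn(r) and r[4] == port
                and (version is None or ipaddress.ip_address(r[0]).version == version)})

if __name__ == "__main__":
    print("packets:", packet_count(SAMPLE_PCAP))
    print("host:", captured_host(SAMPLE_PCAP, 4), captured_host(SAMPLE_PCAP, 6))
    print("resolver:", dns_resolver(SAMPLE_PCAP), "top dport:", most_frequent_tcp_dport(SAMPLE_PCAP))
    print("port 80 connections:", connections_to_port(SAMPLE_PCAP, 80))
```

The `is_syn` test corresponds to the Wireshark display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0`, and `connections_to_port` deliberately keys on the connection's 4-tuple rather than counting SYN packets: the sample contains three SYNs to port 80 but only two connections, because one SYN is a retransmission, and the same trap exists when counting connections in the course trace.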