Diffstat (limited to 'netsec-assignment2-S4498062/exercise3')
-rw-r--r-- | netsec-assignment2-S4498062/exercise3/exercise3a | 4 | ||||
-rw-r--r-- | netsec-assignment2-S4498062/exercise3/exercise3b | 72 | ||||
-rw-r--r-- | netsec-assignment2-S4498062/exercise3/exercise3c | 10 | ||||
-rw-r--r-- | netsec-assignment2-S4498062/exercise3/exercise3d | 68 | ||||
-rw-r--r-- | netsec-assignment2-S4498062/exercise3/exercise3e | 10 |
5 files changed, 164 insertions, 0 deletions
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3a b/netsec-assignment2-S4498062/exercise3/exercise3a
new file mode 100644
index 0000000..e587296
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3a
@@ -0,0 +1,4 @@
+There doesn't seem too much useful because we only see 802.11 protocol stuff.
+Wireshark cannot distinguish other protocols because we didn't give it the key
+to decrypt the encrypted Wi-Fi packets.
+
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3b b/netsec-assignment2-S4498062/exercise3/exercise3b
new file mode 100644
index 0000000..0245301
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3b
@@ -0,0 +1,72 @@
+The comments summary:
+
+Summary created by Wireshark (Git Rev Unknown from unknown)
+
+ File:
+ Name: /.../netsec-assignment2-S4498062/exercise3/outputnetsec-01.cap
+ Length: 161961977 bytes
+ Format: Wireshark/tcpdump/... - pcap
+ Encapsulation: IEEE 802.11 Wireless LAN
+ Packet size limit: 65535 bytes
+
+
+ Time:
+ First packet: 2015-09-11 08:52:12
+ Last packet: 2015-09-11 09:16:57
+ Elapsed: 00:24:45
+
+
+ Capture:
+
+ Unknown interface:
+ Dropped packets: unknown
+ Capture filter: unknown
+ Link type: IEEE 802.11 Wireless LAN
+ Packet size limit 65535 bytes
+
+ Statistics:
+ Packets: 543544
+ Between first and last packet:1485.708 sec
+ Avg. packets/sec: 365.849
+ Avg packet size: 281.974 bytes
+ Bytes: 153265265
+ Avg bytes/sec: 103159.778
+ Avg Mbit/sec: 0.825
+
+In Statistics > Conversations, we see the most active clients:
+
+ "Address A","Address B","Packets","Bytes","Packets A→B","Bytes A→B","Packets A←B","Bytes A←B","Rel Start","Duration","bps A→B","bps A←B"
+ "Allnet_0c:f7:8c","Allnet_0c:f7:93","94165","80983864","55537","77358388","38628","3625476","-0.000004000","1485.6989","416549.48","19522.00"
+ "Allnet_0c:ee:ed","Allnet_0c:f7:93","109921","67395252","65601","6130612","44320","61264640","-0.000003000","1485.7076","33011.14","329888.01"
+ "Allnet_0c:ee:ed","Allnet_0c:f7:8c","8739","999840","4098","479032","4641","520808","0.066556000","1485.1628","2580.36","2805.39"
+ "AsustekC_89:8c:10","IntelCor_25:1b:e2","1080","106920","1080","106920","0","0","6.014339000","1476.0891","579.48","N/A"
+ "AsustekC_89:8c:10","Azurewav_8d:55:58","292","28908","292","28908","0","0","47.326149000","1380.3753","167.54","N/A"
+ "AsustekC_89:8c:10","IntelCor_ed:f2:0b","233","23067","233","23067","0","0","40.717828000","1408.6099","131.01","N/A"
+ "AsustekC_89:8c:10","LgElectr_65:c2:1e","186","18414","186","18414","0","0","196.765954000","1089.9483","135.16","N/A"
+ "AsustekC_89:8c:10","50:a7:2b:79:98:e7","134","13266","134","13266","0","0","1037.606722000","60.9406","1741.50","N/A"
+ "AsustekC_89:8c:10","HonHaiPr_4a:b3:b3","76","7524","76","7524","0","0","21.791043000","1329.0226","45.29","N/A"
+ "IntelCor_a3:19:61","AsustekC_89:8c:10","76","7524","0","0","76","7524","697.795714000","679.1029","N/A","88.63"
+ "IntelCor_e2:52:c0","AsustekC_89:8c:10","48","4752","0","0","48","4752","159.485889000","1289.6303","N/A","29.48"
+ "Azurewav_4a:18:ef","AsustekC_89:8c:10","47","4653","0","0","47","4653","110.878660000","1320.6467","N/A","28.19"
+ "34:fc:ef:a4:20:02","AsustekC_89:8c:10","42","4158","0","0","42","4158","298.310273000","949.5807","N/A","35.03"
+ "AsustekC_89:8c:10","Jolla_01:30:c6","40","3960","40","3960","0","0","569.697859000","197.4624","160.44","N/A"
+ "AsustekC_89:8c:10","SonyMobi_44:eb:da","30","2970","30","2970","0","0","61.584704000","60.0957","395.37","N/A"
+ "SamsungE_34:6b:88","AsustekC_89:8c:10","26","2574","0","0","26","2574","253.012801000","408.3589","N/A","50.43"
+ "AsustekC_89:8c:10","SamsungE_55:3b:c3","23","2277","23","2277","0","0","200.722946000","856.3267","21.27","N/A"
+ "SamsungE_6e:9a:01","AsustekC_89:8c:10","17","1683","0","0","17","1683","11.333827000","304.7486","N/A","44.18"
+ "AsustekC_89:8c:10","SamsungE_41:25:74","13","1287","13","1287","0","0","904.035331000","20.4690","503.00","N/A"
+ "AsustekC_89:8c:10","Apple_35:43:18","9","891","9","891","0","0","259.246274000","501.2417","14.22","N/A"
+ "SimTechn_64:6a:a5","AsustekC_89:8c:10","7","693","0","0","7","693","596.423938000","654.5950","N/A","8.47"
+ "SamsungE_8f:28:47","AsustekC_89:8c:10","7","693","0","0","7","693","1276.488448000","0.0077","N/A","721875.00"
+ "AsustekC_89:8c:10","Apple_9c:bc:42","6","594","6","594","0","0","1376.221698000","0.0159","299395.16","N/A"
+ "Htc_76:de:49","AsustekC_89:8c:10","3","297","0","0","3","297","890.820803000","0.0205","N/A","116009.96"
+ "HuaweiTe_ba:27:00","AsustekC_89:8c:10","3","297","0","0","3","297","1163.479234000","0.0036","N/A","662576.69"
+ "AsustekC_89:8c:10","SamsungE_27:7b:4a","2","198","2","198","0","0","851.540162000","0.0195","81418.66","N/A"
+ "AsustekC_89:8c:10","Broadcast","1","105","1","105","0","0","0.000003000","0.0000","N/A","N/A"
+ "AsustekC_89:8c:10","Motorola_2c:ab:db","1","99","1","99","0","0","1004.081411000","0.0000","N/A","N/A"
+ "AsustekC_89:8c:10","IntelCor_4f:b6:a9","1","99","1","99","0","0","1148.830019000","0.0000","N/A","N/A"
+
+Clearly, Allnet_0c:{f7:8c,ee:ed,f7:93} are the most active.
+
+The protocol hierarchy only shows 802.11 and its data. We're using an encrypted capture, so Wireshark cannot distinguish the different protocols (as explained in exercise3a).
+
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3c b/netsec-assignment2-S4498062/exercise3/exercise3c
new file mode 100644
index 0000000..88b70fd
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3c
@@ -0,0 +1,10 @@
+$ airdecap-ng -l -b 48:5B:39:89:8C:10 -w 37:00:9C:49:21:61:1E:4A:1A:44:6E:2F:20 outputnetsec-01.cap
+Total number of packets read 543544
+Total number of WEP data packets 200052
+Total number of WPA data packets 0
+Number of plaintext data packets 0
+Number of decrypted WEP packets 200052
+Number of corrupted WEP packets 0
+Number of decrypted WPA packets 0
+
+Now we use the decrypted capture, so Wireshark is able to distinguish other protocols than 802.11.
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3d b/netsec-assignment2-S4498062/exercise3/exercise3d
new file mode 100644
index 0000000..26dea2d
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3d
@@ -0,0 +1,68 @@
+The comments summary:
+
+ Summary created by Wireshark (Git Rev Unknown from unknown)
+
+ File:
+ Name: /.../netsec-assignment2-S4498062/exercise3/outputnetsec-01-dec.cap
+ Length: 140897136 bytes
+ Format: Wireshark/tcpdump/... - pcap
+ Encapsulation: IEEE 802.11 Wireless LAN
+ Packet size limit: 65535 bytes
+
+
+ Time:
+ First packet: 2015-09-11 08:52:12
+ Last packet: 2015-09-11 09:16:57
+ Elapsed: 00:24:45
+
+
+ Capture:
+
+ Unknown interface:
+ Dropped packets: unknown
+ Capture filter: unknown
+ Link type: IEEE 802.11 Wireless LAN
+ Packet size limit 65535 bytes
+
+ Statistics:
+ Packets: 200052
+ Between first and last packet:1485.708 sec
+ Avg. packets/sec: 134.651
+ Avg packet size: 688.302 bytes
+ Bytes: 137696296
+ Avg bytes/sec: 92680.617
+ Avg Mbit/sec: 0.741
+
+The IP conversations:
+
+ "Address A","Address B","Packets","Bytes","Packets A→B","Bytes A→B","Packets A←B","Bytes A←B","Rel Start","Duration","bps A→B","bps A←B"
+ "192.168.84.40","192.168.84.79","4743","550188","2791","323756","1952","226432","0.000000000","1485.2227","1743.88","1219.65"
+ "192.168.84.51","192.168.84.68","97598","57695108","61316","5156724","36282","52538384","-0.000003000","1485.7076","27767.10","282900.27"
+ "192.168.84.10","192.168.84.62","85260","78089584","51881","75285124","33379","2804460","-0.000004000","1485.6989","405385.64","15101.10"
+ "192.168.84.10","192.168.84.47","5570","646120","2788","323408","2782","322712","0.066556000","1485.1628","1742.07","1738.33"
+ "192.168.84.10","192.168.84.60","4682","543112","2721","315636","1961","227476","0.975936000","1484.1761","1701.34","1226.14"
+ "192.168.84.10","192.168.84.56","1832","150164","919","66168","913","83996","1.014845000","1482.2693","357.12","453.34"
+
+Conversation .10 and .62:
+
+ These clients only use TCP. The data seems to be hexadecimal ascii
+ characters. I did not convert that to see what they're sending.
+
+Conversation .51 and .68:
+
+ This is similar to the one above.
+
+The protocol hierarchy looks more interesting now (percentages are given in %
+packets):
+
+ - There's some ARP messages (0.18%)
+ - But mostly IP (99.82%)
+ - Of which most are TCP (92.32%)
+ - But also some ICMP (7.5%)
+
+NOTE:
+As it turns out, there was something wrong with the network when I sniffed. Another student had the same problem, but retrying later gave
+him UDP packets with something like "Insert your student number here". I did not have the time to sniff again and look at the details again.
+As a result, I didn't understand what was the point of exercise 4b (see note there as well).
+As a proof, I can send you the cap file. Because of its size I will only do that on request (info@camilstaps.nl).
+
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3e b/netsec-assignment2-S4498062/exercise3/exercise3e
new file mode 100644
index 0000000..e195f2c
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3e
@@ -0,0 +1,10 @@
+In the Conversations > TCP view, we see many very short (few packets)
+conversations between 192.168.84.56 (several ports) and 192.168.86.10:21057. I
+would guess then that .56 is being rejected by .10.
+Using the filter
+
+ ip.addr==192.168.84.56 and ip.addr==192.168.84.10
+
+this is confirmed. We see many TCP packets from .56 with SYN, but .10
+continuously repeats with RST, ACK.
+ |