WIRESHARK PACKET ANALYSIS
NETWORK TRAFFIC ANALYSIS TRAINING LAB
PCAP ANALYSIS · DISPLAY FILTERS · TCP STREAMS · CREDENTIAL HUNTING

OBJECTIVES

Apply a display filter
Find FTP credentials in plaintext
Find HTTP Basic Auth credentials
Follow a Telnet stream
Identify the DNS exfiltration attempt
Detect the port scan in traffic
View protocol statistics
Submit the analysis report
PHASE 1 — PACKET CAPTURE ANALYSIS
MISSION BRIEF
NETWORK SECURITY — TRAFFIC ANALYSIS

WIRESHARK — PACKET ANALYSIS

PCAP: apexlab_incident.pcap — 847 packets

SCENARIO

The network team captured traffic on the APEXLAB internal segment during a 15-minute window flagged by the IDS. Analyse apexlab_incident.pcap to identify cleartext credentials, suspicious protocols, and anomalous traffic patterns.

NETWORK SEGMENT

Host             IP
Workstation      10.10.14.22
FTP server       10.10.14.50
Web server       10.10.14.100
Telnet device    10.10.14.200
DNS server       10.10.14.1
External         185.220.101.45

HOW TO USE

  • Type display filters in the filter bar and click Apply
  • Click any packet to inspect its fields in the detail pane
  • Right-click any packet and select Follow TCP Stream to view the full conversation
  • Use Statistics for protocol breakdown

USEFUL FILTERS

Filter                          Shows
ftp                             FTP traffic
http                            HTTP traffic
telnet                          Telnet sessions
dns                             DNS queries
tcp.flags.syn==1                SYN packets (scans)
ftp contains "PASS"             FTP passwords
http contains "Authorization"   HTTP auth
REFERENCE — WIRESHARK
DISPLAY FILTER SYNTAX
  • Protocol filters: ftp, http, dns, telnet, tcp, udp, icmp
  • Field filters:
      ip.src == 10.10.14.22
      ip.addr == 10.10.14.50
      tcp.port == 21
      ftp contains "PASS"
      http contains "Authorization"
      tcp.flags.syn == 1 and tcp.flags.ack == 0
PLAINTEXT PROTOCOLS
FTP (port 21) — USER and PASS sent as cleartext commands

HTTP Basic Auth — credentials Base64 encoded in the Authorization header. Decode to recover user:password

Telnet (port 23) — entire session including passwords is plaintext. Follow TCP Stream to see all keystrokes

DNS โ€” queries can encode exfiltrated data in subdomain labels
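The three plaintext-credential hunts above (FTP USER/PASS, HTTP Basic Auth, Telnet stream reassembly) carried out in code, as an added example written for this page; it is not part of the lab or of Wireshark. The packet records are constructed to look like rows from the packet list, and the helper names (stream_key, follow_tcp_stream, packets_matching and the find_* functions) are this example's own. The FTP password, the Basic token admin:P@ssw0rd and the Telnet login are sample values, not data from apexlab_incident.pcap.

```python
import base64
import re

# Constructed sample packets, shaped like rows in the Wireshark packet list
# (No., source, destination, ports, TCP payload). They are made up for this
# example and are NOT packets from apexlab_incident.pcap.
PACKETS = [
    {"no": 12, "src": "10.10.14.22", "dst": "10.10.14.50", "sport": 51002, "dport": 21,
     "payload": b"USER backup\r\n"},
    {"no": 13, "src": "10.10.14.50", "dst": "10.10.14.22", "sport": 21, "dport": 51002,
     "payload": b"331 Please specify the password.\r\n"},
    {"no": 14, "src": "10.10.14.22", "dst": "10.10.14.50", "sport": 51002, "dport": 21,
     "payload": b"PASS Summer2024!\r\n"},
    {"no": 15, "src": "10.10.14.50", "dst": "10.10.14.22", "sport": 21, "dport": 51002,
     "payload": b"230 Login successful.\r\n"},
    {"no": 40, "src": "10.10.14.22", "dst": "10.10.14.100", "sport": 51010, "dport": 80,
     "payload": b"GET /admin/ HTTP/1.1\r\nHost: 10.10.14.100\r\n"
                b"Authorization: Basic YWRtaW46UEBzc3cwcmQ=\r\n\r\n"},
    # Telnet: a real session carries one keystroke per packet; collapsed here for brevity.
    {"no": 60, "src": "10.10.14.200", "dst": "10.10.14.22", "sport": 23, "dport": 51020,
     "payload": b"login: "},
    {"no": 61, "src": "10.10.14.22", "dst": "10.10.14.200", "sport": 51020, "dport": 23,
     "payload": b"root\r\n"},
    {"no": 62, "src": "10.10.14.200", "dst": "10.10.14.22", "sport": 23, "dport": 51020,
     "payload": b"Password: "},
    {"no": 63, "src": "10.10.14.22", "dst": "10.10.14.200", "sport": 51020, "dport": 23,
     "payload": b"toor\r\n"},
    {"no": 64, "src": "10.10.14.200", "dst": "10.10.14.22", "sport": 23, "dport": 51020,
     "payload": b"# "},
]


def stream_key(pkt):
    """Both directions of one TCP conversation map to the same key, like Wireshark's tcp.stream."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def follow_tcp_stream(packets, stream):
    """Concatenate the payloads of both directions in capture order (what Follow TCP Stream shows)."""
    return b"".join(p["payload"] for p in packets if stream_key(p) == stream)


def packets_matching(packets, port, needle):
    """Rough equivalent of the display filter:  tcp.port == <port> and tcp contains "<needle>"."""
    return [p for p in packets if port in (p["sport"], p["dport"]) and needle in p["payload"]]


def find_ftp_credentials(packets):
    """Pair each USER command with the PASS that follows it on the same control connection."""
    creds, pending = [], {}
    for p in packets:
        if p["dport"] != 21:              # only client -> server commands carry USER/PASS
            continue
        line = p["payload"].decode("ascii", "replace").strip()
        key = stream_key(p)
        if line.upper().startswith("USER "):
            pending[key] = line[5:]
        elif line.upper().startswith("PASS ") and key in pending:
            creds.append({"server": p["dst"], "user": pending.pop(key),
                          "password": line[5:], "packet": p["no"]})
    return creds


BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def find_http_basic_auth(packets):
    """Decode the Base64 token of every Authorization: Basic header seen on the wire."""
    creds = []
    for p in packets:
        m = BASIC_RE.search(p["payload"])
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                      # malformed token: skip it rather than crash
        user, _, password = decoded.partition(":")
        creds.append({"host": p["dst"], "user": user, "password": password, "packet": p["no"]})
    return creds


def find_telnet_credentials(packets):
    """Reassemble each Telnet stream and read what was typed after the login:/Password: prompts."""
    creds = []
    streams = {stream_key(p) for p in packets if 23 in (p["sport"], p["dport"])}
    for stream in sorted(streams):
        text = follow_tcp_stream(packets, stream).decode("ascii", "replace")
        m = re.search(r"login:\s*(\S+)\r?\n.*?Password:\s*(\S+)\r?\n", text, re.DOTALL)
        if m:
            device = next(ip for ip, port in stream if port == 23)
            creds.append({"device": device, "user": m.group(1), "password": m.group(2)})
    return creds


if __name__ == "__main__":
    print(find_ftp_credentials(PACKETS))
    print(find_http_basic_auth(PACKETS))
    print(find_telnet_credentials(PACKETS))
```

The point of pairing USER with PASS per stream key rather than just grepping for "PASS" is the same reason Follow TCP Stream exists: the login is only meaningful as a conversation, and on a busy server several clients interleave. The Base64 decode is done with validate=True so a stray or corrupted header is skipped instead of producing garbage that looks like a finding.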
PORT SCAN DETECTION
Nmap SYN scan: many TCP SYN packets from one source IP to many (often sequential) ports on the same destination, with no completed handshake and no prior connection. Filter: tcp.flags.syn==1 and tcp.flags.ack==0, then sort by destination port and look for the pattern.
DNS EXFILTRATION
Attackers encode data in DNS query names — e.g. aGVsbG8=.evil.com where the subdomain is Base64 data. Look for long subdomains, many NXDOMAIN responses, or high query volume to an external domain.
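The two detection heuristics in this reference (SYN scan by distinct-port count per source/destination pair, DNS exfiltration by subdomain length, label entropy, NXDOMAIN ratio and query volume) implemented over constructed records, as an added example written for this page; it is not part of the lab. The SYN records, the DNS queries, the "payroll" content pushed out through evil.com, and the thresholds min_ports=15, max_label=30, min_entropy=3.5 are all assumptions chosen for the example, not values from apexlab_incident.pcap.

```python
import base64
import math
from collections import defaultdict

# --- Constructed test data (made up for this example, not from apexlab_incident.pcap) ---

# TCP SYN-flag records: a scanner on the workstation probing the web server on
# ports 1-100 (syn=1, ack=0, no handshake completed), plus one ordinary FTP
# connection attempt and its SYN/ACK reply.
SYN_PACKETS = [{"src": "10.10.14.22", "dst": "10.10.14.100", "dport": port, "syn": True, "ack": False}
               for port in range(1, 101)]
SYN_PACKETS += [
    {"src": "10.10.14.22", "dst": "10.10.14.50", "dport": 21, "syn": True, "ack": False},
    {"src": "10.10.14.50", "dst": "10.10.14.22", "dport": 51002, "syn": True, "ack": True},
]

# DNS query records: a few normal lookups plus a constructed CSV pushed out 30 bytes
# at a time as Base64 subdomains of evil.com (the style of the lab's example; real
# tooling more often uses Base32 or hex, since '+', '/' and '=' are not hostname chars
# and DNS names are case-insensitive).
_SECRET = b"".join(f"user{i:02d},555-01-{i:04d},{50000 + i * 1000}\n".encode() for i in range(14))
DNS_QUERIES = [
    {"qname": "intranet.apexlab", "rcode": "NOERROR"},
    {"qname": "www.example.com", "rcode": "NOERROR"},
    {"qname": "mail.example.com", "rcode": "NOERROR"},
    {"qname": "updates.example.net", "rcode": "NOERROR"},
]
for i in range(0, len(_SECRET), 30):
    label = base64.b64encode(_SECRET[i:i + 30]).decode().rstrip("=")
    DNS_QUERIES.append({"qname": f"{label}.evil.com", "rcode": "NXDOMAIN"})


def shannon_entropy(text):
    """Bits per character: plain words sit around 2-3, encoded data nearer 4-5."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_syn_scans(packets, min_ports=15):
    """Group `tcp.flags.syn==1 and tcp.flags.ack==0` packets by (src, dst). A scanner touches
    many distinct destination ports; a normal client touches one or two. `min_ports` is an
    assumed threshold for this example."""
    ports = defaultdict(set)
    for p in packets:
        if p["syn"] and not p["ack"]:
            ports[(p["src"], p["dst"])].add(p["dport"])
    findings = []
    for (src, dst), seen in sorted(ports.items()):
        if len(seen) < min_ports:
            continue
        ordered = sorted(seen)
        steps = list(zip(ordered, ordered[1:]))
        sequential = sum(1 for a, b in steps if b == a + 1) / max(1, len(steps))
        findings.append({"src": src, "dst": dst, "ports": len(seen),
                         "sequential_fraction": round(sequential, 2)})
    return findings


def parent_domain(qname):
    """Crude zone key = last two labels (evil.com). Fine for the lab; not public-suffix aware."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_dns_exfil(queries, min_queries=10, max_label=30, min_entropy=3.5):
    """Score each parent domain on the signs the reference lists: long subdomain labels,
    high-entropy labels, many NXDOMAIN replies, high query volume. Thresholds are assumed."""
    by_domain = defaultdict(list)
    for q in queries:
        by_domain[parent_domain(q["qname"])].append(q)
    findings = []
    for domain, qs in sorted(by_domain.items()):
        first_labels = [q["qname"].split(".")[0] for q in qs]
        longest = max(len(lbl) for lbl in first_labels)
        entropy = sum(shannon_entropy(lbl) for lbl in first_labels) / len(first_labels)
        nxdomain = sum(q["rcode"] == "NXDOMAIN" for q in qs) / len(qs)
        if len(qs) >= min_queries and (longest > max_label or entropy >= min_entropy or nxdomain > 0.5):
            findings.append({"domain": domain, "queries": len(qs), "longest_label": longest,
                             "mean_entropy": round(entropy, 2), "nxdomain_fraction": round(nxdomain, 2)})
    return findings


if __name__ == "__main__":
    print(detect_syn_scans(SYN_PACKETS))
    print(detect_dns_exfil(DNS_QUERIES))
```

Grouping by (src, dst) and counting distinct destination ports is what the reference's "many SYNs to sequential ports with no prior connection" reduces to; the sequential_fraction field separates a default port sweep from a randomized one. For DNS, no single signal is decisive (CDNs also produce long, high-entropy labels), so the detector requires volume plus at least one of the other signs before it reports a domain.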