FRS401_LAB12_IA1262_LongNN_SE63194.docx (preview of pages 1-5 of 38)

[FRS401_LAB12_IA1262_LongNN_SE63194] LAB 12: NETWORK FORENSICS & DATA HIDING

1. Analysis of Trace Files using ProfSIMS Toolkit:
- Run the Toolkit (ProfSims) and select the Packet Capture->Open TCPDump tab. This shows the various .pcap traffic capture files created by TCPDump which we will analyze. Open the FTP traffic capture using the Open TCPDump button, as shown in Figure 1.
- At the same time run Wireshark and open the capture files from the C:\netwsimsToolkit\log directory, using File>Open.
2. Analysis of Trace Files using Text Editor:
- To compare this to the raw TCPDump output (a text file), also open the C:\netwsimsToolkit\log\ftp.txt file in a text editor, as shown below. It is very important to be able to read and understand this type of text trace, as in many situations it may be all that is available.
3. FTP Analysis:
- FTP connections begin with a TCP handshake; the client can then issue commands, and the server should respond with numerical codes. Secondary channels are used to transfer data.
- What size are packets 1, 2, 3 and 4 (in bytes)?
  o 1: Frame 1: 42 bytes.
  o 2: Frame 2: 42 bytes.
  o 3: Frame 3: 74 bytes.
  o 4: Frame 4: 78 bytes.
- Which 2 of the 3 analysis tools showed this?
  o Text Editor.
  o WireShark.
- What are the 3 different protocols used in the first 6 packets?
- How does the Ethernet header > Type field differ for these protocols?
  o ARP -> Type: ARP
  o TCP & FTP -> Type: IPv4
- Host src TCP port (Hint: Examine the Source Port on Packet 3): 3655.
- Server src TCP port (Hint: Examine the Destination Port on Packet 3): 21.
- Host src IP address (Hint: Examine the Source IP on Packet 3):
- Server src IP address (Hint: Examine the Dest IP on Packet 3):
- What is the MAC address of the server (Hint: Examine the reply for Packet 2):
- Identify the packets used for the SYN, SYN/ACK and ACK sequence (Hint: packets 3 to 5 look interesting):
- Which users access the FTP server in the trace? (Hint… Search the text trace or Wireshark (Edit>Find) for the FTP client command USER)
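The checks in section 3 (frame sizes, the Ethernet Type field per protocol, the server MAC from the ARP reply, the SYN / SYN-ACK / ACK triple, and the USER commands sent to port 21) can be scripted against a pcap instead of read off by hand in Wireshark or the text trace. The Python below is an added example, not part of the lab or of the ProfSIMS toolkit. Because the lab's ftp.pcap is not reproduced on the page, it builds its own small trace in memory: the MAC addresses, the 192.0.2.x IP addresses, the user names and the zeroed checksums are all constructed, and the only values it deliberately shares with the lab are the ports 3655/21 and the first four frame sizes, which are chosen to mirror the 42/42/74/78 answers above. To run it on a real capture, replace `build_sample_pcap()` with `open(path, "rb").read()`; the parser handles classic little-endian pcap with an Ethernet link type only (no pcapng, no VLAN tags, no IP fragments), which is exactly what a TCPDump `-w` file from the toolkit is expected to be.

```python
import struct

# Constructed test data: nothing here comes from the lab's real ftp.pcap.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 21])
SYN, ACK, PSH = 0x02, 0x10, 0x08
ETH_TYPE = {0x0800: "IPv4", 0x0806: "ARP"}


def _eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def _arp(op, sha, spa, tha, tpa):                # 28-byte ARP body -> 42-byte frame
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa


def _tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", options=b""):
    # Checksums are left at 0 (constructed data); this parser never validates them.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      ((20 + len(options)) // 4) << 4, flags, 8192, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return ip + tcp


def build_sample_pcap():
    """Constructed trace: ARP request/reply, three-way handshake, banner, two USER commands."""
    opts_syn = bytes.fromhex("020405b40402080a000000010000000001030307")          # 20 bytes
    opts_synack = bytes.fromhex("020405b40402080a00000002000000010103030701010100")  # 24 bytes
    c2s = lambda *a, **k: _eth(SERVER_MAC, CLIENT_MAC, 0x0800, _tcp(CLIENT_IP, SERVER_IP, 3655, 21, *a, **k))
    s2c = lambda *a, **k: _eth(CLIENT_MAC, SERVER_MAC, 0x0800, _tcp(SERVER_IP, CLIENT_IP, 21, 3655, *a, **k))
    frames = [
        _eth(b"\xff" * 6, CLIENT_MAC, 0x0806, _arp(1, CLIENT_MAC, CLIENT_IP, b"\0" * 6, SERVER_IP)),
        _eth(CLIENT_MAC, SERVER_MAC, 0x0806, _arp(2, SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP)),
        c2s(100, 0, SYN, options=opts_syn),                      # frame 3: 74 bytes
        s2c(500, 101, SYN | ACK, options=opts_synack),           # frame 4: 78 bytes
        c2s(101, 501, ACK),                                      # frame 5: 54 bytes
        s2c(501, 101, PSH | ACK, b"220 FTP server ready\r\n"),
        c2s(101, 523, PSH | ACK, b"USER alice\r\n"),
        s2c(523, 113, PSH | ACK, b"331 Password required\r\n"),
        c2s(113, 546, PSH | ACK, b"USER bob\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000, n * 1000, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Split a little-endian classic pcap into raw Ethernet frames."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled)")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frames.append(data[off + 16: off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def dissect(frame):
    """Ethernet -> ARP, or IPv4/TCP (labelled FTP when port 21 carries data)."""
    etype, = struct.unpack_from("!H", frame, 12)
    info = {"size": len(frame), "eth_type": ETH_TYPE.get(etype, hex(etype)), "proto": "other"}
    if etype == 0x0806:
        op, = struct.unpack_from("!H", frame, 20)          # ARP opcode: 6 bytes into the ARP body
        info.update(proto="ARP", arp_op={1: "request", 2: "reply"}.get(op, op),
                    sender_mac=frame[22:28].hex(":"))
    elif etype == 0x0800:
        ihl = (frame[14] & 0x0F) * 4
        info.update(src_ip=".".join(map(str, frame[26:30])), dst_ip=".".join(map(str, frame[30:34])))
        if frame[23] == 6:                                  # IP protocol 6 = TCP
            t = 14 + ihl
            sport, dport = struct.unpack_from("!HH", frame, t)
            payload = frame[t + (frame[t + 12] >> 4) * 4:]
            info.update(proto="TCP", sport=sport, dport=dport, flags=frame[t + 13], payload=payload)
            if 21 in (sport, dport) and payload:
                info["proto"] = "FTP"
    return info


def find_handshake(infos):
    """1-based frame numbers of the first SYN, SYN/ACK, ACK triple on one client port."""
    tcp = [(n, x) for n, x in enumerate(infos, 1) if "flags" in x]
    for n1, a in tcp:
        if (a["flags"] & (SYN | ACK)) != SYN:
            continue
        for n2, b in tcp:
            if n2 > n1 and (b["flags"] & (SYN | ACK)) == (SYN | ACK) and b["dport"] == a["sport"]:
                for n3, c in tcp:
                    if n3 > n2 and (c["flags"] & (SYN | ACK)) == ACK and c["sport"] == a["sport"]:
                        return (n1, n2, n3)
    return None


def ftp_users(infos):
    """Every USER argument sent to port 21 (the lab's Edit>Find for 'USER', automated)."""
    return [x["payload"][5:].strip().decode("ascii", "replace")
            for x in infos if x.get("dport") == 21 and x.get("payload", b"").startswith(b"USER ")]


def analyze(data):
    infos = [dissect(f) for f in parse_pcap(data)]
    return {"sizes": [x["size"] for x in infos],
            "eth_types": [x["eth_type"] for x in infos],
            "protocols": sorted({x["proto"] for x in infos[:6]}),
            "server_mac": next(x["sender_mac"] for x in infos if x.get("arp_op") == "reply"),
            "handshake": find_handshake(infos),
            "users": ftp_users(infos)}


if __name__ == "__main__":
    for key, value in analyze(build_sample_pcap()).items():
        print(f"{key}: {value}")
```

On the constructed trace this reports sizes starting 42, 42, 74, 78, the Ethernet Type switching from ARP to IPv4 at frame 3, the protocol set {ARP, TCP, FTP} in the first six frames, the handshake at frames 3-5 and the users alice and bob. The point of writing the handshake search as a state machine over the TCP flags rather than "frames 3 to 5" is that on a real capture the triple is often not at the start of the file, and the client port is the key that ties the three frames together.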