Project #3, Part 1: Packet Traces

Project 3 part 2 is available here.

The trace files (300M) needed for this project are available here.

Overview

In the world of network security, it is very likely that you will find yourself peering at a collection of raw packets (a file of which is typically called a packet trace). Packet traces are often used for network forensics, analyzing (or reverse engineering) protocols, and (as you will soon find out) debugging and trouble shooting during network development.

The purpose of this portion of the assignment is to get you comfortable looking at packet traces. Your job is to use a packet analyzer to go through the trace files we give you (available here) and answer the following questions.

Trace 1: HTTP Trace

Analyse the packets from the source IP "128.12.173.14".

• What sites did we visit?
• What did we search for?
• Also list the IP addresses for all major sites visited by us.

Trace 2: HTTPS Trace

Analyse the packets from the source IP "128.12.173.14".

• What domain names were resolved and what were their IP Addresses?
  
  Observe the first https protocol trace.
  
• What was the name of the certificate issuing authority?
• Name the encryption algorithm used.
• What was the key and the size of the key used during encryption?
• What was the expiration date and time on the issued certificate?
• Give the complete cipher suite that the browser supports.
• Give the cipher suite that the server supports.

Trace 3: FTP Trace
• What was the login name and password used for connecting to the ftp server?
• Identify exactly where there are passive and active ftp connections in the trace.Explain briefly the difference between active and passive FTP.
• What file(s) were downloaded? Give their complete download path and their sizes.

Trace 4: TraceRoute

Analyse the packets from the source IP "128.12.173.14".

• TraceRoute tool is run to find the route to which site?
• List the IP addresses observed in the route from source to destination during the TraceRoute.

Trace 5: POP3 Trace
• Give the login name and password we used.
• How many e-mails have been received by the account? Give details about fields such as 'from:','subject:' and 'date:' for every mail.

Traces 6,7,8 & 9 represent attacks on the network.
• Identify each attack and explain what they hope to achieve briefly.
• What were the target domains in each of the attacks?

To poke through the trace file, you are going to want to enlist the help of Wireshark. We highly recommend that you use Wireshark because it has much more comprehensive functionality for decoding packets.

Hint:

• Use filtering. Most of the questions above can be answered easily if you know which filter string to pass your packet parsing tool.

Deliverables