
Contents

Introduction (p. 2)
  Table 1.1 shows the metadata of the live capture provided (p. 3)
URLs Visited (p. 3)
  Table 2.1 illustrates the websites accessed on the live capture provided (p. 5)
Videos Accessed (p. 5)
  Table 3.1 shows the videos accessed (p. 6)
Files Downloaded (p. 6)
  Table 4.1 shows the files downloaded (p. 7)
Chain of Custody (p. 7)
  Table 5.1 shows the chain of custody of the packet capture (p. 8)
Graphical Representation of Traffic (p. 8)
  Figure 1.1 Time-Sequence Graph (p. 9)
Appendix (p. 10)
  Figure 2.1 HTTP Export Objects (p. 10)
TCP Zero Window (p. 10)
  Figure 3.1 displays packets with TCP zero window (p. 11)
TCP Window Full (p. 11)
  Figure 4.1 shows TCP window full display (p. 12)
Conclusion (p. 12)
Reference (p. 13)

Introduction
The live packet capture received from the organization contains 373781 frames and was analyzed to identify any possibility of illegal activities or associations with organized crime. This work is being carried out on the basis of a suspicious member of the organization, who is suspected of malicious behaviour and of staying behind after working hours to use the business network for personal use. The organization used Wireshark to capture live packets, which helps to analyze network activities, intrusions and threat-related issues. The detailed packet capture was handed to a wireless network security specialist, with the metadata shown in table 1.1, to investigate and report the issues identified using the same analytical tool. This report outlines the URLs visited, the videos accessed, the files downloaded and the incidents that occurred. The report has registered all the visited sites, including ones that are linked to issues regarding organized crime. This has been achieved by showing different levels of traffic and various protocols (Barker, 2016) (Wireshark.org, 2016).

Table 1.1 shows the metadata of the live capture provided.

URLs Visited
The table 2.1 below outlines the websites visited on the live capture provided.

Columns: Filter expression/Time | Description | Content accessed

Filter expression/Time: tcp.stream eq 117; Frame Number: 157726 to 161957; from 05:08:40.163487000 to 10:08:55.554688000, Feb 24, 2017, W. Australia Standard
Description: Internal host KrysUltrabook.local (192.168.88.252) was used to browse external web sites, some of which contained hacking materials that were detected and logged.
Content accessed: Access of web content on www.lifehacker.com, how-to-crack-wep-and-wpa-wi-fi-passwords

Filter expression/Time: tcp.stream eq 117; Arrival Time: Feb 24, 2017 05:05:20.553318000
Description: Internet Protocol Version 4, Src: KrysUltrabook.local (192.168.88.252), Dst: SG01SL03-SYD01.inscname.net (103.243.12.70)
Content accessed: Viewed the content on website www.pcmag.com

Filter expression/Time: tcp.stream eq 1343; Feb 24, 2017 05:07:23.017562000
Description: Host 192.168.88.252 communicated with 104.97.239.38
Content accessed: Viewed content on website dailylifetech.com

Filter expression/Time: ip.src ==192.168.88.252 && http; Arrival Time: Feb 24, 2017 05:08:36.597579000; Epoch Time: 1487902116.597579000 seconds; Frame Number: 157186
Description: Source address: Routerbo_32:82:b2 (4c:5e:0c:32:82:b2); Internet Protocol Version 6, Src: wifipasser.com (2400:cb00:2048:1::681b:b6c8), Port: http (80); Destination: KrysUltrabook.local (2400:6980:10ca:73:4934:553b:e2f:8f), Port: 56011 (56011)
Content accessed: View a list of HTTP traffic and websites visited. http://wifipasser.com/; Server: cloudflare-nginx; File Data: 24586 bytes

Filter expression/Time: tcp.stream eq 2174; Feb 24, 2017 05:13:08.178094000; Frame Number: 256200; Epoch Time: 1487902388.178094000 seconds
Description: Source address: (5c:51:4f:ea:04:84); Internet Protocol Version 4, Src: KrysUltrabook.local (192.168.88.252); Destination address: Routerbo (4c:5e:0c:32:82:b2), Dst: www.taringa.net (104.16.255.64)
Content accessed: http://www.taringa.net/posts/links/14308981/Descargar-wifiway-3-4-iso-tutorial-wpa.html

Filter expression/Time: tcp.stream eq 341; Feb 24, 2017 10:03:56.663145000
Description: (none given)
Content accessed: https://www.geotrust.com/resources/repository

Filter expression/Time: tcp.stream eq 1696; Arrival Time: Feb 24, 2017 10:10:38.246771000; Epoch Time: 1487902238.246771000 seconds; Frame Number: 181236
Description: Internet Protocol Version 6, Src: KrysUltrabook.local (2400:6980:10ca:73:d00c:1ef4:735a:a72a), Dst: accounts-cctld.l.google.com (2404:6800:4006:805::2003), Port: 56372, Dst Port: http (80)
Content accessed: The link below shows that the KrysUltrabook device accessed a gmail account. http://www.google.com.au/accounts/Logout2?hl=en&service=mail&ilo=1&ils=s.AU&ilc=2&continue=https%3A%2F%2Fmail.google.com%2Fmail&zx=29495523

Filter expression/Time: From the Wireshark interface: File > Export Objects > HTTP, at 2.25am 7:4:2017
Description: Allows all the packets containing HTTP to be displayed and listed. This enables easy viewing of UDP streams and following up the conversations linking to the same packet stream. It precisely lists all website URLs that could have been viewed and their associated hosts, as an ultimate check for any sites or files downloaded.
Content accessed: The figure 3.1 below displays the list of the conversations that the host device made.

Filter expression/Time: udp.stream eq 103
Description: Internet Protocol Version 4, Src: KrysUltrabook.local (192.168.88.252), Dst: 192.168.88.255 (192.168.88.255)
Content accessed: Dropbox LAN sync Discovery Protocol was identified. Number value: 102179954530198685452470386753124833699

Table 2.1 illustrates the websites accessed on the live capture provided.

Videos Accessed

The table 3.1 below shows the videos accessed on the live packet capture together with the related protocol.

Columns: Filter expression | Descriptions | Video accessed

Filter expression: udp.stream; Arrival Time: Feb 24, 2017 05:06:55.637317000
Descriptions: Name: t.teads.tv; User Datagram Protocol, Src Port: 57269, Dst Port: 53
Video accessed: plugin.mediavoice.com

Filter expression: ipv6.host contains "video"; Arrival Time: Feb 24, 2017 10:04:56.458640000
Descriptions: Src: (2404:6800:4006:804::200e), Dst: KrysUltrabook.local (2400:6980:10ca:73:4934:553b:e2f:8f)
Video accessed: Helps to filter all IPv6 packets containing videos. r2.sn-55goxu-2xge.googlevideo.com; Data: 41773c24d956e27f75221a4dd9c7b6fd391d4dcaad9aca09...

Filter expression: tcp.stream eq 983; Arrival Time: Feb 24, 2017 05:06:03.197297000; Epoch Time: 1487901963.197297000 seconds; Frame Number: 106027
Descriptions: Host device fp1.ads.stickyadstv.com.akadns.net (209.58.181.199), Src Port: http (80) on Transmission Control Protocol, linked video content to the destination device KrysUltrabook.local (192.168.88.252), Dst Port: 55372, Transmission Control Protocol, Seq: 3565, Ack: 8657
Video accessed: Video content was viewed on the link http://sky.sync.yume.com/tracker/dynami
  GET /auto-user-sync HTTP/1.1
  Host: ads.stickyadstv.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://www.dailymotion.com/embed/video/x3g05uu

Filter expression: udp.stream eq 472; Arrival Time: Feb 24, 2017 05:03:50.170122000; Epoch Time: 1487901830.170122000 seconds
Descriptions: Src: KrysUltrabook.local (192.168.88.252), Port: 60192 connected to Dst: (192.168.2.50), Dst Port: domain (53)
Video accessed: www.youtube.com

Filter expression: udp.stream eq 1499; Arrival Time: Feb 24, 2017 05:06:14.562422000
Descriptions: Src: 192.168.88.1, Port: domain (53); Dst: KrysUltrabook.local, Dst Port: 51428
Video accessed: Video content was viewed on the website videoamp.com. Name Server: ns-1702.awsdns-20.co.uk; usersync.videoamp.com: 34.199.23.51

Filter expression: ip.addr==192.168.88.252 && dns
Descriptions: Src: KrysUltrabook.local 192.168.88.252, Dst: 192.168.2.50
Video accessed: Lists all activity related to the DNS protocol. Allows for searching of the videos accessed.

Table 3.1 shows the videos accessed.

Files Downloaded
The table 4.1 below shows the files downloaded on the live packet capture provided. The packet number, time and host are included.
Columns: Filter expression | Descriptions | Plain text

Filter expression: tcp.stream eq 0; Arrival Time: Feb 24, 2017 5:03:04.195956000; Epoch Time: 1487901784.195956000 seconds
Descriptions: Internet Protocol Version 4, Src: KrysUltrabook.local (192.168.88.252), Dst: 4-c-0003.c-msedge.net (13.107.4.52); Transmission Control Protocol, Src Port: 63314 (63314), Dst Port: http (80), Seq: 112, Ack: 823, Len: 0
  HTTP/1.1 200 OK
  Content-Length: 22
  Content-Type: text/plain
  Last-Modified: Fri, 04 Mar 2016 06:55:03 GMT
  Date: Fri, 24 Feb 2017 02:03:04 GMT
Plain text:
  ETag: "0x8D343F9E96C9DAC"
  Server: Microsoft-IIS/7.5
  x-ms-request-id: ffbd8b48-0001-006b-3e8b-8bd4f2000000
  x-ms-version: 2009-09-19
  x-ms-meta-CbModifiedTime: Tue, 01 Mar 2016 21:41:22 GMT
  X-ECN-P: RD0003FF838204
  F7F04245017041138DB9CD254688E897 Ref B: PER01EDGE0113 Ref C: Thu Feb 23 18:03:04 2017 PST
  X-MSEdge-Ref-OriginShield: Ref A: 6E997EA28A5D436E81E963C238D22F88 Ref B: MEL01EDGE0506 Ref C: Wed Feb 22 19:55:47 2017 PST

Filter expression: tcp.stream eq 1140; Feb 24, 2017 05:06:54.578721000
Descriptions: Src: 192.168.88.252, Source Port: 55561 communicated with the device on Destination address: Routerbo_32:82:b2 (4c:5e:0c:32:82:b2); Internet Protocol Version 4, Dst: 209.17.68.209, Destination Port: 80
Plain text: Viewed and downloaded an image vg3j8l.jpg on website Wifiway.org

Filter expression: tcp.stream eq 1407; Arrival Time: Feb 24, 2017 05:07:34.290374000; Epoch Time: 1487902054.290374000 seconds; Frame Number: 136466
Descriptions: Source address: KrysUltrabook.local (5c:51:4f:ea:04:84), IP 192.168.88.252, Source Port: 55863 connected to Destination: Routerbo_32:82:b2 (4c:5e:0c:32:82:b2), IP address (192.124.249.8), Port: http (80)
Plain text: Accessed a gzip-compressed image nav-black.png. The source device sent Request URI: /images/nav-black.png to Host: www.backtrack-linux.org, which responded with URI: http://www.backtrack-linux.org/images/nav-black.png

Table 4.1 shows the files downloaded.

Chain of Custody

Packet Capture: CSG5308_Ass01. Investigator ID: 10435926 (Charles Njuguna). The table 5.1 below shows the chain of custody.

Columns: Filename | Date and steps taken | Description of Evidence | MD5 Hash of File

Filename: Krishnun. Live Packet Capture Analysis/Kismet-Feb-24-2017.dump.
Date and steps taken: Feb-24-2017 2.01:46 AM - 2.17:00 AM; completed
Description of Evidence: A newly captured live packet capture from the organization's network, with file name Kismet-Feb-24-2017-2.dump.
MD5 Hash of File: 3cacf5bb62487a7b6df5005c733426

Filename: Krishnun Sansoorah. Live Packet Capture uploaded to ECU secured blackboard to be accessed by the Network Security Specialist.
Date and steps taken: 8 March 2017 4:46:13
Description of Evidence: The live packet captured, available on the ECU secure network.
MD5 Hash of File: 3cacf5bb62487a7b6df5005c733426

Filename: Charles Njuguna. Opened the ECU secure network blackboard and viewed the capture file.
Date and steps taken: 13 March 2017 4:46:13
Description of Evidence: Accessed and downloaded the captured packet from the ECU secure network.
MD5 Hash of File: 3cacf5bb62487a7b6df5005c733426

Table 5.1 shows the chain of custody of the packet capture.
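The hash column in table 5.1 is only useful if each handler recomputes it before working on the file. The Python script below is an added example, not part of the original report: it recomputes the capture's MD5 (and a SHA-256, which the report does not record), refuses to proceed on a mismatch, and prints a new custody row. The script name verify_custody.py, the tab-separated row format and the in-memory hashing helper are assumptions for this illustration.

```python
import hashlib
import io
import sys
from datetime import datetime, timezone

def digests(stream, chunk_size=1 << 20):
    """Read the evidence once, in chunks, and return (md5_hex, sha256_hex)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def digests_of_bytes(data):
    """Same hashes for in-memory data; used to self-check against known test vectors."""
    return digests(io.BytesIO(data))

def file_digests(path):
    """Hash a capture file on disk, such as the .dump files listed in table 5.1."""
    with open(path, "rb") as fh:
        return digests(fh)

def hash_matches(computed_hex, recorded_hex):
    """True only when the computed hash equals the custody record (case and whitespace
    ignored); any other difference means this is not the file that was handed over."""
    return computed_hex.strip().lower() == recorded_hex.strip().lower()

def custody_entry(handler, action, path, md5_hex, sha256_hex, when=None):
    """One chain-of-custody row: handler, UTC timestamp, action, file and both hashes."""
    when = when or datetime.now(timezone.utc)
    return "\t".join([handler, when.strftime("%Y-%m-%d %H:%M:%S UTC"), action, path,
                      md5_hex, sha256_hex])

if __name__ == "__main__":
    # usage (hypothetical script name): verify_custody.py <capture file> <MD5 from the custody record>
    capture, recorded_md5 = sys.argv[1], sys.argv[2]
    md5_hex, sha256_hex = file_digests(capture)
    if not hash_matches(md5_hex, recorded_md5):
        sys.exit(f"MD5 mismatch: computed {md5_hex}, custody record says {recorded_md5}")
    print(custody_entry("Charles Njuguna", "Verified hash and opened capture", capture,
                        md5_hex, sha256_hex))
```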

Graphical Representation of Traffic

The Figure 1.1 Time-Sequence Graph below shows a graphical representation of the packets. This includes the source IP address directing traffic against time, which associates DNS and TCP activity. The correlation indicates the use of this specific IP address in response to related activity.

Figure 1.1 Time-Sequence Graph

Appendix

The figure 2.1 below illustrates the HTTP Export Objects list, as stated above. This utility precisely outlines all HTTP-associated objects, easily showing the URLs accessed.

Figure 2.1 HTTP Export Objects

TCP Zero Window

The expression tcp.analysis.zero_window indicated that the device KrysUltrabook.local (192.168.88.252) kept its window size at zero at Epoch Time 1487902409.449337000 seconds. The device was unable to receive further data at that moment, and the TCP transmission was halted. When the device initiates a TCP connection to the server, it informs the server of the amount of data it can receive through the Window Size field. The figure 3.1 below displays packets with a TCP zero window. Most Windows machines start with a value of about 64515 bytes. The size decreases as the TCP session proceeds and the server starts sending data. Whenever the TCP Window Size drops to 0, the client device cannot receive any more data until it processes its buffer and opens the window up again.

The figure 3.1 displays packets with TCP zero window
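The following Python script is an added example, not part of the original report: it applies the same condition that Wireshark's tcp.analysis.zero_window filter highlights (a TCP segment whose advertised window is 0) directly to a classic libpcap file, without Wireshark. The sample capture is constructed inline from addresses and ports that appear in this report; the parser handles only Ethernet/IPv4/TCP frames and is an assumption of this illustration.

```python
import struct

def tcp_frame(src, dst, sport, dport, window):
    """Constructed Ethernet + IPv4 + TCP frame; only fields the parser reads are filled."""
    eth = b"\x00" * 12 + b"\x08\x00"  # EtherType: IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return eth + ip + tcp

def pcap_file(records):
    """Wrap (timestamp, frame) pairs in a little-endian libpcap file, link type Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def zero_window_packets(pcap_bytes):
    """Return (ts, src, dst, sport, dport) for every TCP segment advertising window 0,
    the condition the report's tcp.analysis.zero_window filter highlights."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    end = "<" if magic == 0xA1B2C3D4 else ">"  # header byte order
    hits, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        ts, _, caplen, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6 or len(frame) < 14 + ihl + 20:  # not TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        window, = struct.unpack("!H", tcp[14:16])
        if window == 0:
            hits.append((ts, src, dst, sport, dport))
    return hits

# Constructed sample, not the report's capture: the client advertises window 0 (the stall
# described above), then a window update of 64515 bytes reopens it.
CLIENT = bytes([192, 168, 88, 252])  # KrysUltrabook.local
SERVER = bytes([103, 243, 12, 70])   # server address taken from table 2.1
SAMPLE_PCAP = pcap_file([(1487902409, tcp_frame(CLIENT, SERVER, 56011, 80, 0)),
                         (1487902410, tcp_frame(CLIENT, SERVER, 56011, 80, 64515))])

if __name__ == "__main__":
    for ts, src, dst, sport, dport in zero_window_packets(SAMPLE_PCAP):
        print(f"zero window at {ts}: {src}:{sport} -> {dst}:{dport}")
```

Only the first segment is reported; the window update that follows is exactly what the receiver must send before the server can resume transmission.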

TCP Flow Graph

Wireshark identified that many bytes were being sent to the receiver on port number 80; the handshake shows some PSH segments before an acknowledgement. The figure 4.1 below shows the TCP flow graph in different segments.

The figure 4.1 shows TCP window full display.

Conclusion

This report has investigated the legality of the activity in the packet capture and the possibility that it relates to organized crime that could cause damage to the organization's network. The live packet capture taken with Wireshark was analyzed by a wireless network specialist for investigation. Many files were accessed, viewed and downloaded that relate to how Wi-Fi passwords can be hacked, and security articles were also accessed and downloaded, which shows an interest in cracking passwords. Behaviour relating to this is reported in figure 3.1 above, including the apparent intention to fill the system's TCP window and the TCP zero window.

In this report, network traffic from a live network is shown by taking various traces; monitoring and analysis were done on the captured files and statistics were then built. Detailed analysis and summaries, as well as conversations between two end points, are shown. One interesting option that Wireshark gives is Export Objects, which lists the captured objects, or in other words which users on the network used which of the listed sites. Graphs of the captured files are shown, along with other expressions used to analyze specific traffic in the network. The output graph generated from the captured packets provides details of the network and insight into the problems that lead to network interference.

Although the activity is not incriminating on its own, it is highly suspicious and may indicate other activity; it may also be entirely for educational purposes. The information may be handed to more appropriate authorities for further investigation in relation to criminal activity.

Reference

Wireshark.org. (2016). Wireshark Frequently Asked Questions. https://www.wireshark.org/faq.html
Barker, K. (Producer). (2016). CBT Nuggets Wireshark. https://www.cbtnuggets.com/it-training/wireshark-training-videos
