Part III: Hands-On Labs Chapter 1

Network Analysis Labs

Practical packet capture, Wireshark mastery, traffic analysis techniques, and protocol deep-dive exercises

Chapter 1: Network Analysis Labs

Lab Overview

These labs build foundational packet analysis skills essential for both network troubleshooting and security analysis. You’ll learn to capture, filter, and interpret network traffic at the packet level.


Lab 1.1: Wireshark Fundamentals

Objective

Master basic Wireshark capture, filtering, and navigation.

Difficulty: Beginner | Time: 30 minutes

Prerequisites

  • Wireshark installed
  • Network interface with traffic

Instructions

Part 1: Capture Traffic

# Start Wireshark on your interface
# GUI: Click interface → Start capture
# Or command line:
tshark -i eth0 -w basic_capture.pcap

# Generate some traffic
ping google.com
curl http://example.com

Part 2: Display Filters

Practice these display filters:

# Protocol filters
tcp
udp
icmp
dns
http
tls

# IP filters
ip.addr == 192.168.1.100
ip.src == 192.168.1.100
ip.dst == 8.8.8.8

# Port filters
tcp.port == 80
tcp.dstport == 443
udp.port == 53

# Combining filters
ip.addr == 192.168.1.100 and tcp.port == 80
http or dns
tcp.flags.syn == 1 and tcp.flags.ack == 0

# Excluding traffic
not arp
!(ip.addr == 192.168.1.1)

Part 3: Following Streams

1. Find an HTTP request in the capture
2. Right-click → Follow → TCP Stream
3. Observe the complete conversation
4. Note the stream index number

Also try:
- Follow → HTTP Stream (reconstructs HTTP)
- Follow → TLS Stream (if decryption available)

Verification

  • Captured packets successfully
  • Applied at least 5 different filters
  • Followed a TCP stream
  • Exported a stream to file

Challenge Extension

Create a display filter that shows only:

  • TCP packets with SYN flag set but not ACK
  • From your machine to any destination
  • On ports 80 or 443

Lab 1.2: TCP Three-Way Handshake Analysis

Objective

Observe and understand TCP connection establishment.

Difficulty: Beginner | Time: 30 minutes

Instructions

Part 1: Capture Handshake

# Start capture with filter
tshark -i eth0 -f "tcp port 80" -w handshake.pcap &

# Generate TCP connection
curl http://example.com

# Stop capture
killall tshark

Part 2: Analyze in Wireshark

Filter: tcp.flags.syn == 1 or tcp.flags.fin == 1

Identify the three-way handshake:
1. SYN (Client → Server)
   - tcp.flags.syn == 1 and tcp.flags.ack == 0
   - Note: Initial Sequence Number (ISN)
   
2. SYN-ACK (Server → Client)
   - tcp.flags.syn == 1 and tcp.flags.ack == 1
   - Note: Server ISN, Ack = Client ISN + 1
   
3. ACK (Client → Server)
   - tcp.flags.syn == 0 and tcp.flags.ack == 1
   - Note: Seq = Client ISN + 1, Ack = Server ISN + 1

Part 3: Document Findings

Record in your notes:

  • Client IP and port
  • Server IP and port
  • Client ISN
  • Server ISN
  • TCP options negotiated (MSS, Window Scale, SACK)

Expected Output

Packet 1: SYN
    Source: 192.168.1.100:54321
    Dest: 93.184.216.34:80
    Seq: 1000000 (relative: 0)
    Flags: SYN

Packet 2: SYN-ACK
    Source: 93.184.216.34:80
    Dest: 192.168.1.100:54321
    Seq: 2000000 (relative: 0)
    Ack: 1000001 (relative: 1)
    Flags: SYN, ACK

Packet 3: ACK
    Source: 192.168.1.100:54321
    Dest: 93.184.216.34:80
    Seq: 1000001 (relative: 1)
    Ack: 2000001 (relative: 1)
    Flags: ACK
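To make the seq/ack arithmetic from Part 2 concrete, here is an added example (not part of the original lab) that rebuilds the three packets from the Expected Output as raw IPv4/TCP bytes, parses them the way a dissector would, and checks each handshake step: that the SYN-ACK acknowledges the client ISN + 1, and that the final ACK carries seq = client ISN + 1 and ack = server ISN + 1. The packet bytes, addresses and ISNs are constructed from the values above; the function and field names are this example's own.

```python
import socket
import struct

SYN, ACK = 0x02, 0x10

# Constructed sample (not a real capture): the three packets listed under
# "Expected Output", built as raw IPv4 + TCP bytes so this runs offline.
CLIENT = ("192.168.1.100", 54321)
SERVER = ("93.184.216.34", 80)
CLIENT_ISN, SERVER_ISN = 1000000, 2000000


def build_packet(src, dst, seq, ack, flags):
    """Minimal IPv4 header + 20-byte TCP header; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], seq, ack,
                      5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src[0]), socket.inet_aton(dst[0]))
    return ip + tcp


SAMPLE_PACKETS = [
    build_packet(CLIENT, SERVER, CLIENT_ISN, 0, SYN),                      # 1: SYN
    build_packet(SERVER, CLIENT, SERVER_ISN, CLIENT_ISN + 1, SYN | ACK),   # 2: SYN-ACK
    build_packet(CLIENT, SERVER, CLIENT_ISN + 1, SERVER_ISN + 1, ACK),     # 3: ACK
]


def parse_packet(raw):
    """Pull the fields Wireshark shows for an IPv4/TCP packet out of raw bytes."""
    ihl = (raw[0] & 0x0F) * 4
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    return {
        "src": (socket.inet_ntoa(raw[12:16]), sport),
        "dst": (socket.inet_ntoa(raw[16:20]), dport),
        "seq": seq,
        "ack": ack,
        "syn": bool(offset_flags & SYN),
        "ack_flag": bool(offset_flags & ACK),
    }


def _first(packets, **want):
    """First parsed packet whose listed fields all match (None if absent)."""
    return next((p for p in packets if all(p[k] == v for k, v in want.items())), None)


def find_handshake(packets):
    """Locate SYN, SYN-ACK and ACK and verify the seq/ack arithmetic from Part 2.

    Returns endpoints, both ISNs and Wireshark-style relative sequence numbers;
    raises ValueError naming the first handshake step that is missing or wrong.
    """
    pk = [parse_packet(p) for p in packets]
    syn = _first(pk, syn=True, ack_flag=False)
    if syn is None:
        raise ValueError("no SYN: the client never attempted the connection")
    client, server, client_isn = syn["src"], syn["dst"], syn["seq"]

    synack = _first(pk, syn=True, ack_flag=True, src=server, dst=client)
    if synack is None:
        raise ValueError("no SYN-ACK: server unreachable or a firewall dropped the SYN")
    server_isn = synack["seq"]
    if synack["ack"] != (client_isn + 1) & 0xFFFFFFFF:
        raise ValueError("SYN-ACK does not acknowledge client ISN + 1")

    final = _first(pk, syn=False, ack_flag=True, src=client, dst=server)
    if final is None:
        raise ValueError("no final ACK: the client did not complete the handshake")
    if final["seq"] != (client_isn + 1) & 0xFFFFFFFF or final["ack"] != (server_isn + 1) & 0xFFFFFFFF:
        raise ValueError("final ACK seq/ack are not ISN + 1 on both sides")

    # "Relative" numbers as Wireshark shows them: offset from each sender's own ISN
    relative = [(p["seq"] - (client_isn if p["src"] == client else server_isn)) & 0xFFFFFFFF
                for p in (syn, synack, final)]
    return {"client": client, "server": server, "client_isn": client_isn,
            "server_isn": server_isn, "relative_seq": relative}


if __name__ == "__main__":
    for key, value in find_handshake(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

Feeding it only packets 1 and 3 raises the "no SYN-ACK" error, which is exactly the symptom Lab 1.5's connection-timeout scenario asks you to recognise; the relative numbers come out as 0, 0, 1, matching the Expected Output.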

Verification

  • Identified all three handshake packets
  • Recorded ISN values
  • Verified sequence/ack number progression
  • Noted negotiated TCP options

Lab 1.3: DNS Traffic Analysis

Objective

Analyze DNS queries and responses, identify query types.

Difficulty: Beginner | Time: 30 minutes

Instructions

Part 1: Capture DNS Traffic

# Capture DNS
tshark -i eth0 -f "udp port 53" -w dns_capture.pcap &

# Generate queries
nslookup google.com
dig example.com ANY
host -t MX gmail.com
dig +short TXT _dmarc.google.com

Part 2: DNS Query Analysis

Wireshark filters:

# All DNS
dns

# Queries only
dns.flags.response == 0

# Responses only
dns.flags.response == 1

# Specific query types
dns.qry.type == 1      # A record
dns.qry.type == 28     # AAAA record
dns.qry.type == 15     # MX record
dns.qry.type == 16     # TXT record
dns.qry.type == 255    # ANY query

# Failed queries (NXDOMAIN)
dns.flags.rcode == 3

Part 3: Extract Information

For each query/response pair, document:

  • Query name
  • Query type
  • Response code
  • Answer records
  • TTL values

DNS Record Types Reference

Type    Code   Purpose
A       1      IPv4 address
AAAA    28     IPv6 address
CNAME   5      Canonical name
MX      15     Mail exchanger
TXT     16     Text record
NS      2      Nameserver
SOA     6      Start of authority
PTR     12     Reverse lookup
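The fields Part 3 asks you to record (query name, type, response code, answers, TTL) all sit in the DNS wire format, and reading them by hand makes the Wireshark dissector output much easier to trust. The following is an added example, not code from the lab: a small stdlib-only DNS message parser, including name compression, run over two constructed messages (an MX answer for example.com and an NXDOMAIN). The message bytes, transaction IDs and TTLs are made up for the example; the record-type and rcode tables mirror the reference above.

```python
import struct

RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
                16: "TXT", 28: "AAAA", 255: "ANY"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """example.com -> b'\\x07example\\x03com\\x00' (uncompressed wire format)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(txid, qname, qtype, rcode, answers):
    """Constructed response (not from a real server); answers = [(type, ttl, rdata)]."""
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, rcode in low 4 bits
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, ttl, rdata in answers:
        # 0xC00C: compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg, pos):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, end = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                # pointer: follow it, resume after the 2 bytes
            end = end if end is not None else pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (end if end is not None else pos)


def decode_rdata(msg, rtype, off, rdlen):
    """Render rdata the way the packet details pane shows it, for the lab's types."""
    data = msg[off:off + rdlen]
    if rtype == 1:
        return ".".join(str(b) for b in data)
    if rtype in (2, 5, 12):                      # NS, CNAME, PTR: a single name
        return read_name(msg, off)[0]
    if rtype == 15:                              # MX: preference + exchange name
        pref = struct.unpack("!H", data[:2])[0]
        return f"{pref} {read_name(msg, off + 2)[0]}"
    if rtype == 16:                              # TXT: length-prefixed strings
        return data[1:1 + data[0]].decode()
    return data.hex()


def parse_dns(msg):
    """Return the fields Part 3 asks you to document for one DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    qname, pos = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 4                                     # qtype + qclass
    answers = []
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        answers.append({"name": name, "type": RECORD_TYPES.get(rtype, str(rtype)),
                        "ttl": ttl, "data": decode_rdata(msg, rtype, pos, rdlen)})
        pos += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": RECORD_TYPES.get(qtype, str(qtype)),
            "rcode": rcode, "rcode_name": RCODES.get(rcode, str(rcode)), "answers": answers}


# Constructed samples: an MX answer for example.com and an NXDOMAIN for a missing host.
SAMPLE_MX = build_response(0x1A2B, "example.com", 15, 0, [
    (15, 3600, struct.pack("!H", 10) + encode_name("mail.example.com")),
])
SAMPLE_NXDOMAIN = build_response(0x1A2C, "nosuchhost.example.com", 1, 3, [])

if __name__ == "__main__":
    for sample in (SAMPLE_MX, SAMPLE_NXDOMAIN):
        print(parse_dns(sample))
```

The compression-pointer handling in read_name is the part most hand-written parsers get wrong: the answer name is just two bytes (0xC00C) pointing back at the question, so the parser must resume after the pointer, not after the name it jumped to.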

Verification

  • Captured queries and responses
  • Identified at least 3 different record types
  • Analyzed MX record response
  • Found TTL values

Lab 1.4: HTTP/HTTPS Traffic Analysis

Objective

Analyze HTTP transactions and understand TLS encryption effects.

Difficulty: Intermediate | Time: 45 minutes

Instructions

Part 1: HTTP (Unencrypted)

# Capture HTTP
tshark -i eth0 -f "tcp port 80" -w http_capture.pcap &

# Generate HTTP traffic
curl -v http://httpbin.org/get
curl -v http://httpbin.org/post -d "test=data"

# View in Wireshark
# Filter: http
# Follow HTTP stream

Part 2: Analyze HTTP Request

HTTP Request Components:

GET /get HTTP/1.1
Host: httpbin.org
User-Agent: curl/7.81.0
Accept: */*

Document:
- Request method (GET, POST, etc.)
- Request URI
- HTTP version
- Headers present
- Any body content

Part 3: HTTPS Comparison

# Capture HTTPS
tshark -i eth0 -f "tcp port 443" -w https_capture.pcap &

# Generate HTTPS traffic
curl -v https://httpbin.org/get

# Analyze in Wireshark
# Filter: tls

Part 4: TLS Analysis

Identify TLS Handshake Messages:

1. ClientHello
   - Filter: tls.handshake.type == 1
   - Note: Supported cipher suites, TLS version
   - SNI (Server Name Indication)

2. ServerHello
   - Filter: tls.handshake.type == 2
   - Note: Selected cipher suite

3. Certificate
   - Filter: tls.handshake.type == 11
   - Note: Server certificate details

4. Application Data
   - Filter: tls.record.content_type == 23
   - Note: This is encrypted - can't see HTTP inside
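The four filters above map directly onto bytes in the TLS record and handshake headers. As an added example (not part of the lab), the script below classifies a record by content type, and for a ClientHello pulls out what the lab tells you to note: the offered cipher suites, the version fields and the SNI. It runs over a constructed ClientHello for example.com and a constructed ApplicationData record; the record bytes, the placeholder client random and the short cipher-suite name table are this example's own, not captured traffic.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(sni, suites, versions):
    """Constructed ClientHello record (not captured from a real client).

    Fixed bytes stand in for the 32-byte client random so the sample is
    reproducible; no session id, null compression only."""
    host = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0x0000, len(host) + 5, len(host) + 3, 0, len(host)) + host
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = struct.pack("!HHB", 0x002B, len(vers) + 1, len(vers)) + vers
    exts = sni_ext + ver_ext
    body = struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(body):
    """Extract what the lab notes for filter tls.handshake.type == 1."""
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                 # skip version + random
    pos += 1 + body[pos]                         # session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + body[pos]                         # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end, sni, versions = pos + ext_len, None, []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000:                      # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
        elif etype == 0x002B:                    # supported_versions: len(1), then 2-byte versions
            versions = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
    return {"legacy_version": TLS_VERSIONS.get(legacy_version, hex(legacy_version)),
            "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
            "sni": sni,
            "supported_versions": [TLS_VERSIONS.get(v, hex(v)) for v in versions]}


def parse_record(raw):
    """Classify one TLS record the way the Part 4 filters do; dissect a ClientHello."""
    ctype, _version, length = struct.unpack("!BHH", raw[:5])
    info = {"content_type": CONTENT_TYPES.get(ctype, str(ctype)), "length": length}
    if ctype != 22:
        return info                              # ApplicationData etc.: opaque, nothing readable
    hs_type = raw[5]
    info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, str(hs_type))
    if hs_type == 1:
        info.update(parse_client_hello(raw[9:5 + length]))
    return info


SAMPLE_CLIENT_HELLO = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])
# Constructed ApplicationData record: 16 placeholder bytes standing in for ciphertext.
SAMPLE_APP_DATA = b"\x17\x03\x03\x00\x10" + b"\xde\xad\xbe\xef" * 4

if __name__ == "__main__":
    print(parse_record(SAMPLE_CLIENT_HELLO))
    print(parse_record(SAMPLE_APP_DATA))
```

Two things worth noticing in the output: the record-layer and legacy version fields still say TLS 1.2 even when the client actually negotiates 1.3 through the supported_versions extension, and for the ApplicationData record there is nothing to dissect beyond type and length, which is the encryption effect the Key Observation below describes.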

Key Observation

HTTP shows complete request/response in plaintext. HTTPS shows TLS handshake but application data is encrypted. This is why HTTPS matters for security.

Verification

  • Captured and analyzed HTTP traffic
  • Followed HTTP stream, saw request/response
  • Captured TLS handshake
  • Identified cipher suite negotiated
  • Confirmed application data is encrypted

Lab 1.5: Network Troubleshooting with Packet Analysis

Objective

Use packet analysis to diagnose common network issues.

Difficulty: Intermediate | Time: 45 minutes

Instructions

Scenario 1: Connection Timeout

Symptoms: Connection times out
Analysis approach:

1. Filter: tcp.flags.syn == 1 and tcp.flags.ack == 0
   - Do you see SYN packets leaving?

2. Filter: tcp.flags.syn == 1 and tcp.flags.ack == 1
   - Do you see SYN-ACK responses?

3. No SYN-ACK = Server unreachable or firewall blocking
   - Check: icmp.type == 3 (Destination Unreachable)
   
4. SYN-ACK but no ACK = Local firewall issue

Scenario 2: Slow Transfers

Symptoms: Transfers are slow
Analysis approach:

1. Statistics → TCP Stream Graphs → Round Trip Time
   - High RTT = Network latency

2. Statistics → TCP Stream Graphs → Throughput
   - Throughput vs capacity

3. Filter: tcp.analysis.retransmission
   - High retransmissions = Packet loss

4. Filter: tcp.analysis.window_update
   - Window scaling issues
   
5. Filter: tcp.analysis.zero_window
   - Receiver can't keep up

Scenario 3: DNS Failures

Symptoms: Name resolution failing
Analysis approach:

1. Filter: dns
   - Are queries being sent?

2. Filter: dns.flags.response == 1 and dns.flags.rcode != 0
   - Non-successful responses
   
3. Common response codes:
   - 0 = No error
   - 2 = Server failure
   - 3 = Name does not exist (NXDOMAIN)
   - 5 = Refused

4. Check if responses arrive at all
   - No response = DNS server unreachable

Part 4: Create Troubleshooting Checklist

Document a checklist for common issues:

Connection Issues:
□ SYN packets leaving?
□ SYN-ACK received?
□ ACK sent?
□ RST received? (Connection refused)
□ ICMP errors?

Performance Issues:
□ Retransmission rate?
□ Round-trip time?
□ Window size issues?
□ Duplicate ACKs?

DNS Issues:
□ Query sent?
□ Response received?
□ Response code?
□ Correct server responding?
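The Connection Issues and DNS Issues checklists are a decision procedure, and a decision procedure can be written down and run. Here is an added example (not from the lab) that walks both checklists over a tshark field export. It assumes the export was produced with `tshark -r capture.pcap -T fields -E separator=/t -e frame.number -e ip.src -e ip.dst -e tcp.flags -e icmp.type -e dns.flags.response -e dns.flags.rcode` (those field names exist in Wireshark; the column order is this example's choice, and tshark prints the boolean as 1/0 or True/False depending on version, so both are accepted). The three sample exports are constructed to match Scenario 1 (refused and unreachable) and Scenario 3 (server failure); the verdict wording follows the rules in the scenarios above.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10
RCODES = {0: "No error", 2: "Server failure", 3: "NXDOMAIN", 5: "Refused"}

# Assumed export layout (an assumption for this example, not a command from the lab):
#   tshark -r capture.pcap -T fields -E separator=/t \
#       -e frame.number -e ip.src -e ip.dst -e tcp.flags -e icmp.type \
#       -e dns.flags.response -e dns.flags.rcode
FIELDS = ("frame", "src", "dst", "tcp_flags", "icmp_type", "dns_response", "dns_rcode")


def parse_line(line):
    """One tab-separated export line -> dict; empty columns become None."""
    cols = line.rstrip("\n").split("\t")
    rec = dict(zip(FIELDS, cols + [""] * (len(FIELDS) - len(cols))))
    rec["tcp_flags"] = int(rec["tcp_flags"], 16) if rec["tcp_flags"] else None
    rec["icmp_type"] = int(rec["icmp_type"]) if rec["icmp_type"] else None
    # tshark prints booleans as 1/0 or True/False depending on version
    rec["dns_response"] = (rec["dns_response"] in ("1", "True")) if rec["dns_response"] else None
    rec["dns_rcode"] = int(rec["dns_rcode"]) if rec["dns_rcode"] else None
    return rec


def _tcp(records, src, dst, must_have, must_lack=0):
    """True if some src->dst TCP packet has all must_have flags and none of must_lack."""
    return any(r["src"] == src and r["dst"] == dst and r["tcp_flags"] is not None
               and r["tcp_flags"] & must_have == must_have and not r["tcp_flags"] & must_lack
               for r in records)


def diagnose_connection(lines, client, server):
    """Walk the 'Connection Issues' checklist and return the matching verdict."""
    recs = [parse_line(l) for l in lines]
    if not _tcp(recs, client, server, SYN, must_lack=ACK):
        return "no SYN leaving the client: check the local application, routing or host firewall"
    if _tcp(recs, server, client, RST):
        return "RST received: connection refused (nothing listening on that port)"
    if not _tcp(recs, server, client, SYN | ACK):
        if any(r["icmp_type"] == 3 and r["dst"] == client for r in recs):
            return "no SYN-ACK and ICMP destination unreachable: host or port unreachable"
        return "no SYN-ACK and no ICMP: server unreachable or a firewall is silently dropping"
    if not _tcp(recs, client, server, ACK, must_lack=SYN):
        return "SYN-ACK received but no ACK sent: local firewall issue"
    return "handshake completed: the problem is beyond TCP connection setup"


def diagnose_dns(lines, resolver):
    """Walk the 'DNS Issues' checklist and return the matching verdict."""
    recs = [parse_line(l) for l in lines]
    queries = [r for r in recs if r["dns_response"] is False and r["dst"] == resolver]
    responses = [r for r in recs if r["dns_response"] is True]
    if not queries:
        return "no query sent to the configured resolver"
    if not responses:
        return "query sent but no response: DNS server unreachable"
    if any(r["src"] != resolver for r in responses):
        return "response from an unexpected server: check resolver configuration"
    bad = [r["dns_rcode"] for r in responses if r["dns_rcode"]]
    if bad:
        return f"resolver answered with rcode {bad[0]} ({RCODES.get(bad[0], 'other')})"
    return "DNS resolution succeeded: the problem is elsewhere"


# Constructed sample exports (not real captures); columns as in FIELDS above.
REFUSED = [
    "1\t192.168.1.100\t10.0.0.5\t0x0002\t\t\t",     # SYN
    "2\t10.0.0.5\t192.168.1.100\t0x0014\t\t\t",     # RST, ACK
]
UNREACHABLE = [
    "1\t192.168.1.100\t10.0.0.9\t0x0002\t\t\t",     # SYN
    "2\t192.168.1.100\t10.0.0.9\t0x0002\t\t\t",     # SYN retransmission
    "3\t192.168.1.1\t192.168.1.100\t\t3\t\t",       # ICMP type 3 from the gateway
]
SERVFAIL = [
    "1\t192.168.1.100\t8.8.8.8\t\t\t0\t",           # query
    "2\t8.8.8.8\t192.168.1.100\t\t\t1\t2",          # response, rcode 2
]

if __name__ == "__main__":
    print(diagnose_connection(REFUSED, "192.168.1.100", "10.0.0.5"))
    print(diagnose_connection(UNREACHABLE, "192.168.1.100", "10.0.0.9"))
    print(diagnose_dns(SERVFAIL, "8.8.8.8"))
```

The order of the checks matters: a RST is tested before "no SYN-ACK", because a refused port answers the SYN with RST rather than silence, and that distinction (refused vs. dropped) is the first thing the checklist separates.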

Verification

  • Analyzed a timeout scenario
  • Identified retransmissions
  • Analyzed DNS failure
  • Created troubleshooting checklist

Lab 1.6: Protocol Deep Dive - ARP

Objective

Understand ARP at the packet level.

Difficulty: Beginner | Time: 20 minutes

Instructions

# Clear ARP cache
sudo ip neigh flush all

# Start capture
tshark -i eth0 -f "arp" -w arp_capture.pcap &

# Generate ARP traffic
ping -c 1 192.168.1.1  # Your gateway

# Stop capture
killall tshark

Analyze ARP Packets

ARP Request:
- Opcode: 1 (Request)
- Sender MAC: Your MAC
- Sender IP: Your IP
- Target MAC: 00:00:00:00:00:00 (unknown)
- Target IP: Gateway IP

ARP Reply:
- Opcode: 2 (Reply)
- Sender MAC: Gateway MAC
- Sender IP: Gateway IP
- Target MAC: Your MAC
- Target IP: Your IP
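The request/reply field layout above is simple enough to parse by hand, which is a good way to check that what Wireshark labels "Sender" and "Target" really swaps between the two packets. The following is an added example, not code from the lab: it builds a constructed ARP request and reply for a host resolving its gateway (the MAC addresses are made-up locally administered ones, the IPs follow the lab's 192.168.1.0/24 setup), parses the fields the lab lists, and checks that the reply actually answers the request before you record the transaction.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "Request", 2: "Reply"}
BROADCAST = "ff:ff:ff:ff:ff:ff"
UNKNOWN_MAC = "00:00:00:00:00:00"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, eth_dst):
    """Ethernet frame carrying one ARP packet (IPv4 over Ethernet: hlen 6, plen 4)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the fields the lab lists for an ARP request or reply."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    a = frame[14:]
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", a[:8])
    return {"opcode": opcode, "operation": OPCODES.get(opcode, str(opcode)),
            "sender_mac": mac_str(a[8:14]), "sender_ip": socket.inet_ntoa(a[14:18]),
            "target_mac": mac_str(a[18:24]), "target_ip": socket.inet_ntoa(a[24:28])}


def reply_matches_request(request, reply):
    """True when a reply answers the given request: it comes from the IP that was
    asked for and is addressed back to the requester's MAC and IP."""
    return (request["opcode"] == 1 and reply["opcode"] == 2
            and reply["sender_ip"] == request["target_ip"]
            and reply["target_mac"] == request["sender_mac"]
            and reply["target_ip"] == request["sender_ip"])


# Constructed transaction (not a real capture): a host resolving its gateway.
HOST_MAC, HOST_IP = "02:00:00:00:00:64", "192.168.1.100"
GW_MAC, GW_IP = "02:00:00:00:00:01", "192.168.1.1"
ARP_REQUEST = build_arp(1, HOST_MAC, HOST_IP, UNKNOWN_MAC, GW_IP, BROADCAST)
ARP_REPLY = build_arp(2, GW_MAC, GW_IP, HOST_MAC, HOST_IP, HOST_MAC)

if __name__ == "__main__":
    req, rep = parse_arp(ARP_REQUEST), parse_arp(ARP_REPLY)
    for pkt in (req, rep):
        print(pkt)
    print("reply matches request:", reply_matches_request(req, rep))
```

Note that the Ethernet destination differs between the two frames: the request goes to the broadcast MAC because the target hardware address is still all zeros, while the reply is unicast straight back to the requester.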

Document

Record the complete ARP transaction including all MAC and IP addresses.


Lab 1.7: Capture Filter vs Display Filter

Objective

Understand the difference and appropriate use of capture and display filters.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Capture Filters (BPF Syntax)

# Capture filters use Berkeley Packet Filter syntax
# Applied DURING capture - reduces file size

# Examples:
tshark -i eth0 -f "tcp port 80"
tshark -i eth0 -f "host 192.168.1.100"
tshark -i eth0 -f "net 192.168.1.0/24"
tshark -i eth0 -f "port 53"
tshark -i eth0 -f "tcp and port 443"
tshark -i eth0 -f "not port 22"

Display Filters (Wireshark Syntax)

# Display filters applied AFTER capture
# More powerful, can filter on any field

# Examples:
tcp.port == 80
ip.addr == 192.168.1.100
tcp.flags.syn == 1
http.request.method == "GET"
dns.qry.name contains "google"

Comparison Exercise

Capture Filter        Display Filter Equivalent
host 192.168.1.100    ip.addr == 192.168.1.100
port 80               tcp.port == 80 or udp.port == 80
tcp                   tcp
not arp               !arp

When to Use Each

  • Capture filters: When you need to limit capture size, know exactly what you need
  • Display filters: When exploring traffic, need to filter on application-layer details

Lab Summary

Skills Acquired

  • Basic Wireshark capture and navigation
  • Display filter creation and application
  • TCP handshake analysis
  • DNS query/response analysis
  • HTTP/HTTPS traffic interpretation
  • Network troubleshooting methodology
  • ARP protocol understanding

Next Steps

  • Practice with your own network traffic
  • Analyze captures from malware-traffic-analysis.net
  • Move to Lab 2: Layer 2 Attack Labs

Additional Resources