One of our business partners experienced one or more significant events on their office network. Fortunately they had Wireshark running when the events occurred, and they have provided a series of packet capture files so that we can help determine what happened.
1) Open the provided packet capture files using any tools you see fit (Wireshark / NetworkMiner / SNORT).
2) Perform an analysis of the captured traffic. Some things you should consider are the following (not all of these happened, and the list may not be all-inclusive either):
a. How long did the session captures last?
b. Can the packet captures be correlated?
c. How many packets were captured in each session?
d. How many bytes were captured?
e. What protocols were observed?
f. What does the office enclave look like?
g. Are there any events that rise to the level of being classified as an "event" or even an attack?
3) What “story” do the capture files tell?
4) Run the capture files through SNORT. What alerts are triggered?
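To show what the baseline numbers in step 2 (a, c, d and e) look like when computed directly from a capture, here is an added example that is not part of the assignment or of Wireshark/SNORT: a small parser for the classic libpcap file format that reports capture duration, packet and byte counts, and a protocol tally. The sample capture it reads is constructed inline; the frame contents and timestamps are made up for the demonstration.

```python
import struct
from collections import Counter

# --- Constructed sample input (not a real capture): three Ethernet frames -------------
def _eth_frame(ethertype, payload):
    # dst MAC, src MAC, EtherType, then the encapsulated payload
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload

def _ipv4_packet(proto):
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))

def build_pcap(records, little_endian=True):
    """Serialize (sec, usec, frame) records as a classic libpcap file; used only to build the sample."""
    e = "<" if little_endian else ">"
    out = [struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for sec, usec, frame in records:
        out.append(struct.pack(e + "IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    (1_700_000_000, 0,       _eth_frame(0x0806, b"\x00" * 28)),                        # ARP
    (1_700_000_001, 500_000, _eth_frame(0x0800, _ipv4_packet(6) + b"\x00" * 20)),      # IPv4/TCP
    (1_700_000_012, 250_000, _eth_frame(0x0800, _ipv4_packet(17) + b"\x00" * 8)),      # IPv4/UDP
])

# --- The parser: the same figures capinfos / Wireshark's Statistics > Capture File Properties show ---
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
ETHERTYPE = {0x0806: "ARP", 0x86DD: "IPv6"}

def summarize_pcap(data):
    """Return packet count, captured bytes, duration in seconds and a per-protocol tally."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        e = "<"                      # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        e = ">"                      # file written on a big-endian host
    else:                            # 0x0A0D0D0A is pcapng (Wireshark's default save format)
        raise ValueError("not a classic pcap (pcapng or nanosecond variant); convert with editcap first")
    if struct.unpack(e + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off, protos, times, captured = 24, Counter(), [], 0
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:    # file cut short mid-record (e.g. capture stopped abruptly)
            raise ValueError(f"truncated packet record at offset {off}")
        off += 16 + incl_len
        times.append(sec + usec / 1e6)
        captured += incl_len
        ethertype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None
        if ethertype == 0x0800 and len(frame) >= 34:   # IPv4: protocol byte is at IP header offset 9
            protos[IP_PROTO.get(frame[23], f"IP proto {frame[23]}")] += 1
        else:
            protos[ETHERTYPE.get(ethertype, f"ethertype {ethertype}")] += 1
    return {"packets": len(times), "bytes": captured,
            "duration_s": round(max(times) - min(times), 6) if times else 0.0,
            "protocols": dict(protos)}
```

Run `summarize_pcap(open("capture.pcap", "rb").read())` on each provided file to get the per-session figures for the report; the first timestamp of each summary is also what you compare when checking whether the sessions overlap (step 2b).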
Provide a lab report that includes an analysis of the packet capture files. Identify key events and either prove or disprove that a malicious event occurred.
When referencing the answer to a question or providing proof of your analysis, it is helpful to cite the actual packet number that proves your point, as well as screenshots in your appendix data.