Wireshark and Traceroute Analysis Report
Situation:
This project focused on using Wireshark and traceroute to analyze ICMP traffic and understand the behavior of hosts when responding to network probes. The goal was to track the paths to specified destinations (plunder.pr0b3.com and ns.artstailor.com), identify packet behavior, and retrieve the sixth encryption key.
Obstacles:
- Unexpected ICMP Packets: Traceroute sent packets to unexpected destinations, requiring investigation to verify their purpose.
- Null Responses: Several ICMP requests received no reply, making it necessary to explore alternative methods for probing.
- Firewall Blocking: Potential ICMP blocking by firewalls required consideration of other protocols for traceroute.
Actions Taken:
- Executed ifconfig to identify the active Ethernet interface for packet capture in Wireshark.
- Started a Wireshark session and executed traceroute -I plunder.pr0b3.com to analyze the path to the host using ICMP echo packets.
- Filtered Wireshark packets for ICMP traffic and documented packet sources, destinations, and behavior (e.g., TTL-exceeded and port-unreachable replies).
- Repeated traceroute to ns.artstailor.com to identify its path and compare packet behavior.
- Developed a contingency strategy to use UDP or TCP packets with traceroute and test specific ports if ICMP was blocked.
- Retrieved sections of the sixth encryption key from ICMP packet data in Wireshark.
Results:
- Packet Analysis:
- plunder.pr0b3.com: 57 ICMP packets sent, 7 of which received no reply, with packets from 3 sources to 3 destinations.
- ns.artstailor.com: 50 ICMP packets sent, 3 of which received no reply, again involving 3 sources and 3 destinations.
- Traceroute sent out approximately 28 pings but stopped when sufficient responses were received.
- Key Found: KEY006-DqyhqMKZIfctuGGA2/6rEw==
- Behavior Observed:
- Some packets triggered TTL-exceeded responses (sent by intermediate hops as the probe's TTL ran out) or port-unreachable replies (indicating arrival at the destination).
- When ICMP responses were absent, traceroute could be configured to use UDP or TCP, or specific ports could be tested incrementally with the -p flag.
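The probe/reply matching described in the results above, as an added example that is not part of the original report: it reads a tshark-style field export (assumed format, constructed sample with made-up addresses), pairs each ICMP echo request with its reply by identifier and sequence number, counts the probes that got no reply, and classifies replies as TTL-exceeded (intermediate hop) or echo reply (destination reached).

```python
from collections import Counter
from typing import NamedTuple

class Pkt(NamedTuple):
    frame: int
    src: str
    dst: str
    typ: int
    code: int
    ident: int
    seq: int

# Constructed sample in the assumed tab-separated format of
#   tshark -Y icmp -T fields -e frame.number -e ip.src -e ip.dst
#          -e icmp.type -e icmp.code -e icmp.ident -e icmp.seq
# Addresses are documentation ranges, not real hosts. Probes with seq 3 and 5
# deliberately get no reply (the "null responses" seen in the lab).
SAMPLE = """\
1\t10.0.0.5\t203.0.113.9\t8\t0\t4242\t1
2\t10.0.0.1\t10.0.0.5\t11\t0\t4242\t1
3\t10.0.0.5\t203.0.113.9\t8\t0\t4242\t2
4\t198.51.100.7\t10.0.0.5\t11\t0\t4242\t2
5\t10.0.0.5\t203.0.113.9\t8\t0\t4242\t3
6\t10.0.0.5\t203.0.113.9\t8\t0\t4242\t4
7\t203.0.113.9\t10.0.0.5\t0\t0\t4242\t4
8\t10.0.0.5\t203.0.113.9\t8\t0\t4242\t5
"""

# ICMP (type, code) pairs that answer a traceroute probe and what they mean.
REPLY_KIND = {(0, 0): "echo reply (destination reached)",
              (11, 0): "TTL exceeded (intermediate hop)",
              (3, 3): "port unreachable (destination reached)"}

def parse_export(text: str) -> list:
    """Turn export rows into Pkt records; rows without 7 fields are skipped."""
    pkts = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 7:
            continue
        pkts.append(Pkt(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), int(f[5]), int(f[6])))
    return pkts

def analyze(pkts: list) -> dict:
    """Match echo requests (type 8) to replies by (ident, seq); report gaps."""
    probes = {(p.ident, p.seq): p for p in pkts if p.typ == 8}
    replies = {}
    for p in pkts:
        if p.typ != 8 and (p.typ, p.code) in REPLY_KIND:
            replies.setdefault((p.ident, p.seq), p)  # keep first reply per probe
    unanswered = sorted(k[1] for k in probes if k not in replies)
    kinds = Counter(REPLY_KIND[(r.typ, r.code)] for k, r in replies.items() if k in probes)
    return {"sent": len(probes), "unanswered": unanswered,
            "sources": sorted({p.src for p in pkts}),
            "destinations": sorted({p.dst for p in pkts}),
            "reply_kinds": dict(kinds)}

if __name__ == "__main__":
    for key, value in analyze(parse_export(SAMPLE)).items():
        print(f"{key}: {value}")
```

A probe that never appears in the reply map is the same "null response" the report counted by hand; a run with only TTL-exceeded replies and no echo reply means the destination itself never answered, which is the cue to fall back to UDP or TCP probes.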
Tool Purpose Overview
Wireshark:
- Packet analysis tool used to capture and inspect network traffic. It provided detailed insights into ICMP packet sources, destinations, and behavior.
Traceroute:
- Network diagnostic tool for tracing the path packets take to a destination. The -I flag was used to send ICMP echo packets instead of the default UDP probes.
ifconfig:
- Command used to identify active network interfaces for packet capture in Wireshark.
ICMP, UDP, and TCP Probing:
- ICMP: Protocol used by traceroute for this exercise (selected with the -I flag; without it traceroute defaults to UDP).
- UDP/TCP: Suggested alternatives for probing hosts that block ICMP traffic.