SECTION 1 NETSTAT
i). What is netstat and what is it used for?
Netstat is a command-line tool used to display network connections and network statistics on a system.
It provides information about the network connections, listening ports, routing tables, and network
interface statistics.
ii). What parameters for netstat should you use to show all the TCP connections established? Include a
printout of this list for your machine. Be sure to explain what all fields are.
Parameter      Description
-a             Displays all connections and listening ports
-e             Displays Ethernet statistics
-n             Displays addresses and port numbers in numerical form instead of using friendly names
-s             Displays statistics categorized by protocol
-p protocol    Shows connections for the specified protocol, either TCP or UDP
-r             Displays the contents of the routing table
interval       Displays selected statistics, pausing interval seconds between each display; press [Ctrl]C to stop displaying statistics
-q             Lists all connections, all listening TCP ports, and all open TCP ports that are not listening

To show all established TCP connections:

netstat -n -p TCP | findstr "ESTABLISHED"

-n prints addresses and ports in numerical form, -p TCP displays the connections for the specified protocol, in this case TCP (also possible: UDP, TCPv6, or UDPv6), and findstr keeps only the lines whose State column reads ESTABLISHED.

The fields in the printout are:
- Proto: The protocol (e.g., TCP or UDP) used for the connection.
- Local Address: The IP address and port number on the local machine.
- Foreign Address: The IP address and port number of the remote machine.
- State: The state of the connection (e.g., ESTABLISHED, LISTENING, TIME_WAIT).
iii). How can netstat be used to detect malicious software?
Netstat can be used to detect malicious software or suspicious network connections by looking for
unusual or unauthorized connections.
- Look for unfamiliar IP addresses or domain names in the "Foreign Address" column. If you see
connections to suspicious or unknown destinations, it might indicate malicious activity.
- Pay attention to established connections that don't correspond to any known programs or processes
running on your machine. This could be a sign of a hidden or unauthorized application.
- Check for listening ports that are not associated with any known services. Listening ports can indicate
potential entry points for attackers.
- Monitor the state of connections. For example, if you notice multiple connections in the TIME_WAIT
state from the same IP address, it could be a sign of a DoS (Denial of Service) attack or other malicious
activity.
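As an added example (not part of the original report), a Python parser for the printout above that applies two of the checks just listed to constructed `netstat -a -n -p TCP` output: ESTABLISHED connections to peers outside a known set, and TIME_WAIT pile-ups from a single foreign address. The regex assumes the Windows column layout (Proto, Local Address, Foreign Address, State); the addresses are RFC 5737 documentation ranges, not real hosts.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -a -n -p TCP" output (not captured from a real host);
# addresses are RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     192.0.2.20:443         ESTABLISHED
  TCP    192.168.1.10:49713     203.0.113.77:9001      ESTABLISHED
  TCP    192.168.1.10:49800     198.51.100.5:80        TIME_WAIT
  TCP    192.168.1.10:49801     198.51.100.5:80        TIME_WAIT
  TCP    192.168.1.10:49802     198.51.100.5:80        TIME_WAIT
"""

# One connection line: Proto, Local Address, Foreign Address, State (State is empty for UDP,
# and UDP shows "*:*" as the foreign address, hence the "\*" alternative for ports).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return one dict per connection line; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": lport,
                     "foreign": faddr, "fport": fport, "state": state})
    return rows

def find_suspicious(rows, known_foreign, time_wait_threshold=3):
    """ESTABLISHED connections to peers not in known_foreign, and peers with at least
    time_wait_threshold connections sitting in TIME_WAIT (the two checks from the text)."""
    unknown = [r for r in rows
               if r["state"] == "ESTABLISHED" and r["foreign"] not in known_foreign]
    tw = Counter(r["foreign"] for r in rows if r["state"] == "TIME_WAIT")
    pileups = {ip: n for ip, n in tw.items() if n >= time_wait_threshold}
    return unknown, pileups

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    unknown, pileups = find_suspicious(rows, known_foreign={"192.0.2.20"})
    for r in unknown:
        print(f"unknown peer {r['foreign']}:{r['fport']} from local port {r['lport']}")
    for ip, n in pileups.items():
        print(f"{n} TIME_WAIT connections to {ip}")
```

On a live machine, replace SAMPLE_NETSTAT with the captured text of `netstat -a -n -p TCP` and fill known_foreign from the peers your known programs are expected to talk to.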
SECTION 2 TRACEROUTE
i). Explain in detail how traceroute works.
Traceroute is a network diagnostic tool used to track the route that packets take from a source to a
destination over an IP network. It works by sending a series of ICMP (Internet Control Message Protocol)
or UDP (User Datagram Protocol) packets with increasing TTL (Time to Live) values. The TTL value
determines the maximum number of hops (routers) the packet can traverse before being discarded.
When the first packet is sent, the TTL value is set to 1. The first router encountered on the path
decrements the TTL value by 1 and discards the packet, generating an ICMP "Time Exceeded" message
back to the source. This message indicates that the TTL has expired. The traceroute program then
captures the source IP address of the router that sent the "Time Exceeded" message and records it as
the first hop.
The process is repeated with increasing TTL values, allowing traceroute to build a list of all the routers
(hops) between the source and the destination. By analyzing the sequence of routers and their response
times, traceroute provides information about the network path and latency between the two points.
ii). Perform a traceroute from your machine to two different locations: one in Europe and one in the
USA. Include a copy of the output and explain what happened, including a description of what each of
the fields means.
Syntax
tracert [-d] [-h <MaximumHops>] [-j <Hostlist>] [-w <timeout>] [-R] [-S <Srcaddr>] [-4][-6] <TargetName>
Hop Number - This is the first column and is simply the number of the hop in the
network pathway from your computer to the remote device. The highest this will
go to will be no more than the Windows tracert default of 30, or what you define using
the -h switch.
Round Trip Times (RTT) - Expressed in milliseconds (ms), these three columns
report the time it took for a data packet to go from your computer to the hop and
back to your computer (sometimes referred to as latency). By default, Windows
tracert sends three packets to each hop. Thus, each hop line in the report will
show three round trip times. In the illustration below, these are highlighted as
RTT1, RTT2, and RTT3. An asterisk (*) in one of these columns means that probe got no reply
within the timeout.
Host Name / IP - This last column shows the hostname and the IP address of
the hop.
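As an added example, not from the original report, a Python parser for Windows tracert output structured as described above: it splits each hop line into Hop Number, the three RTTs and Host Name / IP, and works out how much latency each responding hop adds over the previous one, which is how a large jump is localised to one segment of the path. The sample output is constructed, with RFC 5737 documentation addresses.

```python
import re

# Constructed sample of Windows "tracert" output (not captured from a real host); addresses are
# RFC 5737 documentation ranges.
SAMPLE_TRACERT = """\
Tracing route to www.example.com [203.0.113.80]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    12 ms    11 ms    13 ms  198.51.100.1
  3     *        *        *     Request timed out.
  4    35 ms    34 ms    36 ms  core1.example.net [198.51.100.9]
  5    88 ms    87 ms    90 ms  203.0.113.80

Trace complete.
"""

RTT = r"(<?\d+ ms|\*)"
# Hop Number, RTT1, RTT2, RTT3, then Host Name / IP (or "Request timed out.").
HOP_RE = re.compile(rf"^\s*(\d+)\s+{RTT}\s+{RTT}\s+{RTT}\s+(.*\S)\s*$")
HOST_RE = re.compile(r"^(?:(\S+)\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")  # "name [ip]" or "ip"

def parse_rtt(token):
    """'*' is a lost probe (None); '<1 ms' is taken as 1 ms, i.e. an upper bound."""
    return None if token == "*" else float(token.rstrip(" ms").lstrip("<"))

def parse_tracert(text):
    """One dict per hop line: hop number, the three RTTs, host name and IP when present."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        num, r1, r2, r3, host = m.groups()
        hm = HOST_RE.match(host)
        hops.append({"hop": int(num), "rtts": [parse_rtt(t) for t in (r1, r2, r3)],
                     "host": hm.group(1) if hm else None,
                     "ip": hm.group(2) if hm else None,
                     "timed_out": hm is None})
    return hops

def latency_added(hops):
    """(hop, ip, average RTT, increase over the previous responding hop) for each hop that replied."""
    out, prev = [], None
    for h in hops:
        replies = [r for r in h["rtts"] if r is not None]
        if not replies:
            continue  # all three probes lost; nothing to measure for this hop
        avg = sum(replies) / len(replies)
        out.append((h["hop"], h["ip"], round(avg, 1), None if prev is None else round(avg - prev, 1)))
        prev = avg
    return out
```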
iii). Traceroute to www.kca.ac.ke and identify each hop by using the whois command. Note that
whois takes IP addresses as its parameter.
SECTION 3 WIRESHARK
i). Wireshark is a powerful network protocol analyzer tool. Its purpose is to capture and analyze network
traffic in real-time. It allows users to examine network packets, understand protocols, and troubleshoot
network issues. Wireshark supports a wide range of protocols and provides detailed information about
each packet, including source and destination IP addresses, port numbers, protocol headers, and
payload data.
ii). To capture and view network traffic using Wireshark, follow these steps:
Download and install Wireshark from the official website (https://www.wireshark.org) onto your
computer.
Launch Wireshark and select the network interface you want to capture traffic from. It could be your
Ethernet adapter, Wi-Fi interface, or any other network interface available on your machine.
Click on the "Capture" button to start capturing network packets.
Wireshark will start capturing packets in real-time. You will see a list of captured packets displayed in the
main window.
To stop the capture, click on the "Stop" button.
You can analyze captured packets by examining the details of each packet in the packet list. Click on a
packet to view its expanded details in the lower part of the window.
iii). To view the detailed contents of specific packet types in hexadecimal format (IP, TCP, ARP), follow
these steps:
Capture network traffic using Wireshark as mentioned in the previous steps.
Locate a packet of the desired type (IP, TCP, or ARP) in the packet list.
Right-click on the packet and select "Open Packet in New Window" or simply double-click on the packet.
In the new window that opens, switch to the "Hex View" tab to view the packet's contents in
hexadecimal format.
You can scroll through the packet to see the individual bytes represented in hexadecimal values.
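To show what the bytes in the hex view correspond to, here is an added Python example (not part of the original report) that decodes a constructed 42-byte ARP request frame into the Ethernet and ARP fields Wireshark labels in its detail pane, and checks that the Ethernet source MAC agrees with the ARP sender MAC. The hex dump is made up for the example; it is not a real capture.

```python
import struct

# Constructed hex dump of a 42-byte ARP request frame, laid out as Wireshark's hex view shows it
# (not a real capture; MACs use the locally administered 02: prefix, IPs are private addresses).
ARP_REQUEST_HEX = (
    "ff ff ff ff ff ff 02 11 22 33 44 55 08 06"   # Ethernet: dst, src, EtherType 0x0806
    " 00 01 08 00 06 04 00 01"                     # ARP: htype, ptype, hlen, plen, opcode
    " 02 11 22 33 44 55 c0 a8 01 0a"               # sender MAC, sender IP
    " 00 00 00 00 00 00 c0 a8 01 01"               # target MAC, target IP
)

ETHERTYPE_ARP = 0x0806
ARP_OPCODES = {1: "request", 2: "reply"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def decode_arp_frame(hex_dump):
    """Decode Ethernet II + ARP (Ethernet/IPv4 only) into the fields Wireshark's detail pane labels."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 42:
        raise ValueError(f"frame too short for Ethernet+ARP: {len(raw)} bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", raw[22:42])
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "opcode": ARP_OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac(sha), "sender_ip": ipv4(spa),
        "target_mac": mac(tha), "target_ip": ipv4(tpa),
        # The two sender MACs normally agree; a mismatch is worth a second look when reviewing ARP traffic.
        "eth_src_matches_sender": mac(src) == mac(sha),
    }

if __name__ == "__main__":
    for field, value in decode_arp_frame(ARP_REQUEST_HEX).items():
        print(f"{field:>24}: {value}")
```

To try it on a real packet, right-click the bytes pane in Wireshark, copy the packet bytes as a hex stream and pass that string to decode_arp_frame.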
iv). To follow a TCP stream in Wireshark, you can use the "Follow TCP Stream" feature. Here's how:
Locate a TCP packet in the packet list that represents the start of the TCP stream you want to follow.
Right-click on the TCP packet and select "Follow" > "TCP Stream".
A new window will open, displaying the captured packets related to that TCP stream.
The window will show the sequence of packets exchanged between the source and destination IP
addresses and ports for that particular TCP stream.
Double-click on the network interface whose traffic you want to capture (for example, Wi-Fi).