CSW222

cyber security file

Uploaded by

Tanya Singh

Experiment No.

Aim: Detecting Suspicious Activity: Analyse network traffic to identify suspicious patterns, such
as repeated connection attempts or unusual communication between hosts.

Brief Description: HTTPS traffic analysis: The Hypertext Transfer Protocol (HTTP) is an
application-layer protocol used over the internet whenever an HTTP client or server transmits or
receives HTTP requests.

TCP traffic analysis: A standard port scan takes advantage of the TCP three-way handshake. The
attacker sends a SYN packet to the target port. The port is considered open when the attacker
receives SYN+ACK as a response, whereas the arrival of RST shows the port is closed.

Step 1: Start Capturing Packets:

Click on the 'Start' button or use the Ctrl + E shortcut to commence packet capture.

Step 2: Analyse Network Traffic:

Wireshark will begin capturing packets in real time. Observe the captured packets in the main
window.

Fig 1 : Analyse Network Traffic

Step 3: Identify Suspicious Patterns:

Look for unusual or suspicious patterns in the network traffic. Some common suspicious activities
to watch out for include:

• Unusual volume of traffic: Sudden spikes or unusual patterns in data transfer rates may indicate
malicious activity such as a DDoS attack.
• Repeated connection attempts: Numerous connection attempts to a specific host or port could
be a sign of port scanning or brute-force attacks.

• Unusual protocols: Detection of unfamiliar or uncommon protocols may indicate attempts to
evade detection by using non-standard communication methods.

• Unusual packet sizes: Large packets or abnormally small packets may suggest data exfiltration
or network scanning.

• Unauthorised access attempts: Look for packets containing login attempts, authentication
failures, or access to restricted resources.

• Unusual communication patterns: Analyse the communication between hosts to identify any
abnormal behaviours such as communication between hosts that typically do not interact.

Step 4: Use Filters:

Apply filters in Wireshark to focus on specific types of traffic that may be indicative of suspicious
activity. For example:

o Filter for TCP SYN packets (tcp.flags.syn==1) to identify TCP connection attempts.

o Filter for large packets (frame.len > size) to detect potential data exfiltration attempts.

Fig 2 : Use Filters
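As an added example (not part of this lab file), the repeated-connection-attempt pattern from Step 3 and the SYN filter from Step 4 applied offline in Python: the script reads constructed tshark-style summary lines (source, destination, ports, flag label) and flags a source that sends bare SYNs to many ports on one host, classifying each port as open (SYN+ACK reply) or closed (RST reply) exactly as the Brief Description explains. The sample capture, its flag labels and the threshold of five ports are assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample in the layout of `tshark -T fields -e ip.src -e ip.dst
# -e tcp.srcport -e tcp.dstport` plus a flag label; one packet per line.
SAMPLE_CAPTURE = """\
10.0.0.5 10.0.0.9 51000 22 SYN
10.0.0.9 10.0.0.5 22 51000 SYN+ACK
10.0.0.5 10.0.0.9 51000 22 ACK
10.0.0.7 10.0.0.9 40001 21 SYN
10.0.0.9 10.0.0.7 21 40001 RST
10.0.0.7 10.0.0.9 40002 23 SYN
10.0.0.9 10.0.0.7 23 40002 RST
10.0.0.7 10.0.0.9 40003 80 SYN
10.0.0.9 10.0.0.7 80 40003 SYN+ACK
10.0.0.7 10.0.0.9 40004 443 SYN
10.0.0.9 10.0.0.7 443 40004 RST
10.0.0.7 10.0.0.9 40005 8080 SYN
10.0.0.9 10.0.0.7 8080 40005 RST
"""

def parse_capture(text):
    """Turn summary lines into (src, dst, sport, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            src, dst, sport, dport, flags = line.split()
            records.append((src, dst, int(sport), int(dport), flags))
    return records

def detect_port_scans(records, min_ports=5):
    """Flag (scanner, target) pairs whose bare SYNs hit >= min_ports distinct ports."""
    probed = defaultdict(set)   # (scanner, target) -> ports that received a bare SYN
    replies = {}                # (target, scanner, probed port) -> reply flags
    for src, dst, sport, dport, flags in records:
        if flags == "SYN":
            probed[(src, dst)].add(dport)
        elif flags in ("SYN+ACK", "RST"):
            replies[(src, dst, sport)] = flags   # the reply leaves from the probed port
    findings = []
    for (scanner, target), ports in sorted(probed.items()):
        if len(ports) < min_ports:
            continue   # a handful of ports is ordinary traffic, not a scan
        # SYN+ACK means the port answered as open, RST means closed (three-way handshake).
        status = {p: replies.get((target, scanner, p)) for p in ports}
        findings.append({
            "scanner": scanner, "target": target, "ports_probed": len(ports),
            "open_ports": sorted(p for p, s in status.items() if s == "SYN+ACK"),
            "closed_ports": sorted(p for p, s in status.items() if s == "RST"),
        })
    return findings
```

On the sample, only 10.0.0.7 is reported: it probed five ports on 10.0.0.9, of which port 80 answered SYN+ACK and the rest RST, while the single SSH connection from 10.0.0.5 stays below the threshold.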

Step 5: Follow TCP Streams:

Follow TCP streams for suspicious connections to analyse the full conversation between hosts
and identify any malicious payloads or commands being transmitted.

Fig 3 : Inspect traffic

Step 6: Inspect DNS Traffic:

DNS traffic can often reveal malicious activity such as domain generation algorithms (DGAs) used
by malware. Look for patterns in DNS requests that may indicate malicious domain names.

Step 7: Stop Capturing Packets:

Once you have gathered sufficient data for analysis, stop the packet capture by clicking on the
'Stop' button or using the Ctrl+E shortcut.

Step 8: Analyse Captured Data:

Fig 4 : Analyse Data

Review the captured packets and analyse them in detail to confirm any suspicions of malicious
activity.

Step 9: Document Findings:

Document your findings, including any suspicious patterns or activities observed during the
packet analysis.

By following these steps, you can detect and analyse suspicious activity on your network.

Fig 5: Analysis details
