Network Analysis



Description

An important part of computer security is determining the baseline behaviour of the systems that are to be protected. This includes understanding their normal communication patterns. Moreover, during and after a computer security incident it may prove necessary to closely inspect the network communication that was used during an attack. In this exercise, you will perform an analysis of two packet captures: one from an Information Technology (IT) network and a second from an Operational Technology (OT) network. The goal of this exercise is to familiarize you with several widely used communication protocols and with the Wireshark tool, which can be used to perform detailed analyses of network data.


IT Network Traffic Analysis

Instructions

From the Anshar CERT Analyst Client, open the PCAP file called itsamplecapture.pcapng using the Wireshark tool. The file can be found in the Packet Captures folder on the desktop of the client. Spend a moment to familiarize yourself with the file and answer the questions that are shown below. When you have entered the required details in the fields, please press the submit button to finish the exercise.


Useful Display Filters

The following display filters may help you to answer the questions below about the IT communications that are captured in the PCAP file.

Display Filter    Description
dns               Used to filter network traffic that is using the Domain Name System (DNS)
dhcp              Used to filter network traffic that is using the Dynamic Host Configuration Protocol (DHCP)
arp               Used to filter network traffic that is using the Address Resolution Protocol (ARP)
smb               Used to filter network traffic that is using the Server Message Block (SMB) protocol
telnet            Used to filter network traffic that is using the Telnet protocol
http              Used to filter network traffic that is using the Hypertext Transfer Protocol (HTTP)

IT Network Analysis Findings


OT Network Traffic Analysis

Instructions

From the Anshar CERT Analyst Client, open the PCAP file called OT-communication-capture.pcapng using the Wireshark tool. The file can be found in the Packet Captures folder on the desktop of the client. Spend a moment to familiarize yourself with the file and answer the questions that are shown below. When you have entered the required details in the fields, please press the submit button to finish the exercise.


Useful Display Filters

The following display filter may help you to answer the questions below about the OT communications that are captured in the PCAP file.

Display Filter    Description
modbus            Used to filter network traffic that is using the Modbus protocol
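The filter names in the IT table above and in this Modbus table correspond, at the transport level, to an EtherType check (arp) or a well-known port check (dns, dhcp, telnet, http, smb, modbus). The following Python script is an added example, not part of the exercise, that applies those same checks to a few constructed Ethernet frames and tallies them into the kind of protocol baseline the Description section refers to. The frame builder, the dummy addresses and the port table are assumptions; Wireshark's dissectors also apply heuristics, so this is only an approximation of what the filters match.

```python
import struct
from collections import Counter

ETHERTYPE_ARP, ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 0x0806, 0x0800, 6, 17
# Well-known ports behind the filter names (assumed approximation: Wireshark's dissectors also use heuristics).
TCP_PORTS = {23: "telnet", 80: "http", 445: "smb", 502: "modbus"}
UDP_PORTS = {53: "dns", 67: "dhcp", 68: "dhcp"}

def classify_frame(frame: bytes) -> str:
    """Return the display-filter name a raw Ethernet frame would match, or 'other'."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_ARP:
        return "arp"
    if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
        return "other"
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]  # IPv4 header length in bytes, L4 protocol number
    l4 = ip[ihl:]
    if len(l4) < 4:
        return "malformed"
    sport, dport = struct.unpack("!HH", l4[:4])
    table = TCP_PORTS if proto == PROTO_TCP else UDP_PORTS if proto == PROTO_UDP else {}
    return table.get(dport) or table.get(sport) or "other"  # either direction counts

def build_frame(proto: int, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame with dummy (constructed) addresses."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:  # 20-byte TCP header, PSH|ACK, no options
        l4 = struct.pack("!HHLLBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    else:                   # 8-byte UDP header, checksum left at zero
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + l4 + payload

def arp_frame() -> bytes:
    """Broadcast ARP frame with a zeroed body; only the EtherType matters to the filter."""
    return b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28

def baseline(frames) -> dict:
    """Protocol histogram, i.e. the 'normal communication pattern' of a capture."""
    return dict(Counter(classify_frame(f) for f in frames))

# Constructed traffic mix: Modbus/TCP Read Holding Registers query (FC 3) and reply, a DNS query, an HTTP segment, an ARP broadcast.
SAMPLE = [build_frame(PROTO_TCP, 40000, 502, bytes.fromhex("000100000006010300000004")),
          build_frame(PROTO_TCP, 502, 40000, bytes.fromhex("000100000003010300")),
          build_frame(PROTO_UDP, 50001, 53), build_frame(PROTO_TCP, 50002, 80), arp_frame()]
if __name__ == "__main__": print(baseline(SAMPLE))  # {'modbus': 2, 'dns': 1, 'http': 1, 'arp': 1}
```

On a real capture, the same histogram computed over a known-good period gives the baseline against which a later capture's protocol mix (an unexpected telnet or smb bucket on the OT network, for instance) can be compared.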

OT Network Analysis Findings
