An important part of computer security is establishing the baseline behaviour of the systems that are to be protected, including their normal communication patterns. Moreover, during and after a computer security incident it is often necessary to inspect closely the network communication that was used during an attack. In this exercise you will analyse two packet captures: one from an Information Technology (IT) network and a second from an Operational Technology (OT) network. The goal is to familiarize you with several widely used communication protocols and with Wireshark, a tool for detailed analysis of captured network data.
From the Anshar CERT Analyst Client, open the PCAP file called itsamplecapture.pcapng using the Wireshark tool. The file can be found in the Packet Captures folder on the desktop of the client. Spend a moment to familiarize yourself with the file and answer the questions that are shown below. When you have entered the required details in the fields, please press the submit button to finish the exercise.
The following display filters may help you answer the questions below about the IT communications captured in the PCAP file.
Display Filter | Description |
---|---|
dns | Used to filter network traffic that is using the Domain Name System (DNS) |
dhcp | Used to filter network traffic that is using the Dynamic Host Configuration Protocol (DHCP) |
arp | Used to filter network traffic that is using the Address Resolution Protocol (ARP) |
smb | Used to filter network traffic that is using the Server Message Block (SMB) protocol |
telnet | Used to filter network traffic that is using the Telnet protocol |
http | Used to filter network traffic that is using the Hypertext Transfer Protocol (HTTP) |
From the Anshar CERT Analyst Client, open the PCAP file called OT-communication-capture.pcapng using the Wireshark tool. The file can be found in the Packet Captures folder on the desktop of the client. Spend a moment to familiarize yourself with the file and answer the questions that are shown below. When you have entered the required details in the fields, please press the submit button to finish the exercise.
The following display filters may help you to answer the following questions about the OT communications that are captured in the PCAP file.
Display Filter | Description |
---|---|
modbus | Used to filter network traffic that is using the Modbus protocol |
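The protocol-name filters in both tables above (dns, dhcp, arp, smb, telnet, http, modbus) match a frame only if Wireshark's dissectors recognised that protocol in it, which for these protocols comes down to the Ethernet type (ARP) or the well-known TCP/UDP port, plus heuristics. Traffic on a non-standard port will not match a protocol-name filter and has to be found with a port filter such as `tcp.port == 502` or a "Decode As" rule. The following added example (not part of the exercise, and not Wireshark code) makes that mapping explicit: it constructs a handful of sample frames, writes and reads them as a classic libpcap file, and classifies each frame the way the protocol-name filters would, returning Wireshark-style 1-based frame numbers. It also pulls the Modbus function code out of a Modbus/TCP request, the kind of detail the OT questions tend to ask for. All MAC and IP addresses and payloads below are constructed for the example; the toy reader handles classic pcap only, not the pcapng format of the exercise files.

```python
"""Constructed sample traffic, a minimal libpcap writer/reader, and a classifier
that mimics the ethertype/port heuristics behind Wireshark's protocol-name
display filters.  Added example; frames are constructed here, not taken from
itsamplecapture.pcapng or OT-communication-capture.pcapng."""
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
IP_A, IP_B = bytes([10, 0, 0, 10]), bytes([10, 0, 0, 20])                    # constructed

def eth(ethertype, payload, dst=MAC_B, src=MAC_A):
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload, src=IP_A, dst=IP_B):
    # ver/IHL, DSCP, total length, id, flags/frag, TTL, proto, checksum(0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport, dport, payload):
    # 20-byte header: ports, seq, ack, data offset 5, flags PSH|ACK, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload

# Modbus/TCP: MBAP header (transaction id, protocol id 0, length, unit id) then PDU
# (function code 3 = Read Holding Registers, start address 0, quantity 10)
MODBUS_READ = struct.pack("!HHHB", 1, 0, 6, 1) + struct.pack("!BHH", 3, 0, 10)

SAMPLE_FRAMES = [  # constructed sample traffic, one frame per filter plus one that matches none
    eth(ETH_ARP, struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + MAC_A + IP_A + bytes(6) + IP_B),
    eth(ETH_IPV4, ipv4(17, udp(51000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"))),
    eth(ETH_IPV4, ipv4(17, udp(68, 67, b"\x01\x01\x06\x00" + bytes(236)))),
    eth(ETH_IPV4, ipv4(6, tcp(49152, 445, b"\x00\x00\x00\x00\xfeSMB"))),
    eth(ETH_IPV4, ipv4(6, tcp(49153, 23, b"\xff\xfb\x18"))),
    eth(ETH_IPV4, ipv4(6, tcp(49154, 80, b"GET / HTTP/1.1\r\n\r\n"))),
    eth(ETH_IPV4, ipv4(6, tcp(49155, 502, MODBUS_READ))),
    eth(ETH_IPV4, ipv4(6, tcp(49156, 8443, b"\x16\x03\x01"))),
]

def write_pcap(frames):
    """Serialise frames as a classic libpcap file (little-endian, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield frames from a classic libpcap file, using the magic number to pick byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng needs a different reader)")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

# filter name -> (transport, well-known ports) as used by the corresponding dissectors
FILTER_PORTS = {
    "dns": ("udp", {53}), "dhcp": ("udp", {67, 68}),
    "smb": ("tcp", {139, 445}), "telnet": ("tcp", {23}),
    "http": ("tcp", {80}), "modbus": ("tcp", {502}),
}

def layers(frame):
    """Return (ethertype, ip_proto, sport, dport, l4_payload); None where a layer is absent."""
    if len(frame) < 14:
        return None, None, None, None, b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_IPV4 or len(frame) < 34:
        return ethertype, None, None, None, b""
    ip = frame[14:]
    proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
    if proto not in (6, 17) or len(l4) < (20 if proto == 6 else 8):
        return ethertype, proto, None, None, b""
    sport, dport = struct.unpack("!HH", l4[:4])
    hlen = (l4[12] >> 4) * 4 if proto == 6 else 8   # TCP data offset vs fixed UDP header
    return ethertype, proto, sport, dport, l4[hlen:]

def classify(frame):
    """Set of display-filter names the frame would match under the port/ethertype heuristics."""
    ethertype, proto, sport, dport, _ = layers(frame)
    if ethertype == ETH_ARP:
        return {"arp"}
    transport = {6: "tcp", 17: "udp"}.get(proto)
    return {name for name, (t, ports) in FILTER_PORTS.items()
            if transport == t and (sport in ports or dport in ports)}

def apply_filter(pcap_bytes, display_filter):
    """1-based frame numbers (Wireshark's numbering) whose frame matches the filter name."""
    return [n for n, f in enumerate(read_pcap(pcap_bytes), start=1) if display_filter in classify(f)]

def modbus_function_code(frame):
    """Function code of a Modbus/TCP frame (byte after the 7-byte MBAP header), else None."""
    _, _, _, _, payload = layers(frame)
    if "modbus" not in classify(frame) or len(payload) < 8:
        return None
    protocol_id = struct.unpack("!H", payload[2:4])[0]   # must be 0 for Modbus
    return payload[7] if protocol_id == 0 else None

if __name__ == "__main__":
    pcap = write_pcap(SAMPLE_FRAMES)
    for name in ("arp", "dns", "dhcp", "smb", "telnet", "http", "modbus"):
        print(f"{name:7s} -> frames {apply_filter(pcap, name)}")
    print("modbus function code in frame 7:", modbus_function_code(SAMPLE_FRAMES[6]))
```

Running the block lists one matching frame per filter and leaves frame 8 (TCP port 8443) unmatched by every protocol-name filter, which is exactly the case where you would fall back to `tcp.port == 8443` in Wireshark. For the real exercise files, the same filters can be applied from the command line with `tshark -r <file>.pcapng -Y modbus`, which reads the capture and prints only the frames that satisfy the display filter.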