Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.
  • Labs icon Lab
  • A Cloud Guru
Google Cloud Platform icon
Labs

Using Wireshark to Identify Malicious Network Activity

In this lab, we will learn how to use Wireshark to identify malicious network traffic. We will download two packet captures and analyze them, checking for signs of beaconing and exfiltration via DNS tunneling.

Try for free Contact sales
Google Cloud Platform icon
Labs

Path Info

Level
Clock icon Beginner
Duration
Clock icon 30m
Published
Clock icon Mar 18, 2019

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

Table of Contents

  1. Challenge

    Install Wireshark.

    1. Use your preferred VNC client to connect to the host using the provided public IP on port 5901.
    2. Run the commands sudo apt-get update and sudo apt-get install -y wireshark.
    3. When asked if you want to allow non-superusers to capture packets, select Yes.

  2. Challenge

    Download and analyze packet captures.

    Download the following PCAP files to the Downloads directory:

    • https://github.com/linuxacademy/content-cysa-wiresharkanalysis/blob/master/dns-tunneling.pcap
    • https://github.com/linuxacademy/content-cysa-wiresharkanalysis/blob/master/beaconing.pcap

  3. Challenge

    Create the firewall rules.

    1. Use Gedit to create a file named firewall-rules.txt and save it on the Desktop.
    2. Review the two packet captures and identify the source and destination involved in beaconing and DNS tunneling, and create a rule for each of the two activities.
    3. The firewall-rules.txt file should contain two access lists which following the format outlined in the Guide. Remember Linux is case sensitive.
    4. The firewall rule to block beaconing is:
      access-list BLOCK deny TCP 192.168.122.212/32 188.120.247.14/32 eq 80
    5. The firewall rule to block DNS tunneling is:
      access-list BLOCK deny UDP 10.0.2.30/32 10.0.2.20/32 eq 53
A Cloud Guru - Labs - Using Wireshark to Identify Malicious Network Activity
Author
A Cloud Guru

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Provided environment for hands-on practice

We will provide the credentials and environment necessary for you to practice right within your browser.

Guided walkthrough

Follow along with the author’s guided walkthrough and build something new in your provided environment!

Did you know?

On average, you retain 75% more of your learning if you get time for practice.

Start learning by doing today

View Plans