@adricnet
Last active November 25, 2016 18:30
Work on MTA exercise 2015-07-11-traffic-analysis-exercise.pcap

Did: used tshark to pull out all of the DNS domains asked for, isolated the workstation hostname (common pattern: the first queried name containing a hyphen), produced stats reports for endpoints (Ethernet and IP), decoded one packet to get the source IP and address (checked it was right), and pulled out all of the HTTP request URIs; no referers were seen.

$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y dns.qry.name -T fields -e dns.qry.name -q | grep '-' | head -1 > mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y dns.qry.name -T fields -e dns.qry.name | sort -u > mta-20150711-dns-domains
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -z endpoints,ip -q | head -2 >> mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -z endpoints,ether -q >> mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -c1 -V | grep -i src >> mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y http -T fields -e http.request.full_uri -e http.referer | sort -u > mta-20150711-http

Got the workstation name, its IP and MAC, the other IPs involved, and the DNS questions and HTTP requests seen.


$ cat mta-20150711-id 
Pyndrine-PC
================================================================================
IPv4 Endpoints
================================================================================
Ethernet Endpoints
Filter:<No Filter>
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
00:21:9b:5b:d1:7a           3965       3317234       1462          142807        2503         3174427   
a8:b1:d4:ac:fe:7d           3889       3310728       2503         3174427        1386          136301   
ff:ff:ff:ff:ff:ff             34          3844          0               0          34            3844   
01:00:5e:00:00:16             26          1560          0               0          26            1560   
01:00:5e:00:00:fc             16          1102          0               0          16            1102   
================================================================================
Ethernet II, Src: 00:21:9b:5b:d1:7a, Dst: 01:00:5e:00:00:16
Internet Protocol Version 4, Src: 192.168.137.83, Dst: 224.0.0.22
        Num Src: 0
        
$ cat mta-20150711-dns-domains 
docs233.com
download.windowsupdate.com
google.com
icanhazip.com
isatap
isatap.mshome.net
_ldap._tcp.dc._msdcs.mshome.net
mx.docs233.com
Pyndrine-PC
statsfe2.update.microsoft.com
stun.sipgate.net
teredo.ipv6.microsoft.com
time.windows.com
wpad
wpad.mshome.net
www.bing.com
www.download.windowsupdate.com
www.msftncsi.com
www.update.microsoft.com

$ cat mta-20150711-http 
	
http://38.65.142.12:12572/WY22/PYNDRINE-PC/0/61-SP1/0/FGBFHKBEHLBMG	
http://38.65.142.12:12572/WY22/PYNDRINE-PC/41/5/4/FGBFHKBEHLBMG	
http://62.210.114.67/ml1from2.tar	
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1507101531	
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1507101546	
http://icanhazip.com/	
http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx	
http://www.bing.com/favicon.ico	
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	
http://www.msftncsi.com/ncsi.txt
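The two `-T fields` listings above are easier to work through with a small triage script than by eye. This added example (not part of the gist) parses tshark's tab-separated field output, drops the empty rows that HTTP responses produce when only request fields are asked for, and flags the requests and queries that stand out; the allow-lists of Windows background names and the external-IP-lookup set are assumptions for this capture and should be tuned per environment.

```python
import re
from urllib.parse import urlsplit

# Rows copied from the gist's tshark output; the first HTTP row is a response (both fields empty).
HTTP_FIELDS = """\
\t
http://38.65.142.12:12572/WY22/PYNDRINE-PC/0/61-SP1/0/FGBFHKBEHLBMG\t
http://62.210.114.67/ml1from2.tar\t
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1507101531\t
http://icanhazip.com/\t
http://www.msftncsi.com/ncsi.txt\t
"""
DNS_FIELDS = ("docs233.com\nisatap\n_ldap._tcp.dc._msdcs.mshome.net\nmx.docs233.com\n"
              "Pyndrine-PC\ntime.windows.com\nwpad\nwww.update.microsoft.com\n")

# Allow-lists are assumptions for this capture: Windows background traffic and local-network names.
BENIGN_SUFFIXES = (".windowsupdate.com", ".microsoft.com", ".windows.com",
                   ".msftncsi.com", ".bing.com", ".mshome.net")
LOCAL_NAMES = {"wpad", "isatap"}
EXTERNAL_IP_SERVICES = {"icanhazip.com"}   # assumption: services that reveal the public IP
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_fields(text):
    """Split '-T fields' output into rows, dropping rows whose fields are all empty."""
    return [cells for cells in (line.split("\t") for line in text.splitlines()) if any(cells)]

def triage_http(text):
    """Map each request URI worth a closer look to the reasons it was flagged."""
    findings = {}
    for cells in parse_fields(text):
        uri = cells[0]
        if not uri:                      # referer present but no request URI: nothing to judge
            continue
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        reasons = []
        if BARE_IP.match(host):
            reasons.append("bare IP host")
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
        if parts.path.lower().endswith((".tar", ".zip", ".exe", ".dll")):
            reasons.append("archive/executable download")
        if host in EXTERNAL_IP_SERVICES:
            reasons.append("external IP lookup")
        if reasons:
            findings[uri] = reasons
    return findings

def triage_dns(text, workstation):
    """Queried names that are neither the workstation, local-network names nor known background noise."""
    names = (cells[0] for cells in parse_fields(text))
    return [n for n in names if n.lower() != workstation.lower() and n.lower() not in LOCAL_NAMES
            and not n.lower().endswith(BENIGN_SUFFIXES)]
```

Feed it the real files with `triage_http(open("mta-20150711-http").read())` and `triage_dns(open("mta-20150711-dns-domains").read(), "Pyndrine-PC")`; the flagged set is a starting point for pivoting back into the pcap, not a verdict.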
