Did: tshark pulled out all of the DNS domains asked for, isolated the workstation hostname (common pattern), produced a stats report for endpoints (ether and IP), decoded one packet for the src IP and addr (checked it was right), and pulled out all of the HTTP request URIs; no referrers were seen.
# workstation hostname: the first queried name containing a '-' (common pattern for WORKSTATION-PC style names)
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y dns.qry.name -T fields -e dns.qry.name -q | grep '-' | head -1 > mta-20150711-id
# every DNS name asked for, de-duplicated
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y dns.qry.name -T fields -e dns.qry.name | sort -u > mta-20150711-dns-domains
# IPv4 endpoint stats (header only via head -2) and full Ethernet endpoint stats, appended to the id file
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -z endpoints,ip -q | head -2 >> mta-20150711-id
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -z endpoints,ether -q >> mta-20150711-id
# decode the first packet verbosely and keep the Src lines (MAC and IP of the host)
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -c1 -V | grep -i src >> mta-20150711-id
# every HTTP request URI plus its Referer (if any), de-duplicated
$ tshark -n -r 2015-07-11-traffic-analysis-exercise.pcap -Y http -T fields -e http.request.full_uri -e http.referer | sort -u > mta-20150711-http
Got workstation name, IP and MAC, IPs involved, along with the DNS questions and HTTP requests seen.
$ cat mta-20150711-id
Pyndrine-PC
================================================================================
IPv4 Endpoints
================================================================================
Ethernet Endpoints
Filter:<No Filter>
                     Packets      Bytes  Tx Packets    Tx Bytes  Rx Packets    Rx Bytes
00:21:9b:5b:d1:7a       3965    3317234        1462      142807        2503     3174427
a8:b1:d4:ac:fe:7d       3889    3310728        2503     3174427        1386      136301
ff:ff:ff:ff:ff:ff         34       3844           0           0          34        3844
01:00:5e:00:00:16         26       1560           0           0          26        1560
01:00:5e:00:00:fc         16       1102           0           0          16        1102
================================================================================
Ethernet II, Src: 00:21:9b:5b:d1:7a, Dst: 01:00:5e:00:00:16
Internet Protocol Version 4, Src: 192.168.137.83, Dst: 224.0.0.22
Num Src: 0
$ cat mta-20150711-dns-domains
docs233.com
download.windowsupdate.com
google.com
icanhazip.com
isatap
isatap.mshome.net
_ldap._tcp.dc._msdcs.mshome.net
mx.docs233.com
Pyndrine-PC
statsfe2.update.microsoft.com
stun.sipgate.net
teredo.ipv6.microsoft.com
time.windows.com
wpad
wpad.mshome.net
www.bing.com
www.download.windowsupdate.com
www.msftncsi.com
www.update.microsoft.com
$ cat mta-20150711-http
http://38.65.142.12:12572/WY22/PYNDRINE-PC/0/61-SP1/0/FGBFHKBEHLBMG
http://38.65.142.12:12572/WY22/PYNDRINE-PC/41/5/4/FGBFHKBEHLBMG
http://62.210.114.67/ml1from2.tar
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1507101531
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1507101546
http://icanhazip.com/
http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
http://www.bing.com/favicon.ico
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
http://www.msftncsi.com/ncsi.txt
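As a follow-up triage step over the two listings above, here is an added example (my code, not part of the original notes or of tshark) that re-reads the DNS-name and HTTP-URI extracts and flags the requests a defender would look at first. The hostname and both lists are copied from the page's output files; the heuristics themselves (IP-literal host, non-standard port, workstation name echoed in the URL path, archive download, names resolved but never fetched over HTTP) are my choice and not something the original notes describe.

```python
"""Triage helper over the tshark extracts above (added example, not part of the
original notes).  Flags HTTP requests that stand out and lists DNS names that
were resolved but never requested over HTTP, so the analyst knows where to
point the next display filter."""
import ipaddress
from urllib.parse import urlsplit

# Copied from mta-20150711-id (first line) and the two listings above.
WORKSTATION = "Pyndrine-PC"

DNS_DOMAINS = """docs233.com
download.windowsupdate.com
google.com
icanhazip.com
isatap
isatap.mshome.net
_ldap._tcp.dc._msdcs.mshome.net
mx.docs233.com
Pyndrine-PC
statsfe2.update.microsoft.com
stun.sipgate.net
teredo.ipv6.microsoft.com
time.windows.com
wpad
wpad.mshome.net
www.bing.com
www.download.windowsupdate.com
www.msftncsi.com
www.update.microsoft.com""".split()

HTTP_URIS = """http://38.65.142.12:12572/WY22/PYNDRINE-PC/0/61-SP1/0/FGBFHKBEHLBMG
http://38.65.142.12:12572/WY22/PYNDRINE-PC/41/5/4/FGBFHKBEHLBMG
http://62.210.114.67/ml1from2.tar
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1507101531
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1507101546
http://icanhazip.com/
http://statsfe2.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
http://www.bing.com/favicon.ico
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
http://www.msftncsi.com/ncsi.txt""".split()


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_uri(uri, workstation=WORKSTATION):
    """Return the reasons a URI stands out; an empty list means nothing notable."""
    parts = urlsplit(uri)
    reasons = []
    if is_ip_literal(parts.hostname or ""):
        reasons.append("ip-literal host")
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parts.port}")
    if workstation.lower() in parts.path.lower():
        reasons.append("workstation name in path")   # victim identifier leaking in a check-in
    if parts.path.lower().endswith((".tar", ".exe", ".zip")):
        reasons.append("archive/executable download")
    return reasons


def triage(uris=HTTP_URIS, dns_domains=DNS_DOMAINS):
    """Return ({uri: reasons} for flagged URIs, sorted DNS names never fetched over HTTP)."""
    flagged = {}
    for uri in uris:
        reasons = flag_uri(uri)
        if reasons:
            flagged[uri] = reasons
    http_hosts = {urlsplit(u).hostname for u in uris}
    # Resolved but not contacted over HTTP: candidates for non-HTTP traffic (an MX
    # name hints at SMTP).  Single-label names (wpad, isatap, the host itself) are
    # local lookups and skipped.
    resolved_not_fetched = sorted(
        d for d in dns_domains if "." in d and d not in http_hosts
    )
    return flagged, resolved_not_fetched


if __name__ == "__main__":
    flagged, unfetched = triage()
    for uri, reasons in flagged.items():
        print(f"{uri}\n    {', '.join(reasons)}")
    print("resolved but not fetched over HTTP:")
    for name in unfetched:
        print(f"    {name}")
```

Run against the page's lists, the two 38.65.142.12:12572 requests and the .tar fetch from 62.210.114.67 are the only flagged URIs, and docs233.com / mx.docs233.com show up in the resolved-but-not-fetched set, which is the cue to filter for the other protocols to those hosts in the next pass.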