Network Traffic Analysis with Wireshark
Network traffic analysis is a critical skill for any IT professional, especially those working in cybersecurity. Understanding how to analyze network traffic can help you identify security threats, troubleshoot network issues, and optimize network performance. One of the most popular tools for network traffic analysis is Wireshark, a free and open-source packet analyzer. Here we will utilize Wireshark to capture and analyze network traffic.
The Google Cybersecurity course provides a scenario that I'll outline here.
Network Traffic Analysis - Activity Instructions
Activity Overview
In this activity, you will consider a scenario involving a customer of the company that you work for who experiences a security issue when accessing the company’s website. You will identify the likely cause of the service interruption. Then, you will explain how the attack occurred and the negative impact it had on the website.
Scenario
Review the following scenario. Then complete the step-by-step instructions.
You work as a security analyst for a travel agency that advertises sales and promotions on the company’s website. The employees of the company regularly access the company’s sales webpage to search for vacation packages their customers might like.
One afternoon, you receive an automated alert from your monitoring system indicating a problem with the web server. You attempt to visit the company’s website, but you receive a connection timeout error message in your browser.
You use a packet sniffer to capture data packets in transit to and from the web server. You notice a large number of TCP SYN requests coming from an unfamiliar IP address. The web server appears to be overwhelmed by the volume of incoming traffic and is losing its ability to respond to the abnormally large number of SYN requests. You suspect the server is under attack by a malicious actor.
You take the server offline temporarily so that the machine can recover and return to a normal operating status. You also configure the company’s firewall to block the IP address that was sending the abnormal number of SYN requests. You know that your IP blocking solution won’t last long, as an attacker can spoof other IP addresses to get around this block. You need to alert your manager about this problem quickly and discuss the next steps to stop this attacker and prevent this problem from happening again. You will need to be prepared to tell your boss about the type of attack you discovered and how it was affecting the web server and employees.
Step-By-Step Instructions
The template below will be used to complete the activity.
1. Cybersecurity Incident Report
| Section 1: Identify the type of attack that may have caused this network interruption |
|---|
| One potential explanation for the website's connection timeout error message is: |
| The logs show that: |
| This event could be: |

| Section 2: Explain how the attack is causing the website to malfunction |
|---|
| When website visitors try to establish a connection with the web server, a three-way handshake occurs using the TCP protocol. Explain the three steps of the handshake: 1. 2. 3. |
| Explain what happens when a malicious actor sends a large number of SYN packets all at once: |
| Explain what the logs indicate and how that affects the server: |
2. Resources
I'll be using these Wireshark Log resources to complete the activity.
3. Identify the type of attack causing this network interruption
Here are some questions to consider when determining what type of attack occurred:
- What do you currently understand about network attacks?
- Which type of attack would likely result in the symptoms described in the scenario?
- What is the difference between a denial of service (DoS) and distributed denial of service (DDoS)?
- Why is the website taking a long time to load and reporting a connection timeout error?
Try to identify patterns in the logged network traffic. Analyze the patterns to determine which type of network attack occurred. Write your analysis in section one of the Cybersecurity incident report template provided.
4. Explain how the attack is causing the website to malfunction
Review the Wireshark reading from step 2, then write your analysis in section two of the Cybersecurity incident report template provided.
When writing your report, discuss the network devices and activities that are involved in the interruption. Include the following information in your explanation:
- Describe the attack. What are the main symptoms or characteristics of this specific type of attack?
- Explain how it affected the organization’s network. How does this specific network attack affect the website and how it functions?
- Describe the potential consequences of this attack and how it negatively affects the organization.
- Optional: Suggest potential ways to secure the network so this attack can be prevented in the future.
Be sure to address the following in your completed activity:
- The name of the network intrusion attack
- A description of how the attack negatively impacts network performance
Wireshark Log Analysis
Steps to Arrive at the Solution
Questions to Consider:
What do you currently understand about network attacks?
- Network attacks are malicious attempts to disrupt, steal, or damage a network or system.
- The goals of network attacks can vary, including data theft, service disruption, or system damage.
- Network attacks can target various network layers or specific devices or services.
- Common network attacks include denial-of-service (DoS) attacks and distributed denial-of-service (DDoS) attacks.
- Network attacks can be launched by individuals, groups, or organizations with malicious intent.
Which type of attack would likely result in the symptoms described in the scenario?
- The symptoms described in the scenario, including a large number of TCP SYN requests from an unfamiliar IP address, suggest a SYN flood attack.
- A SYN flood attack is a type of DoS attack that targets the three-way handshake process of the TCP protocol.
- In a SYN flood attack, the attacker sends a large number of SYN packets to the target server, overwhelming its resources and preventing legitimate connections from being established.
- Since the web server is losing its ability to respond to the abnormally large number of SYN requests, it is likely under a SYN flood attack.
- Given that the attack traffic comes from a single source IP address, it is more likely a DoS attack than a DDoS attack.
What is the difference between a denial of service (DoS) and distributed denial of service (DDoS)?
- A denial-of-service (DoS) attack is a type of cyber attack that aims to disrupt the normal operation of a network, system, or service by overwhelming it with a flood of illegitimate traffic.
- In a DoS attack, the attacker typically uses a single source to generate the malicious traffic, making it easier to identify and block the attacker.
- A distributed denial-of-service (DDoS) attack is a more sophisticated form of DoS attack that involves multiple sources (botnets) coordinating to flood the target with traffic.
- DDoS attacks are more challenging to mitigate because they come from multiple sources, making it harder to distinguish legitimate traffic from malicious traffic.
Why is the website taking a long time to load and reporting a connection timeout error?
- The website is taking a long time to load and reporting a connection timeout error because the web server is overwhelmed by the volume of incoming SYN requests.
- When a client tries to establish a connection with the web server, it initiates a three-way handshake using the TCP protocol: SYN, then SYN-ACK, then ACK.
- In a SYN flood attack, the attacker sends a large number of SYN packets to the target server without completing the three-way handshake.
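The detection logic the answers above describe (count SYNs from each source that never reach the final ACK of the handshake, then ask whether the offending traffic comes from one address or many) can be put into a short script. The following is an added example written for this write-up; it is not code from the Google course or from Wireshark. The packet records are constructed to mimic the time, source, destination and TCP-flag columns of a Wireshark/tshark export, and the addresses, field names and the threshold of 20 half-open handshakes are assumptions for illustration. It goes slightly beyond the scenario by also classifying a constructed multi-source capture as DDoS-like.

```python
"""Detect a TCP SYN flood in a packet log and label it single-source
(DoS-like) or multi-source (DDoS-like).

Added example, not part of the original write-up or the Google course.
Addresses are from documentation ranges (TEST-NET), the record layout
mimics a Wireshark/tshark export, and the threshold is an assumption.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    time: float   # capture timestamp, seconds
    src: str      # source IP
    dst: str      # destination IP
    syn: bool     # TCP SYN flag set
    ack: bool     # TCP ACK flag set


SERVER = "192.0.2.10"  # placeholder address for the company web server

# Constructed capture: one legitimate client completes the handshake
# (SYN, SYN-ACK, ACK), then a single unfamiliar address sends a burst
# of SYNs and never answers the server's SYN-ACKs.
SAMPLE_CAPTURE = [
    Packet(0.000, "203.0.113.5", SERVER, syn=True, ack=False),   # client SYN
    Packet(0.001, SERVER, "203.0.113.5", syn=True, ack=True),    # server SYN-ACK
    Packet(0.002, "203.0.113.5", SERVER, syn=False, ack=True),   # client ACK
] + [
    Packet(0.010 + i * 0.001, "198.51.100.77", SERVER, syn=True, ack=False)
    for i in range(50)                                           # flood of SYNs
] + [
    Packet(0.011 + i * 0.001, SERVER, "198.51.100.77", syn=True, ack=True)
    for i in range(50)                                           # SYN-ACKs, never ACKed
]

# Constructed capture with the same volume spread over five addresses.
DISTRIBUTED_CAPTURE = [
    Packet(i * 0.001, f"198.51.100.{10 + (i % 5)}", SERVER, syn=True, ack=False)
    for i in range(150)
]


def half_open_by_source(packets, server):
    """Count handshakes toward `server` that were opened by a SYN but never
    closed by the client's final ACK, grouped by client address.

    Simplification: without port numbers this is a per-source tally rather
    than a per-connection state machine, which is enough to surface a flood.
    """
    pending = Counter()
    for p in packets:
        if p.dst != server:
            continue                       # only traffic arriving at the server
        if p.syn and not p.ack:
            pending[p.src] += 1            # new handshake opened
        elif p.ack and not p.syn and pending[p.src] > 0:
            pending[p.src] -= 1            # third step of the handshake seen
    return {src: n for src, n in pending.items() if n > 0}


def classify_flood(half_open, syn_threshold=20):
    """Flag sources with at least `syn_threshold` half-open handshakes and say
    whether the flood comes from one address (DoS) or several (DDoS)."""
    offenders = {src: n for src, n in half_open.items() if n >= syn_threshold}
    if not offenders:
        return {"attack": None, "sources": {}}
    kind = ("SYN flood (single source, DoS)" if len(offenders) == 1
            else "SYN flood (multiple sources, DDoS)")
    return {"attack": kind, "sources": offenders}


def analyze(packets, server, syn_threshold=20):
    """Run the two steps above over a capture and return the verdict."""
    return classify_flood(half_open_by_source(packets, server), syn_threshold)


if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE, SERVER))
    print(analyze(DISTRIBUTED_CAPTURE, SERVER))
```

The same pattern is visible inside Wireshark without scripting: the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` isolates bare SYNs, and Statistics > Conversations shows how many of them come from each address. A per-source count such as this one is a detection aid, not a full mitigation; the scenario itself notes that a source-IP block is short-lived because the sender can spoof other addresses.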
| Section 1: Identify the type of attack that may have caused this network interruption |
|---|
| One potential explanation for the website's connection timeout error message is: The system is under a DoS attack known as a SYN flood attack. |
| The logs show that: The web server is receiving a large number of TCP SYN requests from an unfamiliar IP address. |
| This event could be: a SYN flood attack. |
| Section 2: Explain how the attack is causing the website to malfunction |
|---|
| When website visitors try to establish a connection with the web server, a three-way handshake occurs using the TCP protocol. Explain the three steps of the handshake: 1. The client sends a SYN packet to the web server. 2. The server replies with a SYN-ACK packet. 3. The client sends an ACK packet, completing the connection. |
| Explain what happens when a malicious actor sends a large number of SYN packets all at once: The attacker sends a large number of SYN packets to the server without completing the three-way handshake, overwhelming its resources and preventing legitimate connections from being established. |
| Explain what the logs indicate and how that affects the server: The logs show a large number of TCP SYN requests from an unfamiliar IP address. The web server is overwhelmed by the volume of incoming SYN requests and loses its ability to respond, so visitors receive a connection timeout error. |