This shows you the differences between two versions of the page.
ep:labs:09:contents:tasks:ex3 [2021/12/04 18:50] andrei.mirciu [03. [30p] Network Monitoring] |
ep:labs:09:contents:tasks:ex3 [2021/12/07 23:16] (current) andrei.mirciu [03. [30p] Network Monitoring] |
Line 5: | Line 5: | ||
</note> | </note> | ||
- | We want to check the network traffic generated by the //Winhttp.exe// program (located in the //Debug// folder, after successfully running the code). By looking at its code, it can be noticed that it makes a request to www.sociouman-usamvb.ro. | + | We want to check the network traffic generated by the //Winhttp.exe// file (a program that downloads //putty.exe//; it is located in the //Debug// folder, after successfully running the code). By looking at its content, it can be noticed that it makes a request to www.sociouman-usamvb.ro. |
+ | |||
+ | <spoiler> | ||
+ | As in the case of the CPU, inspecting the events that take place on the network involves some amount of work for the analyst. However, since this is a simple case, we can just expand the view on the traffic generated by //Winhttp.exe//, and notice the request for //putty.exe//. If it is still not clear why some requests are there or why they last so long, we can integrate the application that we wish to investigate with Process Monitor. This way, we can insert logging elements to find out what request are made and how long they take. Furthermore, the part with timing the requests and traffic can be determined straight from Network Monitor, by considering the times of the packets. | ||
+ | </spoiler> | ||
+ | |||
+ | :!: Monitor the network traffic generated by //Winhttp.exe// using **Task Manager**, **Windows Performance Recorder** and **Microsoft Network Monitor**. | ||
:!: Using **Wireshark**, capture all the frames generated after running this program. Is it possible to extract the conversation data from the packet exchange? Justify your answer. | :!: Using **Wireshark**, capture all the frames generated after running this program. Is it possible to extract the conversation data from the packet exchange? Justify your answer. | ||
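Review bot: In the added spoiler block, the solution is shown before the task it answers; the `:!:` line "Monitor the network traffic generated by Winhttp.exe using Task Manager, Windows Performance Recorder and Microsoft Network Monitor" should come first and the `<spoiler>` after it, so students read the question before the answer. Two smaller points in the same block: "find out what request are made" should read "what requests are made", and "integrate the application ... with Process Monitor" / "insert logging elements" is misleading, since Process Monitor records file, registry, process and network events from outside the target without instrumenting it; suggest "trace the application with Process Monitor to see which connections it opens and how long each takes".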
Line 12: | Line 18: | ||
- Click the //Start// button and run //Winhttp.exe//. After //Winhttp.exe// stops, click the Stop button in Wireshark. | - Click the //Start// button and run //Winhttp.exe//. After //Winhttp.exe// stops, click the Stop button in Wireshark. | ||
- Use the ping command to get the IP address of the previously mentioned [[http://www.sociouman-usamvb.ro/ | URL]]. | - Use the ping command to get the IP address of the previously mentioned [[http://www.sociouman-usamvb.ro/ | URL]]. | ||
- | - Switch back to Wireshark and add a filter for ip.addr = <ip_address> (make sure to use the IP address identified using the ping command). | + | - Switch back to Wireshark and add a filter for ip.addr == <ip_address> (make sure to use the IP address identified using the ping command). |
- Right click on the **GET /documents** request and choose Follow -> TCP Stream. | - Right click on the **GET /documents** request and choose Follow -> TCP Stream. | ||
- In the bottom part of the Wireshark window, at the "//Show and save data as//" option, choose "Raw". Save the capture using the "Save as" button. | - In the bottom part of the Wireshark window, at the "//Show and save data as//" option, choose "Raw". Save the capture using the "Save as" button. |
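Review bot: The `ip.addr = <ip_address>` to `ip.addr == <ip_address>` change is correct, since a single `=` is not a valid comparison operator in Wireshark display filters, but the ping step that precedes it is a fragile way to find the address: the program's own DNS lookup is already in the capture, so filtering on `dns` and reading the A record in the response gives the address Winhttp.exe actually connected to, which can differ from what a later ping resolves. Also worth a sentence after the "Raw" / "Save as" step: the saved stream starts with the HTTP request and response headers, so the file is not yet the downloaded putty.exe; either strip the headers or use File > Export Objects > HTTP, which also makes the point that the transfer over http://www.sociouman-usamvb.ro/ is cleartext and fully reconstructable from the capture.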