
Please read carefully!!!

Packet Capture Analysis

Download packet cap here http://www.filedropper.com/packetcap

Identify any suspicious activity in the packet capture. You are to answer the questions below, in as much detail as possible. If there's a 'mole' in the organization we want to know, and what, if anything, might have been stolen or compromised.

Here are the details regarding the network:

Employee            Title             IP address
Server              Server            172.16.235.131
Philo Farnsworth    President         172.16.235.129
James Garrett       Network Admin     172.16.235.130
Allen Beard         Vice President    172.16.235.128

Questions

1. What is occurring in packets 21-26? Is it evidence of an intrusion? Provide an interpretation of what is occurring, and the possible uses of the information gained. If there's nothing suspicious, tell me so, and explain why it's normal traffic.

2. Is the activity occurring in packets 75-95 evidence of an intrusion? Provide a detailed interpretation of what is occurring, and the possible uses of the information gained. What ports are involved? What information would be gained, and how would it be used by an attacker? What tool did the attacker use? (Covered in a video.) Note there are several questions here to be answered.

3. Is the activity starting in packet 101 evidence of an intrusion? (Hint: Select the packet, right-click, Follow->TCP Stream). Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!

4. Is the activity starting in packet 507 evidence of an intrusion? (Note: this is a TCP stream so you can select the first packet, right click your mouse, select "Follow -> TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED!

5. Is the activity starting in packet 661 evidence of an intrusion? (Note: this is a TCP stream so you can select the packet, right click your mouse, select "Follow TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed interpretation of what is occurring, and the possible consequences. Look for human readable text (a lot of what you see are formatting commands). What text was added? To what file? What was the purpose of adding the text to this file, and who might see it? (There are a lot of questions to answer there.)

6. Is the activity starting in packet 804-805 abnormal? Why or why not?

7. Is the activity starting in 1713 through 1719 a sign of an attack? Why or why not?

8. Is the activity starting in packet 2367 a sign of an attack? (Note: if it's a sign of an attack, tell me why. If you can't tell, tell me why you can't.) (Use Follow TCP Stream.)

9. Is the activity starting in packet 2519 (to the end of the packet capture) evidence of an intrusion or attack? Provide a detailed description of what is occurring, and the possible consequences. What did the attacker do?

10. Who was the attacker, and were his skills low, moderate, or high? Defend your answer based on the evidence. How much is Philo Farnsworth's salary?
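Several of the questions above depend on Wireshark's Follow -> TCP Stream view. The following is an added Python example (not part of the assignment, and not Wireshark's code) that does the same job with the standard library only: it reads a classic pcap, picks the stream a given frame number belongs to, reassembles each direction in sequence-number order, and labels the endpoints using the host table above. The capture linked in the question is not on this page, so the sample pcap is constructed inline; the host names, ports and payloads in it are assumptions for illustration.

```python
import socket
import struct
from collections import defaultdict
# Host table from the assignment; the pcap is not on the page, so the capture below is constructed.
HOSTS = {"172.16.235.131": "Server", "172.16.235.129": "Philo Farnsworth",
         "172.16.235.130": "James Garrett", "172.16.235.128": "Allen Beard"}
def build_frame(src, dst, sport, dport, seq, payload):  # minimal Ethernet/IPv4/TCP frame, checksums left zero
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType 0x0800 (IPv4)

def build_pcap(frames):  # classic little-endian pcap: 24-byte global header, 16-byte record header per frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (frame_no, src, dst, sport, dport, seq, payload) per TCP frame, numbered from 1 like Wireshark."""
    off, frame_no = 24, 0
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        frame, off, frame_no = data[off + 16:off + 16 + caplen], off + 16 + caplen, frame_no + 1
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # skip non-IPv4 and non-TCP frames
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        yield frame_no, socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def follow_tcp_stream(data, frame_no):
    """Reassemble both directions of the stream containing frame_no (what Follow -> TCP Stream shows)."""
    pkts = list(parse_pcap(data))
    _, s, d, sp, dp, _, _ = next(p for p in pkts if p[0] == frame_no)
    key, segments = frozenset([(s, sp), (d, dp)]), defaultdict(dict)
    for _, src, dst, sport, dport, seq, payload in pkts:
        if payload and frozenset([(src, sport), (dst, dport)]) == key:
            segments[(src, dst)][seq] = payload  # keyed by seq: reorders segments, drops duplicate retransmissions
    return {f"{HOSTS.get(src, src)} -> {HOSTS.get(dst, dst)}":
            b"".join(p for _, p in sorted(segs.items())).decode("ascii", "replace")
            for (src, dst), segs in segments.items()}
# Constructed sample: an FTP-style exchange captured out of order, plus one frame from an unrelated stream.
SAMPLE_PCAP = build_pcap([
    build_frame("172.16.235.130", "172.16.235.131", 40000, 21, 1000, b"USER jgarrett\r\n"),
    build_frame("172.16.235.131", "172.16.235.130", 21, 40000, 5000, b"331 Password required\r\n"),
    build_frame("172.16.235.130", "172.16.235.131", 40000, 21, 1028, b"LIST\r\n"),  # captured before ...
    build_frame("172.16.235.130", "172.16.235.131", 40000, 21, 1015, b"PASS ******\r\n"),  # ... this segment
    build_frame("172.16.235.129", "172.16.235.131", 40001, 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
])
```

Calling `follow_tcp_stream(open("packetcap.pcap", "rb").read(), 507)` against the real capture gives the same per-direction text Wireshark shows for question 4, with the sender and receiver named from the host table.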
