Tips-of-Sharkfest_Challenge_2016

Preface
  • The Sharkfest Challenge is a very good contest for learning Wireshark. I could not find any published solutions for the 2016 edition online, so I decided to write one myself (forcing myself to learn by blogging :))
sf2016-a
1. What IP addresses are used by Laura's iPad?
  1. Seeing "iPad", the first idea is to pick out the addresses whose resolved MAC vendor name starts with Apple, via Statistics->Conversations:
  2. Filter on that address with eth.addr
  3. The addresses are: 0.0.0.0, 192.168.1.66, fe80::8f5:de86:f16e:a500, 2602:301:7786:9aa0:452:a774:5191:841a
2. What is the IPv4 address of the host that is attempting to discover a Cannon printer/scanner?
  1. Search for strings such as Cannon, printer and scanner
  2. Locate that layer
  3. The sender is 192.168.1.70
3. Which DNS response transaction IDs contained the largest number of Answer RRs?
  1. filter: dns.count.answer > 15 (raise this number step by step starting from 1 to narrow down to the maximum)
  2. The transaction IDs found are 0x5813 and 0x99c9 (18 Answer RRs each)
4. What is the largest DNS response time seen in this trace file?
  1. filter: dns.time > 1
  2. The time found is 1.104968000
5. What website is the user browsing for ceiling fans?
  1. Ctrl-F, search for the string "ceiling"
  2. Find the HTTP packet containing that string, then Follow TCP Stream
  3. The host, as shown in the screenshot: www.wayfair.com
sf2016-b
1. How many cipher suites are offered to the www.bing.com server?
  1. filter: ssl.handshake.ciphersuite
  2. Expand the ssl layer
  3. As shown in the screenshot above: Cipher Suites (26 suites), so the answer is 26
2. Which cipher suite did the www.bing.com server select to use for the connection?
  • I have some doubts about this one; the answer is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
3. What host name query is generating DNS errors?
  1. filter: dns
  2. Find the DNS responses whose flags contain Refused, e.g.:
  3. This DNS response carries no Answer for the query, which means the queried host name generated an error during DNS resolution. The host name is wpad.attlocal.net
4. Who owns the iPad detected in this trace file?
  1. Using the method from sf2016-a question 1, with the filter eth.addr == c8:f6:50:e4:15:2d
  2. See the expanded MDNS section:
  3. Pat's iPad... (the answer is Pat)
5. What server is the client connecting to in TCP stream 8?
  1. filter: tcp.stream eq 8
  2. Find 52.202.146.168
  3. Statistics->Show address resolution
  4. The host name that corresponds to this IP: files-weighted.r53.acrobat.com
sf2016-c
1. How many days are covered by the Money Back Guarantee for HotAlarmClock?
  1. Filter on http
  2. Ctrl+F, search for "money"
  3. This packet is found
  4. Find the packet that replies to it and expand it in the Packet List
  5. Right-click the GIF layer under HTTP and choose Export Selected Packet Bytes (to export the image)
  6. As the image shows, the answer is 30 days
2. Which content delivery network (CDN) is used by Microsoft?
  • After filtering with dns, look through the DNS responses for the resolution of microsoft names; you will find Akamai's CDN
3. What caused the DNS client to send an ICMP message to a DNS response?
  1. After filtering with dns, the ICMP packet turns out to be frame 1179
  2. Expand it in the Packet List
  3. It shows Request in 1170
  4. But frame 1171 is already the DNS response to 1170 (both have Transaction ID 0x203b)
  5. So frame 1178 is an extra DNS response sent by the DNS server; the DNS client had already closed its connection with the DNS server after receiving frame 1171, so frame 1179 is an ICMP (Destination Unreachable) reply to frame 1178
4. How many complete TCP handshakes are seen in this trace file?
  • tcp.flags == 0x12 (filters the SYN/ACK packets)
  • 23
5. What is the host name of the system that offers the largest TCP window scale multiplier?
  1. filter: tcp.window_size_scalefactor > 1023
  2. The IP of the host offering the largest TCP window scale multiplier: 63.245.213.48
  3. Statistics->Show address resolution; its host name is aus5.external.zlb.scl3.mozilla.com
  4. After filtering with dns, a Ctrl-F search for "63.245.213.48" shows that this is the IP of a CNAME target host
  5. So the host name the question asks for is aus5.mozilla.org
sf2016-d
1. Who owns an iPod Touch?
  • Simply Ctrl-F (Packet details) and search for "iPod"
2. Why did Wireshark mark Frame 11 as a Spurious Retransmission?
  • Locate frame 11 and expand the TCP layer. Analysis shows that Seq 132 (a relative sequence number) had already been ACKed in frame 10
3. How many Gratuitous ARPs are in this trace file?
  • filter: arp.isgratuitous == 1, giving 12
4. What is getting "hairy"?
  • A Ctrl-F (Packet details) search for "hairy" shows that some HTTP GETs contain the string "purdy-sharks-series-blues-getting-hairy"
5. Why was a user redirected when connecting to www.wireshark.org?
  • Expanding the HTTP layer of frame 2467 shows that Location is https://www.wireshark.org rather than http://www.wireshark.org, i.e. the user is redirected to the https page
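Question 2 above rests on the rule Wireshark uses to flag a Spurious Retransmission: the segment's data had already been ACKed by the peer. The Python below is an added example, not part of the original write-up or of Wireshark itself; it models that rule on a constructed sample flow (all frame, sequence and ACK numbers are made up) and also counts spurious FINs, the quantity asked for in sf2016-e question 3.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    frame: int
    direction: str    # "c2s" (client to server) or "s2c"
    seq: int          # relative sequence number of the first payload byte
    length: int       # payload length in bytes
    ack: int          # relative acknowledgement number carried by the segment
    fin: bool = False

def classify(segments: list[Segment]) -> dict[int, str]:
    """Label frames 'spurious_retransmission', 'retransmission' or 'ok'.
    Simplified Wireshark rule: data (a FIN counts as one byte) whose last byte the
    peer has already ACKed is spurious; data merely already sent is a retransmission."""
    acked = {"c2s": 0, "s2c": 0}     # highest ACK received for each direction's data
    next_seq = {"c2s": 0, "s2c": 0}  # highest seq+len already sent per direction
    labels: dict[int, str] = {}
    for s in segments:
        other = "s2c" if s.direction == "c2s" else "c2s"
        acked[other] = max(acked[other], s.ack)  # this segment ACKs the peer's data
        span = s.length + (1 if s.fin else 0)
        end = s.seq + span
        if span and end <= acked[s.direction]:
            labels[s.frame] = "spurious_retransmission"
        elif span and s.seq < next_seq[s.direction]:
            labels[s.frame] = "retransmission"
        else:
            labels[s.frame] = "ok"
        next_seq[s.direction] = max(next_seq[s.direction], end)
    return labels

def count_spurious_fins(segments: list[Segment]) -> int:
    """Number of FIN segments flagged as spurious (cf. sf2016-e question 3)."""
    labels = classify(segments)
    return sum(1 for s in segments if s.fin and labels[s.frame] == "spurious_retransmission")

# Constructed sample flow (not from the challenge capture): frame 5 resends Seq 132 after the peer already ACKed it.
SAMPLE = [
    Segment(1, "c2s", 1, 131, 1),
    Segment(2, "s2c", 1, 0, 132),             # ACKs client bytes up to 132
    Segment(3, "c2s", 132, 50, 1),
    Segment(4, "s2c", 1, 200, 182),           # ACKs client bytes up to 182
    Segment(5, "c2s", 132, 50, 201),          # already acknowledged -> spurious
    Segment(6, "c2s", 182, 10, 201),
    Segment(7, "c2s", 182, 10, 201),          # not yet ACKed but already sent -> retransmission
    Segment(8, "s2c", 201, 0, 192, fin=True),
    Segment(9, "c2s", 192, 0, 202),           # ACKs the server FIN
    Segment(10, "s2c", 201, 0, 192, fin=True),  # FIN resent after it was ACKed -> spurious
]
```

Running classify(SAMPLE) labels frames 5 and 10 as spurious retransmissions and frame 7 as a plain retransmission, the same distinction the tcp.analysis.spurious_retransmission filter makes.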
sf2016-e
1. Who or what is "awesome"?
  • A Ctrl-F (Packet details) search for "awesome" finds it
2. What is the IP address of the DHCP Relay Agent?
  1. filter: bootp.ip.relay != 0.0.0.0
  2. The IP found: 172.19.131.119
3. How many TCP FIN packets are marked as spurious retransmissions?
  1. Statistics->Packet Lengths, with the display filter tcp.analysis.spurious_retransmission
  2. A first estimate is 533
  3. Looking at the 40~79 range, there are 446; these are essentially TCP control packets carrying no data
  4. Finally, of the two packets in the 80~159 range, the one with frame.cap_len == 89 is the problematic TCP packet and the one with frame.cap_len == 153 has an extra SSL layer
  5. The answer given on the Sharkfest Challenge website is 446
4. What manufacturer's products are looking for 169.254.255.255?
  • Ctrl-F search for "169.254.255.255" and expand the ARP layer: the Sender MAC Address is Apple_03:b2:24, so these are Apple devices
5. How many IP hosts advertise a window scaling factor of 128?
  • Statistics->Conversations->Limit to display filter (tcp.window_size_scalefactor == 128)
Summary
  • Wireshark is a superb tool for packet analysis, with many excellent features such as Statistics. If you do not know how to write a filter expression, open Expressions to look it up
  • The Sharkfest Challenge also aims to help people use Wireshark better and solve real problems. The earliest Challenge dates from 2013; anyone interested can also look at the questions from earlier years