Tshark Decode Challenge

October 2nd, 2009 by Chris

In my last post I covered tshark and discussed how to manipulate its output during a decode. There is no better way to learn than by doing, so I decided to post a challenge. In this post I'll provide a libpcap capture file. Your mission, Mr. Phelps, should you choose to accept it, is to identify what is going on inside the capture using tshark.

Installing tshark

In order to use tshark, you need to install Wireshark, which ships tshark alongside the GUI. You can grab a current copy from the download page. Once you have it, the installation process depends on which platform you are using:

Linux/UNIX

If you are running Fedora or Red Hat, you do not need to visit the download page. You can install Wireshark directly through yum (become root first):

su -

yum -y install wireshark.i586

The .i586 suffix pins the 32-bit build; leave it off and yum will pick the package that matches your architecture. On these distributions the wireshark package is what provides tshark; the GUI lives in the separate wireshark-gnome package, so you do not need it for this challenge.

If you are running another UNIX flavor or Linux distro, you may need to grab the tar archive from the above link and compile Wireshark for your system. Pay close attention to the dependencies, as there are a lot of them: GLib is required, libpcap is needed for live capture, and GTK+ only matters if you want the GUI. Ensure that "./configure" completes successfully before building your binaries.

Windows

  1. Download the self-extracting installer
  2. Run the installer
  3. Accept the Unknown Publisher prompt by clicking the "Run" button
  4. Follow the on-screen prompts, accepting the defaults
  5. Install WinPcap when prompted (make sure the box is checked); tshark needs it to capture live traffic, though not to read a saved file like the one below
  6. Have the NPF service start at boot if non-Administrator users will be running the tool (they cannot load the driver themselves)
  7. Add "C:\Program Files\Wireshark" to the end of your PATH environment variable so tshark can be run from any command prompt

OS X

  1. Select the image that matches your processor type (Intel or PPC)
  2. Open the image with DiskImageMounter
  3. Open the “Read me first.rtf”
  4. Follow the “Quick Setup” instructions

The challenge

Here’s the challenge file:

challenge1.cap

And here are the hashes of the file to verify your download (neither MD5 nor SHA-1 is collision-resistant any more, but both are fine for confirming that the file arrived intact):

MD5: ea92f08d9ba104c6cf7756564eb5aef9  challenge1.cap
SHA-1: 71041ab0f670c5b9558183a56fe1bb80e8b10506  challenge1.cap
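The challenge file is a libpcap capture, so before reaching for tshark it helps to know what that format actually is, and the first thing to do with any downloaded challenge file is check its hash (md5sum and sha1sum on Linux, shasum -a 1 on OS X, certutil -hashfile on Windows). The Python below is an added example, not code from the original post. It checks supplied digests against a file's contents, reads the libpcap global header and per-record headers directly (both byte orders and both the microsecond and nanosecond variants, refusing truncated records instead of reading garbage), and tallies a protocol hierarchy and IP-pair conversations, which are the same two first-pass views you get from `tshark -r challenge1.cap -q -z io,phs` and `tshark -r challenge1.cap -q -z conv,ip`. It assumes Ethernet frames carrying IPv4. The bytes in SAMPLE_PCAP are constructed here for demonstration, using RFC 1918 and TEST-NET-1 addresses; they are not the challenge file.

```python
# Added example, not from the original post: check a capture's published hashes,
# then read its libpcap records directly. Assumes Ethernet frames carrying IPv4.
import hashlib
import hmac
import socket
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def verify_hashes(data, md5=None, sha1=None):
    """True only if every digest that was supplied matches the file contents."""
    supplied = {n: v for n, v in (("md5", md5), ("sha1", sha1)) if v is not None}
    return bool(supplied) and all(            # no digests given means nothing was verified
        hmac.compare_digest(hashlib.new(n, data).hexdigest(), v.lower())
        for n, v in supplied.items())

def read_pcap(data):
    """Parse libpcap bytes into (header dict, [(timestamp, frame_bytes), ...])."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte libpcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # written on a little-endian host
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not libpcap (magic 0x%08x); pcapng starts with 0x0A0D0D0A" % magic)
    frac_unit = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6   # ns- or us-resolution
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > 0x40000 or off + incl_len > len(data):  # cut short or corrupt length
            raise ValueError("truncated or corrupt record at offset %d" % (off - 16))
        records.append((ts_sec + ts_frac / frac_unit, data[off:off + incl_len]))
        off += incl_len
    return header, records

def parse_ethernet_ipv4(frame):
    """Return (src_ip, dst_ip, ip_protocol) for an IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag: real ethertype follows it
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20 or frame[off] >> 4 != 4:
        return None
    ip = frame[off:]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9]

def summarize(data):
    """Protocol hierarchy (like -z io,phs) and per-IP-pair totals (like -z conv,ip)."""
    header, records = read_pcap(data)
    if header["linktype"] != LINKTYPE_ETHERNET:
        raise ValueError("Ethernet captures only (linktype %d)" % header["linktype"])
    protos, convs = Counter(), {}
    for _ts, frame in records:
        protos["eth"] += 1
        parsed = parse_ethernet_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto = parsed
        protos["ip"] += 1
        protos[PROTO_NAMES.get(proto, "ipproto-%d" % proto)] += 1
        key = tuple(sorted((src, dst)))           # both directions count as one conversation
        entry = convs.setdefault(key, {"frames": 0, "bytes": 0})
        entry["frames"] += 1
        entry["bytes"] += len(frame)
    return protos, convs

def _frame(src, dst, proto, payload):
    """Constructed Ethernet + IPv4 frame (zero checksums; parsing ignores them)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, flags):   # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

# Constructed sample capture; this is NOT the challenge file. RFC 1918 / TEST-NET-1 addresses.
SAMPLE_FRAMES = [
    _frame("10.0.0.5", "10.0.0.1", 17, _udp(53012, 53, b"\x12\x34" + b"\x00" * 10)),  # DNS query
    _frame("10.0.0.1", "10.0.0.5", 17, _udp(53, 53012, b"\x12\x34" + b"\x00" * 10)),  # DNS reply
    _frame("10.0.0.5", "192.0.2.10", 6, _tcp(41234, 80, 0x02)),  # SYN
    _frame("192.0.2.10", "10.0.0.5", 6, _tcp(80, 41234, 0x12)),  # SYN/ACK
    _frame("10.0.0.5", "192.0.2.10", 6, _tcp(41234, 80, 0x10)),  # ACK
    _frame("10.0.0.5", "10.0.0.1", 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcd"),  # ICMP echo
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET) + b"".join(
    struct.pack("<IIII", 1254441600 + i, 0, len(f), len(f)) + f for i, f in enumerate(SAMPLE_FRAMES))
# Real file: verify_hashes(open("challenge1.cap", "rb").read(), sha1="71041ab0f670c5b9558183a56fe1bb80e8b10506")
```

Run `summarize(SAMPLE_PCAP)` and you get a protocol hierarchy of 6 Ethernet frames, 6 IPv4, 2 UDP, 3 TCP and 1 ICMP, plus two conversations (10.0.0.1/10.0.0.5 and 10.0.0.5/192.0.2.10) with three frames each. Lexical sorting of the two addresses is only there to make A-to-B and B-to-A land on one key, exactly the grouping tshark's conversation table uses; anything that fails the Ethernet or IPv4 checks is counted at the layer it reached and otherwise skipped, so a stray ARP or IPv6 frame does not break the tally.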

Good luck, and starting next week I'll post a little more info about the file every day to help move you through the decode process.

Related posts:

  1. Tshark Challenge – Hints 1
  2. Tshark Challenge – Hints 2
  3. Tshark Challenge – Hints 3
  4. Tshark Challenge – Hints 4
  5. Tshark Challenge – The Final Answers
