Hi all,
Long story short, I’m taking an introductory Computer Security class, and part of our assignment is to use Wireshark to analyze a log file and extract some information. Except up until now I’ve only very very briefly used Wireshark, and we weren’t really given an introduction or anything like that, so I’m a little lost.
I’ve attached the files, and here’s some of the things I’m supposed to be able to surmise from them:
The sample file is a fake log from a piece of malicious software that was run. The execution file contains traffic from when this particular piece of code was executed. We’re told that the log contains three separate TCP sessions; the first two sessions were terminated and this piece of code was allowed to reconnect to a listener so that 3 separate beacons could be observed. We’re supposed to identify the beacons and information about them, including their protocol, the port that was used in the communication with the beacons, and then finally set up a filter in Wireshark to identify packets from this beacon.
But from what I can tell, there are only two hosts talking: 172.16.192.140 and 172.16.192.129. I’ve looked through the TCP packets, but I can’t figure out what information is actually useful. It looks like all of the connections go through port 8585 but other than that I’m pretty lost as to what I’m looking at, particularly with respect to these beacons and where information about them would be in the logs.
Thanks in advance. Any help or pointers in the right direction would be awesome.
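An added example (not part of the post or its attached capture files) showing what "three sessions, three beacons" looks like at the packet level. It builds a small constructed pcap of three TCP connections to port 8585 between the two addresses named in the post, then parses it with only the standard library: each SYN without ACK starts a new session, later packets are attached to it by their 4-tuple, and the gap between session start times to the same server:port is the beacon interval. Which of the two hosts is the client, the 60-second interval, the payloads and the MAC addresses are all constructed assumptions; `beacon_filter` just formats the Wireshark display filter that would select that traffic. IP/TCP checksums are left as zero in the constructed frames (Wireshark does not validate them by default).

```python
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10
# Addresses and port are the ones named in the post; client/server roles are assumed.
CLIENT, SERVER, PORT = "172.16.192.140", "172.16.192.129", 8585

def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp

def build_pcap(records):
    """Classic libpcap file (little-endian, link type 1 = Ethernet) from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def parse_tcp_frame(frame):
    """Return (src, dst, sport, dport, flags, payload_len) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return (bytes_to_ip(ip[12:16]), bytes_to_ip(ip[16:20]), sport, dport, tcp[13], len(tcp) - doff)

def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, flags, payload_len) for every TCP packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        parsed = parse_tcp_frame(frame)
        if parsed:
            pkts.append((sec + usec / 1e6,) + parsed)
    return pkts

def find_sessions(pkts):
    """Group packets into TCP sessions: a SYN (without ACK) opens one, 4-tuple matches extend it."""
    sessions, open_ = [], {}
    for ts, src, dst, sport, dport, flags, plen in pkts:
        key, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & TCP_SYN and not flags & TCP_ACK:
            open_[key] = len(sessions)
            sessions.append({"client": src, "server": dst, "sport": sport, "dport": dport,
                             "start": ts, "end": ts, "packets": 0, "bytes": 0})
        idx = open_.get(key, open_.get(rev))
        if idx is None:
            continue  # packet belongs to no observed session
        s = sessions[idx]
        s["end"], s["packets"], s["bytes"] = ts, s["packets"] + 1, s["bytes"] + plen
    return sessions

def beacon_intervals(sessions):
    """Seconds between consecutive session starts to the same server:port (the beacon period)."""
    starts = defaultdict(list)
    for s in sessions:
        starts[(s["server"], s["dport"])].append(s["start"])
    return {k: [round(b - a, 3) for a, b in zip(v, v[1:])] for k, v in starts.items() if len(v) > 1}

def beacon_filter(server, dport):
    """Wireshark display filter for the beacon traffic; the SYN clause isolates each session start."""
    return f"ip.addr == {server} && tcp.port == {dport} && tcp.flags.syn == 1 && tcp.flags.ack == 0"

def sample_pcap():
    """Constructed capture: three short sessions to SERVER:PORT, 60 s apart."""
    recs = []
    for n, t0 in enumerate((0.0, 60.0, 120.0)):
        sp = 49152 + n
        recs += [(t0 + 0.000, build_tcp_frame(CLIENT, SERVER, sp, PORT, TCP_SYN)),
                 (t0 + 0.001, build_tcp_frame(SERVER, CLIENT, PORT, sp, TCP_SYN | TCP_ACK)),
                 (t0 + 0.002, build_tcp_frame(CLIENT, SERVER, sp, PORT, TCP_ACK)),
                 (t0 + 0.010, build_tcp_frame(CLIENT, SERVER, sp, PORT, TCP_PSH | TCP_ACK, b"CHECKIN")),
                 (t0 + 0.020, build_tcp_frame(SERVER, CLIENT, PORT, sp, TCP_PSH | TCP_ACK, b"OK")),
                 (t0 + 0.030, build_tcp_frame(CLIENT, SERVER, sp, PORT, TCP_FIN | TCP_ACK))]
    return build_pcap(recs)

if __name__ == "__main__":
    data = sample_pcap()
    with open("beacons_sample.pcap", "wb") as f:  # open this in Wireshark to compare
        f.write(data)
    sessions = find_sessions(parse_pcap(data))
    for s in sessions:
        print(f'{s["client"]}:{s["sport"]} -> {s["server"]}:{s["dport"]} start={s["start"]:.3f}s '
              f'packets={s["packets"]} payload_bytes={s["bytes"]}')
    print("intervals:", beacon_intervals(sessions))
    print("filter:", beacon_filter(SERVER, PORT))
```

Running it writes `beacons_sample.pcap`; opening that file in Wireshark and using Statistics > Conversations (TCP tab) shows the same three sessions the script lists, and Wireshark's own "Follow TCP Stream" gives the per-session view the code reproduces with the 4-tuple lookup. The beacon period is the thing to look for in a real capture: three session starts to the same port at a regular spacing is what distinguishes a beacon from ordinary traffic.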