CloudShark Blog

Training, webinars, and resources for network analysis

March 20, 2012

Packet Capture Challenge #1 - The Solution

Written by CloudShark

Posted to:
Capture Challenge

This challenge is over, for now! Stay tuned for the next packet capture challenge!

First off, thanks to everyone who sent in a solution to this packet capture challenge. Some of you told us the challenge was too easy. Don’t worry. They’ll get harder.

Watch Joe show you the solution from a cafe in downtown Portsmouth, NH, or try the challenge for yourself below!

The Challenge

Ok, gather around, packet geeks. Take a look at this capture session. If you can answer the question below, send an email to info@cloudshark.org with your address and T-shirt size, and we’ll send a CloudShark T-shirt to the first 10 correct responses we receive.

Question: What is the name of the file downloaded in this web session? Hint: It has 142354 bytes.

Here is the CloudShark capture session:

https://www.cloudshark.org/captures/289c2fe55c9d

Ready … Go … Good luck!

The Solution

So, how did we find the downloaded file in this web session with a size of 142354 bytes? While you could approach this a few different ways, we immediately thought of using display filters. CloudShark’s display filters are compatible with Wireshark display filters. Display filters allow you to limit the packets displayed to just the ones that meet some criteria. Since we are looking at web traffic, we start with “http” as the display filter.

https://www.cloudshark.org/captures/289c2fe55c9d?filter=http

Even with the “http” display filter, we are still seeing a lot of packets. But you can get more specific than “http” and include simple comparison expressions in your display filters. The field “http.content_length” holds the value of the HTTP Content-Length header, so since we know the size of the downloaded file, we can filter for that exact value.

https://www.cloudshark.org/captures/289c2fe55c9d?filter=http.content_length%20==%20142354

By applying this specific display filter, we find a single HTTP response (it is the packet carrying the response headers, after TCP reassembly). Two caveats worth knowing: the field applies to requests as well, so a POST with a 142354-byte body would match too (adding “&& http.response” excludes requests), and a response sent with chunked transfer encoding carries no Content-Length header and would never match. From here, we can use the decode interface to examine the HTTP layer of the packet and pull the filename out of the headers.

Content-Disposition: attachment; filename=cloudshark-plugin-1.0-136.tgz
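As an added example (not CloudShark’s code, and not part of the original post), here is the same logic in plain Python: match HTTP responses by Content-Length and pull the filename out of Content-Disposition. The HTTP messages it runs over are constructed inline (bodies omitted, since only the headers matter here); the hostnames and paths in them are made up. The equivalent on the command line, assuming tshark and a file named capture.pcap, would be `tshark -r capture.pcap -Y 'http.content_length == 142354 && http.response' -T fields -e http.content_disposition`. The script also covers two things the decode view does not do for you: it decodes the RFC 5987 `filename*=` form, and it strips any directory part from the name so a hostile `../../etc/passwd` cannot escape the directory a tool might save it to.

```python
"""Find a downloaded file in HTTP traffic by Content-Length and extract its name.

Mirrors the Wireshark/CloudShark display filter `http.content_length == SIZE &&
http.response`, applied to raw HTTP/1.x messages instead of a capture file.
Added example, not CloudShark's code; all messages below are constructed.
"""
import posixpath
import urllib.parse


def parse_http_message(raw: bytes):
    """Split an HTTP/1.x message into (start line, headers, body).

    Header names are lower-cased; if a header repeats, the first value wins.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode("latin-1"),
                           value.strip().decode("latin-1"))
    return start_line, headers, body


def content_length(headers):
    """Like Wireshark's http.content_length: None when absent or not numeric."""
    value = headers.get("content-length")
    return int(value) if value is not None and value.isdigit() else None


def filename_from_disposition(value: str):
    """Return the filename parameter of a Content-Disposition value, or None.

    Handles bare, quoted and RFC 5987 (filename*=charset''pct-encoded) forms,
    preferring filename* when both are present, and keeps only the basename so a
    name such as "../../etc/passwd" cannot be used for path traversal.
    """
    params = {}
    for part in value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        params[key.strip().lower()] = val.strip()
    if "filename*" in params:
        charset, _, encoded = params["filename*"].partition("''")
        name = urllib.parse.unquote(encoded, encoding=charset or "utf-8")
    elif "filename" in params:
        name = params["filename"].strip('"')
    else:
        return None
    return posixpath.basename(name.replace("\\", "/")) or None


def find_downloads(messages, size: int):
    """Return (status line, filename) for every response whose Content-Length == size.

    Requests are skipped (a POST with a body of the same size carries the same
    header), and responses without Content-Length, e.g. chunked ones, never match,
    exactly as with the display filter.
    """
    hits = []
    for raw in messages:
        start_line, headers, _ = parse_http_message(raw)
        if not start_line.startswith("HTTP/"):
            continue
        if content_length(headers) != size:
            continue
        name = filename_from_disposition(headers.get("content-disposition", ""))
        hits.append((start_line, name))
    return hits


# Constructed sample traffic (bodies omitted; hostnames and paths are made up).
MESSAGES = [
    b"GET /download HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-gzip\r\n"
    b"Content-Disposition: attachment; filename=cloudshark-plugin-1.0-136.tgz\r\n"
    b"Content-Length: 142354\r\n\r\n",
    # A request with the same Content-Length: matched by a bare http.content_length filter.
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 142354\r\n\r\n",
    # Chunked response: no Content-Length header, so invisible to the filter.
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
    b'Content-Disposition: attachment; filename="other.tgz"\r\n\r\n',
]

if __name__ == "__main__":
    for status, name in find_downloads(MESSAGES, 142354):
        print(status, "->", name)
```

Running it prints the single matching response and its filename. If a capture shows no hit for a size you are sure of, check for `Transfer-Encoding: chunked` or a gzip `Content-Encoding` first: the number you know may be the decoded size, while Content-Length is always the size on the wire.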

Until next time …

About Us

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.
