Every guru in IT loved pcaps a lot
But the Grinch, who lived in the datacenter did not!
The Grinch hated networks, the packets and streams
They furrowed his brow and haunted his dreams
It could be because of some hack that had failed
Or a time he’d let sensitive data go emailed
But I think that the most likely reason of all
Is the time he’d hung up on that one last support call
Alas, had he used CloudShark, perhaps it’d gone well
And he’d not have attacked our own networks to tell
Thus he was still here, malicious and bitter
And that he’d stolen the holiday card we’d intended for Twitter
So we ask, CloudShark fans, in the packet community
Help us find the picture he stole, expecting impunity
Our team grabbed a capture of the Grinch’s attack:
Where he hid all the pieces, and how to get them back.
In depth on creating a capture challenge using custom-built captures
Every so often we like to come up with a special capture challenge where people can use CloudShark to dive into some packet analysis and find the solution. But often the interesting story is about the methods we use to make the captures themselves - generating and capturing very specific packets to make the challenge interesting. Being packet geeks, it’s also really fun.
A PCAP Challenge for Halloween
Celebrating Halloween is something our hometown of Portsmouth, NH takes really seriously! There’s a big parade where everybody does the “Thriller” dance, pumpkin-head scarecrows lurking all over town, and private homes open their elaborately decorated haunted barns for the neighbors to wander through!
In the spirit of the season, we’re offering our own Trick or Treat challenge – PCAP style. Take a stroll through this capture file and see if you can find the 5 hidden “pumpkins” that we’ve placed in there for you!
Thanks to those who participated in our latest Challenge! You can watch the webinar walkthrough here:
We’ve been big fans of malware-traffic-analysis.net. They have a huge archive with cool examples of malicious network attacks and malware attempts, and do a great job taking even newbies through the examples. We wanted to bring one of those examples to our users to see how to solve it in CloudShark.
Every summer the devs here at CloudShark engage in a “Summer Coding Challenge” to flex their programming muscles and relive the glory (horror?) days of computer science homework. It just so happens that one of those challenges this year made a great packet capture challenge for you CloudShark fans!
We got a lot of great answers - we have some of those solutions below, but if you don’t want it spoiled and want to try the capture for yourself, here it is:
Since we’ve launched CloudShark Online Accounts, we wanted to celebrate with a special Thanksgiving capture challenge. While most of us in the U.S. will be enjoying hefty helpings of turkey, mashed potatoes, and squash, a select few will be reveling in the magical wonder that is the “Turducken”.
Never heard of turducken? It’s exactly what it sounds like: a chicken, wrapped in a duck, wrapped in a turkey, filled with stuffing and sausage and baked to perfection.
This challenge is complete! Try it yourself or scroll to the solution below.
It’s been a while since we’ve had a good old-fashioned packet capture challenge here at CloudShark. In preparation for our upcoming webinar on packet capture and analysis in wireless networks, we thought we’d throw out a challenge involving a would-be malicious attacker trying to gain access to a secured wifi network.
The Challenge
Take a look at this capture.
This packet challenge has concluded!
Read on for the solution, or check out the original challenge below!
The Solution
A few folks spotted the issue with multicast packets #4 and #6. Normally, IP layer multicast packets also use a layer 2 multicast destination MAC address. But the multicast packets in this capture are using a unicast destination address.
What is going on here?
It turns out that this capture was generated in a wireless network.
Haven’t got one of our snazzy CloudShark P-Caps yet? Well, how good are your dissector skills?
One of the tools we added in CloudShark 1.7 is the protocol hierarchy tool. Similar to that found in Wireshark, the CloudShark protocol hierarchy tool also lets you click on a given protocol and automatically creates a filter for you based on the packets called out in the hierarchy.
Which, you got to admit, is pretty cool.
This capture challenge has concluded! Thank you for all of your answers! You can find the solution below, or try the challenge for yourself.
The Challenge
Happy Holidays from CloudShark!
We’ve had a lot of new followers and users of CloudShark.org in the network security field, so we have a special intrusion capture challenge for you this month. It requires very little description, but you can use CloudShark’s web-based analysis tools and packet view to figure it out.
This challenge is now concluded! Read the solution below or scroll down for the original challenge!
The Solution
So, what’s going on here?
This communication is happening over a home gateway using Network Address Translation, or NAT. This is very common in home networks as it allows a Service Provider to use only one public address to represent many hosts. It also has an interesting side effect of acting as a natural firewall.
This challenge is now finished! Read the solution below or scroll down to try the challenge for yourself!
The Solution
CloudShark lets you embed your filters directly in the URL. When we view this packet capture file, we are already brought to the view we want to see: in this case, only DNS and ICMP messages.
Why is that? The problem we’re looking to illustrate happens to be an ICMP packet that is tied to a particular DNS response.
Thanks to all who participated in the packet capture challenge at Sharkfest 2012! We had a great time at Sharkfest! Here’s the solution, or scroll down to try the challenge yourself!
The Solution
Many folks showed us different approaches to this challenge. Here is one approach.
Visit the HTTP Requests analysis tool for this capture and take a look at the Response Codes tab.
The Response Codes graph shows a breakdown of traffic by HTTP Response code.
This challenge is over! You can find the solution below. First off, thanks to everyone who sent in a solution. The solution is posted here, or try the challenge yourself below!
The Solution
Unlike past challenges, this challenge involves multiple capture files with two SIP clients attempting a VoIP call behind a SIP-aware router. The first capture was taken on the LAN side of the router. The second capture was taken on the WAN side of the router.
This challenge is over for now. You can find the solution below! First off, thanks to everyone who sent in a solution. Joe shows us the solution on YouTube, or try the challenge yourself below!
The Challenge
We are having another Packet Capture Challenge to celebrate the release of CloudShark 1.4. If you can answer the question below, send an email to firstname.lastname@example.org with your address and Tee-Shirt size, and we’ll send out a CloudShark tee shirt to the first 10 correct responses we receive.
This challenge is over! You can find the solution below. First off, thanks to everyone who sent in a solution to this packet capture challenge. Some of you told us the challenge was too easy. Don’t worry. They’ll get harder.
Watch Joe show you the solution from a cafe in downtown Portsmouth, NH, or try the challenge for yourself below!
The Challenge
Ok, gather around packet geeks. Take a look at this capture session.