Course Notes - Day 2

Please say "Hi" with your name in the chat area... for the roster. Thanks.

RFC 3514

Creating Spoofed MAC addresses
1. SMAC
2. Colasoft Packet Player (Npcap compatibility)

MaxMind GeoLite2 databases
https://dev.maxmind.com/geoip/geoip2/geolite2/
GeoLite2 ASN (GZIP)
GeoLite2 City (GZIP)
GeoLite2 Country (GZIP)
GZIP -> compressed file --> extract the .mmdb into a directory, e.g. c:\maxmind\*.mmdb

DPRK - share with caution
ip.addr==175.45.176.0/24 || dns contains "dprk"

Coloring Rules Order
"S-" Security on top (ORANGE BACKGROUND)
"T-" Troubleshooting (Wireshark troubleshooting)
"N-" Notes to me (dns in lime green)
Other defaults
Filter for all "S-" colored frames

TCP Ping, UDP Ping, ICMP Ping
NetScanTools Pro

Detecting Delays
Check out page 96
Step 7 (page 99)
Packet 2   0.015182
Packet 4   0.015923
Packet 11  0.012041
Packet 13  0.013521

DNS response times
0.012
0.013
0.012
0.011
0.014
0.037  <- This name was probably NOT cached at the local DNS server... it takes much longer to get the response because the local DNS server has to ask another DNS server for the information.
0.012
0.011

Step 11 (page 100)
0.01921 (19ms)

Start Capturing
No capture filter (Zoom traffic in there)
Browse to wcnacertification.com website
Browse to bankofamerica.com
Stop capture
Statistics > Resolved addresses

Network Forensics
Protocol Hierarchy Windows
1. Look for unusual protocols (IRC, TFTP, unexpected)
2. "data" directly under IP, TCP, or UDP

My contact at Profitap
John Modlin
john.modlin@profitap.com
Tell him I sent you and told him to take care of you, OR ELSE!!! Grin.
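An added example (not from the course material) that mirrors the DNS response-time exercise above in Python: it pairs queries to responses by transaction ID, computes the delta the way Wireshark's dns.time field does, flags the slow lookup the local resolver probably had to recurse for, and lists queries that never got an answer. The sample records and transaction IDs are constructed, not taken from a capture.

```python
from statistics import median

# Constructed sample, not from a real capture:
# (frame number, timestamp in seconds, DNS transaction id, is_response)
SAMPLE_DNS = [
    (1, 0.000000, 0x1a2b, False),
    (2, 0.012041, 0x1a2b, True),
    (3, 0.100000, 0x1a2c, False),
    (4, 0.113000, 0x1a2c, True),
    (5, 0.200000, 0x1a2d, False),
    (6, 0.211500, 0x1a2d, True),
    (7, 0.300000, 0x1a2e, False),   # name the local resolver had to fetch upstream
    (8, 0.337000, 0x1a2e, True),
    (9, 0.400000, 0x1a2f, False),   # query that never received a response
]

def dns_response_times(records):
    """Return {txid: (query_frame, response_frame, delta_seconds)} for answered
    queries; the delta is what Wireshark shows as dns.time on the response."""
    pending, times = {}, {}
    for frame, ts, txid, is_response in records:
        if not is_response:
            pending[txid] = (frame, ts)
        elif txid in pending:
            qframe, qts = pending.pop(txid)
            times[txid] = (qframe, frame, round(ts - qts, 6))
    return times

def unanswered_queries(records):
    """Transaction IDs of queries with no matching response (a delay or outage sign)."""
    answered = set(dns_response_times(records))
    return sorted(t for _, _, t, is_resp in records if not is_resp and t not in answered)

def slow_lookups(records, factor=2.0):
    """Flag responses slower than `factor` x the median response time; on the
    course data that is the 0.037s lookup the local DNS server did not have cached."""
    times = dns_response_times(records)
    if not times:
        return []
    med = median(d for _, _, d in times.values())
    return sorted(txid for txid, (_, _, d) in times.items() if d > factor * med)

if __name__ == "__main__":
    for txid, (q, r, d) in dns_response_times(SAMPLE_DNS).items():
        print(f"txid 0x{txid:04x}: frames {q}->{r}  {d * 1000:.1f} ms")
    print("slow (likely uncached):", [hex(t) for t in slow_lookups(SAMPLE_DNS)])
    print("unanswered:", [hex(t) for t in unanswered_queries(SAMPLE_DNS)])
```

On a real trace, feed the function the dns.id, dns.flags.response and frame.time_relative columns exported from Wireshark instead of the constructed list.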