Export Suspicious Network Evidence


Introduction

In this challenge, you will assume the role of a security analyst at TechDefend who has detected suspicious HTTP traffic. Your task is to use Wireshark to isolate this traffic from a pre-captured network file and export it as a CSV file for the forensics team's analysis.

The exercise will test your ability to open packet captures, apply protocol filters in Wireshark, and export filtered data in the required format. You'll need to ensure the exported evidence is properly saved to the designated location with all the necessary HTTP protocol information intact.

Export Suspicious Network Evidence

As a security analyst at TechDefend, you've detected unusual HTTP traffic that may indicate a potential breach. Your supervisor needs this evidence for an urgent investigation. You must quickly isolate the suspicious HTTP traffic and export it in a format suitable for the forensics team to analyze.

Tasks

  • Apply a filter to display only HTTP traffic, then export these packets as a CSV file named evidence.csv in the /home/labex/project directory

Requirements

  • Open the provided network_traffic.pcap file in Wireshark using the terminal or GUI
  • Use Wireshark's filter functionality to display only HTTP traffic
  • Export the filtered HTTP traffic as a CSV file named evidence.csv
  • Save the CSV file in the /home/labex/project directory
  • The exported file must contain HTTP protocol information

Examples

Here's a small sample of what the exported CSV file might look like (actual content will depend on the captured traffic):

(Image: Wireshark filter)

Hints

  • To open Wireshark from the terminal, simply type wireshark in the terminal and press Enter
  • To open a specific capture file, you can use wireshark /home/labex/project/network_traffic.pcap
  • The basic filter to display only HTTP traffic is simply typing "http" in the filter box at the top of Wireshark
  • To export packets as CSV, go to File → Export Packet Dissections → As CSV
  • Make sure to select the correct file location (/home/labex/project) and filename (evidence.csv) when saving
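The same filter-and-export step can be scripted with tshark, Wireshark's command-line twin, and the resulting file checked before it goes to the forensics team. This is an added example, not part of the challenge or the LabEx environment; the chosen field list (including the `_ws.col.Protocol` column) and the frame.time_relative timestamp are my assumptions, picked so that no field contains a comma that would break the CSV columns.

```shell
#!/bin/sh
# Added example (not from the challenge): scripted equivalent of
# filter "http" -> File > Export Packet Dissections > As CSV, plus a
# sanity check that evidence.csv really carries HTTP protocol information.
PCAP="${PCAP:-/home/labex/project/network_traffic.pcap}"
OUT="${OUT:-/home/labex/project/evidence.csv}"

# Write only HTTP packets to a CSV with a header row. Fields are an
# assumption; frame.time_relative is used instead of frame.time because
# the human-readable time contains a comma.
export_http_csv() {
    tshark -r "$1" -Y http -T fields -E header=y -E separator=, -E quote=d \
        -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
        -e _ws.col.Protocol -e http.request.method -e http.host \
        -e http.request.uri -e http.response.code > "$2"
}

# Return 0 only if the file has a header naming a Protocol column,
# at least one data row, and every data row tagged HTTP. Works for both
# the tshark header (_ws.col.Protocol) and the GUI header (Protocol).
verify_http_csv() {
    f="$1"
    [ -s "$f" ] || return 1
    awk -F, '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                h = $i; gsub(/"/, "", h)
                if (tolower(h) ~ /protocol/) col = i
            }
            next
        }
        NF == 0 || col == 0 { next }
        {
            rows++
            v = $col; gsub(/"/, "", v)
            if (toupper(v) !~ /HTTP/) bad = 1
        }
        END { exit (rows == 0 || bad) }
    ' "$f"
}

# Run the export only where tshark and the capture are actually present.
if command -v tshark >/dev/null 2>&1 && [ -r "$PCAP" ]; then
    export_http_csv "$PCAP" "$OUT" && verify_http_csv "$OUT" \
        && echo "OK: $OUT contains only HTTP rows"
fi
```

The verifier deliberately fails on a non-HTTP row, which is what you would see if the export was run before the display filter was applied.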

Summary

In this challenge, I worked as a security analyst at TechDefend to isolate and export suspicious HTTP traffic from a network capture. Using Wireshark, I opened a pre-captured packet file (network_traffic.pcap), applied filters to display only HTTP traffic, and exported the filtered data as a CSV file named evidence.csv in the specified directory.

The challenge demonstrated essential security analyst skills including network traffic analysis with Wireshark, applying protocol-specific filters, and properly exporting evidence in a format suitable for forensic investigation. These techniques are crucial for security professionals when identifying and documenting potential network breaches for further analysis.