Announcements

Packet Capture Challenge #1 - The Solution

March 20, 2012

This challenge is over! You can find the solution below.

First off, thanks to everyone who sent in a solution to this packet capture challenge. Some of you told us the challenge was too easy. Don’t worry. They’ll get harder.

Watch Joe show you the solution from a cafe in downtown Portsmouth, NH, or try the challenge for yourself below!

The Challenge

Ok, gather around packet geeks. Take a look at this capture session. If you can answer the question below, send an email to info@cloudshark.org with your address and T-shirt size; we'll send a CloudShark T-shirt to the first 10 correct responses we receive.

Question: What is the name of the file downloaded in this web session? Hint: It has 142354 bytes.

Here is the CloudShark capture session:

https://www.cloudshark.org/captures/289c2fe55c9d

Ready … Go … Good luck!

The Solution

So, how did we find the downloaded file in this web session with a size of 142354 bytes? While you could approach this a few different ways, we immediately thought of using display filters. CloudShark’s display filters are compatible with Wireshark display filters. Display filters allow you to limit the packets displayed to just the ones that meet some criteria. Since we are looking at web traffic, we start with “http” as the display filter.

https://www.cloudshark.org/captures/289c2fe55c9d?filter=http

Even with the “http” display filter, we are still seeing a lot of packets. But you can get more specific than “http” and include simple comparison expressions in your display filters. Since we know the size of the downloaded file, we can filter on the “http.content_length” field for that exact size.

https://www.cloudshark.org/captures/289c2fe55c9d?filter=http.content_length%20==%20142354

With that specific display filter applied, we are left with a single HTTP response. From here, we can use the decode interface to examine the HTTP layer of the packet and pull the filename out of the response headers.

Content-Disposition: attachment; filename=cloudshark-plugin-1.0-136.tgz
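The two steps above, matching responses on an exact Content-Length and then reading the filename out of Content-Disposition, can be scripted once you have the HTTP messages from a capture. The following is an added example, not CloudShark's code and not data from the capture linked above: the HTTP messages, the host name and the 9000-byte download are constructed samples, and the parsing uses only the Python standard library. It goes slightly beyond the post by skipping requests (which carry no Content-Length of interest here) and by handling a quoted filename parameter.

```python
from email.parser import BytesParser

# Constructed sample messages standing in for the HTTP packets of a capture.
# Headers only; bodies are omitted. None of this is from the CloudShark capture.
SAMPLE_MESSAGES = [
    b"GET /plugins/cloudshark-plugin-1.0-136.tgz HTTP/1.1\r\n"
    b"Host: example.invalid\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 1024\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-gzip\r\n"
    b"Content-Length: 142354\r\n"
    b"Content-Disposition: attachment; filename=cloudshark-plugin-1.0-136.tgz\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 9000\r\n"
    b'Content-Disposition: attachment; filename="quoted name.bin"\r\n\r\n',
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Length: 0\r\n\r\n",
]


def split_message(raw):
    """Return (start line, parsed headers) for one HTTP message.

    The start line is a request line or a status line; the header block is
    handed to the stdlib RFC 822 header parser, whose syntax HTTP shares.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    start_line, _sep, header_block = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(header_block)
    return start_line.decode("ascii", "replace"), headers


def content_length(headers):
    """Integer Content-Length, or None if the header is missing or malformed."""
    value = headers.get("Content-Length")
    if value is None:
        return None
    try:
        return int(value.strip())
    except ValueError:
        return None


def is_response(start_line):
    """Responses start with the protocol version; requests start with a method."""
    return start_line.startswith("HTTP/")


def filter_by_content_length(messages, size):
    """Equivalent of the display filter http.content_length == <size>.

    Returns (start line, headers) pairs of responses whose declared body
    length matches exactly; an off-by-one size does not match.
    """
    matches = []
    for raw in messages:
        start_line, headers = split_message(raw)
        if is_response(start_line) and content_length(headers) == size:
            matches.append((start_line, headers))
    return matches


def disposition_filename(headers):
    """The filename parameter of Content-Disposition, unquoted, or None."""
    # Message.get_filename() reads Content-Disposition and strips quotes.
    return headers.get_filename()


def find_download_names(messages, size):
    """Names of files delivered in responses with the given Content-Length."""
    names = []
    for _start_line, headers in filter_by_content_length(messages, size):
        name = disposition_filename(headers)
        if name is not None:
            names.append(name)
    return names


if __name__ == "__main__":
    for size in (142354, 9000, 1024, 1):
        print(size, find_download_names(SAMPLE_MESSAGES, size))
```

Feeding it real traffic means reassembling each HTTP message from its TCP stream first, which is what the capture tool does for you before the display filter is evaluated; the filter and header-parsing logic is the same either way. A response that matches the size but carries no Content-Disposition header yields no name here, and in that case the request line of the same stream is the next place to look.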

Until next time …