This exercise is one of our challenges to help you learn how to analyze PCAP files

< 1 Hr.
PCAP badge


To get started with this badge, you need to install Wireshark to inspect the provided network dump. You can download the PCAP file for this challenge from the given link. The file contains a single DNS query and its corresponding answer, both using UDP. By opening the file in Wireshark and following the UDP stream, you can inspect the traffic to find the key in both the query and the answer. The client requests an A record for a hostname, and the response contains the IP address corresponding to that hostname.

In this video exercise, you will learn to follow the UDP stream in Wireshark to extract the necessary data. While following the stream, you might notice that most of the data is not visible, so it's sometimes better to look at the actual packets. By analyzing both the query and the response packets, you can determine that the hostname "DEMOKEY-DEMOKEY-DEMOKEY" corresponds to the IP address, with "DEMOKEY" being the key for this exercise.

Want to learn more? Get started with PentesterLab Pro! GO PRO