
Packet analysis

Phase 3
In Phase 3 we are switching gears a bit. We are not building onto the infrastructure
specifically, but we are developing a skill that is critical to your future success as a sys
admin: packet analysis. You will see a packet analysis aspect in your final
project as well.
In D2L locate the file called “xyz.pcap.”
You are roleplaying that your boss has given you this file from a client site. Your boss tells
you that they are not totally sure what is happening at the client site but they are experiencing
bandwidth issues.
You know from previous work with this client that they have atrocious security awareness. From
this experience you assess that there is a high probability that something malicious is happening.
Your task is to analyze this file with network captures and determine what is happening to this
client.
Rubric
You are producing a written document that describes in detail the situation that is happening on
the network of this client. You should be using deep packet analysis techniques taught to you in
theory and lab. You are role-playing that you are presenting this document to the client. The client
has limited knowledge of IT and you have to be able to explain everything to them so that they
are 100% clear.
Requirements:
Your project must contain the following:
Identification of the malicious traffic
Analysis steps taken to identify the malicious traffic
Risk analysis of threats to company assets
Recommendations for prevention of this malicious traffic
This project is graded on a scale. You need to obtain all items located on the higher levels of
the scale in order to receive the grade for that level. There is no middle grade between levels.

Percentage
Qualifications

0
Nothing submitted.
Assignment was late.
The quality of the product submitted is egregious

20
Unable to identify what the malicious traffic was
-Documentation is confusing to follow
-Documentation is lacking content
-One or more of the four requirements is missing. The way the document is laid
out is confusing to follow and it is unclear which requirement you are referring
to.
-requirements are severely lacking in content and effort

40
Unable to identify what the malicious traffic was
-Your document contains all 4 requirements
-You have the four requirements, but it is hard to understand how you came to
your conclusions. You may have correct conclusions, but based on how you have
presented the document and written out your content
-Your documentation is not ready to be seen by the client. Generally, a few
more proofreads would be required in order to catch errors and produce a
document that a client can read and understand.
-Realistically you shouldn’t pass if you can’t identify what the malicious
traffic is. 40% is generous.

50
You identify what the malicious traffic was.
-Your document contains all 4 requirements
-You have the four requirements, but it is hard to understand how you came to
your conclusions. You may have correct conclusions, but based on how you have
presented the document and written out your content it is not clear that you
understand what you are presenting
-Your documentation is not ready to be seen by the client. Generally, a few
more proofreads would be required in order to catch errors and produce a
document that a client can read and understand.

60
-You identify what the malicious traffic was.
-Your document contains all 4 requirements
-More depth is required on the 4 requirements; the topics are touched on but
explanations need to be more verbose.
-Generally you met the requirements, but in order to get anything above this you
need to demonstrate in your documentation that you can explain the requirements
in a technical and non-technical way. Since a variety of people will be reading
this document you have to consider all who are going to be handling it.

80
-You identify what the malicious traffic was.
-Your document contains all 4 requirements
-You cover all the requirements in depth and on a technical level it is very
well done. However, a regular user would struggle to understand the concepts
that are being discussed. 80% is very good! In order to have obtained 100% you
need to be able to merge technical and non-technical language so that the
document is legible by average users and also maintains technical depth that
makes the document useful to system administrators.

100
-You identify what the malicious traffic was.
-Your document is professional and is of the caliber that it could be presented
to a real-world client with limited IT knowledge and they would understand
everything that you are telling them.
-It is abundantly obvious that you went above and beyond to produce a document
of such high quality that anyone who was to pick this up would have no doubt in
their mind about what the four requirements are talking about.

 
