Wireshark Lab
He initiated an ARP scan. The lab's switch, a managed Cisco Catalyst, was supposed to isolate ports. But the Wireshark capture showed something impossible: Client-3 was responding to ARP requests for every IP on the subnet. It had claimed the entire network.
10.0.0.25 → 10.0.0.1 (Gateway) [ICMP] Redirect.
Packet #5,002: 10.0.0.25 → 10.0.0.2 (DNS Server) [DNS] Query: where-is-the-backup.exe
Packet #5,003: 10.0.0.25 → 10.0.0.25 [TCP] Flags: SYN, SYN-ACK, ACK. (A self-handshake. A TCP loop talking to itself.)
He looked back at Wireshark. The last packet had just arrived. Packet #12,000.
It wasn't supposed to be like this. The "Wireshark Lab" was a routine exercise for the new junior analysts. A controlled environment. A safe little network with three virtual machines, a switch, and a firewall. The goal was simple: capture a standard HTTP login, an FTP file transfer, and a DNS query. Basic pattern recognition.
Aris had set up the capture filter: host 10.0.0.25. That was "Client-3," the dummy machine the newbies would use. He expected a quiet sea of ARP requests and the occasional SYN-ACK handshake.
Src: 10.0.0.25, Dst: 10.0.0.1
TCP Payload: You passed the lab, Aris. But the lab is not over.
Because the lab wasn't just a room anymore. It was a conversation. And someone—or something—had just asked the first question.






