Task 2: To find strings that will be sent from terrorist to device
Run 'client -h' to list the available commands, then:
run 'client --command DISARM' to get 25 4D 10 01 (printed as decimal 625807361)
run 'client --command ARM' to get 25 4D 10 02 (printed as decimal 625807362)
run 'client --command TRIGGER' to get 25 4D 10 03 (printed as decimal 625807363)
(the hex values above are straight conversions from decimal to hex via calculator)
Open 'wireshark traffic.pcap'
Open the dialog box from Edit -> Find Packet and click 'Hex value'.
Enter 01104d25 in the filter field (the DISARM bytes in reverse order,
because the value is little-endian on the wire).
Observe that the only frame that includes this string involves
192.168.87.240 and 192.168.70.113
Now click the 'Filter' field and enter 'ip.addr == 192.168.87.240'
All the frames that show up involve 192.168.87.240 and 192.168.70.113
Note that 192.168.87.240 always sends the first SYN, so it is likely
to be the terrorist. Clicking through all packets with 192.168.87.240
as the source eventually brings up 5.3-dev3863 (4th line down).
Hence the answers to the questions are:
IED at 192.168.70.113 with id string 5.3-dev3863
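
Added example (not part of the original notes or the challenge tooling): the same hex search done in a script, covering all three command codes at once instead of only DISARM. The function names and the two-frame sample capture are constructed for illustration; it assumes a classic pcap file with Ethernet/IPv4 frames.

```python
import socket
import struct

# Decimal command codes printed by the client, taken from the notes above.
COMMANDS = {"DISARM": 625807361, "ARM": 625807362, "TRIGGER": 625807363}

def wire_bytes(code):
    """Pack a 32-bit code little-endian, the byte order seen in the capture."""
    return struct.pack("<I", code)

def find_commands(pcap):
    """Scan a classic pcap (Ethernet/IPv4); return (frame_no, src, dst, command) hits."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    hits, offset, frame_no = [], 24, 0            # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        frame_no += 1                             # Wireshark numbers frames from 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        for name, code in COMMANDS.items():
            if wire_bytes(code) in frame[14 + ihl:]:
                hits.append((frame_no, src, dst, name))
    return hits

def build_sample():
    """Constructed two-frame capture (not traffic.pcap); only frame 2 has a command."""
    def frame(src, dst, data):
        eth = b"\x00" * 12 + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = b"\x00" * 12 + b"\x50" + b"\x00" * 7   # bare 20-byte TCP header
        pkt = eth + ip + tcp + data
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    a, b = "192.168.87.240", "192.168.70.113"
    return header + frame(a, b, b"hello") + frame(a, b, b"\x00" + wire_bytes(COMMANDS["DISARM"]))

if __name__ == "__main__":
    for hit in find_commands(build_sample()):
        print(hit)
```

To run it against the real capture, pass open('traffic.pcap', 'rb').read() to find_commands instead of the constructed sample.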