I took a picture while on an airplane. The intent was to learn more about how the aircraft's switched network works when integrated with a satellite connection via ViaSat services.
I captioned the LinkedIn Post with: “Wireshark on the Plane why?
Flying metal tubes in the sky have connectivity to the entire world via satellite 🛰️ and I wanted to know the details of how and which protocols are used.
I’ll post a blog about the analysis of that PCAP file later.”
To the best of my understanding, the flow of the packet should go from the airplane router to the satellite and then be relayed back down to the hypersphere we call the internet hosted on Earth.
Therefore, any analysis of the traffic meant for my host machine is an analysis of the traffic that has traveled from the aircraft to the satellite and back.
Unfortunately, I didn’t run a traceroute, but that would have proven that point by providing the hops traveled by the packet. Wireshark and hping would be a good combo to uplevel this experiment. Wireshark and Nmap would also be a good choice for analyzing public Wi-Fi traffic. I would also be careful if you do any of this. The methods I used were not actively scanning the network.
I found several details that are especially useful to me and the role I play as a cybersecurity instructor. Both the Security+ and Ethical Hacking Bootcamps I am fortunate enough to have the opportunity to play a role in could benefit from the examples shown in the PCAP file. This is a simple PCAP project that could frame beginner projects for people trying to break into the industry.
Gratuitous ARP request - A crucial concept for building the mental map needed to understand how Man-in-the-Middle attacks are implemented. Man-in-the-Middle attacks imitate networks to trick you into joining a monitored network.
DHCP lease information - Most DHCP servers give you information about the switched network you are attached to. They also assign you an IP address from an address pool, all of which are from the same network.
VPN TLS Payload - A self-imposed security assessment to see if I can capture the information regarding the algorithms used by my VPN.
Vendor MAC address identifier for ViaSat (confirms that the aircraft Wi-Fi is using ViaSat modems and routers) - This one is really interesting when pivoting off of WiGLE.
Passive banner grabbing of the captive portal webpage and web server OS - If I were a malicious actor this would be a detail I would want to know and would use to find useful vulnerabilities.
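The gratuitous ARP and DHCP lease items above can both be read from frames already sitting in a capture, without sending anything onto the network. The following is an added example, not code from the original post: it assumes raw Ethernet frames and DHCP (UDP) payloads have already been extracted from a PCAP, and the sample bytes, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

IP_OPTS = {1: "subnet_mask", 3: "router", 6: "dns", 54: "server_id"}

def is_gratuitous_arp(frame: bytes) -> bool:
    """True when an Ethernet/ARP frame announces the sender's own IP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType ARP
        return False
    return frame[28:32] == frame[38:42]  # sender IP == target IP

def parse_dhcp_lease(bootp: bytes) -> dict:
    """Pull lease details out of a DHCP message (the UDP payload)."""
    if len(bootp) < 240 or bootp[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("missing DHCP magic cookie")
    lease = {"your_ip": str(ipaddress.IPv4Address(bootp[16:20]))}  # yiaddr
    i = 240
    while i < len(bootp) and bootp[i] != 255:  # 255 = end option
        code = bootp[i]
        if code == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(bootp) or i + 2 + bootp[i + 1] > len(bootp):
            raise ValueError("truncated DHCP option")
        value = bootp[i + 2:i + 2 + bootp[i + 1]]
        if code in IP_OPTS and value and len(value) % 4 == 0:
            lease[IP_OPTS[code]] = [str(ipaddress.IPv4Address(value[j:j + 4]))
                                    for j in range(0, len(value), 4)]
        elif code == 51 and len(value) == 4:
            lease["lease_seconds"] = struct.unpack("!I", value)[0]
        elif code == 53 and len(value) == 1:
            lease["message_type"] = value[0]  # 5 = DHCPACK
        i += 2 + len(value)
    return lease

# Constructed sample data (not taken from the capture discussed on this page).
SAMPLE_ACK = (b"\x02\x01\x06\x00" + bytes(12) + bytes([10, 0, 0, 57])
              + bytes(216) + b"\x63\x82\x53\x63"
              + bytes([53, 1, 5, 1, 4, 255, 255, 255, 0, 3, 4, 10, 0, 0, 1,
                       6, 8, 10, 0, 0, 1, 1, 1, 1, 1, 51, 4, 0, 0, 14, 16, 255]))
SAMPLE_GARP = (b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06"
               + b"\x00\x01\x08\x00\x06\x04\x00\x01"
               + b"\x02\x00\x00\x00\x00\x01" + bytes([10, 0, 0, 57])
               + bytes(6) + bytes([10, 0, 0, 57]))

if __name__ == "__main__":
    print(is_gratuitous_arp(SAMPLE_GARP), parse_dhcp_lease(SAMPLE_ACK))
```

On a real capture, a gratuitous ARP that claims the router address reported by the DHCP lease, but comes from a different MAC than the one that answered DHCP, is the pattern worth flagging.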