Network Packet Anaylsis (simple)

Here are the details regarding the network: Employee Title IP address Server Server [login to view URL] Phil Farnsworth Owner [login to view URL] James Garrett Network Admin [login to view URL] Allen Beard Payroll Admin [login to view URL] If you don't know whether it's suspicious -- sometimes it's difficult to tell -- say so, and describe why you can't tell whether it's suspicious or not. There are examples of EACH of the aforementioned categories of behavior included in the packet capture. NOTE: I want a DETAILED INTERPRETATION of what is happening. Don't simply DESCRIBE what is going on, I want an expert interpretation. Here’s an example: POOR DESCRIPTION: IP [login to view URL] is accessing port 21 over TCP on IP xx.xx.xx.xx. My feedback to you: That is useless information. GOOD DESCRIPTION: IP [login to view URL] is attempting to connect to port 21 on IP xxx.xxx.xxx.xxx. Port 21 is ftp, which sends credentials in the clear. The series of packet captures shows that the intruder was attempting to guess passwords for user "sumowrestler". The intruder was eventually successful after the 5th try. The passwords guessed were "password", "sumo", "wrestler", "beatles" and "sumo1", the latter of which allowed the intruder to gain access to the computer. Questions 1. What is occurring in packets 3-4? Is it evidence of an intrusion? Provide an interpretation of what is occurring, and the possible uses of the information gained. If there’s nothing suspicious, tell me so, and explain why it’s normal traffic. 2. Is the activity occurring in packets 17-20, 24-25, 28-33, 36-41 evidence of an intrusion? Provide a detailed interpretation of what is occurring, and the possible uses of the information gained. How many computers are involved? Who owns them? 3. Is the activity starting in packet 80-116 evidence of an intrusion? Provide a detailed interpretation of what is occurring, and the possible consequences. How many ports are involved, and what are their associated services? What information would be gained, and how would it be used by an attacker? 4. Are packets 508-595 abnormal? (Note: this is a TCP stream so you can select the first packet, right click your mouse, select "Follow TCP Stream", and Wireshark will extract those packets and form a single readable stream.) Provide a detailed description AND interpretation of what is occurring, and the possible consequences. THERE IS A LOT GOING ON. TELL ME WHAT HAPPENED! 5. Is the activity starting in packet 618 evidence of an intrusion? (Note: this is a TCP stream so you can select the packet, right click your mouse, select "Follow TCP Stream", and Wireshark will extract those