I Smell Packets

Another Solution to Where in The World is Chris?
July 28, 2009, 5:22 pm
Filed under: Berlin, Packet Challenge, WinHex, Wireshark

I wanted to share another solution I received to the ‘Where in The World is Chris?’ packet challenge. This one comes from Justin Acquaro.

Justin writes:

Short Answer:

Mohrenstrabe 30
10117 Berlin, Germany

The long answer:

Using wireshark it appears that the packet is a http session to twitter ( http://twitter/cchristianson )


Follow the TCP stream shows this conversation followed by a GZIP download:


Using the save as function I save the file to packets.bin I then open packets.bin up in a hex editor (winHex). According to the RFC for gzip (http://tools.ietf.org/html/rfc1952) the start of a gzip file is always β€œ1f 8b”. I then locate these two values in WinHex.


I then deleted all the data above this magic value and saved the results as packets.bin.gz


When I opened the file I was presented with the original contents.


Opening the file up it appears to be the HTML source of a twitter page.


Rendering the HTML yields:


Which once plugged into google maps yields:


Chris writes:

Thanks for the write-up Justin (jacquaro on twitter.)
If anyone else would like share how they solved this or any of the other challenges, please feel free to send me a message. It’s always nice to see how others go about it.

Solution to Where in The World is Chris?
July 23, 2009, 2:34 pm
Filed under: Berlin, Brandenburg Gate, Packet Challenge, Wireshark

I’m back from vacation. It was a blast! Where was I? Here is the solution to last week’s packet challenge.

Opening up the pcap file in Wireshark we see the following:


A quick glance at the fourth packet reveals that this is a HTTP request to twitter.com. Note that in the Packet List Pane the fourth packet has been selected. In the Packet Details Pane the Hypertext Transfer Protocol field section has been expanded. In particular, this is a request to twitter.com for /cchristianson.

Another thing to take note of, is that there is also only one connection or flow in this particular capture. We know this because there is only one set of IP addresses, source port, and destination port combonation. In this case, it’s the one from <->

Back to the question at hand, ‘where in the world is Chris?’ Most of us are familiar with Twitter. One of Twitter’s features is the ability for a user to update their Location. This Location field is displayed on every user’s page. In this instance, this field reveals exactly where I am.

Looking through all these packets for my location would be a little tedious. To assist us in our efforts to find the right packet, Wireshark does have a nifty little search feature. To access the Search feature, go to the Edit Menu and select Find Packet. Search for the string ‘Location’ in the ‘Packet Details’ like so:


This highlights the packet that contains my location. Selecting that packet and then expanding the Line-based text data: text/html section at the bottom, reveals all the content of the web page. Scrolling through that information will reveal the Location field as well as some numbers.


The numbers are of course GPS coordinates. Inserting those coordinates into Google Maps or any other mapping software will reveal my exact location at the time, the Hilton Hotel in Berlin. Berlin is fantastic by the way.

Lot’s of people got this one right. Congratulations to Jorge Orchilles (@jorgeorchilles on twitter) for being the first. Thanks to everyone else for playing and following along.

I’ll be in Las Vegas next week attending Blackhat and Defcon. Send me a tweet or an email if you’d like to meet.

Before I go, here is one of the pictures I took while I was there. It’s of the Brandenburg Gate in Berlin.



The TCP/IP Guide
Wireshark User’s Guide
Brandenburg Gate