Wireshark
Thread Starter
Needs more Lemon Pledge
Joined: Mar 2005
Posts: 52,768
Likes: 2,000
From: Phoenix, AZ
Using wireshark to watch systems and check for signs of suspicious activity, etc.
Anyone have a good tool or workflow to analyze a full 24 hours worth of wireshark activity?
Basically trying to see if a machine has been compromised or has malware that is reporting home.
I mainly want to be able to run an IP lookup on all IPs for outbound traffic, but there can be a LOT of them and I don't want to have to do it manually.
I haven't used wireshark in a few years and even then it was sparingly so I could be making a fool of myself.
With that said, wouldn't that kind of capability have to be built into the edge router? I've used the logs of routers to track down a PC spewing malware-induced web traffic before. Since routers/switches don't broadcast to all ports like a hub, how could you run wireshark on a PC on the network and analyze all network traffic if that traffic isn't being forwarded to the PC running Wireshark?
You'd have to run wireshark on each PC and then find a way to get the results from each PC forwarded to a main PC so that you could analyze the results of each PC.
Also have you tried running sysinternals tcp/ip viewer?
Last edited by #1 STUNNA; Dec 23, 2013 at 11:30 PM.
Thread Starter
Stunna, I am just trying to see if the particular PC is sending outbound traffic, and to where.
I run Wireshark on the PC in a closed environment (or not) and see where the outbound traffic tries to go.
So you've got it narrowed down to one? Does it really matter where it's going or are you just using wireshark to detect if this PC is infected with a virus?
Have you tried running the usual TDSSkiller, ESET Sirefef removal tool (been personally kicking ass for me lately), combofix, MSERT, malwarebytes, and a manual scan using autoruns, and if necessary process explorer and tcp/ip viewer? I've yet to come across a machine that makes it through all of those still infected, not that it's not possible, of course.
Last edited by #1 STUNNA; Dec 23, 2013 at 11:42 PM.
Thread Starter
Daniel, I appreciate the thoughts but as I stated, I am specifically interested in the outbound traffic and where it is headed. That's it. Not really concerned about infections, per se, but any keylogging software that is reporting back or remote access software that is trying to connect out or send out data. Mainly related to a computer that has been part of an intrusion and may be compromised.
Disclaimer: I don't know anything about Wireshark logs
If the logs are just ASCII text, it sounds like a few lines of shell script in a *nix or cygwin environment should handle it pretty easily?
Roughly, something like ..
Code:
#!/bin/sh
# we goin a-huntin' !!
WSLOG=/tmp/raw-wireshark-log
TARGETS=/tmp/outbound-ip-addrs
REPORT=/tmp/wireshark-analysis

# pull out the log lines that name an outbound IP, then strip everything but the address
grep "some-pattern-wireshark-uses-to-report-a-outbound-IP" "$WSLOG" |
  sed -e "s/leading-cleanup-pattern//" -e "s/trailing-cleanup-pattern//" >"$TARGETS"

: >"$REPORT"   # start from an empty report
sort -u "$TARGETS" | while read -r unique_ipaddr
do
    # -x counts whole-line matches only, so 10.0.0.1 does not also count 10.0.0.10
    hits=$(grep -cx "$unique_ipaddr" "$TARGETS")
    echo "" >>"$REPORT"
    echo "Target [$unique_ipaddr] - frequency: $hits" >>"$REPORT"
    dig -x "$unique_ipaddr" >>"$REPORT"
done
Probably the hardest part of the script would be extracting and cleaning up the ip-addresses from the Wireshark log, and generating a clean list of "$TARGETS", but I have rarely encountered any pattern processing problems that grep/sed/cut couldn't solve.
Um, in case you don't know shell scripting, the pseudocode for the above is:
-extract the raw lines of text from the wireshark log containing outbound ipaddrs and then save just the ip-addrs to a list of TARGETS
-for each unique target ip-addr
 - count the number of times that ip-addr appears in the TARGETS list
 - write to a REPORT - the unique ip-addr and the frequency of occurrence in the wireshark log
 - use the 'dig' command to reverse-lookup the unique ip-addr and add its output to the REPORT
Last edited by underdog; Dec 24, 2013 at 07:03 AM.
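A worked version of the workflow underdog sketches above, added here as an example (it is not underdog's script or anything from the Wireshark project). It assumes the capture was exported to a two-column "src,dst" text file with tshark (`-T fields -e ip.src -e ip.dst`), keeps only packets sent by the suspect host, drops private, loopback, link-local and multicast destinations so LAN chatter does not drown the report, and counts hits per external address; the reverse lookup is a separate function because it needs network access.

```shell
#!/bin/sh
# Added example (not underdog's script). Assumed input: a "src,dst" text file
# made with:  tshark -r capture.pcap -Y ip -T fields -e ip.src -e ip.dst -E separator=,
# Usage: outbound_summary FIELDS_FILE HOST_IP  -> "hits dest_ip" lines, busiest first
outbound_summary() {
    fields="$1"
    host="$2"
    awk -F, -v host="$host" '
        # Private, loopback, link-local and multicast destinations are LAN noise,
        # not a machine "calling home", so they are dropped from the report.
        function is_internal(ip,  o) {
            split(ip, o, ".")
            if (o[1] == 10 || o[1] == 127) return 1
            if (o[1] == 192 && o[2] == 168) return 1
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
            if (o[1] == 169 && o[2] == 254) return 1
            if (o[1] >= 224) return 1
            return 0
        }
        # Only packets whose source is the suspect host count as outbound.
        $1 == host && !is_internal($2) { hits[$2]++ }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' "$fields" | sort -rn
}

# Adds the reverse lookup from the original post to each summary line.
# Needs network access, so it is kept apart from the offline counting step.
annotate_report() {
    while read -r hits ip; do
        name=$(dig +short -x "$ip" | head -n 1)
        echo "Target [$ip] - frequency: $hits - ${name:-no PTR record}"
    done
}
```

Pipe the two together on a real export (`outbound_summary fields.txt 192.168.1.20 | annotate_report`) to get the frequency-plus-PTR report the post describes.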
Enterprise switches have a feature called a mirror port. When you have a port on a switch configured as a mirror, all traffic on that switch will be echoed to the mirror port.
Last edited by doopstr; Dec 24, 2013 at 08:37 AM.
Wireshark has the ability to resolve names. It won't store the names in the output file but you should be able to see the names in the wireshark program if you have the feature enabled.
http://lmgtfy.com/?q=wireshark+host+resolution
Last edited by doopstr; Dec 24, 2013 at 08:42 AM.