It basically turned out that most of the connections were just updates for the virus scanner and other components that turned out to be non-malicious. Especially when most of the connections look like this (actually, it had the public IP of the server in them, but I sanitized the file, replacing the address with “10.0.0.21”): I had opened the trace and activated Network Name Resolution which I usually do not have enabled, but for an investigation like this it is quite helpful. So basically I wanted to separate good from bad traffic, if any, and see what was transferred.įirst, I used the conversation statistics to get an idea of who the server was talking to. Actually, dumpcap was already running for a couple of days in front of the firewall using a capture filter set to the server IP, recording everything that the server sent or received to and from the internet. A couple of malicious files had been reported by the virus scanner, so I had to take a closer look at what it was doing in the network. of the traffic you want to analyze and all other protocols will be hidden in your trace.Ī very good cheat sheet is available from packetlife.Today I was using a combination of dumpcap and Wireshark to run a network forensics investigation against a server that may have been compromised. You can specify the protocol like " smb"," http" or " smtp". It is possible to combine filters with the logic operators " and, or, xor, not" For xample " ip.addr=10.0.0.10 and not eth.addr=45:20:24:ff:5a:18" checks if there are packets with ip address 10.0.0.10 which do not come from the correct network adapter.
For example if you want the whole traffice from and to 10.0.10.x then use ip.addr contains 10.0.10. You can replace the "=" with contains to search for a part of an address. See all packets in the communication trace which transport cookies to remote server. See all packets in the communication trace which sets cookies. Hide Address Resolution Protocol packets to prevent the flood of them in your communication trace. Today i want to show some other very usefull Displayfilters in Wireshark.ĭisplay all IP traffic coming from or going to the specified IP Address.ĭisplay all Network traffice coming from or going to the specified Mac Address. In one of my last posts i have talked about how to trace DHCP communication in Wireshark.
0 kommentar(er)
