This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

analyzing packets

0

I am new to Wireshark, and am trying to learn as much as possible, and wasn't sure where to start. I heard somewhere from doing research online that the books can't teach/show you everything, so a good place to get started is to look around, use it, and get familiar with it. I noticed on the Wireshark site that they have some captures. I thought it would be interesting to see what a virus/trojan looked like. I downloaded the slammer.pcap, and am trying to figure out the main things that would pop out warning the administrator that it is a malicious packet?

asked 27 Nov '12, 15:34


droidus
1333
accept rate: 0%


One Answer:

0

and am trying to figure out the main things that would pop out warning the administrator that it is a malicious packet?

Wireshark is a network analyzer, so it helps to detect problems within the network and/or with networked applications. Wireshark is unable to detect "malicious" content in a packet as it has no functionality for that. You can however do that manually, if you know what to look for.

There is an extension for Wireshark, called WireShnork, which combines the functionality of Wireshark with the detection capabilities of Snort. With that plugin, you will be able to detect malicious "actions/content" in a packet (or data stream), if there is a pattern for that specific attack. However, that's more a snort question than a Wireshark question.

Regards
Kurt

answered 27 Nov '12, 16:37


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 27 Nov '12, 16:49

I could only see directions for Linux commands. Am I missing something for Windows? Also, there is no way to just look at this data, like the content, to tell if it is malicious?

(27 Nov '12, 19:24) droidus

Well, if you need WireShnork for Windows, you need the following:

  • a Snort version for Windows, which is available
  • you would have to compile the plugin yourself on Windows (follow the plugin developer guide).
  • you would have to extend the plugin code to work on Windows (calling the Snort binary).
  • download the plugin code

Unfortunately, the code is currently not available, as the mentioned GIT server refuses the GIT connection!?!

also, there is no way to just look at this data, like the content, to tell if it is malicious?

Sure there is. As I mentioned, you can look into the packet content manually (that's the main usage of Wireshark) and try to identify malicious code/activities. But then you need to know exactly what to look for.

In the case of slammer.pcap you can view the packet bytes in Wireshark.

http://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html

As the MS-SQL protocol is a binary protocol, you will only see the HEX representation of the packet bytes. Whether you can identify the attack in that packet depends on your knowledge of how Slammer works.

(28 Nov '12, 03:52) Kurt Knochner ♦
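The comment above says the only way to judge a binary payload is to look at the packet bytes and know what to look for. As an added example (not part of the original thread, and not Wireshark or WireShnork code), the script below does programmatically what a Wireshark user does by hand: it reads a classic pcap file, picks out IPv4/UDP datagrams, and flags the pattern a defender would look for in slammer.pcap, a datagram to the MS-SQL resolution service on UDP/1434 whose payload is far larger than a normal resolution query. The threshold, the addresses and the sample capture are constructed for this example; the large payload is plain filler bytes, not worm code.

```python
import struct

SQL_RESOLUTION_PORT = 1434   # MS-SQL Server Resolution Service listens on UDP/1434
LARGE_PAYLOAD = 300          # heuristic threshold in bytes (assumption for this example)


def read_pcap(data):
    """Yield raw Ethernet frames from classic pcap bytes (either byte order)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("example only handles Ethernet captures")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_udp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:  # protocol field: 17 = UDP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, dst, sport, dport, udp[8:ulen]


def hexdump(payload, width=16):
    """Wireshark-style hex/ASCII view of the packet bytes."""
    lines = []
    for i in range(0, len(payload), width):
        chunk = payload[i:i + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexs:<{width * 3}} {asc}")
    return "\n".join(lines)


def find_suspicious(pcap_bytes):
    """Flag UDP datagrams to 1434 whose payload is far larger than a normal
    resolution-service query (those are only a few bytes long).
    Returns a list of (packet_index, src, dst, payload_len)."""
    hits = []
    for idx, frame in enumerate(read_pcap(pcap_bytes)):
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport == SQL_RESOLUTION_PORT and len(payload) >= LARGE_PAYLOAD:
            hits.append((idx, src, dst, len(payload)))
    return hits


# --- constructed sample capture (not slammer.pcap) -------------------------

def build_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/UDP frame; checksums are left zero for this demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1354000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.7", "10.0.0.9", 40000, 1434, b"\x02"),             # short, normal-sized query
    build_frame("10.0.0.5", "10.0.0.9", 1234, 1434, b"\x04" + b"\x01" * 375),  # constructed 376-byte filler
])

if __name__ == "__main__":
    for idx, src, dst, size in find_suspicious(SAMPLE_PCAP):
        print(f"packet {idx}: {src} -> {dst}, {size}-byte payload to UDP/1434")
        payload = parse_udp(list(read_pcap(SAMPLE_PCAP))[idx])[4]
        print(hexdump(payload[:32]))
```

To run it against the capture from the question, replace `SAMPLE_PCAP` with `open("slammer.pcap", "rb").read()`. The same heuristic expressed as a Wireshark display filter is `udp.dstport == 1434 && udp.length > 300` (udp.length includes the 8-byte UDP header), which is a quick way to get the same packet on screen before reading its bytes in the packet-bytes pane.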