This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

EDIT 2 i can open.pcapng with notepad. some stuff is in plain english. i see it connecting to another website's iis server. huh :( some weird charectors so i would guess thats the code. gonna try and see what else i can get from this stream capture. any thoughts appreciated.

EDIT: how can i view udp packets? i need to look at what commands are being run in java with a udp field i belive. looking to see what files are being transfered or what commands are being sent to my pc... i isolated the traffic, now i just want to read/translate the code inside.

i go to (what appears to be ) a regular company website with a link off google.com and i see my ms sec essntials open up and clean up/quarantine a virus. its a java exploit:

trojan:JS/Redirector.LB

i captured 349 packets. all i did was start the capture, clicked the link, saw the ms security essential quarantine the exploit (Again) and stopped the capture

now i would like to find whats tripping the av software.

if i follow a tcp stream of the packets i got froom the server answering the pings, would that cause the exploit to be run again? as soon as i followed the stream, my ms security essentials opened again quarantining that exploit again. ever time i follow the stream i get the virus.

its showing an error on the tcp stream: could not open temp file C:\users\x\appdata\local\temp\follow_20121203192017_a04336: access is denied

is this normal when you foolow a tcp stream? is that file above the virus or the temp file of the wireshark capture? how can i find the file/virus from the wireshark capture?

thanks for the time. any help appreciated... Im sick of getting viruses.

asked 03 Dec '12, 16:00

networktec's gravatar image

networktec
1112
accept rate: 0%

edited 10 Dec '12, 01:43

grahamb's gravatar image

grahamb ♦
19.8k330206


is this normal when you foolow a tcp stream? is that file above the virus or the temp file of the wireshark capture?

That's a temp file, written by Wireshark, when you follow a TCP stream. It contains the payload data of the TCP connection. As the virus/trojan code is downloaded via the HTTP connection, wireshark writes the virus/trojan code into that temp file. Your AV scanner detects that write attempt and blocks the action, as it finds the virus/trojan code.

You could add an exception in your AV scanner for the path where Wireshark writes the temp file, if you really know what you are doing ;-). However, just writing the virus/trojan code in the temp file, does not pose any risk, as the virus/trojan code will not be executed.

Regards
Kurt

permanent link

answered 03 Dec '12, 16:42

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

thanks.

1.) i see the stream opening up a connection to a different iis server so im guessing thats where its coming in from. wheres the temp file go? %temp%? i could add exception, but wouldnt the code self execute? if i have enough to trip the av software, that might let it install and delete file if thats in the programing. i was reading about using a debugger to slow down the program and see whats going on.any thoughts appreciated.

2.) i opened the pcapng with notepad. dont understand how to read stuff like: </script> </body> </html><script>try{n&=window[\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\...NUL NUL ACK NUL NUL etc.

hTML code? just not sure what \\\ is?

its full of stuff like this. im guessing im looking for java code, just not sure what it looks like, etc.

then at end i see:

<msgfmtrev>3</msgfmtrev> <msgcontrev>6</msgcontrev> <netstatus>0</netstatus> <hmadevice> <devstatus>0</devstatus> <macaddr>xxxxxxxxxxxx</macaddr> <ipaddr>xxx.xxx.1.xxx</ipaddr> <unitaddr>00029583A9</unitaddr> <networkmaster>Master</networkmaster> <devicetype>2</devicetype> <settopnodeid>1</settopnodeid> <netconnecttype>1</netconnecttype> <mocanodeid>0</mocanodeid> <mocaversion>01.73</mocaversion> <hmaauth>Yes</hmaauth> <hmacontsupport>SDorHD</hmacontsupport> <numcontses>0</numcontses> <hmastreamtypesupport>MPEG2orMPEG4</hmastreamtypesupport> </hmadevice> </hmanetconfig>

java code? weird. any thoughts appreciated.

(09 Dec '12, 14:51) networktec

The .pcapng file is the file that Wireshark stores the network traffic captured from the interface, but it is not an executable file, nor is it (generally) human readable. One piece of software that can generate or display the contents of a pcapng file is called Wireshark.

If the capture file contains the download of some malware, it is possible that av software may trigger on the write (or read) of the file due to the av "recognising" a pattern of bytes that match an entry in the av database of malware.

I don't know of a way to encode data in a pcapng file that would cause a normal program that read it to misbehave (apart from crash), but I would think it possible that a malware program could use a pcapng file to hold data (or code) for it in the same way any other file could be used for the same purpose.

permanent link

answered 10 Dec '12, 01:43

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×7

question asked: 03 Dec '12, 16:00

question was seen: 9,138 times

last updated: 10 Dec '12, 01:43

p​o​w​e​r​e​d by O​S​Q​A