This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I'm a novice user. I suspect my computer's been hacked. With help, I've captured a trace of my router traffic, and want to filter the results in Wireshark.

What should I enter in the filter field? I'm trying to achieve two things:

  1. filter out 'noise' (anything that would definitely NOT be related to suspicious activity)
  2. filter out traffic on my 'guest' account so I only see traffic on 'my wifi' account.

Thanks!

asked 08 May '13, 04:30

melanie's gravatar image

melanie
11112
accept rate: 0%


This is not going to be simple. To determine what is malicious traffic and what isn't you need to know how "good" traffic looks like. And that is depending on what your PC is supposed to do on the network. For example of you're not using a web browser while you capture but you see HTTP traffic it could be hidden communication, but it may also be a background patch mechanism at work. So first you need to spot traffic that you can't explain, then find out what program it was caused by, and determine if it is a good or bad program.

permanent link

answered 08 May '13, 05:28

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks Jasper.

I did have a browser open.

I guess I'm wondering if there are some obvious things I can filter out because they are never 'bad'.

Also, any help on question 2 would be great. (filtering out traffic to and from one of two wifi accounts.)

(08 May '13, 08:00) melanie

Almost any protocol can be abused, but in most cases you could filter out any traffic that runs between IPs you trust, e.g. IPs within your own network. A typical filter could be something like "not (ip.src==192.168.1.0/24 and ip.dst==192.168.1.0/24)", which would filter out any communication of IPs both belonging to the 192.168.1.0/24 subnet. There are some cases where malware relays communication through the local subnet, but that is very rare and usually concerns enterprise/government level targets.

Filtering on accounts is kinda hard to do. How do you differentiate between "guest" accounts and your Wifi Account? Can you base it on devices/MAC addresses?

(08 May '13, 20:28) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×40
×24

question asked: 08 May '13, 04:30

question was seen: 2,698 times

last updated: 08 May '13, 20:29

p​o​w​e​r​e​d by O​S​Q​A