Hello, I'm a novice user. I suspect my computer's been hacked. With help, I've captured a trace of my router traffic, and want to filter the results in Wireshark. What should I enter in the filter field? I'm trying to achieve two things:
Thanks!

asked 08 May '13, 04:30 melanie
One Answer:
This is not going to be simple. To determine what is malicious traffic and what isn't, you need to know what "good" traffic looks like. And that depends on what your PC is supposed to do on the network. For example, if you're not using a web browser while you capture but you see HTTP traffic, it could be hidden communication, but it may also be a background patch mechanism at work. So first you need to spot traffic that you can't explain, then find out what program caused it, and determine if it is a good or bad program.

answered 08 May '13, 05:28 Jasper ♦♦
Thanks Jasper.
I did have a browser open.
I guess I'm wondering if there are some obvious things I can filter out because they are never 'bad'.
Also, any help on question 2 would be great. (filtering out traffic to and from one of two wifi accounts.)
Almost any protocol can be abused, but in most cases you could filter out any traffic that runs between IPs you trust, e.g. IPs within your own network. A typical filter could be something like "not (ip.src==192.168.1.0/24 and ip.dst==192.168.1.0/24)", which would filter out any communication of IPs both belonging to the 192.168.1.0/24 subnet. There are some cases where malware relays communication through the local subnet, but that is very rare and usually concerns enterprise/government level targets.
Filtering on accounts is kinda hard to do. How do you differentiate between "guest" accounts and your Wifi Account? Can you base it on devices/MAC addresses?
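As an added example (not part of this thread and not Jasper's code), the script below applies the same logic as the display filter `not (ip.src==192.168.1.0/24 and ip.dst==192.168.1.0/24)` to a handful of constructed packet records, then adds the per-device MAC filter Jasper suggests (`eth.addr == <mac>` in Wireshark) and lists the outside hosts that remain, which is the list you would then try to explain one by one. All MAC addresses, the 203.0.113.0/24 hosts and the packet records themselves are made up for illustration.

```python
"""Mirror two Wireshark display filters on constructed packet records.

Display filters reproduced here:
  not (ip.src==192.168.1.0/24 and ip.dst==192.168.1.0/24)   -> drop_local_traffic()
  eth.addr == aa:bb:cc:00:00:01                              -> only_device()
"""
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

# Assumed home subnet; change it to whatever your router hands out.
LOCAL_NET = ip_network("192.168.1.0/24")

# Constructed sample records: eth.src, eth.dst, ip.src, ip.dst, protocol.
# aa:bb:cc:00:00:ff plays the router, :01 and :02 are two LAN devices.
Packet = namedtuple("Packet", "eth_src eth_dst ip_src ip_dst proto")
SAMPLE_PACKETS = [
    Packet("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", "192.168.1.10", "192.168.1.1", "DNS"),
    Packet("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", "192.168.1.10", "203.0.113.5", "HTTP"),
    Packet("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "192.168.1.20", "192.168.1.10", "SMB"),
    Packet("aa:bb:cc:00:00:ff", "aa:bb:cc:00:00:01", "203.0.113.5", "192.168.1.10", "HTTP"),
    Packet("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", "192.168.1.10", "203.0.113.7", "TLS"),
    Packet("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:ff", "192.168.1.20", "203.0.113.9", "HTTP"),
    Packet("aa:bb:cc:00:00:ff", "aa:bb:cc:00:00:01", "192.168.1.1", "192.168.1.10", "DNS"),
]


def display_filter(net=LOCAL_NET):
    """The Wireshark filter string this script's drop_local_traffic() mirrors."""
    return f"not (ip.src=={net} and ip.dst=={net})"


def is_internal_to_internal(pkt, net=LOCAL_NET):
    """True when both IP endpoints sit inside `net` (what 'ip.src==NET and ip.dst==NET' matches).
    ip_address(...) in ip_network(...) is exactly the CIDR test Wireshark performs."""
    return ip_address(pkt.ip_src) in net and ip_address(pkt.ip_dst) in net


def drop_local_traffic(packets, net=LOCAL_NET):
    """Keep only packets with at least one endpoint outside the trusted subnet."""
    return [p for p in packets if not is_internal_to_internal(p, net)]


def only_device(packets, mac):
    """Equivalent of 'eth.addr == MAC': the device's MAC on either side of the frame."""
    mac = mac.lower()
    return [p for p in packets if mac in (p.eth_src.lower(), p.eth_dst.lower())]


def external_peers(packets, net=LOCAL_NET):
    """Count (outside host, protocol) pairs in the remaining packets.
    Each entry is a conversation you should be able to account for."""
    peers = Counter()
    for p in packets:
        outside = p.ip_dst if ip_address(p.ip_dst) not in net else p.ip_src
        peers[(outside, p.proto)] += 1
    return peers


if __name__ == "__main__":
    print("Wireshark filter:", display_filter())
    kept = drop_local_traffic(SAMPLE_PACKETS)
    print(f"{len(SAMPLE_PACKETS)} packets captured, {len(kept)} left after dropping LAN-only traffic")
    laptop = only_device(kept, "aa:bb:cc:00:00:01")
    print(f"{len(laptop)} of those involve device aa:bb:cc:00:00:01")
    for (host, proto), n in external_peers(laptop).most_common():
        print(f"  {host:<15} {proto:<5} {n} packet(s)")
```

One caveat when filtering on a MAC address: it only works if the trace was taken on the LAN (Wi-Fi) side of the router. On the internet side the router rewrites every frame with its own MAC and NATs the source IP, so all devices look the same there and the per-device filter has nothing to separate.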