This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Internal or external source?

0

Hello all,

I am still very new to Wireshark, and I am curious if someone can guide me in the right direction. I have a packet captured, and we know there is an intruder, but I do not know if there is a way to tell if they are coming from within the network or an outside source. Does Wireshark tell us that information?

Thanks!

asked 07 Oct '13, 11:34

Ruinzifra
accept rate: 0%


One Answer:

2

> I have a packet captured,
> we know there is an intruder
> if they are coming from within the network or an outside source.

Well, if you think you identified the intruder action within that single packet, just look at the source IP. If it is from your network, the intruder might be internal or external (see below). Otherwise: external (internet, other network).

HOWEVER: I doubt you will find an intruder with just a few packets (except in some easy-to-spot cases). So, if you think there is an intruder, you need to develop an idea which system he/she is attacking and how (protocols). Then you can capture traffic to the target and see who is doing what on that system. By that you will identify the suspicious IP addresses. If they are internal, it can still be an intruder from external. In that case he might just have successfully attacked another system on your network and is now using that 'hacked' system to attack and/or probe the rest of the network.

Regards
Kurt

answered 07 Oct '13, 11:53

Kurt Knochner ♦
accept rate: 15%

edited 07 Oct '13, 12:22
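
The triage the answer describes, as an added example that is not part of the original post: it takes source/destination pairs exported from a capture, keeps the packets sent to the suspected target, and splits the senders into internal and external. The prefixes in `INTERNAL_NETS`, the target address and the sample rows are constructed assumptions; replace them with your own ranges and tshark output.

```python
import ipaddress
from collections import Counter

# Assumption: the ranges your own network uses (constructed values, not from the post).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed sample rows, in the shape produced by:
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst
SAMPLE = """\
10.20.3.7\t10.20.1.10
203.0.113.45\t10.20.1.10
203.0.113.45\t10.20.1.10
10.20.1.10\t203.0.113.45
\t
198.51.100.9,10.20.1.10\t10.20.1.10,198.51.100.9
192.168.50.23\t10.20.1.10
"""

def outer_ip(field):
    """Return the outermost address in a tshark field, or None if empty/invalid.

    Packets that embed another IP header (for example ICMP errors) yield
    comma-separated values; the first one is the outer header.
    """
    first = field.split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None  # non-IP frames such as ARP leave the field empty

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def talkers_to(target, rows):
    """Count packets sent to `target` per source, split into internal/external."""
    target = ipaddress.ip_address(target)
    counts = {"internal": Counter(), "external": Counter()}
    for line in rows.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        src, dst = outer_ip(parts[0]), outer_ip(parts[1])
        if src is None or dst != target:
            continue
        counts["internal" if is_internal(src) else "external"][str(src)] += 1
    return counts

if __name__ == "__main__":
    for side, counter in talkers_to("10.20.1.10", SAMPLE).items():
        for ip, n in counter.most_common():
            print(f"{side:8} {ip:15} {n} packets")
```

An address landing in the internal bucket only says where the packets entered the capture; as the answer notes, that host may itself be a compromised system and needs its own follow-up.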