
Hello guys,

I am searching for a client controller from a botnet in a PCAP file. Is there somebody who knows where and how I am able to find the client controller? The PCAP file is about 75 MB with all kinds of different IP addresses.

I am not familiar with Wireshark yet.

Any help will be appreciated.

Thanks in advance.


asked 22 Dec '13, 06:05

nothingatall


closed 11 Jan '14, 12:26


Bill Meier ♦♦

Hello guys,

Thanks in advance for the answers. Thanks to you because I found what I was looking for!


"from the Netherlands"

(26 Dec '13, 13:35) nothingatall

Thanks to you because I found what I was looking for!

Do you mind telling us how?

(27 Dec '13, 03:51) Kurt Knochner ♦

I have the same problem with finding a client controller in a PCAP file. I found the "server", but now I need to find the client controller.

Is there anyone who has a clue for me..?

(01 Jan '14, 10:35) kweerd63

I have found a webpage, but I can't see all the details I wish. It is asking for a token provided by the client controller.

I can't find that token. What do I miss, and where do I have to look?

(01 Jan '14, 10:47) kweerd63

@MarkV: stop spamming the site with your comments to an already closed question (I mean the other one)!! You will do yourself (and us) a favor if you ask this kind of question in a malware analysis forum!

(09 Jan '14, 08:04) Kurt Knochner ♦

The question has been closed for the following reason "Question is off-topic or not relevant" by Bill Meier 11 Jan '14, 12:26

Is there somebody who knows where and how I am able to find the client controller?

Well, as there are several hundred (or even thousand) different bots in the wild, it's hard to give any good advice, as most of them have different 'control protocols'. So, if you don't know what kind of botnet you are looking for and you don't know the protocol being used, the only way to find botnet communication in the capture file (if it exists at all) is the hard way: removing what does not look like botnet traffic. The traffic that remains is the botnet traffic.

Here is how I would start.

  • First look at very long conversations from one client to one 'server' (Statistics -> Conversations -> TCP (perhaps also UDP)). Sort the connections by duration. If there is one connection that lasts much longer than any of the other connections, take a closer look at the conversation (Follow, reverse resolve the 'server' IP, get the geolocation of the IP, take a look at the transmitted data, etc.). Do everything that might help to identify botnet traffic in that conversation.
  • Then look at lots of short connections from one client to either the same 'server' (or perhaps also to a bunch of 'servers'). You can use the Conversation statistics as well.
  • Get a list of destination addresses your client is communicating with (Statistics -> Conversations -> IPv4). Take those IP addresses and map them with a GeoIP tool (online, or with Wireshark). If you find any region of the world that sounds 'suspicious' to you (because you would usually not communicate with North Korea), then have a closer look at the conversation with that destination IP address.



answered 23 Dec '13, 11:57


Kurt Knochner ♦

I would take a look at the RSA Security Analytics forum for this. They have lists of some fresh botnet traffic captures. The SA parsers don't translate to Wireshark filters, but you can amend them. They list user agent strings (which in Wireshark would be http.user_agent contains), destination IPs, ports, etc. There are thousands of bad IPs; you could try the freeware version of NetWitness. Just experiment and apply them as filters to see what you get. One method would be to put a pfSense firewall up at home, then you can create a more permanent solution. Here is an example.

http.user_agent contains "GTB0.0" <- botnet useragent

some ips to look for

ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst == || ip.dst ==


answered 24 Dec '13, 21:06


rayyai beach
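Both answers above describe work you can do by hand in Wireshark: sort the TCP conversation list by duration, look for many short connections from one client to one server, and apply indicator filters such as ip.dst == X or http.user_agent contains "GTB0.0". The script below does those three checks over a libpcap file in plain Python with no third-party modules. It is an added example for this page, not code from either answer or from the Wireshark project. Everything in its sample capture is constructed for the demonstration (RFC 5737 documentation addresses, an hour-long session to port 6667, eight polls to one web server a minute apart), the bad-IP set and the "GTB0.0" fragment are placeholders for a real indicator list, and "whoever sends the first packet of a conversation is the client" is a simplifying assumption that would need SYN tracking on a capture that starts mid-session.

```python
"""Added example for the two answers above: longest TCP conversations, bursts of short
connections per client/server pair, and ip.dst / http.user_agent indicator matching.
Stdlib only; the capture and indicators are constructed, not taken from the thread."""
import socket
import struct
from collections import Counter

def read_pcap(data):
    """Yield (ts, src, sport, dst, dport, payload) per IPv4/TCP packet in a libpcap file."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic libpcap file with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]  # trims Ethernet padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (sec + usec / 1e6, socket.inet_ntoa(frame[26:30]), sport,
               socket.inet_ntoa(frame[30:34]), dport, tcp[(tcp[12] >> 4) * 4:])

def tcp_conversations(packets):
    """Group like Statistics -> Conversations -> TCP; the sender of the first packet seen
    is taken as the client (an assumption: no SYN tracking here)."""
    convs = {}
    for ts, src, sport, dst, dport, payload in packets:
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if rkey in convs:
            c = convs[rkey]                            # server -> client direction
        else:
            c = convs.setdefault(key, {"first": ts, "last": ts, "packets": 0, "client_data": b""})
            c["client_data"] += payload
        c["first"], c["last"] = min(c["first"], ts), max(c["last"], ts)
        c["packets"] += 1
    return convs

def longest_conversations(convs, n=5):
    """Step 1 of Kurt's answer: sort conversations by duration, longest first."""
    return sorted(convs.items(), key=lambda kv: kv[1]["last"] - kv[1]["first"], reverse=True)[:n]

def short_connection_counts(convs, max_seconds=2.0):
    """Step 2: short-lived connections per (client, server); a high count is a polling pattern."""
    counts = Counter()
    for (client, _, server, _), c in convs.items():
        if c["last"] - c["first"] <= max_seconds:
            counts[(client, server)] += 1
    return counts

def user_agent(c):
    """HTTP User-Agent from the client's data, or None if none was sent."""
    i = c["client_data"].find(b"\r\nUser-Agent: ")
    return None if i < 0 else c["client_data"][i + 14:].split(b"\r\n", 1)[0].decode("latin-1")

def indicator_hits(convs, bad_ips, ua_fragment):
    """Same idea as the display filters ip.dst == X and http.user_agent contains Y."""
    hits = []
    for key, c in convs.items():
        if key[2] in bad_ips:
            hits.append(("ip.dst", key))
        ua = user_agent(c)
        if ua and ua_fragment in ua:
            hits.append(("http.user_agent", key))
    return hits

def _frame(ts, src, sport, dst, dport, payload=b""):
    """One libpcap record: Ethernet/IPv4/TCP with zeroed checksums (fine for offline parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(eth), len(eth)) + eth

def sample_pcap():
    """Constructed capture: an hour-long session, one normal web fetch, eight polls a minute apart."""
    beacon = b"GET /gate.php HTTP/1.1\r\nHost: 192.0.2.44\r\nUser-Agent: GTB0.0\r\n\r\n"
    browse = b"GET / HTTP/1.1\r\nHost: 198.51.100.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    recs = [(t, _frame(t, "10.0.0.5", 40001, "203.0.113.7", 6667, b"PING\r\n"))
            for t in (0, 900, 1800, 2700, 3600)]
    recs += [(10.0, _frame(10.0, "10.0.0.5", 40002, "198.51.100.10", 80, browse)),
             (10.5, _frame(10.5, "198.51.100.10", 80, "10.0.0.5", 40002, b"HTTP/1.1 200 OK\r\n\r\n"))]
    for t in range(100, 580, 60):
        recs.append((t, _frame(t, "10.0.0.5", 41000 + t, "192.0.2.44", 80, beacon)))
        recs.append((t + 0.2, _frame(t + 0.2, "192.0.2.44", 80, "10.0.0.5", 41000 + t, b"HTTP/1.1 200 OK\r\n\r\n")))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # v2.4, snaplen 65535, Ethernet
    return header + b"".join(f for _, f in sorted(recs, key=lambda r: r[0]))

if __name__ == "__main__":
    convs = tcp_conversations(read_pcap(sample_pcap()))
    for key, c in longest_conversations(convs, 3):
        print(f"{c['last'] - c['first']:8.1f}s {c['packets']:3d} pkts  {key[0]}:{key[1]} -> {key[2]}:{key[3]}")
    for pair, n in short_connection_counts(convs).most_common():
        print(f"{n:3d} short connections  {pair[0]} -> {pair[1]}")
    for kind, key in indicator_hits(convs, {"192.0.2.44", "203.0.113.7"}, "GTB0.0"):
        print(f"{kind:16s} {key[0]}:{key[1]} -> {key[2]}:{key[3]}")
```

To run it on a real capture, replace sample_pcap() with open(path, "rb").read(). Recent Wireshark versions save pcapng by default, which this reader does not parse; convert first with editcap -F pcap, or get the conversation table straight from the command line with tshark -q -z conv,tcp and feed only the suspicious conversations back through Wireshark's Follow TCP Stream.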

question asked: 22 Dec '13, 06:05

question was seen: 3,586 times

last updated: 11 Jan '14, 12:26

p​o​w​e​r​e​d by O​S​Q​A