This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello

I have a problem. I have to scan a whole network with 30 computers in our company. I was searching for some guides, but all I could find was "how to hack password". I don't want that, I just want to get information about:

  • what sites are visited
  • is there any attack on our network (hackers, malware etc.)

I don't want to block our workers or something, I just want to know what sites they are visiting. I have no experience. Please help me, I will be grateful.

asked 25 Jan '14, 07:22

Beginer


While Wireshark is certainly able to show you network packets containing details about what your co-workers are doing, it is most likely not the most efficient.

If you're interested in sites visited you should take a look at the proxy logs (I do hope you have a proxy that has to be used to surf the web, do you?).

For attacks, get something like Snort or Suricata to scan the internet uplink for signatures of attacks - it is easy to set up when using the Security Onion Live CD.

answered 25 Jan '14, 09:24

Jasper ♦♦

Thanks, but there is a little problem. I had a conversation with my mentor and he said I have to do it with Wireshark. I don't know why but he insisted. If someone can help me. I just want to know what filters I have to use. I think that's all.

(25 Jan '14, 11:12) Beginer

Ok, so this is not a real life task, but homework :-)

You might want to take a look at the statistics menu, e.g. the HTTP menu items. If you need to use filters, try "http.request.method" to find all requests.

Regarding attacks - you would need to have known attack patterns to find them with a filter. Snort or Suricata have patterns like that, but translating them to display filters may not be easy.

If your mentor is one of those guys who still think that attacks can be found by looking for ancient indicators like IRC traffic you could filter for that by using the "irc" display filter.

(25 Jan '14, 12:30) Jasper ♦♦

IRC??? Isn't that something for guys 50+ ;-)))

(25 Jan '14, 14:00) Kurt Knochner ♦
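
As an added example (not part of the original thread): a small Python script that summarizes which hosts each client requested, working on the output of tshark run with the `http.request.method` filter suggested in the comments above. The tshark command line in the comment, the function names, and the sample addresses and host names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of tab-separated tshark field output, e.g. produced by:
#   tshark -r capture.pcapng -Y http.request.method -T fields -e ip.src -e http.host
# Only cleartext HTTP is matched; HTTPS requests are not decoded as HTTP
# unless the capture can be decrypted. Addresses and host names are made up.
SAMPLE = (
    "192.0.2.10\twww.example.com\n"
    "192.0.2.10\tWWW.Example.com\n"                  # same site, different case
    "192.0.2.11\tnews.example.org\n"
    "192.0.2.11\t\n"                                 # request without a Host header
    "192.0.2.12\tcdn.example.net,www.example.com\n"  # two requests in one packet
    "\n"
)

NO_HOST = "(no Host header)"


def sites_per_client(tshark_output):
    """Return {client_ip: Counter({host: request_count})}."""
    visits = defaultdict(Counter)
    for line in tshark_output.splitlines():
        if not line.strip():
            continue  # skip blank lines
        src, _, hosts = line.partition("\t")
        # tshark joins multiple occurrences of a field with "," by default
        for host in hosts.split(","):
            host = host.strip().lower().rstrip(".")
            visits[src][host or NO_HOST] += 1
    return visits


def top_sites(visits, n=3):
    """Return the n most requested hosts across all clients."""
    total = Counter()
    for per_client in visits.values():
        total.update(per_client)
    return total.most_common(n)


if __name__ == "__main__":
    result = sites_per_client(SAMPLE)
    for client in sorted(result):
        print(client, dict(result[client]))
    print("top:", top_sites(result))
```
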

he said I have to do it with Wireshark.
I don't know why but he insisted.

hm... why don't you question that?

It does not make much sense to look for 'attacks' in your network manually as there are by far too many ways to attack a system. It's like trying to calculate 563492*67543 manually although you could use a calculator. Same set of problems in both cases:

  • the manual approach is much slower
  • chances to do it wrong are rather high
  • you won't learn anything from it, after you've done it more than twice

Maybe your mentor is just testing if you are a person that follows 'the order of the master by the word', even if it does not make any sense ;-))

So, if you don't know why, ask him/her, as that will most certainly give you some hints what to look for in Wireshark.

Regards
Kurt

answered 25 Jan '14, 14:12

Kurt Knochner ♦

edited 25 Jan '14, 14:21

question asked: 25 Jan '14, 07:22

question was seen: 6,756 times

last updated: 25 Jan '14, 14:21
