This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it safe to follow the TCP stream on a malware packet I have captured?

0

The title says it all. It's been a while since I've looked at malicious packets, and I wanted to make sure that it is OK to follow the TCP stream of malware I have captured in Wireshark.

Thanks.

asked 06 Feb '14, 17:07


clope070

edited 06 Feb '14, 17:17


One Answer:

2

Yes, it is safe to follow the TCP stream.

++ UPDATE ++

To be more precise: the function 'Follow TCP stream' collects the bytes transmitted in a TCP conversation and then shows those bytes in a pop-up window. So the malware's actions cannot harm your Wireshark system, with one exception: if there is a (yet unknown) bug in the 'Follow TCP stream' function and an attacker were able to create a TCP conversation that exploits exactly that (yet unknown) bug, it would (theoretically) be possible to execute code on your Wireshark system. However, the chances of such an attack are pretty low. If you think it could still happen, run Wireshark in a (disposable) virtual machine. The theoretical attack would then only affect the virtual machine, which you could delete after the analysis.

However, keep in mind that such a scenario is highly unlikely, although not completely impossible. So I stand by my first answer: in 99.99999% of cases (a number from the gut) it should be safe to simply use 'Follow TCP stream'.

Regards
Kurt

answered 06 Feb '14, 23:48


Kurt Knochner ♦

edited 07 Feb '14, 03:27
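To make the answer's point concrete, here is a minimal 'follow TCP stream' written in plain Python. It is an added example for this page, not Wireshark's own code: it parses a pcap image that the script builds itself, walks the Ethernet/IPv4/TCP headers, and concatenates each direction's payload in sequence-number order, dropping retransmitted and overlapping bytes. The payload (here a constructed HTTP exchange that delivers a few bytes resembling the start of a Windows executable) is only ever copied into a buffer, which is exactly why following a stream is not the same as running what it carries; the one thing that can go wrong is a bug in the parser itself. The addresses, ports and packet contents are made up for the example, checksums are zeroed, and sequence-number wraparound is ignored for brevity.

```python
"""Minimal 'Follow TCP stream' in plain Python (added example, not Wireshark code).

Builds a pcap image in memory, parses Ethernet/IPv4/TCP and reassembles each
direction's payload by sequence number. The payload is only copied into a
buffer; nothing in it is executed. Checksums and sequence-number wraparound
are ignored for brevity. All packets, addresses and content are constructed.
"""
import socket
import struct
from collections import defaultdict, namedtuple

Segment = namedtuple("Segment", "src dst seq flags payload")
SYN, PSH, ACK = 0x02, 0x08, 0x10


def tcp_frame(src_ip, sport, dst_ip, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload


def build_pcap(frames):
    """Little-endian libpcap 2.4 file image with LINKTYPE_ETHERNET (1)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


def iter_pcap_frames(data):
    """Yield raw frames from a pcap image, honouring the file's byte order."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp_segment(frame):
    """Return a Segment for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]  # drop any Ethernet padding
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return Segment((socket.inet_ntoa(ip[12:16]), sport), (socket.inet_ntoa(ip[16:20]), dport),
                   seq, off_flags & 0x1FF, tcp[doff:])


def follow_tcp_streams(pcap_bytes):
    """Reassemble payload per direction, keyed by ((src_ip, sport), (dst_ip, dport)).

    Segments are ordered by sequence number; retransmitted and overlapping bytes
    are dropped. A missing segment is simply absent: no bytes are invented.
    """
    per_dir = defaultdict(list)
    for frame in iter_pcap_frames(pcap_bytes):
        seg = parse_tcp_segment(frame)
        if seg and seg.payload:
            per_dir[(seg.src, seg.dst)].append((seg.seq, seg.payload))
    streams = {}
    for key, segs in per_dir.items():
        segs.sort(key=lambda s: s[0])
        buf, nxt = bytearray(), None
        for seq, payload in segs:
            end = seq + len(payload)
            if nxt is None:
                nxt = seq
            if end <= nxt:          # pure retransmission: already have these bytes
                continue
            if seq < nxt:           # partial overlap: keep only the new tail
                payload = payload[nxt - seq:]
            buf += payload
            nxt = end
        streams[key] = bytes(buf)
    return streams


# Constructed sample conversation (addresses and content are made up).
CLIENT, SERVER = ("10.0.0.5", 49152), ("198.51.100.7", 80)
REQUEST = b"GET /update.bin HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"
RESP_HDR = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"
RESP_BODY = b"MZ\x90\x00\x03"  # looks like the start of a PE file; it is just bytes here

SAMPLE_PCAP = build_pcap([
    tcp_frame(*CLIENT, *SERVER, 1000, 0, SYN),                       # no payload: ignored
    tcp_frame(*SERVER, *CLIENT, 5000, 1001, SYN | ACK),
    tcp_frame(*CLIENT, *SERVER, 1001, 5001, PSH | ACK, REQUEST),
    tcp_frame(*SERVER, *CLIENT, 5001 + len(RESP_HDR), 1001 + len(REQUEST), PSH | ACK, RESP_BODY),  # out of order
    tcp_frame(*SERVER, *CLIENT, 5001, 1001 + len(REQUEST), PSH | ACK, RESP_HDR),
    tcp_frame(*SERVER, *CLIENT, 5001, 1001 + len(REQUEST), PSH | ACK, RESP_HDR),  # retransmission
])

if __name__ == "__main__":
    for (src, dst), data in follow_tcp_streams(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d (%d bytes)" % (src[0], src[1], dst[0], dst[1], len(data)))
        print(data.decode("latin-1"))
```

Running it prints the request in one direction and the reassembled response (header followed by the five body bytes) in the other, with the out-of-order segment put back in place and the duplicate dropped. The only code that touches attacker-controlled bytes is the header parsing and the slicing; that small surface, not the content of the stream, is where a bug of the kind the answer describes would have to live.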