The title says it all. It's been a while since I've looked at malicious packets and I wanted to make sure that it is OK to follow the TCP stream of malware I have captured in Wireshark. Thanks.

asked 06 Feb '14, 17:07 clope070 edited 06 Feb '14, 17:17
One Answer:
Yes, it is safe to follow the TCP stream.

++ UPDATE ++

To be more precise: the function 'Follow TCP stream' will collect the bytes transmitted in a TCP conversation. Then it will show those bytes in a pop-up window. So, the malware action cannot harm your Wireshark system, with one exception. If there is a (yet unknown) bug in the 'Follow TCP stream' function and an attacker was able to create a TCP conversation that exploits exactly that (yet unknown) bug, it would (theoretically) be possible to execute code on your Wireshark system. However, the chances are pretty low for such an attack.

If you think it could still happen, run Wireshark in a (disposable) virtual machine. The theoretical attack would then have an effect only on the virtual machine, which you could delete after the analysis. However: keep in mind that such a scenario is highly unlikely, although not completely impossible.

So, I stand by my first answer: in 99.99999% of the cases (numbers from the gut) it should be safe to simply use 'Follow TCP stream'.

Regards

answered 06 Feb '14, 23:48 Kurt Knochner ♦ edited 07 Feb '14, 03:27
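To make concrete what "collect the bytes of a TCP conversation and show them" means, here is an added example that is not part of the original question or answer and is not Wireshark's own code: a deliberately small TCP stream reassembler in the spirit of 'Follow TCP stream'. The segments are constructed (a fake HTTP download of a PE-looking payload) and arrive out of order, with a retransmission, a partial overlap and a missing segment, as real captures do. The reassembler orders each direction by sequence number, drops bytes it already has, records holes, and then only renders the result as text, with non-printable bytes shown as dots. The payload is never written to disk or executed, which is the property the answer relies on. Wireshark's real implementation handles far more cases; this is an illustration, not a description of its internals.

```python
from collections import defaultdict

# Constructed sample conversation (not a real capture): one client
# request and one server response, given as (src, dst, seq, payload).
# Server segments are listed out of order, one is fully retransmitted,
# one partially overlaps the previous segment, and one segment is missing.
SEGMENTS = [
    ("10.0.0.5:49152", "203.0.113.7:80", 1000, b"GET /update.bin HTTP/1.1\r\n"),
    ("10.0.0.5:49152", "203.0.113.7:80", 1026, b"Host: 203.0.113.7\r\n\r\n"),
    ("203.0.113.7:80", "10.0.0.5:49152", 5019, b"MZ\x90\x00\x03\x00\x00\x00"),  # arrives early
    ("203.0.113.7:80", "10.0.0.5:49152", 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    ("203.0.113.7:80", "10.0.0.5:49152", 5025, b"\x00\x00\x04\x00\x00\x00"),   # overlaps 2 bytes
    ("203.0.113.7:80", "10.0.0.5:49152", 5000, b"HTTP/1.1 200 OK\r\n\r\n"),     # retransmission
    ("203.0.113.7:80", "10.0.0.5:49152", 5035, b"\xff\xff"),                    # 5031..5034 lost
]

# Bytes we are willing to show verbatim: printable ASCII plus CR, LF, TAB.
PRINTABLE = set(range(0x20, 0x7F)) | set(b"\r\n\t")


def reassemble(segments):
    """Return {(src, dst): (stream_bytes, gaps)} for each direction.

    Segments are sorted by sequence number; bytes already received are
    skipped (full or partial retransmission); a jump ahead is recorded as
    a gap (start, end) instead of silently concatenating.
    """
    by_dir = defaultdict(list)
    for src, dst, seq, payload in segments:
        by_dir[(src, dst)].append((seq, payload))

    streams = {}
    for direction, segs in by_dir.items():
        segs.sort(key=lambda s: s[0])
        expected = segs[0][0]
        data = bytearray()
        gaps = []
        for seq, payload in segs:
            if seq + len(payload) <= expected:
                continue                      # nothing new in this segment
            if seq < expected:
                payload = payload[expected - seq:]   # keep only unseen tail
                seq = expected
            if seq > expected:
                gaps.append((expected, seq))  # hole: segment never captured
                expected = seq
            data += payload
            expected += len(payload)
        streams[direction] = (bytes(data), gaps)
    return streams


def render_ascii(data):
    """ASCII view: printable bytes as-is, everything else as '.'.
    The data is only ever converted to text, never interpreted."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data)


def follow_view(segments):
    """Text similar to a follow-stream window: each direction, its bytes
    as ASCII, and any holes in the capture."""
    parts = []
    for (src, dst), (data, gaps) in reassemble(segments).items():
        parts.append(f"--- {src} -> {dst} ({len(data)} bytes) ---")
        parts.append(render_ascii(data))
        for start, end in gaps:
            parts.append(f"[{end - start} bytes missing between seq {start} and {end}]")
    return "\n".join(parts)


if __name__ == "__main__":
    print(follow_view(SEGMENTS))
```

Run it and the server direction shows the HTTP header followed by "MZ............" and a note that four bytes are missing; the client side is the plain request. The attack surface the answer mentions lives entirely in code like `reassemble` and `render_ascii`: a parsing bug there is the only way packet contents could act on the analysis machine, which is why the disposable-VM advice is reasonable belt and braces rather than a necessity.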