
The title says it all. It's been a while since I've looked at malicious packets and I wanted to make sure that it is OK to follow the TCP stream of malware I have captured in Wireshark.

Thanks.

asked 06 Feb '14, 17:07

clope070

edited 06 Feb '14, 17:17


Yes, it is safe to follow the TCP stream.

++ UPDATE ++

To be more precise: the function 'Follow TCP stream' will collect the bytes transmitted in a TCP conversation. Then it will show those bytes in a pop-up window. So, the malware action cannot harm your Wireshark system, with one exception. If there is a (yet unknown) bug in the 'Follow TCP stream' function and an attacker was able to create a TCP conversation that exploits exactly that (yet unknown) bug, it would (theoretically) be possible to execute code on your Wireshark system. However, the chances are pretty low for such an attack. If you think it could still happen, run Wireshark in a (disposable) virtual machine. The theoretical attack would then only affect the virtual machine, which you could delete after the analysis.

However, keep in mind that such a scenario is highly unlikely, although not completely impossible. So, I stand by my first answer: in 99.99999% of the cases (numbers from the guts) it should be safe to simply use 'Follow TCP stream'.

Regards
Kurt


answered 06 Feb '14, 23:48

Kurt Knochner

edited 07 Feb '14, 03:27
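The behaviour the answer describes, as an added example that is not part of the original thread and not Wireshark's own code: a minimal pure-Python "follow TCP stream" that collects each direction's payload bytes from raw IPv4/TCP packets in sequence order and renders them as display-only text, replacing non-printable bytes (including terminal escape sequences) with dots, so nothing in the captured payload is ever interpreted. The addresses, ports and packets are constructed sample data, and the parser assumes raw IPv4 packets without a link-layer header.

```python
import struct

def parse_ipv4_tcp(pkt: bytes):
    """Decode a raw IPv4/TCP packet (no link-layer header) into src/dst/seq/payload."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                      # not TCP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return {"src": (src, sport), "dst": (dst, dport), "seq": seq, "payload": tcp[data_off:]}

def follow_tcp_stream(packets, client, server):
    """Collect payload bytes of one conversation per direction, ordered by sequence number; retransmissions keep the first copy."""
    segs = {"c2s": {}, "s2c": {}}
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if p is None or not p["payload"]:
            continue
        if (p["src"], p["dst"]) == (client, server):
            d = "c2s"
        elif (p["src"], p["dst"]) == (server, client):
            d = "s2c"
        else:
            continue                     # some other conversation
        segs[d].setdefault(p["seq"], p["payload"])
    return tuple(b"".join(segs[d][s] for s in sorted(segs[d])) for d in ("c2s", "s2c"))

def safe_render(data: bytes) -> str:
    """Render bytes for display only, replacing non-printables (including ESC) with '.'."""
    return "".join(chr(b) if 32 <= b < 127 or b in (9, 10, 13) else "." for b in data)

def build_packet(src, dst, seq, payload: bytes) -> bytes:
    """Constructed test traffic: raw IPv4/TCP with PSH|ACK, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src[0].split("."))), bytes(map(int, dst[0].split("."))))
    tcp = struct.pack("!HHIIHHHH", src[1], dst[1], seq, 0, 0x5018, 65535, 0, 0)
    return ip + tcp + payload

CLIENT, SERVER = ("10.0.0.5", 40000), ("203.0.113.7", 80)   # constructed addresses
SAMPLE_PACKETS = [                                             # deliberately out of order
    build_packet(CLIENT, SERVER, 1000, b"GET /update.bin HTTP/1.1\r\n\r\n"),
    build_packet(SERVER, CLIENT, 9017, b"\r\nMZ\x90\x00\x1b[31m"),      # binary + ANSI escape
    build_packet(SERVER, CLIENT, 9000, b"HTTP/1.1 200 OK\r\n"),         # 17 bytes, arrives late
    build_packet(CLIENT, SERVER, 1000, b"GET /update.bin HTTP/1.1\r\n\r\n"),  # retransmission
    build_packet(("192.0.2.9", 1234), SERVER, 1, b"unrelated"),         # different conversation
]
```

Calling `safe_render` on each half of `follow_tcp_stream(SAMPLE_PACKETS, CLIENT, SERVER)` prints the request and the reassembled response with the binary and escape bytes neutralised; segments missing from the capture simply leave a gap in the output rather than being guessed.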
