Hi Sir/Madam, how can I find the following errors in my traffic? There is 6.27% of established traffic [headers:stats:base.eth.ip.tcp.established:nb_bytes:= 23038 (6.27%)]. Thanks, Senthil.
asked 18 Nov '15, 22:38 senthilkumar, edited 22 Nov '15, 21:32
One Answer:
You haven't stated which operating system you are running, so I'll assume you are using MS Windows, but most of what I write is valid for all OSes. To find traffic which is not coming from any of your applications, you have to terminate all applications, including those which continue running in the background when you try to terminate them the usual way (like e.g. Skype, where you press the [X] icon in the window frame and it just minimises the window into the application tray). Even then, part of the traffic may be "legal", because various applications come bundled with daemons which are started at system boot and check for updates even though the application itself is not running. When you've done what you could to get rid of "legal" traffic, capture using Wireshark for a while (if you are hunting for malware, I'd recommend running the capture at least overnight) to see what continues to communicate. After stopping the capture, you have to identify the remote IP addresses of all the individual TCP streams and use a whois client or some online service (like e.g. this one) to tell you to whom these IP addresses belong. If the owner is a renowned company which is a vendor of some of the applications you have installed, chances are high (but not 100 %) that the traffic is a check for updates; if the owner is some internet service provider, chances are high (but not 100 %) that your machine is a part of some botnet (here I remind again that this is only true if none of your applications was running during the capture, as some applications work on a peer-to-peer basis).
answered 23 Nov '15, 00:47 sindy

Hi, I have used the Viber application on my iPhone (iOS 9.1) in promiscuous mode and I did a group chat from my mobile; I captured that traffic. I got this much extra traffic in my packets. If you want I can give that packet capture also to verify. Thanks, Senthil
(23 Nov '15, 01:48) senthilkumar

@senthilkumar: It is still unclear what you are asking for. Your question is lacking the definition of "find this specific error" and "traffic which is not related to my applications". What we need:
assume I've never heard of iPhone or Viber, so
Apparently you are using Viber, but:
OK, and now why do you call existence of established tcp traffic (which is normal) an error?
(23 Nov '15, 03:04) Kurt Knochner ♦

You may post the capture somewhere and put a link to it here.
(23 Nov '15, 03:15) sindy

Hi, I have captured from my iPhone, which was connected to my same network; I have shared WiFi from that network and that iPhone was connected to this same network. Through promiscuous mode I have captured that traffic on my system. Now I want to find out the unwanted/extra traffic which is not related to my application. My capture has this much extra traffic; how can I find it? There is 6.27% of established traffic [headers:stats:base.eth.ip.tcp.established:nb_bytes:= 23038 (6.27%)]. Thanks, Senthil.
(23 Nov '15, 04:11) senthilkumar

Senthil, repeating what you already wrote and the other party did not understand may be a recommended technique in some assertiveness training, but it rarely helps getting forward in any problem solution. From your description of your capture setup I am afraid that you may have captured anything but the iPhone's traffic. To make sure, please identify the iPhone's MAC address (the iOS should disclose it to you somewhere in network settings, or your WiFi router's web interface should show a list of connected devices somewhere), open the capture you've taken before and apply a display filter
(23 Nov '15, 05:06) sindy

Each post should have a clear, specific question in the title field. Please rephrase the title as a proper question.
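As an added illustration of the procedure sindy describes (this is not code from the thread or from Wireshark): a small Python script that keeps only the frames to or from the phone's MAC address, the same selection as the display filter sindy asks for, and totals the TCP bytes per remote IP, which is the list you would then look up with whois. The MACs, IPs and frames are constructed for the demo, and the parser reads the classic pcap format only, so a capture saved by Wireshark would have to be exported as pcap rather than pcapng.

```python
import struct
from collections import Counter
# Constructed demo MACs (not from the thread): the phone and the WiFi router.
PHONE_MAC, ROUTER_MAC = bytes.fromhex("02a1b2c3d4e5"), bytes.fromhex("02ffeeddccbb")

def ipv4_tcp_frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Constructed Ethernet/IPv4/TCP frame, zero-filled payload, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + bytes(payload_len)

def build_pcap(frames):
    """Little-endian classic pcap, LINKTYPE_ETHERNET (1), as Wireshark can save it."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1448236800 + i, 0, len(frame), len(frame)) + frame
    return out

def tcp_bytes_by_remote_ip(pcap, device_mac):
    """Keep frames to/from device_mac (Wireshark: eth.addr == MAC); sum TCP bytes per remote IP."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    offset, totals = 24, Counter()                        # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, offset)
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # Ethernet + IPv4 only
            continue
        dst_mac, src_mac = frame[0:6], frame[6:12]
        if device_mac not in (dst_mac, src_mac) or frame[23] != 6:  # other host, or not TCP
            continue
        src_ip, dst_ip = frame[26:30], frame[30:34]
        remote = dst_ip if src_mac == device_mac else src_ip  # the side that is not the phone
        totals[".".join(map(str, remote))] += incl_len
    return totals

def demo():
    """Three phone frames to two peers plus one laptop frame that the MAC filter must drop."""
    laptop_mac = bytes.fromhex("02aaaaaaaaaa")
    frames = [ipv4_tcp_frame(PHONE_MAC, ROUTER_MAC, "192.168.1.23", "203.0.113.10", 300),
              ipv4_tcp_frame(ROUTER_MAC, PHONE_MAC, "203.0.113.10", "192.168.1.23", 1200),
              ipv4_tcp_frame(PHONE_MAC, ROUTER_MAC, "192.168.1.23", "198.51.100.7", 60),
              ipv4_tcp_frame(laptop_mac, ROUTER_MAC, "192.168.1.50", "198.51.100.7", 900)]
    return tcp_bytes_by_remote_ip(build_pcap(frames), PHONE_MAC)

if __name__ == "__main__":
    for ip, nbytes in demo().most_common():                # remote IPs to look up with whois
        print(f"{ip:>16} {nbytes:>6} bytes")
```

To use it on a real file, read the pcap bytes from disk and pass the phone's MAC from the router's client list in place of PHONE_MAC; the byte totals, not the percentages in the question, are what tell you which remote peers deserve a whois lookup.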