This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to find my unwanted traffic which is not related to my applications?


Hi Sir/Madam,

How can I find the following errors in my traffic?

There is 6.27% of established traffic [headers:stats:base.eth.ip.tcp.established:nb_bytes:= 23038 (6.27%)]

Thanks, Senthil.

asked 18 Nov '15, 22:38

senthilkumar

edited 22 Nov '15, 21:32

Each post should have a clear, specific question in the title field. Please rephrase the title as a proper question.

(18 Nov '15, 23:05) Jaap ♦

OK, and now why do you call existence of established tcp traffic (which is normal) an error?

(19 Nov '15, 00:56) sindy

@senthilkumar: It is still unclear what you are asking for. Your question is lacking the definition of "find this specific error" and "traffic which is not related to my applications". What we need:

  • What kind of application are you using
  • What is your problem (a technical description please)
  • What do you want to achieve with Wireshark
(23 Nov '15, 00:53) Kurt Knochner ♦

One Answer:


You haven't stated which operating system you are running, so I'll assume you are using MS Windows, but most of what I write is valid for all OSes.

To find traffic which is not coming from any of your applications, you have to terminate all applications, including those which continue running in the background when you try to terminate them the usual way (like e.g. Skype, where you press the [X] icon in the window frame and it just minimises the window into the application tray). Even then, part of the traffic may be "legal" because various applications come bundled with daemons which are started at system boot and check for updates even though the application itself is not running.

When you've done what you could to get rid of "legal" traffic, capture using Wireshark for a while (if you are hunting for malware, I'd recommend running the capture at least overnight) to see what continues to communicate.

After stopping the capture, you have to identify the remote IP addresses of all the individual TCP streams and use a whois client or some online service (like e.g. this one) to tell you to whom these IP addresses belong. If the owner is a renowned company which is a vendor of some of the applications you have installed, chances are high (but not 100 %) that the traffic is a check for updates; if the owner is some internet service provider, chances are high (but not 100 %) that your machine is a part of some botnet (here I remind again that this is only true if none of your applications was running during the capture, as some applications work on a peer-to-peer basis).

answered 23 Nov '15, 00:47

sindy

Hi, I have used the Viber application on my iPhone (iOS 9.1) in promiscuous mode, and I did a group chat from my mobile and captured that traffic. I got this much extra traffic in my packets.

If you want I can give that packet capture also to verify.

Thanks, Senthil

(23 Nov '15, 01:48) senthilkumar

@senthilkumar: It is still unclear what you are asking for. Apparently you are using Viber, but:

  • What is your problem (a technical description please)
  • What do you want to achieve with Wireshark
(23 Nov '15, 03:04) Kurt Knochner ♦

Assume I've never heard of iPhone or Viber, so:

  • is the "Promiscuous mode" related to Wireshark or to Viber?

  • where have you captured the data, given that the iPhone has no wired interface? On a WiFi router through which your iPhone is connected? Could it be that the traffic which worries you does not come to/from the iPhone?

You may post the capture somewhere and put a link to it here.

(23 Nov '15, 03:15) sindy

Hi,

I have captured from my iPhone, which was connected to my same network; I have shared WiFi from that network and the iPhone was connected to this same network. Through promiscuous mode I have captured that traffic on my system. I want to find out the unwanted/extra traffic which is not related to my application.

My capture has this much extra traffic; how can I find it?

There is 6.27% of established traffic [headers:stats:base.eth.ip.tcp.established:nb_bytes:= 23038 (6.27%)]

Thanks, Senthil.

(23 Nov '15, 04:11) senthilkumar

Senthil,

repeating what you already wrote and the other party did not understand may be a recommended technique in some assertiveness training, but it rarely helps in getting forward with solving a problem.

From your description of your capture setup I am afraid that you may have captured anything but the iPhone's traffic. To make sure, please identify the iPhone's MAC address (iOS should disclose it to you somewhere in the network settings, or your WiFi router's web interface should show a list of connected devices somewhere), open the capture you've taken before and apply the display filter eth.addr == xx:xx:xx:xx:xx:xx (replace xx:xx:xx:xx:xx:xx with your iPhone's MAC address, of course). Only if some packets are still visible in the packet list when this display filter is active does it make sense to proceed with this capture. Otherwise most of the traffic in the capture comes from the machine on which you were taking the capture and none from the iPhone. Look here for an explanation why.

(23 Nov '15, 05:06) sindy
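The procedure sindy's answer describes (capture with your own applications stopped, split the traffic into TCP streams, list the remote IP address of each stream, then look those addresses up with whois) and the eth.addr check from the last comment can both be done outside the Wireshark GUI. The Python below is an added example, not code from this thread or from Wireshark: with only the standard library it reads a classic pcap file, reports which frames involve a given MAC address (the same selection as the display filter eth.addr == xx:xx:xx:xx:xx:xx), and lists the remote endpoint of every established TCP stream together with the bytes it carried, which is exactly the list you would hand to a whois client. The MAC addresses, the LAN range and the sample capture itself are constructed for the example and are not from the original post.

```python
import ipaddress
import struct

# Assumed values, not from the thread: the iPhone's MAC, the MAC of the machine
# running Wireshark, the router's MAC and the LAN the phone sits in.
IPHONE_MAC = "aa:bb:cc:dd:ee:01"
CAPTURE_HOST_MAC = "aa:bb:cc:dd:ee:02"
ROUTER_MAC = "aa:bb:cc:dd:ee:ff"
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
SYN, ACK, PSH = 0x02, 0x10, 0x08

def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame used to construct the sample capture (checksums left at zero)."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1448236800 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def parse_pcap(data):
    """Yield raw frames from a classic Ethernet pcap in either byte order (KeyError on pcapng)."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data)[0]]
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode(frame):
    """Ethernet, IPv4 and TCP header fields; 'proto' stays None unless the frame is IPv4/TCP."""
    rec = {"eth_dst": frame[:6].hex(":"), "eth_src": frame[6:12].hex(":"), "proto": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return rec
    rec["ip_len"] = struct.unpack_from("!H", frame, 16)[0]
    rec["ip_src"], rec["ip_dst"] = (str(ipaddress.ip_address(frame[26:30])),
                                    str(ipaddress.ip_address(frame[30:34])))
    t = 14 + (frame[14] & 0x0F) * 4  # TCP header starts after the IP header and its options
    if frame[23] != 6 or len(frame) < t + 14:
        return rec
    rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, t)
    rec["flags"], rec["proto"] = frame[t + 13], "tcp"
    return rec

def frames_for_mac(pcap, mac):
    """Same selection as the display filter eth.addr == mac."""
    mac = mac.lower()
    return [r for r in map(decode, parse_pcap(pcap)) if mac in (r["eth_src"], r["eth_dst"])]

def remote_tcp_endpoints(pcap, local_net, host_mac=None):
    """Map each remote IP of an established TCP stream to the bytes that stream carried.
    A stream counts as established only if both its SYN and the SYN/ACK are in the capture,
    so unanswered SYNs are ignored, but so are streams that began before the capture started.
    host_mac restricts the streams to those involving one machine, like eth.addr in Wireshark."""
    streams = {}
    for r in map(decode, parse_pcap(pcap)):
        if r["proto"] != "tcp" or (host_mac and host_mac.lower() not in (r["eth_src"], r["eth_dst"])):
            continue
        a, b = (r["ip_src"], r["sport"]), (r["ip_dst"], r["dport"])
        s = streams.setdefault(tuple(sorted((a, b))), {"syn": False, "synack": False, "bytes": 0})
        s["syn"] |= (r["flags"] & (SYN | ACK)) == SYN
        s["synack"] |= (r["flags"] & (SYN | ACK)) == (SYN | ACK)
        s["bytes"] += r["ip_len"]
    remote = {}
    for ends, s in streams.items():
        if s["syn"] and s["synack"]:
            for ip, _port in ends:
                if ipaddress.ip_address(ip) not in local_net:
                    remote[ip] = remote.get(ip, 0) + s["bytes"]
    return remote

# Constructed sample capture (documentation address ranges, not real hosts): the iPhone
# (192.168.1.20) completes a handshake with 203.0.113.10:443 and sends a little data, the
# capturing machine (192.168.1.5) talks to 198.51.100.7:80, and the iPhone sends one SYN
# to 203.0.113.99:8080 that nothing answers.
SAMPLE_PCAP = build_pcap([
    build_frame(IPHONE_MAC, ROUTER_MAC, "192.168.1.20", "203.0.113.10", 51000, 443, SYN),
    build_frame(ROUTER_MAC, IPHONE_MAC, "203.0.113.10", "192.168.1.20", 443, 51000, SYN | ACK),
    build_frame(IPHONE_MAC, ROUTER_MAC, "192.168.1.20", "203.0.113.10", 51000, 443, PSH | ACK, b"\x16\x03\x01\x00\x05hello"),
    build_frame(CAPTURE_HOST_MAC, ROUTER_MAC, "192.168.1.5", "198.51.100.7", 40000, 80, SYN),
    build_frame(ROUTER_MAC, CAPTURE_HOST_MAC, "198.51.100.7", "192.168.1.5", 80, 40000, SYN | ACK),
    build_frame(CAPTURE_HOST_MAC, ROUTER_MAC, "192.168.1.5", "198.51.100.7", 40000, 80, PSH | ACK, b"GET / HTTP/1.1\r\n"),
    build_frame(IPHONE_MAC, ROUTER_MAC, "192.168.1.20", "203.0.113.99", 51001, 8080, SYN),
])
```

To run it on a real capture, replace SAMPLE_PCAP with the contents of the file (open("capture.pcap", "rb").read()) and call frames_for_mac(data, "<iPhone MAC>") first; if it returns nothing, the capture holds the capturing machine's traffic rather than the phone's, which is the point sindy makes above. The file must be saved in classic pcap format (Wireshark saves pcapng by default; pick pcap in the save dialog or convert with tshark -F pcap), and the "established" test is deliberately strict: a lone SYN to 203.0.113.99 in the sample is not reported, but neither would a stream that was already open when the capture started, so begin capturing before the device is switched on whenever you can.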