How can I find the following errors in my traffic?
There is 6.27% of established traffic [headers:stats:base.eth.ip.tcp.established:nb_bytes:= 23038 (6.27%)]
asked 18 Nov '15, 22:38
edited 22 Nov '15, 21:32
You haven't stated which operating system you are running, so I'll assume you are using MS Windows, but most of what I write is valid for all OSes.
To find traffic which is not coming from any of your applications, you have to terminate all applications, including those which continue running in the background when you try to terminate them the usual way (like e.g. Skype, where you press the [X] icon in the window frame and it just minimises the window into the application tray). Even then, part of the traffic may be "legal" because various applications come bundled with daemons which are started at system boot and check for updates even though the application itself is not running.
When you've done what you could to get rid of "legal" traffic, capture using Wireshark for a while (if you are hunting for malware, I'd recommend running the capture at least overnight) to see what continues to communicate.
After stopping the capture, you have to identify the remote IP addresses of all the individual TCP streams and use a whois client or some online service (like e.g. this one) to tell you to whom these IP addresses belong. If the owner is a renowned company which is a vendor of some of the applications you have installed, chances are high (but not 100 %) that the traffic is a check for updates; if the owner is some internet service provider, chances are high (but not 100 %) that your machine is a part of some botnet (here I remind again that this is only true if none of your applications was running during the capture, as some applications work on a peer-to-peer basis).
answered 23 Nov '15, 00:47