This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Something unusual which hints at stalking?

0

alt text

alt text

since i am convinced of getting stalked by a certain person, i would like to prove it through wireshark.

i have quite a lot of red underlined messages like out of order sgments, tcv-retransmissions, outoforder tcvs, new fragments which overlaps old data.

could someone help me concerning this. i think there is additionally installed some kind of monitoring=software.

regards

asked 12 Dec '15, 02:50

Falcon's gravatar image

Falcon
6113
accept rate: 0%

edited 12 Dec '15, 07:26

sindy's gravatar image

sindy
6.0k4851


One Answer:

0

A stalking software's primary activity would most likely be to spy on any of (your camera, sound card, e-mails & instant messages, keyboard, whatever else), and then send this information out compressed & encrypted as files. If it would also cause the communication errors you describe, it would be a red herring, intended to obfuscate the real activity by making analysis of network activity complex and time-consuming, i.e. quite an advanced techniques.

The bad news is that a person thinking that complex (whether it is the stalker or the author of the malware, which may not be the same person) would probably not make the mistake of sending all recorded files to a single destination address.

The good news is that all those errors you've found may really be mere errors occurring by natural reasons.

So I'd recommend to take a new capture while you've open just a single web page, preferably a simple one and definitely advertisement-free, so that it would load once and not continue loading tons of video etc., and with all other data-rich activity (listening to online radio, etc.) also suppressed, for several hours or even a day if feasible. And then take the capture and identify the individual tcp streams to their source/destination.

answered 12 Dec '15, 03:08

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

i do not opened that much when i took the capture, actually.alt text

(12 Dec '15, 03:26) Falcon

In such case, I cannot see any other way than to use Statistics -> Conversations, watch the list of conversations (starting from TCP) and find the domain names for the individual remote IP addresses found in the list (using nslookup ip.add.re.ss on Windows or dig -x ip.add.re.ss on Linux). You may ignore domains you know you've visited or are somehow related to (your e-mail service provider, as an example) and you should have a deeper look at traffic to those you don't know about or which do not resolve to a name at all.

(12 Dec '15, 03:48) sindy

usually those kind of tcvs even also appear when i do not have opened any kind of browser.

(12 Dec '15, 23:03) Falcon

additionally, there are always ip-adresses that have kind of surreal location like in the mid of the sea.

(12 Dec '15, 23:05) Falcon

there are always ip-adresses that have kind of surreal location like in the mid of the sea.

I have no experience yet with the translation of IP addresses to geolocation, but IP addresses in the middle of the sea sound to me like a bug of the database or maybe Wireshark, if it is not simply 0° N/0° E because data for that IP are missing in the database completely. But regardless what GeoIP says, think realistic: the fact that GeoIP data are wrong for a given IP address does not mean that such IP does not exist at all. So the result of GeoIP translation is not a safe criteria to select real IP addresses from fake ones.

usually those kind of tcvs even also appear when i do not have opened any kind of browser.

What means tcv?

In addition to browsers, there is a lot of other interaction between the network and your operating system and even the applications whose purpose is not to interact with the network. Both the operating systems and some applications regularly check for updates and download them without asking you in advance. And some applications, e.g. Skype, can forward someone else's traffic even if you have no active call yourself.

One more thing - your PC may exhibit weird network activity because it is infected with something unrelated to stalking. When was the last time you've scanned your disk for viruses before allowing the operating system come up, i.e. booting from a virus-scanning CD?

(13 Dec '15, 01:59) sindy

Just an afterthought: do you know what "private IP address" means in the network jargon, or have you started using Wireshark just due to your suspicion of being monitored and you never had anything to do with network analysis before? Are some of the addresses in the conversations in your capture private addresses? Do you realize that while public IP addresses are (well, should be) unique, the same private IP addresses are used in thousands of private networks, so the notion of their geographic location is senseless outside the scope of the particular private network in which they are used?

(13 Dec '15, 04:29) sindy
showing 5 of 6 show 1 more comments