Hi, I would like to capture one of my pc in my LAN to watch the traffic to port 80 and process name. In other words, I would like to know which process (IE,Mozilla,Chrome, etc.) is trying to communicate with the internet. I am getting an alerts from our SIEM that my PC is trying to communicate with over 100 different IP addresses at the same time (in less than 5 min !!! ). Obviously this is not a standard behavior of an regular Pc in a standard LAN. So I would like to capture the process/malware/virus/botnet which trying to communicate with these 100 IP addresses. How can I manage this? What filter should I type? I have tried : tcp.port==80 but I need to add to this filter the process name field as well so I will be able to view the process that trying to communicate... What is the correct syntax that I should type in the filter?? Please help Thanks in advance. asked 31 Dec '15, 01:55 syntax1127 |
One Answer:
No way to do that using Wireshark as Wireshark has no information about which process is bound to a particular source port. You can use Wireshark to have a look at the payload of that traffic itself, but if it is encrypted or simply incomprehensible, it won't help you much. If it is a virus, you'll most likely see just several instances of svchost.exe in the tasklist, which is a process used by many "legal" applications but often also by viruses. I'd recommend some "bootable anti-virus" software - you boot from a CD or a USB flash and scan your disk before any virus can run and thus hide itself from being spotted by normal anti-virus software. But it can also be some communication software like Skype - instances of applications of this type often talk to each other using tcp ports 80 or 443 because these are often the only ones open at firewalls. Also, if you have many windows open in your web browser, each of them may fetch advertisement from another site. answered 31 Dec '15, 07:11 sindy |