
So I just started using Wireshark and started the capture on my own computer. A few packets that catch my attention include the HTTP protocol. It seems to me as if my computer is attempting to log on somewhere with my email address but fails. Below is the TCP stream; I replaced my email address with x's. If anybody has any idea of how I can identify what the source of this is on my computer, I would very much appreciate it.

GET /sub?cname=xxx%40xxx.com_browsers&seq=1&st=6114460300580000 HTTP/1.1
Host: 72.26.124.29:443
Connection: Close

HTTP/1.1 200 OK
Server: evsnotify
Content-Type: text/javascript; charset=utf-8
Date: Tue, 19 Apr 2016 14:50:22 GMT
Content-Length: 37
Connection: close

{"type":"user authentication failed"}

asked 19 Apr '16, 09:41

chuyrod


If anybody has any idea of how I can identify what the source of this is on my computer, I would very much appreciate it.

Run Microsoft Network Monitor. They abandoned it, but it should be downloadable. It will show you the PID of the process that sends certain data.

BTW: That behavior looks strange!

Regards
Kurt

answered 19 Apr '16, 13:25

Kurt Knochner ♦

Thanks for the tip. I opened Resource Monitor and found under the Network Activity section that id_service.exe from iDrive has a connection to the IP address above. Now I know what process is triggering this traffic, but I'm still confused because I would think the IP address would be iDrive's IP address. I also did another capture and still get the same results even after logging into the iDrive website for my account. I'll keep digging.

Thanks again for the tip.

Jesse

(20 Apr '16, 08:17) chuyrod

I converted your answer to a comment. Please follow-up with comments instead of answers (see FAQ).

but I'm still confused because I would think the ip address would be iDrive's ip address.

What should confuse you even more is the fact that they send your data over an unencrypted connection. Strange enough that they are using the HTTPS port (443). Who knows what else they send (password, backup data) in other unencrypted connections?

I suggest contacting their support and asking them what the heck this is all about ;-)

You can direct them to your post. 'Publicity' sometimes helps to speed up things :-)

Regards
Kurt

(20 Apr '16, 09:14) Kurt Knochner ♦
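The two things Kurt points out, a cleartext HTTP request aimed at the HTTPS port and an e-mail address travelling in the query string, can be checked mechanically. The script below is an added example, not code from the thread or from iDrive; it parses the request half of the stream quoted in the question (sample text, placeholder address and the port list are constructed here) and returns the findings a defender would want flagged.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request side of the TCP stream from the question,
# with the e-mail address replaced by x's as in the original post.
SAMPLE_REQUEST = (
    "GET /sub?cname=xxx%40xxx.com_browsers&seq=1&st=6114460300580000 HTTP/1.1\r\n"
    "Host: 72.26.124.29:443\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

# Ports on which we expect TLS, so plain HTTP to them is a red flag (assumption).
TLS_PORTS = {443, 8443}
# Loose e-mail pattern; good enough to catch an address hidden in a parameter.
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop any body
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def audit_request(raw):
    """Return human-readable findings for one cleartext HTTP request."""
    _method, target, headers = parse_request(raw)
    findings = []
    host = headers.get("host", "")
    # Host may carry an explicit port; default to 80 for plain HTTP.
    port = int(host.rsplit(":", 1)[1]) if ":" in host else 80
    if port in TLS_PORTS:
        findings.append(f"cleartext HTTP to TLS port {port} on {host}")
    # parse_qs percent-decodes, so %40 becomes @ before the regex runs.
    for name, values in parse_qs(urlsplit(target).query).items():
        for value in values:
            if EMAIL_RE.search(value):
                findings.append(f"e-mail address in query parameter '{name}': {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_request(SAMPLE_REQUEST):
        print(finding)
```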
question asked: 19 Apr '16, 09:41

question was seen: 1,976 times

last updated: 20 Apr '16, 09:15