This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, all...

I posted this in another forum, so if you've seen it please don't gripe me out.

My question will appear to present a dumbass-ness that I do not actually possess. In other words, I don't know what I'm doing here or even how to ask about it, but I'm not completely clueless: I'm just new to this tool and the best way to analyze its output.

I'm working on a potential hacking case. I've already exploited 4 of their computers (drives), imaged them and used FTK and Paraben's P2C on them. What I'm trying to do now is see if there is any current activity happening on their network (either outbound or inbound).

I've got a script running that is capturing (via dumpcap, netstat, handles.exe and listdlls.exe) most of their network traffic and the running processes, et al.

I've got a few weeks of this data, which means mucho packets obviously. What I was hoping to find was a way to evaluate the frequency/periodicity of any particular IP address' appearance in the dumpcap/Wireshark captures. I need a starting place.

I've got scripts running on the data to do more Address Name Resolutions and I will use that to knock out obviously benign addresses. But on the ones I don't know or question, I need to figure some way of seeing when and how often any particular IP address is appearing in the captures.

And it wouldn't be just one. It would be any that I couldn't eliminate as benign.

I know there's an I/O graph on Wireshark for ALL traffic...it would be great to see something like that for SPECIFIC IP addresses.

Maybe there's a piece that is native in Wireshark itself that I haven't found, yet. Maybe there's an app or some other way to see this.

Any ideas? I'd sure appreciate the help.

asked 11 Jul '16, 09:20

chasaway
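Wireshark's I/O Graph does accept a display filter per graph line (for example `ip.addr == 10.0.0.5`), but for weeks of captures a script over tshark's field export scales better. The following is an added example, not part of this thread, that reads tshark's `frame.time_epoch,ip.src,ip.dst` output, builds a per-IP packet timeline in fixed time buckets, and estimates whether contact with a given address recurs at a regular interval; the sample lines and addresses are constructed.

```python
"""Per-IP activity timeline and contact-interval estimate from tshark field output.

Export the input from a capture with (real tshark options):
  tshark -r capture.pcapng -T fields -E separator=, \
         -e frame.time_epoch -e ip.src -e ip.dst > packets.csv
"""
from collections import Counter
from statistics import median

# Constructed sample of tshark output (epoch seconds, src, dst); not real capture data.
SAMPLE = """\
1468310400.10,10.0.0.5,203.0.113.9
1468310405.00,10.0.0.5,8.8.8.8
1468310460.30,10.0.0.5,203.0.113.9
1468310520.05,10.0.0.5,203.0.113.9
1468310531.00,8.8.8.8,10.0.0.5
1468310580.20,10.0.0.5,203.0.113.9
1468310640.15,203.0.113.9,10.0.0.5
"""

def parse_tshark_fields(text):
    """Parse comma-separated (epoch, src, dst) lines; skip non-IP frames (blank addresses)."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3 or not parts[1] or not parts[2]:
            continue
        records.append((float(parts[0]), parts[1], parts[2]))
    return records

def ip_timeline(records, ip, bucket=60):
    """Packets per `bucket`-second window involving `ip`, like an I/O graph filtered on ip.addr == ip."""
    counts = Counter()
    for ts, src, dst in records:
        if ip in (src, dst):
            counts[int(ts // bucket) * bucket] += 1
    return dict(sorted(counts.items()))

def contact_interval(records, ip):
    """Median gap (seconds) between consecutive packets involving `ip` and the largest
    relative deviation from it. A small deviation over many gaps means regular, scheduled contact."""
    times = sorted(ts for ts, src, dst in records if ip in (src, dst))
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None  # too few packets to judge regularity
    med = median(gaps)
    spread = max(abs(g - med) for g in gaps) / med if med else float("inf")
    return round(med, 2), round(spread, 3)

if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE)
    print(ip_timeline(recs, "203.0.113.9"))
    print(contact_interval(recs, "203.0.113.9"))
```

Feeding the timeline dictionary to any plotting tool gives the per-address I/O graph the question asks for; sorting addresses by low relative deviation surfaces the ones worth a closer look first.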


answered 12 Jul '16, 07:08

Jaap
