Hello, I've been trying to figure out the best way to do this. I am currently trying to use Wireshark offline and wasn't sure if this was possible. I am staying disconnected from the internet while attempting to run some dangerous scripts to isolate what protocols they are using and where they are trying to go out to. The reason this is offline is because I don't want this to get onto my network, so I want to keep it isolated. Is there a way to do this, or does Wireshark have to be online?

asked 11 Aug '16, 08:05 Wireshark_No...
2 Answers:
Wireshark itself can be used offline to open and analyze packet capture files you already have. If you want to watch live traffic you need to have a network connection, otherwise the malware you're looking at will not have a path for communication and won't be able to send anything. Which means that you cannot record anything. You might want to take a look at tools that can simulate networks, e.g. https://practicalmalwareanalysis.com/fakenet/

answered 11 Aug '16, 08:10 Jasper ♦♦
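The offline part of this answer (analyzing a capture file you already saved from the isolated machine) is easy to script as well. The example below is added here and is not code from the question, the answers or the Wireshark project: it parses a classic pcap file with only the Python standard library and tallies the transport protocols and the (destination IP, protocol, port) endpoints seen, which is exactly the "what protocols and where is it going" question the original post asks. The capture it reads is constructed inline from documentation-range addresses so the script runs with no network and no real sample; point `summarize()` at the bytes of your own capture to use it on real data. It handles only classic pcap with an Ethernet link type, not pcapng.

```python
"""Offline triage of a pcap: tally transport protocols and the remote endpoints
a captured process tried to reach, using only the Python standard library."""
import struct
import socket
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap magic (pcapng is not handled)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (needed for a valid sample)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(proto, src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame (constructed sample, not real traffic)."""
    if proto == 6:      # TCP SYN: ports, seq, ack, data offset 5 words, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:   # UDP: ports, length, checksum (0 = none)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) frames are built here")
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_pcap(frames, start_ts=1470931500):
    """Wrap frames in a little-endian classic pcap file (global header + record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_records(data: bytes):
    """Yield (timestamp, frame) from a classic pcap, handling either byte order."""
    first = struct.unpack("<I", data[:4])[0]
    if first == PCAP_MAGIC:
        endian = "<"
    elif first == 0xD4C3B2A1:   # magic read backwards means the file is big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def summarize(data: bytes) -> dict:
    """Count protocols and (dst_ip, proto, dport) endpoints for every IPv4 frame."""
    protocols, endpoints = Counter(), Counter()
    for _ts, frame in iter_pcap_records(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            protocols["non-ipv4"] += 1
            continue
        ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
        name = IPPROTO_NAMES.get(frame[23], str(frame[23]))
        dst_ip = socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        dport = struct.unpack("!H", l4[2:4])[0] if name in ("tcp", "udp") and len(l4) >= 4 else None
        protocols[name] += 1
        endpoints[(dst_ip, name, dport)] += 1
    return {"protocols": protocols, "endpoints": endpoints}


# Constructed sample capture: one sandbox host talking to documentation-range addresses.
SAMPLE_PCAP = build_pcap([
    build_frame(17, "10.0.0.5", "10.0.0.1", 51000, 53, b"\x00" * 12),   # DNS lookup
    build_frame(6, "10.0.0.5", "203.0.113.10", 51001, 443),             # HTTPS beacon
    build_frame(6, "10.0.0.5", "203.0.113.10", 51002, 443),             # retry
    build_frame(6, "10.0.0.5", "198.51.100.7", 51003, 8080),            # second endpoint
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    report = summarize(data)
    print("protocols:", dict(report["protocols"]))
    for (ip, proto, port), n in report["endpoints"].most_common():
        print(f"{n:4d}  {proto:5s} {ip}:{port}")
```

Run it with a saved capture as the first argument (`python pcap_triage.py sample.pcap`) or with no argument to see the constructed sample. Because the sandbox host has no real upstream, every destination it lists is an intent, not a completed connection, which is precisely what you want from an isolated run.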
If you want to capture live traffic, your network interface card needs to be in an up-link status. But that doesn't mean you need to connect that machine to your live network, just connect the Wireshark machine to any stand-alone hub with nothing else connected to it (almost like offline). That will cause the NIC to go into up-link status. FWIW

answered 13 Aug '16, 20:58 wbenton