This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey guys,

I want to know how to identify a hacker from a tapped network traffic. I want to determine the identity of a hacker from a pcap file. How can I do that? I got the file here, if someone help me how to do it with instructions, I will be happy

asked 26 Sep '16, 11:11

Farsa42's gravatar image

Farsa42
6113
accept rate: 0%

edited 01 Oct '16, 04:40

Christian_R's gravatar image

Christian_R
1.8k2625


Identification of a hacker is rarely possible. All you may get is an IP address that is contacted for command & control traffic, but those are usually compromised systems themselves. So don't get your hopes up.

So what you need to do is to identify the malicious traffic. For that you need to know what the "normal" traffic of the network looks like, and find what doesn't fit the pattern. You can do that by looking at the protocols involved (e.g. via the Statistics menu, using the Protocol Distribution stats), or IPs contacted that seem odd. It will take a while if you're not trained in spotting malicious activity, but often filtering for http requests can be a good starting point. This can by done by filtering on "http.request.method" and looking at the host and URL called in the packets you get.

Another point is filtering on "dns" and check if there's any host names that are odd - again, this is something that will take a lot of work checking things out to see if they're legit or not.

permanent link

answered 26 Sep '16, 11:33

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

There's nothing at that Protocol Hierarchy Statistics? Am I doing it wrong? I only see TCP/HTTP, but nothing else. Percent packets are 100.0.

(26 Sep '16, 12:59) Farsa42

So the question still is as @Jasper has asked you, too: What do you exactly mean with identify the attacker? Do you want his full name, IP address, home address, telephone number or birthday?

(26 Sep '16, 13:09) Christian_R

A teacher gave me a pcap file to find out ID of a 'hacker' and telling what his/her ID is. I don't know what it meant to be, but only identify a 'hacker' from this pcap file that is been tapped.

(26 Sep '16, 13:22) Farsa42

without any prior training as what to look for? That's not a good assignment...

(26 Sep '16, 13:50) Jasper ♦♦

No no, it's a bonus, but I want it do it, because I like it. But there was no explanation

(26 Sep '16, 14:17) Farsa42

Well, then you can only look through the packets and statistics to find something that looks odd...

(26 Sep '16, 16:21) Jasper ♦♦
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×23
×4
×1

question asked: 26 Sep '16, 11:11

question was seen: 5,508 times

last updated: 01 Oct '16, 04:40

p​o​w​e​r​e​d by O​S​Q​A