Hey guys, I want to know how to identify a hacker from tapped network traffic. I want to determine the identity of a hacker from a pcap file. How can I do that? I have the file here; if someone can help me with instructions on how to do it, I will be happy. asked 26 Sep '16, 11:11 Farsa42 edited 01 Oct '16, 04:40 Christian_R
One Answer:
Identification of a hacker is rarely possible. All you may get is an IP address that is contacted for command & control traffic, but those are usually compromised systems themselves. So don't get your hopes up. So what you need to do is to identify the malicious traffic. For that you need to know what the "normal" traffic of the network looks like, and find what doesn't fit the pattern. You can do that by looking at the protocols involved (e.g. via the Statistics menu, using the Protocol Distribution stats), or IPs contacted that seem odd. It will take a while if you're not trained in spotting malicious activity, but often filtering for http requests can be a good starting point. This can be done by filtering on "http.request.method" and looking at the host and URL called in the packets you get. Another point is filtering on "dns" and checking whether there are any host names that are odd - again, this is something that will take a lot of work checking things out to see if they're legit or not. answered 26 Sep '16, 11:33 Jasper ♦♦
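The three things Jasper points at (the Protocol Hierarchy statistics, filtering on `http.request.method` and looking at host/URL, and filtering on `dns` to review the names queried) can also be reproduced outside the Wireshark GUI. The block below is an added example written for this thread; it is not code from the original answer or from the Wireshark project. It is a minimal pcap reader using only the Python standard library: it constructs a small capture inline (all MAC/IP addresses, ports, host names and timestamps in it are made up), then reports the per-frame protocol stack the way the Protocol Hierarchy window does, lists each HTTP request's method, Host and URI, lists the DNS names looked up, and applies one cheap triage rule (HTTP to a raw-IP host or a non-standard port deserves a closer look). Assumptions: Ethernet/IPv4 frames only, no TCP reassembly (each request fits in one segment), and uncompressed DNS query names.

```python
import struct
from collections import Counter

# ---- build a CONSTRUCTED capture (synthetic, not a real trace) -------------
def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def frame(proto, src, dst, sport, dport, payload):
    """Ethernet/IPv4/{TCP(6),UDP(17)} frame; checksums left zero (fine for parsing)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     1, 0, 64, proto, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def dns_query(name):
    """Standard DNS query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1474900000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = pcap([  # constructed sample: two DNS lookups, two HTTP requests
    frame(17, "10.0.0.5", "10.0.0.1", 5353, 53, dns_query("www.example.com")),
    frame(6, "10.0.0.5", "93.184.216.34", 40001, 80,
          b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    frame(17, "10.0.0.5", "10.0.0.1", 5354, 53, dns_query("a8f3k2.weird-tld.invalid")),
    frame(6, "10.0.0.5", "198.51.100.7", 40002, 8080,
          b"POST /cgi-bin/collect HTTP/1.1\r\nHost: 198.51.100.7:8080\r\n\r\nid=1"),
])

# ---- parse ---------------------------------------------------------------
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def read_qname(buf, pos):
    """Read an uncompressed DNS name (query section only; no 0xC0 pointers)."""
    labels = []
    while buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def parse_pcap(data):
    """Return one summary dict per frame: protocol stack plus HTTP/DNS fields."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    pos, records = 24, []
    while pos + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        rec = {"stack": ["eth"]}
        if struct.unpack("!H", pkt[12:14])[0] != 0x0800:  # not IPv4
            records.append(rec)
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        rec["src"] = ".".join(map(str, pkt[26:30]))
        rec["dst"] = ".".join(map(str, pkt[30:34]))
        rec["stack"].append("ip")
        l4 = pkt[14 + ihl:]
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
        if proto == 6:
            rec["stack"].append("tcp")
            payload = l4[((l4[12] >> 4) & 0x0F) * 4:]
            first_line = payload.split(b"\r\n", 1)[0]
            if payload.startswith(HTTP_METHODS) and b" HTTP/1." in first_line:
                rec["stack"].append("http")
                head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
                method, uri, _ = head[0].split(" ", 2)
                host = next((h.split(":", 1)[1].strip() for h in head[1:]
                             if h.lower().startswith("host:")), "")
                rec["http"] = {"method": method, "host": host, "uri": uri}
        elif proto == 17:
            rec["stack"].append("udp")
            payload = l4[8:]
            if 53 in (rec["sport"], rec["dport"]) and not payload[2] & 0x80:  # QR=0
                rec["stack"].append("dns")
                rec["dns_query"] = read_qname(payload, 12)
        records.append(rec)
    return records

# ---- the three views from the answer -------------------------------------
def protocol_hierarchy(records):
    """Like Statistics > Protocol Hierarchy: frames per protocol stack."""
    return Counter(":".join(r["stack"]) for r in records)

def http_requests(records):
    """Like the display filter http.request.method: (method, host, uri)."""
    return [(r["http"]["method"], r["http"]["host"], r["http"]["uri"])
            for r in records if "http" in r]

def dns_queries(records):
    """Like the display filter dns: the names that were looked up."""
    return [r["dns_query"] for r in records if "dns_query" in r]

def odd_http(records):
    """Cheap triage: Host is a bare IP, or the port is not 80/443."""
    return [r for r in records if "http" in r and
            (r["dport"] not in (80, 443)
             or r["http"]["host"].split(":")[0].replace(".", "").isdigit())]

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    print("Protocol hierarchy:", dict(protocol_hierarchy(recs)))
    print("HTTP requests:", http_requests(recs))
    print("DNS queries:", dns_queries(recs))
    print("Worth a look:", [(r["dst"], r["dport"], r["http"]) for r in odd_http(recs)])
```

To run it against a real file instead of the constructed sample, read the file's bytes and pass them to `parse_pcap`; the triage rule is only a starting point, and as the answer says, every odd-looking host or name still has to be checked by hand to decide whether it is legitimate.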
There's nothing in the Protocol Hierarchy Statistics? Am I doing it wrong? I only see TCP/HTTP, but nothing else. Percent packets are 100.0.
So the question still is, as @Jasper has asked you, too: What exactly do you mean by "identify the attacker"? Do you want his full name, IP address, home address, telephone number or birthday?
A teacher gave me a pcap file to find out the ID of a 'hacker' and tell what his/her ID is. I don't know what it is meant to be, only to identify a 'hacker' from this pcap file that has been tapped.
Without any prior training as to what to look for? That's not a good assignment...
No no, it's a bonus, but I want to do it, because I like it. But there was no explanation.
Well, then you can only look through the packets and statistics to find something that looks odd...