Hi, I have a network performance issue and a quick wireshark capture shows a high traffic between my client and the NAS. This doesn't occur frequently but it seems to have disrupt the office network. Based on the capture below which lasted 10 mins, how can i go deeper into the each packets to see if there was a bottleneck in bandwidth or was there any other possibilities that might have slow down the network? asked 03 Dec '16, 00:33 doran_lum |
One Answer:
For me the traffic on port 445 looks good. It is normal SMB (Windows network file sharing and can be used for NAS) and it seems that someone downloads a vmplayer.exe. So everything looks calm on this port to me. But there is a lot of traffic on Port 9001. Port 9001 can be used for Sharepoint authoring or for TOR-Browsing. There is huge traffic to the internet (5.135.184.158) on that port, this could slow down your network, FW or WAN interface. The traffic comes from 192.168.70.8 on Port 53947 You can see that stas under: Statitstics -> Conversations - TCP And then you can sort by each column you want. answered 05 Dec '16, 08:40 Christian_R edited 06 Dec '16, 00:51 Thanks, how did you find out that someone was downliading the vmplayer ? I was trying to search on wireshark and networkminer but can't seem to find it. Anyway a vmplayer.exe file would be less than 100MB, so it's unlikely it can slow down the network. Yes for the port 9001, i show it as second highest byte under Conversations. (06 Dec '16, 05:39) doran_lum Sorry I found it out by filtering smb.cmd==46 I also can see .m4v files being play. May I ask how do I tell if the movie file i being download or being stream from the NAS ? (06 Dec '16, 05:52) doran_lum Please try this displayfilter:
And there we find the evidence that Port 9001 is TOR (06 Dec '16, 06:26) Christian_R Well, you have to enable TCP Reassembly. Right click TCP header in Packet Detail. Select Protocol preferences. Enable TCP reassembly. Then select a SMB packet. And then choose the export SMB objects dialog. Now you get all the transfered objects. (06 Dec '16, 11:45) Christian_R |
Easily said in your case you can use tcptrace or the smb request stats.
An other way could be that you share us a at a public accessible place like dropbox, google drive or cloudshark.
Thanks, I was looking at this link to see if it's link to a DOS attack using this vulnerability.
https://www.symantec.com/security_response/vulnerability.jsp?bid=33121
pcap file: https://drive.google.com/open?id=0B6Euh1o48D7ESkpOSUVnSEo4YzQ