I'm setting up a trap for hackers on my server, by putting an attractive file named: "source-code.zip" (as an example) so only hackers can see. (If the hacker is using a PHP shell trap or something)
Once the hacker tries to open or access the "source-code.zip" file, I need wireshark to trigger an executable file that will shut down the network card on my server to prevent any other theft, just in case.
How can I do this using wireshark or tcpdump ? is it possible ? for example using a filter where if any packet (TCP/UDP/ETC..) contains the word "source-code.zip" it should trigger an executable.
Of course the file name "source-code.zip" will be changed to something more unique and complex.
I need your help guys, is it possible to trigger files using filters on wireshark ? It also should not slow my network or CPU usage..
Thank you. (and sorry if my English is bad)
asked 21 Mar '12, 09:11
Yes, you can do this through Wireshark Lua, but as the other answers indicate, there are better ways to accomplish your goal.
If you really wanted to use Wireshark, you could create a tap/listener that runs a specified program (using
Here's an example Lua script (based on this answer) that opens iTunes whenever UDP packets, containing XML, arrive at port 2000. The script is put in
answered 22 Mar '12, 17:23
No, Wireshark does not have any facility to trigger an executable based on filters. Also, you have no guarantee that the file name would be contained in a single packet. It could, for example, be spread over two TCP segments in two different IP packets.
I'm not clear on what you're trying to do, but it doesn't seem like Wireshark is the right tool.
If you're actually trying to attract a hacker for whatever reason, then build a real honey pot that is not a production server, so that it isn't a problem if it gets destroyed. A virtual machine would be an excellent choice. You could use a snapshot to restore the machine if it was compromised in an attack.
If this is a production server that you're really trying to protect, use the tried and tested tools that are available for that purpose, instead of trying to cobble together your own system. Make sure the server has a host-based firewall, or is behind a network firewall, or both. Deploy an intrusion detection system, like Snort. Make sure that the server is properly and frequently backed up and can be restored if it does get compromised. If you can't afford commercial protective software, there are free programs available.
No matter how cleverly you name your file, you have absolutely no assurance that a hacker will go after this file first, so it will not serve as a reliable early warning of an attack.
answered 22 Mar '12, 12:51
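To illustrate the segmentation caveat raised in the answer above, here is an added example (not from the original thread): a per-packet "contains" check versus a search over the reassembled TCP stream, run on a constructed request whose marker string straddles a segment boundary. The segment data and the marker name are made up for the demonstration.

```python
# Added example, not part of the original thread: why a per-packet
# "contains" filter can miss a marker string, and what TCP stream
# reassembly (as an IDS such as Snort performs) catches instead.

MARKER = b"source-code.zip"  # placeholder name from the question

# Constructed sample: one HTTP request split across three TCP segments,
# delivered out of order, with the marker straddling a segment boundary.
# Each tuple is (tcp_sequence_number, payload_bytes).
SEGMENTS = [
    (1000, b"GET /backup/source-"),
    (1027, b" HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (1019, b"code.zip"),
]


def per_packet_match(segments, needle):
    """Mimic a 'frame contains "needle"' filter: test each packet alone."""
    return [seq for seq, payload in segments if needle in payload]


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads.

    Gaps or overlaps raise instead of being papered over: a detector
    that guesses at missing bytes is easy to evade.
    """
    data = bytearray()
    expected = None
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if expected is not None and seq != expected:
            raise ValueError(f"gap/overlap at seq {seq}, expected {expected}")
        data += payload
        expected = seq + len(payload)
    return bytes(data)


def stream_match(segments, needle):
    """Search the reassembled byte stream; returns the offset or -1."""
    return reassemble(segments).find(needle)


if __name__ == "__main__":
    print("per-packet hits:", per_packet_match(SEGMENTS, MARKER))  # []
    print("stream offset:", stream_match(SEGMENTS, MARKER))        # 12
```

The per-packet check returns no hits because no single segment carries the whole name, while the stream search finds it at byte offset 12.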
Wireshark does not have a built-in capability to launch arbitrary external programs (if it did, it could be abused by hackers attacking a system on which they knew Wireshark to run). I doubt seriously the effectiveness of your honeypot. If your server's security is critical, and you anticipate it to be compromised so easily, I would very strongly recommend a different approach to network security. Moreover, Wireshark comes with its own list of problems, not the least of which is the known out-of-memory problem that would certainly cripple your security setup.
Why not try a tool that is actually intended for catching malicious packets (snort, for example)?
answered 22 Mar '12, 12:55