Network Traffic Analysis

  1. Puma
    Network Traffic Analysis
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
  2. united2000
    Re: Network Traffic Analysis
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    Wireshark has an excellent wiki, which is linked below.

    You can filter by a lot of things like protocol, port, source or destination address or even search within packets for instance for spam words.

    What do you need to find out about the captures?
    Wireshark Wiki
  3. ch0llima
    Re: Network Traffic Analysis
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    What sort of captures are we dealing with here? Generally, you would only be able to determine what's a server and what isn't by looking more closely at the nature of the traffic being passed between them, for example you would see HTTP GET requests going back and forth as well as DNS lookups.

    One caveat is that, IMO, Wireshark's packet view isn't hugely friendly and it's a definite shortcoming.
  4. JGR
    Re: Network Traffic Analysis
    Well, what exactly are you looking for?
    Otherwise, if you filter out all the routine stuff (ARP, ICMP, DHCP, netBIOS spam, etc) you should be left with user traffic, which you can peruse to see if there's anything interesting.
  5. mabrookes
    Re: Network Traffic Analysis
    (Original post by JGR)
    Well, what exactly are you looking for?
    Otherwise, if you filter out all the routine stuff (ARP, ICMP, DHCP, netBIOS spam, etc) you should be left with user traffic, which you can peruse to see if there's anything interesting.
    Wouldn't filtering for just HTTP do the same thing?
  6. JGR
    Re: Network Traffic Analysis
    (Original post by mabrookes)
    Wouldn't filtering for just HTTP do the same thing?
    Again, it depends what he's looking for.
    There are an awful lot of potentially interesting things which aren't HTTP.
  7. mabrookes
    Re: Network Traffic Analysis
    (Original post by JGR)
    Again, it depends what he's looking for.
    There are an awful lot of potentially interesting things which aren't HTTP.
    Yeah, you're right. For some reason I assumed he would be looking at just HTTP, as it seemed like a basic exercise, but he hasn't said that, so I shouldn't assume.
  8. mfaxford
    Re: Network Traffic Analysis
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    A lot of it depends what you're supposed to be looking for. Wireshark can give a lot of info but when I use it what I'm doing depends heavily on what I'm trying to do.

    For instance, debugging an application tends to require looking at the packet contents. But when looking at a network issue you might be looking more at the packet rates etc. In one bit of recent debugging I was looking at the packet size distribution.
  9. Puma
    Re: Network Traffic Analysis
    Would a flood attack be viable by receiving a video stream and sending back the video to the server?
  10. JGR
    Re: Network Traffic Analysis
    (Original post by Puma)
    Would a flood attack be viable by receiving a video stream and sending back the video to the server?
    There are far easier and more effective ways of flooding a server.
    It doesn't matter what data you use, so you might as well just use random bytes rather than sourcing video from that same server (which probably wouldn't be at a sufficient rate to flood anything).

    TCP, which is what is generally used for video streaming, has congestion control mechanisms built in to avoid flooding, and so most floods use large fragmented UDP packets, or try to open a lot of connections to exhaust server resources (SYN flood).
  11. Puma
    Re: Network Traffic Analysis
    I've a 300,000+ capture, it's a DoS attack.
    I just don't know who is who (attacker/users/server etc).
    Very confused.
  12. mfaxford
    Re: Network Traffic Analysis
    (Original post by Puma)
    I've a 300,000+ capture, it's a DoS attack.
    I just don't know who is who (attacker/users/server etc).
    Very confused.
    In which case you might want to work out which is the server machine(s) and then from there try to determine the type of attack. From that you can probably work out who's attacking.

    As a starting point, what do you know about the network and where the capture was taken?
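One way to carry out the triage mfaxford describes (find the server first, then see which sources never complete their handshakes, the signature of the SYN flood JGR mentions) on a capture that Wireshark's tshark has exported as tab-separated fields. This is an added example, not code from the thread; the tshark export command, the field list and the sample rows are assumptions and constructed data.

```python
# Triage a tshark TSV export of a suspected DoS capture: find the server,
# then rank sources by bare SYNs sent versus ACKs sent (half-open handshakes).
# Assumed export command (not from the thread), run against the .pcap:
#   tshark -r capture.pcap -T fields -E separator=/t -e ip.src -e ip.dst \
#       -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e frame.len
from collections import Counter, defaultdict

# Constructed sample, not a real capture: 192.168.1.10 completes a handshake and
# sends data, 203.0.113.7 sends only SYNs, two hosts send one SYN each, one row is DNS.
SAMPLE = """\
192.168.1.10\t10.0.0.5\t80\t1\t0\t74
10.0.0.5\t192.168.1.10\t51000\t1\t1\t74
192.168.1.10\t10.0.0.5\t80\t0\t1\t66
192.168.1.10\t10.0.0.5\t80\t0\t1\t512
192.168.1.10\t10.0.0.53\t\t\t\t82
203.0.113.7\t10.0.0.5\t80\t1\t0\t60
203.0.113.7\t10.0.0.5\t80\t1\t0\t60
203.0.113.7\t10.0.0.5\t80\t1\t0\t60
198.51.100.2\t10.0.0.5\t80\t1\t0\t60
198.51.100.3\t10.0.0.5\t80\t1\t0\t60
"""

def parse_rows(text):
    """Yield (src, dst, dport, syn, ack, frame_len) for each TCP frame."""
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 6 or not f[2]:
            continue  # blank line or non-TCP frame (empty tcp.dstport)
        # tshark prints booleans as 1/0 (older) or True/False (newer)
        yield f[0], f[1], int(f[2]), f[3] in ("1", "True"), f[4] in ("1", "True"), int(f[5])

def triage(text):
    """Return the busiest SYN target and per-source handshake statistics."""
    syn_targets = Counter()  # (dst, port) -> bare SYNs received
    stats = defaultdict(lambda: {"syn": 0, "ack": 0})
    for src, dst, dport, syn, ack, _length in parse_rows(text):
        if syn and not ack:  # bare SYN: a new connection attempt
            syn_targets[(dst, dport)] += 1
            stats[src]["syn"] += 1
        elif ack and not syn:  # handshake completion or data
            stats[src]["ack"] += 1
    if not syn_targets:
        return None  # no TCP connection attempts in the export
    (server, port), syn_total = syn_targets.most_common(1)[0]
    clients = {ip: s for ip, s in stats.items() if ip != server}
    # Legitimate clients follow their SYN with ACKs; flooders never do.
    ranked = sorted(clients, key=lambda ip: clients[ip]["syn"] / (clients[ip]["ack"] + 1), reverse=True)
    half_open = sum(1 for s in clients.values() if s["syn"] and not s["ack"])
    return {"server": server, "port": port, "syn_total": syn_total,
            "sources": len(clients), "half_open_sources": half_open, "ranked": ranked}
```

On a real export, a large number of distinct sources each sending one unanswered SYN points to a spoofed-source flood, while a few sources with very high SYN-to-ACK ratios point to specific attacking hosts.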