Network Traffic Analysis

    • Thread Starter
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse; I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    • Reply
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse; I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    Wireshark have an excellent Wiki which is linked below.

    You can filter by a lot of things like protocol, port, source or destination address or even search within packets for instance for spam words.

    What do you need to find out about the captures?
    Wireshark Wiki
    • Reply
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse; I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    What sort of captures are we dealing with here? Generally, you would only be able to determine what's a server and what isn't by looking more closely at the nature of the traffic being passed between them, for example you would see HTTP GET requests going back and forth as well as DNS lookups.

    One caveat is that, IMO, Wireshark's packet view isn't hugely friendly and it's a definite shortcoming.
    • Reply
    Well, what exactly are you looking for?
    Otherwise, if you filter out all the routine stuff (ARP, ICMP, DHCP, NetBIOS spam, etc.) you should be left with user traffic, which you can peruse to see if there's anything interesting.
    • Reply
    (Original post by JGR)
    Well, what exactly are you looking for?
    Otherwise, if you filter out all the routine stuff (ARP, ICMP, DHCP, NetBIOS spam, etc.) you should be left with user traffic, which you can peruse to see if there's anything interesting.
    Wouldn't filtering for just HTTP do the same thing?
    • Reply
    (Original post by mabrookes)
    Wouldn't filtering for just HTTP do the same thing?
    Again, it depends what he's looking for.
    There are an awful lot of potentially interesting things which aren't HTTP.
    • Reply
    (Original post by JGR)
    Again, it depends what he's looking for.
    There are an awful lot of potentially interesting things which aren't HTTP.
    Yeah, you're right. For some reason I assumed he would be looking at just HTTP as it seemed like a basic exercise, but he hasn't said that so I shouldn't assume.
    • Reply
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse; I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    A lot of it depends what you're supposed to be looking for. Wireshark can give a lot of info but when I use it what I'm doing depends heavily on what I'm trying to do.

    For instance, debugging an application tends to require looking at the packet contents. But looking at a network issue you might be looking more at the packet rates etc. In one bit of recent debugging I was looking at the packet size distribution.
    • Thread Starter
    Would a flood attack be viable by receiving a video stream and sending back the video to the server?
    • Reply
    (Original post by Puma)
    Would a flood attack be viable by receiving a video stream and sending back the video to the server?
    There are far easier and more effective ways of flooding a server.
    It doesn't matter what data you use, so you might as well just use random bytes rather than sourcing video from that same server (which probably wouldn't be at a sufficient rate to flood anything).

    TCP, which is what is generally used for video streaming, has congestion control mechanisms built in to avoid flooding, and so most floods use large fragmented UDP packets, or try to open a lot of connections to exhaust server resources (SYN flood).
    • Thread Starter
    I've a 300,000+ capture, it's a DoS attack.
    I just don't know who is who (attacker/users/server etc).
    Very confused.
    • Reply
    (Original post by Puma)
    I've a 300,000+ capture, it's a DoS attack.
    I just don't know who is who (attacker/users/server etc).
    Very confused.
    In which case you might want to work out which is the server machine(s) and then from there try to determine the type of attack. From that you can probably work out who's attacking.

    As a starting point, what do you know about the network and where the capture was taken?
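As an added example (not code from anyone in this thread), here is a small Python script that applies the approach the last few replies describe: drop the non-TCP noise, identify the server(s) as the hosts that send SYN/ACKs, then count which peers never complete the handshake, which is the SYN-flood pattern mentioned earlier. The pcap reader, the frame builder, the IP addresses and the thresholds are all constructed assumptions for the example; `read_pcap` handles classic libpcap files only, so a pcapng capture would need a different loader.

```python
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

def read_pcap(path):   # classic libpcap: 24-byte global header, then a 16-byte header per record
    with open(path, "rb") as fh:
        endian = "<" if fh.read(24)[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        while hdr := fh.read(16):
            yield fh.read(struct.unpack(endian + "IIII", hdr)[2])   # third field is the captured length

def tcp_frame(src, dst, sport, dport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame for the sample below (no checksums, no options)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def parse(frame):
    """Return (src, dst, tcp_flags) for an IPv4/TCP frame, None for anything else (ARP, UDP, ICMP...)."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    flags = frame[14 + (frame[14] & 0x0F) * 4 + 13]   # flags byte sits 13 bytes into the TCP header
    return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), flags

def profile(frames, min_half_open=20):
    """Servers are hosts that send SYN/ACK; flag one when most peers that sent SYNs never finish the handshake."""
    servers, peers, done = set(), defaultdict(set), defaultdict(set)
    for src, dst, flags in filter(None, map(parse, frames)):   # skips non-TCP frames (ARP, DHCP, NetBIOS...)
        if flags & SYN and not flags & ACK:     # bare SYN; Wireshark: tcp.flags.syn==1 && tcp.flags.ack==0
            peers[dst].add(src)
        elif flags & SYN:                       # SYN/ACK only comes from a listening service
            servers.add(src)
        elif flags & ACK and not flags & RST:   # third handshake step (or a later data ACK)
            done[dst].add(src)
    report = {}
    for s in servers:
        half_open = len(peers[s] - done[s])
        report[s] = {"sources": len(peers[s]), "half_open": half_open,
                     "syn_flood": half_open >= min_half_open and 2 * half_open > len(peers[s])}
    return report

def sample_capture():
    """Constructed capture: two real clients complete handshakes, 30 spoofed sources only ever send SYNs."""
    srv, frames = "10.0.0.5", []
    for i, c in enumerate(["192.168.1.10", "192.168.1.11"] + [f"203.0.113.{n}" for n in range(1, 31)]):
        frames += [tcp_frame(c, srv, 1024 + i, 80, SYN), tcp_frame(srv, c, 80, 1024 + i, SYN | ACK)]
        if c.startswith("192.168."):            # only the real clients answer with the final ACK
            frames.append(tcp_frame(c, srv, 1024 + i, 80, ACK))
    return frames
```

On a real file, `profile(read_pcap("capture.pcap"))` gives the same report; the hosts in the `half_open` set are then the ones to look at in Wireshark with the filter shown in the comment.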

Updated: March 27, 2012