Network Traffic Analysis

    • Thread Starter
    Offline

    1
    ReputationRep:
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    Offline

    1
    ReputationRep:
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    Wireshark have an excellent Wiki which is linked below.

    You can filter by a lot of things like protocol, port, source or destination address or even search within packets for instance for spam words.

    What do you need to find out about the captures?
    Wireshark Wiki
    Offline

    2
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    What sort of captures are we dealing with here? Generally, you would only be able to determine what's a server and what isn't by looking more closely at the nature of the traffic being passed between them, for example you would see HTTP GET requests going back and forth as well as DNS lookups.

    One caveat is that, IMO, Wireshark's packet view isn't hugely friendly and it's a definite shortcoming.
    Offline

    0
    ReputationRep:
    Well, what exactly are you looking for?
    Otherwise, if you filter out all the routine stuff (ARP, ICMP, DHCP, netBIOS spam, etc) you should be left with user traffic, which you can peruse to see if there's anything interesting.
    Offline

    2
    ReputationRep:
    (Original post by JGR)
    Well, what exactly are you looking for?
    Otherwise, if you filter out all the routine stuff (ARP, ICMP, DHCP, netBIOS spam, etc) you should be left with user traffic, which you can peruse to see if there's anything interesting.
    Wouldn't filtering for just HTTP do the same thing?
    Offline

    0
    ReputationRep:
    (Original post by mabrookes)
    Wouldn't filtering for just HTTP do the same thing?
    Again, it depends what he's looking for.
    There are an awful lot of potentially interesting things which aren't HTTP.
    Offline

    2
    ReputationRep:
    (Original post by JGR)
    Again, it depends what he's looking for.
    There are an awful lot of potentially interesting things which aren't HTTP.
    Yeah, you're right. For some reason I assumed he would be looking at just HTTP as it seemed like a basic exercise, but he hasn't said that so I shouldn't assume.
    Offline

    1
    ReputationRep:
    (Original post by Puma)
    Anyone here good with Wireshark?

    For a bit of work, we've been given Wireshark captures to analyse, I don't understand it at all. I know some IPs are servers and users but don't really get what's going on.
    A lot of it depends what you're supposed to be looking for. Wireshark can give a lot of info but when I use it what I'm doing depends heavily on what I'm trying to do.

    For instance, debugging an application tends to require looking at the packet contents. But looking at a network issue you might be looking more at the packet rates etc. One bit of recent debugging I was looking at the packet size distribution.
    • Thread Starter
    Offline

    1
    ReputationRep:
    Would a flood attack be viable by receiving a video stream and sending back the video to the server?
    Offline

    0
    ReputationRep:
    (Original post by Puma)
    Would a flood attack be viable by receiving a video stream and sending back the video to the server?
    There are far easier and more effective ways of flooding a server.
    It doesn't matter what data you use, so you might as well just use random bytes rather than sourcing video from that same server (which probably wouldn't be at a sufficient rate to flood anything).

    TCP, which is what is generally used for video streaming, has congestion control mechanisms built in to avoid flooding, and so most floods use large fragmented UDP packets, or try to open a lot of connections to exhaust server resources (SYN flood).
    • Thread Starter
    Offline

    1
    ReputationRep:
    I've a 300,000+ capture, it's a DoS attack.
    I just don't know who is who (attacker/users/server etc).
    Very confused.
    Offline

    1
    ReputationRep:
    (Original post by Puma)
    I've a 300,000+ capture, it's a DoS attack.
    I just don't know who is who (attacker/users/server etc).
    Very confused.
    In which case you might want to work out which is the server machine(s) and then from there try to determine the type of attack. From that you can probably work out who's attacking.

    As a starting point, what do you know about the network and where the capture was taken?
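A defender-side starting point for the "who is who" question in the last two posts, as an added example that is not from the thread: it reads tab-separated tshark field output (a constructed sample here, not the poster's capture), takes the endpoint receiving the most connection attempts as the server, and flags sources that send many SYNs but never complete a handshake, the SYN-flood pattern mentioned earlier. The field list, the sample addresses and the threshold of three SYNs are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample shaped like the tab-separated output of
#   tshark -r capture.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
# Addresses are made up; 192.168.1.10:80 plays the web server under attack.
SAMPLE = """\
10.0.0.5\t192.168.1.10\t80\t1\t0
192.168.1.10\t10.0.0.5\t49152\t1\t1
10.0.0.5\t192.168.1.10\t80\t0\t1
10.0.0.5\t192.168.1.10\t80\t0\t1
203.0.113.7\t192.168.1.10\t80\t1\t0
203.0.113.7\t192.168.1.10\t80\t1\t0
192.168.1.10\t203.0.113.7\t40001\t1\t1
203.0.113.7\t192.168.1.10\t80\t1\t0
198.51.100.9\t192.168.1.10\t80\t1\t0
198.51.100.9\t192.168.1.10\t80\t1\t0
198.51.100.9\t192.168.1.10\t80\t1\t0
"""

def parse_rows(text):
    """One (src, dst, dport, syn, ack) tuple per packet; flag fields print as 1/0 or True/False."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, syn, ack = line.split("\t")
            rows.append((src, dst, int(dport), syn in ("1", "True"), ack in ("1", "True")))
    return rows

def find_server(rows):
    """The (ip, port) receiving the most bare SYNs is the likely listening service."""
    syns = Counter((dst, dport) for _, dst, dport, syn, ack in rows if syn and not ack)
    return syns.most_common(1)[0][0]

def classify_sources(rows, server, syn_threshold=3):
    """Per source: SYNs sent to the server, ACK-only packets it sent (handshake completion or
    data), and SYN-ACKs the server sent back.  Many SYNs with no ACK-only packets means the
    source never finishes a handshake: the half-open (SYN flood) pattern."""
    srv_ip, _ = server
    stats = defaultdict(lambda: {"syn": 0, "acks": 0, "synack_back": 0})
    for src, dst, dport, syn, ack in rows:
        if (dst, dport) == server and syn and not ack:
            stats[src]["syn"] += 1
        elif (dst, dport) == server and ack and not syn:
            stats[src]["acks"] += 1
        elif src == srv_ip and syn and ack:
            stats[dst]["synack_back"] += 1
    verdict = {ip: "suspect" if s["syn"] >= syn_threshold and s["acks"] == 0 else "client"
               for ip, s in stats.items()}
    return dict(stats), verdict
```

On a real capture, sort the returned stats by SYN count: the legitimate users are the ones whose connections carry ACK-only packets afterwards, and the spoofed or half-open sources are the ones that do not.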
Updated: March 27, 2012