I am new to Wireshark, and am trying to learn as much as possible, and wasn't sure where to start. I heard somewhere from doing research online that the books can't teach/show you everything, so a good place to get started is to look around, use it, and to get familiar with it. I noticed on the Wireshark site that they have some captures. I thought it would be interesting to see what a virus/trojan looked like. I downloaded the slammer.pcap, and am trying to figure out the main things that would pop out warning the administrator that it is a malicious packet?

asked 27 Nov '12, 15:34


droidus
accept rate: 0%


and am trying to figure out the main things that would pop out warning the administrator that it is a malicious packet?

Wireshark is a network analyzer, so it helps to detect problems within the network and/or with networked applications. Wireshark is unable to detect "malicious" content in a packet as it has no functionality for that. You can however do that manually, if you know what to look for.

There is an extension for Wireshark, called WireShnork, which combines the functionality of Wireshark with the detection capabilities of Snort. With that plugin, you will be able to detect malicious "actions/content" in a packet (or data stream), if there is a pattern for that specific attack. However, that's more a snort question than a Wireshark question.

Regards
Kurt


answered 27 Nov '12, 16:37


Kurt Knochner ♦
accept rate: 15%

edited 27 Nov '12, 16:49

I could only see directions for Linux commands. Am I missing something for Windows? Also, there is no way to just look at this data, like the content, to tell if it is malicious?

(27 Nov '12, 19:24) droidus

Well, if you need WireShnork for Windows, you need the following:

  • snort version for Windows, which is available
  • you would have to compile the plugin yourself on Windows (follow the plugin developer guide).
  • you would have to extend the plugin code to work on Windows (calling the snort binary).
  • download the plugin code

Unfortunately, the code is currently not available, as the mentioned GIT server refuses the GIT connection !?!

also, there is no way to just look at this data, like the content, to tell if it is malicious?

Sure there is. As I mentioned, you can look into the packet content manually (that's the main usage of Wireshark) and try to identify malicious code/activities. But then you need to know exactly what to look for.

In the case of slammer.pcap you can view the packet bytes in Wireshark.

http://www.wireshark.org/docs/wsug_html_chunked/ChapterWork.html

As the MS-SQL protocol is a binary protocol, you will only see the HEX representation of the packet bytes. Whether you can identify the attack in that packet depends on your knowledge of how Slammer works.

(28 Nov '12, 03:52) Kurt Knochner ♦
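Added example, not part of the thread above and not Kurt's or the Wireshark project's code: a small pure-Python script that does programmatically what Kurt describes doing by eye in the packet bytes pane. It parses a classic pcap file, pulls out UDP datagrams to port 1434 (the SQL Server Resolution Service that Slammer abused) and flags the publicly documented Slammer shape: a request type byte of 0x04 followed by a long run of 0x01 bytes, and a 376-byte UDP payload, far larger than the short instance-name query a legitimate client sends. The capture it scans is constructed in memory (one benign-looking lookup and one worm-shaped datagram), so it runs offline; point `scan_pcap` at the bytes of the real slammer.pcap to inspect that file instead. The MAC and IP addresses and the filler bytes are made-up test values.

```python
import struct

# Classic pcap constants: little-endian magic, link type 1 = Ethernet.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
SSRS_PORT = 1434           # SQL Server Resolution Service (UDP)
SSRS_REQUEST_TYPE = 0x04   # first byte of a normal SSRS request, then an instance name


def build_sample_pcap():
    """Constructed test capture: one short SSRS lookup and one Slammer-shaped datagram."""
    def udp_frame(payload):
        src_ip, dst_ip = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])   # constructed addresses
        udp_len = 8 + len(payload)
        udp = struct.pack("!HHHH", 40000, SSRS_PORT, udp_len, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         src_ip, dst_ip) + udp
        eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
        return eth + ip

    benign = udp_frame(bytes([SSRS_REQUEST_TYPE]) + b"SQLEXPRESS\x00")
    # Slammer-like: type 0x04, a run of 0x01 bytes, then filler up to a 376-byte payload
    wormish = udp_frame(bytes([SSRS_REQUEST_TYPE]) + b"\x01" * 96 + b"\xcc" * (376 - 97))
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate((benign, wormish)):
        out += struct.pack("<IIII", 1353970000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_udp(pcap_bytes):
    """Yield (frame_no, src, dst, sport, dport, payload) for every UDP datagram in a pcap."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off, frame_no = 24, 0
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        frame_no += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[0] >> 4 != 4 or ip[9] != 17 or total_len < ihl + 8:
            continue                                   # not UDP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        udp = ip[ihl:total_len]
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", udp, 0)
        yield frame_no, src, dst, sport, dport, udp[8:ulen]


def slammer_indicators(payload):
    """Return the reasons a UDP/1434 payload looks like Slammer (empty list if it does not)."""
    reasons = []
    if not payload or payload[0] != SSRS_REQUEST_TYPE:
        return reasons
    if len(payload) > 128:
        reasons.append("oversized SSRS request of %d bytes (instance names are short)" % len(payload))
    run = 0
    for b in payload[1:]:
        if b != 0x01:
            break
        run += 1
    if run >= 32:
        reasons.append("%d consecutive 0x01 bytes after the 0x04 type byte" % run)
    if len(payload) == 376:
        reasons.append("payload is exactly 376 bytes, the documented Slammer size")
    return reasons


def scan_pcap(pcap_bytes):
    """Scan a pcap and report UDP/1434 datagrams carrying Slammer indicators."""
    findings = []
    for frame_no, src, dst, sport, dport, payload in iter_udp(pcap_bytes):
        if dport != SSRS_PORT:
            continue
        reasons = slammer_indicators(payload)
        if reasons:
            findings.append({"frame": frame_no, "src": src, "dst": dst,
                             "length": len(payload), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_pcap(build_sample_pcap()):
        print("frame %d %s -> %s (%d bytes): %s" % (f["frame"], f["src"], f["dst"],
                                                   f["length"], "; ".join(f["reasons"])))
```

The three checks are deliberately independent: a capture truncated by a snaplen would still trip the 0x01-run check even though the 376-byte test fails, and an SSRS request padded with other bytes would still trip the size check. Against the real slammer.pcap (read with `open(path, "rb").read()`) the same fields are what you would scroll to in Wireshark's bytes pane: UDP destination port 1434, first payload byte 04, then a wall of 01s.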
Asked: 27 Nov '12, 15:34

Seen: 1,506 times

Last updated: 28 Nov '12, 03:52
