I need help to analyze slammer.pcap
Hi!
I just want some help or guide to analyze or understand the slammer.pcap exercise file provided by Wireshark page.
Post your pcap file, or we don't know what you're talking about.
Presumably they're referring to the "slammer.pcap" file on the Wireshark Wiki's Sample Captures page. The description of that capture is "Slammer worm sending a DCE RPC packet.". The Web searches I've done show a "Slammer" worm that attacks via SQL, not DCE RPC, so I'm not sure what that packet indicates. It's also not an "exercise" in the sense of, for example, an exercise in a training course.
One way to look at this (under Linux at least) would be to use the Snort post-dissector (https://wiki.wireshark.org/Snort) with the emerging-threats rules (https://rules.emergingthreats.net/ope...) and open slammer.pcap. Then, you should see that one or more alerts fired and:
- what rule(s) caused the alert(s) to be detected
- where in the packet the content or pcre fields were found (and where they occur in the normal dissection)
- clickable links to web pages describing the Snort rule and the threat it is thought to represent
This is admittedly not straightforward, especially if you are not already familiar with Snort, but I am pretty sure I did this for this exact capture file once before.
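As an added example (not code from the post, from Snort, or from the Wireshark project), here is a small Python script that does the same kind of work the Snort post-dissector does, on a constructed pcap: parse the frames, apply a simplified Snort-style content rule, and report which rule fired and at which payload offset the content was found. The rule, its SID and message, the addresses and the payload are all constructed for this example; the real emerging-threats rule text is not reproduced.

```python
import struct

# Constructed rule for this example only; not the real Emerging Threats or Snort rule.
# It flags UDP to the SQL Server Resolution Service port whose payload starts with 0x04.
RULES = [{"sid": 1000001, "msg": "EXAMPLE UDP/1434 payload starting 0x04",
          "proto": 17, "dport": 1434, "content": b"\x04", "depth": 1}]

def pcap_records(data):
    """Yield frame bytes from a classic little-endian pcap (magic 0xa1b2c3d4)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def decode_udp(frame):
    """Ethernet/IPv4/UDP frame -> (proto, dst_port, payload), or None if not UDP/IPv4."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    dport = struct.unpack_from("!H", udp, 2)[0]
    return 17, dport, udp[8:]

def alerts(pcap_bytes):
    """Return [(frame_no, sid, msg, payload_offset)] for every rule that matches."""
    hits = []
    for n, frame in enumerate(pcap_records(pcap_bytes), start=1):
        d = decode_udp(frame)
        if d is None:
            continue
        proto, dport, payload = d
        for r in RULES:
            if (proto, dport) == (r["proto"], r["dport"]):
                idx = payload.find(r["content"], 0, r["depth"])  # honour depth
                if idx >= 0:
                    hits.append((n, r["sid"], r["msg"], idx))
    return hits

def constructed_pcap():
    """One-frame pcap: UDP to port 1434, payload 0x04 + filler (constructed, not worm code)."""
    payload = b"\x04" + b"A" * 20
    udp = struct.pack("!HHHH", 40000, 1434, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return glob + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Calling alerts(constructed_pcap()) reports frame 1 matching the constructed rule at payload offset 0, which is the same "which rule, where in the packet" information the post-dissector surfaces; point pcap_records at the bytes of slammer.pcap to run it on the real capture.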
Asked: 2019-09-01 02:20:51 +0000
Seen: 986 times
Last updated: Sep 01 '19