How to trace CBL detail summary in Wireshark?

asked 2020-08-17 10:57:47 +0000

AA631

How to search in Wireshark using CBL's detection information summary?

Example:
Destination IP: n/a
Destination port: 447
Source IP: (Prefer not to disclose)
Source port: 56596
C&C name/domain: n/a
Protocol: TCP
Time: Mon Aug 17 09:39:49 2020 UTC


Comments

You might start with Statistics->Conversations or Statistics->Endpoints to look for matches.
A display filter of tcp.srcport==56596 && tcp.dstport==447 would match the example.
There is a chance it might match more than one conversation if the source port is reused. The Expert Information screen in Wireshark will show port reuse in the capture.

Notes: CBL Info, Palo Alto article on Trickbot (TCP 447)

Chuckc ( 2020-08-17 14:04:42 +0000 )
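One way to turn a CBL summary like the one in the question into the display filter given in the comment, and to check for the source-port reuse the comment warns about. This is an added example for this thread, not code from the question or the comment. It assumes the field labels shown in the quoted summary (one line or one field per line), and the conversation rows are constructed sample data (RFC 5737 documentation addresses) standing in for what Statistics -> Conversations or `tshark -z conv,tcp` would list.

```python
"""Build a Wireshark display filter from a CBL detection summary and flag
source-port reuse among the TCP conversations it would match.

Added example for this thread; not code from the original question or comment.
The field labels are the ones quoted in the question; the conversation list is
constructed sample data standing in for Statistics -> Conversations output.
"""
import re
from collections import Counter

# Labels of a CBL detection summary as quoted in the question. Values of
# "n/a" or "(Prefer not to disclose)" are treated as unknown.
CBL_FIELD_RE = re.compile(
    r"(Destination IP|Destination port|Source IP|Source port|C&C name/domain|Protocol|Time)\s*:\s*"
)
UNKNOWN = {"n/a", "(prefer not to disclose)", ""}


def parse_cbl_summary(text):
    """Split a CBL summary (one line or one field per line) into field -> value (None if unknown)."""
    matches = list(CBL_FIELD_RE.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        # The value runs from the end of this label to the start of the next one.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        value = text[m.end():end].strip()
        fields[m.group(1)] = None if value.lower() in UNKNOWN else value
    return fields


def build_display_filter(fields):
    """Translate the known fields into a Wireshark display filter string.

    Only fields CBL actually reported are used, so a summary with
    'Destination IP: n/a' yields a ports-only filter, as in the comment.
    """
    proto = (fields.get("Protocol") or "tcp").lower()  # "TCP" -> tcp.srcport / tcp.dstport
    terms = []
    if fields.get("Source IP"):
        terms.append(f"ip.src=={fields['Source IP']}")
    if fields.get("Destination IP"):
        terms.append(f"ip.dst=={fields['Destination IP']}")
    if fields.get("Source port"):
        terms.append(f"{proto}.srcport=={fields['Source port']}")
    if fields.get("Destination port"):
        terms.append(f"{proto}.dstport=={fields['Destination port']}")
    return " && ".join(terms)


def find_port_reuse(conversations, fields):
    """Return (matching conversations, source port reused?).

    `conversations` is a list of (src_ip, src_port, dst_ip, dst_port) tuples, i.e.
    the rows of Statistics -> Conversations. A reused source port means the
    filter can match more than one TCP conversation.
    """
    sport = int(fields["Source port"])
    dport = int(fields["Destination port"])
    matching = [c for c in conversations if c[1] == sport and c[3] == dport]
    reused = Counter(c[1] for c in conversations)[sport] > 1
    return matching, reused


# Constructed sample data: the summary from the question, and invented
# conversation rows (RFC 5737 addresses), one of which reuses port 56596.
CBL_SUMMARY = (
    "Destination IP : n/a Destination port: 447 Source IP : (Prefer not to disclose) "
    "Source port: 56596 C&C name/domain: n/a Protocol: TCP Time: Mon Aug 17 09:39:49 2020 UTC"
)
SAMPLE_CONVERSATIONS = [
    ("192.0.2.10", 56596, "198.51.100.7", 447),
    ("192.0.2.10", 56597, "198.51.100.7", 443),
    ("192.0.2.10", 56596, "203.0.113.9", 447),  # same source port reused
]

if __name__ == "__main__":
    fields = parse_cbl_summary(CBL_SUMMARY)
    print(build_display_filter(fields))
    matches, reused = find_port_reuse(SAMPLE_CONVERSATIONS, fields)
    print(len(matches), "matching conversation(s); source port reused:", reused)
```

Paste the printed filter into the Wireshark filter bar; if the script reports the source port as reused, expect more than one conversation to match and confirm against the Expert Information view as the comment suggests.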