This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing VBScript traffic


We have many VBScripts that run on our network, and we are trying to identify the source of a VBScript that starts, at the top of the hour, any service on a server that is stopped. So I stopped the Print Spooler service on a random server, started the capture a minute before the top of the hour, and then waited until the service started again. I then stopped the capture and saved it to a file. How would I go about filtering this capture file now for VBScript traffic? I don't even know if it's TCP or UDP or something else.

Thank you.

asked 01 Feb '11, 11:30


vegas588
accept rate: 0%


One Answer:


Are you sure there isn't an automated script running on the server itself that's automatically restarting the processes?

If it's truly being pushed from a remote source, I imagine it'll appear to be some kind of SMS/WMI/MOM/SMB deal. You can just go looking through all of the conversations labeled SMB. You can try searching through the packets for strings like "service" (Edit->Find Packet). Unless your programmers went all out and built a complete socket-based application from the ground up, I doubt you'll see a dedicated stream just for this script. Good luck!

answered 01 Feb '11, 12:34


GeonJay
accept rate: 5%
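A way to turn the answer's suggestion (look at the SMB conversations to the server and search for service-related content) into a repeatable check, as an added example that is not part of the original question or answer. When a script starts a service remotely through sc.exe, net start or the Service Control Manager API, the start arrives at the server as a Service Control Manager RPC call (the svcctl interface from MS-SCMR), normally carried in SMB writes to the \pipe\svcctl named pipe on tcp/445; RStartServiceW is opnum 19 and RStartServiceA is opnum 31, and the start call only carries a handle, so the service name has to be read from the preceding ROpenServiceW (opnum 16). If the script instead goes through WMI (Win32_Service.StartService), the wire carries DCOM/WMI calls on tcp/135 plus a dynamic port and the SCM call happens locally on the server, so the svcctl match below would not fire and you would follow the DCE/RPC stream from that client instead. The script parses a classic pcap, finds DCE/RPC request PDUs addressed to the server and reports which client sent a StartService opnum. The server address, client addresses and the embedded capture are constructed for the example; the parser assumes Ethernet/IPv4 and does no TCP reassembly, so a PDU split across segments would be missed.

```python
# Triage helper: which client sent an SCM StartService RPC to the server in a pcap?
import re
import struct
from collections import defaultdict
from datetime import datetime, timezone

# MS-SCMR (svcctl interface) opnums: ROpenServiceW=16, RStartServiceW=19, RStartServiceA=31.
OPEN_SERVICE_W = 16
START_SERVICE = {19: "RStartServiceW", 31: "RStartServiceA"}
SVCCTL_PIPE = "svcctl".encode("utf-16-le")            # pipe name as seen in an SMB2 CREATE
# DCE/RPC connection-oriented request PDU: version 5.0, ptype 0, flags first|last, LE NDR drep.
RPC_REQ_MAGIC = b"\x05\x00\x00\x03\x10\x00\x00\x00"
UTF16_STR = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # printable UTF-16LE runs (service names)

def iter_tcp(pcap):
    """Yield (frame_no, ts, src_ip, dst_ip, sport, dport, payload) for each IPv4/TCP frame."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    pos, frame_no = 24, 0
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        frame_no += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield (frame_no, ts_sec + ts_usec / 1e6, ".".join(map(str, ip[12:16])),
               ".".join(map(str, ip[16:20])), sport, dport, tcp[doff:])

def find_service_starts(pcap, server_ip):
    """Per client IP: frames that opened \\pipe\\svcctl, service names seen in ROpenServiceW
    stubs (RStartService itself only carries a handle), and StartService requests."""
    ev = defaultdict(lambda: {"pipe_opens": [], "open_names": [], "starts": []})
    for frame_no, ts, src, dst, _sport, dport, payload in iter_tcp(pcap):
        if dst != server_ip or not payload:
            continue
        if SVCCTL_PIPE in payload:
            ev[src]["pipe_opens"].append(frame_no)
        # The PDU may sit inside an SMB2 WRITE/IOCTL (tcp/445) or directly on TCP (DCOM/WMI).
        for m in re.finditer(re.escape(RPC_REQ_MAGIC), payload):
            hdr = payload[m.start():]
            if len(hdr) < 24:
                continue
            frag_len, = struct.unpack("<H", hdr[8:10])
            opnum, = struct.unpack("<H", hdr[22:24])
            stub = hdr[24:frag_len]
            if opnum in START_SERVICE:
                ev[src]["starts"].append((frame_no, ts, dport, START_SERVICE[opnum]))
            elif opnum == OPEN_SERVICE_W:
                ev[src]["open_names"] += [s.group().decode("utf-16-le") for s in UTF16_STR.finditer(stub)]
    return dict(ev)

def rank_sources(evidence):
    """Clients that sent a StartService opnum, 'confirmed' if they also opened \\pipe\\svcctl
    in this capture. An opnum-only hit still needs a look in Wireshark: the pipe may have been
    opened before the capture began, or the opnum may belong to another bound interface."""
    rows = [(c, "confirmed" if e["pipe_opens"] else "unconfirmed", e["open_names"])
            for c, e in evidence.items() if e["starts"]]
    return sorted(rows, key=lambda r: r[1] != "confirmed")

# ---- constructed sample capture (not real traffic; addresses are made up) ----
def _frame(ts_sec, src, dst, sport, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

def _rpc_request(opnum, stub):
    return RPC_REQ_MAGIC + struct.pack("<HHIIHH", 24 + len(stub), 0, 1, len(stub), 0, opnum) + stub

SMB2 = b"\x00\x00\x00\x00\xfeSMB" + b"\x00" * 60        # stand-in NBSS + SMB2 header
SERVER = "10.0.0.20"
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame(1296590340, "10.0.0.7", SERVER, 51000, 80, b"GET / HTTP/1.1\r\n\r\n"),   # noise
    _frame(1296590400, "10.0.0.5", SERVER, 49152, 445, SMB2 + SVCCTL_PIPE),          # CREATE \pipe\svcctl
    _frame(1296590400, "10.0.0.5", SERVER, 49152, 445, SMB2 + _rpc_request(OPEN_SERVICE_W,
           b"\x00" * 20 + struct.pack("<III", 8, 0, 8) + "Spooler\x00".encode("utf-16-le"))),
    _frame(1296590400, "10.0.0.5", SERVER, 49152, 445, SMB2 + _rpc_request(19, b"\x00" * 28)),
    _frame(1296590402, "10.0.0.9", SERVER, 49300, 445, SMB2 + _rpc_request(19, b"\x00" * 28)),  # no pipe open seen
])

if __name__ == "__main__":
    ev = find_service_starts(SAMPLE_PCAP, SERVER)
    for client, confidence, names in rank_sources(ev):
        for frame_no, ts, port, call in ev[client]["starts"]:
            when = datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S")
            print(f"{client:<10} {confidence:<11} frame {frame_no} {when} tcp/{port} {call} services={names}")
```

To run it on the real file, read the saved capture into `find_service_starts(open("capture.pcap", "rb").read(), "<server ip>")`; Wireshark's own dissector gives the same view more reliably once the SMB stream is reassembled, with a display filter such as `svcctl.opnum == 19 || svcctl.opnum == 31`, and the client address on those frames is the host the script ran from.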