Possible network intrusion

I was looking for any intrusion through Wireshark data. I followed the instructions given in this post:

My laptop is connected to the internet through a wired LAN. Many PoE LAN devices are connected on the upstream cable, as are many other connections distributed by the service provider (giving this detail here in case it is important). It is a 15 Mbps connection.

The post says: (1) ARP Scanning: arp.dst.hw_mac==00:00:00:00:00:00 If we see many of these ARP requests in a short period of time asking for many different IP addresses, someone is probably trying to discover alive IPs on our network by ARP scanning (e.g. by running arp-scan -l).

In my Wireshark data, a single IP address shows up 5-10 times in a minute, sometimes every 203 seconds, with this filter, along with other IP addresses.

(2) ICMP ping sweeps: icmp.type==8 or icmp.type==0 If we see too many of these packets in a short period of time targeting many different IP addresses, then we are probably witnessing ICMP ping sweeps. Someone is trying to identify all alive IP addresses on our network (e.g. by running nmap -sn -PE <subnet> ).

In my Wireshark data, the same single IP address shows up with Echo (ping) every 0.5 seconds with this filter for 2 minutes.

(3) TCP Connect() scan: tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024 The post says: If we see too many packets of this kind in a short period of time, someone is most likely doing:

SYN scans in our network (e.g. by running nmap -sS <target> )
SYN port sweeps across the network (e.g. by running nmap -sS -pXX <subnet> )
SYN floods (denial of service technique)

In my Wireshark data, intermittently 0.1% of packets are seen with this filter.

(4) UDP port scan: icmp.type==3 and icmp.code==3 The post says: If we see a high number of these packets in our network in a short period of time, it most likely means someone is doing UDP port scans (e.g. by running nmap -sU <target> ).

In my Wireshark data, 31 packets are seen in 2 minutes.

(5) Unexplained packet loss: tcp.analysis.lost_segment or tcp.analysis.retransmission The post says: If we see many packet re-transmissions and gaps in the network communication (missing packets), it may indicate that there is a severe problem in the network, possibly caused by a denial of service attack.

Seeing such a situation in Wireshark certainly merits further investigation.

In my Wireshark data, 1055 packets are seen in 30 minutes. I was also facing this retransmission problem on my last Wi-Fi connection, which is why I changed internet service provider. Now the problem is less than that. At that time I knew someone had hacked my laptop. Hence I want to leave no doubt. Please suggest whether this is normal or whether I need to investigate further, and how. Thanks