Hi, I am a beginner learning to use Wireshark to detect network vulnerabilities. Once I capture a packet, can anybody tell me one way I can detect unusual traffic in the captured data? Thanks, James asked 27 Mar '14, 12:50 koel26
One Answer:
Well, unusual means different things in different networks. If you only have Windows hosts on your network, SSH (Secure Shell traffic) or X11 could be 'unusual'. If you have only Linux, Unix or *BSD systems on your network, Netbios could be 'unusual'. As you see, it depends on the definition of 'unusual' and the environment you are looking at. To answer your question: you will be able to detect unusual traffic in networks if you have a lot of experience with networking in general and typical networking protocols. With that kind of knowledge you will sometimes spot things in a capture file that shouldn't be there. Unfortunately, there is no 'simple' method or best practice for what to look for. So, here is how you will get that experience:
To be honest: I would not use Wireshark to detect 'network vulnerabilities' (can you please define what that means for you?). There are better tools for that, like IPS/IDS, anomaly detection tools, etc. Just google/bing those terms and you should find some information. Regards answered 27 Mar '14, 13:22 Kurt Knochner ♦ edited 27 Mar '14, 14:40
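The answer's point that 'unusual' is relative to the environment can be made concrete with a small baseline check. The following is an added example, not code from the thread or from Wireshark: it classifies constructed flow records by well-known destination port and flags the protocols that fall outside an assumed per-environment baseline (the port map, the baselines and the sample flows are all assumptions made for illustration).

```python
# Added example: flag protocols that are "unusual" relative to a per-environment
# baseline, using constructed flow records (not real capture data).
from collections import Counter

# Assumption: well-known destination ports identify the protocol.
PORT_PROTOCOLS = {
    22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS",
    137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 445: "SMB",
}
PORT_PROTOCOLS.update({p: "X11" for p in range(6000, 6064)})

# Expected protocols per environment. These baselines are assumptions that
# mirror the answer's examples (SSH/X11 odd on Windows-only, NetBIOS odd on Unix-only).
BASELINES = {
    "windows_only": {"DNS", "HTTP", "HTTPS", "NetBIOS", "SMB"},
    "unix_only": {"DNS", "HTTP", "HTTPS", "SSH", "X11"},
}


def classify(dst_port):
    """Map a destination port to a protocol name, or mark it unknown."""
    return PORT_PROTOCOLS.get(dst_port, f"unknown/{dst_port}")


def protocol_counts(flows):
    """Count flows per protocol; flows are (src, dst, dst_port) tuples."""
    return Counter(classify(port) for _, _, port in flows)


def unusual_protocols(flows, environment):
    """Return {protocol: count} for protocols outside the environment's baseline."""
    baseline = BASELINES[environment]
    return {proto: n for proto, n in protocol_counts(flows).items()
            if proto not in baseline}


# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    ("192.0.2.5", "192.0.2.1", 53),
    ("192.0.2.5", "192.0.2.10", 443),
    ("192.0.2.7", "192.0.2.9", 445),
    ("192.0.2.7", "192.0.2.9", 139),
    ("192.0.2.12", "192.0.2.20", 22),
    ("192.0.2.12", "192.0.2.20", 6000),
]

if __name__ == "__main__":
    for env in BASELINES:
        print(env, "->", unusual_protocols(SAMPLE_FLOWS, env))
```

The same six flows produce different 'unusual' sets depending on which baseline is assumed, which is the point the answer makes.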