EH-Net

I'm not skilled in networking, but I have some of the basics.  I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router.  I have a separate Windows machine I can use for this.  From what I've read here:

http://wiki.wireshark.org/CaptureSetup/Ethernet

I need another NIC card in my Windows machine  in order to complete the setup.  Thing is, I don't really know how to set it up in Wireshark.  It would be great if someone held my hand and stepped it out, but this may be unrealistic.  If so, can someone point me on the direction to learn how to do this?  I've been able to observe the traffic on the Windows machine Wireshark is installed on, but not the Mac.

In case your curious, I believe I may have malware on my Mac connecting to the network, and I want to monitor the traffic to determine if my hunch is correct.

Thanks in advance.

Why don't you install Wireshark on your Macintosh? That would be where I began....

In my searches, I read somewhere that I should use a separate machine for 'sniffing' the packets.

Perhaps this is due to the possibility of malicious software interfering with the results?  I don't know why it was suggested.

Incidentally, I did install Wireshark on my Mac...but apparently it's quite difficult to get set up properly with the correct permissions.  I read a few blog posts on it and even they seemed cryptic.

Abou that time I read the suggestion for a separate machine, and Wireshark works beautifully on my Windows PC, so I thought I'd go with that setup instead.

I would also start with getting Wireshark to work on the Mac. But, if you put both machines on a network hub (not a switch), you should be able sniff the packets without two NICs on your PC.

What type of router/switch are we talking about?

If you have Cisco gear, it's pretty easy to setup a spanning port. If your talking about a Linksys/D-Link (or similiar) router, its a bit more difficult/less reliable.

Do some searches on arp spoofing. You'll find a ton of "how-to's". If you don't want to do arp spoofing, you can route your traffic from the Mac to your Windows box, but I do believe you'll need multiple NIC's on the Windows box at that point.

I think the first question, out of all the ways you could capture the data, why you want to do a man-in-the-middle?

this link will tell you how to bridge the connection, after you get the second wireless card.

http://www.windowsnetworking.com/articles_tutorials/wxpbrdge.html

Other ways of doing what you want, which will be better in my opinion:

- Use a hub (not a switch), which are harder to get these days, but can be done.

- build a network tap (I like this option the most). Little bit of physical hardware hacking and you can get some neat options.

When you do this, other than the M-I-T-M, you'll probably not want to configure your network interface card. It keeps traffic like arp and the like for the card, out of the capture. Just set the card to unconfigured and let it capture all the traffic coming to it. Promiscuous mode will probably work better.

Thanks for all the advice.  The link to the bridge setup is very helpful.

Can someone recommend a good hub to purchase online?  Preferably a lower-cost one.   Newegg, Amazon, Etc.

There are few ways of doing so as already described by many guys
Like getting a Hub
Arpspoof
Span port -- high end routers.

But much before all that you should learn about switching and routing at the least how they work and why a Hub is required to sniff out things. The best learning in hacking is not to just know how to use tools but to know how things work and then how the tools works.

Just a little addition of my experience

I got Wireshark running (finally) on my Mac.

Sadly, I'm left with more questions than answers.

I've been looking for rare flashes on my router coming from my mac that don't show up on my app firewall reporting tool (Little Snitch).  When it occurred with wireshark, I get a lot of black with red text going to Google of all places:

1   0.000000000   209.85.231.148   192.168.1.2   TCP   http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

2   0.000099000   192.168.1.2   209.85.231.148   TCP   49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

4   0.166031000   192.168.1.2   72.14.203.102   TCP   49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

5   1.733916000   209.85.231.148   192.168.1.2   TCP   https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

6   1.733920000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

7   1.733924000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

8   1.734040000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

9   1.734112000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

10   1.734156000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

11   1.735159000   192.168.1.2   209.85.231.148   TCP   49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

All are red except 1 & 3 (green) and 5 (gray).

Does this seem normal or is it worth looking into more?

I don't know what the colors mean. Never have. :)

But if you click the packet you can drill down into the details more and see.

I don't know about Macs, but on Linux and Windows you can use tools like Netackview and TPCview to see what is causing the connections in the background.

netstat might do the job from a command line window.

*edit
Not having a mac, I'm not familiar with little snitch, not sure if it has the stream program feature, but even then try netstat -tpan from the cli.

red and black wireshark:
http://www.networkworld.com/community/node/45655

Normal traffic but you're not giving enough for anyone to go by. You're entire network capture simply shows a connection between your machine and Google so here is the breakdown of what occurred:


1   0.000000000   209.85.231.148   192.168.1.2   TCP   http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

Google is attempting to close the connection to Google via the web... (FIN, ACK)


2   0.000099000   192.168.1.2   209.85.231.148   TCP   49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

Your machine is still trying to connect to Google however, since no SYN is seen, solely another ACK, Google's FIN will never timeout and the connection won't close.


4   0.166031000   192.168.1.2   72.14.203.102   TCP   49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

Your machine is still trying to connect to Google as no SYN is seen, solely another ACK... same as above


5   1.733916000   209.85.231.148   192.168.1.2   TCP   https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

Google is waiting for an HTTPS session to close (maybe GMail or Google talk, one of them) this is evident by the FIN, ACK packet


6   1.733920000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

Google is telling you that you that there is likely packet loss as your packets are arriving "Out of order"


7   1.733924000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

Google is telling you that you that there is likely packet loss as your packets are arriving "Out of order"


8   1.734040000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

Your machine is still trying to connect to Google via https


9   1.734112000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

Your machine is still trying to connect to Google via https


10   1.734156000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

Your machine is still trying to connect to Google via https


11   1.735159000   192.168.1.2   209.85.231.148   TCP   49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

Your machine is trying to close the connection to Google.

Why is your machine trying to send such big windows sizes? In your terminal just type: sudo sysctl -w net.inet.tcp.rfc1323=1

http://en.wikipedia.org/wiki/TCP_window_scale_option

"...you're not giving enough for anyone to go by."

I was hoping it was enough info to ensure data wasn't being transmitted to a malicious server, possibly through a keylogger or something else.  Does the info provided allow to confirm that isn't happening?

Great description of the traffic BTW.  Thank you very much.

"maybe GMail or Google talk"
Was encrypted search (Beta).  Just left the window open and waited for the led light to flash on my router without Little Snitch reporting it.  Then stopped the capture and examined it.

"Why is your machine trying to send such big windows sizes?"

I have no idea.  This is fresh install of Snow Leopard (on a new machine).  I'm guessing it's the default for Chrome?

On the CL
sysctl net.inet.tcp.rfc1323
Returns:
net.inet.tcp.rfc1323: 1

I will sudo the command though.

"try netstat -tpan from the cli."
Responds with:
netstat: an: unknown or uninstrumented protocol

"But if you click the packet you can drill down into the details more and see."

The only thing interesting I saw was this:
Header checksum: 0x000 Incorrect, should be 0x1da9 (or similar)
This was basically the same for 2, 4, 8, 9, 10, and 11.

There's no definitive way to determine this because of TLS for one, secondly, you didn't give enough data. If you think that "oh, its only Google..." then you're in for a surprise, How do you know someone didn't compromise a machine at Google and client side you? (http://threatpost.com/en_us/blogs/inside-aurora-google-attack-malware-011910) There is no definitive way to determine WHAT data inside of encrypted packets were sent. The LIKELIHOOD of it being something malicious is altogether different. What I can tell is that it's just a funky connection with some packet loss.

So perhaps I should log into google via non-https, wait for the LED flash, and check the packets?

Still wouldn't guarantee there isn't a keylogger or something else.

Anti-virus isn't foolproof to find or remove any, either.

I wish there was a way to ensure there are no keyloggers on a computer.  What do organizations do to guarantee they don't have this kind of problem?

Is there a service that can inspect and guarantee removal?

I'm reaching here I guess.

You seemed to be confused about what a keylogger typically does. Most keyloggers record your keystrokes to a FILE located ON your machine and then transfer that file elsewhere. Trying to dissect every single connection that your machine makes would drive you insane. As a test, pick a date that you KNOW you will NOT be using your machine. On that date, start up tcpdump or Wireshark to catch what is going on... Let it run all day if possible, then try making sense of it afterwards. My suggestions, use Netwitness Investigator + Wireshark.

One would be surprised to see the amount of connections coming in and out of a machine without any intervention. If you 'assume' something odd is occurring, throw on Snort as an EXTRUSION detection system, fire up SGUIL. Invert the rules so you can see and log what occurs on outbound connections. This is your best bet to see any truly anomalous connections.

Is there something keeping you from formatting the drive and reinstalling the operating system? That should have been your first choice if you think there is malware on your system. That is the only guaranteed way to remove a potential threat.

A few questions about this:

• Does "Little Snitch" periodically check for updates?
• Is it set to allow your web browser permanent access to the internet?
• If so, is the browser periodically checking for updates?
• If you still have browser open, could it be refreshing websites?
• Could there be any other Google products installed, which you have allowed access through "Little Snitch", that might be checking for updates?

if you really want an idea of what your box is doing. Close all the apps you have running (except wireshark) and let it run over night.

Depending WHAT on your router is flashing, it could just be keep alives or some other background noise to keep your system up to date.

Running wireshark over night will give you a lot of data to look at, but if you want to learn how to do analysis you'll need the practice anyway.

"Does "Little Snitch" periodically check for updates"
Yes, but it's auto-updates are turned off.

"Is it set to allow your web browser permanent access to the internet"
Yes but it reports every time the browser accesses and where it connects.

"Running wireshark over night..."
Will try out tonight.  And will look into Snort and sgutil.

Thanks again

This thread is old but I've got to start somewhere and maybe this will help someone else.

"I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router."

As another commenter suggested, the way to go in your situation is to set up Wireshark on your machine and then choose the interface you want to capture traffic on. While it may be possible for malware to mess with Wireshark, it's highly unlikely as black hats are usually looking for a different type of user to abuse. As the saying goes, packets don't lie.

"What type of router/switch are we talking about?"

Most managed switches have port monitoring. A hub is another route but there are quite a few hubs out there that are actually switches. The proper way would be to buy an aggregating tap like netoptics.com. Personally, I use the small mikrotik rb750 as a tap. You can build a tap but it will only be half-duplex.

"I get a lot of black with red text..."


Always bad. The default color rules have some bad traffic labeled as black/red. You can always tell what a coloring rule is based on by looking at the bottom of the list in the frame section or clicking on the coloring rules button. If you see striping in a trace, it is almost always bad. The trace you provided isn't large enough to get a full picture of what is going on with your machine. Use the display filters to get a clearer picture. If you don't know how, get the wireshark book or get the training at chappellu.com. I took her all-access course and it taught me quite a lot about the packet level and protocols. Wireshark is easy to use but packet tracing and deciphering what you see in front of you is an art form. It's easy to get lost with all that data but the packets will tell you absolutely what is going on, if you can figure it out. Packets don't lie. Packet 5 has a window size of 128 and you have essentially hit a zero window and will start dropping packets, hence the 2 out-of-order packets that follow it.