I'm not skilled in networking, but I have some of the basics.  I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router.  I have a separate Windows machine I can use for this.  From what I've read here:

http://wiki.wireshark.org/CaptureSetup/Ethernet

I need another NIC card in my Windows machine  in order to complete the setup.  Thing is, I don't really know how to set it up in Wireshark.  It would be great if someone held my hand and stepped it out, but this may be unrealistic.  If so, can someone point me on the direction to learn how to do this?  I've been able to observe the traffic on the Windows machine Wireshark is installed on, but not the Mac.

In case your curious, I believe I may have malware on my Mac connecting to the network, and I want to monitor the traffic to determine if my hunch is correct.

Thanks in advance.

In my searches, I read somewhere that I should use a separate machine for 'sniffing' the packets.

Perhaps this is due to the possibility of malicious software interfering with the results?  I don't know why it was suggested.

Incidentally, I did install Wireshark on my Mac...but apparently it's quite difficult to get set up properly with the correct permissions.  I read a few blog posts on it and even they seemed cryptic.

Abou that time I read the suggestion for a separate machine, and Wireshark works beautifully on my Windows PC, so I thought I'd go with that setup instead.

What type of router/switch are we talking about?

If you have Cisco gear, it's pretty easy to setup a spanning port. If your talking about a Linksys/D-Link (or similiar) router, its a bit more difficult/less reliable.

Do some searches on arp spoofing. You'll find a ton of "how-to's". If you don't want to do arp spoofing, you can route your traffic from the Mac to your Windows box, but I do believe you'll need multiple NIC's on the Windows box at that point.

Thanks for all the advice.  The link to the bridge setup is very helpful.

Can someone recommend a good hub to purchase online?  Preferably a lower-cost one.   Newegg, Amazon, Etc.

I got Wireshark running (finally) on my Mac.

Sadly, I'm left with more questions than answers.

I've been looking for rare flashes on my router coming from my mac that don't show up on my app firewall reporting tool (Little Snitch).  When it occurred with wireshark, I get a lot of black with red text going to Google of all places:

1   0.000000000   209.85.231.148   192.168.1.2   TCP   http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

2   0.000099000   192.168.1.2   209.85.231.148   TCP   49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

4   0.166031000   192.168.1.2   72.14.203.102   TCP   49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

5   1.733916000   209.85.231.148   192.168.1.2   TCP   https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

6   1.733920000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

7   1.733924000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

8   1.734040000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

9   1.734112000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

10   1.734156000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

11   1.735159000   192.168.1.2   209.85.231.148   TCP   49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

All are red except 1 & 3 (green) and 5 (gray).

Does this seem normal or is it worth looking into more?

Normal traffic but you're not giving enough for anyone to go by. You're entire network capture simply shows a connection between your machine and Google so here is the breakdown of what occurred:


1   0.000000000   209.85.231.148   192.168.1.2   TCP   http > 49194 [FIN, ACK] Seq=1 Ack=1 Win=8190 Len=0

Google is attempting to close the connection to Google via the web... (FIN, ACK)


2   0.000099000   192.168.1.2   209.85.231.148   TCP   49194 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

Your machine is still trying to connect to Google however, since no SYN is seen, solely another ACK, Google's FIN will never timeout and the connection won't close.


4   0.166031000   192.168.1.2   72.14.203.102   TCP   49166 > http [ACK] Seq=1 Ack=2 Win=65535 Len=0

Your machine is still trying to connect to Google as no SYN is seen, solely another ACK... same as above


5   1.733916000   209.85.231.148   192.168.1.2   TCP   https > 49223 [FIN, ACK] Seq=1 Ack=1 Win=128 Len=0 TSV=2459718423 TSER=112577780

Google is waiting for an HTTPS session to close (maybe GMail or Google talk, one of them) this is evident by the FIN, ACK packet


6   1.733920000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

Google is telling you that you that there is likely packet loss as your packets are arriving "Out of order"


7   1.733924000   209.85.231.148   192.168.1.2   TLSv1   [TCP Out-Of-Order] Application Data

Google is telling you that you that there is likely packet loss as your packets are arriving "Out of order"


8   1.734040000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967199 Win=65535 Len=0 TSV=112580177 TSER=2459478419

Your machine is still trying to connect to Google via https


9   1.734112000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=4294967260 Win=65528 Len=0 TSV=112580177 TSER=2459718423

Your machine is still trying to connect to Google via https


10   1.734156000   192.168.1.2   209.85.231.148   TCP   49223 > https [ACK] Seq=1 Ack=2 Win=65523 Len=0 TSV=112580177 TSER=2459718423

Your machine is still trying to connect to Google via https


11   1.735159000   192.168.1.2   209.85.231.148   TCP   49223 > https [FIN, ACK] Seq=1 Ack=2 Win=65535 Len=0 TSV=112580177 TSER=2459718423

Your machine is trying to close the connection to Google.

Why is your machine trying to send such big windows sizes? In your terminal just type: sudo sysctl -w net.inet.tcp.rfc1323=1

http://en.wikipedia.org/wiki/TCP_window_scale_option

There's no definitive way to determine this because of TLS for one, secondly, you didn't give enough data. If you think that "oh, its only Google..." then you're in for a surprise, How do you know someone didn't compromise a machine at Google and client side you? (http://threatpost.com/en_us/blogs/inside-aurora-google-attack-malware-011910) There is no definitive way to determine WHAT data inside of encrypted packets were sent. The LIKELIHOOD of it being something malicious is altogether different. What I can tell is that it's just a funky connection with some packet loss.

You seemed to be confused about what a keylogger typically does. Most keyloggers record your keystrokes to a FILE located ON your machine and then transfer that file elsewhere. Trying to dissect every single connection that your machine makes would drive you insane. As a test, pick a date that you KNOW you will NOT be using your machine. On that date, start up tcpdump or Wireshark to catch what is going on... Let it run all day if possible, then try making sense of it afterwards. My suggestions, use Netwitness Investigator + Wireshark.

One would be surprised to see the amount of connections coming in and out of a machine without any intervention. If you 'assume' something odd is occurring, throw on Snort as an EXTRUSION detection system, fire up SGUIL. Invert the rules so you can see and log what occurs on outbound connections. This is your best bet to see any truly anomalous connections.