
How to set up Wireshark with machine-in-the-middle PC?


eth3real


Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Dec 29, 2010 4:43 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

macattack wrote: I wish there was a way to ensure there are no keyloggers on a computer. What do organizations do to guarantee they don't have this kind of problem?

Is there a service that can inspect and guarantee removal?


Is there something keeping you from formatting the drive and reinstalling the operating system? That should have been your first choice if you think there is malware on your system. That is the only guaranteed way to remove a potential threat.
Put that in your pipe and grep it!

eth3real


Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Wed Dec 29, 2010 5:07 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

macattack wrote: I've been looking for rare flashes on my router coming from my Mac that don't show up on my app firewall reporting tool (Little Snitch).


A few questions about this:

• Does "Little Snitch" periodically check for updates?
• Is it set to allow your web browser permanent access to the internet?
• If so, is the browser periodically checking for updates?
• If you still have the browser open, could it be refreshing websites?
• Could there be any other Google products installed, which you have allowed access through "Little Snitch", that might be checking for updates?
Put that in your pipe and grep it!

rattis


Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Dec 29, 2010 5:13 pm

Re: How to set up Wireshark with machine-in-the-middle PC?

If you really want an idea of what your box is doing, close all the apps you have running (except Wireshark) and let it run overnight.

Depending on WHAT on your router is flashing, it could just be keep-alives or some other background noise to keep your system up to date.

Running Wireshark overnight will give you a lot of data to look at, but if you want to learn how to do analysis you'll need the practice anyway.
OSWP, Sec+

macattack

Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Fri Dec 31, 2010 8:09 am

Re: How to set up Wireshark with machine-in-the-middle PC?

"Does "Little Snitch" periodically check for updates"
Yes, but it's auto-updates are turned off.

"Is it set to allow your web browser permanent access to the internet"
Yes but it reports every time the browser accesses and where it connects.

"Running wireshark over night..."
Will try out tonight.  And will look into Snort and sgutil.

Thanks again

WCNA


Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Wed Mar 02, 2011 8:39 am

Re: How to set up Wireshark with machine-in-the-middle PC?

This thread is old but I've got to start somewhere and maybe this will help someone else.

"I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router."

As another commenter suggested, the way to go in your situation is to set up Wireshark on your machine and then choose the interface you want to capture traffic on. While it may be possible for malware to mess with Wireshark, it's highly unlikely as black hats are usually looking for a different type of user to abuse. As the saying goes, packets don't lie.

"What type of router/switch are we talking about?"

Most managed switches have port monitoring. A hub is another route, but there are quite a few hubs out there that are actually switches. The proper way would be to buy an aggregating tap like those from netoptics.com. Personally, I use the small MikroTik RB750 as a tap. You can build a tap, but it will only be half-duplex.

"I get a lot of black with red text..."


Always bad. The default color rules have some bad traffic labeled as black/red. You can always tell what a coloring rule is based on by looking at the bottom of the list in the frame section or clicking on the coloring rules button. If you see striping in a trace, it is almost always bad. The trace you provided isn't large enough to get a full picture of what is going on with your machine. Use the display filters to get a clearer picture. If you don't know how, get the wireshark book or get the training at chappellu.com. I took her all-access course and it taught me quite a lot about the packet level and protocols. Wireshark is easy to use but packet tracing and deciphering what you see in front of you is an art form. It's easy to get lost with all that data but the packets will tell you absolutely what is going on, if you can figure it out. Packets don't lie. Packet 5 has a window size of 128 and you have essentially hit a zero window and will start dropping packets, hence the 2 out-of-order packets that follow it.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
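An added example, not code from anyone in this thread: two pieces of analysis the posts above ask for, done on a pcap rather than by eye. rattis suggests capturing overnight with every application closed; what you then want is a per-destination summary with inter-arrival times, because a "rare flash" that recurs at a fixed interval is a timer (an update check, a keep-alive) rather than a person. WCNA points at display filters and at zero-window conditions; the same decoded packets let you list the frames whose TCP header advertises a window of 0. The script below reads classic pcap (the format `tshark -w` writes when given `-F pcap`; pcapng is rejected with a message), decodes Ethernet/IPv4/TCP/UDP just far enough to get addresses, ports and the TCP window, and embeds a hand-constructed capture so it runs offline. The addresses (10.0.0.5 for the Mac, 10.0.0.1 for the router, 203.0.113.10 and 203.0.113.20 for remote hosts) and the ten-minute check-in interval are assumptions made for the example.

```python
# Added example (not from the forum thread): summarise a pcap by remote endpoint to find
# periodic "flashes", and flag TCP segments that advertise a zero receive window.
import struct
from collections import defaultdict

LOCAL_IP = "10.0.0.5"   # assumed address of the Mac being watched (placeholder for the example)

# Minimal packet builders, used only to construct the sample capture below.
def ethernet(payload):
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + payload

def ipv4(src, dst, proto, payload):
    addr = lambda a: bytes(int(o) for o in a.split("."))
    # Header checksum left as 0: this is a synthetic capture, nothing validates it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       addr(src), addr(dst)) + payload

def tcp(sport, dport, window):          # PSH|ACK, no options, no payload
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, window, 0, 0)

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def build_pcap(records):
    """records: (seconds, microseconds, frame bytes) -> classic little-endian pcap, linktype 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# The analysis part: this is what you would point at the overnight capture.
def parse_pcap(data):
    """Return [(timestamp, frame bytes), ...] from a classic pcap (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap; capture with 'tshark -F pcap -w' or convert first")
    packets, offset = [], 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        packets.append((sec + usec / 1e6, data[offset:offset + incl_len]))
        offset += incl_len
    return packets

def decode(frame):
    """Decode Ethernet/IPv4 plus TCP or UDP ports; None for anything else (ARP, IPv6, ...)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 8:
        return None
    l4 = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", l4, 0)
    window = struct.unpack_from("!H", l4, 14)[0] if proto == 6 and len(l4) >= 20 else None
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "proto": proto, "sport": sport, "dport": dport, "window": window}

def is_periodic(gaps, tolerance=0.1):
    """True when every inter-arrival gap is within 10% of the mean: a timer, not a user."""
    if len(gaps) < 2:
        return False
    mean = sum(gaps) / len(gaps)
    return all(abs(g - mean) <= tolerance * mean for g in gaps)

def summarise(packets, local_ip=LOCAL_IP):
    """Group outbound packets by (dst, proto, dport) with counts and inter-arrival gaps."""
    flows = defaultdict(list)
    for ts, frame in packets:
        pkt = decode(frame)
        if pkt and pkt["src"] == local_ip:
            flows[(pkt["dst"], pkt["proto"], pkt["dport"])].append(ts)
    report = {}
    for key, times in flows.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[key] = {"count": len(times), "gaps": gaps, "periodic": is_periodic(gaps)}
    return report

def zero_window_frames(packets):
    """1-based frame numbers (as Wireshark shows them) of TCP segments advertising window 0."""
    hits = []
    for number, (_, frame) in enumerate(packets, 1):
        pkt = decode(frame)
        if pkt and pkt["proto"] == 6 and pkt["window"] == 0:
            hits.append(number)
    return hits

# Constructed sample capture: four check-ins to 203.0.113.10:443 exactly ten minutes apart,
# one DNS query to the router, and a short web exchange where the server advertises window 0.
SAMPLE_RECORDS = [
    (0,    0,      ethernet(ipv4(LOCAL_IP, "203.0.113.10", 6, tcp(50000, 443, 65535)))),
    (3,    0,      ethernet(ipv4(LOCAL_IP, "10.0.0.1",     17, udp(53001, 53)))),
    (5,    0,      ethernet(ipv4(LOCAL_IP, "203.0.113.20", 6, tcp(50001, 80, 65535)))),
    (5,    200000, ethernet(ipv4("203.0.113.20", LOCAL_IP, 6, tcp(80, 50001, 0)))),
    (600,  0,      ethernet(ipv4(LOCAL_IP, "203.0.113.10", 6, tcp(50002, 443, 65535)))),
    (1200, 0,      ethernet(ipv4(LOCAL_IP, "203.0.113.10", 6, tcp(50003, 443, 65535)))),
    (1800, 0,      ethernet(ipv4(LOCAL_IP, "203.0.113.10", 6, tcp(50004, 443, 65535)))),
]
PACKETS = parse_pcap(build_pcap(SAMPLE_RECORDS))

if __name__ == "__main__":
    for (dst, proto, port), info in summarise(PACKETS).items():
        tag = "PERIODIC" if info["periodic"] else ""
        print(f"{dst}:{port}/{'tcp' if proto == 6 else 'udp'}  count={info['count']}  {tag}")
    print("zero-window frames:", zero_window_frames(PACKETS))
```

On the sample data the 443 flow is reported as PERIODIC (three gaps of exactly 600 s) while the DNS query and the web exchange are not, and frame 4 is listed as the zero-window segment; in Wireshark itself the equivalent check is the display filter `tcp.analysis.zero_window` (or `tcp.window_size == 0`). To produce input for this, capture with `tshark -i <interface> -F pcap -w overnight.pcap` and replace `PACKETS` with `parse_pcap(open("overnight.pcap", "rb").read())`; a real overnight capture will also contain ARP and IPv6, which `decode` deliberately skips.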