Tuesday, April 28, 2015

Network Forensics using Packet Sniffer : Wireshark

Wireshark is an open source network packet analyzer available for most operating systems.

It captures network packets and displays the packet data in as much detail as possible.

Prominent features of Wireshark: 
  • Capture live packet data from a network interface. No Mirror port needed.
  • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
  • Import packets from text files containing hex dumps of packet data.
  • Display packets with very detailed protocol information.
  • Save captured packet data.
  • Export some or all packets in a number of capture file formats.
  • Filter packets on many criteria.
  • Search for packets on many criteria.
  • Colorize packet display based on filters.
  • Create various statistics.
What Wireshark does not provide:
  • Wireshark is just a packet analyzer and not an intrusion detection system, so it displays no warnings about the type of traffic passing through.
  • Wireshark will not manipulate things on the network, it will only "measure" things from it.
  • Wireshark doesn’t send packets on the network or do other active things (except for name resolutions, but even that can be disabled).
Anomaly detection using Wireshark:
  • Log analysis, correlation across sources, and recognition of recurring patterns help considerably in spotting any kind of anomaly across the environment.
  • Wireshark can be used as network forensic software to detect successful and unsuccessful breaches such as DoS, DDoS and data loss.
  • If malware is communicating with an external domain, analyzing the traffic leaving the system makes it possible to recognize the activity and to identify the malicious process or DLL behind that connection. Once the time of the event is known, the event logs can be searched for the process that initiated the communication, and analyzing that process makes it possible to identify the malware.
This presentation describes how to examine a slew of malicious traffic, customize Wireshark to detect these problems faster, and extract relevant information using command-line tools. It also describes how to detect anomalies just by analyzing the logs with the Wireshark packet sniffer.
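The workflow in the last bullet (spot suspicious outbound traffic in the capture, note its time, then search the host event logs for the process that opened the connection) can be scripted once the packet summaries have been exported from Wireshark. The Python below is an added example written for this post, not code from the presentation or from the Wireshark project. It assumes two comma-separated inputs, both constructed here for the example: packet summary lines as Wireshark or tshank-style field export would produce them (time, source, destination, destination port, info), and host network-connection events in a Sysmon-like shape (time, process, source, destination, destination port). The internal address range, the process name `updater.exe` and all addresses are made up; the flagging rule (external flows with at least four packets and nearly constant gaps between them) is a simple beaconing heuristic, not a Wireshark feature.

```python
"""Correlate exported Wireshark packet summaries with host event logs.

Two constructed data sets are embedded below so the script runs offline:
PACKETS mimics an exported packet list, EVENTS mimics host network
connection events. Both are invented samples, not real captures.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

TS = "%Y-%m-%d %H:%M:%S"
INTERNAL = ip_network("10.0.0.0/8")  # assumed site range for the sample

# Constructed packet summaries: time,src,dst,dport,info
PACKETS = """\
2015-04-28 10:00:00,10.0.0.5,198.51.100.23,443,TLS Client Hello
2015-04-28 10:00:03,10.0.0.5,10.0.0.1,53,DNS query A update.example.net
2015-04-28 10:05:00,10.0.0.5,198.51.100.23,443,TLS Client Hello
2015-04-28 10:10:00,10.0.0.5,198.51.100.23,443,TLS Client Hello
2015-04-28 10:12:17,10.0.0.5,203.0.113.9,80,HTTP GET /index.html
2015-04-28 10:15:00,10.0.0.5,198.51.100.23,443,TLS Client Hello
2015-04-28 10:20:00,10.0.0.5,198.51.100.23,443,TLS Client Hello
"""

# Constructed host events: time,process,src,dst,dport (process names invented)
EVENTS = """\
2015-04-28 09:59:59,updater.exe,10.0.0.5,198.51.100.23,443
2015-04-28 10:00:02,browser.exe,10.0.0.5,10.0.0.1,53
2015-04-28 10:12:16,browser.exe,10.0.0.5,203.0.113.9,80
"""


def parse_packets(text):
    """Parse exported packet summary lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        t, src, dst, dport, info = line.split(",", 4)  # info may contain commas
        rows.append({"time": datetime.strptime(t, TS), "src": src, "dst": dst,
                     "dport": int(dport), "info": info})
    return rows


def parse_events(text):
    """Parse host network-connection events into dicts."""
    rows = []
    for line in text.strip().splitlines():
        t, proc, src, dst, dport = line.split(",")
        rows.append({"time": datetime.strptime(t, TS), "process": proc,
                     "src": src, "dst": dst, "dport": int(dport)})
    return rows


def find_beacons(packets, min_hits=4, max_cv=0.1):
    """Return {flow: mean gap in seconds} for flows to external hosts whose
    inter-packet gaps are nearly constant (coefficient of variation <= max_cv)."""
    flows = defaultdict(list)
    for p in packets:
        if ip_address(p["dst"]) not in INTERNAL:
            flows[(p["src"], p["dst"], p["dport"])].append(p["time"])
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


def processes_for_flow(flow, packets, events, window=timedelta(seconds=5)):
    """Names of processes that opened a connection to the flow's destination
    within `window` of any packet of that flow."""
    src, dst, dport = flow
    hits = set()
    for p in packets:
        if (p["src"], p["dst"], p["dport"]) != flow:
            continue
        for e in events:
            if (e["dst"], e["dport"]) == (dst, dport) and \
               p["time"] - window <= e["time"] <= p["time"] + window:
                hits.add(e["process"])
    return hits


def analyse(packet_text=PACKETS, event_text=EVENTS):
    """Flag beaconing flows and attribute each to the host process behind it."""
    packets = parse_packets(packet_text)
    events = parse_events(event_text)
    report = {}
    for flow, period in find_beacons(packets).items():
        report[flow] = {"period_s": period,
                        "processes": sorted(processes_for_flow(flow, packets, events))}
    return report


if __name__ == "__main__":
    for flow, detail in analyse().items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]} every {detail['period_s']:.0f}s, "
              f"opened by {detail['processes'] or 'unknown process'}")
```

On the sample data the script reports one flow, 10.0.0.5 to 198.51.100.23:443 every 300 seconds, attributed to `updater.exe`; the single HTTP request and the internal DNS query are not flagged. The time window is what ties the two sources together, so clock skew between the capture host and the endpoint should be measured before trusting the attribution.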




Courtesy : Laura Chappell
