Lesson 18
Wireshark Capture Analysis
Who Shot My Computer?
Overview
• System Information
• Network Information
• IO Analysis
• Significant Events
Tools Used
• WireShark
• EtherApe
• SNORT
• Grey Matter
System Information
• Host name: KAUFMANUPSTAIRS
• Time of Events: 3:30 - 3:38PM
• Number of Packets: 2449
• Total Bytes Captured: 811157
Analysis Summary
EtherApe View
Input/Output Analysis
IO Analysis 1
IO Analysis 2
DNS Resolution
Workstation (172.16.1.35) accesses DNS (172.16.0.1)
ARP (Address Resolution Protocol) resolves the MAC address of 00:40:ca:70:19:a3
Network Information
• Logical network
• External Connection
• Observed Protocols
Observed Network Addresses
• 172.16.0.1 – Gateway device – Homeportal.gateway.2wire.net
• 172.16.1.34
• 172.16.1.35 – TiVo Media Services
• 172.16.1.36
• 172.16.1.37
• 172.16.1.39
IP Address Resolution
Resolution requests for 172.16.1.34, .36, .37, and .39 were made.
No IP address was issued except for 172.16.1.35.
Gateway
wpad.gateway.2wire.net
Flow Analysis Internal
Endpoint Analysis-IPv4
Endpoint Analysis-TCP
Endpoint Analysis-UDP
External Connections
• 216.166.24.20 – RBFCU.ORG
• 152.163.15.208 – America Online
Flow Analysis External
Protocols Observed
HTTP Summary
HTTP Details
Significant Events
• Packet 73 – Anonymous FTP
• Packet 236 – HTTP
• Packet 958 – HTTPS
• Packet 1205 – TiVo
• Packet 1591 – IPv6
• Packets 1788 (Yahoo), 2123 (AOL), 2156 (AIM)
FTP
Packet 72 – FTP session was initiated with linux-wlan.org
Accessed using USER: anonymous, PSWD: IEUser@
TiVo
Packet 1205: DVR
IPv6
Packet 1591: an IPv6 Compaq peer detected
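As an added illustration (not part of the slides), a short Python pass over constructed tshark-style packet summaries that reproduces two of the checks the slides make: which ARP requests never got a reply, and which FTP session sent its credentials in the clear. The sample lines and the 203.0.113.10 FTP server address are made up.

```python
# Constructed sample in a tshark-style "frame|src|dst|proto|len|info" layout, using the
# addresses from the slides. 203.0.113.10 is a placeholder for the FTP server, whose IP
# the slides do not give; every line here is made up and is not the real capture.
SAMPLE = """\
12|172.16.1.35|172.16.0.1|DNS|74|Standard query A wpad.gateway.2wire.net
20|00:40:ca:70:19:a3|ff:ff:ff:ff:ff:ff|ARP|42|Who has 172.16.1.34? Tell 172.16.1.35
21|00:40:ca:70:19:a3|ff:ff:ff:ff:ff:ff|ARP|42|Who has 172.16.1.36? Tell 172.16.1.35
22|00:0d:72:11:22:33|ff:ff:ff:ff:ff:ff|ARP|42|Who has 172.16.1.35? Tell 172.16.0.1
23|00:40:ca:70:19:a3|00:0d:72:11:22:33|ARP|42|172.16.1.35 is at 00:40:ca:70:19:a3
72|172.16.1.35|203.0.113.10|FTP|66|Request: USER anonymous
73|172.16.1.35|203.0.113.10|FTP|68|Request: PASS IEUser@
236|172.16.1.35|216.166.24.20|HTTP|412|GET / HTTP/1.1
"""

def parse(text):
    """Split each summary line into a dict; frame number and length become ints."""
    rows = []
    for line in text.strip().splitlines():
        frame, src, dst, proto, length, info = line.split("|", 5)
        rows.append({"frame": int(frame), "src": src, "dst": dst,
                     "proto": proto, "len": int(length), "info": info})
    return rows

def unanswered_arp(pkts):
    """IPs that were asked for with 'Who has' but never answered with 'is at'."""
    asked, answered = set(), set()
    for p in pkts:
        if p["proto"] == "ARP" and p["info"].startswith("Who has "):
            asked.add(p["info"].split()[2].rstrip("?"))
        elif p["proto"] == "ARP" and " is at " in p["info"]:
            answered.add(p["info"].split()[0])
    return sorted(asked - answered)

def cleartext_ftp_logins(pkts):
    """Pair USER/PASS commands per client->server flow: (frame, server, user, password)."""
    pending, logins = {}, []
    for p in pkts:
        if p["proto"] != "FTP":
            continue
        flow = (p["src"], p["dst"])
        if "USER " in p["info"]:
            pending[flow] = p["info"].split("USER ", 1)[1]
        elif "PASS " in p["info"] and flow in pending:
            logins.append((p["frame"], p["dst"], pending.pop(flow),
                           p["info"].split("PASS ", 1)[1]))
    return logins

if __name__ == "__main__":
    pkts = parse(SAMPLE)
    print(unanswered_arp(pkts), cleartext_ftp_logins(pkts))
```

On the sample, only 172.16.1.35 answers its ARP request, matching the slides' observation that no other queried host replied.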
SNORT Analysis
Just Port Scans?
Summary
• Do Analysis of the facts
• Make No Assumptions
• What Story Does it tell?
• Can you tell the story or do you need more facts?
• Can you get the facts?
• From Where?