Wireshark

Thread: Wireshark

  1. #1
    Member bradlesliect's Avatar
    Join Date
    Apr 2006
    Location
    CT - SA
    Posts
    74

    Wireshark

    Hi All,

    The age-old question about network abuse and security. What are the better or recommended network monitoring tools out there to accurately monitor internet traffic ONLY going IN and OUT of a network? The only thing acting as the firewall is the router. All internal addresses are being NATted and I need to see who is abusing the internet connection.

    I have logs which show some DoS attacks but I also have logs that show 4-8 GB of downloads in a week.

    The client primarily uses the internet connection to send email and has a staff complement of about 6, and the only things they should be receiving or sending are architectural drawings.

    I heard about Wireshark, but will it create a real-time log for me and would it be easy to analyse this log? Has anyone had any experience with Wireshark? What are your views?

    Looking for something simple but effective - I want to see connections, ports, downloads (if possible) and all the nice stuff to nail the suckers who've been making a sucker out of me!

    Any help will do!

    Thanks all!
    .....I rather not say....

  2. #2
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Wireshark is a great tool, but with a lot of features come chances of vulnerability. I personally like the tool and I'm a fan of it. However, I don't use it off the machine directly. You will not see real-time monitoring capability like a firewall showing you, in a simple GUI, ports and the apps using them or the hosts using them (in your case), but it will surely help you catch people.

    I use tcpdump or WinDump to capture traffic and use Wireshark to analyze it.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Wireshark gets quite messy, but you can tone it down quite a bit and just search for HTTP traffic...

    I'm sure there are software packages out there to monitor, though.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    "I also have logs that show 4-8 GB of downloads in a week."
    Are those really downloads or just traffic/bandwidth?

    4-8 GB gives an average of 6 GB / 6 people = 1 GB per week or 200 MB per day. That does not take very much to do with just a few Google searches, visiting a few customer/supplier websites and so on.

    The place I would start is by looking at the browser logs/history, the favourites list and the cookies...............that will probably tell you all you need to know
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Haha Nihil, if someone is downloading on the sly I'm sure they would have removed cookies and favourites....

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    "Haha Nihil, if someone is downloading on the sly I'm sure they would have removed cookies and favourites...."
    And sometimes the lack of evidence is all the evidence that you need?

    I am guessing that these people are not rocket scientists, so I doubt if they have taken any precautions.

    We are talking a small office here, not some anonymous college campus..........you threaten someone else's livelihood and expect consequences.........trust me!

    What I am suspecting is that they are just surfing the internet when they get bored............assuming that the activity is pretty even, that would easily explain 200 MB a day. I would bet that they don't even know that opening web pages takes up bandwidth and looks like a download.

    You need to be very careful in small office environments because you can easily make your position untenable.

    Just look at it...............the people sending and receiving architectural drawings are the ones earning the corporate revenue.............the IT support guy is just another overhead?

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Don't use wireshark for this, it's not meant to be a network monitoring solution, it's a protocol analyzer.

    Have a look at things like ntop, NetFlow and/or MRTG.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
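    The two suggestions above (capture with tcpdump/WinDump and analyze offline, or use a flow tool such as ntop to get per-host totals) can be combined in a few dozen lines. The script below is an added example, not code from any poster; it reads a classic libpcap file (what `tcpdump -w` writes), attributes each frame to the internal host behind the NAT, and totals bytes in and out per host and per external address:port, which is the "who is using the link" view a flow collector gives. It assumes the LAN is 192.168.1.0/24 (change `INTERNAL_NET`) and ships with a small constructed capture so it runs without a network interface; pcapng files and non-Ethernet link types are rejected rather than misparsed.

```python
import struct
import ipaddress
from collections import defaultdict

# Assumed LAN behind the NAT router; adjust to the real internal range.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


def iter_packets(data):
    """Yield (original_length, frame_bytes) for each record of a classic libpcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are supported")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield orig_len, data[off:off + incl_len]   # orig_len counts bytes even if snaplen cut the frame
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport) for IPv4 over Ethernet, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl + 4:
        return None
    proto = frame[23]
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    if proto not in (6, 17):            # only TCP/UDP carry port numbers
        return src, dst, proto, None, None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, proto, sport, dport


def summarize(pcap_bytes, internal_net=INTERNAL_NET):
    """Bytes in/out per internal host, and bytes per external (address, port)."""
    per_host = defaultdict(lambda: {"out": 0, "in": 0})
    per_remote = defaultdict(int)
    for orig_len, frame in iter_packets(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _proto, sport, dport = parsed
        if src in internal_net and dst not in internal_net:
            per_host[str(src)]["out"] += orig_len
            per_remote[(str(dst), dport)] += orig_len
        elif dst in internal_net and src not in internal_net:
            per_host[str(dst)]["in"] += orig_len
            per_remote[(str(src), sport)] += orig_len
        # LAN-to-LAN frames never cross the router, so they are not counted.
    return dict(per_host), dict(per_remote)


def top_talkers(per_host):
    return sorted(per_host.items(), key=lambda kv: kv[1]["in"] + kv[1]["out"], reverse=True)


# --- constructed sample capture (synthetic frames, not a real trace) ---------
def _frame(src, dst, sport, dport, payload_len):
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp + b"\x00" * payload_len


def sample_capture():
    frames = [
        _frame("192.168.1.10", "203.0.113.5", 50000, 443, 1000),   # .10 -> web server, 1054 bytes
        _frame("203.0.113.5", "192.168.1.10", 443, 50000, 1400),   # web server -> .10, 1454 bytes
        _frame("192.168.1.20", "198.51.100.7", 50001, 25, 200),    # .20 -> mail, 254 bytes
        _frame("192.168.1.10", "192.168.1.20", 50002, 445, 500),   # LAN only, ignored
        _frame("198.51.100.7", "192.168.1.20", 80, 50003, 1400),   # http -> .20, 1454 bytes
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_246_000_000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


if __name__ == "__main__":
    hosts, remotes = summarize(sample_capture())
    for host, counts in top_talkers(hosts):
        print(f"{host:16} out={counts['out']:>9} in={counts['in']:>9}")
```

    To use it on a real capture taken on the LAN side of the router, something like `tcpdump -i eth0 -s 0 -w link.pcap` on a box that sees the traffic (a mirror port or hub), then `summarize(open("link.pcap", "rb").read())`. Port 443 totals only tell you how much went to which server; the script cannot see what was fetched inside TLS, which is where a proxy log (post #10) does better.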

  8. #8
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    If you have the capture saved, you might try running it through NetWitness. It can help organize the mountain of information that wireshark will spit at you.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  9. #9
    Member bradlesliect's Avatar
    Join Date
    Apr 2006
    Location
    CT - SA
    Posts
    74
    Gees... this has become quite a contentious topic... I was looking at some NetFlow analyzer software, perhaps this would be better.... I need something real-time that would create a log but could be run in "stealth mode". I don't want the users to know it's on or be able to uninstall it...

  10. #10
    Junior Member
    Join Date
    Jun 2009
    Posts
    2
    Sounds like you might want Squid Proxy. It can be molded into many things, and works as a cache proxy all the while. You can run it in transparent mode and log all the Internet traffic in/out of a node.

    link to squid
    http://www.squid-cache.org/

    hope that helps a bit...
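    Once Squid is logging, the question "who downloaded the 4-8 GB" becomes a log-parsing job. The script below is an added example, not part of the post above or of the Squid project: it parses Squid's native access.log format (timestamp, elapsed ms, client, action/status, bytes sent, method, URL, ident, hierarchy/peer, content type), totals bytes per client and per site, flags single transfers over a threshold, and counts lines it could not parse instead of silently dropping them. The log lines are constructed for the example; the 10 MiB threshold is an assumed cut-off. Note that for HTTPS the proxy only sees a CONNECT tunnel to host:443, so bytes are attributed to the host but the URLs inside are not visible.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access.log lines in Squid's native format (not from a real proxy):
# timestamp elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1246000000.100    120 192.168.1.10 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1246000060.250  30500 192.168.1.10 TCP_MISS/200 52428800 GET http://mirror.example.net/iso/distro.iso - DIRECT/198.51.100.7 application/octet-stream
1246000120.300    900 192.168.1.20 TCP_MISS/200 2097152 GET http://mail.example.org/attach/plan-A12.dwg - DIRECT/203.0.113.9 application/acad
1246000180.400   5000 192.168.1.30 TCP_TUNNEL/200 734003200 CONNECT video.example.com:443 - DIRECT/203.0.113.77 -
1246000240.500     50 192.168.1.20 TCP_DENIED/403 1200 GET http://blocked.example.com/ - HIER_NONE/- text/html
this line is corrupt and must be skipped
"""

TEN_MIB = 10 * 1024 * 1024   # assumed threshold for "a big download"


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, _elapsed, client, status, size, method, url, _ident, _hier, ctype = parts[:10]
    try:
        ts = float(ts)
        size = int(size)
    except ValueError:
        return None
    if method == "CONNECT":
        # CONNECT lines carry "host:port" rather than a URL; the tunnel contents are opaque
        host = url.rsplit(":", 1)[0].lower()
    else:
        host = (urlsplit(url).hostname or url).lower()
    return {"ts": ts, "client": client, "status": status, "bytes": size,
            "method": method, "host": host, "type": ctype}


def summarize_access_log(lines, big_threshold=TEN_MIB):
    """Bytes per client IP and per destination host, plus large single transfers."""
    per_client = defaultdict(int)
    per_site = defaultdict(int)
    big = []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        per_client[rec["client"]] += rec["bytes"]
        per_site[rec["host"]] += rec["bytes"]
        if rec["bytes"] >= big_threshold:
            big.append((rec["client"], rec["host"], rec["bytes"], rec["type"]))
    return {"per_client": dict(per_client), "per_site": dict(per_site),
            "big": big, "skipped": skipped}


if __name__ == "__main__":
    report = summarize_access_log(SAMPLE_LOG.splitlines())
    for client, total in sorted(report["per_client"].items(), key=lambda kv: -kv[1]):
        print(f"{client:16} {total / 1_048_576:10.1f} MiB")
    for client, host, size, ctype in report["big"]:
        print(f"large transfer: {client} <- {host} {size} bytes ({ctype})")
    print(f"unparsed lines: {report['skipped']}")
```

    On a real box, feed it `open("/var/log/squid/access.log").readlines()` (path as Squid is configured on that system). A NATted LAN with one browser per desk gives one client IP per person, which is exactly the mapping needed to turn "4-8 GB a week" into a name.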
