How to Analyze Network Traffic with Sniffers

Discussion in 'other firewalls' started by CloneRanger, May 19, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
He's kindly agreed for me to start the thread :thumb: So here it is, fire away with anything Sniffer etc. related :) At the moment I'm using the free WireShark, but I know there are other tools, both free & paid.

    Maybe you have a problem/issue, or two like me at the moment :p, you'd like to try & resolve, and/or you just want to dig deeper into seeing what's happening & attempt to make sense of it. If so, this thread's for you :)
     
    Last edited by a moderator: May 20, 2011
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,121
    Location:
    UK
    That link says no matches for me.
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I like the idea of creating a sniffer thread.
    Netwitness is something I would like to try out but I am not using Windows at the moment and maybe not in the near future, maybe in a month or so I'll have Windows installed again.
    Wireshark is quite cumbersome when you need to do any quick looks at packets with a large capture.
    Not to mention that you could be getting infected via encrypted content that bypasses all of the traditional signature detectors.
     
  4. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    456
    Location:
    England
I find Wireshark complex as a casual observer - but maybe a list of appropriate tools, and even an A, B, C beginner's guide in a few simple steps for the most basic and common/useful tasks, could be useful for the simpler programs?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is like any tool, you need to learn how to use it.
    I do not quite understand that statement.
Are you saying you allow encrypted traffic to/from unknown IPs/sites?
    If you have inbound encrypted traffic, how will that specific traffic/contents be able to (possibly) infect you without it first being decrypted? Once it is decrypted, then any internal scanner/HIPS should see the file(s) and act accordingly.


    - Stem
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What do you mean by "appropriate tools"? For what purpose?

When using Wireshark, by default it will capture all packets in order. When analyzing the log, use the various tools/functions to filter/show the info you are actually interested in. For a simple example: if you have a large log in Wireshark, but only want to see the IPs you have connected to, then you simply go to the "Statistics" menu and select "IP Destinations".

    - Stem
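
The "IP Destinations" summary Stem describes above is just a tally of the destination address in every IPv4 header of the capture. The following is an added example, not code from the thread or from the Wireshark project: a pure-standard-library reader for the classic pcap format that walks each record, skips non-IPv4 frames (ARP, IPv6, etc.), and counts destination addresses the same way. It builds its own small, constructed sample capture inline so it runs offline; the MAC addresses, IPs and timestamps in the sample are made up for illustration.

```python
"""Offline pcap reader that reproduces Wireshark's Statistics > IP Destinations tally.

Added example (not from the original thread). Pure standard library; no scapy or
tshark needed. Handles both pcap byte orders and stops cleanly on a truncated file.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src, dst, proto=6, payload=b""):
    """Construct a minimal Ethernet + IPv4 frame for the sample capture.
    Sample data only: MACs are arbitrary and the IP checksum is left as 0."""
    eth = (b"\x00\x11\x22\x33\x44\x55"            # destination MAC (arbitrary)
           + b"\x66\x77\x88\x99\xaa\xbb"          # source MAC (arbitrary)
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload),   # ver/IHL, TOS, total length
                         0, 0, 64, proto, 0,           # id, flags/frag, TTL, proto, csum
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return eth + ip_hdr + payload


def build_pcap(frames, little_endian=True):
    """Wrap raw frames in a pcap file (global header + one record per frame)."""
    e = "<" if little_endian else ">"
    out = struct.pack(e + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len; timestamps are constructed values
        out += struct.pack(e + "IIII", 1305792000 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap_frames(data):
    """Yield each frame's bytes from a pcap file, detecting byte order from the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(e + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                     # truncated capture: stop rather than mis-parse
        off += incl_len
        yield frame


def ipv4_destinations(data):
    """Count destination IPv4 addresses across the capture (the IP Destinations view)."""
    counts = Counter()
    for frame in iter_pcap_frames(data):
        if len(frame) < 14 + 20:
            continue                  # too short to hold Ethernet + IPv4 headers
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                  # ARP, IPv6, VLAN-tagged etc. are skipped
        ip = frame[14:]
        if ip[0] >> 4 != 4:
            continue
        counts[".".join(str(b) for b in ip[16:20])] += 1
    return counts


# Constructed sample capture: two HTTP-ish packets to one host, one UDP to a
# resolver, and one ARP frame that must be ignored by the tally.
SAMPLE_PCAP = build_pcap([
    build_ipv4_frame("192.168.1.10", "93.184.216.34", payload=b"GET / HTTP/1.1\r\n"),
    build_ipv4_frame("192.168.1.10", "93.184.216.34"),
    build_ipv4_frame("192.168.1.10", "8.8.8.8", proto=17),
    b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x06" + b"\x00" * 28,  # ARP
])

if __name__ == "__main__":
    for dst, n in ipv4_destinations(SAMPLE_PCAP).most_common():
        print(f"{dst:16} {n}")
```

Point the same function at a real file with `ipv4_destinations(open("capture.pcap", "rb").read())`. The pcapng format Wireshark writes by default in newer versions has a different block structure and is not handled by this reader; save as classic pcap (or convert) first.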
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
Weird! Is it working now? It worked fine for me when I tested it after you mentioned it, and still is.

    @ Searching_ _ _ & fad

    Re - WireShark = cumbersome/complex

I know what you mean ;) It does appear overwhelming at first, and I don't pretend to fully understand everything, but I'm able to decipher enough to help me with a number of questions I had :) As Stem :thumb: says, it's a learning curve, like anything new initially. If you're not sure of something, just ask & I'm sure "some" kind person/s will try to help ;)
     