How to Analyze Network Traffic with Sniffers

Discussion in 'other firewalls' started by CloneRanger, May 19, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    He's kindly agreed for me to start the thread :thumb: So here it is, fire away with anything Sniffer etc. related :) At the moment I'm using the free WireShark, but I know there are other tools, both free & paid.

    Maybe you have a problem/issue, or 2 like me at the moment :p you'd like to try & resolve and/or just dig deeper into seeing what's happening, & attempting to make sense of it. If so, this thread's for you :)
     
    Last edited by a moderator: May 20, 2011
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,304
    Location:
    England
    That link says no matches for me.
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I like the idea of creating a sniffer thread.
    Netwitness is something I would like to try out but I am not using Windows at the moment and maybe not in the near future, maybe in a month or so I'll have Windows installed again.
    Wireshark is quite cumbersome when you need to do any quick looks at packets with a large capture.
    Not to mention that you could be getting infected via encrypted content that bypasses all of the traditional signature detectors.
     
  4. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    378
    Location:
    England
    I find Wireshark complex as a casual observer - but maybe a list of appropriate tools, and even an A, B, C beginners' guide in a few simple steps for the most basic and common/useful tasks, could be useful for the simpler programs?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is like any tool, you need to learn how to use it.
    I do not quite understand that statement.
    Are you saying you allow encrypted traffic to/from unknown IPs/sites.
    If you have inbound encrypted traffic, how will that specific traffic/contents be able to (possibly) infect you without it first being decrypted? Once it is decrypted, then any internal scanner/HIPS should see the file(s) and act accordingly.


    - Stem
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What do you mean by "appropriate tools"? For what purpose?

    When using Wireshark, by default it will capture all packets in order. When analyzing the log, use the various tools/functions to filter/show the info you are actually interested in. For a simple example: if you have a large log in Wireshark, but only want to see the IPs you have connected to, then you simply go to the "Statistics" (menu) and select "IP destinations".

    - Stem
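What the "IP destinations" statistic boils down to, as an added example that is not from the thread or from Wireshark itself: a small Python reader that walks a pcap file record by record and tallies the IPv4 destination addresses. The capture bytes, hosts and addresses are constructed inside the script (documentation-range IPs) so it runs offline.

```python
"""Tally destination IPs in a pcap capture, like Wireshark's
Statistics -> IP destinations.  Added example; capture is built in memory."""
import struct
from collections import Counter
from ipaddress import ip_address

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1

def ipv4_frame(src, dst, proto=6):
    """Ethernet + bare 20-byte IPv4 header (no payload): enough for a tally."""
    eth = b"\x00" * 12 + struct.pack(">H", ETHERTYPE_IPV4)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip

def build_pcap(frames, byte_order="<"):
    """Wrap raw frames in a pcap global header plus one record header each."""
    out = struct.pack(byte_order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):   # constructed timestamps, 1 s apart
        out += struct.pack(byte_order + "IIII", 1305763200 + n, 0,
                           len(frame), len(frame)) + frame
    return out

def ip_destinations(pcap):
    """Counter of IPv4 destination addresses; skips non-IP/truncated frames."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == 0xD4C3B2A1:            # same magic, written big-endian
        e = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack_from(e + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    dests, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(e + "IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or struct.unpack_from(">H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                     # ARP, IPv6, or cut short by snaplen
        dests[str(ip_address(frame[30:34]))] += 1   # dst addr at IP offset 16
    return dests

# Constructed sample: one LAN host talking to two documentation-range servers.
SAMPLE_FRAMES = [
    ipv4_frame("192.168.1.10", "198.51.100.7"),
    ipv4_frame("192.168.1.10", "198.51.100.7"),
    ipv4_frame("192.168.1.10", "203.0.113.20"),
    ipv4_frame("198.51.100.7", "192.168.1.10"),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,   # ARP frame, must be skipped
]

if __name__ == "__main__":
    for ip, n in ip_destinations(build_pcap(SAMPLE_FRAMES)).most_common():
        print(f"{n:4d}  {ip}")
```

Point the reader at a real file (`open(path, "rb").read()`) to get the same per-destination counts the Statistics menu shows for an Ethernet capture.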
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Weird! Is it working now? It worked fine for me when I tested it after you mentioned it, and still is.

    @ Searching_ _ _ & fad

    Re - WireShark = cumbersome/complex

    I know what you mean ;) It does appear overwhelming at first, and I don't pretend to fully understand everything, but I'm able to decipher enough to help me with a number of questions I had :) As Stem :thumb: says, it's a learning curve, like anything new initially. If you're not sure of something, just ask & I'm sure "some" kind person/s will try to help ;)
     