How to Analyze Network Traffic with Sniffers

Discussion in 'other firewalls' started by CloneRanger, May 19, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    He's kindly agreed for me to start the thread :thumb: So here it is, fire away with anything Sniffer etc related :) At the moment i'm using the free WireShark, but i know there are other tools, both free & paid.

    Maybe you have a problem/issues, or 2 like me at the moment :p you'ld like to try & resolve and/or just dig deeper into seeing what's happening, & attempting to make sense of it. If so this threads for you :)
     
    Last edited by a moderator: May 20, 2011
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    10,283
    Location:
    UK
    That link says no matches for me.
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I like the idea of creating a sniffer thread.
    Netwitness is something I would like to try out but I am not using Windows at the moment and maybe not in the near future, maybe in a month or so I'll have Windows installed again.
    Wireshark is quite cumbersome when you need to do any quick looks at packets with a large capture.
    Not to mention that you could be getting infected via encrypted content that bypasses all of the traditional signature detectors.
     
  4. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    420
    Location:
    England
    I find Wireshark complex as a casual observer - but maybe a list of appropriate tools, and even an A,B,C beginners guide in a few simple steps for the most basic and common/useful tasks could be useful for the simpler programs ?
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It is like any tool, you need to learn how to use it.
    I do not quite understand that statement.
    Are you saying you allow encrypted traffic to/from unknown IPs/sites.
    If you have inbound encrypted traffic, how will that specific traffic/contents be able to (possibly) infect you without it first being decrypted? Once it is decrypted, then any internal scanner/HIPS should see the file(s) and act accordingly.


    - Stem
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    What do you mean by "appropriate tools"? For what purpose?

    When using Wireshark, by default it will capture all packets in order. When analyzing the log, use the various tools/functions to filter/show the info you are actually interested in. For simple example. If you have a large log in Wireshark, but only want to see the IPs you have connected to, then you simply go to the "statistics"(menu) and select "IP destinations".

    - Stem
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,913
    Wierd ! Is it working now ? It worked fine for me when i tested it after you mentioned it, and still is.

    @ Searching_ _ _ & fad

    Re - WireShark = cumbersome/complex

    I know what you mean ;) It does appear overwhelming at first, and i don't pretend to fully understand everything, but i'm able to decipher enough to help me with a number of questions i had :) As Stem :thumb: says, it's a learning curve, like anything new initially. If you're not sure of something, just ask & i'm sure "some" kind person/s will try to help ;)
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.