Traffic Sniffer

CyberWorm · Apr 21, 2010

I am researching a rootkit and looking for an application which logs data to and from the malware. Other than WireShark, what tools would you recommend for this purpose?

Regards,
CW

Searching_ _ _ · Apr 21, 2010

What OS are you running?

If Windows,
Have you tried Buster Sandbox Analyzer? Requires a paid liscense for Sandboxie.

CyberWorm · Apr 22, 2010

Thanks for that, I've never heard of that aplication before so I'll give it a go.

Maybe I am overlooking something in WireShark but is there any easy way to filter POST data, or look for unusual connection activity without going through all the data manually.

Blitzer · Apr 22, 2010

Just an aside note.
Theoretically it is possible to compromise the kernel in a way that whatever traffic sniffer you might use its records can become unreliable.

Sully · Apr 22, 2010

TCPview may not be a packet sniffer, but is will show you some nice data.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Sul.

CyberWorm · Apr 26, 2010

Blitzer said:

Just an aside note.
Theoretically it is possible to compromise the kernel in a way that whatever traffic sniffer you might use its records can become unreliable.
Click to expand...

I saw one on YouTube ages ago which acted as a proxy. This would allow you to use two different machines, logging the packets on a clean machine would give almost 100% accurate results. Shame I can't remember what its called.

GlobalForce · Apr 26, 2010

Charles proxy?

CyberWorm · Apr 27, 2010

No, I don't think it wasn't charles proxy.

Spiral123 · Apr 27, 2010

google network miner, there are a few other programs similar

GlobalForce · Apr 27, 2010

The only other that comes to mind is put out by TamoSoft. Check SnapFiles shareware sec-privacy and networking categories.

mhf · Apr 27, 2010

You could also try Networkminer

The wiki says : "NetworkMiner also comes in very handy when analyzing malware traffic, such as C&C (command-and-control) traffic from a BotNet, since uploaded and downloaded files are extracted to disk."

And check this

CyberWorm · Apr 27, 2010

Got it, it was Fiddler Web Proxy... http://www.fiddler2.com/fiddler2/.

GlobalForce · Apr 27, 2010

Along with Membrane, WebScarab and WFetch - the other "proxy" type application that slipped by.

MrBrian · Apr 28, 2010

Network Tracing in Windows 7
http://www.raymond.cc/blog/archives...and-decoding-packets-including-ssl-with-ospy/

Espresso · May 7, 2010

Nirsoft has a free packet sniffer

http://www.nirsoft.net/utils/smsniff.html

Log in or Sign up

Traffic Sniffer

CyberWorm Registered Member

Searching_ _ _ Registered Member

CyberWorm Registered Member

Blitzer Registered Member

Sully Registered Member

CyberWorm Registered Member

GlobalForce Regular Poster

CyberWorm Registered Member

Spiral123 Registered Member

GlobalForce Regular Poster

mhf Registered Member

CyberWorm Registered Member

GlobalForce Regular Poster

MrBrian Registered Member

Espresso Registered Member

Log in or Sign up

Traffic Sniffer

CyberWorm Registered Member

Searching_ _ _ Registered Member

CyberWorm Registered Member

Blitzer Registered Member

Sully Registered Member

CyberWorm Registered Member

GlobalForce Regular Poster

CyberWorm Registered Member

Spiral123 Registered Member

GlobalForce Regular Poster

mhf Registered Member

CyberWorm Registered Member

GlobalForce Regular Poster

MrBrian Registered Member

Espresso Registered Member

Useful Searches