Analyzing With Wireshark

Forensics:

As stated by Precise Cyber Forensics, “Computer Forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis.”

In general terms, forensics is a post-event analysis done in order to find the root cause.

It is done on residual data or logs from different sources…

To analyze packet captures, various tools are available, starting from the simplest: TCPDUMP, Wireshark, Ethereal, Netmon and many others…

Forensic experts and hackers analyze the logic and write parsers to extract specific streams of data from very large network traces, automating their work.

For example, Dsniff is a tool which extracts HTTP, SMTP, FTP, and Telnet passwords.
Cain offers similar features for extracting passwords from captured network streams.

Analyzing packet captures can at times be overwhelming, with a lot of data if you have many hosts or traces taken over longer intervals.

Coming to Wireshark…

If you don’t already have Wireshark, you will need to download it.

There is a lot of help available through videos on YouTube, and there are different compilations at SecurityTube.net and elsewhere, but I am only giving you a brief introduction.


We can filter the capture files to reduce the amount of data we have to view and analyze.

1. tcp.port==21 filters all traffic on the basis of port (either the source or the destination port is 21).

2. ip.src==a.b.c.d filters all traffic on the basis of the source IP address in the packet (the source address is a.b.c.d).

3. ip.dst==a.b.c.d filters all traffic on the basis of the destination IP address (the destination address is a.b.c.d).

4. ip.addr==a.b.c.d filters all traffic where either the source or the destination IP address is a.b.c.d.
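To make the difference between the one-directional fields (ip.src, ip.dst) and the two-directional ones (ip.addr, tcp.port) concrete without a real capture, here is an added example, written for this post and not part of Wireshark, that reproduces the matching semantics of those four display filters over a small constructed list of packet summaries. The Packet class, the CAPTURE list and the udp.port field are my own additions for illustration; only == comparisons, ! negation, && and || are supported.

```python
"""Added example: a tiny evaluator for the Wireshark display-filter
expressions discussed above (ip.src, ip.dst, ip.addr, tcp.port), run over
a constructed list of packet summaries.  It is not Wireshark code; it only
reproduces the matching semantics so the direction-sensitivity of each
field is visible without a real capture."""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    """One packet summary (hypothetical structure); all the filters below need."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


# Constructed sample capture: an FTP session, a web request and a DNS lookup.
CAPTURE = [
    Packet("192.168.1.10", "10.0.0.5", "tcp", 40001, 21),   # 0 FTP client -> server
    Packet("10.0.0.5", "192.168.1.10", "tcp", 21, 40001),   # 1 FTP server -> client
    Packet("192.168.1.10", "10.0.0.8", "tcp", 40002, 80),   # 2 HTTP request
    Packet("10.0.0.8", "192.168.1.10", "tcp", 80, 40002),   # 3 HTTP response
    Packet("192.168.1.10", "10.0.0.53", "udp", 5353, 53),   # 4 DNS query
    Packet("10.0.0.53", "192.168.1.10", "udp", 53, 5353),   # 5 DNS reply
]

# Field name -> function returning the set of packet values it is compared against.
# ip.addr and tcp.port cover both directions; ip.src and ip.dst cover only one.
FIELDS = {
    "ip.src":   lambda p: {p.src},
    "ip.dst":   lambda p: {p.dst},
    "ip.addr":  lambda p: {p.src, p.dst},
    "tcp.port": lambda p: {str(p.sport), str(p.dport)} if p.proto == "tcp" else set(),
    "udp.port": lambda p: {str(p.sport), str(p.dport)} if p.proto == "udp" else set(),
}

# One term: optional "!" negation, a field name, "==", and a value.
TERM = re.compile(r"^\s*(!?)\s*([a-z.]+)\s*(==)\s*(\S+)\s*$")


def term_matches(term: str, pkt: Packet) -> bool:
    """Evaluate one comparison such as 'ip.addr==10.0.0.5' or '!tcp.port==80'."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"cannot parse filter term: {term!r}")
    negate, field, _op, value = m.groups()
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field}")
    present = value in FIELDS[field](pkt)
    return not present if negate else present


def matches(expr: str, pkt: Packet) -> bool:
    """'||' binds loosest, '&&' tighter; no parentheses in this toy version."""
    return any(
        all(term_matches(t, pkt) for t in clause.split("&&"))
        for clause in expr.split("||")
    )


def apply_filter(expr: str, packets: list[Packet] = CAPTURE) -> list[int]:
    """Return the indices of packets that pass the filter, i.e. the rows the
    Wireshark packet list would still show after applying it."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]


if __name__ == "__main__":
    for f in ("tcp.port==21", "ip.src==10.0.0.5", "ip.dst==10.0.0.5",
              "ip.addr==10.0.0.5", "ip.addr==192.168.1.10 && !tcp.port==21"):
        print(f"{f:42} -> {apply_filter(f)}")
```

Note that ip.src==10.0.0.5 keeps only the server's reply while ip.addr==10.0.0.5 keeps both directions of the FTP session, which is the distinction that matters when you are trying to reconstruct a whole conversation. The example deliberately implements negation as a leading ! rather than the != operator: on fields that occur twice in a packet (ip.addr, tcp.port), Wireshark's classic != has surprised many users by matching whenever either occurrence differs, so writing !(ip.addr==a.b.c.d) is the form that reliably excludes a host.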


Hope this helps… 🙂