Lesson 18 Wireshark Capture Analysis Who Shot My Computer?

Post on 12-Jan-2016


Lesson 18

Wireshark Capture Analysis

Who Shot My Computer?

Overview

• System Information

• Network Information

• IO Analysis

• Significant Events

Tools Used

• WireShark

• EtherApe

• SNORT

• Grey Matter

System Information

• Host name: KAUFMANUPSTAIRS

• Time of Events: 3:30 - 3:38PM

• Number of Packets: 2449

• Total Bytes Captured: 811157

Analysis Summary

EtherApe View

Input/Output Analysis

IO Analysis 1

IO Analysis 2

DNS Resolution

Workstation – 172.16.1.35 accesses DNS – 172.16.0.1

ARP (Address Resolution Protocol) resolves the MAC Address of: 00:40:ca:70:19:a3

Network Information

• Logical network

• External Connection

• Observed Protocols

Observed Network Addresses

• 172.16.0.1 – Gateway device – Homeportal.gateway.2wire.net

• 172.16.1.34

• 172.16.1.35 - TiVo Media Services

• 172.16.1.36

• 172.16.1.37

• 172.16.1.39

IP Address Resolution

Address resolutions were made for 172.16.1.34, .36, .37, & .39.

No IP address was issued except for 172.16.1.35.

Gateway

wpad.gateway.2wire.net

Flow Analysis Internal

Endpoint Analysis-IPv4

Endpoint Analysis-TCP

Endpoint Analysis-UDP

External Connections

• 216.166.24.20 – RBFCU.ORG

• 152.163.15.208 – America Online

Flow Analysis External

Protocols Observed

HTTP Summary

HTTP Details

Significant Events

• Packet 73 – Anonymous FTP

• Packet 236 – HTTP

• Packet 958 – HTTPS

• Packet 1205 – Tivo

• Packet 1591 – IPv6

• Packets 1788 (Yahoo), 2123 (AOL), 2156 (AIM)

FTP

Packet 72: FTP session was initiated with linux-wlan.org

Accessed using USER: anonymous, PSWD: IEUser@

HTTP

• Packet 236: HTTP session initiated with www.rbfcu.org

HTTPS

Packet 958: HTTPS session initiated with www.rbfcu.org (SSLv2 & SSLv3)

Tivo

Packet 1205: DVR

IPv6

Packet 1591: an IPv6 Compaq peer detected
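The Endpoint Analysis slides and the Significant Events slides above describe two things an analyst does by hand in Wireshark: tally traffic per endpoint (IPv4, TCP, UDP) and pick out the packets that matter, here an anonymous FTP login whose USER/PASS lines are readable on the wire, a plain HTTP request, and an HTTPS session negotiated with SSLv2/SSLv3. The script below is an added example, not part of the original lesson, that does both over an in-memory list of packet summaries. The packet records, the `Packet` class, the `endpoints` and `significant_events` functions, the FTP server address 198.51.100.10 and all port numbers and byte lengths are constructed for illustration; only the workstation, gateway and rbfcu.org addresses are taken from the slides.

```python
"""Endpoint tally and significant-event triage over packet summaries.

Added example: the packet records below are constructed to resemble the
capture described in the lesson (workstation 172.16.1.35, gateway
172.16.0.1, anonymous FTP, HTTP/HTTPS to www.rbfcu.org). They are not data
from the real capture; 198.51.100.10 is a documentation address standing in
for the FTP server.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    no: int
    src: str
    dst: str
    proto: str                   # 'TCP', 'UDP' or 'ARP'
    sport: Optional[int] = None
    dport: Optional[int] = None
    length: int = 0              # frame length in bytes
    info: str = ''               # decoded summary, like Wireshark's Info column


# Constructed sample packets (hypothetical, not real capture data).
PACKETS = [
    Packet(1, '172.16.1.35', '172.16.0.1', 'UDP', 51000, 53, 74, 'DNS query A linux-wlan.org'),
    Packet(2, '172.16.0.1', '172.16.1.35', 'UDP', 53, 51000, 90, 'DNS response'),
    Packet(72, '172.16.1.35', '198.51.100.10', 'TCP', 1045, 21, 62, ''),  # FTP SYN
    Packet(73, '172.16.1.35', '198.51.100.10', 'TCP', 1045, 21, 70, 'USER anonymous'),
    Packet(74, '172.16.1.35', '198.51.100.10', 'TCP', 1045, 21, 70, 'PASS IEUser@'),
    Packet(236, '172.16.1.35', '216.166.24.20', 'TCP', 1046, 80, 400, 'GET / HTTP/1.1 Host: www.rbfcu.org'),
    Packet(958, '172.16.1.35', '216.166.24.20', 'TCP', 1047, 443, 120, 'Client Hello SSLv2'),
    Packet(959, '216.166.24.20', '172.16.1.35', 'TCP', 443, 1047, 1200, 'Server Hello SSLv3'),
]


def endpoints(packets, layer):
    """Per-endpoint packet and byte totals, like Wireshark's Endpoints tab.

    layer='IPv4' counts every packet against both IP addresses;
    layer='TCP' or 'UDP' counts only that transport, keyed by ip:port.
    """
    stats = defaultdict(lambda: {'packets': 0, 'bytes': 0})
    for p in packets:
        if layer == 'IPv4':
            keys = [p.src, p.dst]
        elif p.proto == layer:
            keys = [f'{p.src}:{p.sport}', f'{p.dst}:{p.dport}']
        else:
            continue
        for k in keys:
            stats[k]['packets'] += 1
            stats[k]['bytes'] += p.length
    return dict(stats)


LEGACY_SSL = ('SSLv2', 'SSLv3')   # deprecated protocol versions worth flagging


def significant_events(packets):
    """Flag the event types the slides single out.

    Returns (packet number, category, info) tuples for cleartext FTP
    credentials, plain HTTP requests, and HTTPS using SSLv2/SSLv3.
    """
    events = []
    for p in packets:
        if p.dport == 21 and p.info.startswith(('USER ', 'PASS ')):
            events.append((p.no, 'cleartext FTP credential', p.info))
        elif p.dport == 80 and p.info.startswith(('GET ', 'POST ')):
            events.append((p.no, 'plain HTTP request', p.info))
        elif 443 in (p.sport, p.dport) and any(v in p.info for v in LEGACY_SSL):
            events.append((p.no, 'legacy SSL version', p.info))
    return events


if __name__ == '__main__':
    for layer in ('IPv4', 'TCP', 'UDP'):
        print(f'--- Endpoints: {layer}')
        for ep, s in sorted(endpoints(PACKETS, layer).items()):
            print(f'{ep:24} packets={s["packets"]:3} bytes={s["bytes"]:6}')
    print('--- Significant events')
    for no, category, info in significant_events(PACKETS):
        print(f'packet {no:5}: {category:26} {info}')
```

The IPv4 view shows which hosts dominate the capture (the workstation appears in every packet, as in the slides), the TCP view separates the FTP, HTTP and HTTPS conversations by port, and the event list is the kind of "story" the Summary slide asks for: a password sent in the clear and a site negotiating protocol versions that should no longer be accepted.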

SNORT Analysis

Just Port Scans?

Summary

• Do Analysis of the facts

• Make No Assumptions

• What Story Does it tell?

• Can you tell the story or do you need more facts?

• Can you get the facts?

• From Where?