
Lesson 18: Wireshark Capture Analysis - Who Shot My Computer?



Presentation Transcript


  1. Lesson 18: Wireshark Capture Analysis - Who Shot My Computer?

  2. Overview • System Information • Network Information • IO Analysis • Significant Events

  3. Tools Used • Wireshark • EtherApe • SNORT • Grey Matter

  4. System Information • Host name: KAUFMANUPSTAIRS • Time of Events: 3:30 - 3:38PM • Number of Packets: 2449 • Total Bytes Captured: 811157

  5. Analysis Summary

  6. EtherApe View

  7. Input/Output Analysis

  8. IO Analysis 1

  9. IO Analysis 2

  10. DNS Resolution: Workstation 172.16.1.35 accesses DNS at 172.16.0.1. ARP (Address Resolution Protocol) resolves the MAC address: 00:40:ca:70:19:a3

  11. Network Information • Logical network • External Connection • Observed Protocols

  12. Observed Network Addresses • 172.16.0.1 – Gateway device • Homeportal.gateway.2wire.net • 172.16.1.34 • 172.16.1.35 - TiVo Media Services • 172.16.1.36 • 172.16.1.37 • 172.16.1.39

  13. IP Address Resolution: address requests for 172.16.1.34, .36, .37 and .39 were made; no IP address was issued except for 172.16.1.35.

  14. Gateway wpad.gateway.2wire.net

  15. Flow Analysis Internal

  16. Endpoint Analysis-IPv4

  17. Endpoint Analysis-TCP

  18. Endpoint Analysis-UDP

  19. External Connections • 216.166.24.20 – RBFCU.ORG • 152.163.15.208 – America Online

  20. Flow Analysis External

  21. Protocols Observed

  22. HTTP Summary

  23. HTTP Details

  24. Significant Events • Packet 73 – Anonymous FTP • Packet 236 – HTTP • Packet 958 – HTTPS • Packet 1205 – TiVo • Packet 1591 – IPv6 • Packets 1788 (Yahoo), 2123 (AOL), 2156 (AIM)

  25. FTP: Packet 72 – FTP session was initiated with linux-wlan.org, accessed using USER: anonymous, PSWD: IEUser@

  26. HTTP: Packet 236 – HTTP session initiated with www.rbfcu.org

  27. HTTPS: Packet 958 – HTTPS session initiated with www.rbfcu.org (SSLv2 & SSLv3)

  28. TiVo: Packet 1205 – DVR

  29. IPv6: Packet 1591 – an IPv6 Compaq peer detected
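The deck shows the Endpoints, I/O Graph and "significant events" views as screenshots. The script below is an added example (not part of Lesson 18 and not Wireshark's own code) that rebuilds those views from a capture exported as tab-separated fields, the shape `tshark -T fields -E separator=/t` produces for frame.number, frame.time_relative, the source and destination address, _ws.col.Protocol, frame.len and _ws.col.Info. The embedded sample is constructed: its frame numbers and addresses echo the slides, but the timings, lengths and the FTP server address 203.0.113.10 (a documentation placeholder standing in for linux-wlan.org) are made up. Everything is computed from that text, so it runs offline.

```python
"""Capture-summary triage: endpoints, I/O histogram, external peers and flagged frames."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in tshark field-export shape (frame, rel. time, src, dst,
# protocol, length, info). Not the lesson's capture; values are illustrative.
SAMPLE = """\
1\t0.000\t172.16.1.35\t172.16.0.1\tDNS\t78\tStandard query A linux-wlan.org
2\t0.021\t172.16.0.1\t172.16.1.35\tDNS\t94\tStandard query response A 203.0.113.10
72\t1.480\t172.16.1.35\t203.0.113.10\tFTP\t74\tRequest: USER anonymous
73\t1.502\t172.16.1.35\t203.0.113.10\tFTP\t76\tRequest: PASS IEUser@
236\t3.100\t172.16.1.35\t216.166.24.20\tHTTP\t512\tGET / HTTP/1.1
237\t3.140\t216.166.24.20\t172.16.1.35\tHTTP\t1400\tHTTP/1.1 200 OK
958\t5.230\t172.16.1.35\t216.166.24.20\tSSLv2\t130\tClient Hello
1205\t6.010\t172.16.1.35\t172.16.1.36\tTCP\t66\t49152 > 2190 [SYN] Seq=0
1591\t7.300\tfe80::1\tff02::1\tICMPv6\t86\tRouter Advertisement
2123\t8.120\t172.16.1.35\t152.163.15.208\tTCP\t60\t49153 > 5190 [SYN] Seq=0
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_summary(text):
    """Turn the tab-separated export into a list of packet dicts."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, t, src, dst, proto, length, info = line.split("\t", 6)
        pkts.append({"frame": int(frame), "time": float(t), "src": src, "dst": dst,
                     "proto": proto, "len": int(length), "info": info})
    return pkts


def is_external(addr):
    """True for addresses outside the local network: not RFC 1918 (v4), not ULA (v6),
    and not multicast, link-local, loopback or unspecified."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast or ip.is_link_local or ip.is_loopback or ip.is_unspecified:
        return False
    if ip.version == 6:
        return not ip.is_private
    return not any(ip in net for net in RFC1918)


def endpoint_stats(pkts):
    """Per-address packet and byte totals, the numbers behind Statistics > Endpoints."""
    stats = defaultdict(lambda: {"tx_pkts": 0, "rx_pkts": 0, "bytes": 0})
    for p in pkts:
        stats[p["src"]]["tx_pkts"] += 1
        stats[p["src"]]["bytes"] += p["len"]
        stats[p["dst"]]["rx_pkts"] += 1
        stats[p["dst"]]["bytes"] += p["len"]
    return dict(stats)


def external_peers(pkts):
    """External addresses seen, with a protocol count each (the 'External Connections' slide)."""
    peers = defaultdict(Counter)
    for p in pkts:
        for addr in (p["src"], p["dst"]):
            if is_external(addr):
                peers[addr][p["proto"]] += 1
    return {addr: dict(c) for addr, c in peers.items()}


def io_graph(pkts, interval=1.0):
    """Packets per `interval` seconds, as an I/O Graph would plot them."""
    if not pkts:
        return []
    last = max(p["time"] for p in pkts)
    buckets = [0] * (int(last // interval) + 1)
    for p in pkts:
        buckets[int(p["time"] // interval)] += 1
    return buckets


def significant_events(pkts):
    """Flag the kinds of frames the deck singled out: cleartext FTP credentials,
    plain HTTP to an external host, legacy SSL handshakes, and IPv6 on a v4 LAN."""
    events = []
    for p in pkts:
        info, proto = p["info"], p["proto"]
        if proto == "FTP" and info.startswith("Request: USER "):
            events.append((p["frame"], f"FTP login as '{info[14:]}' (credentials in cleartext)"))
        elif proto == "FTP" and info.startswith("Request: PASS "):
            events.append((p["frame"], "FTP password sent in cleartext"))
        elif proto == "HTTP" and info.startswith(("GET ", "POST ")) and is_external(p["dst"]):
            events.append((p["frame"], f"unencrypted HTTP request to external host {p['dst']}"))
        elif proto in ("SSLv2", "SSLv3"):
            events.append((p["frame"], f"legacy {proto} handshake with {p['dst']}"))
        elif ":" in p["src"]:
            events.append((p["frame"], f"IPv6 traffic from {p['src']} ({proto})"))
    return events


def report(text=SAMPLE):
    """Print the four views for a capture export; the functions above return the data."""
    pkts = parse_summary(text)
    for addr, s in sorted(endpoint_stats(pkts).items()):
        print(f"{addr:16} tx={s['tx_pkts']} rx={s['rx_pkts']} bytes={s['bytes']}")
    print("external peers:", external_peers(pkts))
    print("packets/second:", io_graph(pkts))
    for frame, what in significant_events(pkts):
        print(f"frame {frame}: {what}")


if __name__ == "__main__":
    report()
```

The external/internal split is deliberately an explicit RFC 1918 test rather than Python's `is_private`, which also treats documentation ranges such as 203.0.113.0/24 as private and would hide the constructed FTP server. Running `report()` on a real export of the lesson's capture would put frames 72/73 (anonymous FTP) and 958 (SSLv2 Client Hello) in the same flagged list the slides arrive at by hand.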

  30. SNORT Analysis Just Port Scans?

  31. Summary • Do analysis of the facts • Make no assumptions • What story does it tell? • Can you tell the story, or do you need more facts? • Can you get the facts? • From where?
