Lesson 18 Wireshark Capture Analysis Who Shot My Computer? - PowerPoint PPT Presentation

About This Presentation
Title:

Lesson 18 Wireshark Capture Analysis Who Shot My Computer?

Description:

Packet 73 Anonymous FTP. Packet 236 - HTTP. Packet 958 - HTTPS. Packet 1205 Tivo ... Accessed using USER: anonymous, PSWD: IEUser@ HTTP ... – PowerPoint PPT presentation

Slides: 32
Provided by: robertj45
Transcript and Presenter's Notes

1
Lesson 18: Wireshark Capture Analysis
Who Shot My Computer?
2
Overview
  • System Information
  • Network Information
  • IO Analysis
  • Significant Events

3
Tools Used
  • WireShark
  • EtherApe
  • SNORT
  • Grey Matter

4
System Information
  • Host name: KAUFMANUPSTAIRS
  • Time of events: 3:30 - 3:38 PM
  • Number of packets: 2449
  • Total bytes captured: 811157

5
Analysis Summary
6
EtherApe View
7
  • Input/Output Analysis

8
IO Analysis 1
9
IO Analysis 2
10
DNS Resolution
Workstation 172.16.1.35 accesses DNS server 172.16.0.1. ARP (Address Resolution Protocol) resolves its MAC address, 00:40:ca:70:19:a3.
11
Network Information
  • Logical network
  • External Connection
  • Observed Protocols

12
Observed Network Addresses
  • 172.16.0.1 - Gateway device
  • Homeportal.gateway.2wire.net
  • 172.16.1.34
  • 172.16.1.35 - TiVo Media Services
  • 172.16.1.36
  • 172.16.1.37
  • 172.16.1.39

13
IP Address Resolution
Resolution requests for 172.16.1.34, .36, .37 and .39 were made; no IP address was issued except for 172.16.1.35.
14
Gateway
  • wpad.gateway.2wire.net

15
Flow Analysis Internal
16
Endpoint Analysis-IPv4
17
Endpoint Analysis-TCP
18
Endpoint Analysis-UDP
19
External Connections
  • 216.166.24.20 - RBFCU.ORG
  • 152.163.15.208 - America Online

20
Flow Analysis External
21
Protocols Observed
22
HTTP Summary
23
HTTP Details
24
Significant Events
  • Packet 73 - Anonymous FTP
  • Packet 236 - HTTP
  • Packet 958 - HTTPS
  • Packet 1205 - TiVo
  • Packet 1591 - IPv6
  • Packet 1788 - Yahoo
  • Packet 2123 - AOL
  • Packet 2156 - AIM

25
FTP
Packet 72 - FTP session was initiated with linux-wlan.org. Accessed using USER: anonymous, PSWD: IEUser@
26
HTTP
  • Packet 236 HTTP session initiated with
    www.rbfcu.org

27
HTTPS
  • Packet 958 HTTPS session initiated with
    www.rbfcu.org (SSLv2 SSLv3)

28
Tivo
Packet 1205 - DVR
29
IPv6
Packet 1591 - an IPv6 Compaq peer detected
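The significant events and the ARP resolution the slides above walk through, checked by a small script. This is an added example, not part of the presentation: it reads constructed Wireshark-style packet-list rows (frame number, protocol, Info column) and flags anonymous FTP logins, cleartext FTP passwords, SSLv2/SSLv3 handshakes, cleartext HTTP and IPv6 peers, and lists ARP requests that got no reply. The sample rows, regexes and labels are assumptions, not values taken from the lesson's capture.

```python
import re
from collections import namedtuple

# A packet-list row as Wireshark shows it: frame No., Protocol and Info columns.
Packet = namedtuple("Packet", "number proto info")

# Constructed sample rows (not the lesson's capture), shaped like what the slides describe.
SAMPLE = [
    Packet(70, "ARP", "Who has 172.16.0.1? Tell 172.16.1.35"),
    Packet(71, "ARP", "172.16.0.1 is at 00:40:ca:70:19:a3"),
    Packet(72, "FTP", "Request: USER anonymous"),
    Packet(73, "FTP", "Request: PASS IEUser@"),
    Packet(80, "ARP", "Who has 172.16.1.34? Tell 172.16.1.35"),
    Packet(236, "HTTP", "GET / HTTP/1.1"),
    Packet(958, "SSLv2", "Client Hello"),
    Packet(1591, "ICMPv6", "Router Advertisement"),
]

FTP_CMD = re.compile(r"Request: (USER|PASS) (.*)")
ARP_WHO = re.compile(r"Who has (\S+)\?")
ARP_IS = re.compile(r"(\S+) is at ")


def find_events(packets):
    """Return (frame number, label) for the kinds of packets the lesson calls significant."""
    events = []
    for p in packets:
        if p.proto == "FTP":
            m = FTP_CMD.match(p.info)
            if m and m.group(1) == "USER" and m.group(2).strip().lower() == "anonymous":
                events.append((p.number, "anonymous FTP login"))
            elif m and m.group(1) == "PASS":
                # The password sits in the Info column; report the fact, not the value.
                events.append((p.number, "FTP password sent in cleartext"))
        elif p.proto in ("SSLv2", "SSLv3"):
            events.append((p.number, f"deprecated {p.proto} handshake"))
        elif p.proto == "HTTP" and p.info.startswith(("GET ", "POST ")):
            events.append((p.number, "cleartext HTTP request"))
        elif p.proto in ("IPv6", "ICMPv6"):
            events.append((p.number, "IPv6 peer active"))
    return events


def unanswered_arp(packets):
    """Addresses asked for by ARP that never replied (slide 13: no address was 'issued')."""
    asked, answered = set(), set()
    for p in (p for p in packets if p.proto == "ARP"):
        if m := ARP_WHO.match(p.info):
            asked.add(m.group(1))
        elif m := ARP_IS.match(p.info):
            answered.add(m.group(1))
    return sorted(asked - answered)
```

On a real capture the same rows can be produced with `tshark -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info` and fed to these functions.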
30
SNORT Analysis
Just Port Scans?
31
Summary
  • Do analysis of the facts
  • Make no assumptions
  • What story does it tell?
  • Can you tell the story, or do you need more facts?
  • Can you get the facts?
  • From where?