Lesson 18: Wireshark Capture Analysis. Who Shot My Computer?
Overview • System Information • Network Information • IO Analysis • Significant Events
Tools Used • WireShark • EtherApe • SNORT • Grey Matter
System Information • Host name: KAUFMANUPSTAIRS • Time of Events: 3:30 - 3:38PM • Number of Packets: 2449 • Total Bytes Captured: 811157
DNS Resolution • Workstation 172.16.1.35 queries the DNS server at 172.16.0.1 • ARP (Address Resolution Protocol) resolves the MAC address 00:40:ca:70:19:a3
Network Information • Logical network • External Connection • Observed Protocols
Observed Network Addresses • 172.16.0.1 – Gateway device (Homeportal.gateway.2wire.net) • 172.16.1.34 • 172.16.1.35 – TiVo Media Services • 172.16.1.36 • 172.16.1.37 • 172.16.1.39
IP Address Resolution • Resolution requests were made for 172.16.1.34, .36, .37 & .39 • No IP address was issued except for 172.16.1.35
Gateway • wpad.gateway.2wire.net
External Connections • 216.166.24.20 – RBFCU.ORG • 152.163.15.208 – America Online
Significant Events • Packet 73 – Anonymous FTP • Packet 236 – HTTP • Packet 958 – HTTPS • Packet 1205 – TiVo • Packet 1591 – IPv6 • Packets 1788 (Yahoo), 2123 (AOL), 2156 (AIM)
FTP • Packet 72: FTP session initiated with linux-wlan.org • Accessed using USER: anonymous, PSWD: IEUser@
HTTP • Packet 236: HTTP session initiated with www.rbfcu.org
HTTPS • Packet 958: HTTPS session initiated with www.rbfcu.org (SSLv2 & SSLv3)
TiVo • Packet 1205: DVR
IPv6 • Packet 1591: an IPv6 Compaq peer detected
SNORT Analysis • Just port scans?
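As an added example (not part of the lesson's slides), a small Python detector that turns the lesson's findings into rules and runs them over constructed tshark-style packet summary lines: anonymous FTP logins, cleartext FTP passwords, plain HTTP, SSLv2/SSLv3 handshakes and IPv6 peers. The line layout, the 203.0.113.10 placeholder for the linux-wlan.org server and the sample lines are assumptions built for this example.

```python
import re
from dataclasses import dataclass

# Constructed packet summary lines in a tshark-style "No. Src Dst Proto Info"
# layout; sample data built for this example, not the lesson's actual capture.
# 203.0.113.10 is a placeholder address standing in for linux-wlan.org.
SAMPLE_SUMMARY = """\
72 172.16.1.35 203.0.113.10 FTP Request: USER anonymous
73 172.16.1.35 203.0.113.10 FTP Request: PASS IEUser@
236 172.16.1.35 216.166.24.20 HTTP GET / HTTP/1.1
958 172.16.1.35 216.166.24.20 SSLv2 Client Hello
960 216.166.24.20 172.16.1.35 SSLv3 Server Hello
1205 172.16.1.35 172.16.1.34 TiVo Discovery beacon
1591 172.16.1.37 ff02::1 ICMPv6 Router Solicitation
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    packet: int
    severity: str
    detail: str


def analyze(summary: str) -> list:
    """Flag the event types the lesson calls significant, one Finding per packet."""
    findings = []
    for line in summary.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip rather than crash
        no, src, dst, proto, info = m.groups()
        no = int(no)
        if proto == "FTP" and re.search(r"\bUSER anonymous\b", info):
            findings.append(Finding(no, "medium", f"anonymous FTP login {src} -> {dst}"))
        elif proto == "FTP" and info.startswith("Request: PASS "):
            findings.append(Finding(no, "medium", f"FTP password in cleartext {src} -> {dst}"))
        elif proto == "HTTP" and info.startswith("GET"):
            findings.append(Finding(no, "low", f"cleartext HTTP request {src} -> {dst}"))
        elif proto in ("SSLv2", "SSLv3"):
            findings.append(Finding(no, "high", f"obsolete {proto} handshake {src} <-> {dst}"))
        elif proto == "ICMPv6" or ":" in dst:
            findings.append(Finding(no, "info", f"IPv6 peer detected: {src}"))
    return findings


def worst_severity(findings) -> str:
    """Highest severity among the findings, or 'none' when there are none."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="none")
```

Running `analyze(SAMPLE_SUMMARY)` reproduces the lesson's event list (FTP, HTTP, HTTPS, IPv6) while the TiVo beacon, being normal LAN traffic, is left unflagged.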
Summary • Do Analysis of the facts • Make No Assumptions • What Story Does it tell? • Can you tell the story or do you need more facts? • Can you get the facts? • From Where?