Finding the program causing issue using Wireshark

Solved by 2FA

Hey all,


Let me start off by saying that I had never used Wireshark until yesterday.

I'm an IT student and was recently assigned a Wireshark packet analysis project. I was given a Wireshark output file and told that the server in question was on an intranet behind a hardened firewall and was trying to reach a Google DNS server, creating suspicious traffic. I need to find what's causing it plus why and some solutions. My guess is that it is perhaps a program trying to update itself (hence trying to reach the Google DNS server). However, I have no idea how to go about finding the program or proving my theory.


Any and all help is appreciated. Thank you!


You want to use what are called Display Filters; these filter packets based on the criteria inputted. They can also get very complicated, though I think this should be simple.

Specifically you'll want to make use of the ip.dst==x.x.x.x filter where x.x.x.x is the IP address of the Google DNS server. This will display any packets where the destination is the Google DNS server.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?


Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


Also, since the traffic you see will be DNS requests, think of what those requests contain. You can view that in the bottom part of Wireshark when a packet is selected.

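Added example, not code from the thread or from any poster: a small offline re-creation of the two steps the replies above describe, first keeping only the packets whose destination is the Google DNS server (what Wireshark's display filter ip.dst==x.x.x.x does), then reading what each DNS request actually asks for (the "what those requests contain" hint). Everything in it is constructed: the 8.8.8.8 address, the 10.0.0.x hosts, the ports and the .invalid domain names are made-up sample data, and the packets are built in memory rather than read from a capture file.

```python
# Added example (not from the thread). Re-creates offline: (1) ip.dst==x.x.x.x
# filtering and (2) reading the question name out of each DNS request.
# All addresses, ports and names below are constructed sample data.
import struct
from dataclasses import dataclass
from typing import List, Optional

GOOGLE_DNS = "8.8.8.8"        # assumed address of the Google DNS server in the question
INTERNAL_HOST = "10.0.0.5"    # constructed intranet server
INTERNAL_DNS = "10.0.0.1"     # constructed internal resolver


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_dns_message(txid: int, qname: str, flags: int = 0x0100) -> bytes:
    """Minimal DNS message with one A question; flags 0x0100 = standard query."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """IPv4 header (no options) + UDP header + payload; checksums left at 0."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return ip_hdr + udp_hdr + payload


@dataclass
class Parsed:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    qname: Optional[str]  # first DNS question name, if the packet carries DNS


def parse_qname(dns: bytes) -> Optional[str]:
    """Return the first question name, or None if there is none or it is malformed."""
    if len(dns) < 12 or struct.unpack("!H", dns[4:6])[0] == 0:
        return None
    pos, parts = 12, []
    while pos < len(dns):
        n = dns[pos]
        if n == 0:
            return ".".join(parts)
        if n & 0xC0 or pos + 1 + n > len(dns):  # compression pointer or truncated label
            return None
        parts.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None


def parse_packet(raw: bytes) -> Parsed:
    ihl = (raw[0] & 0x0F) * 4
    src, dst = bytes_to_ip(raw[12:16]), bytes_to_ip(raw[16:20])
    if raw[9] != 17:  # not UDP: no ports, no DNS
        return Parsed(src, dst, 0, 0, None)
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    payload = raw[ihl + 8:]
    qname = parse_qname(payload) if 53 in (sport, dport) else None
    return Parsed(src, dst, sport, dport, qname)


def filter_dst(packets: List[bytes], dst_ip: str) -> List[Parsed]:
    """Same effect as the Wireshark display filter ip.dst==dst_ip."""
    return [p for p in map(parse_packet, packets) if p.dst_ip == dst_ip]


# Constructed "capture": an internal lookup, a reply from 8.8.8.8, a non-DNS
# UDP flow, and two queries sent straight to the public resolver.
SAMPLE_PACKETS = [
    build_packet(INTERNAL_HOST, INTERNAL_DNS, 50000, 53, build_dns_message(1, "fileserver.corp.invalid")),
    build_packet(INTERNAL_HOST, GOOGLE_DNS, 51234, 53, build_dns_message(2, "update.vendor-x.invalid")),
    build_packet(GOOGLE_DNS, INTERNAL_HOST, 53, 51234, build_dns_message(2, "update.vendor-x.invalid", 0x8180)),
    build_packet(INTERNAL_HOST, GOOGLE_DNS, 51236, 443, b"\x00" * 20),
    build_packet(INTERNAL_HOST, GOOGLE_DNS, 51235, 53, build_dns_message(3, "telemetry.vendor-x.invalid")),
]


def outbound_queries(packets=SAMPLE_PACKETS, dns_server=GOOGLE_DNS):
    """(source port, queried name) for every DNS question sent to dns_server."""
    return [(p.sport, p.qname) for p in filter_dst(packets, dns_server) if p.qname]


if __name__ == "__main__":
    for sport, name in outbound_queries():
        print(f"src port {sport:5d} -> {GOOGLE_DNS}:53  asks for {name}")
```

Running it lists, for each query that left for the public resolver, the ephemeral source port and the name asked for. The names are the part of the request the hint above points at: an intranet host asking a public resolver for an update or telemetry hostname says far more about which program is responsible than the port does. The source port only identifies the socket; on the machine itself it can be matched to a process while the socket is open (netstat -ano on Windows, ss -unap on Linux), but not from the capture file alone. In Wireshark the same two steps are the filter ip.dst==8.8.8.8 && dns and the Queries section of the DNS dissector in the packet details pane.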

3 minutes ago, DeadEyePsycho said:

Also, since the traffic you see will be DNS requests, think of what those requests contain. You can view that in the bottom part of Wireshark when a packet is selected.

When I set up the filters as you said, all the black lines with red text disappear. I am not sure what to make of all the information at the bottom; the only thing that stood out to me was the source port, but I'm not sure what to do with it.


12 hours ago, JaysonJacob said:

When I set up the filters as you said, all the black lines with red text disappear. I am not sure what to make of all the information at the bottom; the only thing that stood out to me was the source port, but I'm not sure what to do with it.

You might want to watch some tutorial videos.

