Wireshark
Anyone know of a good site for tutorials on how to really use Wireshark? I had an issue today with a client's PC that had 6000+ concurrent external connections (according to our monitoring software), but when I ran Wireshark on it, I saw nothing but my single connection and a few internal IPs.
netstat -n -o via the command line showed that every port on the internal IP was used up and connected to another internal IP (which was a security IP camera). Very weird... but the PC is working normally, not a hint of slowdown. The user had not noticed anything strange either. No malware was found with the basic scans.
Either the monitoring software is bugged out on this one or I am not using wireshark correctly.
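As an added example (not posted in the thread), a small Python script that parses saved `netstat -n -o` output from a Windows host and summarises the TCP sockets per peer and per state, showing how much of the ephemeral port range is held and which single peer holds it. The sample output is constructed, and the 49152-65535 dynamic range is the Windows default.

```python
from collections import Counter

# Constructed sample of `netstat -n -o` output from a Windows host (not a real capture);
# it mimics the thread: one internal peer holding most of the host's ephemeral ports.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.50:49152     192.168.1.20:80        ESTABLISHED     4120
  TCP    192.168.1.50:49153     192.168.1.20:80        ESTABLISHED     4120
  TCP    192.168.1.50:49154     192.168.1.20:80        TIME_WAIT       0
  TCP    192.168.1.50:49155     192.168.1.20:80        ESTABLISHED     4120
  TCP    192.168.1.50:49156     203.0.113.7:443        ESTABLISHED     2212
  UDP    192.168.1.50:137       *:*                                    4
"""

EPHEMERAL_RANGE = range(49152, 65536)  # Windows default dynamic port range: 16384 ports


def parse_netstat(text):
    """Parse `netstat -n -o` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        foreign_ip, foreign_port = parts[2].rsplit(":", 1)
        rows.append({"proto": parts[0], "local_ip": local_ip, "local_port": int(local_port),
                     "foreign_ip": foreign_ip, "foreign_port": foreign_port,
                     "state": parts[3] if parts[0] == "TCP" else "",  # UDP has no State column
                     "pid": int(parts[-1])})
    return rows


def report(text):
    """Summarise TCP sockets: which peer holds them, in what state, and how much of the
    ephemeral port range is in use (the condition netstat showed in the thread)."""
    tcp = [r for r in parse_netstat(text) if r["proto"] == "TCP"]
    per_peer = Counter(r["foreign_ip"] for r in tcp)
    per_state = Counter(r["state"] for r in tcp)
    held = {r["local_port"] for r in tcp if r["local_port"] in EPHEMERAL_RANGE}
    top_peer, top_count = per_peer.most_common(1)[0] if per_peer else (None, 0)
    return {"tcp_sockets": len(tcp), "per_peer": dict(per_peer), "per_state": dict(per_state),
            "ephemeral_in_use": len(held),
            "ephemeral_pct": round(100 * len(held) / len(EPHEMERAL_RANGE), 2),
            "top_peer": top_peer, "top_peer_share": round(top_count / len(tcp), 2) if tcp else 0.0}
```

Run it against netstat output saved from the affected host to see whether one peer (the camera in this case) accounts for the held ports, which PID owns them, and whether they are ESTABLISHED or lingering in TIME_WAIT.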
Comments
Asif Dasl Member Posts: 2,116
Wireshark University
https://www.lcuportal2.com/wct01-network-analysis-overview.html
https://www.lcuportal2.com/wct02-introduction-to-wireshark.html
Were you on a normal switch port? Not a SPAN port? That's probably why you are only seeing yourself and a few broadcasts from other devices... edit - there are 65535 ports on a PC so not sure how you are using them all...
--chris-- Member Posts: 1,518
Wireshark University
https://www.lcuportal2.com/wct01-network-analysis-overview.html
https://www.lcuportal2.com/wct02-introduction-to-wireshark.html
Were you on a normal switch port? Not a SPAN port? That's probably why you are only seeing yourself and a few broadcasts from other devices... edit - there are 65535 ports on a pc so not sure how you are using them all...
This was in a small business... ~15 hosts, all on a D-Link unmanaged switch. The incoming connection is bridged from the Comcast router to a Cyberoam multi-purpose device. The Cyberoam shows nothing unusual either, but I think that's because the ports are being used up internally (not passing through the Cyberoam).
I can't for the life of me figure out why there are 60,000+ ports in use between these two devices.
chrisone Member Posts: 2,278
If you have the resources, look into INE's Wireshark video. I haven't personally checked this video out yet, but it's new and, well, INE is a very reputable training site.
Wireshark Video Training Course - INE
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
Krusader Member Posts: 109
CBT Nuggets is also good for Wireshark
Wireshark Video Training Online | CBT Nuggets
2018 Goals
AWS & Linux Knowledge
JeanM Member Posts: 1,117
Anyone know of a good site for tutorials on how to really use Wireshark? I had an issue today with a client's PC that had 6000+ concurrent external connections (according to our monitoring software), but when I ran Wireshark on it, I saw nothing but my single connection and a few internal IPs.
netstat -n -o via the command line showed that every port on the internal IP was used up and connected to another internal IP (which was a security IP camera). Very weird... but the PC is working normally, not a hint of slowdown. The user had not noticed anything strange either. No malware was found with the basic scans.
Either the monitoring software is bugged out on this one or I am not using wireshark correctly.
Well, where did you run Wireshark to capture traffic vs. where the monitoring software is pulling the numbers from?
You have to think about where you will probe, as that will make a difference in what you'll see.
Example - your local node / VLAN, DMZ, edge firewall... etc.
2015 goals - CCNA Voice / VMware VCP.