Wireshark version 3

yengiangyengiang Posts: 33Member ■■■□□□□□□□
Hi Everyone,

I just got a report from a client's security consultant saying that traffic going to my server is being denied. The transport listed on the report is: TCP and UDP

Question: What would be a correct approach to determine the cause and come up with the fix? I'm new to Wireshark and hope someone could share the knowledge/link.


Thank you,

Answers

  • cyberguyprcyberguypr Senior Member Posts: 6,848Mod Mod
    Wireshark doo doo doo doo doo doo: wireshark shark!

    I'll let myself out now.
  • bigdogzbigdogz Posts: 701Member ■■■■■□□□□□
    edited November 15
    You should mirror the port on the server and look at those fresh bits and bytes coming and going on the host or look at the host to see if ports are not being blocked. If not, this could be a firewall issue.

    Verify that the client has had the work performed and this is a legitimate request.

    Should the data be blocked? This could be a good thing. If you know the server (network / environment) should be blocking the or certain data, then you probably would have followed up with:
    'What ports and where you you coming in from....yeah, it should be blocking that traffic'
    In order to troubleshoot the environment, you should know how every device is tied together.

    Paranoid response
    Did you or your company pay for this consultant? 
    If you never heard of this consultant, this could be a social engineering attempt to hack into your machine(s) and take what they can !!!'
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,505Admin Admin
    Was the traffic ever allowed to reach your server? If so, check the configurations of the router and firewall/reverse proxy between the client's computer and your server and find out what changed.
  • yengiangyengiang Posts: 33Member ■■■□□□□□□□
    bigdogz & JDMurray

     This consultant works as an internal IT/Security support at the client site. I'm still trying to gather all info because I just join (a month ago) a company that has no one in IT/network department. I was invited to a meeting with this consultant by my co-worker who works in maintenance(IT savvy) and help out IT before I came on board.

    Do you know how to analyze the trace using wireshark?
    Here's the report from the consultant:

    Source/source port/destination address/destination port
    10.220.93.x 54439 54.191.205.204 443 TCP
    10.220.93.x 58158 65.55.252.93 443 TCP
    10.220.93.x 48204 162.159.200.1 123 UDP
    10.220.93.x 57938 199.182.221.110 123 UDP
    10.220.93.x 40746 54.39.13.155 123 UDP
    10.220.93.x 49786 199.182.221.110 123 UDP
    10.220.93.x 36745 216.232.132.77 123 UDP
    10.220.93.x 33949 216.55.208.242 123 UDP
    10.220.93.x 36189 208.81.1.244 123 UDP
    10.220.93.x 61667 65.55.252.93 443 TCP
    10.220.93.x 58799 216.197.156.83 123 UDP
    10.220.93.x 59011 199.182.221.110 123 UDP
    10.220.93.x 11051 129.6.15.29 37 UDP
    10.220.93.x 41298 199.182.221.110 123 UDP
    10.220.93.x 11065 129.6.15.29 37 UDP
    10.220.93.x 11063 129.6.15.29 37 UDP

    Thank you
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,505Admin Admin
    edited November 17
    You do not need Wireshark to read this log sample. It contains only very basic information about network traffic and could have been generated by a firewall or a Web proxy. Wireshark is useful if you want to see the details of an entire "conversation" between two network hosts and to look at their packet payload information. To interpret this log file, all you need is basic tools like nslookup and WHOIS and possibly nmap for host verification.

    The 10.220.93.x source IP is an internal subnet whose live hosts are sending traffic outbound to a variety of Internet hosts. The HTTPS traffic (port 443) is going to Amazon- and Microsoft-registered IP addresses likely used in their respective Clouds.
    The NTP traffic (port 123) is going to what are presumably known, public NTP servers (nmap can verify this). The port 37 traffic is unusual in that it is the old TIME protocol that has been replaced by NTP. However, this traffic is outbound to a NIST time server so it's not suspicious but I would still be interested to know what old, legacy host(s) is generating this port 37 traffic. The only other thing of interest is that many of these Internet IPs are registered to businesses in Canada (but are not necessarily being used by hosts in Canada).

    As to your connectivity problem, this log sample does not give an indication if the TCP connections were allowed or denied. I presume 10.220.93.x is your client's internal LAN and your servers are in the AWS Cloud. If this is true, the Security Group for the VPC must be configured to allow the ingress of the Internet traffic from your client's hosts to your EC2 server instances. Does that terminology sound familiar to you?

  • bigdogzbigdogz Posts: 701Member ■■■■■□□□□□
    edited November 17
    also why are the source ports soo high? Is that the application(s)?
  • JDMurrayJDMurray Certification Invigilator Surf City, USAPosts: 11,505Admin Admin
    edited November 17
    Those are ephemeral ports randomly are chosen by the TCP/IP stack when a client app requests to send a UDP packet or make a TCP connection. Nothing unusual there. It's interesting that the older system using the time protocol uses a much lower range for its ephemeral ports.
  • yengiangyengiang Posts: 33Member ■■■□□□□□□□
    @JDMurray - I've done some lookup base on your analysis and your presumption is correct. The client's host is located in Canada and my company was acquired by a corporate office which is on AWS Cloud. Perhaps I would need to get corporate IT involved to modify the security group.

    Thank you for sharing the knowledge.


  • yengiangyengiang Posts: 33Member ■■■□□□□□□□
    @JDMurray - I have more questions

    The Canadian client has 5 site, each site has a server cabinet that included 2-5 server 2012 R2. I'm currently investigating outbound internet traffic issue from Site A: 10.220.93.x which has 2 servers

    There's 4 count to destination: 54.191.205.204
    -What does the "count" represent? 
    -How do I know if that happens 4 time in 10 minute/1 hr/24 hr?
    -Would nmap be a good tool to narrow down if outbound traffic was sending from server1 or server2?

    I found out AWS is being managed by a software engineer at my location and I would like to collect info and troubleshoot everything on my end prior talking to him.

    Your help is greatly appreciated.

    Source/source port/destination address/destination port/transport protocol/count

    10.220.93.x 54439 54.191.205.204 443 TCP 4
    10.220.93.x 58158 65.55.252.93 443 TCP 3
    10.220.93.x 48204 162.159.200.1 123 UDP 2
    10.220.93.x 57938 199.182.221.110 123 UDP 2
    10.220.93.x 40746 54.39.13.155 123 UDP 2
    10.220.93.x 49786 199.182.221.110 123 UDP 2
    10.220.93.x 36745 216.232.132.77 123 UDP 2
    10.220.93.x 33949 216.55.208.242 123 UDP 2
    10.220.93.x 36189 208.81.1.244 123 UDP 2
    10.220.93.x 61667 65.55.252.93 443 TCP 2
    10.220.93.x 58799 216.197.156.83 123 UDP 1
    10.220.93.x 59011 199.182.221.110 123 UDP 1


Sign In or Register to comment.