The Real (and Virtual) Adventures of Nathan the IT Guy:

Security

Nov 14 2008   4:05AM GMT

Wireshark and Wireshark Portable



Posted by: Nathan Simon
Networking, Security, Microsoft Windows, IT professional

“Wireshark is an award-winning network protocol analyzer developed by an international team of networking experts.”

One of the best network analysis tools out there, bar none; veterans will know it by its former name, Ethereal.

Well, today I got a call from a client: she has been having issues where someone seemed to be connecting to her PC without her authorization. WinVNC is on the machine, and it is secured with a password. The VNC TCP port is open, and the Java viewer port is also open on a slightly different port. Part of the solution is to lock it down, so I set VNC to prompt when someone is connecting to the PC, which was fine: whoever was always connecting cannot connect anymore. They still try, and she just denies the prompt. How would one go about finding the culprit? Well, I would say use Wireshark!

With Wireshark you can analyze a connection, in this case a 3Com NIC. What Wireshark does is analyze every packet that comes through that card, so if a person or machine tries to connect to her machine, we'll know about it. The program will analyze the packets and use DNS to convert IPs to names, which makes it slightly easier. So let's say someone inside the network is playing a joke on her... well, tomorrow, when I have Wireshark running and logging all connections to and from her PC, whatever IP is trying to access her PC on either of the ports in this situation will be identified by IP and hostname.
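As an added example (not from the original post), here is the same "who keeps knocking on the VNC ports" check done outside the GUI: it reads connection records in the shape of `tshark -T fields` output, keeps only inbound SYNs to the watched ports, tallies them per source and resolves the source to a hostname the way Wireshark's name resolution would. The port numbers (5900 for VNC, 5800 for the Java viewer), the victim address and the sample lines are all assumptions constructed for the example.

```python
import socket
from collections import Counter

# Ports watched in the post: the VNC server port and the Java viewer port.
# 5900 and 5800 are the usual WinVNC defaults (assumed; the post gives no numbers).
WATCHED_PORTS = {5900: "vnc", 5800: "vnc-java"}

# Constructed sample lines in the shape of:
#   tshark -T fields -E separator=, -e frame.time_relative -e ip.src -e ip.dst
#          -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
# The equivalent Wireshark display filter for the same view is:
#   tcp.flags.syn == 1 && tcp.flags.ack == 0 && (tcp.dstport == 5900 || tcp.dstport == 5800)
SAMPLE_LINES = """\
0.000000,192.168.1.50,192.168.1.10,5900,1,0
0.000412,192.168.1.10,192.168.1.50,49152,1,1
1.250000,192.168.1.77,192.168.1.10,80,1,0
2.100000,192.168.1.50,192.168.1.10,5800,1,0
3.000000,192.168.1.50,192.168.1.10,5900,1,0
4.500000,192.168.1.10,192.168.1.200,445,1,0
""".splitlines()

# Constructed reverse-DNS table so the example runs offline; on a live
# network the socket.gethostbyaddr fallback below does the real lookup.
FAKE_PTR = {"192.168.1.50": "workstation-12.corp.example"}

def resolve(ip, table=FAKE_PTR):
    """Turn an IP into a hostname, like Wireshark with name resolution on."""
    if ip in table:
        return table[ip]
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip  # no PTR record: fall back to the bare address

def connection_attempts(lines, victim_ip, ports=WATCHED_PORTS):
    """Count inbound SYNs to the watched ports, keyed by (source IP, service)."""
    attempts = Counter()
    for line in lines:
        _ts, src, dst, dport, syn, ack = line.split(",")
        # A bare SYN (no ACK) is a fresh connection attempt, whether or not
        # the client later got past the VNC prompt.
        if dst == victim_ip and syn == "1" and ack == "0" and int(dport) in ports:
            attempts[(src, ports[int(dport)])] += 1
    return attempts

def report(lines, victim_ip):
    """Rows of (hostname, ip, service, count), most persistent source first."""
    return [(resolve(src), src, svc, n)
            for (src, svc), n in connection_attempts(lines, victim_ip).most_common()]

if __name__ == "__main__":
    for host, ip, svc, n in report(SAMPLE_LINES, "192.168.1.10"):
        print(f"{host} ({ip}) tried {svc} {n} time(s)")
```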

There are two revisions of Wireshark, or should I say two types: installable and portable.

You can download them from here. I myself like the portable one: you can keep it on a USB stick; it installs WinPcap when in use and uninstalls it when you quit the app.

If anyone has ANY questions, please feel free to leave a comment! You can also check out the FAQ here.

NS

Nov 6 2008   4:14AM GMT

Sysinternals Saves the Day



Posted by: Nathan Simon
Security, Microsoft Windows, IT professional

Once again I saved the day... Win Antispyware: we've all seen it, we've all tried to clean it, but how successful can you be with automatic removal tools that never seem to do the job? Well, today I used two very important tools; one was Process Explorer and the other was an application called Autoruns. Both can be found over at http://live.sysinternals.com/.

First I used Autoruns to find the rogue apps that were loading. If you are a veteran you will know which apps are the bad ones; just remove them one by one. If you have downloaded and placed Process Explorer into the same folder, you can right-click on the name and it will pinpoint the process in Process Explorer.

Process Explorer can then stop or suspend the application that is responsible for the adware you are trying to remove. Once it is stopped or suspended, you locate the file in the command prompt or Windows Explorer and delete it. Once you have cornered all the processes responsible and gotten rid of them, remove any system restore points and create a nice new, clean one.

Process Explorer can be found here

Autoruns can be found here

Each link will give you a more detailed description on the apps discussed in my blog.