The Real (and Virtual) Adventures of Nathan the IT Guy

Nov 14 2008   4:05AM GMT

Wireshark and Wireshark Portable

Nathan Simon

“Wireshark is an award-winning network protocol analyzer developed by an international team of networking experts.”

One of the best network analysis tools out there, bar none; veterans will know it by its former name, Ethereal.

Well, today I got a call from a client: she has been having issues where someone seemed to be connecting to her PC without her authorization. WinVNC is on the machine, and it is secured with a password. The TCP port is open and the Java port is also open on a slightly different port. Part of the solution is to lock it down, so I set VNC to prompt when someone connects to the PC, which was fine: whoever was always connecting cannot connect anymore, although they still try, and she just denies it. How would one go about finding the culprit? Well, I would say use Wireshark!

With Wireshark you can analyze a connection, in this case a 3Com NIC. Wireshark captures every packet that passes through that card, so if a person or machine tries to connect to her machine, we'll know about it. It can also use DNS to resolve IPs to names, which makes the result slightly easier to read. So let's say someone inside the network is playing a joke on her... well, tomorrow, when I have Wireshark running and logging all connections to and from her PC, whatever IP is trying to reach her PC on either of those ports will be identified by IP and hostname.
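As an added example (not from this post, and not Wireshark's own code), here is the same check done offline on a saved capture: parse a classic pcap, keep only the TCP SYNs aimed at the VNC ports, count attempts per source and attach a hostname. The ports 5900 and 5800 are assumed WinVNC defaults, and the victim address, the capture contents and the name table are all constructed for the example.

```python
import struct
import socket
from collections import Counter

# Assumed WinVNC defaults: 5900 for the RFB viewer port, 5800 for the Java viewer port.
VNC_PORTS = {5900, 5800}

def tcp_syns(pcap, ports=VNC_PORTS):
    """Yield (src_ip, dst_port) for each TCP SYN (no ACK) sent to `ports` in a classic pcap."""
    off = 24  # skip the global header (little-endian classic pcap, Ethernet link type assumed)
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not Ethernet/IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:  # not TCP, or truncated
            continue
        _, dport, _, _, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        flags = off_flags & 0x1FF  # low nine bits carry the TCP flags
        if dport in ports and flags & 0x02 and not flags & 0x10:
            yield socket.inet_ntoa(ip[12:16]), dport

def attempt_report(pcap, resolve):
    """Attempts per (source IP, port), most frequent first, named via `resolve` (reverse DNS in real use)."""
    counts = Counter(tcp_syns(pcap))
    return [(ip, resolve(ip), port, n) for (ip, port), n in counts.most_common()]

# Constructed sample capture; every address and name below is made up for this example.
def _frame(src, dst, sport, dport, flags):
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    victim, suspect = "192.168.1.50", "192.168.1.77"
    frames = [_frame(suspect, victim, 1100, 5900, 0x02),  # SYN to the VNC port
              _frame(victim, suspect, 5900, 1100, 0x12),  # SYN/ACK reply, not an attempt
              _frame(suspect, victim, 1101, 5800, 0x02),  # SYN to the Java viewer port
              _frame("192.168.1.10", victim, 2000, 445, 0x02),  # file sharing, not VNC
              _frame(suspect, victim, 1102, 5900, 0x02)]
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

if __name__ == "__main__":
    names = {"192.168.1.77": "prankster-pc.corp.example"}  # stand-in for reverse DNS
    print(attempt_report(sample_pcap(), lambda ip: names.get(ip, "?")))
```

On a real capture, pass a resolver built on socket.gethostbyaddr and expect it to fail for hosts with no reverse record; the IP alone is still the evidence that matters.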

There are two revisions of Wireshark, or should I say two types: installable and portable.

You can download them from here. I myself like the portable one: you can keep it on a USB stick, and it installs WinPcap while in use and uninstalls it when you quit the app.

If anyone has ANY questions, please feel free to leave a comment! You can also check out the FAQ here.

NS

2 Comments on this Post

  • Labnuke99
    Be sure to have at least v4.1.2 of VNC installed. Some of the older versions have a vulnerability that can be exploited such that an attacker can connect without any authentication. The Sysinternals tool tcpview (http://live.sysinternals.com/Tcpview.exe) may be a quicker, easier solution than using Wireshark. It will show the running applications/processes, protocol, local address, remote address and port state. This may be an easier tool to use than looking through lots of Wireshark traces. I am using Wireshark though to track down a slow telnet login problem. netstat -an will also give you what ports have active and listening connections. The output is similar to this:

        TCP 127.0.0.1:1075 127.0.0.1:27015 ESTABLISHED
        TCP 127.0.0.1:1122 127.0.0.1:9051 ESTABLISHED
        TCP 127.0.0.1:1123 127.0.0.1:1124 ESTABLISHED
        TCP 127.0.0.1:1124 127.0.0.1:1123 ESTABLISHED
        TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
        TCP 127.0.0.1:8118 0.0.0.0:0 LISTENING
        TCP 127.0.0.1:9050 0.0.0.0:0 LISTENING
        TCP 127.0.0.1:9051 0.0.0.0:0 LISTENING
        TCP 127.0.0.1:9051 127.0.0.1:1122 ESTABLISHED
        TCP 127.0.0.1:11469 127.0.0.1:11470 ESTABLISHED
        TCP 127.0.0.1:11470 127.0.0.1:11469 ESTABLISHED
        TCP 127.0.0.1:11471 127.0.0.1:11472 ESTABLISHED
        TCP 127.0.0.1:11472 127.0.0.1:11471 ESTABLISHED
        TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
        TCP 127.0.0.1:27015 127.0.0.1:1075 ESTABLISHED
        TCP 192.168.37.1:139 0.0.0.0:0 LISTENING
        TCP 192.168.92.1:139 0.0.0.0:0 LISTENING
        UDP 0.0.0.0:445 *:*
        UDP 0.0.0.0:500 *:*
        UDP 0.0.0.0:1025 *:*
        UDP 0.0.0.0:1026 *:*
        UDP 0.0.0.0:1027 *:*
        UDP 0.0.0.0:1028 *:*
        UDP 0.0.0.0:1029 *:*
        UDP 0.0.0.0:1532 *:*
        UDP 0.0.0.0:1533 *:*
        UDP 0.0.0.0:1534 *:*
        UDP 0.0.0.0:1535 *:*
        UDP 0.0.0.0:4500 *:*
        UDP 0.0.0.0:8085 *:*
        UDP 0.0.0.0:8086 *:*
  • Nathan Simon
    You are correct, I could use TCPView, although this rogue person tries to log in every couple of hours; they don't actually get into the PC, as stated. So what I need is an app that logs connections, as I cannot be at the system and wait for it to happen. The girl at the PC will call me right after a connection is attempted, at which point I would log in, stop the logging and look for the IP, port, and any other relevant info. Great suggestion though, and thanks for the comment! NS