<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Wireshark and Wireshark Portable</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/information-technology/wireshark-and-wireshark-portable/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/information-technology/wireshark-and-wireshark-portable/</link>
	<description></description>
	<pubDate>Wed, 25 Nov 2009 10:36:11 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: N8dog89</title>
		<link>http://itknowledgeexchange.techtarget.com/information-technology/wireshark-and-wireshark-portable/#comment-3</link>
		<dc:creator>N8dog89</dc:creator>
		<pubDate>Fri, 14 Nov 2008 13:17:27 +0000</pubDate>
		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/information-technology/wireshark-and-wireshark-portable/#comment-3</guid>
		<description>You are correct, I could use TCPView, although this rogue person tries to log in every couple of hours, although they don't actually get into the PC as stated. So what I need is an app that logs connections, as I cannot be at the system and wait for it to happen. The girl at the PC will call me right after a connection is attempted, at which point I would log in, stop the logging and look for the IP, port, and any other relevant info. Great suggestion though, and thanks for the comment!

NS</description>
		<content:encoded><![CDATA[<p>You are correct, I could use TCPView, although this rogue person tries to log in every couple of hours, although they don&#8217;t actually get into the PC as stated. So what I need is an app that logs connections, as I cannot be at the system and wait for it to happen. The girl at the PC will call me right after a connection is attempted, at which point I would log in, stop the logging and look for the IP, port, and any other relevant info. Great suggestion though, and thanks for the comment!</p>
<p>NS</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Labnuke99</title>
		<link>http://itknowledgeexchange.techtarget.com/information-technology/wireshark-and-wireshark-portable/#comment-2</link>
		<dc:creator>Labnuke99</dc:creator>
		<pubDate>Fri, 14 Nov 2008 12:54:09 +0000</pubDate>
		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/information-technology/wireshark-and-wireshark-portable/#comment-2</guid>
		<description>Be sure to have at least v4.1.2 of VNC installed. Some of the older versions have a vulnerability that can be exploited such that an attacker can connect without any authentication. 

The Sysinternals tool [A href="http://live.sysinternals.com/Tcpview.exe"]tcpview[/A] may be a quicker, easier solution than using Wireshark. It will show the running applications/processes, protocol, local address, remote address and port state. This may be an easier tool to use than looking through lots of Wireshark traces. I am using Wireshark though to track down a slow telnet login problem. 

netstat -an will also give you what ports have active and listening connections. The output is similar to this:
[I]
  TCP    127.0.0.1:1075         127.0.0.1:27015        ESTABLISHED
  TCP    127.0.0.1:1122         127.0.0.1:9051         ESTABLISHED
  TCP    127.0.0.1:1123         127.0.0.1:1124         ESTABLISHED
  TCP    127.0.0.1:1124         127.0.0.1:1123         ESTABLISHED
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9051         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9051         127.0.0.1:1122         ESTABLISHED
  TCP    127.0.0.1:11469        127.0.0.1:11470        ESTABLISHED
  TCP    127.0.0.1:11470        127.0.0.1:11469        ESTABLISHED
  TCP    127.0.0.1:11471        127.0.0.1:11472        ESTABLISHED
  TCP    127.0.0.1:11472        127.0.0.1:11471        ESTABLISHED
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:27015        127.0.0.1:1075         ESTABLISHED
  TCP    192.168.37.1:139       0.0.0.0:0              LISTENING
  TCP    192.168.92.1:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1025           *:*
  UDP    0.0.0.0:1026           *:*
  UDP    0.0.0.0:1027           *:*
  UDP    0.0.0.0:1028           *:*
  UDP    0.0.0.0:1029           *:*
  UDP    0.0.0.0:1532           *:*
  UDP    0.0.0.0:1533           *:*
  UDP    0.0.0.0:1534           *:*
  UDP    0.0.0.0:1535           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:8085           *:*
  UDP    0.0.0.0:8086           *:*[/I]</description>
		<content:encoded><![CDATA[<p>Be sure to have at least v4.1.2 of VNC installed. Some of the older versions have a vulnerability that can be exploited such that an attacker can connect without any authentication. </p>
<p>The Sysinternals tool <a href="http://live.sysinternals.com/Tcpview.exe">tcpview</a> may be a quicker, easier solution than using Wireshark. It will show the running applications/processes, protocol, local address, remote address and port state. This may be an easier tool to use than looking through lots of Wireshark traces. I am using Wireshark though to track down a slow telnet login problem. </p>
<p>netstat -an will also give you what ports have active and listening connections. The output is similar to this:<br />
<i><br />
  TCP    127.0.0.1:1075         127.0.0.1:27015        ESTABLISHED<br />
  TCP    127.0.0.1:1122         127.0.0.1:9051         ESTABLISHED<br />
  TCP    127.0.0.1:1123         127.0.0.1:1124         ESTABLISHED<br />
  TCP    127.0.0.1:1124         127.0.0.1:1123         ESTABLISHED<br />
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING<br />
  TCP    127.0.0.1:8118         0.0.0.0:0              LISTENING<br />
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING<br />
  TCP    127.0.0.1:9051         0.0.0.0:0              LISTENING<br />
  TCP    127.0.0.1:9051         127.0.0.1:1122         ESTABLISHED<br />
  TCP    127.0.0.1:11469        127.0.0.1:11470        ESTABLISHED<br />
  TCP    127.0.0.1:11470        127.0.0.1:11469        ESTABLISHED<br />
  TCP    127.0.0.1:11471        127.0.0.1:11472        ESTABLISHED<br />
  TCP    127.0.0.1:11472        127.0.0.1:11471        ESTABLISHED<br />
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING<br />
  TCP    127.0.0.1:27015        127.0.0.1:1075         ESTABLISHED<br />
  TCP    192.168.37.1:139       0.0.0.0:0              LISTENING<br />
  TCP    192.168.92.1:139       0.0.0.0:0              LISTENING<br />
  UDP    0.0.0.0:445            *:*<br />
  UDP    0.0.0.0:500            *:*<br />
  UDP    0.0.0.0:1025           *:*<br />
  UDP    0.0.0.0:1026           *:*<br />
  UDP    0.0.0.0:1027           *:*<br />
  UDP    0.0.0.0:1028           *:*<br />
  UDP    0.0.0.0:1029           *:*<br />
  UDP    0.0.0.0:1532           *:*<br />
  UDP    0.0.0.0:1533           *:*<br />
  UDP    0.0.0.0:1534           *:*<br />
  UDP    0.0.0.0:1535           *:*<br />
  UDP    0.0.0.0:4500           *:*<br />
  UDP    0.0.0.0:8085           *:*<br />
  UDP    0.0.0.0:8086           *:*</i></p>
]]></content:encoded>
	</item>
</channel>
</rss>