The Real (and Virtual) Adventures of Nathan the IT Guy

Nov 14 2008   4:05AM GMT

Wireshark and Wireshark Portable

Nathan Simon

“Wireshark is an award-winning network protocol analyzer developed by an international team of networking experts.”

One of the best network analysis tools out there, bar none; veterans will know it by its former name, Ethereal.

Well, today I got a call from a client: she has been having issues where someone seemed to be connecting to her PC without her authorization. WinVNC is on the machine, and it is secured with a password. The TCP port is open, and the Java port is also open on a slightly different port. Part of the solution is to lock it down, so I set VNC to prompt when someone connects to the PC, which was fine; whoever was always connecting cannot connect anymore, although they still try to, and she just denies it. How would one go about finding the culprit? Well, I would say use Wireshark!

With Wireshark you can analyze a connection, in this case a 3Com NIC. What Wireshark will do is capture every packet that comes through that card, so if a person or machine tries to connect to her machine, we'll know about it. The program will analyze the packets and can use DNS to convert IPs to names, making it slightly easier. So let's say someone inside the network is playing a joke on her... well, tomorrow when I have Wireshark running and logging all connections to and from her PC, whatever IP is trying to access her PC on either of the ports in this situation will be identified via IP and hostname.
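Since the point is to leave the capture running and read it back later, here is an added example (not from the post) that reduces a Wireshark/tshark field export to one line per remote host: how many fresh connection attempts it made to the VNC ports, when the first and last were, and its DNS name. The port numbers (5900 for VNC, 5800 for the Java viewer), the tshark command and the sample lines are assumptions, not taken from the post.

```python
import socket
from collections import defaultdict
from datetime import datetime, timezone

# Assumed capture command (not from the post); each output line is tab-separated:
#   tshark -i <nic> -f "tcp dst port 5900 or tcp dst port 5800" \
#       -T fields -e frame.time_epoch -e ip.src -e tcp.dstport -e tcp.flags
VNC_PORTS = {5900, 5800}  # assumed: default RFB port and Java-viewer port
SYN, ACK = 0x002, 0x010

# Constructed sample export: one host keeps knocking on the VNC ports, another only talks to port 80.
SAMPLE = """\
1226632800.10\t192.168.1.23\t5900\t0x0002
1226632800.11\t192.168.1.23\t5900\t0x0010
1226632805.00\t192.168.1.40\t80\t0x0002
1226640000.52\t192.168.1.23\t5800\t0x0002
1226647200.07\t192.168.1.23\t5900\t0x0002
"""

def parse_attempts(text, ports=VNC_PORTS):
    """Return {src_ip: [epoch, ...]} for bare SYNs (fresh connection
    attempts) aimed at the given ports; SYN/ACK and data packets are skipped."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dport, flags = line.split("\t")
        flags = int(flags, 16)
        if int(dport) in ports and flags & SYN and not flags & ACK:
            attempts[src].append(float(ts))
    return dict(attempts)

def dns_name(ip):
    """Reverse-resolve like Wireshark's name resolution; '-' if no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "-"

def summarise(attempts, resolver=None):
    """One line per source: attempt count, first/last time (UTC), hostname.
    resolver is a callable ip -> name; None skips DNS so this runs offline."""
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    rows = []
    for src, times in sorted(attempts.items()):
        name = resolver(src) if resolver else "-"
        rows.append(f"{src:<15} {name:<20} attempts={len(times)} "
                    f"first={fmt(min(times))} last={fmt(max(times))}")
    return rows
```

Run `summarise(parse_attempts(SAMPLE), resolver=dns_name)` against a real export to get the per-host report; only the host hitting 5900/5800 shows up, with three attempts spread over several hours.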

There are two revisions of Wireshark, or rather two types: installable and portable.

You can download them from here. I myself like the portable one: you can have it on a USB stick, and it installs WinPcap when in use and uninstalls it when you quit the app.

If anyone has ANY questions, please feel free to leave a comment! You can also check out the FAQ here.


2 Comments on this Post

  • Labnuke99
    Be sure to have at least v4.1.2 of VNC installed. Some of the older versions have a vulnerability that can be exploited such that an attacker can connect without any authentication. The Sysinternals tool TCPView may be a quicker, easier solution than using Wireshark. It will show the running applications/processes, protocol, local address, remote address and port state. This may be an easier tool to use than looking through lots of Wireshark traces. I am using Wireshark though to track down a slow telnet login problem. netstat -an will also give you what ports have active and listening connections. The output is similar to this: [netstat -an listing not preserved in the page; only the protocol and state columns (TCP ESTABLISHED, TCP LISTENING, UDP *:*) survived]
    32,960 points
  • Nathan Simon
    You are correct, I could use TCPView, although this rogue person tries to log in every couple of hours, although they don't actually get into the PC, as stated. So what I need is an app that logs connections, as I cannot be at the system and wait for it to happen. The girl at the PC will call me right after a connection is attempted, at which point I would log in, stop the logging and look for the IP, port, and any other relevant info. Great suggestion though, and thanks for the comment! NS
    700 points
