I watched the video and added the text and a picture from my computer here as well. I will need to watch the video again; it mentions what this "Data" actually is...
Data directly under TCP is suspicious. Open Statistics -> Protocol Hierarchy and filter: right-clicking a row opens a context menu... then open it again...
In [1]:
from IPython.display import Image
Image(filename='C:\\Users\\kiss\\Pictures\\pythonR\\susp.png')
Out[1]:
In []:
data and tcp and ip and eth and frame
Wireshark Tip 4: Finding Suspicious Traffic in Protocol Hierarchy
Published: July 20, 2013. When you suspect a host has been compromised, always open the Protocol Hierarchy window (Statistics). Look for unusual applications (such as IRC or TFTP) or the dreaded "data" right under IP, TCP or UDP.
0:01 Hi, this is Laura Chappell and this is Wireshark Tip
0:04 4. If you want to keep up on the Wireshark Tips series
0:07 you can follow me on Twitter, @LauraChappell. In this tip we're going to go
0:12 through how to look for
0:13 data in Statistics, Protocol Hierarchy.
0:17 When you suspect malicious traffic you always should look for
0:21 unusual protocols and applications, so perhaps you don't expect to see
0:25 IRC traffic in there, and you don't expect to see Trivial File Transfer
0:29 Protocol in there,
0:31 but data is also something that you want to watch for.
0:34 Remember that Wireshark has over 1000 dissectors;
0:38 it understands so many different protocols and applications
0:42 that it just feels a little unusual to have Wireshark just drop us
0:45 at data underneath either TCP or UDP
0:49 or even IP in our Protocol Hierarchy statistics.
0:53 I have opened up a trace file called HTTP
0:57 cash deal no dash EXE, and here we have someone just simply
1:01 going out to the Google website; they're going to download something,
1:06 so we see some DNS queries at the beginning:
1:10 a DNS query for an A record, an IPv4 address, and then
1:13 a DNS query for an IPv6 address as well. We see the TCP handshake and the GET
1:18 request and the OK,
1:19 et cetera. We can see that the client does go back and make additional DNS
1:24 queries along the way.
1:25 If we select Statistics and
1:29 Protocol Hierarchy, Wireshark will put all of
1:34 the protocols and applications that it understands
1:37 in a hierarchical structure. You can't sort
1:41 any of these areas in here, you can't sort on any of these columns in here, because
1:44 it is a hierarchical format,
1:46 but it might help sometimes to collapse the sections so it's
1:50 easier to understand what's going on and then expand it out from there.
1:55 And when we see the percentage of packets
1:58 and the percentage of bytes, those are percentages of
2:01 all traffic, so it's obvious in this trace file that one hundred percent of
2:06 the traffic in this trace file is IPv4 traffic.
2:10 Now I'll expand IPv4 and I can see that 4.38
2:14 percent of all the traffic in the trace file is UDP traffic,
2:18 whereas 95.62 percent of all the traffic in the trace file is TCP traffic.
2:23 When I expand UDP I can see that we have
2:26 DNS, Domain Name Service. That's great, I don't see data listed
2:30 directly underneath there, and that is what would be suspicious, if we certainly
2:35 see
2:35 data sitting right underneath UDP. Expand TCP and I can see that
2:40 underneath TCP we have HTTP and we have
2:44 SSL, and again the percentages provided there are percentages of
2:47 all of the traffic. Everything looks good
2:50 in this trace file. Now let's open up a trace file that has some suspicious traffic,
2:55 and
2:55 the trace file I'm going to open up is called sec-
2:59 sickclient, and this is a trace file that you can download from the
3:04 Wireshark
3:04 book website; it's one of the supplements for the book.
3:08 We can see already that we have some DNS traffic, we have some ICMP traffic,
3:13 we have some TCP traffic in here. I will select Statistics
3:18 and Protocol Hierarchy, and here's the dreaded
3:22 data. Notice that 100 percent of the traffic is IPv4,
3:26 and then we have some UDP traffic, that's DNS, but then directly under TCP
3:31 we see the word data. That means that Wireshark doesn't recognize the
3:35 application
3:36 that is running over TCP, so it just drops us
3:40 at data. When you see this
3:43 you can right mouse click and apply a filter based on the selected value.
3:48 Now that will automatically create a hierarchical
3:51 filter. We can read the filter; it looks unusual: it's data and tcp and ip and eth
3:56 and frame.
3:57 It looks a little strange, but it works.
4:01 Now if we look at this traffic we can see that Wireshark doesn't recognize this
4:06 port number, 18067.
4:08 The client's port number is just a dynamic port number that happens to resolve to
4:13 the word "me I'd to", but as we look through this traffic Wireshark doesn't
4:18 recognize it.
4:18 In the Protocol column it just drops TCP, but if we look down in the Packet Bytes
4:23 pane we can definitely tell that
4:25 there's USER and then L space L
4:28 L L, and then if we keep looking we can see
4:31 NICK. Keep looking, we see some more information: we see USER, HOST,
4:36 and we see JOIN. All right, so this is
4:40 IRC traffic. It's IRC traffic that's traveling over a non-standard port
4:45 number,
4:46 hence the fact that Wireshark said "I don't know what that is"
4:49 and just dropped us at data. So that's definitely something you want to watch for
4:54 when you're doing
4:54 network forensics, or even if you're troubleshooting. Watch for this
4:58 unusual indication that we have
5:01 data sitting right underneath that TCP header.
5:06 If you want to stay up on the Wireshark Tips series you can follow me on Twitter,
5:09 @LauraChappell, and for more Wireshark tips and training
5:13 it's chappellu.com.
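An added example, not from the video or this post: a toy Python model of what Statistics -> Protocol Hierarchy does over a handful of constructed packets, showing why a payload on an unknown port is left as "data" under TCP (the rows the "data and tcp and ip and eth and frame" filter selects) and how the NICK/USER/JOIN commands in the payload identify it as IRC, the check the video does by eye in the Packet Bytes pane. The port-to-protocol table, packet sizes, client port and payloads are assumptions; only the server port 18067 comes from the transcript.

```python
from collections import Counter

# Simplified stand-in for Wireshark's dissectors (port-based) and the IRC
# command strings seen in the Packet Bytes pane; both are assumptions here.
KNOWN_PORTS = {("udp", 53): "dns", ("tcp", 80): "http", ("tcp", 443): "ssl"}
IRC_COMMANDS = (b"NICK ", b"USER ", b"JOIN ")

def dissect(pkt):
    """Protocol chain for one packet; an unmatched TCP/UDP payload becomes 'data'."""
    proto, sport, dport = pkt["proto"], pkt["sport"], pkt["dport"]
    app = KNOWN_PORTS.get((proto, sport)) or KNOWN_PORTS.get((proto, dport))
    if app is None and pkt["payload"]:
        app = "data"  # no dissector claimed the payload: the dreaded "data"
    return ("eth", "ip", proto) + ((app,) if app else ())

def protocol_hierarchy(packets):
    """% packets and % bytes per chain, relative to ALL traffic, as Wireshark shows."""
    pkts, octets = Counter(), Counter()
    for pkt in packets:
        chain = dissect(pkt)
        for depth in range(1, len(chain) + 1):  # a packet counts at every level
            pkts[chain[:depth]] += 1
            octets[chain[:depth]] += pkt["size"]
    total_p, total_b = len(packets), sum(p["size"] for p in packets)
    return {c: (round(100 * pkts[c] / total_p, 2), round(100 * octets[c] / total_b, 2)) for c in pkts}

def looks_like_irc(payload):
    """The check the video does by eye: IRC commands at the start of payload lines."""
    return any(line.startswith(IRC_COMMANDS) for line in payload.split(b"\r\n"))

def suspicious_data_flows(packets):
    """Flows Wireshark would leave as 'data', each with a content-based guess."""
    flows = {}
    for pkt in packets:
        if dissect(pkt)[-1] == "data":
            key = (pkt["proto"], pkt["sport"], pkt["dport"])
            if flows.get(key) != "irc":  # one IRC-looking segment is enough to flag the flow
                flows[key] = "irc" if looks_like_irc(pkt["payload"]) else "unknown"
    return flows

# Constructed sample traffic (sizes and ports made up, except 18067 from the video).
SAMPLE = [
    {"proto": "udp", "sport": 53001, "dport": 53, "size": 70, "payload": b"\x12\x34"},
    {"proto": "udp", "sport": 53, "dport": 53001, "size": 120, "payload": b"\x12\x34"},
    {"proto": "tcp", "sport": 49321, "dport": 80, "size": 400, "payload": b"GET / HTTP/1.1\r\n"},
    {"proto": "tcp", "sport": 49322, "dport": 18067, "size": 60, "payload": b""},  # SYN, no payload
    {"proto": "tcp", "sport": 49322, "dport": 18067, "size": 110, "payload": b"NICK bot\r\nUSER a b c :d\r\n"},
    {"proto": "tcp", "sport": 49322, "dport": 18067, "size": 90, "payload": b"JOIN #chan\r\n"},
]
```

`protocol_hierarchy(SAMPLE)` reports the `("eth", "ip", "tcp", "data")` row at 33.33% of packets and 23.53% of bytes, and `suspicious_data_flows(SAMPLE)` labels the 18067 flow as IRC.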