Wireshark mailing list archives

Re: Finding an intruder


From: Anne Blankert <anne.blankert () geodan nl>
Date: Thu, 15 Dec 2016 03:39:58 +0100

Hi, there is no 'standard' way to filter 'problem' traffic. However, if the
problem is the AMOUNT of traffic, then just a small sample might suffice.
Ask your friend to do nothing specific on her computer(s) and collect
network traffic for a few minutes. Analyse the data manually to see what is
the type, the source, and the destination of most of the data captured.

How much is the data cap? Divide that by 30 (days) times 24 (hours) times
60 (minutes) and you know how much per minute that is. Does the size of the
capture per minute amount to more than this limit?

Anneb

2016-12-15 3:06 GMT+01:00 Steve Matzura <sm () noisynotes com>:

New to the list, been using some version of the Shark way back to
Ethernim days, so I'm familiar with its capabilities. It's become
quite sophisticated lately, hence the following problem description
and question.

A friend has a cable Internet provider with data caps. Lately, he's
been getting nastygrams from them that he's exceeded those caps, and
it's only two weeks into his billing month. Something somewhere is
sending and receiving tremendous amounts of data, and I've been tasked
to find out what's doing it. So, should I just run Wireshark and
capture everything, collect some ridiculous amount of data and
hand-analyze it, or might there be a convenient filter out there in
Wireshark cyberspace land that could help me narrow the field and nail
the culprit? Antivirus, antimalware, antispyware scans all come up
clean and green, the DHCP client list on the router has no unknown
devices in it, we're stumped, so I'm turning to the best network
monitoring tool I know to help me dig this one out.

Thanks in advance.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
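Anne's suggested procedure, written out as a script. This is an added example for this archive page, not code from the thread or from the Wireshark project. It assumes the short capture has been exported with `tshark -r capture.pcapng -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e _ws.col.Protocol` (tab-separated, one frame per line); the sample lines, addresses and sizes below are constructed for the example. It totals bytes per conversation, per host and per protocol so the biggest consumer stands out, then compares the observed bytes per minute with the monthly cap spread evenly over 30 days, exactly the division Anne describes.

```python
"""Summarise a few minutes of capture: what kind of traffic, between which
hosts, and does the observed rate exceed the monthly cap spread over the month?

Expected input is the tab-separated output of
  tshark -r capture.pcapng -T fields -e frame.time_epoch -e ip.src -e ip.dst \
         -e frame.len -e _ws.col.Protocol
"""
from collections import defaultdict

# Constructed sample in the layout `tshark -T fields` emits for those fields.
# Addresses (documentation ranges) and sizes are invented for this example.
SAMPLE_FIELDS = """\
1481770800.000\t192.168.1.10\t203.0.113.5\t1514\tTLSv1.2
1481770810.000\t203.0.113.5\t192.168.1.10\t1514\tTLSv1.2
1481770830.000\t192.168.1.20\t198.51.100.7\t60\tDNS
1481770860.000\t192.168.1.20\t198.51.100.7\t1514\tTCP
1481770900.000\t203.0.113.5\t192.168.1.10\t1514\tTLSv1.2
1481770920.000\t192.168.1.20\t198.51.100.7\t1514\tTCP
"""


def parse_fields(text):
    """Turn tshark field lines into (time, src, dst, frame_len, proto) tuples.
    Frames without IP addresses (ARP and the like) have empty columns; skip them."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 5 or not cols[1] or not cols[2]:
            continue
        records.append((float(cols[0]), cols[1], cols[2], int(cols[3]), cols[4]))
    return records


def summarize(records):
    """Aggregate bytes by conversation (unordered host pair), host and protocol,
    and work out the observed rate over the span of the capture."""
    by_conv = defaultdict(int)
    by_host = defaultdict(int)
    by_proto = defaultdict(int)
    for _, src, dst, length, proto in records:
        by_conv[tuple(sorted((src, dst)))] += length
        by_host[src] += length
        by_host[dst] += length
        by_proto[proto] += length
    total = sum(r[3] for r in records)
    times = [r[0] for r in records]
    duration_s = (max(times) - min(times)) if records else 0.0
    # A capture with a single timestamp has no measurable rate; report None
    # rather than dividing by zero and claiming an infinite rate.
    bytes_per_minute = total / (duration_s / 60.0) if duration_s > 0 else None
    top = lambda d: sorted(d.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "total_bytes": total,
        "duration_s": duration_s,
        "bytes_per_minute": bytes_per_minute,
        "conversations": top(by_conv),
        "hosts": top(by_host),
        "protocols": top(by_proto),
    }


def per_minute_budget(cap_bytes, days_in_month=30):
    """Monthly cap divided by 30 days x 24 hours x 60 minutes."""
    return cap_bytes / (days_in_month * 24 * 60)


def exceeds_budget(summary, cap_bytes):
    """True when the capture's observed rate alone would blow through the cap.
    Frame lengths are link-layer sizes; the provider's meter may count slightly
    differently, so treat a marginal result as inconclusive."""
    rate = summary["bytes_per_minute"]
    return rate is not None and rate > per_minute_budget(cap_bytes)


if __name__ == "__main__":
    s = summarize(parse_fields(SAMPLE_FIELDS))
    print(f"{s['total_bytes']} bytes over {s['duration_s']:.0f} s "
          f"= {s['bytes_per_minute']:.0f} bytes/min")
    print("Top conversations:", s["conversations"][:3])
    print("Top protocols:", s["protocols"][:3])
    for cap in (10**12, 100_000):  # 1 TB cap, then a deliberately tiny one
        print(f"cap {cap} bytes -> budget {per_minute_budget(cap):.1f} bytes/min,"
              f" exceeded: {exceeds_budget(s, cap)}")
```

Run it against a real export by replacing `SAMPLE_FIELDS` with the file contents; the first entry in `conversations` is the pair of hosts to look at, and `hosts` shows which LAN address carries most of it, which is the device to investigate next.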

