Terms of Use For FixedByVonnie

By proceeding to access fixedByVonnie.com, you expressly acknowledge, and agree to, all of the following:

fixedByVonnie.com is a personal website and blog owned by Security Plus Pro LLC, which is being presented for informational purposes only. The views on this website are solely those of the website owner (and not those of any employer or of any professional associations affiliated with the website owner).  Any views expressed in this website and any information presented on this website, or in any of its blog entries, should not be relied on for any purpose whatsoever other than as the personal opinions of the website owner.  The website owner expressly disclaims any and all liability for any information presented on this site.  The owner of this website and its blog posts shall not be held liable, and shall be held harmless, for any errors or omissions in any information or representations contained in this website, or in any of its blog entries.  The website owner also expressly disclaims any liability for the current or future availability of any such information. The website owner makes no representations as to the accuracy or completeness of any information on this website or which may be found by following any link on this website. The website owner shall not be held liable for any losses, injuries, damages, claims, or causes of action, from the display or use of any information on this website or in any of its blog entries. If you use the information on this website, or on any of its blog entries, you do so solely at your own risk.

Wireshark 303: Finding malicious traffic on your network - fixedByVonnie

Wireshark 303: Finding malicious traffic on your network

Let’s say you and I went out to the local bar down the road and threw back a few beers.  We would get to know each other.  You would ask me what I do for a living, how’s the blog and if I had any brothers or sisters.  And I would ask you about your hobbies, whether you have a family and your role at your current company.

And let’s say during our little interaction I discover that you’re the Senior Network Engineer at a large financial firm in New York City.  You begin telling me how much you love your job, the benefits and salary.  And then I ask you the million dollar question…

Have you taken a baseline of your network?

That’s the question isn’t it?

And what should I expect to hear?

Um, no.  We don’t have time for that.

Why a baseline is so important

How can you expect to identify anomalous network activity unless you’ve studied normal activity?

For example, let’s say you have two hosts plugged into two switchports in the same VLAN. (broadcast domain)  And the two hosts are exchanging files.  If you setup a packet capture on a trunk link you woudln’t expect to see any traffic from those hosts.  Why?  Because they are on the same broadcast domain; therefore, there’s no reason why a layer 2 ethernet frame should pass over the trunk link.  The hosts will simply use unicast layer 2 physical addresses to exchange data.

What you would expect to see depends on where you capture the data and how you capture it.  If you setup a packet capture on the host you may get a different result then if you set it up on the default gateway.

Detecting malicious traffic without a baseline

But you don’t have a baseline.

Heck, the only time you use that word is when you’re playing a pickup basketball game on the weekends.

Even without a standard of normal network behavior we can still use our networking skills to identify suspicious activity.  We’re g

That creepy smiley guy in the cubicle

You know that creepy smiley guy in the cubicle next to you?  Yeah, he’s up to no good.

If he wanted to scan the network for vulnerabilities he could send a sweeping ping request to all hosts in the local subnet and then analyze the ICMP echo reply messages.  But not all devices respond to Ping.  So what’s the next option?

NMAP is the next option.

With NMAP you can send a send a TCP SYN request to port 80, you’ll send back a SYN/ACK if you’re running port 80.  IT’s a slightly more covert way of probing the network for open ports.

So today I want to show you how to detect this sort of thing in Wireshark.

In this demonstration I’ve got a Windows XP SP3 machine at and I’m using NMAP on Kali Linux ( to do some reconnaissance.  We’ll analyze the packet captures and I’ll show you exactly what you should never see on your network!

Let’s go!

Getting nasty with NMAP

Let’s start with the basics.


NMAP scan

I setup a packet capture on the link between our victim’s computer and the switchport.

Then on my capture machine, which is a Mac running Yosemite, I right-clicked the packet list area and choose Conversation Filter and picked UDP.

This is a quick way to zero in on a specific PDU type.

Lookie here:

Wireshark discover frame

Ohh, what’s this?  It looks like the host with MAC address 08:00:27:a7:79:8b is trying to scan using a weird protocol called Canon BJNP.


So this is a quick way to something fishy is going on.

The Bottom Line

The best approach to identifying malicious traffic in Wireshark is to compare the suspect capture file against a baseline capture.  If you don’t have a capture, you can still do a live capture on the wire but tracking anomalous results will definitely be harder.  Sometimes it’s easy like in the example I showed above but other times you’ll really need to dig.

Have you found anything weird on your networks using Wireshark?  Let me know in the comments!


Connect with Vonnie on Twitter

Posted in Linux, Mac OS X 10.10 Yosemite, Mac OS X 10.8 Mountain Lion, Mac OS X 10.9 Mavericks, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Vista, Windows XP Tagged with: , , , ,