Using Wireshark to track a botnet
Security researchers have written a Wireshark dissector that will decrypt the command and control protocol used by the Mariposa botnet. More information at Palo Alto Networks and Defence Intelligence.
Comments
Comment by ManOnFire on 2009-11-02 08:05:48 +0000
Anyone have a packet capture for Mariposa C&C? I would like to test the decryption plugin. Thanks!
Comment by Gerald Combs on 2009-11-04 13:47:55 +0000
You might try contacting Palo Alto Networks or Defence Intelligence. I don’t see any capture file downloads on either site.
Fluffy Shark
Categories: Pictures
Reader Ro sent in the following pictures:
See the complete set at Flickr. The shark-with-a-tube-of-frosting frightens and confuses me.
Comments
Comment by maddy on 2009-10-27 12:00:08 +0000
I have the Wireshark analyzer installed on my laptop. When I start to capture interface packets, it shows me the packets of every desktop on my entire network/subnet, which do not belong to my IP either.
My PC's IP is 10.173.X.34, but you can see the other desktops' traffic too, which is not related to my laptop. Can you please help me understand why this is happening?
Comment by Gerald Combs on 2009-10-28 11:44:57 +0000
That sounds like what you should normally see when you capture on a LAN connected via a hub. Even in a switched environment you will see spillover from time to time, such as broadcast or multicast packets, or unicast packets to destinations that the switch hasn’t yet learned.
I’m hoping to have a video out in the next few weeks that shows what happens when you capture on hubs vs switches. Hopefully it will explain what you’re seeing.
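The hub-versus-switch explanation above can be checked against a capture by sorting each frame on its destination MAC, which is the field a hub or switch actually forwards on (not the IP address). The following script is an added example written for this thread, not code from the post or from the Wireshark project; MY_MAC, MY_IP, the peer addresses and the four sample frames are constructed, and the commenter's redacted 10.173.X.34 is filled in with made-up octets. It builds minimal Ethernet/IPv4 frames, classifies each one as broadcast, multicast, unicast to this host, or unicast to some other station, and tallies the result; a large share in the last bucket is what a hub, or a switch flooding unlearned destinations, produces.

```python
from __future__ import annotations

import ipaddress
import struct

# Assumed identity of the capturing laptop; 10.173.X.34 is the commenter's
# redacted address, so the last two octets here are made up.
MY_MAC = bytes.fromhex("001122334455")
MY_IP = ipaddress.IPv4Address("10.173.0.34")
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Construct a minimal Ethernet II frame with a 20-byte IPv4 header and no payload."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol (17 = UDP), checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def classify_frame(frame: bytes, my_mac: bytes = MY_MAC) -> str:
    """Say why a captured frame reached this NIC. Forwarding decisions are made on the
    destination MAC, so the IP header is irrelevant here: broadcast and multicast go to
    every port; unicast to another station means a hub, or a switch flooding a frame
    whose destination it has not learned yet."""
    if len(frame) < 14:
        return "truncated"
    dst_mac = frame[0:6]
    if dst_mac == b"\xff" * 6:
        return "broadcast"
    if dst_mac[0] & 0x01:            # I/G bit set: group (multicast) address
        return "multicast"
    if dst_mac == my_mac:
        return "unicast-to-me"
    return "unicast-to-other-station"


def summarize(frames: list[bytes]) -> dict[str, int]:
    """Count frames per category for a whole capture."""
    counts: dict[str, int] = {}
    for f in frames:
        cat = classify_frame(f)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed capture: four frames sent by a neighbour 10.173.0.50 (MAC aa:bb:cc:dd:ee:ff)
PEER_MAC = bytes.fromhex("aabbccddeeff")
SAMPLE_FRAMES = [
    build_frame(b"\xff" * 6, PEER_MAC, "10.173.0.50", "10.173.255.255"),                 # broadcast
    build_frame(bytes.fromhex("01005e000001"), PEER_MAC, "10.173.0.50", "224.0.0.1"),   # multicast
    build_frame(MY_MAC, PEER_MAC, "10.173.0.50", "10.173.0.34"),                         # for this laptop
    build_frame(bytes.fromhex("00aabbccdd01"), PEER_MAC, "10.173.0.50", "10.173.0.77"), # someone else's
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

The same split can be made in Wireshark itself with display filters such as `eth.dst == ff:ff:ff:ff:ff:ff` for broadcast and `eth.dst.ig == 1` for any group address; whatever is left that is not addressed to your own MAC is the spillover Gerald describes.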
Debugging SSL Servers Over IPv6
An old-school method of debugging TCP-based services is to use telnet:
$ telnet www.wireshark.org 80
Trying 67.228.110.120...
Connected to www.wireshark.org.
Escape character is '^]'.
HEAD / HTTP/1.0
Host: www.wireshark.org

HTTP/1.1 200 OK
Date: Fri, 16 Oct 2009 19:31:47 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=3600
Vary: Accept-Encoding
X-Slogan: Be good. You never know who's running Wireshark nearby.
Content-Length: 9628
Connection: close
Content-Type: text/html
Connection closed by foreign host.
It’s like giving your web server a big ol’ hug.
Most telnet clients do something very clever here. If you connect to a port other than 23 (or whatever getservbyname returns when you feed it “telnet”) they will disable telnet protocol negotiation and switch to line mode. This gives you a raw, line-based connection which is just the thing you need to interact with an HTTP, POP, IMAP, FTP, or NNTP server.
Adding SSL and IPv6 to the mix complicates things. I’m in the process of making Wireshark’s public-facing services available over IPv6. It would be helpful to be able to test connectivity to each service before adding its corresponding AAAA record. Standard telnet clients support IPv6, but not SSL.
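For the SSL-plus-IPv6 case the telnet trick can be reproduced in a few lines of Python, which is the added example below; it is not code from the post or from the Wireshark project. It resolves the host with getaddrinfo (restricted to AF_INET6 when asked, so the AAAA path is what gets tested), optionally wraps the TCP socket in TLS with certificate and hostname verification, sends the same two-line HEAD request, and parses the status line and headers so the check can be scripted. The function names, the SAMPLE_RESPONSE constant (trimmed from the telnet session above so the parser runs offline) and the choice of www.wireshark.org:443 as the default target are my own.

```python
from __future__ import annotations

import socket
import ssl
import sys

# Constructed sample, trimmed from the telnet session above, so the parser can be
# exercised without a network connection.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 16 Oct 2009 19:31:47 GMT\r\n"
    b"Server: Apache\r\n"
    b"Content-Length: 9628\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def build_head_request(host: str, path: str = "/") -> bytes:
    """The two lines typed into telnet above plus the blank line that ends the request;
    HTTP/1.0 so the server closes the connection once the headers are sent."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response_head(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header dict) from a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").splitlines()
    if not lines:
        raise ValueError("empty response")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed header lines instead of aborting the check
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def head_check(host: str, port: int, use_tls: bool,
               family: int = socket.AF_UNSPEC, timeout: float = 10.0) -> tuple[int, dict[str, str]]:
    """Connect over TCP (IPv6 only when family=socket.AF_INET6), optionally start TLS,
    send HEAD and return the parsed response. Each resolved address is tried in turn."""
    last_err: OSError | None = None
    for af, socktype, proto, _canon, sockaddr in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
        sock = socket.socket(af, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            if use_tls:
                # The default context verifies the chain and the hostname and sends SNI.
                sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            sock.sendall(build_head_request(host))
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return parse_response_head(b"".join(chunks))
        except OSError as exc:  # covers ssl.SSLError and socket.timeout as well
            last_err = exc
        finally:
            sock.close()
    raise last_err if last_err else OSError(f"no addresses found for {host}")


if __name__ == "__main__":
    # Usage: python head_check.py www.wireshark.org 443
    target = sys.argv[1] if len(sys.argv) > 1 else "www.wireshark.org"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    status, hdrs = head_check(target, port, use_tls=(port == 443), family=socket.AF_INET6)
    print(f"{target} over IPv6: HTTP {status}, Server={hdrs.get('server', '?')}")
```

Running it against a host that has no AAAA record fails inside getaddrinfo, and a certificate that does not match the name fails inside wrap_socket, which is exactly the two things worth knowing before the AAAA record is published.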