About Wireshark

By ndveitch
Hi There,

I have a very strange question to ask: is it possible for a virus or malware to be intelligent enough to stop working should an analyzer be used to track it? I ask this as there seems to be something funny happening on my Exchange Server 2003. The queue would shoot up and not come down for a while. When I asked my ISP for an IP stat, it looked like I had many MB of HTTP traffic going over my diginet line.

Oh yes, my Exchange connection to my ISP is over a 256 kb diginet line. My ISP manages the traffic on the line and can give me readouts of what type of traffic is on my diginet line, but that is all.

Getting back to my question, this morning when I got into the office, I noticed at around 9:45 that the mail queue was filling up and that my diginet line was maxed out. I decided to try my hand at Wireshark, as I am still a novice when it comes to protocol analyzers, but you have to start somewhere. Anyway, I used Wireshark to get a capture of all the traffic, then about 10 min later the queue was finished and the line was no longer maxed out.

Then at 1:30 today I noticed that the line was maxing out again and the queue was filling up, so after about 15 min of monitoring the line there was no real change. So I ran Wireshark again and, just like before, the queue was empty a few minutes later. It just doesn't make any sense.

Could it just be that my timing happened to coincide with the line freeing up, or could there be some reason as to why, after running Wireshark for a minute, the line cleared up? It just doesn't make any sense, well, to me at the moment it doesn't make any sense.

Is there somewhere I could go to get information on how to solve this question?

Thanks in advance :)

All Answers

Well in Theory it's possible I suppose

by OH Smeg Moderator In reply to About WireShark

But in practice I think you'll find that any infection is unlikely to work 100% of the time if it is a mass-mailing type thing. It should hit the mail servers hard once or twice a day to get out what it wants and then sit in the background doing nothing but communicating with its controlling servers.

That way it gets to live a lot longer, as it's possible to be overlooked as normal network load and not have some admin start looking for infections.

But the times that you mention may also coincide with what businesses would consider as high-load times: just after the bulk of the employees start, and then again after their lunch breaks have ended. I would expect another high-load condition just before knock-off time as well. That of course implies that there are many workers who work office hours where you are.

What happens if you leave Wireshark Running?

Also what does your ISP say is the Traffic on the Line?


Info from my ISP

by ndveitch In reply to Well in Theory it's possi ...

The info I got from my ISP was that there was a lot of HTTP traffic. Other than that they can't really help me much.

We do have a lot of users in the office, yet I dismissed that as it seemed to be only on that day. I have not tried running Wireshark overnight or for a length of time, as I'm still learning about protocol analysis and was unsure if it would be wise to run it over a period of time.

I have been keeping an eye on my traffic today and there doesn't seem to be any strange network traffic, then again there is one machine that I suspect could be a problem but the user is only back in the office tomorrow. If there is a spike in network traffic again when the user is back I will investigate further.

Just in the meantime I'm keeping Spybot and Symantec Endpoint Protection updated, just to be on the safe side, but aside from that I'm not too sure if there is anything else I could do.

Thank-you for your input and I will re-post should the situation change.


Well you could look in on this TR Blog

by OH Smeg Moderator In reply to Info from my ISP

It's a blog and discussion on the use of rescue discs to clean infected systems.


HTTP isn't SMTP or POP3 mail

by CG IT In reply to Info from my ISP

so your mail isn't what is causing the amount of bytes allotted to you to be chewed up.

Depending upon your perimeter router's capabilities, you could monitor traffic using something like syslog. Capture some in and out traffic, run some reports and find out who is using the most web traffic.

While Wireshark is a pretty cool packet capture program, you're not trying to analyze packets, but rather to find out who is using the Internet the most.

I would look at traffic monitoring software that can create reports by IP of how much Internet traffic is used, rather than packet analysis.
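An added example, not part of this thread or any poster's own tooling, that does the two things suggested above in one pass: OH Smeg's point that the spikes may just be business-hours load (so bucket the volume by time of day and see whether it lines up with 9:45 and 13:30), and CG IT's point that the question is "who is using the most web traffic" rather than "what is in the packets" (so total bytes per internal source IP for HTTP/HTTPS destinations and rank them). The syslog-style flow records are constructed for illustration; the field layout (`src=`, `dst=`, `dport=`, `bytes=`) is an assumption, and the regex is the only thing you need to change to match what your router or firewall actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall/router syslog-style flow records. This is NOT
# data from the original post, and the field layout is an assumption made for
# this example; adapt FLOW_RE to the format your perimeter device really logs.
SAMPLE_LOG = """\
2009-03-03T09:41:05 fw1 flow src=10.0.0.15 dst=203.0.113.7 proto=tcp dport=80 bytes=1204330
2009-03-03T09:43:12 fw1 flow src=10.0.0.22 dst=198.51.100.4 proto=tcp dport=443 bytes=88210
2009-03-03T09:44:51 fw1 flow src=10.0.0.15 dst=203.0.113.9 proto=tcp dport=80 bytes=2288001
2009-03-03T09:47:30 fw1 flow src=10.0.0.15 dst=203.0.113.7 proto=tcp dport=80 bytes=1710020
2009-03-03T09:48:02 fw1 flow src=10.0.0.31 dst=192.0.2.25 proto=tcp dport=25 bytes=40311
2009-03-03T13:29:10 fw1 flow src=10.0.0.15 dst=203.0.113.11 proto=tcp dport=80 bytes=3002200
2009-03-03T13:33:45 fw1 flow src=10.0.0.8 dst=198.51.100.4 proto=tcp dport=443 bytes=51000
2009-03-03T13:36:01 fw1 flow src=10.0.0.15 dst=203.0.113.11 proto=tcp dport=80 bytes=2501000
2009-03-03T15:10:22 fw1 flow src=10.0.0.22 dst=198.51.100.9 proto=tcp dport=80 bytes=120500
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ flow src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)
HTTP_PORTS = {80, 443}   # what the ISP reports as "HTTP traffic"
BUCKET_MINUTES = 15      # coarse enough to see a morning/after-lunch pattern


def parse_flow(line):
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def bucket_of(ts):
    """Floor a timestamp to the start of its BUCKET_MINUTES window."""
    floored = ts.minute - ts.minute % BUCKET_MINUTES
    return ts.replace(minute=floored, second=0, microsecond=0)


def summarize_http(log_text):
    """Return (bytes per internal source IP, bytes per time bucket), counting
    only flows whose destination port is an HTTP(S) port. SMTP and everything
    else is skipped, since the ISP's figure was specifically HTTP volume."""
    per_ip = defaultdict(int)
    per_bucket = defaultdict(int)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] not in HTTP_PORTS:
            continue
        per_ip[flow["src"]] += flow["bytes"]
        per_bucket[bucket_of(flow["ts"])] += flow["bytes"]
    return dict(per_ip), dict(per_bucket)


def top_talkers(per_ip, n=3):
    """Rank internal hosts by HTTP bytes, largest first."""
    return sorted(per_ip.items(), key=lambda kv: kv[1], reverse=True)[:n]


def share_of_top(per_ip):
    """(ip, fraction of all HTTP bytes) for the biggest talker. A single host
    owning most of the volume points at one machine, not at office-hours load."""
    total = sum(per_ip.values())
    if total == 0:
        return None, 0.0
    ip, nbytes = top_talkers(per_ip, 1)[0]
    return ip, nbytes / total


if __name__ == "__main__":
    ips, buckets = summarize_http(SAMPLE_LOG)
    print("Top HTTP talkers:")
    for ip, nbytes in top_talkers(ips):
        print(f"  {ip:15} {nbytes / 1e6:8.2f} MB")
    print("HTTP bytes per 15-minute window:")
    for when, nbytes in sorted(buckets.items()):
        print(f"  {when:%H:%M}  {nbytes / 1e6:8.2f} MB")
    ip, share = share_of_top(ips)
    print(f"{ip} accounts for {share:.0%} of HTTP volume")
```

On the constructed sample the 09:30 and 13:15/13:30 windows carry almost all of the volume, which on its own looks like OH Smeg's business-hours pattern; the per-IP ranking is what separates the two explanations, because one host carries over 95% of it. Feed the script a full day of real records from the perimeter device and compare the same two views before deciding whether to chase an infection or a capacity problem.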


Isn't HTTP traffic due to OWA

by ndveitch In reply to HTTP isn't SMTP or POP3 m ...

We had assumed that the HTTP traffic could have been OWA traffic as most of the users either connect using Entourage or remotely which uses our OWA address.

I will definitely look into the network monitoring software. I am looking at implementing an Untangle firewall solution, but the email traffic goes out over a different connection to my normal DSL traffic.

I am also going to look into the rescue CDs, as I am a big fan of Hiren's and I use it often.

Thank-you for all the advice.


Why you need monitoring program rather than packet capture

by CG IT In reply to Isn't HTTP traffic due to ...

Unless your entire office is remote, OWA isn't going to generate so much traffic that your ISP starts throttling you.

If you have remote users who can then use the office's Internet connection, then I can see large HTTP traffic.
