Asked by benthomas
Wireshark Help

Afternoon all,

I need some assistance with Wireshark if anyone is available?

Quick summary:
We have a client network of more than 1000 machines on 3 VLANs, all should be patched with the latest MS patches and are running ESET, however one machine (or more) is infected with Conficker and occasionally 'bursts' through the network. ESET detects and stops the reinfection, but obviously each time a warning comes up the client freaks and goes into a panic.
Unfortunately the ESET logs (on server and client) do not contain any info on the source of the infection, even with logging set to Level 5.

I'm looking to use something like Wireshark to sniff the network and hopefully identify the machine(s) in question so I can clean/patch them, but my Wireshark knowledge is very limited.

If anyone can help that will be greatly appreciated!

PS.
I've already tried the McAfee/Retina network scanners, the ESET Conficker remover on logon scripts, etc.
ASKER CERTIFIED SOLUTION
itnetworkn
Hi benthomas,

Using Wireshark, you will only detect this kind of packet if the infected machines issue broadcast packets as a result of the infection, since that's what the machine with Wireshark would receive. Additionally, assuming you have over 300 hosts per VLAN, it will be hard to detect specific infected machines unless the number of broadcast messages they generate is high. It would also be helpful to identify what kind of protocol is used when the machine 'bursts' through the network, since we can filter it in Wireshark.

Now, does this burst affect all 3 VLANs? How often does it happen? Your network engineer might be able to help, since he can SPAN many switch ports into another one and run Wireshark on that specific port to detect non-broadcast bursts. He might also be able to detect these bursts and where they come from by looking at interface counters.

When these bursts happen, how long does ESET take to detect and stop the burst?
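One way to turn the answer's "filter it and look for the source" idea into a repeatable check, as an added example that is not part of this thread: Conficker spreads over SMB (TCP 445, the MS08-067 vector), so from a SPAN port you can export SMB connection attempts with tshark and rank sources by how many distinct hosts each one contacts in a short window; the bursting machine stands out from normal file-server users. The tshark command in the docstring is real, but the sample rows, the 10-second window and the fan-out threshold of 5 are assumptions constructed for this example.

```python
"""Rank capture sources by SMB fan-out to spot a scanning (Conficker-style) host.

Input rows are what tshark emits for SMB connection attempts (SYN only) with:
  tshark -r burst.pcap -Y "tcp.dstport == 445 && tcp.flags.syn == 1 && tcp.flags.ack == 0" \
         -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
The rows below are CONSTRUCTED sample data, not a real capture.
"""
from collections import defaultdict

SAMPLE_LINES = [
    "1.0\t10.1.1.20\t10.1.1.5\t445",   # normal user talking to the file server
    "2.0\t10.1.1.20\t10.1.1.5\t445",
    "5.0\t10.1.3.9\t10.1.1.5\t445",    # another user, two servers
    "6.0\t10.1.3.9\t10.1.1.6\t445",
    "120.0\t10.1.1.20\t10.1.1.5\t445",
] + [
    # constructed burst: one host hits eight neighbours on 445 within 1.4 s
    f"{30 + 0.2 * i:.1f}\t10.1.2.77\t10.1.1.{i}\t445" for i in range(1, 9)
]
SAMPLE = "\n".join(SAMPLE_LINES)


def parse_lines(text):
    """Parse tab-separated tshark field output into (time, src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port = line.split("\t")
        rows.append((float(t), src, dst, int(port)))
    return rows


def fan_out_by_source(rows, window=10.0):
    """For each source, the largest number of distinct destinations it contacted
    inside any `window`-second span. Quadratic per source, fine for burst-sized exports."""
    per_src = defaultdict(list)
    for t, src, dst, _port in rows:
        per_src[src].append((t, dst))
    result = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for t0, _ in events:
            dsts = {d for t, d in events if t0 <= t < t0 + window}
            best = max(best, len(dsts))
        result[src] = best
    return result


def suspects(rows, window=10.0, threshold=5):
    """Sources whose fan-out reaches `threshold` (assumed cut-off) in some window."""
    return sorted(s for s, n in fan_out_by_source(rows, window).items() if n >= threshold)


if __name__ == "__main__":
    print(suspects(parse_lines(SAMPLE)))  # expected: ['10.1.2.77']
```

Hosts that legitimately fan out on 445 (backup servers, patch management, vulnerability scanners such as the Retina scans mentioned in the question) will also score high, so check the list against known infrastructure before cleaning anything.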
I think I answered your question. Is there anything else I can help with?
Your question was "I'm looking to use something like Wireshark to sniff the network and hopefully identify the machine(s) in question so I can clean/patch it but my Wireshark knowledge is very limited." I believe I answered your question, and even followed up with how I could help further.
Southmod - I believe I answered the poster's questions in "http:#33721148". I followed up to ask if I could help further, and did not get a response. I would like to be awarded the appropriate points that were offered in this question. If I can help further I am more than willing to do so. Thank you.