Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Wireshark Help

Posted on 2010-09-13
8
Medium Priority
?
2,140 Views
Last Modified: 2012-05-10
Afternoon all,

I need some assistance with Wireshark if anyone is available?

Quick summery:
We have a client network of more than 1000 machines on 3 VLANS, all should be patched with latest MS patches and is running ESET, however one machine (or more) is infected with Conficker and occasionally 'bursts' through the network. ESET detects and stops the reinfection, but obviously each time a warning comes up the client freaks and goes into a panic.
Unfortunately the ESET logs (on server and client) does not contain any info on the source of the infection even with logging set to Level 5.

I'm looking to use something like Wireshark to sniff the network and hopefully identify the machine(s) in question so I can clean/patch it but my Wireshark knowledge is very limited.

If anyone can help that will be greatly appreciated!

PS.
I've already tried the McAfee/Retina network scanners, ESET conficker remover on logon scripts etc etc..
0
Comment
Question by:benthomas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
8 Comments
 
LVL 6

Accepted Solution

by:
itnetworkn earned 2000 total points
ID: 33662051
I assume you are asking how to use and setup Wireshark. I'm not sure what type of switches you are using, but create a "monitor" port, and you can capture network activity by plugging a NIC into the "monitor" port. When you create the monitor port make sure that it monitors all VLAN's. From within Wireshark, you can filter activity to narrow down the culprits.
0
 
LVL 10

Expert Comment

by:ddiazp
ID: 33672565
Hi benthomas,

Using wireshark, you will only detect this kind of packet if the infected machines issue broadcast packets as a result of the infection, since that's what the machine with wireshark would receive. Additionally, assuming you have over 300 hosts per VLAN, it will be hard to detect specific infected machines unless the number of broadcast messages they generate is high. It would also be helpful to identify what kind of protocol is used when the machines 'bursts' through the network since we can filter it through wireshark.

Now, does this burst affect all 3 VLANs? how often does it happen? Your network engineer might be able to help since he can SPAN many switchports into another one and wireshark that specific port to detect non-broadcast bursts. He might also be able to detect these bursts and where they come from by looking at interface counters.

When these bursts happen, how long does ESET take to detect and stop the burst?
0
 
LVL 6

Expert Comment

by:itnetworkn
ID: 33695537
I think I answered your question. Is there anything else I can help with?
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 
LVL 6

Expert Comment

by:itnetworkn
ID: 33702208
Your question was "I'm looking to use something like Wireshark to sniff the network and hopefully identify the machine(s) in question so I can clean/patch it but my Wireshark knowledge is very limited." I believe I answered your question, and even followed up with how I could help further.
0
 
LVL 6

Expert Comment

by:itnetworkn
ID: 33719745
Your question was "I'm looking to use something like Wireshark to sniff the network and hopefully identify the machine(s) in question so I can clean/patch it but my Wireshark knowledge is very limited." I believe I answered your question, and even followed up with how I could help further.
0
 
LVL 6

Expert Comment

by:itnetworkn
ID: 33724589
Southmod - I believe I answered the poster's questions in "http:#33721148". I followed up to ask if I could help further, and did not get a response. I would like to be awarded the appropriate points that were offered in this question. If I can help further I am more then willing to do so. Thank you.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question