Filter necessary to just capture internet traffic with wireshark

We have received some laptops from an out-of-business group. What I'm curious about is whether we can use Wireshark to see if there's any kind of monitoring service. The login at Windows 7 says that it is monitored for authorized use, so my company is interested in whether there was any monitoring involved or if it was just a ploy to encourage good behavior (more about curiosity really). The laptop is a T520 (2nd gen i7) with TPM and BitLocker enabled. We have all the system passwords/keys etc. Just wondering what the filter setup would be so that I only capture traffic from the laptop to the internet and back. No need to scan all the other traffic coming from within our own network (where of course there's tons and tons of it).

Thank you very much for the help.

-Casey Weaver
Casey Weaver (Managed Services Windows Engineer III) asked:

andytagonist commented:
Not to skirt your main question, but let me address the actual issue: that warning pertains to people actually on their network and in their domain, both figuratively and literally. It's meant to let the users of that old company know they've been warned not to do anything stupid, like surf porn or work a second job with the company's property, etc.
It would most certainly be in your best interest to wipe those machines and start over again.

I've used Wireshark many times and it just works out of the box. Install it on one of these suspect systems and fire it up. You'll immediately see traffic with little or no configuration.

There's actually no need for Wireshark. But since you asked:
http://wiki.wireshark.org/CaptureSetup
0
Casey Weaver (Managed Services Windows Engineer III, Author) commented:
The machines are definitely going to be wiped; we have our own image and volume keys for them. Corporate was just interested in maybe some software to learn about. Can't find a thing that seems odd in Program Files. Does Microsoft Forefront Protection have any features like this? We're generally an Endpoint 12 group, but we're looking to shift to a VMware View, Windows 7, Forefront Protection setup by the end of the year.
0
andytagonist commented:
Features like what? Traffic analyzer, or phone-home capability? I don't think it has a traffic analyzer per se and I doubt it has a phone-home app.

Again, not to skirt your question, but you're really thinking way too much into this. If you have the passwords, just log onto the machine and play around with it. If you're truly paranoid, disable the NIC. Besides, didn't you say the previous owner was out of business anyhow?

You mentioned Endpoint 12, which I've used and had no problems with. Never used Forefront...
0
Casey Weaver (Managed Services Windows Engineer III, Author) commented:
We have played around with it; like I said, we're logged in as admin. We're not paranoid or worried, just wondering if they've actually got some stuff on here before we wipe them. We couldn't find a thing installed. So we just wondered: is there software that could have been put on that's not discoverable?

This is just strictly an educational foray :)
0
Aaron Tomosky (SD-WAN Simplified) commented:
Capture traffic from the IP of the laptop to the gateway, all that is destined for the Internet. Unless you have VLANs, then that makes it a little harder.
0
andytagonist commented:
Anything can be "hidden". But if you're logged on as administrator and you don't see any kooky-looking software, that's probably all there is to it. Check for peculiar user accounts. Poke around the registry and see what there is to see. Startup folder & MSCONFIG, as well as services, will all contain tell-tale signs of what they were up to.

But just to see what's doin' on the network, you can install Wireshark on there and fire it up. Pick a network interface and start the monitoring and you'll immediately be seeing in & out traffic. From there, you can narrow it down to outbound only (I'm not in front of my machine with Wireshark on it, but I'm fairly positive it's simple to rule out certain types of traffic). It's fairly intuitive once you look at it, and if you're not actually doing anything on the machine, odd traffic will jump out at you.
0
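The "laptop to the Internet only" rule from Aaron Tomosky's answer and the "narrow it down" step in andytagonist's reply, worked out as a concrete Wireshark/tcpdump capture filter. This is an added example, not code from the thread; 192.168.1.50 is an assumed laptop address and the sample flows are constructed. It also shows the trap of excluding the private range the laptop itself sits in.

```python
import ipaddress

# Address ranges that are not "the Internet" for this purpose: RFC 1918 private
# space, link-local, loopback and multicast. Anything outside these counts as Internet.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4")
]


def is_internet(addr):
    """True when addr falls outside every local range above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def capture_filter(laptop_ip):
    """Build a BPF capture filter (Wireshark/tcpdump/tshark syntax) that keeps only
    packets between laptop_ip and Internet addresses.

    A plain 'host X and not net 192.168.0.0/16' would drop everything, because the
    laptop's own private address matches 'net' too, so the exclusion is applied to
    the other end of each packet, separately for the outbound and inbound directions."""
    ipaddress.ip_address(laptop_ip)  # raise early on a malformed address
    not_dst = " and ".join(f"not dst net {n}" for n in LOCAL_NETS)
    not_src = " and ".join(f"not src net {n}" for n in LOCAL_NETS)
    return (f"(src host {laptop_ip} and {not_dst}) or "
            f"(dst host {laptop_ip} and {not_src})")


def internet_flows(laptop_ip, flows):
    """Apply the same rule to (src, dst) pairs, e.g. rows exported from a capture,
    and return only the laptop <-> Internet ones."""
    keep = []
    for src, dst in flows:
        other = dst if src == laptop_ip else src if dst == laptop_ip else None
        if other is not None and is_internet(other):
            keep.append((src, dst))
    return keep


# Constructed sample flows; 192.168.1.50 stands in for the laptop's address.
SAMPLE_FLOWS = [
    ("192.168.1.50", "192.168.1.1"),    # laptop -> local gateway, internal
    ("192.168.1.50", "203.0.113.10"),   # laptop -> Internet host (TEST-NET-3 address)
    ("198.51.100.7", "192.168.1.50"),   # Internet host -> laptop
    ("10.0.0.5", "192.168.1.50"),       # another internal machine -> laptop
    ("192.168.1.20", "203.0.113.10"),   # some other LAN machine, not the laptop
]

if __name__ == "__main__":
    print(capture_filter("192.168.1.50"))
    for flow in internet_flows("192.168.1.50", SAMPLE_FLOWS):
        print(flow)
```

Paste the printed filter into Wireshark's capture-filter box (or give it to tshark -f / tcpdump) before starting the capture; it is a capture filter, not a display filter, so the excluded LAN chatter is never recorded.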
Russell_Venable commented:
Yes, you can use Wireshark to detect remote monitoring. Software monitoring takes a different approach. As for Wireshark: Wireshark will listen on a global scope if run straight out of the box. If you have a specific protocol, port, IP address, or POST/REQUEST in mind you can filter it using capture filters. A good example of setting a filter rule would be here. I assume the message you get is a Windows login warning message? You have to notify the user they are being monitored. This is a standard warning message that is required to alert users that they are being monitored and can be used in law enforcement and judicial actions as required by law. If TPM is enabled, I would think these computers would have come from a controlled site on some previous government installation or some other site that controls sensitive data.
0
Casey Weaver (Managed Services Windows Engineer III, Author) commented:
Turns out that all they have is Computrace, nothing else, no ability to be remotely monitored (such as screens and apps). Was just interesting to see the layout.
0
Casey Weaver (Managed Services Windows Engineer III, Author) commented:
I got it figured out and investigated.
0
Russell_Venable commented:
Interesting! Thanks for the update.
0