Filter necessary to just capture internet traffic with wireshark

We have recieved some laptops from an out of business group. What I'm curious in is can we use wireshark to see if there's any kind of monitoring service? The login at Windows 7 says that monitored for authorized use, so my company is interested in if there was any monitoring involved or if it was just a ploy to help good behavior (more about curiosity really). The laptop is a T520 (2nd gen I7) with TPM and bitlocker enabled. We have all the system passwords/keys ect. Just wondering what the filter setup would be so that I only capture traffic from the laptop to the internet and back. No need scanning all the other traffic coming from within our own network (where of course these's tons and tons of).

Thank you very much for the help.

-Casey Weaver
Casey WeaverNetwork EngineerAsked:
Who is Participating?
andytagonistConnect With a Mentor Commented:
Anything can be "hidden". But if you're logged on as administrator and you don't see any kooky looking software, that probably all there is to it. Check for peculiar user accounts. Poke around the registry and see what there is to see. Start up folder & MSCONFIG, as well as services will all contain tell-tale signs of what they were up to.

But just to see what's doin' on the network, you can install WireShark on there and fire it up. Pick a network interface and start the monitoring and you'll immediately be seeing in & out traffic. From there, you can narrow it down to outbound only (I'm not in front of my machine with WireShark on it, but I'm fairly positive it's simple to rule out certain types of traffic). It's fairly intuitive once you look at it and if you're not actually doing anything on the machine, odd traffic will jump out at you.
not to skirt your main question, but let me address the actual issue:  that warning pertains to people actually on their network and in their domain--both figuratively and literally.  it's meant to let the users of that old company know they've been warned not to do anything surf porn or work a second job with the company's property, etc.
it would most certainly be in your best interest to wipe those machines and start over again.  

I've used Wireshark many times and it just works out of the box.  install it on one of these suspect systems and fire it up.  you'll immediately see traffic with little or no configuration.

there's actually no need for Wireshark.  but since you asked:
Casey WeaverNetwork EngineerAuthor Commented:
The machines are definitely going to be wiped, we have our own image and volume keys for them. Corporate was just interested in maybe some software to learn about. Can't find a thing that seems odd in program files. Does Microsoft Forefront Protection have any features like this? We're gernally a Endpoint 12 group, but we're looking to shift to a VMWare View, Windows 7, Forefront Protection setup by the end of the year.
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Features like what?  Traffic analyzer, or phone home capability?  I don't think it has a traffic analyzer per se and I doubt it has a phone home app.

 Again, not to skirt your question, but you're really thinking way too much into this. If you have the passwords, just log onto the machine and play around with it. If you're truly paranoid, disable the nic.  Besides didn't you say the previous owner was out of business anyhow?

You mentioned Enpoint 12, which I've used and had no problems with. Never used Forefront...
Casey WeaverNetwork EngineerAuthor Commented:
We have played around with it, like I said we're logged in as admin. We're not paranoid or worried, just wondering if they've actually got some stuff on here before we wiped them. We couldn't find a thing installed. So we just wondered is there software that could have been put on that's not discoverable?

This is just strictly an educational foray :)
Aaron TomoskyConnect With a Mentor SD-WAN SimplifiedCommented:
Capture traffic from the ip of the laptop to the gateway, all that is destined fr the Internet. Unless you have vlans then that makes it a little harder
Russell_VenableConnect With a Mentor Commented:
Yes, You can use Wireshark to detect remote monitoring. Softwar monitoring takes a different approach. As for Wireshark. Wireshark will listen on a global scope if ran straight out of the box. If you have a specific protocol, Port, IP Address, or POST/REQUEST in mind you can filter it using Capture Filters. A good example of setting a filter rule would be here.  I assume the message you get is a windows login warning message?. You have to notify the user they are being monitored.  This is a standard warning message that is required to alert users that they are being monitored and can be used in law enforcement and judicial actions as required by law. If TPM enabled, I would these computers would have come from a control site on some previous government installation or some other site that controls sensitive data.
Casey WeaverConnect With a Mentor Network EngineerAuthor Commented:
Ends up that all they have is computrace, nothing else, no ability to be remotely monitored (such as screens and apps). Was just interesting to see the layout.
Casey WeaverNetwork EngineerAuthor Commented:
I got it figured out and investigated.
Interesting! Thanks for the update.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.