Help!! Network forensics: WireShark: detecting an intrusion

ryanvanderberg
Newbie
 

Help!! Network forensics: WireShark: detecting an intrusion

Posted: Feb 28, 20 14:53

I am faced with the task of detecting an intrusion (either internal or external) using packet analysis techniques with the WireShark packet analysis tool. Please may someone explain to me how I may go about this / things I should look out for. Thanks!

Last edited by ryanvanderberg on Mar 01, 20 01:39; edited 1 time in total
 
  

BDME
Member
 

Re: Network forensics: WireShark: detecting an intrusion

Posted: Feb 28, 20 16:26

Is this for school?

Anyway, if you already have your logs, allow Wireshark to parse the logs, then filter the Event IDs. I would go through and, if you are unfamiliar with what the event ID is referencing, google that event ID. Once you become more familiar with what Wireshark is parsing out for you, filter by time and look for event IDs pertaining to what you are looking for. I don't have it installed on my computer at this moment, but it may give an explanation of what the event IDs are referencing; however, I recall them sometimes being unhelpful.
 
  

ryanvanderberg
Newbie
 

Re: Network forensics: WireShark: detecting an intrusion

Posted: Feb 28, 20 17:27

- BDME wrote:
Is this for school?

Anyway, if you already have your logs, allow Wireshark to parse the logs, then filter the Event IDs. I would go through and, if you are unfamiliar with what the event ID is referencing, google that event ID. Once you become more familiar with what Wireshark is parsing out for you, filter by time and look for event IDs pertaining to what you are looking for. I don't have it installed on my computer at this moment, but it may give an explanation of what the event IDs are referencing; however, I recall them sometimes being unhelpful.

Thank you for your response, which I shall print and attempt to follow. Thanks for taking the time to write such a detailed response.
 
  

doublezero
Newbie
 

Re: Help!! Network forensics: WireShark: detecting an intrusion

Posted: Mar 23, 20 20:21

Look for ARP and MAC flooding in the network, as they are common in intrusions.
Loads of ICMP packets are also common in recon of a private network through ping scans.
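The three indicators doublezero lists (ARP flooding, MAC flooding, ICMP ping sweeps) can be checked mechanically once the capture is exported as fields. The following script is an added example, not code from any poster: it runs simple per-window counters over a constructed set of frames whose fields mirror a `tshark -T fields` export, and the thresholds (25 ARP requests per source per second, 30 distinct source MACs per second, 10 echo-request targets per source) are assumed starting points to tune for the network being examined.

```python
from collections import defaultdict

# Constructed sample frames (not a real capture). Each dict holds the fields one would
# export from Wireshark/tshark with `-T fields -e frame.time_relative -e eth.src
# -e arp.opcode -e icmp.type -e ip.src -e ip.dst`; "t" is seconds from capture start.
def frame(t, src_mac, arp_op=None, icmp_type=None, ip_src=None, ip_dst=None):
    return {"t": t, "src_mac": src_mac, "arp_op": arp_op, "icmp_type": icmp_type,
            "ip_src": ip_src, "ip_dst": ip_dst}

SAMPLE = (
    # benign: one ARP request (opcode 1) and its reply (opcode 2)
    [frame(0.10, "00:11:22:33:44:01", arp_op=1), frame(0.12, "00:11:22:33:44:02", arp_op=2)]
    # ARP flood: one MAC sends 40 ARP requests inside 0.4 s (display filter: arp.opcode == 1)
    + [frame(1.0 + i * 0.01, "00:11:22:33:44:99", arp_op=1) for i in range(40)]
    # MAC flooding: 60 frames from 60 never-seen source MACs inside one second
    # (in Wireshark, Statistics > Endpoints > Ethernet shows the sudden MAC count)
    + [frame(2.0 + i * 0.015, f"02:00:00:00:00:{i:02x}", arp_op=1) for i in range(60)]
    # ping sweep: one host sends echo requests to 14 addresses (display filter: icmp.type == 8)
    + [frame(3.0 + i * 0.05, "00:11:22:33:44:05", icmp_type=8,
             ip_src="10.0.0.5", ip_dst=f"10.0.0.{i}") for i in range(1, 15)]
)

def arp_flood_sources(frames, window=1.0, threshold=25):
    """Source MACs sending more than `threshold` ARP requests in any `window`-second bucket."""
    counts = defaultdict(int)
    for f in frames:
        if f["arp_op"] == 1:
            counts[(f["src_mac"], int(f["t"] // window))] += 1
    return sorted({mac for (mac, _), n in counts.items() if n > threshold})

def mac_flood_windows(frames, window=1.0, threshold=30):
    """Time buckets with more than `threshold` distinct source MACs (CAM-table overflow sign)."""
    macs = defaultdict(set)
    for f in frames:
        macs[int(f["t"] // window)].add(f["src_mac"])
    return sorted(b for b, s in macs.items() if len(s) > threshold)

def ping_sweep_sources(frames, min_targets=10):
    """Source IPs whose ICMP echo requests (type 8) reach at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for f in frames:
        if f["icmp_type"] == 8:
            targets[f["ip_src"]].add(f["ip_dst"])
    return sorted(ip for ip, s in targets.items() if len(s) >= min_targets)

if __name__ == "__main__":
    print("ARP flood sources:", arp_flood_sources(SAMPLE))    # ['00:11:22:33:44:99']
    print("MAC-flood windows:", mac_flood_windows(SAMPLE))    # [2]
    print("Ping-sweep sources:", ping_sweep_sources(SAMPLE))  # ['10.0.0.5']
```

A hit from any of these counters is a lead to inspect in Wireshark with the filter noted in the comment, not proof of intrusion on its own; a misconfigured host or a monitoring tool can produce the same pattern.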
 
