![]()
It is filtered on web traffic that contains SSDP requests. #What is use of wireshark windows 7Figure 6 shows Emotet activity with IcedID infection traffic from December 3rd, 2018 on a Windows 7 host. (http.request or = 1) and !(ssdp)įiltering out SSDP activity when reviewing a pcap from an infection on a Windows 7 host provides a much clear view of the traffic. You can also use the following filter and achieve the same result: ![]() ![]() (http.request or = 1) and !(udp.port eq 1900) Therefore, I filter this out using the following expression: SSDP is a protocol used to discover Plug & Play devices, and it is not associated with normal web traffic. This HTTP traffic over UDP port 1900 is Simple Service Discovery Protocol (SSDP). However, I also generate pcaps of traffic using Windows 7 hosts, and this traffic includes HTTP requests over UDP port 1900 during normal activity. Filtering on web traffic using the previous tutorial's pcap. Filtering on http.request or = 1 outlines the flow of events for this web traffic.įigure 5. #What is use of wireshark windows 10In the pcap, the user was on a Windows 10 computer using Microsoft's Edge web browser. My previous tutorial contains web traffic generated when a user viewed a URL from atodaycom in August 2018. The value http.request reveals URLs for HTTP requests, and = 1 reveals domains names used in HTTPS or SSL/TLS traffic. Filters for Web-Based Infection TrafficĪs noted in my previous tutorial on Wireshark, I often use the following filter expression as a way to quickly review web traffic in a pcap: For example, if you want to specify all traffic that does not include IP address 192.168.10.1, use !(ip.addr eq 192.168.10.1) instead of ip.addr != 192.168.10.1 because that second filter expression will not work properly. When specifying a value exclude, do not use != in your filter expression.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |