[Dshield] Q: Packet Analyzer for windump, etc?

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Thu Aug 2 18:34:13 GMT 2001


Do any of you have any suggestions for a good way to dump and then analyze
the net traffic to and from a win2k web server? There's all kinds of stuff
going on with my box and I want to see what plaintext and identifying
material I can pull out. For instance, if someone tries to put a trojan on
the server, I want to see what the filename and scripts were.

Example snippet from windump:
13:30:37.800771 0:a0:c9:d:f2:8c 0:10:5a:a4:53:68 ip 460:
BIOCHEM1.biochemistry.uiowa.edu.1391 > www.biochem.uiowa.edu.80: P
860879926:860880332(406) ack 1426073528 win 16291 (DF) (ttl 128, id 8392)
0x0000	 4500 01be 20c8 4000 8006 ecf9 80ff 74e2	E..... at .......t.
0x0010	 80ff 7497 056f 0050 334f fc36 5500 27b8	..t..o.P3O.6U.'.
0x0020	 5018 3fa3 83fc 0000 4745 5420 2f32 6d61	P.?.....GET./2ma
0x0030	 696e 2e68 746d 2048 5454 502f 312e 310d	in.htm.HTTP/1.1.
0x0040	 0a41 6363 6570 743a 202a 2f2a 0d0a 5265	.Accept:.*/*..Re
0x0050	 6665                                   	fe

How do I analyze dumps like this?

I've tried using IRIS but couldn't get the full dump output to text. Now using
windump, but having trouble analyzing the output. Any suggestions would be
much appreciated.

Thanks,
John
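One way to get at the plaintext in a dump like the one above is to rebuild the packet bytes from windump's hex column and walk the IPv4 and TCP headers to reach the payload. The script below is an added example, not part of the original post; it assumes the hex dump starts at the IP header (no Ethernet header, as in the snippet) and embeds a constructed copy of the quoted dump as its input.

```python
import re
from ipaddress import IPv4Address
# Constructed copy of the windump hex dump quoted in the post (IPv4 packet only,
# no Ethernet header); each line is: offset <tab> hex words <tab> ASCII column.
WINDUMP_HEX = (
    "0x0000\t 4500 01be 20c8 4000 8006 ecf9 80ff 74e2\tE..... at .......t.\n"
    "0x0010\t 80ff 7497 056f 0050 334f fc36 5500 27b8\t..t..o.P3O.6U.'.\n"
    "0x0020\t 5018 3fa3 83fc 0000 4745 5420 2f32 6d61\tP.?.....GET./2ma\n"
    "0x0030\t 696e 2e68 746d 2048 5454 502f 312e 310d\tin.htm.HTTP/1.1.\n"
    "0x0040\t 0a41 6363 6570 743a 202a 2f2a 0d0a 5265\t.Accept:.*/*..Re\n"
    "0x0050\t 6665                                   \tfe\n"
)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def dump_to_bytes(text):
    """Rebuild the raw packet from the hex column; the ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        if not line.lower().startswith("0x"):
            continue                      # not a hex-dump line (e.g. the summary line)
        hex_col = line.split("\t")[1] if "\t" in line else line[6:]
        words = []
        for tok in hex_col.split():       # stop at the first non-hex token or after 16 bytes
            if len(words) == 8 or not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)

def parse_ipv4_tcp(pkt):
    """Decode the IPv4 and TCP headers; return (summary dict, TCP payload bytes)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("only IPv4/TCP packets are handled here")
    tcp = pkt[(pkt[0] & 0x0F) * 4:]       # skip the IP header (IHL * 4 bytes)
    summary = {
        "src": str(IPv4Address(pkt[12:16])), "sport": int.from_bytes(tcp[0:2], "big"),
        "dst": str(IPv4Address(pkt[16:20])), "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"), "ack": int.from_bytes(tcp[8:12], "big"),
        "flags": [name for bit, name in TCP_FLAGS.items() if tcp[13] & bit],
        "window": int.from_bytes(tcp[14:16], "big"),
        "ip_total_len": int.from_bytes(pkt[2:4], "big"), "captured": len(pkt),
    }
    summary["truncated"] = summary["captured"] < summary["ip_total_len"]
    return summary, tcp[(tcp[12] >> 4) * 4:]   # payload follows the TCP header (data offset * 4)

def extract_plaintext(dump_text):
    """Summary plus the TCP payload decoded as text, for one windump hex dump."""
    summary, payload = parse_ipv4_tcp(dump_to_bytes(dump_text))
    return summary, payload.decode("ascii", errors="replace")

if __name__ == "__main__":
    print(*extract_plaintext(WINDUMP_HEX), sep="\n")
```

For this packet the parser recovers 128.255.116.226:1391 -> 128.255.116.151:80, flags PSH/ACK, and the payload `GET /2main.htm HTTP/1.1`, but only 82 of the 446 bytes the IP header announces were captured, so the request is cut off mid-header; a capture meant for payload analysis needs a larger snapshot length (windump's -s option) so that filenames and script bodies are not truncated.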
