[Dshield] Q: Packet Analyzer for windump, etc?

Matt Weil weilmr at slu.edu
Fri Aug 3 12:30:21 GMT 2001


http://www.ethereal.com/
Matt

"Thompson, John J" wrote:

> Do any of you have any suggestions for a good way to dump and then analyze
> the net traffic to and from a win2k web server. There's all kinds of stuff
> going on with my box and I want to see what plaintext and identifying
> material I can pull out. For instance, if someone tries to put a trojan on
> the server, I want to see what the filename and scripts were.
>
> Example snippet from windump:
> 13:30:37.800771 0:a0:c9:d:f2:8c 0:10:5a:a4:53:68 ip 460:
> BIOCHEM1.biochemistry.uiowa.edu.1391 > www.biochem.uiowa.edu.80: P
> 860879926:860880332(406) ack 1426073528 win 16291 (DF) (ttl 128, id 8392)
> 0x0000   4500 01be 20c8 4000 8006 ecf9 80ff 74e2        E..... at .......t.
> 0x0010   80ff 7497 056f 0050 334f fc36 5500 27b8        ..t..o.P3O.6U.'.
> 0x0020   5018 3fa3 83fc 0000 4745 5420 2f32 6d61        P.?.....GET./2ma
> 0x0030   696e 2e68 746d 2048 5454 502f 312e 310d        in.htm.HTTP/1.1.
> 0x0040   0a41 6363 6570 743a 202a 2f2a 0d0a 5265        .Accept:.*/*..Re
> 0x0050   6665                                           fe
>
> How do I analyze dumps like this?
>
> I've tried using IRIS but couldn't get the full dump output to text. Now using
> windump, but having trouble analyzing the output. Any suggestions would be
> much appreciated.
>
> Thanks,
> John
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield
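Added example, not part of the original exchange: Ethereal (now Wireshark) will decode a binary capture saved with windump's `-w` option, but the text John already has is the `-x`-style hex listing, so the script below decodes that directly. It rebuilds the raw bytes from the offset/hex/ASCII columns (checking that the offsets are contiguous, which catches lines lost in copy/paste), parses the IPv4 and TCP headers, verifies the IP header checksum, and pulls out the payload as printable text so the request line and headers are visible. The sample input is the packet quoted in John's post; every field decoded from it (ports, sequence/ack numbers, window, TTL, IP id, DF, PSH/ACK) matches the summary line windump printed above the hex, and the script flags that only 82 of the 446 bytes were shown, so the HTTP request is truncated.

```python
import re
import struct
from dataclasses import dataclass
from typing import List

# Constructed sample input: the windump hex lines quoted in John's post. Only the
# first 82 bytes of a 446-byte datagram appear, so the HTTP request is cut off.
SAMPLE_DUMP = """\
0x0000   4500 01be 20c8 4000 8006 ecf9 80ff 74e2        E..... at .......t.
0x0010   80ff 7497 056f 0050 334f fc36 5500 27b8        ..t..o.P3O.6U.'.
0x0020   5018 3fa3 83fc 0000 4745 5420 2f32 6d61        P.?.....GET./2ma
0x0030   696e 2e68 746d 2048 5454 502f 312e 310d        in.htm.HTTP/1.1.
0x0040   0a41 6363 6570 743a 202a 2f2a 0d0a 5265        .Accept:.*/*..Re
0x0050   6665                                           fe
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


@dataclass
class Decoded:
    src_ip: str
    dst_ip: str
    ip_id: int
    ttl: int
    dont_fragment: bool
    ip_checksum_ok: bool
    sport: int
    dport: int
    seq: int
    ack: int
    window: int
    flags: List[str]
    declared_payload_len: int  # from the IP total-length field
    payload: bytes             # only the bytes actually present in the dump
    truncated: bool


def hexdump_to_bytes(text: str) -> bytes:
    """Rebuild raw bytes from windump/tcpdump '-x'-style lines.

    Each line is: offset, 2+ spaces, hex words, 2+ spaces, ASCII column. The ASCII
    column is ignored (it can itself look like hex, e.g. 'fe' on the last line).
    The offset is checked against the bytes gathered so far so that a missing or
    reordered line is reported instead of silently shifting every header field.
    """
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not parts[0].lower().startswith("0x"):
            raise ValueError(f"not a hex dump line: {line!r}")
        offset = int(parts[0], 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#06x} but {len(out)} bytes gathered so far")
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


def ipv4_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the header, checksum field included, must be 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_windump_hex(text: str) -> Decoded:
    data = hexdump_to_bytes(text)
    (ver_ihl, _tos, total_len, ip_id, frag, ttl, proto,
     _csum, src, dst) = struct.unpack_from("!BBHHHBBH4s4s", data, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"not TCP (IP protocol {proto})")
    sport, dport, seq, ack, off_flags, window = struct.unpack_from("!HHIIHH", data, ihl)
    tcp_hdr_len = (off_flags >> 12) * 4
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    payload_start = ihl + tcp_hdr_len
    return Decoded(
        src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)),
        ip_id=ip_id, ttl=ttl, dont_fragment=bool(frag & 0x4000),
        ip_checksum_ok=ipv4_checksum_ok(data[:ihl]),
        sport=sport, dport=dport, seq=seq, ack=ack, window=window, flags=flags,
        declared_payload_len=total_len - payload_start,
        payload=data[payload_start:total_len],
        truncated=len(data) < total_len,
    )


def printable(payload: bytes) -> str:
    """Render the payload like the ASCII column does: non-printables become '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


if __name__ == "__main__":
    d = decode_windump_hex(SAMPLE_DUMP)
    print(f"{d.src_ip}:{d.sport} -> {d.dst_ip}:{d.dport} [{'|'.join(d.flags)}] "
          f"ttl={d.ttl} id={d.ip_id} DF={d.dont_fragment} ip_csum_ok={d.ip_checksum_ok}")
    print(f"payload {len(d.payload)}/{d.declared_payload_len} bytes"
          + (" (capture truncated)" if d.truncated else ""))
    print(printable(d.payload))
```

Run it on a file of pasted windump output one packet at a time; for bulk work, capture with `-w` and open the binary file in Ethereal instead, since text dumps lose everything past the snaplen and have no stream reassembly.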



