[Dshield] Q: Packet Analyzer for windump, etc?
weilmr at slu.edu
Fri Aug 3 12:30:21 GMT 2001
"Thompson, John J" wrote:
> Do any of you have any suggestions for a good way to dump and then analyze
> the net traffic to and from a win2k web server. There's all kinds of stuff
> going on with my box and I want to see what plaintext and identifying
> material I can pull out. For instance, if someone tries to put a trojan on
> the server, I want to see what the filename and scripts were.
> Example snippet from windump:
> 13:30:37.800771 0:a0:c9:d:f2:8c 0:10:5a:a4:53:68 ip 460:
> BIOCHEM1.biochemistry.uiowa.edu.1391 > www.biochem.uiowa.edu.80: P
> 860879926:860880332(406) ack 1426073528 win 16291 (DF) (ttl 128, id 8392)
> 0x0000 4500 01be 20c8 4000 8006 ecf9 80ff 74e2 E.....@.......t.
> 0x0010 80ff 7497 056f 0050 334f fc36 5500 27b8 ..t..o.P3O.6U.'.
> 0x0020 5018 3fa3 83fc 0000 4745 5420 2f32 6d61 P.?.....GET./2ma
> 0x0030 696e 2e68 746d 2048 5454 502f 312e 310d in.htm.HTTP/1.1.
> 0x0040 0a41 6363 6570 743a 202a 2f2a 0d0a 5265 .Accept:.*/*..Re
> 0x0050 6665 fe
> How do I analyze dumps like this?
> I've tried using IRIS but couldn't get the full dump output to text. Now using
> windump, but having trouble analyzing the output. Any suggestions would be
> much appreciated.
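One way to get from a windump `-X` hex dump to the plaintext the poster is after, as an added example that is not part of the original post or of the DShield list: the script below parses only the hex columns of the dump quoted above (the ASCII column at the right is ignored, since the hex is authoritative and the list archive had rewritten its `@` as ` at `), checks the offsets so a missing line is caught, walks the IPv4 and TCP headers to find where application data starts, and returns the HTTP request line and a readable rendering of the payload. The field values it recovers (id 8392, ttl 128, ports 1391 and 80, the sequence and ack numbers, window 16291) can be checked against the summary line in the post. The function and variable names are my own; the dump text is the one from the post.

```python
"""Decode a windump/tcpdump -X hex dump down to its TCP payload."""
import re
import struct
from typing import Dict, Optional, Tuple

# Hex dump quoted in the post. Only the hex columns are parsed; the ASCII
# column at the right is ignored (the list archive had also mangled it).
WINDUMP_SAMPLE = """\
0x0000 4500 01be 20c8 4000 8006 ecf9 80ff 74e2 E.....@.......t.
0x0010 80ff 7497 056f 0050 334f fc36 5500 27b8 ..t..o.P3O.6U.'.
0x0020 5018 3fa3 83fc 0000 4745 5420 2f32 6d61 P.?.....GET./2ma
0x0030 696e 2e68 746d 2048 5454 502f 312e 310d in.htm.HTTP/1.1.
0x0040 0a41 6363 6570 743a 202a 2f2a 0d0a 5265 .Accept:.*/*..Re
0x0050 6665 fe
"""

# One -X line: a 4-digit hex offset, then up to eight groups of four hex
# digits (two bytes each); the last group may be two digits when the
# captured length is odd. The ASCII column never matches (it has dots).
_LINE_RE = re.compile(
    r"^\s*0x([0-9a-fA-F]{4})"
    r"((?:\s+(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})(?=\s|$)){1,8})"
)

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def hexdump_to_bytes(dump: str) -> bytes:
    """Reassemble the hex columns into raw bytes, checking each offset so a
    dropped or duplicated line is detected instead of silently shifting
    every later header field."""
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # summary lines and blank lines carry no hex
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:04x} but {len(out)} bytes read")
        for group in m.group(2).split():
            out += bytes.fromhex(group)
    return bytes(out)


def tcp_payload(packet: bytes) -> Tuple[Dict[str, object], bytes]:
    """Walk the IPv4 and TCP headers (-X output starts at the IP header)
    and return (header summary, application payload)."""
    if len(packet) < 20:
        raise ValueError("capture ends inside the IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", packet[2:6])
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("capture ends inside the TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4  # TCP header length incl. options
    flags = off_flags & 0x3F
    summary = {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "ttl": ttl, "id": ip_id,
        "total_len": total_len, "captured": len(packet),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": " ".join(n for n, bit in TCP_FLAG_BITS if flags & bit),
        "window": window,
    }
    return summary, tcp[data_off:]


def http_request_line(payload: bytes) -> Optional[str]:
    """Return the HTTP request line if the payload starts with one."""
    first = payload.split(b"\r\n", 1)[0]
    if re.match(rb"^[A-Z]+ \S+ HTTP/\d\.\d$", first):
        return first.decode("ascii")
    return None


def printable(payload: bytes) -> str:
    """Render payload bytes as text, replacing non-printables with '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)


def analyze_dump(dump: str) -> Dict[str, object]:
    """Full pipeline for one -X dump: headers, request line, readable payload."""
    summary, payload = tcp_payload(hexdump_to_bytes(dump))
    summary["request_line"] = http_request_line(payload)
    summary["payload_text"] = printable(payload)
    summary["payload"] = payload
    return summary


if __name__ == "__main__":
    result = analyze_dump(WINDUMP_SAMPLE)
    for key, value in result.items():
        if key != "payload":
            print(f"{key:13} {value}")
```

The `total_len` of 446 against only 83 captured bytes shows why the dump stops mid-header at `Refe`: windump's default snaplen truncates each packet, so to see whole requests (including any uploaded filename or script body) the capture has to be taken with a larger `-s` snaplen. For anything beyond one packet the same header walk is what lets you group segments by the port pair and reassemble a request in sequence-number order.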