Wireshark-users: Re: [Wireshark-users] Anybody seen this before?

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Tue, 9 Jul 2013 22:16:30 +1000
When you say that "the only place it can be found is in the capture file" I'm guessing by that you mean it is being sent to an IP or port that is unknown to you.  Also just because something is obscure doesn't mean it isn't normal. For instance, these days a lot of web based applications, are driven by _javascript_, with lots of embedded code - you may well see a lot of references to sites for advertising or other reasons. 

Anyway is you want to upload a capture, the most useful place is 
http://www.cloudshark.org/ (Just make sure it doesn't contain information you want to keep private)

Also you wish to describe your capture method (is it of traffic to your machine, or is a capture at your router).

Regards, Martin


Regards, Martin

MartinVisser99@xxxxxxxxx


On 9 July 2013 16:32, GaryT <gary@xxxxxxxx> wrote:
Has anyone seen an activity whereby someone supposedly dumps a load of data on a machine but the only place it can be found is in the capture file?  AND much of the same data seems to appear repeatedly.

The "data" looks like a capture of browsing activity, showing many different URLs, search engine strings, and the resulting web site and/or domain names. When first noticing it I thought someone was taking (or reading) part of my browser cache, but looking closer I found the packets were INCOMING, not outgoing and absolutely NONE of the names could be applied to any of my (infrequent) search activity.

Initially it seemed as though hackers had been through and someone was playing games, but surely that can't be true?  However, it appears for all the world like someone is sending me a load of rubbish. I don't know enough about the structure or the format of data packets to be able to determine what's happening.

What are the rules of this list?  Can I send a part of a cap file in a message, or attach a text file perhaps?  What is common practice here?

GaryT



More information below if needed.

Information:
============
Have just joined this list, mainly to learn as much as possible. I've used Windows since the 1980s, have been through all versions up to XP where further upgrades, mainly for the sake of the publisher's bottom line became a joke.

Began using Linux in 2008 and since then learnt very litle. It's hard to switch an old brain after so many years of developed habits, good and bad. Used CommView under Windows in order to identify and observe uninvited guests and was glad to discover Wireshark to use with Linux.

Currently using Version 1.2.7, running on Ubuntu.

Specifics from the "Help-About"
*********************************************************************
Compiled with GTK+ 2.20.0, with GLib 2.24.0, with libpcap 1.0.0, with libz 1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.8, with SMI 0.4.8, with c-ares 1.7.0, with Lua 5.1, with GnuTLS 2.8.5, with Gcrypt 1.4.4, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Feb 18 2010 22:31:30), without AirPcap.

Running on Linux 2.6.32-44-generic, with libpcap version 1.0.0, GnuTLS 2.8.5, Gcrypt 1.4.4.

Built using gcc 4.4.3.
*********************************************************************

Am using Firefox 16,0,1 and recently installed a system named Ghostery which sounds a tad corny but performs impressively in the art of limiting the activities of intruders.

Apart from that, my Ubuntu machine is fairly normal :-)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe