Wireshark-users: Re: [Wireshark-users] Finding an intruder

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Anne Blankert <anne.blankert@xxxxxxxxx>
Date: Thu, 15 Dec 2016 03:39:58 +0100
Hi, there is no 'standard' way to filter 'problem' traffic. However, if the problem is the AMOUNT of traffic, then just a small sample might suffice. Ask your friend to do  nothing specific on her computer(s) and collect network traffic for a few minutes. Analyse the data manually to see what is the type, the source, and the destination of the most of the data captured.

How much is the data cap? Divide that by 30 (days) times 24 (hours) times 60 (minutes) and you know how much per minute that is. Does the size of the capture per minute amount to more than this limit?

Anneb

2016-12-15 3:06 GMT+01:00 Steve Matzura <sm@xxxxxxxxxxxxxx>:
New to the list, been using some version of the Shark way back to
Ethernim days, so I'm familiar with its capabilities. It's become
quite sophisticated lately, hence the following problem description
and question.

A friend has a cable Internet provider with data caps. Lately, he's
been getting nastygrams from them that he's exceeded those caps, and
it's only two weeks into his billing month. Something somewhere is
sending and receiving tremendous amounts of data, and I've been taksed
to find out what's doing it. So, should I just run Wireshark and
capture everything, collect some ridiculous amount of data and
hand-analyze it, or might there be a convenient filter out there in
Wireshark cyberspace land that could help me narrow the field and nail
the culprit? Antivirus, antimailware, antispyware scans all come up
clean and green, the DHCP client list on the router has no unknown
devices in it, we're stumped, so I'm turning to the best network
monitoring tool I know to help me dig this one out.

Thanks in advance.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe