Wireshark-users: Re: [Wireshark-users] Finding an intruder

From: Steve Matzura <sm@xxxxxxxxxxxxxx>
Date: Wed, 14 Dec 2016 21:56:07 -0500
Thanks, Anne. I'll do all these things in the morning. Malcom wrote me
privately and suggested it's a bot in his modem. I'm thinking that's
not it because my friend turned all his house computers off for about
nine hours, and when he looked at his data usage the next day, it
hardly increased at all. We're pretty sure we know which machine is
doing it now because when the machine we think is doing it is turned
on, the daily data usage skyrocketed. Tomorrow we'll test further,
take some captures for a while and see what we get.

On Thu, 15 Dec 2016 03:39:58 +0100, you wrote:

>Hi, there is no 'standard' way to filter 'problem' traffic. However, if the
>problem is the AMOUNT of traffic, then just a small sample might suffice.
>Ask your friend to do  nothing specific on her computer(s) and collect
>network traffic for a few minutes. Analyse the data manually to see what is
>the type, the source, and the destination of the most of the data captured.
>
>How much is the data cap? Divide that by 30 (days) times 24 (hours) times
>60 (minutes) and you know how much per minute that is. Does the size of the
>capture per minute amount to more than this limit?
>
>Anneb
>
>2016-12-15 3:06 GMT+01:00 Steve Matzura <sm@xxxxxxxxxxxxxx>:
>
>> New to the list, been using some version of the Shark way back to
>> Ethernim days, so I'm familiar with its capabilities. It's become
>> quite sophisticated lately, hence the following problem description
>> and question.
>>
>> A friend has a cable Internet provider with data caps. Lately, he's
>> been getting nastygrams from them that he's exceeded those caps, and
>> it's only two weeks into his billing month. Something somewhere is
>> sending and receiving tremendous amounts of data, and I've been taksed
>> to find out what's doing it. So, should I just run Wireshark and
>> capture everything, collect some ridiculous amount of data and
>> hand-analyze it, or might there be a convenient filter out there in
>> Wireshark cyberspace land that could help me narrow the field and nail
>> the culprit? Antivirus, antimailware, antispyware scans all come up
>> clean and green, the DHCP client list on the router has no unknown
>> devices in it, we're stumped, so I'm turning to the best network
>> monitoring tool I know to help me dig this one out.
>>
>> Thanks in advance.
>> ____________________________________________________________
>> _______________
>> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
>> Archives:    https://www.wireshark.org/lists/wireshark-users
>> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
>>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=
>> unsubscribe
>>