

In The Official CHFI Study Guide (Exam 312-49), 2007

Investigating Code Injection Attacks

Evidence of a code injection attack is rarely found in the Web server logs. If the Web designer writes failed input information to a log file, you will probably see the various attempts to get the attack right. If there are no logs of incorrect attempts to fill out a form or other inputs, you may have to resort to network traffic sniffer logs. Using an open source tool such as Wireshark to capture traffic going to the server and then searching for either all requests going to the input page or field names on the page may give you a good accounting of the malicious traffic and the IP address of the source. You may have to gather some rather large files to catch one of the attempts. By setting the capture filter on the sniffer of your choice to just the traffic going to the server, you can reduce the capture file considerably. In Wireshark the capture filter would be dst host (the x's are the IP address of the server). Note that you should test to see how big this file gets over the space of an hour or two and make sure you have sufficient storage space for the resulting file before you leave the sniffer running unattended for long periods.

The creators of Wireshark and its predecessor, Ethereal, knew that files can get large in a hurry, so they have a few helpful items in the Capture dialog box. You can set limits to file sizes in several different ways. You can set the maximum file size to a specific number of bytes, kilobytes, or megabytes. You can set the maximum number of minutes or hours that the capture runs. You can set the files to break into smaller chunks so that they fit on a CD or DVD easily. Knowing these options and using them as you see fit during traffic capture sessions can mean the difference between having all the information you need for an investigation and exposing yourself to some serious headaches.

For more helpful hints on Wireshark, see the wiki at.
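The workflow above has two halves: capture only what is headed for the server, with limits on file size and duration, and then search the capture for requests to the input page or for its field names and attribute them to a source IP. The following Python is an added example written for this page; it is not from the CHFI study guide or from the Wireshark project. It assumes the Wireshark command-line tools dumpcap and tshark, and the sample export it scans is a constructed imitation of tshark's `-T fields` output, with reserved documentation addresses standing in for the server and clients. The field names `name` and `comment`, the page `/contact.php`, the interface `eth0` and the output filename are assumptions.

```python
"""Added example (not the study guide's or Wireshark's own code).

build_dumpcap_argv() assembles a dumpcap command that captures only traffic
destined for the web server, rotates files by size and time so an
unattended session cannot fill the disk, and stops after a set number of
hours.  find_injection_attempts() scans a tshark field export produced by

    tshark -r server-capture.pcapng -Y http.request -T fields \
        -e frame.time_epoch -e ip.src -e http.request.method \
        -e http.request.uri -e http.file_data

for requests aimed at the input page or carrying its form field names and
tallies them per source address, which is the "accounting of the malicious
traffic and the IP address of the source" the text asks for.
"""
import ipaddress
import urllib.parse


def build_dumpcap_argv(server_ip, interface, max_file_mb, rotate_minutes,
                       keep_files, stop_after_hours):
    """Return the argv for an unattended, size- and time-limited dumpcap run."""
    addr = ipaddress.ip_address(server_ip)  # rejects a malformed address early
    return [
        "dumpcap",
        "-i", interface,
        "-f", f"dst host {addr}",                    # capture filter from the text
        "-b", f"filesize:{max_file_mb * 1024}",      # dumpcap takes the size in kB
        "-b", f"duration:{rotate_minutes * 60}",     # and the rotation interval in seconds
        "-b", f"files:{keep_files}",                 # ring buffer: oldest file is reused
        "-a", f"duration:{stop_after_hours * 3600}",  # autostop after this many seconds
        "-w", "server-capture.pcapng",               # -w is mandatory with -b
    ]


def find_injection_attempts(export_text, input_page, field_names):
    """Tally requests that hit the input page or name its form fields, per source IP.

    Each line of export_text is: epoch \t src_ip \t method \t uri \t body.
    Returns {src_ip: {count, first_seen, last_seen, methods, fields}}, most
    active source first.
    """
    wanted = set(field_names)
    hits = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (5 - len(parts))  # tolerate omitted trailing fields
        ts, src, method, uri, body = parts[:5]
        path, _, query = uri.partition("?")
        # Field names may arrive in the query string (GET) or the body (POST).
        params = set(urllib.parse.parse_qs(query, keep_blank_values=True))
        params |= set(urllib.parse.parse_qs(body, keep_blank_values=True))
        if path != input_page and not (params & wanted):
            continue
        when = float(ts)
        entry = hits.setdefault(src, {"count": 0, "first_seen": when,
                                      "last_seen": when, "methods": set(),
                                      "fields": set()})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        entry["methods"].add(method)
        entry["fields"] |= params & wanted
    return dict(sorted(hits.items(), key=lambda kv: kv[1]["count"], reverse=True))


# Constructed sample export: one client repeatedly submits malformed input to
# the contact form, another client posts the form's field name to a different
# page, and a third only browses static pages.
SAMPLE_EXPORT = """\
1700000000.1\t203.0.113.5\tGET\t/contact.php\t
1700000000.9\t203.0.113.5\tPOST\t/contact.php\tname=bob&comment=hello
1700000001.3\t198.51.100.7\tGET\t/index.html\t
1700000002.0\t203.0.113.5\tPOST\t/contact.php\tname=bob&comment=%27
1700000003.4\t203.0.113.5\tPOST\t/contact.php\tname=bob&comment=%27%27
1700000004.0\t192.0.2.44\tPOST\t/other.php\tcomment=%22
1700000005.2\t198.51.100.7\tGET\t/about.html\t
"""

if __name__ == "__main__":
    print(" ".join(build_dumpcap_argv("192.0.2.10", "eth0", max_file_mb=100,
                                      rotate_minutes=60, keep_files=24,
                                      stop_after_hours=8)))
    for src, info in find_injection_attempts(SAMPLE_EXPORT, "/contact.php",
                                             ["name", "comment"]).items():
        print(src, info["count"], sorted(info["methods"]), sorted(info["fields"]))
```

The ring buffer (`-b files:`) is what makes the "test how big the file gets over an hour or two" advice enforceable: once the size, rotation and file-count limits are chosen from that test, the total disk footprint is bounded no matter how long the sniffer is left running. Matching on field names as well as on the page path catches a client that replays the form's parameters against a different URL, which a path-only search would miss.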
