Identifying suspicious network activity by using Wireshark and Process Monitor


In this post I'll discuss how to identify suspicious network traffic using Wireshark and Process Monitor.

The case:

I started a packet capture on my PC with Wireshark, and one thing caught my attention: I saw many packets sent by the file server to a PC that no longer exists on the network!


So why is the file server with the IP address 10.x.x.6 sending NBNS (NetBIOS Name Service) queries for the host BOULWA-XP, asking for its IP address?

Wireshark can show me the packets sent from the file server to that specific host, but it can't tell me which program or service running on the file server is responsible for this traffic.

To find this program or service I used Process Monitor from the Sysinternals suite. I started a capture for a few seconds, then searched for the string "BOULWA-XP". The result shows the process name at the origin of the query, in this case spoolsv.exe. Next I applied a filter to show only the events related to spoolsv.exe.

In the filtered trace we can also see the spoolsv.exe process accessing the registry key "HKCU\Printers\Connections\,,BOULWA-XP,Microsoft XPS Document Writer". This means there is a connection to the printer "Microsoft XPS Document Writer" on the host BOULWA-XP. This can be verified by opening the Printers location in the Control Panel.


So after deleting this printer from the Control Panel, the network traffic related to it disappears from the network.
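The two steps above (reading the queried name out of the NBNS packet, then searching a Process Monitor trace for that name and the registry keys the matching process touched) can be scripted. This is an added example, not code from the post; the NBNS packet bytes and the Process Monitor CSV rows are constructed sample data, and the CSV follows Procmon's default export column layout.

```python
# Added example (not from the original post): decode the NetBIOS name from a
# captured NBNS query, then look it up in a Process Monitor CSV export the way
# the post does by hand. Packet bytes and CSV rows are constructed sample data.
import csv
import io
import struct

# Constructed Procmon export using its default CSV column layout.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.1","svchost.exe","904","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters","SUCCESS","Type: REG_SZ"
"10:02:11.2","spoolsv.exe","1508","UDP Send","fileserver:137 -> BOULWA-XP:137","SUCCESS","Length: 50"
"10:02:11.3","spoolsv.exe","1508","RegOpenKey","HKCU\\Printers\\Connections\\,,BOULWA-XP,Microsoft XPS Document Writer","SUCCESS","Desired Access: Read"
"""

def encode_nbns_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 s.14.1): pad the name to 15 bytes, append
    the suffix byte, then write each nibble as a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def build_nbns_query(name):
    """Constructed NBNS NAME QUERY REQUEST: 12-byte header (flags 0x0110 = query,
    recursion desired, broadcast) followed by a single NB/IN question."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
    question = bytes([0x20]) + encode_nbns_name(name) + b"\x00" + struct.pack(">HH", 0x0020, 0x0001)
    return header + question

def decode_nbns_query(pkt):
    """Return (name, suffix) from a single-label NBNS query, i.e. the name
    Wireshark shows in the Info column of the 'Name query NB' packet."""
    if len(pkt) < 45 or pkt[12] != 0x20:
        raise ValueError("not a single-label NBNS query")
    enc = pkt[13:45]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def find_processes_referencing(csv_text, hostname):
    """Mirror the post's manual step: search every Procmon row for the host
    name, group hits by process, and keep the registry paths it touched."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if hostname.upper() not in " ".join(row.values()).upper():
            continue
        entry = hits.setdefault(row["Process Name"], {"pid": row["PID"], "registry": [], "network": 0})
        if row["Operation"].startswith("Reg"):
            entry["registry"].append(row["Path"])
        elif row["Operation"].startswith(("UDP", "TCP")):
            entry["network"] += 1
    return hits
```

Running `find_processes_referencing(PROCMON_CSV, decode_nbns_query(build_nbns_query("BOULWA-XP"))[0])` returns only spoolsv.exe, with the HKCU\Printers\Connections key that points at the stale printer connection.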