Identifying suspicious network activity by using Wireshark and Process Monitor

Introduction:

In this post I’ll discuss how to identify suspicious network traffic using Wireshark and Process Monitor, and how to trace it back to the process that generates it.

The case:

I started a packet capture on my PC with Wireshark and one thing caught my attention: I saw many packets sent by the file server to a PC that no longer exists on the network!

[Screenshot: NBNS_query_boulwa_Modif]

So why is the file server with the IP address 10.x.x.6 sending NBNS (NetBIOS Name Service) queries for the host BOULWA-XP, asking for its IP address?

Wireshark can show me the packets sent from the file server to that host, but it can’t tell me which program or service running on the file server is responsible for this traffic.

To find this program or service I used Process Monitor from the Sysinternals suite. I started a capture for a few seconds, then searched the trace for the string “BOULWA-XP”. The result shows the process at the origin of the query, in this case spoolsv.exe (the Windows Print Spooler service). Next I applied a filter to keep only the events related to spoolsv.exe.

[Screenshot: procmon_search_boulwa_modif]

[Screenshot: spoolsv_filter]

[Screenshot: spoolsv_filter_01_modif]

In the filtered trace we can also see spoolsv.exe accessing the registry key “HKCU\Printers\Connections\,,BOULWA-XP,Microsoft XPS Document Writer”. This means there is a connection to the printer “Microsoft XPS Document Writer” on the host BOULWA-XP. It can be verified by opening the printers location in the Control Panel.

[Screenshot: panneau_cfg_impr_modif]

So after deleting this printer from the Control Panel, the network traffic related to this printer disappears from the network: the stale printer connection was what kept the spooler asking for a host that no longer exists.
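The two steps of this post (spotting repeated NBNS queries for a name that never answers, and linking them to a printer connection under HKCU\Printers\Connections) can be automated. The following is an added example, not code from the original post: it decodes NBNS name-query packets (the RFC 1001 half-ASCII name encoding that Wireshark decodes for you), flags names that are queried repeatedly but never get a positive response in the capture, and matches them against printer-connection subkey names, which use the “,,SERVER,PRINTER” form seen in the Process Monitor trace. All packets, IP addresses (192.0.2.x), subkey names and the min_queries threshold are constructed for the example; a real capture would be fed in as (source IP, UDP/137 payload) pairs.

```python
"""Added example (not from the original post): decode NBNS name queries from
UDP/137 payloads, find names that are queried repeatedly but never answered,
and correlate them with HKCU\\Printers\\Connections subkeys to list stale
printer connections. All packets, IPs and key names below are constructed."""
import struct
from collections import Counter, defaultdict


def encode_netbios_name(name, suffix=0x00):
    """First-level encoding (RFC 1001): pad to 15 chars, append the suffix
    byte, then write each nibble as a letter 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for byte in raw for b in ((byte >> 4) + 0x41, (byte & 0x0F) + 0x41))


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name: 32 encoded bytes -> (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside the half-ASCII range")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(trn_id, name, suffix=0x00):
    """Broadcast name query request: 12-byte header + one NB question."""
    header = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)  # RD + broadcast
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack("!HH", 0x0020, 0x0001)  # QTYPE NB, QCLASS IN


def build_nbns_response(trn_id, name, ip, suffix=0x00):
    """Positive name query response: header + one NB resource record."""
    header = struct.pack("!HHHHHH", trn_id, 0x8500, 0, 1, 0, 0)  # QR, AA, RD
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))  # NB_FLAGS + IPv4
    return header + rr_name + struct.pack("!HHIH", 0x0020, 0x0001, 300000, len(rdata)) + rdata


def parse_nbns(payload):
    """Return (trn_id, is_response, name, suffix) for a name-query packet;
    the queried or answered name starts at offset 12 in both directions."""
    if len(payload) < 46:
        raise ValueError("payload too short for an NBNS name packet")
    trn_id, flags = struct.unpack_from("!HH", payload, 0)
    if (flags >> 11) & 0xF != 0:
        raise ValueError("not a name query opcode")
    if payload[12] != 0x20:
        raise ValueError("unexpected label length")
    name, suffix = decode_netbios_name(payload[13:45])
    return trn_id, bool(flags & 0x8000), name, suffix


def find_unanswered_names(packets, min_queries=3):
    """packets: iterable of (src_ip, udp_payload). Returns {name: {src_ip: count}}
    for names queried at least min_queries times (a constructed threshold) that
    never received a positive response anywhere in the capture."""
    queries = defaultdict(Counter)
    answered = set()
    for src, payload in packets:
        try:
            _, is_response, name, _ = parse_nbns(payload)
        except ValueError:
            continue  # not NBNS name traffic, skip it
        if is_response:
            answered.add(name)
        else:
            queries[name][src] += 1
    return {n: dict(c) for n, c in queries.items()
            if n not in answered and sum(c.values()) >= min_queries}


def parse_printer_connection(subkey):
    """HKCU\\Printers\\Connections subkeys are named ',,SERVER,PRINTER'
    (the UNC path \\\\SERVER\\PRINTER with backslashes replaced by commas)."""
    parts = subkey.split(",")
    if len(parts) != 4 or parts[0] or parts[1]:
        raise ValueError("not a printer connection subkey: " + subkey)
    return parts[2].upper(), parts[3]


def stale_printer_connections(subkeys, unanswered):
    """Printer connections whose server is one of the unanswered NBNS names."""
    return [k for k in subkeys if parse_printer_connection(k)[0] in unanswered]


# Constructed capture: the file server keeps asking for BOULWA-XP with no
# answer, while a query for WS-ALICE is answered by 192.0.2.21.
SAMPLE_PACKETS = [("192.0.2.6", build_nbns_query(0x8000 + i, "BOULWA-XP")) for i in range(5)]
SAMPLE_PACKETS += [("192.0.2.6", build_nbns_query(0x9001, "WS-ALICE")),
                   ("192.0.2.21", build_nbns_response(0x9001, "WS-ALICE", "192.0.2.21"))]
# Constructed subkey names, in the form seen under HKCU\Printers\Connections.
SAMPLE_SUBKEYS = [",,BOULWA-XP,Microsoft XPS Document Writer", ",,PRINTSRV,HP LaserJet 4"]

if __name__ == "__main__":
    stale = find_unanswered_names(SAMPLE_PACKETS)
    print("unanswered NBNS names:", stale)
    print("printer connections to remove:", stale_printer_connections(SAMPLE_SUBKEYS, stale))
```

On the sample data the script reports BOULWA-XP as queried five times by 192.0.2.6 without any answer, and lists the “,,BOULWA-XP,Microsoft XPS Document Writer” connection as the one to remove, which is exactly the conclusion reached by hand above. Names that are answered, such as WS-ALICE here, are dropped even if they are queried often, so normal name resolution does not show up as noise.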
