Identifying suspicious network activity by using Wireshark and Process Monitor

Introduction:

In this post I’ll discuss how to identify suspicious network traffic using Wireshark and Process Monitor.

The case:

I started a packet capture on my PC with Wireshark, and one thing caught my attention: the file server was sending many packets to a PC that no longer exists on the network!

[Screenshot: NBNS_query_boulwa_Modif]

So why is the file server with the IP address 10.x.x.6 sending NBNS (NetBIOS Name Service) queries for the host BOULWA-XP, asking for its IP address?

Wireshark can show me the packets sent from the file server to that specific host, but it can’t tell me which program or service running on the file server is responsible for this traffic.

To find this program or service I used Process Monitor from the Sysinternals tools. I started a capture for a few seconds, then searched for the string “BOULWA-XP”. The result shows the process at the origin of the query, in this case spoolsv.exe. Next I applied a filter to keep only the events related to spoolsv.exe.

[Screenshot: procmon_search_boulwa_modif]

[Screenshot: spoolsv_filter]

[Screenshot: spoolsv_filter_01_modif]

In the filtered trace we can also see the spoolsv.exe process accessing the registry key “HKCU\Printers\Connections\,,BOULWA-XP,Microsoft XPS Document Writer”. This means there is a connection to the printer “Microsoft XPS Document Writer” on the host BOULWA-XP. It can be verified by opening the Printers location in the Control Panel.

[Screenshot: panneau_cfg_impr_modif]

So by deleting this printer from the Control Panel, the network traffic related to this printer disappears from the network.

Cannot scan to a shared folder using a Canon IR copier

The case:

We have a corporate Canon IR copier with the scan-over-network feature enabled, but we cannot scan to the shared folder on the SMB server.

[Screenshot: Carnet_adresses_modif]

So, let’s find out why.

At first I suspected a permission issue on the share, so I checked the permissions, which seem correct: Everyone is given read and write access to the share.

Second, I started Process Monitor on the computer that hosts the share, but it did not give me any clue. So I deduced that the issue is related to the network and that I had to capture the packets on the Canon’s Ethernet interface.

To do so, I set up the SPAN (Switch Port Analyzer) feature on the Cisco Catalyst switch to copy all the network traffic from the Canon’s interface to another interface, to which I connected a PC with Wireshark installed.

Here is the Wireshark capture result:

[Screenshot: Wireshark_netbios_issue_modif]

We can see the Canon copier sending NetBIOS broadcasts asking for the IP address of the host named AL1XXXX7P (the SMB server). As it didn’t receive any response, it sends a DNS query to the DNS server asking for the IP of the AL1XXXX7P.DOMAIN.LOCAL host, and the DNS server replies with the IP 10.x.x.13.
Next the copier sends a NetBIOS query to the 10.x.x.13 host, trying to initiate a communication on UDP port 137. The SMB server replies that it can’t communicate on port 137.
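Wireshark decodes the NetBIOS name for you, but the on-wire form matters when you write your own checks. The following Python script is an added example, not part of the original post: it builds an NBNS NAME QUERY REQUEST for BOULWA-XP (a constructed packet, laid out as in RFC 1002), parses it back into the queried name and suffix, and flags queries for names that are not in a host inventory, which is exactly the sign that exposed the stale printer connection in the first case. The inventory list and the `stale_queries` helper are assumptions of this example.

```python
"""Build and parse NetBIOS Name Service (NBNS, UDP/137) name queries.

Added example for this post: the sample packet below is constructed here,
not captured from the file server or the Canon copier.
"""
import struct


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: 15-char space-padded name + 1 suffix byte,
    each nibble mapped to a letter 'A'..'P' (32 bytes in total)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Reverse the first-level encoding; returns (name, suffix byte)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_query(name: str, trn_id: int = 0x1234, broadcast: bool = True) -> bytes:
    """NAME QUERY REQUEST: 12-byte header plus one question (QTYPE NB, class IN).
    Flags 0x0110 = opcode QUERY + RD + B (broadcast); 0x0100 = unicast query."""
    flags = 0x0110 if broadcast else 0x0100
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    question = (b"\x20" + encode_netbios_name(name) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))
    return header + question


def parse_nbns_query(payload: bytes) -> dict:
    """Parse a single-question NBNS query from a raw UDP payload."""
    if len(payload) < 50:  # 12 header + 1 length + 32 name + 1 terminator + 4
        raise ValueError("payload too short for an NBNS query")
    trn_id, flags, qdcount, *_ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount != 1 or payload[12] != 0x20:
        raise ValueError("not a single-question NBNS name query")
    name, suffix = decode_netbios_name(payload[13:45])
    qtype, _qclass = struct.unpack("!HH", payload[46:50])
    return {"trn_id": trn_id, "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "qtype": qtype}


def stale_queries(payloads, known_hosts) -> list:
    """Queried names absent from the inventory (e.g. a decommissioned PC)."""
    known = {h.upper() for h in known_hosts}
    return [q["name"] for q in map(parse_nbns_query, payloads) if q["name"] not in known]
```

Feed it the UDP payloads of the port 137 packets exported from a capture and compare the result with your current host list; a name that keeps being queried but is no longer in the inventory points at a stale reference such as the printer connection above.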

OK, now we know why the scanned documents are not sent to the SMB share. So why can’t the SMB server use its UDP port 137?

The reason is that, a few days ago, I had enabled the “Disable NetBIOS over TCP/IP” option on the network interface. By enabling NetBIOS over TCP/IP again I was able to send scans from the Canon copier to the SMB server again.

[Screenshot: NIC_Netbios_disabled]

The following screenshot shows the Wireshark trace when the NetBIOS communication between the two devices succeeds:

[Screenshot: Wireshark_netbios_success_modif]