![]() Using the methods from this tutorial, we can better utilize Wireshark to help us identify affected hosts and users. This cap is from a Windows host in the following AD environment: Go to the frame details section and expand lines as shown in Figure 13. For Windows hosts in an Active Directory (AD) environment, we can find user account names in from Kerberos traffic. However, for those lucky enough to find HTTP web-browsing traffic during their investigation, this method can provide more information about a host. This cap is from an Android host using an internal IP address at 172.16.4.119. With HTTP-based web browsing traffic from a Windows host, you can determine the operating system and browser. Client Identifier details should reveal the MAC address assigned to 172.16.1[. Go to the frame details section and expand the line for Bootstrap Protocol (Request) as shown in Figure 2.Įxpand the lines for Client Identifier and Host Name as indicated in Figure 3. ![]() Select one of the frames that shows DHCP Request in the info column. Note : With Wireshark 3.0, you must use the search term DHCP instead of boot. ![]() ![]() Open the cap in Wireshark and filter on boot pas shown in Figure 1. DHCP traffic can help identify hosts for almost any type of computer connected to your network. ![]() If you have access to full packet capture of your network traffic, a cap retrieved on an internal IP address should reveal an associated MAC address and hostname. In most cases, alerts for suspicious activity are based on IP addresses. This tutorial offers tips on how to gather that cap data using Wireshark, the widely used network protocol analysis tool. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |