Wireshark
Analyze -> Expert Info to see all the traffic patterns. You could record traffic for 5x minutes. A high number of RSTS would be bad such as 100+.
Statistics -> Flow Graph and limit it to a filter, to see port scans
Statistics -> Protocol Hierarchy can show you which protocols are on your network and generating the most bandwidth
Statistics -> Conversation can view the 5-tuple
Example Filters
- !(ip.dst == 192.168.1.0/24) && !(ip.dst == 192.168.2.0/24) && !(ip.dst == 192.168.3.0/24) && !(ip.dst == 192.168.4.0/24) && !arp && !llmnr && !dhcp
- -tcp.flags.reset==1
- -http.request
- -tcp contains hacker
- -!(arp or icmp or dns)
- -tcp.analysis.retransmission
- -frame.time >= “Jul 18, 2019 16:40:00” && frame.time <= “Jul 18, 2019 16:41:59” && frame contains “test”
- frame contains “paypal”
To view encrypted packets:
@echo off
set SSLKEYLOGFILE=c:\temp\TLS_KeyLogFile.log
start firefox
PKTMON
c:\windows\system32\pktmon.exe start –capture -f c:\temp\pktmon.etl
(optional) pktmon filter add -i IPAddr -t tcp syn (optional)
pktmon stop
pktmon etl2pcap C:\pktmon.etl –out c:\test.pcapng