Wireshark Essentials

Unusual traffic


While it is difficult to anticipate what methods a hacker may use in an attempt to infiltrate a network or host, there are a few things that should probably never happen on a normal, healthy network. Because they are useful for testing and for conveying error conditions, ICMP packets are a likely target for malicious redirection. Since TCP is the predominant transport protocol for most applications, you should look out for abnormalities in TCP headers or payloads that could be a sign of malicious intent.

Some examples of abnormalities to look out for are discussed in the following table:

Suspicious content: TCP bad flags
Description: An illegal or unlikely combination of TCP flags. The SYN, SYN/ACK, ACK, PSH, FIN, and RST flags are normal when they're used in the appropriate places; anything otherwise warrants investigation.

Suspicious content: SYN packet contains data
Description: The initial TCP SYN packet should never contain payload data; it is used to establish a session only. Note, however, that...
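The following is an added example, not code from the book: a small Python checker that parses a raw TCP segment (header plus payload, without the IP header) and reports the two abnormalities from the table above, illegal flag combinations and a SYN that carries data. Each check is annotated with the equivalent Wireshark display filter so the same condition can be applied in the GUI. The flag-combination rules (null flags, SYN+FIN, SYN+RST, FIN/PSH/URG without ACK) and the sample segments are the editor's own assumptions, constructed inline so the script runs offline.

```python
import struct

# TCP flag bits as laid out in the TCP header (RFC 9293).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def parse_tcp(segment: bytes) -> dict:
    """Parse a raw TCP segment (TCP header plus payload, no IP header)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4          # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload_len": len(segment) - header_len}


def flag_string(flags: int) -> str:
    """Render the set flag bits as e.g. 'SYN+ACK'; 'none' when no bit is set."""
    return "+".join(n for bit, n in FLAG_NAMES.items() if flags & bit) or "none"


def find_anomalies(segment: bytes) -> list[str]:
    """Return the table's anomalies exhibited by this segment (empty list if none).
    Comments give the equivalent Wireshark display filter for each check."""
    hdr = parse_tcp(segment)
    f = hdr["flags"]
    findings = []
    if f == 0:                                   # tcp.flags == 0
        findings.append("null flags")
    if f & SYN and f & FIN:                      # tcp.flags.syn == 1 && tcp.flags.fin == 1
        findings.append("SYN+FIN set together")
    if f & SYN and f & RST:                      # tcp.flags.syn == 1 && tcp.flags.reset == 1
        findings.append("SYN+RST set together")
    # After the handshake every segment carries ACK, so FIN/PSH/URG with no ACK
    # (and no SYN/RST) is not something a real session produces (assumed rule).
    if f & (FIN | PSH | URG) and not f & (ACK | SYN | RST):
        findings.append("FIN/PSH/URG without ACK")
    # tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.len > 0
    if f & SYN and not f & ACK and hdr["payload_len"] > 0:
        findings.append(f"SYN carries {hdr['payload_len']} bytes of payload")
    return findings


def build_segment(flags: int, payload: bytes = b"", sport: int = 40000,
                  dport: int = 80) -> bytes:
    """Construct a minimal TCP segment for testing: 20-byte header, no options,
    checksum left as zero. Port and sequence values are sample values only."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         5 << 4, flags, 65535, 0, 0)
    return header + payload


# Constructed sample segments: a benign handshake start, a normal data segment,
# and four shapes that the table above says should never appear.
SAMPLES = {
    "normal SYN":       build_segment(SYN),
    "normal data":      build_segment(ACK | PSH, b"hello"),
    "SYN+FIN":          build_segment(SYN | FIN),
    "null scan":        build_segment(0),
    "Xmas":             build_segment(FIN | PSH | URG),
    "SYN with payload": build_segment(SYN, b"GET / HTTP/1.0\r\n"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:18} flags={flag_string(parse_tcp(seg)['flags']):14} "
              f"-> {find_anomalies(seg) or 'ok'}")
```

The filter expressions in the comments can be pasted straight into Wireshark's display filter bar to pull the same segments out of a live capture. When running a check like this over real traffic, allow for TCP Fast Open (RFC 7413), which legitimately places data in the initial SYN on networks where it is deployed, so that those sessions are not reported as suspicious.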