Network Forensics Basics : How To Check and Analyze Unexpected Network Traffic On Windows or Linux Machine

Network Forensics Basics : How To Check and Analyze Unexpected Network Traffic On Windows or Linux Machine What’s The Typical Abnormal Scenario? Required Tools Bandwidth Monitor Packet Capture Listing Open Ports What To Do When Unexpected Traffic Is Observed? Capture Network Traffic Listing Local & Remote Open Ports Using netstat Netstat On Windows Netstat On Linux Using CurrPorts What To Do With Collected Packet Captures & netstat / CurrPorts Output Packet Capture Inspection Finding The Conversations With Most Traffic Filtering On Interesting Conversations Following The White Rabbit (aka TCP Stream) Just google it! netstat/CurrPorts Output Finding Out The Application Name Destination IP Address Source Port rDNS (Reverse DNS) & IP WHOIS Just Try To Open It Up In Your Browser IP Reputation Check Conclusion

So in one previous post, we talked about the importance of using some kind of bandwidth monitoring tool to be able to see bandwidth usage in real time for many reasons… Among those reasons was being able to keep an eye on unexpected bandwidth hoggers which could be malware traffic or unwanted applications, now we will see how to act when an abnormality is observed.

What’s The Typical Abnormal Scenario?

So you are on your machine, doing some activity that does not involve light or heavy bandwidth usage and then you notice unexpected traffic usage reported by the network monitor like below.

Out of curiosity, we would typically want to know what is behind that bandwidth usage, maybe it’s innocent windows updates or it could also be unwanted malware behavior.

Required Tools

Mainly we will need three types of tools, a bandwidth monitor, a packet capture tool and a tool to list open TCP/UDP ports along with the names of the processes using these ports.

Bandwidth Monitor

A bandwidth monitor is our alerting tool that should be previously installed and functioning as a watchdog to keep tabs on the bandwidth utilization in general… Any abnormal activity triggered here should raise an alarm, I have talked about why it’s absolutely necessary to install a bandwidth monitoring tool before in the post Why You Must Have A Live Bandwidth Monitoring Tool.

There are many real time bandwidth monitoring tools for every platform you can use Networx for windows, Netspeed GNOME extension for Linux.

A bandwidth monitoring tool is essential to alert for any unexpected network traffic!

Packet Capture

Packet capture is of utmost necessity to capture the most meaningful artifact, the traffic itself… of course when a packet capture is mentioned, we are going to use either Wireshark or tcpdump to capture the traffic but for traffic analysis later on, we are going to use Wireshark because of its powerful capture analysis tools.

Listing Open Ports

Listing ports being used is crucial in our case, it will assist in finding out which process on our system is using the ports and it will be very helpful to determine the nature of traffic in question… for this purpose we will use netstat (Windows/Linux) or a GUI tool on windows like CurrPorts which is a free, small and very effective tool.

CurrPorts is like glorified netstat with beautiful GUI

What To Do When Unexpected Traffic Is Observed?

Capture Network Traffic

When you notice unexpected traffic on the bandwidth monitor, the first thing you want to do is to capture that traffic using Wireshark… open up Wireshark and start a capture without filters on the interface being used (wireless or LAN interface) right away, leave Wireshark capturing traffic for as much time as you can… the more traffic captured the more sense it makes, after enough data has been collected, you can stop the capture.

If in doubt which interface is active, Wireshark visualises the traffic on each active interface, otherwise you can use ctrl+left click to select more than one interface, you can also tell Wireshark to list only the physical interfaces and not the virtual ones

Listing Local & Remote Open Ports

In parallel with capturing the traffic, you definitely want to either use netstat or CurrPorts to list the open ports at the time the unusual traffic is observed…

Using netstat

Netstat can be a lifesaver when there is no other tool like CurrPorts installed, mainly because it comes with Windows and all Linux distributions although the command parameters are a bit different but at the end it does the same purpose.

Netstat On Windows

Start a windows cmd shell with administrator privileges which is necessary for using the CLI parameter “b” to show the executable name used for each connection.

In cmd type netstat -nabo, here’s an explanation of each CLI parameter involved:

n	Do not resolve hostnames and port numbers which makes it way faster
a	show all connections and listening ports
b	show the executable name
o	show the process ID

With the correct parameters, netstat on Windows shows local and remote ports and addresses as well as the PID and the process name associated with each connection

Netstat On Linux

Netstat on Linux functions exactly like on Windows, the CLI parameters are a bit different, for Linux we will use this : sudo netstat -natup

n	Do not resolve hostnames and port numbers which makes it way faster
a	Display all sockets (ports in Linux terminology)
t	Display TCP connections
u	Display UDP connections
p	Display PID (process ID) and process name

localuser@localmachine:~$ sudo netstat -tuanp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      3544/smbd tcp        0      0 0.0.0.0:8112            0.0.0.0:*               LISTEN      3480/python tcp        0      0 0.0.0.0:32400           0.0.0.0:*               LISTEN      1009/Process x tcp        0      0 127.0.0.1:32401         0.0.0.0:*               LISTEN      1009/Process x tcp        0      0 0.0.0.0:5938            0.0.0.0:*               LISTEN      3505/Process Z tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      13712/systemd-resol tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1004/vsftpd tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1007/sshd tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      6851/cupsd tcp        0      0 127.0.0.1:32600         0.0.0.0:*               LISTEN      2410/Process Y tcp        0      0 127.0.0.1:35481         0.0.0.0:*               LISTEN      1394/Process w [ tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      3544/smbd tcp        0      0 0.0.0.0:8989            0.0.0.0:*               LISTEN      973/mono tcp        0      0 127.0.0.1:31742         0.0.0.0:*               LISTEN      4429/ruby tcp        0      0 127.0.0.1:58846         0.0.0.0:*               LISTEN      3485/python tcp        0      0 127.0.0.1:5950          0.0.0.0:*               LISTEN      3505/Process Z tcp        0      0 127.0.0.1:31743         0.0.0.0:*               LISTEN      4429/ruby tcp        0      0 0.0.0.0:55555           0.0.0.0:*               LISTEN      3485/python tcp        0      0 0.0.0.0:63306           0.0.0.0:*               LISTEN      19843/python tcp        0      0 127.0.0.1:49782         127.0.0.1:31743         ESTABLISHED 4644/pia_nw tcp        0      0 127.0.0.1:35190         127.0.0.1:5950          ESTABLISHED 4027/Process t tcp        0      0 127.0.0.1:5950          127.0.0.1:35190         ESTABLISHED 3505/Process Z tcp        0      0 localip:39577     185.21.216.153:55236    ESTABLISHED 3485/python tcp        0    208 localip:22        192.168.1.56:14034      ESTABLISHED 16807/sshd: localuser                                                                                                              tcp       32      0 localip:40936     184.105.148.83:443      CLOSE_WAIT  1009/Process x tcp        0      0 localip:55292     54.246.140.185:80       TIME_WAIT   – tcp        1      0 127.0.0.1:56354         127.0.0.1:35481         CLOSE_WAIT  2410/Process Y tcp        0      0 127.0.0.1:31743         127.0.0.1:49782         ESTABLISHED 4429/ruby tcp        1      0 127.0.0.1:56356         127.0.0.1:35481         CLOSE_WAIT  2410/Process Y tcp       32      0 localip:36552     139.162.177.42:443      CLOSE_WAIT  1009/Process x tcp        0      0 127.0.0.1:36028         127.0.0.1:58846         ESTABLISHED 3480/python tcp       32      0 localip:45568     178.79.132.174:443      CLOSE_WAIT  1009/Process x tcp        0      0 127.0.0.1:8112          127.0.0.1:51120         TIME_WAIT   – tcp        0      0 localip:55555     91.140.117.99:53392     SYN_RECV    – tcp       32      0 localip:42860     45.79.11.43:443         CLOSE_WAIT  1009/Process x tcp       32      0 localip:35210     172.104.218.107:443     CLOSE_WAIT  1009/Process x tcp       32      0 localip:43698     45.56.116.228:443       CLOSE_WAIT  1009/Process x tcp        0      0 localip:41158     169.48.173.162:5938     ESTABLISHED 3505/Process Z tcp   169899      0 localip:57840     82.94.168.54:443        CLOSE_WAIT  13451/Process v tcp        0      0 localip:36943     46.246.123.157:32695    ESTABLISHED 3485/python tcp       32      0 localip:41840     82.94.168.50:443        CLOSE_WAIT  1009/Process x

Netstat on Linux showing us all open connections along with local & remote addresses, ports and the PID/Process name

Using CurrPorts

CurrPorts is a beautiful and simple tool that lists all the open ports along with the processes using them, one important thing to note though when using it though is to disable the “Auto Refresh” option under Options > Auto Refresh to prevent interesting connections from disappearing after being logged.

What To Do With Collected Packet Captures & netstat / CurrPorts Output

Packet Capture Inspection

Here comes the Wireshark part… The first thing we want to do is to identify the TCP/UDP conversations with most traffic and by traffic we are talking about the amount of data exchanged between peers, of course one of the peers is our local machine and the other peer is yet to be identified…

Finding The Conversations With Most Traffic

Wireshark as a powerful capture analysis tool has a very useful “Conversations” list under Statistics > Conversations, once you open up the Conversations window you will see a list of all conversations in the packet capture organized in 5 tabs: Ethernet, IPv4, IPv6, TCP, UDP. There may be more or less tabs but these are the ones most commonly present depending on the data in the capture file.

Wireshark Conversations Window is a very handy tool and the first place to look in a capture file

In our case, we will go first to the TCP tab to check the TCP conversations as these are most likely to be of interest.

• Click on the Bytes column to sort the list by total amount of bytes descendingly.
• Now we can see which TCP conversations exchanged most data in the packet capture.
• The IP address under “Address A” column should be our local IP address
• Note the local port under “Port A” column.
• Note the remote IP address and port under “Address B” and “Port B” columns.

Here we see that there are some conversations of interest, two conversations with most traffic are between our local IP at ports 16067,16068  and a remote public IP 93.184.221.240 at port 80.

We can dive into the other conversations as well but for the sake of brevity we are going to check those two only.

Filtering On Interesting Conversations

After finding out which conversations are behind most traffic, it makes sense to take a closer look at those conversations in Wireshark in an attempt to see the packet stream data.

Good for us, there is an easy way to apply a display filter from the Conversations window

Right click on the conversation with most traffic and then “Apply as Filter > Selected > A ↔ B”.

Go to the main Wireshark window, now a display filter is applied to match only the selected conversation.

Please do keep in mind that looking at the data exchanged may or may not make much sense depending on the type of traffic being filtered, the main reason for this is that the traffic may be encrypted or simply not in a human readable format but it’s a first attempt to try to understand the nature of the traffic.

Following The White Rabbit (aka TCP Stream)

Now that we have filtered out other noise in the capture file, we just want a quick look at the data exchanged so we will tell Wireshark to “Follow the TCP stream”, just right click on any packet in the packet list and go to Follow > TCP Stream

Following the TCP stream is a very quick way to look at the actual data exchanged

After following the TCP stream, we will get a window with the actual data exchanged in conversation, scroll down through that window to see if any data makes sense.

It’s also worth to note that even if the stream is HTTPS and we were lucky enough to capture the TLS handshake, we can also determine the domain or server name from the server certificate or the SNI (Server Name Indication) extension in the CLIENT HELLO message.

In our case, most of the stream was not human readable but it’s good for us that the traffic was just HTTP traffic so I was able to locate the below ASCII data showing that the other end of the communication was a server named tlu.dl.delivery.mp.microsoft.com

TCP stream data shows clearly the nature of our traffic, the blue text is client request and the red text is server response

 

Just google it!

At this point, it wouldn’t hurt to find out what the server name we found in the packet data really is, a quick Google search for the server showed that I am not alone checking this traffic,for example here at Microsoft forums, seems like it’s related to Windows Update detection engine.

A quick Google search (or whatever search engine) can be really helpful

Something important to note is that, the presence of the Host HTTP header pointing to a certain server cannot be trusted to be really pointing to that server, after all this is a Host header that is set by the client and not the domain itself! Any malware can be programmed to specify any Host header to evade detection by IPS devices! We need to do further checks to verify the nature of the connection.

netstat/CurrPorts Output

At this point, assuming we did not find anything useful in the TCP stream for any reason because of encryption or it being not simply human readable, there is something very useful that we can do right now which is locating the local application that was handling the request.

Finding Out The Application Name

To find out the local application/program that was handling the request on our machine, we are going to check the netstat or CurrPorts output that was taken earlier during the active traffic, of particular interest to us will be the destination IP address and the local source port of the communication.

Destination IP Address

Of course the destination IP address is a strong link between the traffic and the process that was handling the traffic locally but to find out the specific TCP stream, we will also need the source port.

Source Port

The source port of the traffic is an ephemeral port, that is, it’s a local port that is assigned by the OS to the process when the process wants to communicate with another peer.

As per the CurrPorts output, the process svchost.exe located at C:\windows\system32\svchost.exe was the source of the communication

Thanks to the friendly output of CurrPorts, it was easy to determine the process behind the communication, it is also very important to note the Process Path as any malware can be given the name of a legitimate process, even if the path seems to be correct

The only way to truly verify the integrity of the executable is to calculate the MD5 or SHA hash and compare it with hashes for known executables.

rDNS (Reverse DNS) & IP WHOIS

Another trick is that we can simply try to find out the “owner” of the IP address that we are communicating with, we can do a reverse DNS query, or check the results from any online website that provides WHOIS lookup.

We can also find more information like the geographical location of the IP addresses, some countries are known to be a source of many attacks, that is if the real IP address is not hidden some way or another.

A simple WHOIS lookup shows the owner of the IP and the subnet to be Edgecast.

In our case, the owner of the IP is Edgecast, a CDN company owned by Verizon.

Just Try To Open It Up In Your Browser

Simply go to your browser address bar and try accessing the IP just like any other website, try both HTTP and HTTPS access, in our case, typing http://93.184.221.240/ returned a 404 Not Found but https://93.184.221.240/ returned something very useful! The original domain hosted at this IP address 🙂

After the certificate error which is normal because we are accessing the website via its IP and not via the domain name, checking the server certificate showed it to be issues by Microsoft for a domain (msecnd.net)

IP Reputation Check

Another check that we can make in case all our previous attempts failed is to check the reputation of the IP address against live IP reputation databases, there are actually a lot of options, just search for “IP reputation check” and a lot of results will come up, here’s a check at Cisco Talos which shows nothing suspicious about this IP.

A check at Cisco Talos shows nothing abnormal about this IP address

Conclusion

We’ve gone through a lot of actions that can be taken when abnormal traffic usage is observed, the most important thing is to capture artifacts as soon as an abnormality is observed, capture as much data as you can to be able to conclude better results and not be sorry later, packet capture, source & destination IP’s, ports’ usage and process name should be more than enough to shed a light on whatever’s happening in the background, maybe it’s benign traffic like OS updates or undesired traffic like spyware or malware.