On Jul 21, 2006, at 8:15 AM, Nate Andrews wrote:
> Is Wireshark able to detect traffic from rootkits?
If by "detect" you mean "capture", then, as long as either
  1) Wireshark isn't running on the machine with the rootkit installed, and either
     1a) the traffic is either going to or coming from the machine running Wireshark
     or
     1b) promiscuous mode works on your adapter and OS, and there's no switch involved or you can tap into the traffic going through the switch with port mirroring
  or
  2) the rootkit isn't blocking traffic from getting to the packet capture mechanism
then Wireshark can capture it (the above largely refers to issues of capturing traffic, period; the only thing different about rootkit traffic is that if the rootkit works *really* hard it might insert kernel code, or a modified libpcap/WinPcap library, to hide the traffic from applications running on the same machine that would capture that traffic).
If by "detect" you mean "identify", i.e. raise a "this is from a
rootkit" red flag, there's nothing built into Wireshark to do that,
although there might be display filter expressions to identify
particular sorts of traffic that some particular rootkit might send out.
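The reply's point that a rootkit may hide its traffic from capture tools on the compromised host suggests a practical check: capture the same link from a second machine (mirror port or tap) and diff the two views. The script below is an added example, not part of the thread; it assumes both captures were exported with `tshark -T fields -E separator=,` using the fields frame.time_epoch, ip.src, ip.dst, ip.proto, source port and destination port, and all sample records are constructed.

```python
"""Diff a host-local capture against an off-host (port-mirror) capture.

Flows seen by the mirror but never by the host's own capture are the ones a
kernel or libpcap/WinPcap patch on that host could be hiding.
Input: one CSV record per packet, fields
  frame.time_epoch,ip.src,ip.dst,ip.proto,srcport,dstport
(assumed tshark -T fields export; sample lines below are constructed).
"""
from collections import Counter


def flow_key(record):
    """Map one CSV record to a direction-independent 5-tuple flow key."""
    _ts, src, dst, proto, sport, dport = record.split(",")
    a = (src, int(sport))
    b = (dst, int(dport))
    # Order the endpoints so both directions of a conversation share one key.
    return (int(proto),) + (a + b if a <= b else b + a)


def flows(records):
    """Count packets per flow, skipping malformed records."""
    counts = Counter()
    for record in records:
        record = record.strip()
        if record.count(",") != 5:  # not a 6-field export line
            continue
        counts[flow_key(record)] += 1
    return counts


def hidden_flows(host_records, mirror_records):
    """Return {flow_key: packet_count} for flows the mirror saw but the host did not."""
    host = flows(host_records)
    mirror = flows(mirror_records)
    return {key: n for key, n in mirror.items() if key not in host}


# Constructed sample data using documentation address ranges (not real captures).
HOST_CAPTURE = [
    "1153491300.1,10.0.0.5,203.0.113.10,6,51000,443",
    "1153491300.2,203.0.113.10,10.0.0.5,6,443,51000",
    "1153491301.0,10.0.0.5,203.0.113.53,17,53001,53",
]
MIRROR_CAPTURE = HOST_CAPTURE + [
    "1153491302.0,10.0.0.5,198.51.100.7,6,40000,6667",
    "1153491302.1,198.51.100.7,10.0.0.5,6,6667,40000",
    "bad,record",  # malformed line, skipped by flows()
]

if __name__ == "__main__":
    for key, n in hidden_flows(HOST_CAPTURE, MIRROR_CAPTURE).items():
        print("flow not visible on host:", key, "packets:", n)
```

Any flow reported here deserves a look at the host's capture stack (kernel, libpcap/WinPcap, filters) rather than a conclusion on its own, since asymmetric routing or a mirror covering more ports than the host's NIC can produce the same difference.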