Wireshark-users: Re: [Wireshark-users] Anybody seen this before?
From: GaryT <gary@xxxxxxxx>
Date: Thu, 11 Jul 2013 01:41:05 +1000
Many thanks, Martin.

On 09/07/13 22:16, Martin Visser wrote:
When you say that "the only place it can be found is in the capture file"
I'm guessing by that you mean it is being sent to an IP or port that is
unknown to you.

Answering this is tricky. The more I find the worse it becomes. For instance, initially I thought incoming packets entered through Port 41417, but while exploring I've noticed port numbers vary widely, they can also be sequential or on a rotation, and not only that, it's always my machine that initiates the discussion. Been hacked no doubt.

I'm running a single machine, no network. All traffic is straight through from router to the computer. Have searched my disk for specific strings that I know exist in the cap file and found them only in the cap text files. I was hoping to discover where any incoming data might have been stored but it remains hidden.

After the initial "Hello, nice to see you again", the Wireshark capture window describes each of a varying number of suspect TCP packets as [TCP segment of a reassembled PDU], then it will assemble these segments into a HTTP packet, containing (and identifying by packet number) all of the last batch of TCP segments that arrived. That sounds to me like it might be quite normal, but I don't know. This putting together of TCP segments can be assembling either just a few, or many, many hundreds. There doesn't appear to be any consistency around that. The assembled HTTP packets are usually described in the info column as "HTTP/1.1 200 OK (application json)". Note: my quote marks.

Anyway, after having suddenly learnt a thousand lessons I'll make a text file of one whole session and show only the suspect communications. That part is easy because all of this 'chatting' is between my machine and only one other IP address, so filtering the output is quite straightforward.

Also just because something is obscure doesn't mean it isn't normal.
For instance, these days a lot of web based applications, are
driven by javascript, with lots of embedded code - you may well see a lot
of references to sites for advertising or other reasons.

Anyway is you want to upload a capture, the most useful place is
http://www.cloudshark.org/ (Just make sure it doesn't contain information
you want to keep private)

Will prepare a file and upload.
Much appreciated.
GaryT