I have been playing with nmap lately, trying out arp-ping scanning and using idle hosts, etc...

Looking at Wireshark, there is always some suspicious activity when performing scans. The thing is, I do have to scan to find idle hosts to use and whichever type of scan I use is never 100% silent. There is always suspicious traffic and/or logs in the target machines.

So I had this idea: why not use Wireshark as a scanner? Instead of actively scanning machines I could just start Wireshark or a similar sniffing program and watch how machines interact with one another in the network with the data being stored in a database.

My question is, is there any program or Wireshark mode/module/etc that already does that?

Kali tests
  • I don't get it, you want to save Wireshark output to do some analysis later!??? That's the question!? – Sarastro Apr 16 '16 at 23:43
  • I want a program that will analyse the captured packets and build a database on the hosts from the packets. Not necessarily in real time. – Kali tests Apr 16 '16 at 23:45
  • Yeah but why in a database?? What happens with the pcap files??? – Sarastro Apr 16 '16 at 23:49
  • Say I want to know what ports are open on a host. Do I really need to waste time going over thousands of packets and taking notes? Wouldn't it be simpler if there was a program that could do it for me in seconds? – Kali tests Apr 16 '16 at 23:52
  • First things first, you need to edit your question to be more clear: what you are trying to do, what's the problem and what you have tried... You are starting to do some port scanning using nmap, why do you need to take notes? What happened to saving the output into a file!? – Sarastro Apr 16 '16 at 23:59
  • I think it will pay you better if you first read about networking, the OSI model and which protocol works in which layer before playing with nmap and Wireshark; it's just that you need the theory before understanding what's happening. After that you can use nmap -oX saveInXml.xml (for more file formats see the nmap man page) – Sarastro Apr 17 '16 at 00:09

2 Answers

The process you are talking about is a form of passive scanning. Frankly, you don't even need Wireshark to do exactly what you want and without a database: you just need to manage the pcaps.

There are tons of tools that can query pcaps for data, Wireshark is only one of them.

If you are wanting to use Wireshark, in the "Analysis" and "Statistics" portion of Wireshark, there is a summary of the hosts, and even the ports that are used. As far as I can tell, that's what you are looking for.

schroeder
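As an added example (not code from the question, the comments or either answer), the passive approach this answer describes can be done with a small script instead of the Wireshark GUI, and it answers the asker's "which ports are open on a host" question from a capture alone. The block below reads a classic pcap file, parses Ethernet/IPv4/TCP headers and builds a host and port inventory from the handshakes it sees: a SYN/ACK sent from host:port means that port is listening, a RST coming back from a port nothing has answered on means it is closed. The capture bytes, IP addresses and MAC addresses are constructed inline so it runs offline; `passive_inventory` takes the raw bytes of any classic pcap file. The obvious caveat of passive inventory is that it only learns about ports that were actually contacted while the capture ran; a listening port nobody connected to stays unknown. Checksums are not validated and pcapng is not handled.

```python
import socket
import struct
from collections import defaultdict

# TCP flag bits from the flags byte of the TCP header.
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def tcp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame with no payload (checksums left at zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp


def iter_frames(pcap):
    """Yield the captured frames of a classic pcap file, honouring the file's byte order."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":       # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 14:          # not TCP, or truncated
        return None
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src_ip, dst_ip, sport, dport, tcp[13]


def passive_inventory(pcap):
    """Derive hosts, listening ports and closed ports from the TCP handshakes in a capture."""
    inv = {"hosts": set(), "open_ports": defaultdict(set),
           "closed_ports": defaultdict(set), "peers": defaultdict(set)}
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags = parsed
        inv["hosts"].update((src, dst))
        inv["peers"][src].add(dst)
        if flags & TCP_SYN and flags & TCP_ACK:
            inv["open_ports"][src].add(sport)       # server answered a SYN: the port is listening
            inv["closed_ports"][src].discard(sport)
        elif flags & TCP_RST and sport not in inv["open_ports"].get(src, set()):
            inv["closed_ports"][src].add(sport)     # reset from a port never seen open (approximate)
    return inv


def sample_capture():
    """Constructed traffic, not a real capture: two clients talk to one server."""
    m1, m2, m3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"  # made-up MACs
    frames = [
        tcp_frame(m1, m2, "10.0.0.5", "10.0.0.10", 40000, 22, TCP_SYN),
        tcp_frame(m2, m1, "10.0.0.10", "10.0.0.5", 22, 40000, TCP_SYN | TCP_ACK),   # 22 open
        tcp_frame(m1, m2, "10.0.0.5", "10.0.0.10", 40001, 80, TCP_SYN),
        tcp_frame(m2, m1, "10.0.0.10", "10.0.0.5", 80, 40001, TCP_RST | TCP_ACK),   # 80 closed
        tcp_frame(m3, m2, "10.0.0.7", "10.0.0.10", 50000, 443, TCP_SYN),
        tcp_frame(m2, m3, "10.0.0.10", "10.0.0.7", 443, 50000, TCP_SYN | TCP_ACK),  # 443 open
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    inv = passive_inventory(data)
    for host in sorted(inv["hosts"]):
        print(host, "open:", sorted(inv["open_ports"].get(host, ())),
              "closed:", sorted(inv["closed_ports"].get(host, ())),
              "talks to:", sorted(inv["peers"].get(host, ())))
```

Run it with no arguments to see the inventory of the constructed capture, or pass the path of a real `.pcap` file saved from Wireshark or tcpdump. The `peers` map is the "who talks to whom" view the asker wanted to build; writing `inv` to SQLite or a CSV is a two-line addition if a database is really wanted.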

There are commercial tools that exist that do this. They don't listen on the machines themselves, but you take a mirror of your network ports and basically stuff your entire network traffic down a few trunks into the box. The box then performs real-time analysis.

There is an open-source project called ntop-ng that can do this (I have used this on previous network discovery projects).

There is a proprietary product called Extrahop that can do this (full disclosure, we are a customer of theirs).

Both of these require administrative access to the network you are wanting to inspect. The point of nmap (and similar products like nexpose) is to do active scanning.

If you are a hostile person, and you have the access to set up something like ntop-ng or extrahop, then you already have more than enough power to basically get whatever you want anyway.

The idea of nmap is to find out this information externally. They might both achieve similar things, but they do them in opposite ways.

And then you have an IDS like snort which basically watches your network for these patterns that you noticed in Wireshark and alerts you when it sees them.
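Added example, not code from this answer or from any IDS product: the pattern the asker noticed in Wireshark, one source trying many distinct destination ports and mostly getting refused or no reply in a short span, is what a port-scan detection rule boils down to, and the block below writes that rule out over simplified connection records. The records, addresses and the `ok`/`refused`/`noreply` outcome labels are constructed here and are not a real log format. The detector slides a time window over each source's failed attempts and counts distinct (destination, port) targets; the window is a parameter because a scan spread out over a long period slips under a short one, which is the usual trade-off between catching slow scans and false alarms on busy clients.

```python
from collections import defaultdict

# Constructed connection records, not real logs. One record per line:
# <epoch seconds> <source IP> <destination IP> <destination port> <outcome>
# outcome: "ok" = handshake completed, "refused" = RST came back, "noreply" = SYN unanswered.
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.10 22 ok
1001 10.0.0.5 10.0.0.10 23 refused
1001 10.0.0.5 10.0.0.10 25 refused
1002 10.0.0.5 10.0.0.10 80 ok
1002 10.0.0.5 10.0.0.10 110 refused
1003 10.0.0.5 10.0.0.10 135 noreply
1003 10.0.0.5 10.0.0.10 139 refused
1004 10.0.0.5 10.0.0.10 445 refused
1005 10.0.0.5 10.0.0.10 3389 refused
1006 10.0.0.5 10.0.0.10 8080 refused
1200 10.0.0.7 10.0.0.10 443 ok
1260 10.0.0.7 10.0.0.10 80 ok
1300 10.0.0.7 10.0.0.10 8443 refused
2000 10.0.0.9 10.0.0.10 21 refused
2100 10.0.0.9 10.0.0.10 22 refused
2200 10.0.0.9 10.0.0.10 23 refused
2300 10.0.0.9 10.0.0.10 25 refused
2400 10.0.0.9 10.0.0.10 80 refused
2500 10.0.0.9 10.0.0.10 443 refused
"""


def parse_records(text):
    """Parse the constructed record format into (ts, src, dst, port, outcome) tuples, time-ordered."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, outcome = line.split()
        records.append((int(ts), src, dst, int(port), outcome))
    return sorted(records)


def detect_port_scans(records, window=60, threshold=5):
    """Flag sources with >= threshold distinct failed (dst, port) targets inside any `window` seconds."""
    failed = defaultdict(list)                    # src -> [(ts, (dst, port)), ...] in time order
    for ts, src, dst, port, outcome in sorted(records):
        if outcome != "ok":
            failed[src].append((ts, (dst, port)))

    alerts = {}
    for src, events in failed.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            targets = {target for _, target in events[start:end + 1]}
            if len(targets) >= threshold:
                alert = alerts.setdefault(src, {"distinct_targets": 0,
                                                "first_seen": events[start][0],
                                                "last_seen": events[end][0]})
                alert["distinct_targets"] = max(alert["distinct_targets"], len(targets))
                alert["last_seen"] = events[end][0]
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for label, kwargs in (("60 s window", {}), ("600 s window", {"window": 600})):
        print(label)
        for src, a in sorted(detect_port_scans(recs, **kwargs).items()):
            print(f"  ALERT {src}: {a['distinct_targets']} distinct failed targets "
                  f"between t={a['first_seen']} and t={a['last_seen']}")
```

With the default 60-second window only 10.0.0.5 is flagged: 10.0.0.7 has a single failure, and 10.0.0.9 spaces its attempts 100 seconds apart so no window ever holds more than one. Widening the window to 600 seconds catches 10.0.0.9 as well, which is exactly the "slow scan" knob an IDS such as snort exposes in its scan-detection preprocessor settings.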