Inspect past network traffic retrospectively?


Hello Community,

My company has received notice from a federal agency that one of our computers allegedly is infected with a Trojan, because network traffic with the suspicious footprint

[image of the suspicious traffic footprint, not reproduced here]

...had been detected by a (nondisclosed) "trustworthy source".

Additionally, I have date, time and amount of the "suspicious" traffic from last Tuesday.

Is there any way to retrospectively determine (on the supposedly infected PC) which program has caused this traffic -- or which program on that PC has caused any traffic at all at the time in question?

If this should not be possible, I'd try and monitor the current traffic of that PC now with Wireshark.

I would be grateful for a tip or link on how to proceed, as I have never used Wireshark before.

Should I just let Wireshark record all of that PC's default network connection traffic, and then, in the recorded Packet List, simply enter one of the available pieces of information about the suspicious traffic (e.g. "Source Port", "Destination IP" or "Destination Host") into the Display Filter?

Thanks for any help,

David

David.P
asked 2021-06-06 15:05:35 +0000, updated 2021-06-06 15:07:21 +0000
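The workflow the question sketches (capture with Wireshark, then narrow the Packet List down to the indicators from the notice) can be scripted once the capture is exported with tshark, Wireshark's command-line counterpart. The script below is an added example and not code from the original post or from the Wireshark project. It builds the display filter from the known indicators, sums the bytes sent to the reported destination inside the reported time window (the total is what you compare against the "amount" in the notice), and then attributes the flow to a process. That last step is the one Wireshark alone cannot do: a capture records packets, not process names, so the example assumes a `netstat -ano` listing taken on the PC while the capture was running, and maps the local socket of each matching flow to the PID that owned it. The capture file name, the tshark field export, the netstat lines and all addresses and times are constructed sample data.

```python
"""Correlate a packet capture with a reported "suspicious traffic" notice.

Added example for the question above (not code from the original post or
from the Wireshark project). Assumptions: the capture was exported with
tshark as comma-separated fields, and a `netstat -ano` listing was taken
on the PC while the capture ran. All sample data below is constructed.

Assumed export command (real tshark options; capture.pcapng is a placeholder):
  tshark -r capture.pcapng -T fields -E separator=, \
      -e frame.time_epoch -e ip.src -e ip.dst \
      -e tcp.srcport -e tcp.dstport -e frame.len > flows.csv
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed tshark export: epoch time, src IP, dst IP, src port, dst port, frame bytes.
# 1622586000 is 2021-06-01 22:20:00 UTC, i.e. "last Tuesday" relative to the post.
SAMPLE_TSHARK_CSV = """\
1622586000.10,192.168.1.20,203.0.113.7,51512,443,1514
1622586000.35,192.168.1.20,203.0.113.7,51512,443,1514
1622586001.02,203.0.113.7,192.168.1.20,443,51512,66
1622586005.70,192.168.1.20,198.51.100.9,51520,80,512
1622590000.00,192.168.1.20,203.0.113.7,51530,443,1514
"""

# Constructed `netstat -ano` lines from the same PC (Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """\
  TCP    192.168.1.20:51512     203.0.113.7:443        ESTABLISHED     4120
  TCP    192.168.1.20:51520     198.51.100.9:80        ESTABLISHED     2208
"""


def build_display_filter(dst_ip=None, dst_port=None, src_port=None):
    """Build a Wireshark display filter from whichever indicators the notice gave.

    ip.dst, tcp.dstport and tcp.srcport are real Wireshark field names; the
    result can be pasted into the Display Filter bar or passed to `tshark -Y`.
    """
    clauses = []
    if dst_ip:
        clauses.append(f"ip.dst == {dst_ip}")
    if dst_port:
        clauses.append(f"tcp.dstport == {dst_port}")
    if src_port:
        clauses.append(f"tcp.srcport == {src_port}")
    return " && ".join(clauses)


def parse_tshark_csv(text):
    """Turn the tshark field export into a list of dicts with typed values."""
    rows = []
    for ts, src, dst, sport, dport, length in csv.reader(io.StringIO(text)):
        rows.append({"time": float(ts), "src": src, "dst": dst,
                     "sport": int(sport), "dport": int(dport), "bytes": int(length)})
    return rows


def flows_in_window(rows, dst_ip, dst_port, start_iso, end_iso):
    """Sum bytes per outbound 4-tuple towards dst_ip:dst_port inside [start, end].

    Times are ISO 8601 strings with a UTC offset, e.g. "2021-06-01T22:19:00+00:00".
    Only packets whose destination matches are counted, so the reply direction
    and other destinations are left out; the total is compared with the notice.
    """
    t0 = datetime.fromisoformat(start_iso).timestamp()
    t1 = datetime.fromisoformat(end_iso).timestamp()
    totals = defaultdict(int)
    for r in rows:
        if r["dst"] == dst_ip and r["dport"] == dst_port and t0 <= r["time"] <= t1:
            totals[(r["src"], r["sport"], r["dst"], r["dport"])] += r["bytes"]
    return dict(totals)


def parse_netstat(text):
    """Map (local IP, local port) -> PID from `netstat -ano` style TCP lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            ip, port = parts[1].rsplit(":", 1)
            table[(ip, int(port))] = int(parts[4])
    return table


def attribute_flows(flows, netstat_table):
    """Attach the PID that owned each flow's local socket; None if netstat missed it."""
    return {flow: netstat_table.get((flow[0], flow[1])) for flow in flows}


if __name__ == "__main__":
    print("Display filter:", build_display_filter("203.0.113.7", 443))
    rows = parse_tshark_csv(SAMPLE_TSHARK_CSV)
    flows = flows_in_window(rows, "203.0.113.7", 443,
                            "2021-06-01T22:19:00+00:00", "2021-06-01T22:21:00+00:00")
    for flow, pid in attribute_flows(flows, parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {flows[flow]} bytes, PID {pid}")
```

Run it against a real export by replacing the two sample strings with the contents of flows.csv and the saved netstat output. The netstat snapshot has to be taken while the connection is open, so in practice it is repeated at short intervals alongside the capture; a flow whose PID comes back as None was simply not open at any snapshot.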
