Packet capture rate at 14,000 per second without anything running, is my PC compromised?

On 26 February, I was sitting in an internet cafe shop, running Wireshark and Snort to measure traffic on the computer that I was sitting at. The rate of packet capture per second was so high (peaked at 14,000) that Wireshark malfunctioned, whereas Snort still worked normally https://imgbox.com/41aBuJK2 . So, I saved only Snort log files instead of pcap files from Wireshark https://mega.nz/folder/11MF1aYI#cNcAE... .

Recording video: https://www.youtube.com/watch?v=5m6gI...

When analyzing the log files in Wireshark, I only see that almost all conversations of my client computer are with another computer in the shop, whose local IP address is 192.168.1.242. However, I'm pretty sure that the kids in the internet cafe shop plus the owner did not do anything to transfer files between my computer and theirs. Additionally, this has already occurred many times, not just in that internet shop but also in other shops.

As I have been cyber-spied on intensely by Vietnam, I suspect that this is Vietnamese cyber-espionage on me. Since this is a nation state actor, it is not surprising that its cyber-spies are capable of hiding their identity by using one of the computers in internet cafe shops to intrude into the other ones.

laurentz1241, asked 2022-02-26 20:49:56 +0000, updated 2022-02-27 20:22:12 +0000

Comments

fixed 192.168.1.242, not 192.168.1.241

laurentz1241 (2022-02-27 07:22:21 +0000)

@SYN-bit @grahamb, please give some thoughts about this. I put pcap files captured by Wireshark in CapLoader (trial version) and then double-clicked on the conversation that generated the highest number of captured packets (screenshot: https://imgbox.com/jRVUD3Wa) to see the content of the conversation. The contents show Portuguese and Indonesian texts like this:

Indonesian: https://controlc.com/9b236d03 (https://imgbox.com/7JQvpq1S)

Portuguese: https://controlc.com/bc035899 (https://imgbox.com/HSqgxFG1)

Download links to the pcap files are in the description of this YouTube video: https://www.youtube.com/watch?v=2xoBF...

laurentz1241 (2022-03-04 09:23:56 +0000)

Videos aren't useful when attempting to analyze traffic. Please post the capture files on a public share and then a link to them back here.

grahamb (2022-03-04 10:22:42 +0000)

@grahamb I uploaded the capture files to Mega.nz, which you can download here:

Link 1 (1.08 Gb): https://mega.nz/file/DrwCzaKQ#UruEWmr...

Link 2 (3.15 Gb): https://mega.nz/file/Cq4UxY4K#QIFQucZ...

Link 3 (1.16 Gb): https://mega.nz/file/OuhgQaLA#2A1d_Vc...

For the capture files in link 1 & link 2, I opened them in CapLoader (free trial version) and double-clicked on the most intense conversation to see its content, and then I copied and pasted the contents here:

https://controlc.com/9b236d03

https://controlc.com/bc035899

As I'm just a layman in Wireshark analysis, these codes look meaningless to me. Please help me to analyze them, grahamb.

laurentz1241 (2022-03-04 11:28:50 +0000)

1 Answer


I looked at the first capture file listed. As noted in the answer to your similar question by @SYN-bit, by opening the Statistics -> Protocol Hierarchy dialog you can see the traffic is mostly iSCSI traffic, reads and writes between 192.168.1.142 (probably your machine) & 192.168.1.210.

Using the Statistics -> Conversations dialog, TCP tab (check the Name resolution option) you can see again that most traffic is to the iscsi-target port (3260) on 192.168.1.210. There are some other smaller conversations to the same IP on ports 6894 and 6895, but these seem to be binary data with nothing standing out.

There is another conversation on port 1000 that does have some vaguely interesting text in it (use the filter tcp.stream == 4, right click any packet and select Follow -> TCP Stream), where it seems that .242 is sending queries about temperatures and hardware info to .142, which responds with some information. This may or may not be malicious.

You can also view some of the contents of the data transfer over iSCSI, again by clearing the display filter, selecting one of the iSCSI packets and using Follow -> TCP Stream. Looks to be a mix of binary, English, JavaScript??, Portuguese and some other languages.

You should determine what the other computer is (.210) and why your computer is reading and writing data to it over the iSCSI protocol. The text in the follow stream window for the iSCSI traffic might be a clue to you about the data transfer.

grahamb, answered 2022-03-04 13:10:57 +0000, updated 2022-03-04 17:29:02 +0000

Comments

@grahamb Thanks for your answer. Is iSCSI traffic generated when 2 computers in the same local network communicate with each other? When a computer in a local network is compromised by hackers and then used to communicate with other computers in the local network, is the traffic generated by the communication between them iSCSI? It is certain that the other users plus the owner in the internet shop that I sat in did not do anything. Therefore, the possibility that one of the computers in the shop (192.168.1.210) was compromised to intrude into my computer is most likely.

laurentz1241 (2022-03-04 14:59:32 +0000)

@grahamb I've got a couple more questions from your answer above. Why does the conversation on port 1000 (screenshot https://imgbox.com/CFYDMLd6) correspond to the filter "tcp.stream == 4" rather than tcp.stream == 1 or 2 or 3 or 5, etc.?

After selecting one of the iSCSI packets and using Follow -> TCP Stream, a mix of binary, English, JavaScript??, Portuguese and some other languages is shown. How can I understand the meaning of this binary, JavaScript, Portuguese and English, and what effects do they have on my computer?

laurentz1241 (2022-03-04 15:15:45 +0000)

The tcp stream indexes are a synthetic property calculated by Wireshark for each tcp flow (source IP and port, Destination IP and port) as they occur in the capture. The first packet for that flow is the 5th (counting from 0) stream encountered in the capture file. The tcp stream index does not appear anywhere in the traffic.

The stream "Follow" dialog shows what data is being transferred over the stream. As the stream in this case is iSCSI this would seem to be the contents of disk blocks, i.e. files. The data with the light red background is being sent from .142, the data with the light blue background is being sent to .142. I have no idea what the contents are about, but from the protocol used it would seem to be some form of file transfer.

grahamb (2022-03-04 16:28:12 +0000)
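To make the synthetic tcp.stream index and the Conversations view concrete, here is an added example (not from the thread or from Wireshark's code): a minimal pcap-style frame walker that numbers TCP 4-tuples in order of first appearance, shares the index across both directions, and tags conversations on the iscsi-target port 3260. The frames, addresses and ports are constructed to resemble the capture described above; the real file's indexes will differ.

```python
import struct
from collections import OrderedDict

ISCSI_PORT = 3260  # iscsi-target port named in the Conversations dialog above

def build_frame(src_ip, sport, dst_ip, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed sample (not the real capture): .142 talks to .210 on 3260, 6894
# and 6895, and .242 queries .142 on port 1000, with one reply per stream.
SAMPLE_FRAMES = [
    build_frame("192.168.1.142", 50001, "192.168.1.210", 3260, b"\x01" * 48),
    build_frame("192.168.1.210", 3260, "192.168.1.142", 50001, b"\x21" * 512),
    build_frame("192.168.1.142", 50002, "192.168.1.210", 6894, b"\x00" * 16),
    build_frame("192.168.1.142", 50003, "192.168.1.210", 6895, b"\x00" * 16),
    build_frame("192.168.1.142", 50001, "192.168.1.210", 3260, b"\x01" * 48),
    build_frame("192.168.1.242", 40000, "192.168.1.142", 1000, b"GET TEMP"),
    build_frame("192.168.1.142", 1000, "192.168.1.242", 40000, b"CPU 41C"),
]

def tcp_streams(frames):
    """Assign Wireshark-style tcp.stream indexes: one index per TCP 4-tuple,
    numbered from 0 in order of first appearance, shared by both directions."""
    streams = OrderedDict()
    for frame in frames:
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = len(tcp) - (tcp[12] >> 4) * 4
        key = tuple(sorted([(src, sport), (dst, dport)]))  # direction-independent key
        entry = streams.setdefault(key, {"index": len(streams), "endpoints": key,
                                         "frames": 0, "bytes": 0})
        entry["frames"] += 1
        entry["bytes"] += payload
    for entry in streams.values():  # label by the lower (service) port, a heuristic
        ports = {ep[1] for ep in entry["endpoints"]}
        entry["label"] = "iSCSI" if ISCSI_PORT in ports else "tcp/%d" % min(ports)
    return list(streams.values())

if __name__ == "__main__":
    for s in tcp_streams(SAMPLE_FRAMES):  # like Statistics -> Conversations, TCP tab
        print(s["index"], s["label"], s["endpoints"], s["frames"], s["bytes"])
```

Reading the index off the first frame of each 4-tuple is why a late-starting conversation such as the port 1000 one gets a higher tcp.stream number than the busier iSCSI flow.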

@grahamb Thanks. Is iSCSI traffic generated when 2 computers in the same local network transfer files with each other? If 192.168.1.210 was compromised, and then it was used to transfer files with my computer 192.168.1.142, then iSCSI traffic would be generated, right?

laurentz1241 (2022-03-04 17:19:14 +0000)

I'm not that familiar with iSCSI, but yes, it's a networking protocol to transfer files, usually between a client and some form of storage array.

From what I can see it's your PC that's controlling the data transfer and issuing the commands, both reads and writes. Unfortunately that info isn't available from the capture file, but if it happens again you could use other tools to locate the process causing this transfer, e.g. TCPView.

grahamb (2022-03-04 17:32:05 +0000)
