Running Wireshark on a PC for network monitoring and I noticed something strange. Application data is being exchanged with websites that are not open in the browser, or on any other device on the network over TCP.

These were not unknown addresses, but they definitely were not open in the browser and shouldn't be exchanging anything over TCP at the time. Wireshark is showing that the connection was between the IP of the PC running Wireshark and these websites, so I'd be able to see if the webpage was being accessed. These also seemed like small connections (if that makes sense); it wasn't the kind of data exchange I'd expect for loading a full webpage, but certainly application data, almost like the adapter on the PC was being used to "scan" for previously visited websites.

The PC is connected to the network by LAN, with promiscuous mode turned off.

Has the PC been infected with malware or am I just looking at some sort of cookies function? Cache update?

  • 1
    Why do you say "websites"? Was the traffic actual HTTP on port 80 and/or TLS on port 443? Did you capture any TLS SNIs (if so, what hostnames were in the SNIs)? If this wasn't on 80 or 443 then it might not have been web traffic at all. Well for that matter even if it was on 80 or 443 it might just be something innocuous like an autoupdater checking a web service to see if you have the latest version of whatever app it is.
    – Spiff
    Commented Dec 7, 2023 at 1:13
  • 1
    It's impossible for us to say if you're infected with malware; you haven't provided any diagnostic information.
    – Ramhound
    Commented Dec 7, 2023 at 1:14
  • I'm pretty new to this, so what would you need to diagnose this? The source and destination was either my own machine's IP or one of the 3 or 4 select websites that users are known to access/have accessed in the past. I have Wireshark resolve the addresses so it would give me URLs instead of IPs. On my end it was port 59960 and on the other end it was 443. The Info section simply said "application data" and packet sizes were around 150 bytes typically, with 4 or 5 exchanged, then a half hour break, then repeat. Firefox was open but not accessing these addresses. edit: clarity/corrections
    – Instream
    Commented Dec 7, 2023 at 1:44
  • 1
    Did you say some of the connections were both from and to your own machine? You can use your OS's networking commands to find the owner of the ports in question (ports below 49152 are usually server/listener ports that stay open as long as the process that owns it is running; ports above 49152 are ephemeral and often short-lived). As for the connections to external servers, it might be "web push". Check your browser preferences for which sites you've subscribed to push notifications from and see if that explains it.
    – Spiff
    Commented Dec 7, 2023 at 2:58
  • 1
    A couple tips: @-tag me when replying so I get notified (since I'm not the owner of the post you're replying to). Don't conflate host names (fully-qualified domain names) with URLs; hostnames by themselves are not URLs. Don't put too much weight on the reverse DNS lookups Wireshark does with IP addresses; it might give the name of the cloud provider hosting the site instead of the actual name of the site you were connecting to.
    – Spiff
    Commented Dec 7, 2023 at 3:17
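The "4 or 5 small packets, half an hour of silence, repeat" pattern described in the comments can be checked mechanically rather than by eye. The following script is an added example and is not code from the question, the commenters, or Wireshark itself: it groups packet records into flows, splits each flow into bursts separated by idle gaps, and flags flows whose bursts are small and evenly spaced. The packet records, the local address `192.168.1.20`, and the remote addresses (drawn from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for the example; the function names and thresholds are the example's own choices. It generalises past the single flow in the question to any number of flows in a capture.

```python
"""Summarise captured TCP flows into bursts and flag periodic, low-volume
check-ins. Input is a constructed list of packet records shaped like a
tshark field export (time, src, sport, dst, dport, len); nothing here is
Wireshark's own code or output."""
from collections import defaultdict
from statistics import mean, median

LOCAL_IP = "192.168.1.20"   # assumed address of the capturing PC (constructed)


def make_burst(start, local_port, remote_ip, n=5, size=150):
    """Constructed helper: n small 'Application Data' packets within ~2 s,
    alternating direction between the local PC and the remote server."""
    pkts = []
    for i in range(n):
        outbound = i % 2 == 0
        pkts.append({
            "time": start + 0.4 * i,
            "src": LOCAL_IP if outbound else remote_ip,
            "sport": local_port if outbound else 443,
            "dst": remote_ip if outbound else LOCAL_IP,
            "dport": 443 if outbound else local_port,
            "len": size + (i * 7) % 20,   # small size jitter
        })
    return pkts


# Constructed capture: one half-hourly check-in flow (4 bursts of 5 packets,
# 1800 s apart) and one ordinary page load (40 larger packets, one burst).
SAMPLE_PACKETS = []
for k in range(4):
    SAMPLE_PACKETS += make_burst(100.0 + k * 1800.0, 59960, "203.0.113.10")
SAMPLE_PACKETS += make_burst(250.0, 59988, "198.51.100.7", n=40, size=1200)
SAMPLE_PACKETS.sort(key=lambda p: p["time"])


def flow_key(pkt):
    """Normalise direction so both halves of a conversation share one key:
    (local port, remote IP, remote port)."""
    if pkt["src"] == LOCAL_IP:
        return (pkt["sport"], pkt["dst"], pkt["dport"])
    return (pkt["dport"], pkt["src"], pkt["sport"])


def split_bursts(times, idle_gap=60.0):
    """Return the start time of each burst in a sorted list of timestamps;
    a new burst begins after more than idle_gap seconds of silence."""
    starts = [times[0]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > idle_gap:
            starts.append(cur)
    return starts


def summarise_flows(packets, idle_gap=60.0):
    """Per-flow statistics: packet/byte counts, burst count, and how regular
    the spacing between burst starts is (0.0 means perfectly periodic)."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    out = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p["time"])
        starts = split_bursts([p["time"] for p in pkts], idle_gap)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        med = median(gaps) if gaps else None
        out[key] = {
            "packets": len(pkts),
            "bytes": sum(p["len"] for p in pkts),
            "mean_len": mean(p["len"] for p in pkts),
            "bursts": len(starts),
            "median_gap_s": med,
            # largest deviation of any gap from the median, as a fraction
            "gap_jitter": max(abs(g - med) for g in gaps) / med if gaps else None,
        }
    return out


def is_periodic_checkin(stat, min_bursts=3, max_mean_len=300, max_jitter=0.1):
    """Triage heuristic (thresholds are the example's own): several bursts of
    small packets at a near-constant interval."""
    return (stat["bursts"] >= min_bursts
            and stat["mean_len"] <= max_mean_len
            and stat["gap_jitter"] is not None
            and stat["gap_jitter"] <= max_jitter)


if __name__ == "__main__":
    for key, stat in summarise_flows(SAMPLE_PACKETS).items():
        tag = "periodic check-in" if is_periodic_checkin(stat) else "ordinary"
        print(f"local:{key[0]} -> {key[1]}:{key[2]}  {tag}  {stat}")
```

To run this over a real capture, export the same six fields with `tshark -r capture.pcapng -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.len` and build the record list from that output. A flow flagged as a periodic check-in is a triage lead, not a verdict: auto-updaters, push-notification keepalives and telemetry all produce exactly this shape, so the next step is the one Spiff describes, mapping the local ephemeral port to its owning process (`ss -tnp` on Linux, `netstat -ano` or `netstat -b` as administrator on Windows) and checking the TLS SNI in the ClientHello rather than trusting reverse DNS on the server address.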
