Wireshark-users: Re: [Wireshark-users] Rootkits
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 21 Jul 2006 12:25:00 -0700

On Jul 21, 2006, at 8:15 AM, Nate Andrews wrote:

Is Wireshark able to detect traffic from rootkits?

If by "detect" you mean "capture", then, as long as either

1) Wireshark isn't running on the machine with the rootkit installed, and either

   1a) the traffic is either going to or coming from the machine running Wireshark

   or

   1b) promiscuous mode works on your adapter and OS, and there's no switch involved or you can tap into the traffic going through the switch with port mirroring

or

2) the rootkit isn't blocking traffic from getting to the packet capture mechanism

then Wireshark can capture it (the above largely refers to issues of capturing traffic, period; the only thing different about rootkit traffic is that if the rootkit works *really* hard it might insert kernel code, or a modified libpcap/WinPcap library, to hide the traffic from applications running on the same machine that would capture that traffic).

If by "detect" you mean "identify", i.e. raise a "this is from a rootkit" red flag, there's nothing built into Wireshark to do that, although there might be display filter expressions to identify particular sorts of traffic that some particular rootkit might send out.
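The reply's parenthetical about a rootkit hiding traffic from capture tools on the same machine suggests a practical check: capture on the suspect host and, separately, on another machine fed by a switch mirror port, then compare. Anything on the wire that the host's own capture never recorded is the signal. The script below is an added example (not code from the post or from the Wireshark project) working on constructed tab-separated packet summaries of the kind tshark can print with `-T fields`; the addresses, timestamps and IP IDs are made up, and no real pcap is read.

```python
"""Find traffic a compromised host's own capture stack does not show.

Added example, not from the mailing-list post or the Wireshark project.
A rootkit can hide its packets from capture tools running on the same
machine, so compare a capture taken on that host with one taken from a
separate machine on a mirror port. Both captures here are constructed
summaries (epoch time, ip.src, ip.dst, protocol, ip.id) of the kind tshark
can emit with `-T fields`; the values are invented for illustration.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "time src dst proto ip_id")


def parse_summary(text):
    """Parse tab-separated lines 'epoch\\tsrc\\tdst\\tproto\\tip.id' into Packets."""
    packets = []
    for line in text.strip().splitlines():
        time, src, dst, proto, ip_id = line.split("\t")
        packets.append(Packet(float(time), src, dst, proto, int(ip_id, 16)))
    return packets


def packet_key(p):
    # Match packets across the two vantage points by fields that do not change
    # in flight on one Ethernet segment. Timestamps come from two different
    # clocks and are deliberately left out of the key.
    return (p.src, p.dst, p.proto, p.ip_id)


def compare_captures(on_host, on_mirror):
    """Return (hidden_from_host, missing_on_mirror).

    hidden_from_host: packets seen on the mirror port that the host's own
    capture never recorded; on a host that should see all of its own traffic
    this points at something below the capture library filtering packets.
    missing_on_mirror: packets the host saw but the mirror did not, which
    indicates a mirror-port configuration gap rather than hiding.
    """
    host_keys = {packet_key(p) for p in on_host}
    mirror_keys = {packet_key(p) for p in on_mirror}
    hidden = [p for p in on_mirror if packet_key(p) not in host_keys]
    unmirrored = [p for p in on_host if packet_key(p) not in mirror_keys]
    return hidden, unmirrored


def flows(packets):
    """Collapse packets into sorted ((src, dst, proto), count) pairs."""
    counts = {}
    for p in packets:
        k = (p.src, p.dst, p.proto)
        counts[k] = counts.get(k, 0) + 1
    return sorted(counts.items())


# Constructed sample data (RFC 5737 documentation addresses).
# The suspect host is 192.0.2.10; the capture taken on it shows only DNS and
# one TCP conversation.
HOST_CAPTURE = """\
1153500001.10\t192.0.2.10\t192.0.2.53\tDNS\t1a01
1153500001.12\t192.0.2.53\t192.0.2.10\tDNS\t7f10
1153500002.00\t192.0.2.10\t198.51.100.20\tTCP\t1a02
1153500002.05\t198.51.100.20\t192.0.2.10\tTCP\t3c44
"""

# The mirror-port capture, taken on a separate machine, additionally shows a
# UDP exchange with 203.0.113.5 that never appeared in the host capture.
MIRROR_CAPTURE = """\
1153500001.11\t192.0.2.10\t192.0.2.53\tDNS\t1a01
1153500001.13\t192.0.2.53\t192.0.2.10\tDNS\t7f10
1153500002.01\t192.0.2.10\t198.51.100.20\tTCP\t1a02
1153500002.06\t198.51.100.20\t192.0.2.10\tTCP\t3c44
1153500003.40\t192.0.2.10\t203.0.113.5\tUDP\t1a03
1153500003.90\t203.0.113.5\t192.0.2.10\tUDP\t9e01
"""


def report():
    """Run the comparison on the sample captures; returns two flow lists."""
    hidden, unmirrored = compare_captures(parse_summary(HOST_CAPTURE),
                                          parse_summary(MIRROR_CAPTURE))
    return flows(hidden), flows(unmirrored)


if __name__ == "__main__":
    hidden_flows, unmirrored_flows = report()
    for (src, dst, proto), n in hidden_flows:
        print(f"on wire but absent from host capture: {src} -> {dst} {proto} x{n}")
    for (src, dst, proto), n in unmirrored_flows:
        print(f"in host capture but absent from mirror: {src} -> {dst} {proto} x{n}")
```

Matching on (src, dst, protocol, IP ID) rather than on timestamps is what makes the comparison usable across two capture machines whose clocks are not synchronised; the `missing_on_mirror` list is kept so that a mirror port that only sees one direction of traffic is not mistaken for evidence of hiding.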