After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true"
I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs.
Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs.
Below an example of a conversation where the Bot's IP is external.
After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true"
I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs.
Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs.
Below an example of a conversation where the Bot's IP is external.
After doing some injections using the members management communication attack, more precisely using the following command: "./id2t -I inputname.pcap -o outputname.pcap -a MembersCommMgmtAttack file.csv=botnetTrace.csv bots.count=4 ip.reuse.local=0 ip.reuse.external=0 ip.reuse.total=0 hidden_mark=true" I noticed that in the pcap file were injected 4 new bots, both with external (public) and internal (private) IP addresses, while I expect the bots to have just internal IPs. Running the following filter in Wireshark "ip.opt.sec_prot_auth_nsa==1 && (ip.src==192.168.0.0/16 || ip.src==172.16.0.0/12 || ip.src==10.0.0.0/8)", should reveal the conversations corresponding only to Bots with private IPs. Below an example of a conversation where the Bot's IP is external.