Detecting Malicious Activity in a Wireshark Capture

Wireshark is a powerful network analysis tool that can be used to capture, analyze, and troubleshoot network traffic. It’s also a useful tool for detecting malicious activity on your network. In this blog post, we’ll explore how to use Wireshark to detect potential security threats.

  1. Filter by Protocol

The first step in detecting malicious activity is to filter the Wireshark capture by protocol. You can use Wireshark’s built-in protocol filters to narrow down the traffic to specific protocols, such as HTTP, DNS, or TCP. For example, to filter by HTTP traffic, you can use the following display filter:

http

This filter will display all HTTP traffic in the capture.

  2. Look for Unusual Traffic Patterns

Once you’ve filtered the capture by protocol, look for unusual traffic patterns. This can include a large number of packets from a single source IP address, a high volume of traffic to a specific destination IP address or port, or traffic patterns that don’t match the expected behavior for a particular protocol. These patterns can be indicative of malicious activity, such as a DDoS attack, port scanning, or data exfiltration. For example, to look for a high volume of traffic to a specific destination IP address, you can use the following display filter:

ip.dst == <destination IP address>

Replace <destination IP address> with the IP address you want to filter by.

  3. Analyze HTTP Traffic

HTTP is a common protocol used by attackers to communicate with malware or command-and-control servers. To analyze HTTP traffic, use Wireshark’s built-in display filters to look for specific HTTP methods, such as POST or GET, or to search for specific user agent strings that are known to be associated with malware or malicious activity. For example, to filter by HTTP POST requests, you can use the following display filter:

http.request.method == "POST"

This filter will display all HTTP POST requests in the capture.

  4. Look for DNS Queries to Suspicious Domains

Attackers often use DNS to communicate with malware or command-and-control servers. To analyze DNS traffic, look for DNS queries to suspicious domains that are known to be associated with malware or phishing attacks. You can use Wireshark’s built-in display filters to search for specific domain names, or to look for an unusually large volume of DNS queries coming from a single host. For example, to filter by DNS queries to a specific domain name, you can use the following display filter:

dns.qry.name == "<domain name>"

Replace <domain name> with the name of the domain you want to filter by.

  5. Analyze TLS Traffic

TLS is used to encrypt network traffic, but attackers can use it to hide their activity from network security tools. To analyze TLS traffic, look for unusual cipher suites or TLS versions that are known to be vulnerable to attacks. You can also look for TLS certificates that are signed by suspicious or untrusted certificate authorities. For example, to filter by TLS traffic using a specific cipher suite, you can use the following display filter:

tls.handshake.ciphersuite == <cipher suite>

Replace <cipher suite> with the numeric cipher suite identifier as Wireshark displays it in the handshake details (a hex value such as 0x002f), not the suite’s name. The field prefix is tls. in Wireshark 3.0 and later; older releases use ssl.handshake.ciphersuite.

  6. Look for Suspicious Port Scans

Attackers often use port scanning to identify open ports and services on a target network. To detect port scanning activity, look for TCP SYN packets that are sent to a large number of ports or to a range of IP addresses. You can also look for the TCP SYN-ACK packets sent in response to those SYN packets, which indicate that the port is open; many SYNs from one source with only a few SYN-ACKs in return is the typical signature of a scan. For example, to filter by TCP SYN packets sent to a specific IP address, you can use the following display filter:

tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.dst == <IP address>

Replace <IP address> with the IP address you want to filter by. The tcp.flags.ack == 0 clause keeps only the initial SYNs and excludes the SYN-ACK replies.

  7. Look for Suspicious Network Connections

Finally, look for suspicious network connections that are not associated with normal network traffic. This can include connections to known malicious IP addresses or domains, or connections to unusual ports that are not associated with common services. For example, to filter by connections to a specific IP address, you can use the following display filter:

ip.addr == <IP address>

Replace <IP address> with the IP address you want to filter by.

By using these display filters and techniques, you can quickly identify potential security threats in your network traffic and take appropriate action to mitigate them. However, keep in mind that Wireshark is just one tool in your arsenal, and it’s important to use a variety of tools and techniques to ensure the security of your network.