Wireshark: The Super NetProtect

Raj
8 min read · Apr 29, 2022

Wireshark: the world's foremost and most widely-used network protocol analyzer

Wireshark is an open-source, freely available tool used to analyze network packets. You could think of a network packet analyzer as a measuring device for examining what's happening inside a network cable, just like an electrician uses a voltmeter to examine what's happening inside an electric cable.

What's in this write-up: I'm sharing some Wireshark filters and tips to use when hunting for malicious actors and malicious activity.

  1. Creating profiles

  2. Adding GeoIP data to find where traffic is coming from

  3. Filters for different purposes, and more

  • Creating profiles

Here is the profile section.

In the bottom right corner you can see the "Profile" section, which is most probably set to Default.

->> Right-click on it and you can see the option "New"; click on it.

->> Now give the profile any name and click OK.

->> Now you can see your new profile.

Mine is STUDENT, what's yours?

  • Adding GeoIP data to find where traffic is coming from

Search for https://www.maxmind.com/en/geoip2-country-database

MaxMind is a Massachusetts-based digital mapping company that provides location data for IP addresses.

Steps:

First download the GeoIP database file from the link above to your computer.

After downloading, open Wireshark.

  • On the Wireshark menu bar, go to Edit
  • At the bottom of the Edit menu you can see Preferences
  • In Preferences go to Name Resolution, as seen in the screenshot
  • Scroll down to the bottom; you can see "MaxMind database directories"
  • Now add the directory containing the downloaded GeoIP data there

To check: go to the layer shown in the second screenshot, right-click on it and choose Apply as Column. Now, for example, filter for http traffic in the filter bar and the GeoIP column shows which country each IP belongs to.

You can see the source GeoIP.

  • Filters for different purposes, and more

In this section I will share filters and the purposes they are used for.

Filter expressions are built from a few basic operators:

or (for ex. a or b: show the result if either one is found)

and (a and b: show the result only if both are found)

!= (a is not equal to b)

== (a is equal to b)

Easy things first. If you want to search for anything inside packets, for ex. I want to find all successful login attempts, I will search using

->> frame contains "successful"

For a specific protocol, or specific TCP or UDP ports: for ex., if you want to see all HTTP or ICMP traffic

->> http or icmp

tcp.port == 80 (searching for HTTP traffic)

udp.port == 53 (searching for DNS queries over UDP)

If you know some IP address and you want to search for it within your network, for ex. I know an IP used by threat actors, so I search my network for it

->> ip.addr == 192.168.1.1

Now those were some easy filters, spoon-fed with examples; now some flash ⚡ speed.

If you don't know much about Wireshark because you think only using Burp Suite or some offensive tools makes you a hacker, wait... I'm sorry, God pardon him/her. Learn from YouTube, practice on TryHackMe, write write-ups on Medium.

Most of the time the port filter is written for TCP; use these filters to see UDP as well, and to separate source from destination:

tcp.srcport or udp.srcport (for source ports)

tcp.dstport or udp.dstport (for destination ports)

We can also add the Host header as a column to find out which server we are communicating with.

Apply the http filter ->> then select a packet and go to the HTTP header where we can see Host (right-click on it and click Apply as Column).

Now you can see a new column "Host" showing where your device is communicating.

To display protocol names instead of protocol numbers:

In Edit > Preferences > Name Resolution, tick the resolution options, which resolve MAC addresses, transport names and IP addresses.

To find what objects are coming/going within the network:

We can export HTTP objects (objects like png, exe, pdf, txt etc.)

In the File tab on top >> Export Objects >> HTTP

— Unusual DNS activity —

Large DNS packets coming in or going out are a red flag for malicious activity:

dns.flags.response == 1 and ip.len > 500

Malware will also try to talk to external DNS servers instead of your own resolver; put your resolver's address in the filter to see queries going anywhere else:

dns.flags.response == 0 and !(ip.dst_host == <ip address here>)

— Unusual country codes —

To find any connection to a country we don't do business with:

ip.geoip.dst_country == "China"

— Strange TCP behavior —

We can check for SYN scans. SYN packets can be used to probe devices for open ports, so we can set a filter to check how many SYN packets came in:

tcp.flags.syn == 1 (to check SYN packets)

tcp.flags.ack == 0 (to check for packets whose ACK flag is 0)

tcp.flags.ack == 0 and tcp.flags.syn == 1 (to find the strange behavior)

->> Xmas scan <<-

In an Xmas scan the packets carry an odd combination of flags lit at once (FIN, RST, SYN, ACK and others); the relevant fields are

tcp.flags.ack, tcp.flags.fin, tcp.flags.reset, tcp.flags.syn

Select such a packet and use Prepare as Filter to build a filter for all Xmas scan packets.

->> Filtering SSH packets <<-

tcp.port == 22

If a network engineer is visiting and working on the network, we have to exclude their IP range so it doesn't get red-flagged:

tcp.port == 22 and !(ip.src == 10.2.1.4/24)

->> How to analyze traffic on non-standard ports <<-

Go to the Statistics tab >> Conversations >> and look at the ports in use

->> To analyze HTTP methods like GET, POST or others <<-

http.request.method == "GET"

http.request.method == "POST"

This will display all GET or POST requests.

->> Filtering for executables <<-

First look through the traffic and find a host of interest, then right-click on that packet and Prepare as Filter:

http.request.uri == "/file.txt"

Or look for any file in txt format:

http.request.uri matches "\\.txt$" (matches takes a regex, so the dot is escaped and $ anchors the extension at the end of the URI; == would only match the exact URI)

However, hackers are now more intelligent and use other means or file formats to get files onto machines past antivirus or firewalls. We can filter on the file content instead:

http contains "DOS"

  • "DOS" appears in almost every Windows executable, because the DOS stub at the start of the file carries the text "This program cannot be run in DOS mode" (contains is case-sensitive, so match the capitalised DOS)
  • We can also check whether the file starts with MZ (MZ marks a DOS/Windows binary executable)
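To show what the MZ and DOS-stub checks above look like when run over exported HTTP objects, here is an added Python example (mine, not from the original post) that inspects response bodies by content rather than by URI extension; the sample objects and the minimal PE-shaped blob are constructed for the demo.

```python
import struct

# Text every Windows PE carries in its DOS stub; the page's 'http contains "DOS"' hits it
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

def looks_like_windows_executable(body):
    """Content-based check for a PE file, regardless of URI or extension.
    Returns the list of indicators found (empty means no PE markers)."""
    found = []
    if body[:2] == b"MZ":
        found.append("MZ")
        if len(body) >= 0x40:
            # e_lfanew at offset 0x3C points at the "PE\0\0" signature
            pe_offset = struct.unpack_from("<I", body, 0x3C)[0]
            if body[pe_offset:pe_offset + 4] == b"PE\x00\x00":
                found.append("PE")
    if DOS_STUB_TEXT in body:
        found.append("DOS stub")
    return found

def build_fake_pe():
    """Constructed minimal PE-shaped blob: MZ magic, DOS stub text, PE signature at 0x80."""
    blob = bytearray(0x84)
    blob[0:2] = b"MZ"
    blob[0x3C:0x40] = struct.pack("<I", 0x80)
    blob[0x40:0x40 + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    blob[0x80:0x84] = b"PE\x00\x00"
    return bytes(blob)

# Constructed "exported HTTP objects": (request URI, response body)
OBJECTS = [
    ("/notes.txt", b"meeting at 10am\n"),
    ("/update.txt", build_fake_pe()),          # an executable hiding behind .txt
    ("/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
]

def flag_executables(objects):
    """URIs whose bodies carry PE markers, whatever their extension says."""
    return {uri: looks_like_windows_executable(body)
            for uri, body in objects if looks_like_windows_executable(body)}

if __name__ == "__main__":
    for uri, markers in flag_executables(OBJECTS).items():
        print(uri, "->", ", ".join(markers))
```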

— Network and host discovery scans —

A threat actor's first step is reconnaissance -> in active recon they scan for open ports and the services running on those ports to find possible vulnerabilities.

Scans like ~ARP scans, ~ICMP ping sweeps, ~TCP SYN to common ports, ~UDP scans.

ARP is used to get a machine's MAC address:

arp.opcode == 1 for request (an ARP request came in)

arp.opcode == 2 for reply (the machine replies back)

->> To find any machine answering with open ports (SYN/ACK sent back to the scanner)

tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == <ip>, or we can replace ip.dst (destination IP) with ip.src (source IP)

->> To find out which IP address is broadcasting to find the MACs of others

arp.opcode == 1 (1 for request, 2 for reply)

->> If any device replied back to the attacker

arp.opcode == 2

->> To find whether any ping reply was given to the attacker

icmp.type == 0

— OS fingerprinting —

Patterns to watch:

  • Host-to-host traffic
  • Unusual TTL patterns
  • Duplicate sequence numbers in SYNs
  • Strange flags / TCP options

TCP null scan:

tcp.flags == 0x000

— HTTP enumeration —

->> To find the user agent (scanning tools show up in packets, for example gobuster)

http.user_agent contains "gobuster"

->> Searching for unusual ports (anything outside the ports you expect)

!(tcp.port in {443 1433 445 995 8000..8005})

->> To find an nmap stealth scan (nmap sends packets with a small TCP window size to reduce the chance of triggering an alert)

tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size <= 1024
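Pulling the Strange TCP behavior, Xmas scan, TCP null scan and nmap stealth scan filters together, here is an added Python example (mine, not from the original post) that decodes the TCP flags byte and window size the same way those filters do, and counts SYN-without-ACK probes per source; the header bytes and the five-port scanner threshold are constructed for the demo.

```python
import struct
from collections import defaultdict

# Bits of the TCP flags byte (what Wireshark exposes as tcp.flags.*)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(sport, dport, flags, window, seq=0, ack=0):
    """Constructed 20-byte TCP header with no options; checksum left as 0."""
    data_offset = 5 << 4          # 5 x 32-bit words, reserved bits clear
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)

def parse_tcp_header(data):
    """Decode the fixed TCP header into the fields the page's filters use."""
    sport, dport, _seq, _ack, _off, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "flags": flags, "window": window}

def classify(hdr):
    """Map one header onto the scan patterns described in the text."""
    f = hdr["flags"]
    if f == 0:
        return "null-scan"        # tcp.flags == 0x000
    if f & FIN and f & PSH and f & URG:
        return "xmas-scan"        # nmap -sX lights FIN, PSH and URG together
    if f & SYN and not f & ACK:
        # tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size <= 1024
        return "stealth-syn" if hdr["window"] <= 1024 else "syn"
    if f & SYN and f & ACK:
        return "syn-ack"          # a target answering with an open port
    return "other"

def syn_scan_sources(headers, min_ports=5):
    """Sources whose SYNs (without ACK) hit at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for src, hdr in headers:
        if classify(hdr) in ("syn", "stealth-syn"):
            ports_by_src[src].add(hdr["dport"])
    return {src: len(p) for src, p in ports_by_src.items() if len(p) >= min_ports}

# Constructed sample: one host probes six ports with nmap-style small windows,
# a normal client opens one connection with a typical 64240 window.
SAMPLE = [("10.0.0.9", parse_tcp_header(build_tcp_header(40000 + p, p, SYN, 1024)))
          for p in (21, 22, 23, 80, 443, 3389)]
SAMPLE.append(("10.0.0.25", parse_tcp_header(build_tcp_header(51000, 443, SYN, 64240))))

if __name__ == "__main__":
    for src, hdr in SAMPLE:
        print(src, hdr["dport"], classify(hdr))
    print("likely SYN scanners:", syn_scan_sources(SAMPLE))
```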

->> Suspect GeoIP country

ip.geoip.country == "Russia"

->> If you want to search using the country code

ip.geoip.country_iso == "CN"

->> Strange DNS (query names ending in unexpected country-code TLDs)

dns.qry.name matches "\\.(us|mx|cr)$"

->> To find connections made to a foreign country, for ex. China

ip.geoip.dst_country == "China"

->> To search for a domain name regardless of the country code it is using

dns.qry.name contains "attackerwebsite" (contains does a substring match; == needs the exact full name and so displays nothing)

->> Search for outdated TLS / bad user agents (and risky file types in request URIs)

http.request.uri matches "\\.(tar|exe|zip|pdf|bin|php)"

->> To look for FTP file transfers

ftp.request.command == "RETR"

->> Finding unencrypted strings

frame contains "torrent"

->> Looking for old TLS versions

tls.handshake.extensions.supported_version in {0x0300 0x0301 0x0302}

->> To look for DNS exfiltration

dns and ip.len > 200

What to look for in data exfiltration:

  • A client sending more data than normal
  • Lots of suspected DNS/ICMP messages
  • Outbound FTP
  • Suspect SMTP/SMB/HTTP/HTTPS
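As an added example, not from the original post, the Python below builds DNS query messages, reads dns.flags.response and the query name, and applies the page's ip.len threshold for DNS exfiltration plus two constructed heuristics (long labels, hex-looking labels) that a display filter alone cannot express; a 20-byte IPv4 header and 8-byte UDP header are assumed so ip.len can be derived from the DNS payload.

```python
import struct

def build_dns_query(name, qtype=1, txid=0x1234):
    """Constructed DNS query (QR=0, RD=1) for name, type A by default, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_dns(data):
    """Return (is_response, labels of the first question name)."""
    _txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    is_response = bool(flags & 0x8000)       # dns.flags.response
    labels, pos = [], 12                     # questions start after the 12-byte header
    while qdcount and data[pos]:
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode(errors="replace"))
        pos += 1 + length
    return is_response, labels

def ip_len_of(dns_payload):
    """ip.len for DNS over UDP/IPv4: 20-byte IP header + 8-byte UDP header + payload."""
    return 20 + 8 + len(dns_payload)

def dns_exfil_indicators(dns_payload, max_ip_len=200, max_label=40):
    """Reasons a DNS message looks like tunnelling/exfiltration (empty = looks normal).
    max_label and the hex check are constructed heuristics, not Wireshark fields."""
    _is_response, labels = parse_dns(dns_payload)
    reasons = []
    if ip_len_of(dns_payload) > max_ip_len:
        reasons.append("oversized")          # dns and ip.len > 200
    if any(len(label) > max_label for label in labels):
        reasons.append("long-label")
    if any(len(label) >= 16 and all(c in "0123456789abcdef" for c in label)
           for label in labels):
        reasons.append("hex-encoded-label")  # encoded data smuggled in the name
    return reasons

# Constructed samples: an ordinary lookup and a query carrying 180 hex chars of data
NORMAL = build_dns_query("www.example.com")
EXFIL = build_dns_query(".".join(["a1b2c3d4e5f6" * 5] * 3 + ["exfil", "example"]))

if __name__ == "__main__":
    for msg in (NORMAL, EXFIL):
        print(parse_dns(msg)[1][-2:], ip_len_of(msg), dns_exfil_indicators(msg))
```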

->> Filter for outbound SYN/ACK

tcp.flags.syn == 1 and tcp.flags.ack == 1 and !(ip.dst == 10.0.0.0/8) (insert your local IP range to find replies going to any global IP)

->> Filter to look for brute force attacks

frame contains "admin" (admin is used as the username most of the time, so what attackers do is put admin as the username and brute-force the password using a password list)

->> Reverse shell behavior

tcp.port in {1234 4444 1337 6001} (most script kiddies who learned from their favorite hacker use the well-known ports that were used in the walkthroughs)

To look for reverse shell traffic:

  • Any outbound TCP SYN from a server
  • GeoIP location of the target
  • Ports like 4444, 1234, 5555, 1337 etc.

If you got attacked, what are the indicators of compromise:

  • Suspect DNS activity
  • Scan activity
  • Strange TCP ports
  • HTTP activity (cleartext GET/POST traffic)
  • Extractable HTTP objects (upload to virustotal.com to check the file hash)

If there is a botnet attack, what to look for:

  • Suspect HTTP activity (POST, strange user agents, strange files)
  • Suspect DNS activity (strange domain names)
  • Unusual GeoIP location
  • Command & control traffic
  • Could become a spam bot (TCP ports 25, 587)

Some top things to always look for:

  • TCP SYN scans
  • Unusual port numbers
  • GeoIP location in suspect countries
  • Domain calls involving suspect countries
  • Unencrypted web traffic / file transfers
  • Outdated TLS / bad user agents
  • Large DNS (or other) packets for sustained periods: data exfiltration
  • Outbound SYN/ACK replies (the SYN came from outside the network)
  • Brute force password behavior (FTP, SSH, RDP, HTTP)
  • Reverse shell behavior
  • Also look at HTTPS traffic: decrypt the TLS session to see what's going on inside

Reference

Chris Greer YouTube channel

David Bombal YouTube channel

PCAP files from malware-traffic-analysis
