Source/Credits/Written By: Luc Deo-Gracias SEMASSA
Wireshark is a popular network protocol analyzer that allows you to capture and analyze network traffic in real-time. It is commonly used by security operations centers (SOCs) and malware analysts for various purposes, including:
- Network traffic analysis: Wireshark allows you to capture and analyze network traffic to gain insights into network behavior and identify potential security threats. It can help SOC analysts detect anomalies and investigate network breaches.
- Malware analysis: Wireshark can be used to analyze network traffic generated by malware to understand its behavior and identify its communication patterns. It can help malware analysts identify command and control servers, backdoor communication channels, and other malicious activity.
- Vulnerability assessment: Wireshark can be used to identify vulnerabilities in network protocols and applications. SOC analysts can use it to analyze network traffic for signs of vulnerabilities that can be exploited by attackers.
Overall, Wireshark is a powerful tool that can help SOC analysts and malware analysts gain insights into network behavior and identify potential security threats. It is essential for anyone working in the field of cybersecurity to be proficient in using this tool.
Wireshark Filters:
Wireshark filters allow you to narrow down the network traffic that you want to capture and analyze. Filters can be based on various criteria, such as IP addresses, protocols, port numbers, and packet contents. Here are some common types of filters that you can use in Wireshark:
1. Filter by IP address:
“ip.addr == x.x.x.x”, where “x.x.x.x” is the IP address you want to filter
2. Filter by IP address range:
“ip.addr >= x.x.x.x and ip.addr <= y.y.y.y”, where “x.x.x.x” and “y.y.y.y” are the start and end IP addresses of the range
3. Filter by network interface:
“interface == eth0” to show only packets captured on the eth0 interface
4. Filter by port:
“tcp.port == 80” or “udp.port == 53”, where “80” and “53” are the port numbers you want to filter
5. Filter by packet length:
“frame.len > 100” to show only packets that are longer than 100 bytes
6. Filter by source or destination MAC address:
“eth.src == xx:xx:xx:xx:xx:xx” or “eth.dst == xx:xx:xx:xx:xx:xx”, where “xx:xx:xx:xx:xx:xx” is the MAC address you want to filter
7. Filter by HTTP status code:
“http.response.status_code == 200” to show only packets with a status code of 200
8. Filter by HTTP method:
“http.request.method == GET” to show only packets with a GET method. You can substitute GET with other HTTP methods such as POST, PUT, DELETE, etc
9. Filter by HTTP URI:
“http.request.uri contains ‘example.com‘” to show only packets that have a URI containing “example.com“. You can substitute “example.com” with any other URI string
10. Filter by HTTP response code:
“http.response.code == 404” to show only packets with a 404 response code
11. Filter by HTTP cookie:
“http.cookie contains ‘sessionid'” to show only packets that contain a cookie with the name “sessionid”
12. Filter by TCP flags:
“tcp.flags.syn == 1” to show only packets with the SYN flag set. You can substitute SYN with any other TCP flag, such as ACK, RST, FIN, URG, or PSH
13. Filter by packet size:
“frame.len > 1000” to show only packets larger than 1000 bytes.
14. Filter by DNS domain name:
“dns.qry.name contains ‘example.com‘” to show only DNS packets that have a domain name containing “example.com“. You can substitute “example.com” with any other domain name
15. Filter by TLS handshake type:
“tls.handshake.type == 1” to show only packets with a TLS handshake type of ClientHello
These are just a few examples of the many types of filters that you can use in Wireshark. Using filters effectively can help you focus on the relevant network traffic and make it easier to analyze network behavior and identify potential security threats.