[Wireshark]Cyber security analysis and identify common cyber network attacks

overview

8 min readJan 15, 2022

We will cover the basics of Wireshark first, then you’ll gain the ability to threat hunt at the packet level.

capture traffic and examine the packet

open Wireshark and choose Ethernet

you can check capture options

let’s generate some traffic

Use filter to find the related IP address

ip.addr == 1.1.1.1 (target IP)

/%ifconfigen0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
    ether 14:9d:99:81:0a:c9 
    inet6 fe80::10c2:5ce7:5c47:1822%en0 prefixlen 64 secured scopeid 0x4 
    inet 192.168.3.9 netmask 0xffffff00 broadcast 192.168.3.255

you can see the traffic from my IP (192.168.3.9) to 1.1.1.1 and reply from 1.1.1.1 as well

they show the send and reply conversation

you can see four sections

frame section shows the entire message

Ethernet section shows specific ethernet header

shows specific IPv4 info

specific to ICMP info

hexadecimal values

In the bottom, the detail info about packet

Examine the frame dissector

start capturing
Open Firefox and press shift + command + p to open private browser

Go to www.pluralsight.com/teach/author-tools/veronicas-plant-nursery

once you open it, close it and stop capturing. Let’s filter now!!

frame contains veronica

This filters every packet containing the word “veronica”

Right click > Follow > HTTP steam

you can see the detail of HTTP stream. close it.

You can see the IPv4 info is organized in Wireshark

Use Wireshark packets to map a network

Network diagram

Capturing traffic using Display filters

arp

show all of the arp requests and reply

dns

show all DNS requests

dns.qry.name == "www.pluralsight.com"

show only dns query of the specific DNS query

you can see the answers section

combining multiple display filters

dns.qry.name == "www.pluralsight.com" ||dns

ip.addr eq 192.168.3.9 && ip.addr == 52.88.45.204

(ip.src == 192.168.3.9) && (ip.dst == 52.88.45.204)

you can create automated filter as well.

Foundational TCP Analysis

Lets create a new profile from bottom right. right-click > new. Name
“TCP plain”

Wireshark > preferences >+ > add Delta

Drag and drop to the position next to Time

View > coloring rules > add TCP SYN

statistics > conversations

we can see the statistics of TCP

this is the largest Delta time.

ip.addr==192.168.3.9 && tcp.port==59166 && ip.addr==75.2.53.94 && tcp.port==443 && tcp.analysis.flags

tcp.analysis.flags

This shows error of tcp packet

Wireshark Configuration for Cyber Security Analysis

Creating a security profile

right bottom > right click > new. Create a profile called security operations

View > Time Display format > Time of Day, milliseconds

save useful TCP setting

tcp.flags.syn==1

view > coloring rule

So you can color traffics

The statistics view

statistics > conversations (ports, ip, bytes)

Configure GeoIP location Resolution

Wireshark > preferences > name resolution > MaxMind database > Edit

write a path to MaxMind database

statistics > endpoints > IPv4

we can see where the traffic come from

Configure custom colums

choose one packet > tcp > source port > right click > add as column

you can have your own column

right click source port and edit column > add “or udp.srcport” in the Fields

lets right click Request URI and add column too.

Name resolutions

Wireshark > preferences > name resolution >

exporting HTTP objects and files

file > HTTP object export > save

After exporting, you can upload malicious files to VirusTotal.

Filtering for unusual DNS activity

dns.flags.response == 1

check how many responses

dns.count.answers > 10

check answers more than 10 times

dns.flags.response == 0 and ! ip.dst == 10.0.0.0/24 (local DNS IP address)

check the DNS query destination is not local DNS server (here pretending the local DNS server is in 10.0.0.x/24)

dns.flags.response == 1 and ip.len > 500

DNS response which contains more than 500 bytes

Filtering for traffic based on country location

ip.geoip.dst_country == "Japan"

filter traffic only coming from Japan

filtering for suspect TCP behavior

(tcp.flags.syn==1) && (tcp.flags.ack == 0)

filter only Syn packet

((tcp.flags.urg == 0) && (tcp.flags.syn == 0)) && (tcp.flags.push == 0)

filter for Xmas scan

tcp.port == 22 and ! ip.src == 10.0.0.1/24 (spcific IP that ssh is allowed)

filter SSH that connect from strange ip address

Filtering for Executable files

http contains DOS

right click the file > follow > TCP stream

executable file disguises

Decrypting TLS traffic

Wireshark > preference >protocol > TLS

Identify Common Cyber Network Attacks with Wireshark

Detecting Port Scans

tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == 10.0.2.15 <target IP >

check ports responded to scans from target IP

Threat hunting: Analyzing a real netwrok and port scan

http.request or http.response

look for “post”

check TCP stream as well

!tcp.port in {80 135 443 445 995 8000}

check unusual ports are used or not