[Wireshark] Cyber security analysis and identifying common cyber network attacks


Takahiro Oda
8 min read · Jan 15, 2022

We will cover the basics of Wireshark first, then you’ll gain the ability to threat hunt at the packet level.

Capture traffic and examine the packets

  • open Wireshark and choose Ethernet
  • you can check the capture options
  • let's generate some traffic
  • use a filter to find the related IP address
ip.addr == (target IP)
% ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 14:9d:99:81:0a:c9
inet6 fe80::10c2:5ce7:5c47:1822%en0 prefixlen 64 secured scopeid 0x4
inet netmask 0xffffff00 broadcast

you can see the traffic from my IP ( to and reply from as well

The packet list shows the request and reply conversation.
  • the packet details pane has four sections
  • the Frame section shows the entire message as captured
  • the Ethernet section shows the Ethernet header
  • the IPv4 section shows the IPv4 header fields
  • the ICMP section shows the ICMP-specific fields
  • the bytes pane shows the hexadecimal values
  • at the bottom, the detailed bytes of the packet

Examine the frame dissector

  • start capturing
  • open Firefox and press shift + command + p to open a private window

Once it opens, close it and stop capturing. Let's filter now!

frame contains veronica

This filters every packet containing the word "veronica".

  • Right click > Follow > HTTP stream

You can see the detail of the HTTP stream. Close it.

You can see how the IPv4 info is organized in Wireshark.

Use Wireshark packets to map a network

Network diagram

Capturing traffic using Display filters

  • show all of the ARP requests and replies
  • show all DNS requests
dns.qry.name == "www.pluralsight.com"
  • show only the DNS queries for that specific name

you can see the answers section

combining multiple display filters

dns.qry.name == "www.pluralsight.com" || dns
ip.addr eq && ip.addr ==
(ip.src == && (ip.dst ==

You can create automated filters as well.

Foundational TCP Analysis

  • Let's create a new profile from the bottom right: right-click > New. Name it
    "TCP plain"
  • Wireshark > Preferences > + > add Delta
  • drag and drop it to the position next to Time
  • View > Coloring Rules > add TCP SYN
  • Statistics > Conversations

We can see the TCP statistics.

  • this is the largest Delta time.
ip.addr== && tcp.port==59166 && ip.addr== && tcp.port==443 && tcp.analysis.flags

This shows the TCP packets that Wireshark flagged with analysis problems (tcp.analysis.flags).

Wireshark Configuration for Cyber Security Analysis

Creating a security profile

  • bottom right > right click > New. Create a profile called "security operations"
  • View > Time Display Format > Time of Day, milliseconds
  • save the useful TCP settings
  • View > Coloring Rules

So you can color the traffic.

The statistics view

  • statistics > conversations (ports, ip, bytes)

Configure GeoIP location Resolution

  • Wireshark > preferences > name resolution > MaxMind database > Edit
  • write a path to MaxMind database
  • statistics > endpoints > IPv4
  • we can see where the traffic comes from

Configure custom columns

  • choose one packet > tcp > source port > right click > add as column
  • you can have your own column
  • right click source port and edit column > add “or udp.srcport” in the Fields
  • let's right click Request URI and add it as a column too.

Name resolutions

  • Wireshark > preferences > name resolution >

Exporting HTTP objects and files

  • File > Export Objects > HTTP > Save
  • After exporting, you can upload suspicious files to VirusTotal.

Filtering for unusual DNS activity

dns.flags.response == 1
  • show DNS responses only (and check how many there are)
dns.count.answers > 10
  • responses carrying more than 10 answer records
dns.flags.response == 0 and ! ip.dst == (local DNS IP address)
  • DNS queries whose destination is not the local DNS server (here pretending the local DNS server is in 10.0.0.x/24)
dns.flags.response == 1 and ip.len > 500
  • DNS responses longer than 500 bytes
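As an added example (not code from the article), here is a small Python script that builds a few constructed DNS messages and evaluates the same three conditions the filters above express, reading the QR bit, the answer count and the IP length the way the dissector does. The LOCAL_DNS address, the endpoints and the packets are all assumptions made up for this example.

```python
import struct

# Constructed for this example: the address of the "local" resolver that the
# "! ip.dst == (local DNS IP address)" filter compares against.
LOCAL_DNS = "10.0.0.53"


def build_dns(txid, is_response, qname, answer_count=0, src="10.0.0.5", dst=LOCAL_DNS):
    """Construct a minimal DNS message: header, one A question, answer_count A answers.
    Returns a dict carrying the IP endpoints and total IP length alongside the payload."""
    flags = 0x8180 if is_response else 0x0100          # QR bit is the top bit of flags
    header = struct.pack("!HHHHHH", txid, flags, 1, answer_count, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    # One A record: compression pointer to the question name, TTL 60, RDATA 10.0.0.1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 0, 0, 1])
    payload = header + question + answer * answer_count
    ip_len = 20 + 8 + len(payload)                     # IPv4 header + UDP header + DNS
    return {"src": src, "dst": dst, "ip_len": ip_len, "dns": payload}


def parse_dns_header(data):
    """Read the 12-byte DNS header: this is where dns.flags.response and
    dns.count.answers come from."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "response": (flags >> 15) & 1,   # dns.flags.response
        "qdcount": qdcount,
        "ancount": ancount,              # dns.count.answers
    }


def flag_unusual(pkt):
    """Apply the three anomaly conditions from the filters above to one packet."""
    h = parse_dns_header(pkt["dns"])
    hits = []
    if h["response"] == 1 and h["ancount"] > 10:
        hits.append("many_answers")                     # dns.count.answers > 10
    if h["response"] == 0 and pkt["dst"] != LOCAL_DNS:
        hits.append("query_to_external_resolver")       # response == 0 and ! ip.dst == local
    if h["response"] == 1 and pkt["ip_len"] > 500:
        hits.append("large_response")                   # response == 1 and ip.len > 500
    return hits


def sample_capture():
    """A handful of constructed packets standing in for a capture."""
    return [
        build_dns(1, False, "www.example.com"),
        build_dns(2, False, "www.example.com", dst="8.8.8.8"),
        build_dns(3, True, "www.example.com", answer_count=12, src=LOCAL_DNS, dst="10.0.0.5"),
        build_dns(4, True, "www.example.com", answer_count=30, src=LOCAL_DNS, dst="10.0.0.5"),
    ]


if __name__ == "__main__":
    for pkt in sample_capture():
        print(pkt["src"], "->", pkt["dst"], "ip.len", pkt["ip_len"], flag_unusual(pkt))
```

The fourth packet trips both the answer-count and the length rule, which is the point of stacking the two filters: a single large response with many records is the shape you would want to look at first.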

Filtering for traffic based on country location

ip.geoip.dst_country == "Japan"
  • filter traffic whose destination resolves to Japan (use ip.geoip.src_country for traffic coming from Japan)

Filtering for suspect TCP behavior

(tcp.flags.syn==1) && (tcp.flags.ack == 0)
  • filter only SYN packets (no ACK), i.e. connection attempts
tcp.flags.fin == 1 && tcp.flags.push == 1 && tcp.flags.urg == 1
  • filter for Xmas scan packets (FIN, PSH and URG set together)
tcp.port == 22 and ! ip.src == (specific IP that SSH is allowed from)
  • filter SSH connections from unexpected IP addresses

Filtering for Executable files

http contains DOS
  • right click the packet > Follow > TCP stream

Executable files may be disguised under another name or extension.

Decrypting TLS traffic

  • Wireshark > Preferences > Protocols > TLS

Identify Common Cyber Network Attacks with Wireshark

Detecting Port Scans

tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == <target IP>
  • check which ports answered the scan with SYN/ACK (responses sent back to the scanning IP)
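An added Python example (not from the article) that implements the suspect-TCP filters from the previous section and the port-scan filter above on constructed TCP headers: it parses the flags byte, tags SYN-only, Xmas (FIN/PSH/URG), SSH from an unexpected source and segments outside the port set the article uses later (`!tcp.port in {80 135 443 445 995 8000}`), and lists which ports answered a scanner with SYN/ACK. ALLOWED_SSH_SOURCES, the addresses and the segments are assumptions for this example.

```python
import struct

# TCP flag bits as they appear in the flags byte of the header (tcp.flags.*)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumptions constructed for this example: the one host allowed to open SSH
# sessions, and the port set taken from the article's "!tcp.port in {...}" filter.
ALLOWED_SSH_SOURCES = {"10.0.0.10"}
EXPECTED_PORTS = {80, 135, 443, 445, 995, 8000}


def build_tcp(src, dst, sport, dport, flags):
    """Construct a 20-byte TCP header (no options) plus the IP endpoints it rides on."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return {"src": src, "dst": dst, "tcp": hdr}


def parse_tcp(hdr):
    """Read ports and the flags byte from a TCP header."""
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urp = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "flags": flags}


def classify(pkt):
    """Tag one segment with the suspect-behaviour filters."""
    t = parse_tcp(pkt["tcp"])
    f = t["flags"]
    tags = []
    if f & SYN and not f & ACK:
        tags.append("syn_only")                    # tcp.flags.syn==1 && tcp.flags.ack==0
    if f & FIN and f & PSH and f & URG:
        tags.append("xmas")                        # FIN, PSH and URG lit up together
    if t["dport"] == 22 and pkt["src"] not in ALLOWED_SSH_SOURCES:
        tags.append("ssh_from_unexpected_source")  # narrower than tcp.port == 22, which also matches replies
    if t["sport"] not in EXPECTED_PORTS and t["dport"] not in EXPECTED_PORTS:
        tags.append("unusual_port")                # !tcp.port in {80 135 443 445 995 8000}
    return tags


def ports_answering(packets, scanner_ip):
    """Ports that sent SYN/ACK back to scanner_ip: the 'Detecting Port Scans' filter
    (syn==1 and ack==1 and ip.dst == scanner) reduced to a sorted port list."""
    ports = set()
    for p in packets:
        t = parse_tcp(p["tcp"])
        if p["dst"] == scanner_ip and t["flags"] & SYN and t["flags"] & ACK:
            ports.add(t["sport"])
    return sorted(ports)


def sample_capture():
    """Constructed segments: a scanner at 192.0.2.7 probing 10.0.0.5."""
    return [
        build_tcp("192.0.2.7", "10.0.0.5", 40000, 22, SYN),
        build_tcp("192.0.2.7", "10.0.0.5", 40001, 80, FIN | PSH | URG),
        build_tcp("192.0.2.7", "10.0.0.5", 40002, 443, SYN),
        build_tcp("10.0.0.5", "192.0.2.7", 443, 40002, SYN | ACK),
        build_tcp("192.0.2.7", "10.0.0.5", 40003, 445, SYN),
        build_tcp("10.0.0.5", "192.0.2.7", 445, 40003, SYN | ACK),
        build_tcp("192.0.2.7", "10.0.0.5", 40004, 8080, SYN),
        build_tcp("10.0.0.5", "192.0.2.7", 8080, 40004, RST | ACK),
    ]


if __name__ == "__main__":
    capture = sample_capture()
    for pkt in capture:
        print(pkt["src"], "->", pkt["dst"], classify(pkt))
    print("ports answering the scanner:", ports_answering(capture, "192.0.2.7"))
```

Note that the RST/ACK from port 8080 is a closed-port reply, so it is not counted by ports_answering; only the SYN/ACK replies from 443 and 445 show up, which is exactly what the SYN/ACK filter isolates in Wireshark.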

Threat hunting: Analyzing a real network and port scan

http.request or http.response
  • look for POST requests

check TCP stream as well

!tcp.port in {80 135 443 445 995 8000}
  • check whether unusual ports are being used

check TCP stream as well

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS

http.request.uri contains "png"

The name says png, but the content is an executable file.
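An added Python example (not the article's code) for the two checks above: searching the stream for the DOS stub text (`http contains DOS`) and comparing what the request URI and Content-Type claim against the bytes actually served. It constructs a PE-shaped blob (MZ magic, e_lfanew pointing at a PE signature, the DOS stub string) and a real PNG header, wraps each in a minimal HTTP response, and reports the mismatch. The URIs, headers and bodies are all constructed for the example.

```python
def build_fake_pe():
    """Construct a PE-shaped blob: MZ magic, e_lfanew at 0x3c pointing to a PE
    signature, and the familiar DOS stub string. Not a runnable binary."""
    stub = bytearray(0x90)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> offset 0x80
    msg = b"This program cannot be run in DOS mode.\r\n$"
    stub[0x4E:0x4E + len(msg)] = msg                    # where real DOS stubs keep it
    stub[0x80:0x84] = b"PE\x00\x00"
    return bytes(stub)


PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def http_response(content_type, body):
    """Construct a minimal HTTP/1.1 response carrying body."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def parse_http_response(raw):
    """Split a raw response into status line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def looks_like_pe(body):
    """True if body starts with MZ and e_lfanew points at a PE\\0\\0 signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_disguised_executable(request_uri, raw_response):
    """The check behind 'http.request.uri contains "png"' followed by a look at the
    stream: the name or Content-Type claims an image, but the bytes are a PE file."""
    _status, headers, body = parse_http_response(raw_response)
    claims_image = (request_uri.lower().endswith((".png", ".jpg", ".jpeg", ".gif"))
                    or headers.get("content-type", "").startswith("image/"))
    is_exe = looks_like_pe(body) or b"This program cannot be run in DOS" in body
    return bool(claims_image and is_exe)


if __name__ == "__main__":
    disguised = http_response("image/png", build_fake_pe())
    genuine = http_response("image/png", PNG_SIGNATURE + b"\x00" * 32)
    print("logo.png (PE bytes):", is_disguised_executable("/images/logo.png", disguised))
    print("logo.png (PNG bytes):", is_disguised_executable("/images/logo.png", genuine))
```

Checking the e_lfanew pointer as well as the MZ magic avoids false positives on files that merely happen to contain the letters MZ; the DOS stub string is kept as a second signal because it is what the `http contains DOS` filter keys on.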

  • show all retransmissions and other strange TCP behavior

You can also see other Wireshark articles