[Wireshark]Cyber security analysis and identify common cyber network attacks

overview

Takahiro Oda
8 min readJan 15, 2022

We will cover the basics of Wireshark first, then you’ll gain the ability to threat hunt at the packet level.

capture traffic and examine the packet

  • open Wireshark and choose Ethernet
  • you can check capture options
  • let’s generate some traffic
  • Use filter to find the related IP address
ip.addr == 1.1.1.1 (target IP)
/%ifconfigen0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
ether 14:9d:99:81:0a:c9
inet6 fe80::10c2:5ce7:5c47:1822%en0 prefixlen 64 secured scopeid 0x4
inet 192.168.3.9 netmask 0xffffff00 broadcast 192.168.3.255

you can see the traffic from my IP (192.168.3.9) to 1.1.1.1 and reply from 1.1.1.1 as well

they show the send and reply conversation
  • you can see four sections
  • frame section shows the entire message
  • Ethernet section shows specific ethernet header
  • shows specific IPv4 info
  • specific to ICMP info
  • hexadecimal values
  • In the bottom, the detail info about packet

Examine the frame dissector

  • start capturing
  • Open Firefox and press shift + command + p to open private browser

once you open it, close it and stop capturing. Let’s filter now!!

frame contains veronica

This filters every packet containing the word “veronica”

  • Right click > Follow > HTTP steam

you can see the detail of HTTP stream. close it.

You can see the IPv4 info is organized in Wireshark

Use Wireshark packets to map a network

Network diagram

Capturing traffic using Display filters

arp
  • show all of the arp requests and reply
dns
  • show all DNS requests
dns.qry.name == "www.pluralsight.com"
  • show only dns query of the specific DNS query

you can see the answers section

combining multiple display filters

dns.qry.name == "www.pluralsight.com" ||dns
ip.addr eq 192.168.3.9 && ip.addr == 52.88.45.204
(ip.src == 192.168.3.9) && (ip.dst == 52.88.45.204)

you can create automated filter as well.

Foundational TCP Analysis

  • Lets create a new profile from bottom right. right-click > new. Name
    “TCP plain”
  • Wireshark > preferences >+ > add Delta
  • Drag and drop to the position next to Time
  • View > coloring rules > add TCP SYN
  • statistics > conversations

we can see the statistics of TCP

  • this is the largest Delta time.
ip.addr==192.168.3.9 && tcp.port==59166 && ip.addr==75.2.53.94 && tcp.port==443 && tcp.analysis.flags
tcp.analysis.flags

This shows error of tcp packet

Wireshark Configuration for Cyber Security Analysis

Creating a security profile

  • right bottom > right click > new. Create a profile called security operations
  • View > Time Display format > Time of Day, milliseconds
  • save useful TCP setting
tcp.flags.syn==1
  • view > coloring rule

So you can color traffics

The statistics view

  • statistics > conversations (ports, ip, bytes)

Configure GeoIP location Resolution

  • Wireshark > preferences > name resolution > MaxMind database > Edit
  • write a path to MaxMind database
  • statistics > endpoints > IPv4
  • we can see where the traffic come from

Configure custom colums

  • choose one packet > tcp > source port > right click > add as column
  • you can have your own column
  • right click source port and edit column > add “or udp.srcport” in the Fields
  • lets right click Request URI and add column too.

Name resolutions

  • Wireshark > preferences > name resolution >

exporting HTTP objects and files

  • file > HTTP object export > save
  • After exporting, you can upload malicious files to VirusTotal.

Filtering for unusual DNS activity

dns.flags.response == 1
  • check how many responses
dns.count.answers > 10
  • check answers more than 10 times
dns.flags.response == 0 and ! ip.dst == 10.0.0.0/24 (local DNS IP address)
  • check the DNS query destination is not local DNS server (here pretending the local DNS server is in 10.0.0.x/24)
dns.flags.response == 1 and ip.len > 500
  • DNS response which contains more than 500 bytes

Filtering for traffic based on country location

ip.geoip.dst_country == "Japan"
  • filter traffic only coming from Japan

filtering for suspect TCP behavior

(tcp.flags.syn==1) && (tcp.flags.ack == 0)
  • filter only Syn packet
((tcp.flags.urg == 0) && (tcp.flags.syn == 0)) && (tcp.flags.push == 0)
  • filter for Xmas scan
tcp.port == 22 and ! ip.src == 10.0.0.1/24 (spcific IP that ssh is allowed)
  • filter SSH that connect from strange ip address

Filtering for Executable files

http contains DOS
  • right click the file > follow > TCP stream

executable file disguises

Decrypting TLS traffic

  • Wireshark > preference >protocol > TLS

Identify Common Cyber Network Attacks with Wireshark

Detecting Port Scans

tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == 10.0.2.15 <target IP >
  • check ports responded to scans from target IP

Threat hunting: Analyzing a real netwrok and port scan

http.request or http.response
  • look for “post”

check TCP stream as well

!tcp.port in {80 135 443 445 995 8000}
  • check unusual ports are used or not

check TCP stream as well

MZ………………….@……………………………………… .!..L.!This program cannot be run in DOS

http.request.uri contains "png"

name is png but the content is executable file.

tcp.analysis.flags
  • show all retransmission and strange TCP behavior

You can also see other Wireshark articles

--

--

No responses yet