Scroll to top

Wireshark Basics

Baseline Vitals with WIRESHARK

Wireshark is a popular and powerful network protocol analyzer used for capturing and analyzing network traffic in real-time. It allows you to examine the data packets traversing your network, helping you understand network behavior, troubleshoot issues, and even gather intelligence about network activities. Here are some tactics and considerations for using Wireshark to gather intelligence from packet captures:

  1. Selective Capture: Wireshark can capture a large volume of data quickly. However, to focus on specific events or protocols, you should apply filters to capture only relevant packets. For example, you can filter by IP address, port, protocol, or keywords in packet contents.
  2. Purpose Definition: Clearly define your goals for capturing packets. Are you looking for evidence of malicious activity, performance issues, or application behavior? This will guide your filter selection and analysis.
  3. Baseline Comparison: Before investigating, establish a baseline of normal network behavior. This will help you spot anomalies more effectively.
  4. Capture Duration: Decide on the appropriate capture duration. Longer captures may provide more context, but they can also lead to overwhelming amounts of data. Shorter captures may focus on specific incidents.
  5. Capture Points: Choose where to capture packets. This could be on a specific device, a network segment, or even on a specific port of a network switch.
  6. Capture Privacy and Legal Considerations: Ensure that you are capturing data in compliance with legal and privacy regulations. Unauthorized capture of sensitive information could lead to legal issues.
  7. Packet Decoding: Wireshark can decode packet contents for various protocols, helping you understand the data being transmitted. This is crucial for extracting meaningful information from captured packets.
  8. Follow TCP Stream and Reassembly: For TCP sessions, Wireshark can reconstruct the entire stream of data, making it easier to analyze the conversation between hosts.
  9. Flow Analysis: Group related packets into flows to analyze the complete interaction between endpoints. This is particularly useful for understanding higher-level behaviors.
  10. Packet Marking: Wireshark allows you to mark packets of interest. Use this feature to tag packets that may be relevant for further analysis.
  11. Statistical Analysis: Use Wireshark’s statistical tools to gather insights about network performance, packet sizes, response times, and more.
  12. Timeline Analysis: Arrange packets in chronological order to visualize the sequence of events. This is valuable for understanding the timeline of activities.
  13. Filter Refinement: As you analyze packets, you may need to refine your filters to zoom in on specific patterns or anomalies.
  14. Expert Information: Wireshark provides expert information and warnings about potential issues in the capture. Pay attention to these notifications as they can highlight suspicious or abnormal behavior.
  15. Pattern Recognition: Develop an understanding of common network patterns and behaviors. This will help you quickly identify anomalies.
  16. Collaboration: If you’re part of a security or IT team, collaborate with others. Different perspectives can provide valuable insights.
  17. Documentation: Document your findings, observations, and the steps you took during analysis. This is important for future reference and knowledge sharing.
  18. Learning Resources: Wireshark offers documentation, tutorials, and community forums to help you improve your skills.

A bit more advanced work you can do with WIRESHARK

  1. Custom Dissectors: Wireshark allows you to create custom dissectors to decode proprietary or non-standard protocols. This can provide deeper insights into your network’s specific communication patterns.
  2. Scripting with Lua: Wireshark supports scripting using Lua. You can write scripts to automate tasks, extract specific data, and perform custom analysis.
  3. Tshark Command Line Tool: Tshark is the command-line version of Wireshark. It’s useful for scripting, automated capture and analysis, and working on headless servers.
  4. IoC (Indicators of Compromise) Analysis: Use Wireshark to identify IoCs like malicious IP addresses, domains, or file hashes within your network traffic. This can aid in detecting ongoing attacks or breaches.
  5. Follow UDP Streams: Similar to following TCP streams, you can reconstruct and analyze complete UDP conversations using the “Follow UDP Stream” feature.
  6. Application Behavior Analysis: Analyze application-specific behavior within network traffic. This could include dissecting HTTP requests, examining DNS queries, or deciphering VoIP protocols.
  7. Flow and Conversation Tracking: Use Wireshark to track and analyze network flows and conversations. This provides a more holistic view of communication patterns between hosts.
  8. Exporting Objects: Wireshark can extract files or objects transferred over protocols like HTTP. This is helpful for retrieving potentially malicious files for further analysis.
  9. VoIP Analysis: Wireshark has extensive capabilities for analyzing VoIP protocols like SIP and RTP. This can be useful for troubleshooting call quality issues or identifying VoIP-related attacks.
  10. Graphing and Visualization: Wireshark can generate graphs and visualizations based on captured data. This can help in identifying trends, anomalies, and patterns.
  11. Expert System Customization: You can fine-tune Wireshark’s expert system to focus on specific types of issues or behaviors that are relevant to your network.
  12. Coloring Rules: Wireshark allows you to apply custom coloring rules to packets based on specific criteria. This can help you visually highlight packets of interest.
  13. Protocol Hierarchy Analysis: Dig deeper into the protocol hierarchy statistics. This can reveal patterns in the types of traffic on your network.
  14. Decryption of SSL/TLS: Wireshark can decrypt SSL/TLS traffic if you have access to the private key. This is immensely valuable for analyzing encrypted communication.
  15. Packet Slicing: If dealing with large capture files, you can slice out specific packets or ranges to focus your analysis.
  16. Network Baseline Analysis: Compare captured traffic to established baselines to quickly identify deviations or anomalies.
  17. Statistical Analysis and Trends: Wireshark offers various statistical tools that can help you identify trends, bottlenecks, and performance issues.
  18. Expert Info Analysis: Dive into the “Expert Info” section to understand potential issues highlighted by Wireshark’s analysis engine.
  19. Correlation with Other Logs: Combine Wireshark data with other logs, such as firewall or IDS logs, for a more comprehensive view of network activity.
  20. Mobile and IoT Protocol Analysis: Wireshark has added support for mobile and IoT protocols. Explore these capabilities for analyzing traffic from these devices.

Related posts