wireshark
Analyzed .pcap files for investigation.
How I Use It
Wireshark is my key weapon for traffic analysis, whether it is analyzing traffic live looking for juicy information to steal or pcaps after a breach to figure out what happened. Wireshark is the first packet sniffer I learned in grad school and still my default to this day.
| Category | What I did | Why I did it |
|---|---|---|
| PCAP Triage | Filter and identify suspicious flows and IoCs from captures. | Captures give us file names and connections that we can turn into IoCs to further the investigation. |
| Extract Files | Extract files and other artifacts from the traffic. | Malicious files can be extracted out of the traffic so we can review them. |
| Protocol Debugging | Inspect TCP streams, reassemble HTTP traffic, and analyze TLS handshakes for anomalies. | Following entire TCP and HTTP streams gives you the full picture of a conversation instead of isolated packets. |
| IOC Extraction | Use alongside INETSim to analyze malware traffic. | I run Wireshark on REMNux to get a better idea of what malware is doing when I execute it. |
| Steal Goodies | Check unencrypted traffic for juicy tidbits like credentials. | Protocols like HTTP, FTP, and Telnet have historically been cleartext, so we can sometimes see credentials and other juicy goodies. |
Proof
- Webstrike Lab - Identify attacker actions from TCP Stream.
- Meerkat - Identify credentials in the traffic.
- Web Investigation Lab - Investigate a SQL Injection attack from the traffic.
- PoisonedCredentials Lab - Analyze protocols to piece together attacks.
Features I Use Most
Follow TCP Stream - Right-click packet → Follow → TCP Stream
Why: Reconstruct full conversations, especially for plaintext protocols (HTTP, FTP, Telnet)
Export Objects - File → Export Objects → HTTP
Why: Extract files transferred over HTTP without manual carving
What I Learned the Hard Way
Filters are necessary
Wireshark just keeps sniffing. The conversation you were watching 30 seconds ago? Buried under 500 ARP requests. Use display filters or drown in noise.
Sometimes, you really have to drill down into a request
Finding a hostname once took me embarrassingly long because I didn’t realize how many nested sections Wireshark hides data in. Sometimes you have to expand like 5 layers deep to find what you need.
When Wireshark Let Me Down
HTB Meerkat - I was trying to get a count of password spraying but was struggling to address duplicate attempts to get a unique count. So, I used tshark to export the data and wrote a Python parser script to get the count.
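Below is an added example of the kind of tshark-plus-Python workflow described above; it is not the author's script and not part of the original page. It assumes the capture was exported with a tshark command along the lines of `tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields -e frame.time_epoch -e ip.src -e http.host -e http.request.uri -e http.file_data -E separator=/t` (the same display-filter syntax that the "Filters are necessary" section relies on, applied on the command line instead of in the GUI). The hosts, addresses, form field names and credentials in the sample are constructed for the example; the login path and the username/password form keys are assumptions you would adjust to the application you are investigating.

```python
"""Count unique password-spray attempts from tshark field output.

Duplicate POSTs (TCP retransmissions, a user clicking twice, the same
guess replayed by the tool) collapse to one attempt, which is what makes
the "unique count" differ from the raw line count.
"""
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample of tshark -T fields output (tab separated):
#   frame.time_epoch  ip.src  http.host  http.request.uri  http.file_data
# Lines 1 and 2 are an exact duplicate (a retransmitted POST).
SAMPLE_TSV = """\
1700000001.10\t10.0.0.5\tlogin.example.test\t/login\tusername=alice&password=Winter2024
1700000001.10\t10.0.0.5\tlogin.example.test\t/login\tusername=alice&password=Winter2024
1700000002.30\t10.0.0.5\tlogin.example.test\t/login\tusername=bob&password=Winter2024
1700000003.80\t10.0.0.5\tlogin.example.test\t/login\tusername=carol&password=Winter2024
1700000004.00\t10.0.0.5\tlogin.example.test\t/login\tusername=alice&password=Spring2024
1700000005.50\t10.0.0.9\tlogin.example.test\t/login\tusername=alice&password=hunter2
1700000006.00\t10.0.0.9\tlogin.example.test\t/search\tq=wireshark
"""


def parse_tshark_tsv(text):
    """Yield one record per line; skip lines that do not carry all five fields."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, src, host, uri, body = parts
        yield {"ts": float(ts), "src": src, "host": host, "uri": uri, "body": body}


def extract_credentials(body, user_keys=("username", "user", "login"),
                        pass_keys=("password", "pass", "pwd")):
    """Return (username, password) from a form-encoded body, or None if absent.

    The key names are assumptions; check the real form in Follow TCP Stream.
    """
    form = parse_qs(body, keep_blank_values=True)
    user = next((form[k][0] for k in user_keys if k in form), None)
    pwd = next((form[k][0] for k in pass_keys if k in form), None)
    if user is None or pwd is None:
        return None
    return user, pwd


def unique_attempts(text, login_path="/login"):
    """Set of (src, username, password): duplicate POSTs collapse to one entry."""
    attempts = set()
    for rec in parse_tshark_tsv(text):
        if rec["uri"] != login_path:
            continue  # not a login POST, e.g. a search form
        creds = extract_credentials(rec["body"])
        if creds is None:
            continue  # POST to the login path without recognisable credentials
        attempts.add((rec["src"], creds[0], creds[1]))
    return attempts


def spray_summary(attempts):
    """Per source: distinct usernames tried and the password tried most often.

    One password reused across many usernames from a single source is the
    spraying signature, as opposed to many passwords against one username.
    """
    users_by_src = defaultdict(set)
    pw_by_src = defaultdict(Counter)
    for src, user, pwd in attempts:
        users_by_src[src].add(user)
        pw_by_src[src][pwd] += 1
    return {
        src: {
            "unique_users": len(users_by_src[src]),
            "top_password": pw_by_src[src].most_common(1)[0],
        }
        for src in users_by_src
    }


if __name__ == "__main__":
    found = unique_attempts(SAMPLE_TSV)
    print(len(found), "unique attempts")  # 5, although 6 login POSTs were captured
    for src, info in sorted(spray_summary(found).items()):
        print(src, info)
```

Run it as-is against the embedded sample, or replace `SAMPLE_TSV` with the contents of the tshark export. The deduplication key is (source, username, password) rather than the full line, so a retransmitted or re-clicked POST with a different timestamp still counts once; if you need attempts per time window instead, add the rounded `ts` to the key.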