Tools
T1040Wireshark
How Wireshark captures and dissects packets at the wire level and the filters and workflows analysts actually use.
View on Graph
What It Is
Wireshark is the standard tool for packet capture and protocol analysis. It places a network interface into promiscuous mode — reading every packet reaching that interface, not just packets addressed to it — and dissects the raw bytes into human-readable protocol layers.
MITRE maps packet capture tools to T1040 (Network Sniffing): adversaries use tcpdump and Wireshark to steal credentials sent over cleartext protocols, map internal network topology, and capture authentication material for lateral movement.
Essential Wireshark Concepts
Display Filters vs. Capture Filters
| Type | When Applied | Syntax | Use Case |
|---|---|---|---|
| Display filters | After capture | tcp.port==80 | Filter already-captured packets. Can use any protocol field. String-based. |
| Capture filters | During capture | port 80 | Filter packets at the kernel level before they reach Wireshark. BPF (Berkeley Packet Filter) syntax. Saves disk space. |
Rule of thumb: Capture everything and filter during analysis (display filters) unless you are on a system with very limited disk or processing power.
Color Rules
Wireshark color-codes packets by protocol. Default rules you’ll see constantly:
- Light purple: TCP traffic
- Light blue: UDP traffic
- Light green: HTTP traffic
- Light yellow: DNS traffic
- Dark pink: ICMP traffic
- Red: TCP RST (connection reset) or abnormal packets
You can create custom color rules. A useful one: color all packets with tcp.flags.syn==1 and tcp.flags.ack==0 (SYN packets) as one color, and all http.request packets as another.
Display Filter Quick Reference — The 30 You Use Every Day
Basic Protocol Filters
| Filter | What It Shows |
|---|---|
tcp | All TCP packets |
udp | All UDP packets |
icmp | All ICMP packets |
dns | All DNS packets |
http | All HTTP packets |
tls | All TLS/SSL packets |
arp | All ARP packets |
dhcp | All DHCP packets |
smb | All SMB packets |
ip | All IPv4 packets |
IP and Host Filters
| Filter | What It Shows |
|---|---|
ip.addr == 10.0.0.1 | All packets to/from 10.0.0.1 |
ip.src == 10.0.0.1 | Packets FROM 10.0.0.1 |
ip.dst == 10.0.0.1 | Packets TO 10.0.0.1 |
!(ip.addr == 10.0.0.0/8) | All packets NOT from/to the 10.0.0.0/8 range |
ip.src == 10.0.0.0/8 and ip.dst != 10.0.0.0/8 | Internal→External traffic only |
Port and Service Filters
| Filter | What It Shows |
|---|---|
tcp.port == 443 | All TCP packets to/from port 443 |
tcp.dstport == 443 | Packets TO port 443 |
tcp.srcport == 443 | Packets FROM port 443 |
tcp.port in {22 80 443 3389} | Traffic on common ports |
tcp.port >= 49152 | Traffic on ephemeral ports (rare for established services) |
tcp.port == 445 and !(ip.addr == 10.0.0.0/8) | SMB traffic involving external hosts (always suspicious) |
TCP Flag Filters
| Filter | What It Shows |
|---|---|
tcp.flags.syn == 1 and tcp.flags.ack == 0 | SYN packets only (connection requests) |
tcp.flags.syn == 1 and tcp.flags.ack == 1 | SYN-ACK packets (connection acknowledgments) |
tcp.flags.fin == 1 | FIN packets (connection terminations) |
tcp.flags.reset == 1 | RST packets (connection resets — errors or refusals) |
tcp.flags.syn == 1 and tcp.flags.fin == 1 | SYN+FIN — impossible in normal TCP. Nmap scan indicator. |
tcp.flags == 0x000 | NULL packet (no flags set) — Nmap NULL scan indicator. |
HTTP Analysis Filters
| Filter | What It Shows |
|---|---|
http.request | HTTP request methods (GET, POST, etc.) |
http.response | HTTP response codes (200, 404, 500, etc.) |
http.request.method == "POST" | HTTP POST requests — large POST bodies = potential data exfiltration |
http.host contains "evil" | HTTP requests to domains containing “evil” |
http.user_agent contains "python" | Non-browser User-Agent strings — automation tooling |
http.content_length > 1000000 | HTTP responses > 1MB — large file transfers |
http.location | HTTP redirect targets — phishing redirect chain analysis |
http.request.uri contains "admin" or http.request.uri contains "login" | Requests to admin/login pages |
DNS Analysis Filters
| Filter | What It Shows |
|---|---|
dns | All DNS traffic |
dns.qry.name contains "wyzsec" | DNS queries for domains containing “wyzsec” |
dns.qry.type == 16 | TXT record queries only — DNS tunneling indicator |
dns.flags.response == 1 | DNS responses only |
dns.resp.len > 512 | DNS responses > 512 bytes (standard UDP DNS limit) — potential tunneling |
dns.flags.rcode == 3 | NXDOMAIN responses (nonexistent domain) — DGA indicator |
Length and Time Filters
| Filter | What It Shows |
|---|---|
frame.len > 1500 | Packets larger than the standard MTU — fragmented or jumbo frames |
frame.len > 1000 and dns | Large DNS packets — potential DNS tunneling |
frame.time_delta > 2 | Packets with > 2 seconds gap — useful for beaconing analysis |
frame.len < 100 and tcp | Small TCP packets — possible TCP scanning or keepalive probes |
Compound Filters
| Filter | What It Shows |
|---|---|
tcp.port == 443 and tls.handshake.type == 1 | TLS Client Hello messages on port 443 |
http.request and !(ip.addr == 10.0.0.0/8) | HTTP requests to/from external hosts |
dns.qry.type == 16 and frame.len > 1000 | TXT queries with large responses — strong DNS tunneling indicator |
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size < 1024 | SYN packets with unusual window size — OS fingerprinting or scanning |
smb and smb.cmd == 0x2f | SMB Server Request — Server Message Block protocol operations detail |
icmp and data.len > 64 | Large ICMP packets — ICMP tunneling indicator |
Capture Filter Quick Reference
Use these when collecting traffic live (before saving to disk).
| Filter | What It Captures |
|---|---|
port 80 or port 443 | Capture only HTTP/HTTPS traffic |
port 53 | Capture only DNS traffic |
host 10.0.0.1 | All traffic to/from 10.0.0.1 |
src host 10.0.0.1 | Traffic FROM 10.0.0.1 (monitor a single host) |
dst port 3389 | Traffic TO port 3389 (RDP) |
not arp and not icmp | Exclude ARP and ICMP noise |
tcp port 445 and src net 10.0.0.0/8 | SMB traffic from internal network |
ether host aa:bb:cc:dd:ee:ff | Traffic from a specific MAC address |
host 203.0.113.0/24 | Traffic to/from an entire subnet |
vlan and host 10.0.0.1 | Traffic from a specific VLAN to a specific host |
Investigation Workflows
Workflow 1: C2 Beaconing Investigation
Scenario: A SIEM alert flagged a host making regular HTTPS connections to an unknown external IP.
Steps:
-
Isolate the traffic:
ip.addr == IP_OF_SUSPICIOUS_HOST and tcp.port == 443 -
Look at timing patterns:
- Switch to the “Statistics → Flow Graph” view to see connection timing
- Add the
tcp.time_deltacolumn (Time since previous packet in this TCP stream) - Check the “Conversations” view (Statistics → Conversations) for connection counts and data volumes
-
Check TLS handshake metadata:
tls.handshake.type == 1 and ip.addr == IP_OF_SUSPICIOUS_HOST- Extract the Server Name Indication (SNI) — the hostname the client requested
- Check the JA3 fingerprint (Wireshark 3.2+): Statistics → JA3/JA3S → Client
- C2 frameworks have distinctive JA3 fingerprints. Cross-reference with known-threat feeds.
-
Check the process behind the connection:
- This requires Sysmon Event ID 3 on the endpoint. Cross-reference the connection timestamp with the Sysmon log.
- If the source process is
rundll32.exe,svchost.exe(non-service), or a suspicious path in AppData/Temp, it’s confirmed C2.
-
Follow the TCP stream:
- Right-click a packet → Follow → TCP Stream
- If HTTPS (encrypted), you won’t see the payload. Focus on timing, sizes, and TLS metadata.
- Unusual patterns: consistent payload sizes (e.g., exactly 512 bytes of payload each time), small requests, small responses — beaconing.
Key indicators of C2 beaconing:
- Regular intervals: connections every 60 seconds ± 5 seconds
- Small, consistent payload sizes
- Short-lived connections (connect, send, receive, close)
- No human browsing pattern (no images, CSS, favicon requests)
- Suspicious JA3 fingerprint
Workflow 2: Data Exfiltration Investigation
Scenario: An alert indicates large outbound data transfers from an internal host.
Steps:
-
Isolate outbound traffic from the host:
ip.src == INTERNAL_HOST and !(ip.dst == 10.0.0.0/8) -
Analyze by protocol:
# DNS tunneling check dns.qry.name and ip.src == INTERNAL_HOST # HTTP exfiltration check http.request.method == "POST" and ip.src == INTERNAL_HOST # All TCP traffic sorted by destination tcp and ip.src == INTERNAL_HOST and !(ip.dst == 10.0.0.0/8) -
Check packet sizes:
- Sort by
frame.len(descending) — are there abnormally large packets? - For DNS:
dns.resp.len > 512is suspicious.dns.resp.len > 1400is almost certainly tunneling.
- Sort by
-
Look for unusual protocols on standard ports:
- SSH traffic on port 22 from a server that doesn’t do SSH
- DNS traffic on non-standard ports
- ICMP traffic with large payloads
-
Extract and examine:
- File → Export Objects → HTTP (if HTTP traffic) — extract downloaded/uploaded files, then decode payloads with CyberChef
- Statistics → Endpoints — see all IPs the host contacted
- Statistics → Conversations — see total data transferred per conversation
Key indicators of data exfiltration:
- Large outbound transfers to a single external IP (multiple MB)
- DNS TXT queries with long subdomains (> 30 chars) and large responses (> 512 bytes)
- SSH/SFTP from servers to external IPs
- HTTP POST requests with large
Content-Lengthheaders - Off-hours data transfers
Workflow 3: Port Scan Investigation
Scenario: A firewall alert indicates inbound port scanning.
Steps:
-
Isolate traffic from the scanning IP:
ip.src == SCANNING_IP and tcp.flags.syn == 1 -
Check if it’s a half-open scan:
tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.src == SCANNING_IPCount unique destination ports. If there are many, it’s a scan.
-
Check for abnormal flag combinations:
ip.src == SCANNING_IP and (tcp.flags == 0x029 or tcp.flags == 0x000)(Xmas scan = 0x029, NULL scan = 0x000)
-
Check scan duration:
- Statistics → Conversations — look at the timing range
- A full subnet scan completes in seconds to minutes
- A slow scan (over hours or days) with small numbers of packets is more sophisticated
Key indicators:
- TCP connections to closed ports (RST received for non-listening services)
- Random or sequential destination port patterns
- Abnormal TCP flag combinations (SYN-only, FIN, Xmas, NULL)
- Sequential IP scanning (10.0.0.1, 10.0.0.2, 10.0.0.3, etc.)
Workflow 4: Protocol Anomaly Investigation
Scenario: A detection rule flagged unusual protocol behavior.
Steps:
-
Check the TCP analysis flags (View → Coloring Rules → TCP Analysis):
- TCP Retransmission: Packet loss — could be network issue or intentional evasiveness
- TCP Duplicate ACK: Sign of packet loss or network congestion
- TCP Fast Retransmission: Host detected packet loss and retransmitted — common in C2 under poor network conditions
- TCP Out-of-Order: Packets arrived out of sequence — sometimes used by attackers to evade IDS
- TCP Window Update: Receiver changed window size — could indicate buffer manipulation
- ZeroWindow / WindowFull: Receiver buffer is full — DoS or misconfiguration
-
Check for protocol header anomalies:
- Mismatched protocol/port (e.g., HTTP on port 53)
- Invalid flag combinations
- Unusual TTL values (TTL != 64 for Linux, != 128 for Windows — possible IP spoofing)
Useful Wireshark Preferences for Analysts
Enable these for faster analysis:
- Resolve MAC addresses → ON (identifies hardware vendors)
- Resolve transport names → ON (shows port names like “http” not just “80”)
- Use custom HTTP headers → ON (captures User-Agent, Referer, etc.)
- Enable TCP analysis → ON (shows retransmissions, dup ACKs, window issues)
- Show TCP sequence numbers in bytes → ON (easier to track data transfer amounts)
- Edit → Preferences → Appearance → Layout: Put packet list on top, packet details middle, packet bytes bottom
Related
- Snort and Suricata — detection and response for T1040 techniques
- Zeek (formerly Bro) — detection and response for T1040 techniques
- Wireshark 4.6.6 Release — how wireshark 4.6.6 released helps detect and analyze threats
- Network Security Basics — detection and response for T1040, T1046 techniques
