Tools
Wireshark
Wireshark is a packet analysis tool used to inspect network traffic at a detailed protocol level.
- Captures live packet data from any network interface
- Dissects hundreds of protocols down to individual field values
- Display filters isolate specific traffic for focused analysis
- Follow TCP/UDP streams to reconstruct entire conversations
- Packet capture must be scoped (with a capture filter on interface, host or port) so that a capture does not collect unnecessary, and possibly sensitive, data
Common use cases
- Capture traffic during a suspected data exfiltration to reconstruct the bytes transferred and identify the destination and protocol used
- Analyze TLS handshake packets to spot anomalous cipher suites, self-signed certificates, or connections to newly registered domains
- Follow an HTTP stream to extract the full request/response of a suspicious file download and export the payload for malware analysis
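As an added illustration of the TLS handshake use case above (not part of the original page, and not Wireshark code), the following Python dissects a TLS ClientHello record the way Wireshark's tls dissector does, pulling out the offered cipher suites and the SNI so that legacy suites can be flagged; the sample record is constructed inline, and the function names and the WEAK_SUITES list are this example's own choices.

```python
"""Minimal TLS ClientHello dissector (record + handshake framing per RFC 5246/8446)."""
import struct

# Suites a defender would want flagged if a client offers them (NULL, export, RC4, 3DES).
WEAK_SUITES = {0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x000A}

def build_client_hello(suites, sni):
    """Constructed sample: a TLS 1.2 ClientHello record carrying the given suites and SNI."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # server_name list
    exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext           # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # client_version, random, empty session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_client_hello(rec):
    """Return (client_version, [cipher suites], sni) from a raw TLS record, or raise ValueError."""
    if len(rec) < 11 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 9                                                   # past record header + handshake header
    version = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32                                             # skip random
    p += 1 + rec[p]                                         # skip session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + rec[p]                                         # skip compression methods
    ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    sni = None
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4])
        if etype == 0x0000:                                 # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", rec[p + 7:p + 9])[0]
            sni = rec[p + 9:p + 9 + name_len].decode()
        p += 4 + elen
    return version, suites, sni

def weak_suites_offered(rec):
    """Offered cipher suites that appear in WEAK_SUITES, in the order the client listed them."""
    return [s for s in parse_client_hello(rec)[1] if s in WEAK_SUITES]

if __name__ == "__main__":
    sample = build_client_hello([0xC02F, 0x1301, 0x0004, 0x000A], "update.example")
    print(parse_client_hello(sample), [hex(s) for s in weak_suites_offered(sample)])
```

The same fields are what a display filter such as tls.handshake.ciphersuite or tls.handshake.extensions_server_name exposes in Wireshark; the script is for batch triage of captures rather than a replacement for the dissector.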