A few words

2024 is about to come to an end, so this is likely to be the last note of the year. Something I have always wanted to do but kept forgetting: a Wireshark cheat sheet for Digital Forensics and Incident Response (DFIR).

Initial Triage

# General overview of protocols
Statistics > Protocol Hierarchy

# Check conversations & endpoints
Statistics > Conversations
Statistics > Endpoints

Essential Wireshark Filters

Suspicious Activities

# HTTP POST Requests (potential data exfiltration)
http.request.method == "POST"

# File Downloads
http.request.method == "GET" && http.content_type contains "application"

# Command & Control Traffic (SYN-only packets = new outbound connection attempts; long DNS query names)
tcp.flags.syn == 1 && tcp.flags.ack == 0
dns.qry.type == 1 && dns.qry.name.len > 15

# Suspicious Ports
tcp.port == 4444 || udp.port == 4444
!(tcp.port == 80 || tcp.port == 443)

# Data Transfer
ftp || smb || http.request.method == "PUT"

SSL/TLS Analysis

# Note: since Wireshark 3.0 these fields live under the tls. prefix; the older ssl. names still work as aliases, so both forms below are accepted

# Certificate Handshakes (handshake message type 11 = Certificate)
ssl.handshake.type == 11

# Certificate Errors
ssl.alert.description == 48 || ssl.alert.description == 62

# View Certificates
tls.handshake.certificate

# All HTTPS Traffic
tcp.port == 443 || ssl

DNS Analysis

# All DNS Traffic
dns

# DNS Queries Only
dns.flags.response == 0

# DNS with long query names (possible tunneling)
dns.qry.name.len > 15

# DNS TXT Records (possible C2)
dns.txt
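
The length filter above flags every query name longer than 15 characters, which also catches plenty of legitimate names. The script below is an added example, not part of the original cheat sheet: it takes the query names exported from the capture and combines the cheat sheet's length threshold with label length, character entropy and a per-source count, so that only names with several indicators are flagged. It assumes the names were exported as `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e frame.time_epoch -e ip.src -e dns.qry.name`; the sample lines, the thresholds and the domains are constructed for the demonstration.

```python
"""DNS tunnelling triage over tshark field output (added example, not part
of the original cheat sheet). Assumed input: tab-separated lines from
  tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
        -e frame.time_epoch -e ip.src -e dns.qry.name
The sample below is constructed; the domains do not exist."""
import math
from collections import Counter, defaultdict

# Constructed sample: two hosts doing ordinary lookups, one host sending
# 32-character hex labels under a single parent domain.
SAMPLE_TSHARK_OUTPUT = """\
1735600000.101\t10.0.0.5\twww.example.com
1735600000.215\t10.0.0.5\tcdn.example.net
1735600001.004\t10.0.0.7\t3f9ac1e07b2d4c9f8e1a6b5d0c7e2f4a.tunnel-example.net
1735600001.308\t10.0.0.7\t9b1d7e4f2a6c8e0b5d3f1a7c9e2b4d6f.tunnel-example.net
1735600001.612\t10.0.0.7\tc4e8a2f6b0d1e3c5a7f9b2d4e6c8a0f1.tunnel-example.net
1735600002.040\t10.0.0.9\tmail.example.org
"""

# Thresholds are starting points for an investigation, not tuned detections.
PAGE_NAME_LEN = 15      # the cheat sheet's dns.qry.name.len > 15 filter
LONG_LABEL = 24         # a single label this long is rare in normal names
HIGH_ENTROPY = 3.5      # bits per character; hex/base32 labels sit near 4
DIGIT_RATIO = 0.3       # share of digits inside the longest label


def shannon_entropy(text: str) -> float:
    """Bits per character of a string (0 for a single repeated character)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_query_name(name: str) -> list:
    """Return the list of indicators a query name triggers."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    if not labels:
        return []
    longest = max(labels, key=len)
    reasons = []
    if len(name) > PAGE_NAME_LEN:
        reasons.append("len>15")
    if len(longest) >= LONG_LABEL:
        reasons.append("long_label")
    if shannon_entropy(longest) >= HIGH_ENTROPY:
        reasons.append("high_entropy_label")
    if sum(ch.isdigit() for ch in longest) / len(longest) > DIGIT_RATIO:
        reasons.append("digit_heavy_label")
    return reasons


def is_suspicious(name: str) -> bool:
    """Length alone is too noisy; require two label-level indicators."""
    return len([r for r in score_query_name(name) if r != "len>15"]) >= 2


def parse_tshark_fields(text: str) -> list:
    """Parse (epoch, src, qname) rows; skip lines that lack three fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and parts[2]:
            rows.append((float(parts[0]), parts[1], parts[2]))
    return rows


def triage(text: str) -> dict:
    """Flag suspicious names and count them per (source, parent domain)."""
    flagged = []
    per_source = defaultdict(int)
    for _, src, qname in parse_tshark_fields(text):
        if is_suspicious(qname):
            flagged.append(qname)
            parent = ".".join(qname.rstrip(".").split(".")[-2:])
            per_source[(src, parent)] += 1
    return {"flagged": flagged, "by_source": dict(per_source)}


if __name__ == "__main__":
    result = triage(SAMPLE_TSHARK_OUTPUT)
    for (src, parent), count in result["by_source"].items():
        print(f"{src} -> {count} suspicious queries under {parent}")
```

On the constructed sample, `mail.example.org` trips only the cheat sheet's length filter and is left alone, while the three hex-labelled names from 10.0.0.7 trip three label-level indicators each and are grouped under their parent domain, which is the pivot you then take back into Wireshark with `dns.qry.name contains "tunnel-example.net"`.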

File Extraction Methods

HTTP Objects

  1. File > Export Objects > HTTP
  2. Filter relevant objects
  3. Save suspicious files

From Stream

  1. Right-click packet
  2. Follow > TCP/HTTP/SSL Stream
  3. Show data as: Raw
  4. Save content

Hash Verification

# Calculate file hashes
sha256sum [file]
md5sum [file]

Certificate Analysis Steps

  1. Filter for certificates: ssl.handshake.type == 11
  2. Look for:
    • Issuer = Subject (self-signed)
    • Validity periods
    • Common Name (CN)
    • Locality Name
    • Organization

Data Exfiltration Indicators

  1. Large data transfers
  2. Unusual destination IPs
  3. Base64 encoded content
  4. DNS tunneling patterns
  5. Irregular protocol behavior
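
The "Base64 encoded content" and "Large data transfers" indicators above can be checked directly on the POST bodies pulled out of a capture. The script below is an added example, not part of the original cheat sheet: it finds base64 runs in a body, decodes them strictly, classifies the decoded bytes by file magic, and rates a plain-text blob lower than a file-shaped one. It assumes the bodies were exported with Follow > HTTP Stream or with `tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields -e http.file_data`; the sample bodies, payloads and thresholds are all constructed.

```python
"""Base64 triage for captured HTTP POST bodies (added example, not part of
the original cheat sheet). Assumes the bodies were already extracted from
the capture (Follow > HTTP Stream, or tshark -T fields -e http.file_data).
All sample bodies and payloads below are constructed."""
import base64
import binascii
import re

# A run of at least 40 base64 characters with optional padding. Shorter runs
# (session ids, CSRF tokens) are mostly noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Leading bytes of file types that should rarely leave a host inside a form.
MAGIC = {
    b"PK\x03\x04": "zip/office",
    b"%PDF": "pdf",
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"\x89PNG": "png",
}

# Constructed payloads: a small zip-like blob and a plain-text beacon.
ZIP_LIKE = b"PK\x03\x04" + b"\x00" * 200
REPORT = b"status report: host up, no pending jobs, next check in 300s"

SAMPLE_BODIES = {
    "login_form": "username=alice&password=hunter2&remember=1",
    "json_upload": '{"id":"7","blob":"%s"}' % base64.b64encode(ZIP_LIKE).decode(),
    "agent_beacon": "msg=" + base64.b64encode(REPORT).decode(),
}


def decode_candidate(token: str):
    """Strict decode; also tries the token trimmed to a whole quartet."""
    for candidate in (token, token[: len(token) // 4 * 4]):
        try:
            return base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def classify(data: bytes) -> str:
    """Name the decoded content by magic bytes, else text or binary."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    return "binary"


def triage_body(body: str) -> list:
    """Return one finding per decodable base64 run in a POST body."""
    findings = []
    for match in B64_RUN.finditer(body):
        data = decode_candidate(match.group(0))
        if not data:
            continue
        kind = classify(data)
        # Small readable text is worth a look; anything file-shaped is not.
        severity = "info" if kind == "text" and len(data) < 1024 else "high"
        findings.append({
            "offset": match.start(),
            "encoded_len": len(match.group(0)),
            "decoded_len": len(data),
            "kind": kind,
            "severity": severity,
            "preview": data[:16],
        })
    return findings


def triage_all(bodies: dict) -> dict:
    """Map body label -> findings, dropping bodies with nothing to report."""
    report = {}
    for label, body in bodies.items():
        findings = triage_body(body)
        if findings:
            report[label] = findings
    return report


if __name__ == "__main__":
    for label, findings in triage_all(SAMPLE_BODIES).items():
        for f in findings:
            print(f"{label}: {f['severity']} {f['kind']} "
                  f"{f['decoded_len']} bytes decoded at offset {f['offset']}")
```

The login form produces nothing, the JSON upload decodes to a zip-like blob and is rated high, and the beacon decodes to readable text and is only noted. Real captures will also contain JWTs and signed cookies, which use the URL-safe alphabet and dots and therefore mostly fall outside this regex; widen it deliberately rather than by accident.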

Quick Investigation Steps

  1. Initial Access
    • Sort by time
    • Look for first suspicious connections
    • Check initial HTTP/HTTPS requests
  2. Malware Analysis
    • Export suspicious files
    • Calculate hashes
    • Check file metadata
    • Look for C2 traffic patterns
  3. Lateral Movement
    • Check internal communications
    • Look for scanning activity
    • Monitor SMB/RDP traffic
  4. Data Exfiltration
    • Large outbound transfers
    • Unusual protocols
    • Encoded data
    • Abnormal DNS activity

Useful Statistics Views

Statistics > Protocol Hierarchy
Statistics > Conversations
Statistics > Endpoints
Statistics > HTTP > Requests
Statistics > Flow Graph

Follow Stream Options

  • Right-click > Follow > TCP Stream
  • Right-click > Follow > UDP Stream
  • Right-click > Follow > HTTP Stream
  • Right-click > Follow > SSL Stream

Timeline Analysis

  1. Use Time Display Format:
    • View > Time Display Format
    • Choose UTC for standardization
  2. Use Time References:
    • Right-click packet > Set/Unset Time Reference