Intermediate ⏱ 60 Minutes Prereq: Module 09

Wireshark & Traffic Analysis

This is the bridge between theory and the attacker mindset. Wireshark allows you to capture, filter, and analyze the raw truth of what is happening on a network.

1. What Is Packet Capture?

Packet capture (sniffing) means intercepting and logging traffic. To do this, your Network Interface Card (NIC) must be in Promiscuous Mode, which lets it "hear" every frame on the wire, not just frames addressed to its own MAC address. Note that a switch only forwards other hosts' unicast traffic to your port if you are on a mirror (SPAN) port, so on a switched LAN you will otherwise mostly see your own traffic plus broadcasts.

Application Data: HTTP, DNS, SSH
↓
TCP / UDP Segment: Ports (80, 443)
↓
IP Packet: Source/Dest IP
↓
Ethernet Frame: MAC Addresses

💀 Attacker Mindset

Attackers use packet capture for reconnaissance and credential harvesting. If a protocol (like Telnet or HTTP) is unencrypted, they can read passwords directly from the wire.

2. Installing & Launching

Installation is simple on Linux:

sudo apt install wireshark

The Pre-Flight Checklist

  • ✔ Interface: Select the correct card (usually eth0 or wlan0). Use any to capture on every interface at once.
  • ✔ Privileges: Capturing packets requires root/sudo (or, on Debian-based systems, membership in the wireshark group after running dpkg-reconfigure wireshark-common).
  • ✔ Traffic: Ensure network activity exists (open a browser) to confirm capture is working.

3. Packet Anatomy Inside Wireshark

Wireshark divides information into three specific panes. Understanding this layout maps directly to the OSI model.

1. Packet List (Top)

A summary of all captured packets. Shows Time, Source, Destination, Protocol, and Info.

2. Packet Details (Middle)

The hierarchical view. This is where you drill down.

  • Frame (Layer 1/2)
  • Internet Protocol (Layer 3)
  • Transmission Control Protocol (Layer 4)
  • Hypertext Transfer Protocol (Layer 7)

3. Packet Bytes (Bottom)

The raw Hexadecimal and ASCII dump of the data.

4. Display Filters (The Core Skill)

Capturing is easy; finding the needle in the haystack is the skill. Display filters allow you to hide noise without deleting data.

ip.addr == 192.168.1.5      Traffic to or from this host (matches source or destination)

tcp.port == 80              TCP traffic with source or destination port 80

http || dns                 Only HTTP or DNS packets

tcp.flags.syn == 1          Segments with the SYN flag set (connection attempts and their SYN-ACK replies)

Logic Operators:

  • && (AND): Both conditions must be true.
  • || (OR): Either condition can be true.
  • ! (NOT): Exclude this condition.

5. TCP Handshake Analysis

Every reliable connection starts with the 3-Way Handshake. Seeing this in Wireshark confirms a connection attempt.

💻 Client  →  SYN      →  🏢 Server
💻 Client  ←  SYN-ACK  ←  🏢 Server
💻 Client  →  ACK      →  🏢 Server

Filter for Handshakes: tcp.flags.syn == 1

Flags to know:

  • SYN: Synchronization (Hello)
  • ACK: Acknowledgment (Got it)
  • RST: Reset (Stop connection immediately)
  • FIN: Finish (Graceful disconnect)

6. Following TCP Streams

Application data is split across many packets. To read a full email or web page, you must reassemble them.

Right-click a packet → Follow → TCP Stream.

โš ๏ธ The "Matrix" Moment

This reconstructs the conversation as the application sees it. If the traffic is HTTP (unencrypted), you will see usernames, passwords, and page content in plain text. If it is HTTPS, you will see encrypted garbage (only the TLS handshake, such as the server name, is readable).

7. DNS Analysis

Malware often uses DNS to "phone home" because DNS traffic is rarely blocked by firewalls.

Filter: dns

What to look for:

  • Transaction ID: A random number linking a Query to a Response.
  • Flags: Look for "Standard query" vs "Response".
  • Anomalies: Massive numbers of queries to random-looking domains (DGA malware) or unusually large TXT records (data exfiltration).

8. Detecting Suspicious Traffic

As a defender (Blue Team), Wireshark is your microscope.

Port Scanning

Look for thousands of SYN packets from a single IP to many different ports.

tcp.flags.syn == 1 && tcp.flags.ack == 0
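
The two ideas above, the layered Packet Details view from section 3 and the port-scan filter just shown, combined into a small added example (not code from the original module): it decodes Ethernet/IPv4/TCP headers from raw frame bytes and then applies the page's filter to count how many distinct ports each source probed. All frames are constructed in the block itself (dummy MACs, zeroed checksums), so it runs offline.

```python
import struct
from collections import defaultdict

SYN, RST, ACK, FIN = 0x02, 0x04, 0x10, 0x01  # TCP flag bits (tcp.flags.syn etc.)

def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Constructed test input: minimal Ethernet II + IPv4 + TCP header, dummy MACs, zero checksums."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Decode the layers Wireshark's Packet Details pane shows: Ethernet -> IPv4 -> TCP."""
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:           # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if ip[9] != 6:                    # protocol 6 = TCP
        return None
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    sport, dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    return {"src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport,
            "syn": bool(flags & SYN), "ack": bool(flags & ACK),
            "rst": bool(flags & RST), "fin": bool(flags & FIN)}

def find_syn_scanners(frames, min_ports=10):
    """Apply tcp.flags.syn == 1 && tcp.flags.ack == 0 and report sources whose
    initial SYNs touch at least `min_ports` distinct (destination, port) pairs."""
    targets = defaultdict(set)
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and pkt["syn"] and not pkt["ack"]:
            targets[pkt["src"]].add((pkt["dst"], pkt["dport"]))
    return {src: len(ports) for src, ports in targets.items() if len(ports) >= min_ports}

# Constructed capture: one host probing 20 ports, one normal client, and the
# server's SYN-ACK / RST-ACK replies (ignored by the filter because ACK is set).
SAMPLE = [build_frame("10.0.0.9", "192.168.1.5", 40000 + p, p, SYN) for p in range(1, 21)]
SAMPLE += [build_frame("192.168.1.7", "192.168.1.5", 51000, 80, SYN),
           build_frame("192.168.1.7", "192.168.1.5", 51001, 443, SYN),
           build_frame("192.168.1.5", "192.168.1.7", 80, 51000, SYN | ACK),
           build_frame("192.168.1.5", "10.0.0.9", 22, 40022, RST | ACK)]

if __name__ == "__main__":
    print(find_syn_scanners(SAMPLE))   # {'10.0.0.9': 20}
```

The threshold is a heuristic: a real capture needs a time window as well, since a busy client can legitimately open many connections over a day.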

Data Exfiltration

Look for unusually large outbound connections or suspicious file transfers.

File → Export Objects → HTTP

ICMP Tunneling

Ping payloads are normally a small, predictable filler pattern. If the "Data" field of an ICMP packet contains readable text strings, changes from packet to packet, or is unusually large, suspect a tunnel.

9. 🧪 Practical Mini Lab

Perform these tasks on your own machine:

  1. Open Wireshark and start capturing on your active interface.
  2. Open a browser and visit an HTTP (not HTTPS) site if possible, or just generate traffic.
  3. Open a terminal and ping 8.8.8.8.
  4. Stop the capture.
  5. Filter for icmp and find your ping request.
  6. Filter for dns and find the query for the website you visited.
  7. Right-click a TCP packet and select Follow TCP Stream.

📌 Module Recap

  • Promiscuous Mode is required to sniff all traffic.
  • Display Filters are essential to reduce noise (ip.addr, tcp.port).
  • TCP Handshake: SYN → SYN-ACK → ACK.
  • Follow Stream: Reassembles fragmented packets into readable data.
  • Blue Team: Look for scan patterns (bursts of SYN packets to many ports) and data exfiltration.