
Use wireshark to view network traffic
[Screenshot: Wireshark's default packet list view]

Since most malware and cyberattacks use the network, the ability to analyze network traffic data is invaluable for incident response. This section looks at some of the basic capabilities of Wireshark and their applications and potential utility for IR.

Wireshark is a great tool for achieving high-level awareness of the types of traffic in a packet capture or flowing live over a network. The screenshot above shows a sample of Wireshark's default view. Each line summarizes a packet, and packets are color-coded based on protocol and other attributes. The colors in the capture above make it easy to differentiate DNS traffic (blue) from HTTP (green). Wireshark also includes visual cues for unusual packets. For example, RST packets in TCP are colored red, making it easy to see if there is anomalous behavior on the network (in this case, a possible scan). Simply by scrolling through the packet summaries, it's possible to get a rough idea of the mix of traffic in a capture and identify some potential abnormalities that deserve further investigation.

[Screenshot: Statistics → Conversations, IPv4 tab]

Wireshark also provides a wealth of high-level statistical data regarding a packet capture. These statistics have their own drop-down menu in Wireshark's menu ribbon. The screenshot above is accessed via Statistics → Conversations. This tab summarizes the conversations between different IPv4 addresses. This is useful for identifying if unusual connection patterns exist within a network. For example, a single machine connecting with a number of different systems within the network may indicate attempts at scanning or lateral movement.

[Screenshot: Statistics → HTTP → Requests]

The screenshot above is from Statistics → HTTP → Requests. As shown, it lists the HTTP hosts contacted within a packet capture. This can be useful in checking if an organization's DNS blacklist is missing any important entries based upon connections to suspicious domains.

[Screenshot: packet details of an HTTP request associated with OnionDuke]

At the other end of the spectrum, Wireshark is also excellent for diving deep into the details of the traffic flowing on the network. By default, the Wireshark GUI includes packet details in a frame at the bottom of the screen. The screenshot above is of an HTTP request associated with the OnionDuke malware. As shown, Wireshark provides a breakdown and interpretation of all of the data being sent at each level of the networking stack. In this particular case, the HTTP detail is invaluable for analyzing the malware sample. OnionDuke sends its command-and-control data as Base64-encoded data embedded within an HTTP URI, as shown above. Wireshark makes it easy to detect this and to extract the HTTP URI for decoding and analysis.

[Screenshot: the built-in "http" display filter applied]

In large packet captures, even Wireshark's packet summaries can be overwhelming. It can be difficult to identify a single packet of interest in thousands or even millions of packets. This is where Wireshark's filtering capabilities become invaluable. Wireshark offers high-level protocol filtering, like that shown above. In this case, using the built-in http filter shows only packets containing the HTTP protocol.

[Screenshot: the "http.host" display filter applied]

Since HTTP is a common protocol for delivering malware and carrying command-and-control traffic, being able to drill down into that particular protocol can be useful for focusing incident response efforts. Wireshark filters can be combined using Boolean logic, making it possible to create complex filter expressions. This enables incident responders to filter for things even if they don't know exactly what they're looking for, by filtering out everything that is not of interest. Wireshark filters aren't limited to protocols; they also include fields that are present in each type of packet. The screenshot above filters for HTTP traffic containing the Host field, making it easy to identify HTTP requests.
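The views described above (the IPv4 Conversations table, the HTTP Requests host list, the http.host filter and the Base64-in-URI pattern) are easy to reproduce outside the GUI, which is useful when a capture is too large to scroll or when the same checks need to run on every capture. The following script is an added example, not code from the original post or from the Wireshark project: it builds a small pcap in memory from constructed frames (all addresses, host names and the "beacon" URI are made-up placeholders, and the scanning host and Base64 payload are assumptions chosen to exercise each check), parses the classic pcap/Ethernet/IPv4/TCP layers with the standard library, and then computes the same three summaries Wireshark shows.

```python
"""Added example, not code from the original post: a pure-stdlib reproduction of the IPv4
Conversations, HTTP Requests and 'http.host' views over a constructed pcap.  Every address,
host name and URI below is a made-up placeholder, not a real indicator."""
import base64
import struct
from collections import Counter, defaultdict

def _frame(src, dst, sport, dport, payload=b"", flags=0x18):
    """Ethernet/IPv4/TCP frame; checksums stay zero because the parser below ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _http_get(host, uri):
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: demo\r\n\r\n".encode()

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out

# Constructed capture (placeholder data): one host sending SYNs to eight peers on 445,
# the "one machine, many systems" pattern, plus HTTP requests, one with Base64 in its URI.
BEACON = base64.b64encode(b"beacon").decode()  # "YmVhY29u"
SAMPLE_PCAP = build_pcap(
    [_frame("10.0.0.50", f"10.0.0.{n}", 51000 + n, 445, flags=0x02) for n in range(1, 9)]
    + [_frame("10.0.0.7", "203.0.113.10", 52001, 80, _http_get("www.example.com", "/")),
       _frame("10.0.0.7", "203.0.113.20", 52002, 80, _http_get("cdn.example.net", "/" + BEACON)),
       _frame("10.0.0.9", "203.0.113.10", 52003, 80, _http_get("www.example.com", "/login")),
       _frame("203.0.113.10", "10.0.0.9", 80, 52003, b"HTTP/1.1 200 OK\r\n\r\n")])

def parse_pcap(data):
    """Yield (src, dst, sport, dport, tcp_flags, payload) for every IPv4/TCP frame."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "little-endian classic pcap only"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":         # EtherType must be IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                          # IP protocol must be TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack_from("!H", ip, 2)[0]]
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:]

def conversations(data):
    """Statistics -> Conversations -> IPv4: (packets, payload bytes) per unordered pair."""
    table = defaultdict(lambda: [0, 0])
    for src, dst, _, _, _, payload in parse_pcap(data):
        row = table[tuple(sorted((src, dst)))]
        row[0] += 1
        row[1] += len(payload)
    return {pair: tuple(row) for pair, row in table.items()}

def fan_out(data, threshold):
    """Hosts with at least `threshold` distinct peers: the one-machine-to-many pattern."""
    peers = defaultdict(set)
    for a, b in conversations(data):
        peers[a].add(b)
        peers[b].add(a)
    return sorted(h for h, p in peers.items() if len(p) >= threshold)

def http_requests(data):
    """Equivalent of the 'http.host' display filter: requests that carry a Host header."""
    out = []
    for src, dst, _, _, _, payload in parse_pcap(data):
        if not payload.startswith((b"GET ", b"POST ")):
            continue
        lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        host = next((l.split(b":", 1)[1].strip().decode()
                     for l in lines[1:] if l.lower().startswith(b"host:")), None)
        if host is not None:
            out.append({"src": src, "dst": dst, "host": host,
                        "uri": lines[0].split(b" ")[1].decode()})
    return out

def hosts_contacted(data):
    """Statistics -> HTTP -> Requests: how many requests went to each Host value."""
    return Counter(r["host"] for r in http_requests(data))

def base64_uri_payload(uri):
    """Decode the last path segment as strict Base64; None when it is not valid Base64."""
    seg = uri.rsplit("/", 1)[-1]
    try:
        return base64.b64decode(seg, validate=True) if seg else None
    except ValueError:                          # binascii.Error is a ValueError
        return None

if __name__ == "__main__":
    print("fan-out hosts:", fan_out(SAMPLE_PCAP, 5), "| HTTP hosts:", dict(hosts_contacted(SAMPLE_PCAP)))
    for r in http_requests(SAMPLE_PCAP):
        print(r["src"], "->", r["host"], r["uri"], base64_uri_payload(r["uri"]))
```

On a real capture the same summaries come straight from Wireshark's command-line companion: `tshark -q -r capture.pcap -z conv,ip` prints the IPv4 conversations table, `tshark -q -r capture.pcap -z http,tree` the request/host statistics, and `tshark -r capture.pcap -Y http.host -T fields -e ip.src -e http.host -e http.request.uri` applies the http.host display filter and emits just the columns the script extracts. The fan-out threshold and the strict Base64 check are deliberately simple heuristics: a legitimate file server also talks to many peers, and a short plain word can happen to be valid Base64, so both are triage cues for a responder to confirm in the packet details, not verdicts.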








