Network Traffic Analysis with Wireshark

10 min read
Network Analysis Wireshark

Master the art of packet analysis for cybersecurity investigations, network troubleshooting, and forensic analysis using the world's most popular network protocol analyzer.

Why Wireshark Matters for Blue Team

Wireshark is the de facto standard for network traffic analysis in cybersecurity. For blue team professionals, it's an essential tool for investigating security incidents, analyzing malware communication, and understanding network behavior. With over 3,000 network protocols supported, Wireshark provides unparalleled visibility into network communications.

Getting Started with Wireshark

Installation and Setup

Wireshark is available for Windows, macOS, and Linux. For optimal performance in enterprise environments:

  • Windows: Run as administrator for full capture capabilities
  • Linux: Add user to wireshark group to avoid sudo requirement
  • Virtual environments: Ensure promiscuous mode is enabled
  • Network position: Deploy on SPAN ports or network TAPs for best visibility

Interface Overview

Key Components

Packet List Pane

Displays all captured packets with summary information including time, source, destination, and protocol.

Packet Details Pane

Shows detailed protocol breakdown of selected packet with expandable protocol layers.

Packet Bytes Pane

Displays raw hexadecimal and ASCII representation of packet data.

Display Filter Bar

Powerful filtering engine to focus on specific traffic patterns or protocols.

Essential Display Filters

HTTP Traffic Analysis

http.request.method == "GET" || http.request.method == "POST"
http.response.code >= 400
http contains "password" || http contains "login"

DNS Queries and Responses

dns.qry.name contains "malicious-domain.com"
dns.flags.response == 1 && dns.flags.rcode != 0
dns.qry.type == 16 # TXT record queries

Suspicious Network Behavior

tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN flood detection
icmp.type == 8 && data.len > 1000 # Large ICMP packets
tcp.analysis.flags # TCP analysis issues

Cybersecurity Investigation Techniques

1. Malware Communication Analysis

Command and Control (C2) Detection

  • Periodic beaconing: Look for regular communication intervals
  • Unusual user agents: Non-standard or hardcoded HTTP user agents
  • Domain generation algorithms: Random-looking domain names
  • Base64 encoded data: Obfuscated payload transmission
http.user_agent contains "bot" || http.user_agent matches "^[A-Za-z]{20,}$"

2. Data Exfiltration Detection

  • Large outbound transfers: Monitor for unusual data volumes
  • Encrypted channels: TLS/SSL traffic to suspicious destinations
  • DNS tunneling: Unusually large DNS queries or responses
  • Cloud storage uploads: Traffic to known cloud services

3. Network Reconnaissance Analysis

Port Scanning Detection

  • • TCP SYN scans
  • • UDP port sweeps
  • • Service enumeration
  • • OS fingerprinting attempts

Network Mapping

  • • ARP requests patterns
  • • ICMP ping sweeps
  • • Traceroute analysis
  • • SNMP community strings

Advanced Analysis Techniques

Protocol Analysis

Layer-by-Layer Examination

Physical/Data Link Layer

MAC addresses, VLAN tags, frame errors

Network Layer

IP headers, fragmentation, routing anomalies

Transport Layer

TCP sequence numbers, connection states, UDP flows

Application Layer

Protocol-specific analysis (HTTP, SMTP, FTP, etc.)

Statistics and Flow Analysis

Wireshark's statistics features provide valuable insights into network behavior:

  • Protocol Hierarchy: Overview of protocol distribution
  • Conversations: Point-to-point communication analysis
  • Endpoints: Most active network entities
  • IO Graphs: Traffic patterns over time

Forensic Workflow

Incident Investigation Process

  1. Capture Acquisition: Obtain packet captures from relevant timeframes and network segments
  2. Timeline Creation: Establish sequence of events using timestamps
  3. IOC Extraction: Identify indicators of compromise (IPs, domains, file hashes)
  4. Protocol Analysis: Deep-dive into suspicious communications
  5. Attribution: Correlate network evidence with other security logs
  6. Documentation: Create detailed analysis reports with evidence preservation

Best Practices and Tips

Performance Optimization

  • • Use capture filters to reduce file size
  • • Increase ring buffer for long captures
  • • Save in multiple files for easier handling
  • • Close unnecessary protocol dissectors

Security Considerations

  • • Encrypt sensitive packet captures
  • • Implement access controls for capture data
  • • Follow data retention policies
  • • Anonymize data when possible

Essential Keyboard Shortcuts

Ctrl+F

Find packet

Ctrl+G

Go to packet

Ctrl+M

Mark packet

Ctrl+Shift+F

Find next

F8

Start capture

Ctrl+E

Stop capture

Ctrl+R

Restart capture

Ctrl+Shift+P

Print packet

Conclusion

Wireshark is an invaluable tool for cybersecurity professionals, offering deep visibility into network communications and enabling detailed forensic analysis. Mastering Wireshark requires practice and understanding of network protocols, but the investment pays dividends in incident response capabilities and network security understanding.

Start with basic packet analysis and gradually work toward advanced techniques like malware communication analysis and network forensics. Remember that effective network analysis combines technical skills with investigative thinking and attention to detail.