
Is wireshark free to use
Since most malware and cyberattacks use the network, the ability to analyze network traffic data is invaluable for incident response. This section looks at some of the basic capabilities of Wireshark and their applications and potential utility for IR.

Wireshark is a great tool for achieving high-level awareness of the types of traffic in a packet capture or flowing live over a network. The screenshot above shows a sample of Wireshark’s default view. Each line summarizes a packet, and packets are color-coded based on protocol and other attributes. The colors in the capture above make it easy to differentiate DNS traffic (blue) from HTTP (green). Wireshark also includes visual cues for unusual packets. For example, RST packets in TCP are colored red, making it easy to see if there is anomalous behavior on the network (in this case, a possible scan). Simply by scrolling through the packet summaries, it’s possible to get a rough idea of the mix of traffic in a capture and identify some potential abnormalities that deserve further investigation.

Wireshark also provides a wealth of high-level statistical data regarding a packet capture. These statistics have their own drop-down menu in Wireshark’s menu ribbon. The screenshot above is accessed via Statistics → Conversations. This tab summarizes the conversations between different IPv4 addresses. This is useful for identifying if unusual connection patterns exist within a network. For example, a single machine connecting with a number of different systems within the network may indicate attempts at scanning or lateral movement.

The screenshot above is from Statistics → HTTP → Requests. As shown, it lists the HTTP hosts contacted within a packet capture. This can be useful in checking if an organization’s DNS blacklist is missing any important entries based upon connections to suspicious domains.

Packet-level detail

At the other end of the spectrum, Wireshark is also excellent for diving deep into the details of the traffic flowing on the network.
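The two checks described above (spotting one source that talks to many peers in the Conversations view, and comparing the HTTP hosts contacted against a DNS blocklist) can be scripted once the capture is exported from Wireshark. The following is an added example, not code from the original article or from the Wireshark project. It assumes the input has the shape of tshark's field export (tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e http.host, tab-separated, with http.host empty for non-HTTP packets); the sample records, addresses, host names, the fan-out threshold and the blocklist are all constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample in the shape of
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e http.host
# output (assumed tab-separated; http.host is empty for non-HTTP packets).
# Addresses come from documentation ranges; this is not real capture data.
SAMPLE_FIELDS = (
    "10.0.0.5\t10.0.0.1\t\n"
    "10.0.0.5\t10.0.0.2\t\n"
    "10.0.0.5\t10.0.0.3\t\n"
    "10.0.0.5\t10.0.0.4\t\n"
    "10.0.0.5\t10.0.0.6\t\n"
    "10.0.0.7\t203.0.113.10\texample.com\n"
    "10.0.0.7\t203.0.113.10\texample.com\n"
    "10.0.0.8\t203.0.113.20\tupdates.example.net\n"
    "10.0.0.8\t203.0.113.20\tbad.example.org\n"
)


def parse_fields(text):
    """Turn tab-separated (src, dst, host) lines into tuples; host may be ''."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (3 - len(parts))  # pad lines that lack trailing fields
        src, dst, host = parts[:3]
        records.append((src, dst, host))
    return records


def conversation_fanout(records):
    """Distinct peers per source: the Conversations tab reduced to a count."""
    peers = defaultdict(set)
    for src, dst, _ in records:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def flag_fanout(records, threshold=5):
    """Sources talking to at least `threshold` distinct hosts.

    A high fan-out from one internal machine is the scan / lateral-movement
    pattern the text describes; the threshold is an assumed tuning value.
    """
    fan = conversation_fanout(records)
    return sorted(src for src, n in fan.items() if n >= threshold)


def http_hosts(records):
    """Request count per HTTP Host header, like Statistics -> HTTP -> Requests."""
    return Counter(host for _, _, host in records if host)


def review_against_blocklist(hosts, blocklist):
    """Split observed hosts into those the blocklist should already cover
    (contact still happened, so the control is not effective) and those
    not listed, which an analyst reviews as possible missing entries."""
    listed = sorted(h for h in hosts if h in blocklist)
    unlisted = sorted(h for h in hosts if h not in blocklist)
    return listed, unlisted


if __name__ == "__main__":
    recs = parse_fields(SAMPLE_FIELDS)
    print("high fan-out sources:", flag_fanout(recs))
    hosts = http_hosts(recs)
    print("HTTP hosts:", dict(hosts))
    listed, unlisted = review_against_blocklist(hosts, {"bad.example.org"})
    print("contacted despite blocklist:", listed)
    print("not on blocklist, review:", unlisted)
```

On the sample, 10.0.0.5 is reported for contacting five distinct hosts, bad.example.org is reported as contacted even though it is on the blocklist, and the two remaining hosts are listed for review. With a real export, replace SAMPLE_FIELDS with the contents of the tshark output file and raise the fan-out threshold to suit the size of the network.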