Wireshark Analysis & Traffic Investigation
Practical Packet Capture Analysis and Network Threat Investigation
Transform network packets into actionable security intelligence. Master Wireshark packet capture fundamentals, learn to identify suspicious traffic patterns conceptually, and understand how to correlate network evidence with threat indicators. Develop awareness of DNS anomalies, HTTP traffic investigation techniques, and encryption limitations in forensic investigation. Bridge the gap between theoretical protocol knowledge and practical incident response using network data.
Introduction to Wireshark
Packet Capture Fundamentals and Network Analysis Concepts
What is Wireshark?
Wireshark is the industry-standard network packet analyzer. It captures the traffic passing through a network interface and displays it in a human-readable format, showing packet headers, payloads, and traffic flow either live or from saved capture files (.pcap files). Forensic investigators, security analysts, and network administrators use Wireshark to troubleshoot network issues, investigate security incidents, and analyze malicious traffic.
Packet Capture Process
Wireshark operates in promiscuous mode (on shared network segments) or monitors the system's own traffic directly. When capturing, it intercepts every packet traversing the network interface and records it. A capture includes the full headers and, for unencrypted traffic, the full payload. The captured data is written to a .pcap file holding each packet's timestamp, headers, and data. The file can be analyzed live during capture or after the fact (forensic analysis of saved files).
Wireshark Display and Analysis
The Wireshark interface displays packets in three panes: the packet list (all captured packets in chronological order), packet details (a breakdown of the selected packet's headers), and packet bytes (the selected packet as raw hexadecimal). Color coding highlights different protocols: red for errors, green for traffic, blue for HTTPS, and so on. Analysis features include traffic statistics, protocol distribution analysis, and flow reconstruction that shows complete conversations between systems.
Wireshark for Forensic Investigation
Evidence Collection
Network captures provide forensic evidence of an attack. They show attacker commands, exfiltrated data, the timing of C&C communication, and contact with external systems. Packet timestamps establish temporal evidence, proving when the attack occurred; packet sequence numbers show the order of communication; traffic patterns show how the attack progressed. Captures are more reliable than endpoint logs because a network capture is independent of the compromised endpoint: an attacker cannot modify a capture taken at the network perimeter.
Investigative Questions Answered by Wireshark
- What external systems were contacted? Destination IP analysis shows the external servers the attacker accessed.
- When did the communication occur? Packet timestamps establish the communication timeline.
- How much data was transferred? Packet analysis shows the quantity of data, indicating the scale of exfiltration.
- What protocols were used? Protocol analysis shows the communication method (HTTP, DNS, HTTPS, custom protocols).
- What commands were executed? Payload analysis shows command execution (for unencrypted protocols).
- How persistent is the malware communication? Traffic timing shows C&C heartbeat patterns or data collection frequency.
Capture File Preservation
Wireshark .pcap files are forensic evidence and require chain-of-custody preservation. Files should be checksummed (MD5, SHA-256) to prove integrity. Captures should be timestamped and labeled with the capture location (which network interface, which firewall). Original files are retained and analysis is performed on copies. Forensic reports include the packet captures that support their conclusions, so a reviewer can independently verify the findings by analyzing the same packet file.
Traffic Investigation Concepts
Identifying Anomalous Patterns and Suspicious Activity
Suspicious DNS Patterns
What is Normal DNS Traffic?
DNS queries are normal network activity; systems constantly resolve domain names to IP addresses. Normal queries include web browsing (resolving www.google.com), email (resolving mail servers), and cloud services (resolving service endpoints). Normal DNS shows relatively small volume, queries resolve legitimate domain names, responses contain valid IP addresses, and traffic patterns are consistent with user activity (more queries during business hours, fewer at night).
DNS Anomalies Indicating Threats
Suspicious DNS patterns include: queries to known malicious domains (identified by threat intelligence feeds), queries to command-and-control infrastructure, unusually high query volume (possible data exfiltration using DNS tunneling), queries for non-existent domains (DNS brute-forcing reconnaissance), queries from unusual source IPs (an internal system making queries directly instead of going through the DNS forwarder), and DNS responses with unusual answer patterns (especially complex encoded responses suggesting data hiding).
DNS Investigation Methodology
When analyzing DNS traffic, investigators identify the query originator (which system), the queried domain (what was looked up), and the DNS response (what answer was received); check threat intelligence (is the domain known to be malicious); assess query timing (queries at 3am are unusual); and evaluate query frequency (a single query is normal, 1000 queries are unusual). DNS analysis often reveals compromise before endpoint detection does: malware communicates with its C&C via DNS before the executable even runs, enabling early warning.
Case Study: DNS C&C Detection
An incident response team detecting C&C communication observes a system querying suspicious.domain.ru every 60 seconds. Threat intelligence identifies the domain as a known botnet C&C. The DNS queries continue 24/7 regardless of user activity, suggesting automated malware communication. The DNS investigation identifies the infected system, and examination of that endpoint confirms the presence of malware. The DNS evidence alone is sufficient to justify quarantine even before the complete forensic analysis.
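The DNS checks described above (the 60-second beacon from the case study, the NXDOMAIN-heavy brute-forcing pattern, and the oversized encoded labels of DNS tunneling), as an added example that is not part of the original course material. It works on the tab-separated field lines `tshark` exports from a capture; the sample lines, hosts and timings are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample in the shape produced by:
#   tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields \
#       -e frame.time_epoch -e ip.dst -e dns.qry.name -e dns.flags.rcode
# Responses carry the queried name and the rcode; ip.dst is the host that asked.
SAMPLE = """\
1700000000.01\t10.0.0.5\tsuspicious.domain.ru\t0
1700000012.40\t10.0.0.7\twww.google.com\t0
1700000030.22\t10.0.0.9\tqzx7.corp.local\t3
1700000031.05\t10.0.0.9\tkp2w.corp.local\t3
1700000031.90\t10.0.0.9\tmail.corp.local\t0
1700000032.70\t10.0.0.9\tr8ts.corp.local\t3
1700000033.41\t10.0.0.9\tv0ak.corp.local\t3
1700000059.98\t10.0.0.5\tsuspicious.domain.ru\t0
1700000075.13\t10.0.0.7\tmail.example.com\t0
1700000120.05\t10.0.0.5\tsuspicious.domain.ru\t0
1700000140.66\t10.0.0.11\t4a6f686e20446f65204a616e6520446f6520323032.tunnel.example.net\t0
1700000179.97\t10.0.0.5\tsuspicious.domain.ru\t0
1700000200.30\t10.0.0.7\twww.google.com\t0
1700000240.02\t10.0.0.5\tsuspicious.domain.ru\t0
1700000300.01\t10.0.0.5\tsuspicious.domain.ru\t0
"""

def parse_records(text):
    """Turn tab-separated tshark field lines into (time, host, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            t, host, qname, rcode = line.split("\t")
            records.append((float(t), host, qname.lower().rstrip("."), int(rcode)))
    return records

def beacon_candidates(records, min_queries=5, max_jitter=0.1):
    """(host, qname) pairs looked up at a near-constant period, mapped to that period in
    seconds. A timer-driven lookup has tightly clustered gaps; human browsing does not."""
    times = defaultdict(list)
    for t, host, qname, _ in records:
        times[(host, qname)].append(t)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = statistics.median(gaps)
        if period > 0 and (max(gaps) - min(gaps)) / period <= max_jitter:
            found[key] = round(period)
    return found

def nxdomain_ratio(records, min_queries=5):
    """Per host, the fraction of lookups answered NXDOMAIN (rcode 3); a high ratio is the
    name brute-forcing pattern described above."""
    total, nx = defaultdict(int), defaultdict(int)
    for _, host, _, rcode in records:
        total[host] += 1
        nx[host] += rcode == 3
    return {h: nx[h] / n for h, n in total.items() if n >= min_queries}

def oversized_labels(records, max_label=32):
    """(host, qname) pairs containing a DNS label longer than max_label characters,
    the encoded-subdomain shape typical of DNS tunneling."""
    return {(h, q) for _, h, q, _ in records
            if max(len(label) for label in q.split(".")) > max_label}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for finding in (beacon_candidates(recs), nxdomain_ratio(recs), oversized_labels(recs)):
        print(finding)
```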
HTTP Traffic Anomalies
Normal HTTP Communication
HTTP traffic represents web browsing. Normal patterns: user-agent headers match the browser software, referrer headers show a logical browsing sequence, content-length varies by page type, status codes are mostly 200 (success) with the occasional 404 (not found), traffic occurs during business hours, and destination ports are standard (80 for HTTP). The HTTP payload is visible in captures, so analysts can see the web page requests and responses.
HTTP Threats and Investigation Pointers
Suspicious HTTP includes: unusual user-agent strings (generic agents, outdated browsers, programmatic clients), traffic to suspicious destinations (known malware repository sites, command-and-control servers), abnormal request frequency (thousands of requests per minute), unexpected request timing (web browsing at 3am), unusual request sizes (extremely large POST requests suggesting data exfiltration), HTTP error codes indicating scanning or brute-force (many 404 responses suggesting reconnaissance), and HTTP basic authentication (especially to external systems, a potential credential exfiltration).
HTTP Payload Analysis (Unencrypted)
For unencrypted HTTP, the full request and response are visible in the capture. Investigators can see the web pages accessed (URLs show the destination), form data submitted, cookies transmitted, and authentication credentials (if not encrypted). Modern HTTP is typically encrypted (HTTPS), which makes payload inspection impossible. However, metadata remains visible even when the payload is encrypted: the destination IP reveals the website accessed, request timing shows behavioral patterns, and request volume indicates the quantity of content. Investigators often correlate encrypted HTTPS traffic with unencrypted protocols (DNS, metadata) to establish the context of the communication.
Detecting Unusual Outbound Connections
Connection Baseline Understanding
Each organization has expected outbound connection patterns. Sales teams connect to Salesforce. Engineering connects to GitHub. Everyone connects to Google, Microsoft, and Amazon cloud services. The help desk connects to the ticket system. Expected outbound destinations remain consistent: internal systems reach the same external services repeatedly. Knowing the baseline enables anomaly detection, since an unusual external destination indicates potential compromise, data exfiltration, or attacker C&C communication.
Investigating Suspicious Outbound Connections
When analyzing captures, forensic investigators examine outbound traffic by destination IP address (is the destination known malicious, is it in an unexpected location), destination port (is the port expected for the destination service: 80/443 for web, 53 for DNS; non-standard ports are suspicious), traffic volume (large outbound volume may indicate data exfiltration), traffic frequency (continuous connections suggest C&C, periodic connections may suggest scheduled communication), and communication timing (off-hours communication is unusual).
Correlation with Endpoint Evidence
Suspicious outbound connections guide the endpoint investigation. The network shows a system connecting to 203.45.67.89:4567 continuously. Investigators examine that system and find a suspicious running process connecting to that IP. Process memory analysis shows command execution, confirming malware. Network evidence (the connection pattern) plus endpoint evidence (the suspicious process) is conclusive evidence of compromise. Without the network evidence, investigators might miss malware whose process carefully hides itself; without the endpoint evidence, investigators do not know which process caused the network communication.
Encryption Awareness
Understanding TLS/SSL and Investigation Limitations
TLS Handshake Fundamentals
What Happens During TLS Handshake?
TLS (Transport Layer Security, previously SSL) establishes an encrypted communication channel. The handshake occurs before application data is transmitted: the client initiates the connection (Client Hello), the server responds with its certificate (Server Hello), the client verifies the certificate and generates the encryption key (Client Key Exchange), and the server confirms encryption (Finished). This handshake is visible in packet captures as a sequence of unencrypted protocol messages that establish the encryption parameters.
Handshake in Wireshark Captures
Analyzing the TLS handshake reveals certificate information: the domain name (the Server Certificate shows the website accessed), the certificate issuer (reveals whether a legitimate Certificate Authority signed it or it is self-signed), the certificate validity dates (expired certificates suggest misconfiguration or a man-in-the-middle), and the cipher suite selected (indicates the negotiated encryption strength). The certificate chain shows the certificate path from the end-entity through intermediates to the root CA. The handshake sequence shows the negotiation flow, helping distinguish legitimate encryption from suspicious patterns.
Forensic Value of Handshake Analysis
Even though the application data is encrypted, the TLS handshake reveals important information: the certificate tells the investigator which website or service was accessed, the cipher suite shows the encryption strength, and handshake timing shows how long connection establishment took. For malware C&C communication, the handshake reveals the certificate used by the C&C server; investigators correlate certificate details across multiple incidents to identify common C&C infrastructure. Self-signed certificates on unusual ports often indicate malware communication (legitimate services use CA-signed certificates).
Limitations of Encrypted Traffic Inspection
The Encryption Challenge
HTTPS/TLS encryption protects data from inspection. The packet capture shows encrypted application data (gibberish in the hex display), and investigators cannot read the transmitted data without the encryption keys. In unencrypted protocols (HTTP, FTP, Telnet), the full packet contents are visible, so the investigator can see the transmitted data. With encrypted protocols, the investigator sees only headers and an encrypted payload and cannot determine whether a transmitted file is a legitimate document or exfiltrated data without other evidence.
What Remains Visible With Encryption
Despite encryption, metadata remains visible: source and destination IP addresses, destination port, communication timing, packet sequence (when data was transmitted), packet sizes (the communication pattern), handshake details (certificate information), and traffic volume (total data transferred). Skilled analysts draw conclusions from metadata: pattern analysis (timing reveals a C&C heartbeat), volume analysis (a large transfer volume suggests data exfiltration), certificate analysis (an unusual certificate reveals a suspicious service), and correlation with threat intelligence (a known C&C IP address).
Investigation Without Payload Visibility
Forensic investigation proceeds without payload access through network flow analysis (traffic patterns show the communication structure), timeline reconstruction (when the communication occurred), external intelligence (threat feeds identify C&C servers), endpoint correlation (process analysis shows which application generated the traffic), statistical analysis (volume patterns reveal exfiltration), and behavioral analysis (communication frequency distinguishes automated from manual activity). While less informative than unencrypted payload inspection, metadata analysis is sufficient for many investigations to establish compromise and communication patterns.
Approaches to Encrypted Traffic Investigation
HTTPS Inspection (Enterprise Approach)
Some organizations implement HTTPS inspection (a man-in-the-middle proxy) to decrypt HTTPS traffic for security monitoring. The organization installs the proxy certificate on its devices; the proxy intercepts HTTPS connections and decrypts them using the organization's key, inspects the decrypted content for threats, re-encrypts it to the destination, and forwards it. This enables threat detection but raises privacy and legal concerns (the organization sees all user HTTPS traffic, including personal accounts) and requires policy, technical implementation, and user consent or notification.
Certificate Pinning Verification
Certificate pinning forces clients to accept only specific certificates. Legitimate applications pin the organization's certificates, so a pinned certificate observed in captures confirms a legitimate application, while an unexpected certificate suggests a man-in-the-middle attack or malware using a different certificate. By understanding the expected certificates for critical applications (banking apps, internal services), investigators detect suspicious certificates indicating compromise or attack.
Server Name Indication (SNI) Analysis
SNI (Server Name Indication) is transmitted in unencrypted form during the handshake. While encryption hides which website was visited, SNI reveals the destination domain, so SNI analysis shows which websites were contacted even with encryption. Example: a packet shows an HTTPS connection to server IP 203.45.67.89, and the SNI reveals the destination is www.google.com. Without SNI the investigator knows only the destination IP; SNI enables identification of the domain.
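How the SNI is actually carried in the Client Hello, as an added example that is not part of the original course material: a small parser that walks the TLS record, handshake header and extension list to pull out the server_name, plus a constructed Client Hello builder to exercise it. The same cleartext position holds for TLS 1.2 and 1.3 (in 1.3 the server certificate is encrypted, so the SNI is often the only hostname left in the handshake), unless Encrypted Client Hello is in use.

```python
import struct

def extract_sni(record):
    """Return the server_name carried in a TLS ClientHello record, or None when the
    record is not a ClientHello, carries no SNI, or is truncated/malformed."""
    try:
        return _walk_client_hello(record)
    except (IndexError, struct.error):
        return None

def _walk_client_hello(record):
    if len(record) < 5 or record[0] != 0x16:                # content type 22 = handshake
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                         # handshake type 1 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    if pos + 2 > len(hello):
        return None                                         # hello without an extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                                   # walk the extensions in order
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                              # extension 0 = server_name
            continue
        off, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while off + 3 <= list_end:
            name_type, name_len = data[off], struct.unpack("!H", data[off + 1:off + 3])[0]
            off += 3
            if name_type == 0:                              # host_name entry
                return data[off:off + name_len].decode("ascii", "replace")
            off += name_len
    return None

def build_client_hello(sni=None, extra_exts=b""):
    """Construct a minimal TLS 1.2-style ClientHello record for testing; constructed here,
    not taken from any real capture."""
    exts = extra_exts
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)                        # legacy_version + all-zero random
             + b"\x00"                                      # empty session_id
             + b"\x00\x02\x13\x01"                          # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                  # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    # A supported_groups extension ahead of server_name shows the walk skipping other extensions.
    groups = b"\x00\x0a\x00\x04\x00\x02\x00\x1d"
    print(extract_sni(build_client_hello("www.google.com", groups)))   # www.google.com
    print(extract_sni(build_client_hello()))                            # None: no SNI present
```

In a capture, the same bytes are what Wireshark shows under the `tls.handshake.extensions_server_name` field; a Client Hello with no SNI at all is itself worth a look, since browsers always send one.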
DNS Correlation
Before an HTTPS connection, the system performs a DNS query resolving the domain to an IP. By correlating the two, investigators see that the system queried an attacker-controlled domain via DNS and then connected to the resulting IP via HTTPS. The DNS query is visible (unencrypted) while the HTTPS connection is encrypted; together they establish that an attacker-controlled domain was accessed, and the domain itself provides context (a malicious domain name suggests intent) even if the payload is encrypted. Many investigations rely on DNS correlation to establish the domains accessed.
Enterprise SOC Use Cases
Practical Incident Reconstruction and Threat Detection
Incident Reconstruction Using Network Data
Establishing Attack Timeline
Network captures provide a precise timeline of attack progression. Packet timestamps (accurate to the microsecond) establish the exact sequence of events. Investigators reconstruct the attacker's initial reconnaissance (DNS queries, port scans), the timing of credential compromise (failed login attempts, successful authentication), lateral movement (internal system-to-system connections), and data exfiltration (large outbound connections). The timeline often reveals the attack duration (hours, days, or weeks of internal presence before detection). Comparing the timeline with endpoint logs validates the evidence: a network timestamp of 14:32:17 when the attacker spawned a process correlates with an endpoint log entry at the same moment, confirming coordination.
Identifying Attacker Infrastructure
Network analysis reveals the external systems the attacker contacts. Packet captures show destination IP addresses, ports, and connection patterns. Investigators collect all external IPs contacted and run them through threat intelligence feeds to identify known C&C servers, malware repositories, and attacker infrastructure. Attacker-controlled servers often share hosting characteristics (the same IP block, hosting provider, or network AS number). Identifying the external infrastructure enables infrastructure takedown coordination (notifying the hosting provider to remove the servers), identifying other victims (checking logs for other internal systems contacting the same C&C), and correlating attacks (the same infrastructure across multiple incidents suggests the same attacker group).
Damage Assessment
Network captures enable forensic investigators to determine the scope and severity of an attack. Data exfiltration is quantified through traffic volume analysis: large outbound transfers indicate substantial data loss. The extent of lateral movement is measured through internal traffic analysis: how many internal systems did the attacker touch, and are critical systems compromised? Evidence of command execution comes from network traffic patterns: the frequency of attacker communication suggests active control versus dormant malware. Investigators answer organizational leadership's key question: how bad is this incident? The impact assessment drives the response severity, from a small isolated infection to an enterprise-wide compromise requiring a full network rebuild.
Case Study: Ransomware Attack Reconstruction
Scenario: Ransomware is detected on a file server. The incident response team collects a Wireshark capture from the network perimeter. Network analysis shows: (1) 14:15 - a system contacts the attacker IP and downloads the encryption payload, (2) 14:17 - initial lateral movement to 3 other systems, (3) 14:25 - rapid file access patterns indicating that encryption has begun, (4) 14:30 - the ransom demand is sent to the attacker IP, (5) 15:00 - a large outbound data transfer suggesting backup exfiltration. The timeline shows a 15-minute window from infection to the start of encryption.
Conclusion: the incident scope (4 systems affected, backups exfiltrated), the impact timeline (rapid encryption spread), and the attacker infrastructure (the specific IP address and port used). Investigators correlate the network findings with endpoint forensics to confirm malware execution, identify the propagation method (compromised credentials versus vulnerability exploitation), and quantify the data loss. The network evidence provides the objective timeline investigators present in the incident report.
Malware Communication Detection
C&C Communication Patterns
Command-and-control malware exhibits characteristic traffic patterns. The infected system regularly contacts the attacker-controlled server: heartbeat communications (periodic connections, often daily or hourly), consistent port and protocol use (the malware is hardcoded to a specific C&C server), unusual timing (3am communication is unusual for a user workstation), binary or obfuscated protocols (malware traffic is often binary rather than human-readable), and repeated failed connection attempts (the malware trying backup C&C servers when the primary is unavailable). These patterns distinguish malware traffic from legitimate applications.
Identifying Compromised Systems
SOC analysts using Wireshark and network flow data identify compromised systems through a system contacting a known malicious IP (threat intelligence feeds provide the lists), a system exhibiting unusual outbound connections (to uncommon destinations), a system showing scanning behavior (attempting connections to many ports on multiple systems), a system querying suspicious domains via DNS, or a system sending encrypted traffic to unusual destinations (legitimate applications use known service certificates). Once a suspect system is identified, a full forensic investigation proceeds: the capture is extended, endpoint forensics is initiated, and isolation is planned if necessary.
Botnet Detection and Attribution
When multiple internal systems show similar traffic patterns (the same external IP, port, and timing pattern), the indicators suggest a botnet infection: multiple systems infected with the same malware communicating with the same C&C. Botnet detection reveals the scale of infection (100 infected systems is a massive breach; a single infected system is a contained incident). Investigators attempt to identify the botnet type through traffic pattern analysis (the Mirai botnet has a signature communication pattern, Emotet a different one). Attributing the botnet to a known malware family enables leveraging threat intelligence about that malware's capabilities, typical targets, and effective defense strategies.
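The outbound-connection checks from the "Detecting Unusual Outbound Connections" section (baseline of expected destinations, outbound volume) together with the shared-destination test this section describes for botnet detection, as one added example that is not part of the original course material. The flow summaries, the two "expected" services in the baseline and the byte counts are constructed; the C&C address 203.45.67.89:4567 is the one the page itself uses.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries of the kind exported from Wireshark's Conversations view
# (Statistics > Conversations) or from flow data: (internal src, external dst, dst port, bytes out).
def _flows(src, dst, port, count, nbytes):
    return [(src, dst, port, nbytes)] * count

BASELINE = {("203.0.113.10", 443), ("198.51.100.20", 443)}   # constructed expected services (CRM, mail)
FLOWS = (
    _flows("10.0.0.5", "203.45.67.89", 4567, 12, 1_200)         # the page's example C&C destination
    + _flows("10.0.0.6", "203.45.67.89", 4567, 12, 1_200)       # second host, same destination
    + _flows("10.0.0.7", "203.0.113.10", 443, 30, 50_000)
    + _flows("10.0.0.8", "203.0.113.10", 443, 20, 40_000)
    + _flows("10.0.0.8", "198.51.100.20", 443, 10, 60_000)
    + _flows("10.0.0.9", "203.0.113.10", 443, 24, 50_000)
    + _flows("10.0.0.9", "198.51.100.77", 443, 1, 850_000_000)  # one huge upload to an unknown host
    + _flows("10.0.0.10", "198.51.100.20", 443, 26, 50_000)
)

def unexpected_destinations(flows, baseline):
    """Per internal host, the (dst, port) pairs that are not in the expected-services baseline."""
    out = defaultdict(set)
    for src, dst, port, _ in flows:
        if (dst, port) not in baseline:
            out[src].add((dst, port))
    return dict(out)

def volume_outliers(flows, k=5.0):
    """Hosts whose total outbound bytes sit more than k median-absolute-deviations above the
    median host. Median/MAD rather than mean/stdev so one huge transfer cannot mask itself."""
    totals = defaultdict(int)
    for src, _, _, nbytes in flows:
        totals[src] += nbytes
    med = statistics.median(totals.values())
    mad = statistics.median(abs(v - med) for v in totals.values()) or 1
    return {h: t for h, t in totals.items() if (t - med) / mad > k}

def shared_unexpected_destinations(flows, baseline, min_hosts=2):
    """Unexpected (dst, port) pairs reached by several internal hosts: the shared-C&C shape
    that points to a botnet rather than a single infection."""
    hosts = defaultdict(set)
    for src, dst, port, _ in flows:
        if (dst, port) not in baseline:
            hosts[(dst, port)].add(src)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    print(unexpected_destinations(FLOWS, BASELINE))
    print(volume_outliers(FLOWS))
    print(shared_unexpected_destinations(FLOWS, BASELINE))
```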
Insider Threat Investigation
Data Exfiltration Detection
Network monitoring reveals data exfiltration through unusual outbound traffic. Normal traffic patterns show typical bandwidth consumption. Data exfiltration shows large outbound transfers at unusual times, transfers to external email services (Gmail, Hotmail: personal accounts), transfers to cloud storage services (Box, Dropbox, OneDrive: personal services), compressed or encrypted archives being transmitted (legitimate users rarely send encrypted archives to external services), and multiple simultaneous transfers (suggesting bulk exfiltration rather than normal traffic).
Behavioral Analysis
Insider threat investigations correlate network data with behavioral indicators: an employee working unusual hours (system activity during off-hours is suspicious), accessing unfamiliar systems (lateral movement to systems not normally accessed), accessing unusual data (files outside the job scope), or downloading an unusual data volume (normal daily usage versus sudden large bulk transfers). Network data alone is insufficient; investigations combine the network evidence with employee access logs, job responsibilities, and contextual information to assess the threat level and the direction of the investigation.
Threat Hunting Using Network Data
Proactive Investigation Strategy
Traditional incident response is reactive: an incident is detected and a response initiated. Threat hunting is proactive: the security team searches for undetected compromise. Analysts use Wireshark and network flow data to search for indicators: systems contacting known malicious IPs, unusual external connections, DNS queries to known malicious domains, lateral movement patterns, and suspicious port usage. Threat hunting often discovers a compromise before the attacker initiates damage; early identification enables containment before data exfiltration.
Hypothesis Testing with Network Data
Threat hunters develop hypotheses: "Which systems accessed attacker IP 203.45.67.89?" A query of the network logs finds the affected systems. "Which systems queried the known C&C domain?" The network DNS logs reveal them. "Which systems show unusual outbound volume?" Flow data analysis identifies the statistical outliers. Testing these hypotheses against network data enables targeted investigation rather than unfocused searching. Successful threat hunting relies on network data analytics that enable correlation and pattern matching across billions of network events.
External Learning Resources
Official Wireshark Documentation and Network Analysis References
Official Wireshark Documentation
For a comprehensive reference on Wireshark functionality, the official documentation provides authoritative guidance. The Wireshark User Guide covers installation, the interface, packet capture, filtering, and analysis features. The Display Filter Reference documents all available display filters and their syntax. The Wireshark Security Policy details responsible vulnerability disclosure. Community resources and forums provide peer support and technique sharing.
Final Module: Advanced Forensics
You've mastered Wireshark analysis and network threat investigation. Module 3 will teach you advanced forensic techniques: deep packet inspection, behavioral analysis, threat attribution, and professional incident response methodology. Learn how elite forensic teams transform network evidence into court-ready reports.