Home > Digital Forensics

Wireshark

Wireshark is one of the most essential tools in network forensics, used to capture, filter, and analyze packets in real time. It offers deep visibility into network traffic, protocol behavior, suspicious communications, and attacker activities. Wireshark helps investigators inspect every packet, reconstruct network sessions, identify malicious traffic patterns, and detect anomalies that may indicate compromise.

Understanding Wireshark’s Role in Forensics

Wireshark is used to analyze:

  • Live network traffic

  • PCAP files collected from sensors or other tools

  • Suspicious packets from incident response logs

  • Malware communication patterns

  • C2 channels, DNS tunneling, beaconing

  • Protocol misuse or anomalies

It provides complete packet-level visibility, enabling investigators to reconstruct exactly what happened on the network.

Key Wireshark Features for Forensic Work

1. Packet Capture and Analysis

Wireshark shows every packet with:

  • Source and destination IPs

  • Protocol types

  • Ports

  • Flags

  • Payload data

  • Timestamps

  • Length and metadata

This helps analysts reconstruct attacker actions in detail.

2. Advanced Display Filters

Filters help isolate relevant traffic instantly.

Examples:

ip.addr == 192.168.1.10
tcp.port == 443
dns
http.request
tcp.flags.syn == 1
frame contains "password"

Display filters are the core of fast investigation.

3. Protocol Decoding

Wireshark supports thousands of protocols including:

  • TCP/UDP

  • HTTP/HTTPS

  • DNS

  • SMB

  • Kerberos

  • TLS

  • FTP

  • SSH

  • DHCP

It dissects protocols automatically so traffic is easy to interpret.

4. Follow Stream Reconstruction

Wireshark can rebuild:

  • TCP streams

  • HTTP sessions

  • DNS conversations

  • TLS handshakes

This allows investigators to view conversations in context rather than isolated packets.

5. Expert Information

The “Expert Info” panel highlights:

  • Errors

  • Warnings

  • Bad checksums

  • Retransmissions

  • Malformed packets

  • Potentially suspicious activity

Useful for quick anomaly identification.

6. Color Coding

Different protocol types and event types are color-coded for clarity.
Analysts can customize rules for visibility or SOC workflows.

How Wireshark Is Used in Forensic Investigations

1. Identifying Suspicious Hosts

By analyzing traffic volumes and communication patterns, investigators can detect:

  • Unknown external IPs

  • Beaconing behavior

  • Data exfiltration

  • Port scanning

  • Inbound brute-force attempts

IP conversations and statistics panels reveal communication patterns clearly.

2. Malware Traffic Analysis

Malware commonly communicates via:

  • HTTP-based C2

  • DNS tunneling

  • Suspicious TCP handshakes

  • Encrypted exfiltration channels

Wireshark helps analysts inspect:

  • User agents

  • Host headers

  • Suspicious domains

  • Odd TLS certificates

  • POST requests with encoded payloads

3. DNS Forensics

DNS is often abused for:

  • C2 lookups

  • Data leakage

  • Domain shadowing

  • Fast-flux behavior

Key things to inspect:

  • Query domains

  • Record types

  • Unusual subdomains

  • TXT records

  • High-frequency lookups

4. HTTP/HTTPS Analysis

Wireshark reveals:

  • Requests

  • Responses

  • Cookies

  • Headers

  • Redirects

  • File downloads

Useful for phishing investigation and identifying malicious payloads.

5. TLS Investigation

While encrypted, TLS still exposes metadata:

  • SNI

  • Cert fingerprints

  • Issuers

  • Versions

  • Cipher suites

These can indicate malicious or suspicious connections.

6. Detecting Network Scanning

Indicators include:

  • SYN floods

  • Sequential port enumeration

  • Rapid connection attempts

  • ARP storms

Wireshark’s packet view and statistics make identification straightforward.

7. File Extraction

Wireshark can extract transferred files from:

  • HTTP

  • FTP

  • SMB

  • TFTP

Recovered files help confirm malware delivery or data exfiltration.

Useful Wireshark Panels for Forensics

Statistics → Conversations

Shows communication pairs.

Statistics → Endpoints

Lists hosts seen in traffic.

Statistics → Protocol Hierarchy

Shows protocol distribution.

Statistics → I/O Graphs

Visualizes activity spikes and trends.

Expert Information

Reveals anomalies and protocol issues.

Essential Display Filters for Investigators

http
dns
tcp.flags.syn == 1 and tcp.flags.ack == 0
tcp.flags.fin == 1
frame contains "password"
tcp.port == 4444
ip.addr == <suspicious IP>
ssl.handshake.type == 1
ftp
icmp
smb

These immediately isolate key evidence.

Best Practices for Using Wireshark in Forensic Cases

  • Always work on copies of PCAP files, not originals

  • Use display filters to narrow focus quickly

  • Correlate events with logs from firewall, EDR, proxy

  • Use “Follow Stream” to reconstruct conversations

  • Export objects to recover transferred files

  • Use I/O graphs to detect attack peaks

  • Regularly update protocol dissectors

  • Document findings with screenshots and extracted sessions

Intel Dump

  • Wireshark analyzes packet-level traffic including IP, TCP, UDP, DNS, HTTP, TLS, SMB, and thousands of protocols.

  • Key forensic features include display filters, stream reconstruction, protocol decoding, expert information, and statistical views.

  • Used to detect malware traffic, C2 behavior, DNS tunneling, scanning, suspicious hosts, data exfiltration, and anomalous sessions.

  • Investigators rely on filters, conversations, protocol hierarchy, file extraction, and TLS metadata to uncover attacker activity.

  • Wireshark is essential for incident response, malware analysis, and network forensic investigations.

HOME COMMUNITY CAREERS DASHBOARD