CSW33

The document outlines a step-by-step guide for analyzing malware traffic using Wireshark, focusing on various suspicious activities such as unusual DNS lookups, HTTP requests, and large outbound transfers. It provides specific filters and methods to track potential malware behavior, including beaconing and data exfiltration through different protocols. The guide emphasizes inspecting TCP streams and SSL/TLS handshakes for further insights into malicious communications.

Uploaded by

Tanya Singh
Copyright: © All Rights Reserved

Experiment No.

Aim :- Wireshark Malware Traffic Analysis

1. Initial Setup

• Load the PCAP file in Wireshark.
• Go to: Statistics > Protocol Hierarchy – see what protocols are used.
• Statistics > Conversations – inspect endpoints and how much data was transferred.

2. Suspicious DNS Lookups

Malware often uses strange domain names or domains produced by a DGA (domain generation algorithm).

Use this filter:
dns

Look for:

• Random-looking domain names (e.g., x12f32asd.biz)

Tip: Right-click a domain > “Apply as Filter” > “Selected” to track that domain across the capture.

3. Look for Beaconing Behavior (C2)

ip.addr == <suspect IP>


Or:
tcp.stream eq <n>

Check “Statistics > IO Graphs”:

• Plot packets per second/minute.
• Repetitive traffic every X seconds = possible beaconing.

4. Detect Suspicious HTTP Activity

http.request

Look for:
• POST or PUT methods to unknown or external IPs.
• Suspicious User-Agent strings like curl, python, etc.
• Base64-encoded data in payloads.

Example filter for POST (the quotes must be straight ASCII quotes, or Wireshark rejects the filter):

http.request.method == "POST"

5. Track Large Outbound Transfers

frame.len > 1000 && ip.dst != <internal IP range>


You’re checking for large packets sent outside the network. With the private address ranges filled in, the destination part of the filter becomes:
ip.dst != 192.168.0.0/16 && ip.dst != 10.0.0.0/8

6. Inspect TCP Streams

tcp

Then:

• Right-click a suspicious packet
• Choose: “Follow > TCP Stream”
• Inspect contents of communication (look for commands, encoded data, etc.)

7. SSL/TLS Inspection (if possible)

ssl.handshake
Or:
tls

Look for:

• Unusual SNI fields (domain names in the TLS handshake)
• Suspicious self-signed certificates
• No Server Name Indication (possible obfuscation)

8. Check for Exfiltration via ICMP, FTP, SMTP, etc.

Some malware uses unusual protocols for data exfiltration:


icmp
ftp
smtp

Look for payloads in ICMP (there shouldn't be much normally), or large amounts of outbound data in FTP or SMTP.

Step-by-Step in Wireshark

Step 1: Open the .pcap File

• Launch Wireshark
• Open your .pcap file (File > Open)

Step 2: Go to TCP Conversations

1. Click on Statistics in the top menu bar
2. Select Conversations
3. A new window opens — go to the TCP tab
4. You'll see a table with source/destination IPs, number of packets, bytes, etc.

Step 3: Look for Suspicious Traffic

• Sort by “Packets” or “Bytes”
• Look for:
  o A single external IP communicating very frequently
  o Unusual IP addresses (not in your local network)
  o Communication with consistent packet sizes or intervals

Step 4: Use “Follow TCP Stream”

1. Pick one suspicious connection (row)
2. Click to highlight that row
3. Now, look at the bottom left of the Conversations window — click “Follow Stream”.
   This button only appears after selecting a row.
4. A new window will pop up showing the entire conversation (request + response) between the two hosts.

Step 5: Analyse the TCP Stream

Look for:
• Suspicious POST requests (sending data out)
• Weird or obfuscated content (e.g., base64 blobs, binary data)
• Repeated messages or heartbeats (beaconing behaviour)
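Sections 3 and Step 3/5 above ask you to spot external hosts contacted at regular intervals. The script below is an added example, not part of the lab handout: it applies that beaconing check to a constructed packet list shaped like a Wireshark CSV export (time, source, destination, frame length), excludes RFC 1918 destinations (the handout's two ranges plus 172.16.0.0/12, an assumption), and flags a (src, dst) pair when its inter-packet gaps have a low coefficient of variation. Thresholds `min_packets` and `max_cv` are assumed tuning values.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample: (seconds since capture start, src IP, dst IP, frame length),
# the columns you would get from File > Export Packet Dissections > As CSV.
SAMPLE_PACKETS = [
    # 10.0.0.5 contacts 203.0.113.9 every ~60 s with identical sizes: beacon-like
    (0.0, "10.0.0.5", "203.0.113.9", 312),
    (60.1, "10.0.0.5", "203.0.113.9", 312),
    (120.0, "10.0.0.5", "203.0.113.9", 312),
    (179.9, "10.0.0.5", "203.0.113.9", 312),
    (240.2, "10.0.0.5", "203.0.113.9", 312),
    # ordinary browsing: irregular timing and sizes
    (3.0, "10.0.0.5", "198.51.100.20", 1514),
    (4.2, "10.0.0.5", "198.51.100.20", 640),
    (57.0, "10.0.0.5", "198.51.100.20", 1514),
    (58.5, "10.0.0.5", "198.51.100.20", 90),
    # regular but internal traffic: must be ignored by the external-only check
    (10.0, "10.0.0.5", "10.0.0.7", 312),
    (70.0, "10.0.0.5", "10.0.0.7", 312),
    (130.0, "10.0.0.5", "10.0.0.7", 312),
    (190.0, "10.0.0.5", "10.0.0.7", 312),
]

# The handout's two ranges plus 172.16.0.0/12 (assumed third RFC 1918 range).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def is_internal(ip):
    """True if ip falls in one of the private ranges (mirrors ip.dst != ... filter)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(packets, min_packets=4, max_cv=0.1):
    """Return {(src, dst): (median_gap_seconds, cv)} for external destinations whose
    inter-packet gaps are regular: coefficient of variation (stdev/mean) <= max_cv."""
    times = defaultdict(list)
    for ts, src, dst, _length in packets:
        if not is_internal(dst):          # only outbound-to-external pairs
            times[(src, dst)].append(ts)
    hits = {}
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_packets:         # too few packets to judge regularity
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[pair] = (round(statistics.median(gaps), 1), round(cv, 3))
    return hits
```

Running `find_beacons(SAMPLE_PACKETS)` flags only the 203.0.113.9 pair with a median gap of about 60 s; the browsing traffic fails the regularity test and the internal pair is never considered.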
