reqopvisa.blogg.se - Wireshark display filters cheat sheet

Security professionals often document indicators related to Windows infection traffic such as URLs, domain names, IP addresses, protocols, and ports. These indicators are often referred to as Indicators of Compromise (IOCs). Indicators consist of information derived from network traffic that relates to the infection. These infections can follow many different paths before the malware, usually a Windows executable file, infects a Windows host. This tutorial uses examples of Windows infection traffic from commodity malware distributed through mass-distribution methods like malicious spam (malspam) or web traffic.

Filters for other types of infection traffic.

Filters for web-based infection traffic.

This tutorial covers the following areas: Instead, it shows some tips and tricks for Wireshark filters. This is not a comprehensive tutorial on how to analyze malicious network traffic. And you should also have a basic understanding of how malware infections occur. Keep in mind you must understand network traffic fundamentals to effectively use Wireshark.

Pcaps for this tutorial are available here.

It covers display filter expressions I find useful in reviewing pcaps of malicious network traffic from infected Windows hosts. Today's post provides more tips for analysts to better use Wireshark. To better accomplish this work, I use a customized Wireshark column display as described my previous blog about using Wireshark. As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples.