
"Network traffic doesn't lie, but it does hide."
Wireshark is an essential tool for cybersecurity professionals, enabling deep network traffic analysis. Mastering its filters can drastically improve threat detection and incident response efficiency. Below are 25 critical Wireshark filters every SOC analyst, IR specialist, and network defender should know.
Essential Wireshark Filters
1. `ip.addr == x.x.x.x` – Traffic to or from a specific IP (isolate a suspicious host).
2. `ip.src == x.x.x.x` – Traffic originating from a specific source IP.
3. `!(ip.addr == x.x.x.x)` – Exclude known-good hosts from the view.
4. `icmp.type == 3` – ICMP Destination Unreachable messages (a burst of them often accompanies scanning).
5. `tcp or udp` – Keep only transport-layer (TCP/UDP) traffic.
6. `tcp.port == 80` – Unencrypted HTTP on either the source or the destination port.
7. `tcp.srcport == 1000` – Traffic from a specific client-side port.
8. `http or dns` – HTTP and DNS traffic only.
9. `tcp.flags.syn == 1` – Packets with the SYN bit set (SYN scans, connection attempts).
10. `tcp.flags == 0x012` – Packets whose flags are exactly SYN+ACK, the second step of the three-way handshake; a server answering with these shows the port is open.
11. `tcp.analysis.retransmission` – Retransmitted segments (network problems or packet manipulation).
12. `http.request.method == "GET"` – HTTP GET requests (e.g., reflected XSS or parameter-tampering attempts carried in the URL).
13. `dns.qry.name contains "example.com"` – DNS queries for a given domain.
14. `tcp contains "password"` – TCP segments containing the string "password" (plaintext credentials).
15. `http.user_agent contains "nmap"` – Requests whose User-Agent header identifies Nmap.
16. `tls.handshake` (`ssl.handshake` in older releases) – TLS handshake messages.
17. `tcp.port == 443` – HTTPS traffic.
18. `ip.dst == x.x.x.x && tcp.port == 22` – SSH traffic to a host.
19. `frame.time >= "2024-01-01 12:00:00"` – Frames captured at or after a timestamp.
20. `udp.port == 53` – DNS over UDP.
21. `smb || nbns || nbss` – SMB and NetBIOS traffic.
22. `tcp.stream eq 5` – Every packet of one TCP conversation (stream 5).
23. `http.response.code == 404` – HTTP responses with status 404 (failed requests).
24. `arp.opcode == 1` – ARP requests (an unusual volume, or conflicting replies, can indicate spoofing).
25. `dhcp.option.hostname` (`bootp.option.hostname` in older releases) – Hostnames announced in DHCP requests.
You Should Know:
Practical Commands & Steps for Cybersecurity Analysis
1. Capture Traffic with Tshark (CLI Alternative to Wireshark)
`tshark -i eth0 -f "tcp port 80" -w http_traffic.pcap`
– `-i` = interface
– `-f` = BPF capture filter
– `-w` = save to file
2. Extract Suspicious IPs from Logs
`grep -E "Failed password" /var/log/syslog | grep -oE 'from [0-9a-fA-F.:]+' | awk '{print $2}' | sort | uniq -c | sort -nr`
– Pulls the address after `from` instead of a fixed `$11`: sshd writes `Failed password for invalid user NAME from IP`, which shifts the field positions.
– On Debian/Ubuntu sshd logs to `/var/log/auth.log`, on RHEL-family systems to `/var/log/secure`; adjust the path accordingly.
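The pipeline above is quick, but the field number it prints is fragile. The following added example (not from the original post) does the same counting in Python over a few constructed sshd lines and shows the `invalid user` field shift; the log lines, hostnames and RFC 5737 addresses are all made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sshd log lines in syslog format (not from a real host);
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 14 10:02:11 host sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jan 14 10:02:13 host sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Jan 14 10:02:15 host sshd[2205]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Jan 14 10:02:16 host sshd[2207]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
Jan 14 10:02:18 host sshd[2209]: Failed password for invalid user test from 203.0.113.9 port 51030 ssh2
"""

# Matches both wordings sshd uses, so the source address is always the
# same capture group wherever it sits in the line.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def awk_field(line, n):
    """What `awk '{print $n}'` would print: whitespace-split field n (1-based)."""
    fields = line.split()
    return fields[n - 1] if n <= len(fields) else ""


def failed_logins(lines):
    """Count failed SSH logins per source IP and record the usernames tried.
    Same result as grep | awk | sort | uniq -c | sort -nr, but immune to the
    field shift that 'invalid user' lines cause for a fixed $11."""
    per_ip = Counter()
    users = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue
        per_ip[m["ip"]] += 1
        users.setdefault(m["ip"], set()).add(m["user"])
    return [(ip, n, sorted(users[ip])) for ip, n in per_ip.most_common()]


def top_offenders(text, threshold=2):
    """Sources with at least `threshold` failures: the ones worth a closer look."""
    return [e for e in failed_logins(text.splitlines()) if e[1] >= threshold]


if __name__ == "__main__":
    # For the second sample line, awk's $11 is the username, not the address.
    print("awk $11 on an 'invalid user' line:", awk_field(SAMPLE_LOG.splitlines()[1], 11))
    for ip, n, names in top_offenders(SAMPLE_LOG):
        print(f"{n:4d} {ip}  users tried: {', '.join(names)}")
```

Feeding the real file is a matter of `top_offenders(open("/var/log/auth.log").read())`; raising `threshold` hides the one-off typos and leaves the password-spraying sources.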
3. Monitor Live Traffic for Anomalies
`tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0' -nn -v`
– Prints every packet with the SYN bit set (scanning activity); `tcp[13] & 2 != 0` is the same test written against the raw flags byte.
4. Automate Wireshark Filtering with Bash
`tshark -r capture.pcap -Y 'http.request.method == "POST" && ip.src == 192.168.1.100'`
– Use `tshark` rather than `wireshark` in scripts: it prints matching packets to stdout instead of opening the GUI, and the single outer quotes keep the inner `"POST"` intact for the display filter.
5. Detect ARP Spoofing
`arpwatch -i eth0 -f arp_log.dat`
6. Extract Files from PCAP
`foremost -v -i suspicious.pcap -o extracted_files`
7. Analyze SSL/TLS Certificates
`openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text`
– `</dev/null` closes the session once the handshake is done so the pipeline does not hang; `-servername` sends SNI so a virtual-hosted server returns the right certificate.
8. Check for DNS Exfiltration
`tshark -r dns_traffic.pcap -Y 'dns.qry.name matches "malicious"'`
– `matches` (alias `~`) is a regular-expression match; strings in display filters go in double quotes. Exfiltration also tends to show up as unusually long query names, so `-Y 'dns.qry.name.len > 50'` is a useful second pass.
9. Find ICMP Tunneling (Covert Channels)
`tcpdump -nni eth0 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'`
– Shows ICMP that is neither Echo Request (type 8) nor Echo Reply (type 0); `icmp[0]` is the raw-offset form of `icmp[icmptype]`.
10. Extract HTTP Headers
`tshark -r http_traffic.pcap -Y http.request -T fields -e http.host -e http.user_agent`
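To make concrete what filters 4, 9, 10 and 14 above and the tcpdump byte tests in steps 3 and 9 actually inspect, here is an added example that is not part of the original post: a Python script that builds a small pcap in memory from constructed Ethernet/IPv4 frames, decodes the handful of fields those filters use under their Wireshark names, and counts matches. The addresses, ports and payload are invented; checksums are left at zero because nothing here verifies them.

```python
"""Constructed pcap plus a tiny decoder showing what the display filters match."""
import struct

CLIENT, SERVER = "192.168.1.100", "10.0.0.5"   # constructed addresses
SYN, ACK, PSH = 0x02, 0x10, 0x08               # tcp.flags bits (the byte tcp[13])


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def _frame(src, dst, proto, l4):
    """Ethernet II + IPv4 header around an L4 segment. MACs and checksums are
    zero; nothing below inspects them (constructed test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                     proto, 0, _ipv4(src), _ipv4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return _frame(src, dst, 6, hdr + payload)


def icmp_frame(src, dst, icmp_type, payload=b""):
    return _frame(src, dst, 1, struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + payload)


def build_pcap(frames):
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1704110400 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap):
    e = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def decode(frame):
    """Expose the fields the filters use under their Wireshark names."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    l4 = frame[14 + ihl:14 + total]
    pkt = {"ip.src": ".".join(map(str, frame[26:30])),
           "ip.dst": ".".join(map(str, frame[30:34])), "ip.proto": frame[23]}
    if pkt["ip.proto"] == 6:
        pkt["tcp.srcport"], pkt["tcp.dstport"] = struct.unpack("!HH", l4[:4])
        pkt["tcp.flags"] = l4[13]                    # tcpdump's tcp[13]
        pkt["tcp.payload"] = l4[(l4[12] >> 4) * 4:]  # after the data offset
    elif pkt["ip.proto"] == 1:
        pkt["icmp.type"] = l4[0]                     # tcpdump's icmp[icmptype]
    return pkt


# Each entry mirrors one filter from the article; "tcp contains" scans the
# whole segment in Wireshark, only the payload is scanned here.
FILTERS = {
    "tcp.flags.syn == 1":      lambda p: p.get("tcp.flags", 0) & SYN != 0,
    "tcp.flags == 0x012":      lambda p: p.get("tcp.flags") == SYN | ACK,
    "tcp.port == 80":          lambda p: 80 in (p.get("tcp.srcport"), p.get("tcp.dstport")),
    'tcp contains "password"': lambda p: b"password" in p.get("tcp.payload", b""),
    "icmp.type == 3":          lambda p: p.get("icmp.type") == 3,
    "icmp not echo/reply":     lambda p: "icmp.type" in p and p["icmp.type"] not in (0, 8),
}


def apply_filters(pcap):
    """Count how many frames each filter matches (tshark -Y would list them)."""
    counts = dict.fromkeys(FILTERS, 0)
    for frame in iter_frames(pcap):
        pkt = decode(frame)
        if pkt:
            for name, test in FILTERS.items():
                counts[name] += bool(test(pkt))
    return counts


SAMPLE_PCAP = build_pcap([
    tcp_frame(CLIENT, SERVER, 51000, 80, SYN),            # handshake step 1
    tcp_frame(SERVER, CLIENT, 80, 51000, SYN | ACK),      # step 2: flags == 0x012
    tcp_frame(CLIENT, SERVER, 51000, 80, ACK),            # step 3
    tcp_frame(CLIENT, SERVER, 51000, 80, PSH | ACK,       # cleartext form post
              b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=hunter2"),
    tcp_frame(CLIENT, SERVER, 51001, 22, SYN),            # SYN to another port
    icmp_frame(CLIENT, SERVER, 8), icmp_frame(SERVER, CLIENT, 0),   # ordinary ping pair
    icmp_frame(SERVER, CLIENT, 3),                        # destination unreachable
])

if __name__ == "__main__":
    for name, n in apply_filters(SAMPLE_PCAP).items():
        print(f"{name:28s} {n} frame(s)")
```

Writing `SAMPLE_PCAP` to disk and running `tshark -r sample.pcap -Y 'tcp.flags == 0x012'` should select exactly the SYN+ACK frame, which is a handy way to confirm a filter does what you think before pointing it at a production capture.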
What Undercode Says:
Wireshark is a must-know tool for cybersecurity professionals. Mastering these filters enhances threat detection, speeds up investigations, and helps uncover hidden malicious activity. Pairing Wireshark with CLI tools (tshark, tcpdump) and automation scripts can significantly improve SOC workflows.
Prediction:
As cyber threats evolve, deep packet inspection (DPI) and AI-driven traffic analysis will become standard in SOC operations. Wireshark's role will expand with more ML-powered filtering capabilities.
Expected Output:
- Efficient network traffic analysis.
- Faster incident response.
- Improved threat detection accuracy.
Reported By: Marcelvelica 25 – Hackers Feeds