Mastering Network Traffic Analysis: A Hands‑On Guide to Wireshark for SOC Operations + Video

Introduction:

In today’s threat landscape, network traffic is the silent witness to every attack. Security Operations Center (SOC) analysts must transform raw packet captures (PCAPs) into actionable intelligence to detect anomalies, reconstruct breaches, and validate alerts. This article provides a structured, lab‑driven approach to network traffic analysis using Wireshark, focusing on practical techniques for identifying malicious behavior across HTTP, DNS, SMB, and TCP sessions.

Learning Objectives:

  • Understand network traffic flows (North‑South vs. East‑West) and their relevance in SOC monitoring.
  • Master packet dissection across the TCP/IP stack to spot protocol‑level anomalies.
  • Detect advanced techniques like DNS tunneling, packet fragmentation, and session hijacking.
  • Apply hands‑on Wireshark filters and command‑line tools to extract indicators of compromise (IOCs).

You Should Know:

1. Understanding Network Traffic Flows: North‑South vs. East‑West

In any enterprise environment, traffic is categorized by direction. North‑South traffic moves between the internal network and the outside world (e.g., user browsing the internet), while East‑West traffic flows laterally between servers or endpoints inside the data center. SOC analysts must monitor both: North‑South for initial compromise and data exfiltration, East‑West for lateral movement and privilege escalation.

Step‑by‑step guide to capturing and classifying flows:

  • Linux: Use `tcpdump -i eth0 -w capture.pcap` to capture live traffic. To isolate North‑South traffic, filter by destination IPs outside your subnet.
  • Windows: Use `netsh trace start capture=yes maxsize=250 filemode=circular` to start a trace, then `netsh trace stop` to save an ETL file (convert with etl2pcapng).
  • Wireshark filter for East‑West: `ip.src == 192.168.1.0/24 and ip.dst == 192.168.1.0/24` (adjust subnet). This shows only internal communication, helping you spot unusual server‑to‑server connections.
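The classification above can be automated once the flows are out of Wireshark. The script below is an added example (not code from the original article): it reads the tab-separated output of `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len`, treats the RFC 1918 ranges (plus any extra prefixes you pass in) as "internal", labels every record North-South or East-West, and totals bytes per direction and per outbound internal host, which is the first number to look at when hunting exfiltration. The sample records are constructed.

```python
"""Classify tshark flow records as North-South or East-West.

Added example, not code from the original article. It assumes the input is the
tab-separated output of:
    tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len
and that "internal" means the RFC 1918 ranges plus any extra prefixes you pass in.
"""
import ipaddress
from collections import Counter

# Constructed sample of tshark -T fields output: src, dst, frame length in bytes.
SAMPLE = """\
192.168.1.10\t93.184.216.34\t1514
93.184.216.34\t192.168.1.10\t60
192.168.1.10\t192.168.1.20\t4000
192.168.1.20\t192.168.1.10\t4000
10.0.0.5\t192.168.1.20\t800
192.168.1.20\t198.51.100.7\t65000
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip, extra_prefixes=()):
    """True if ip falls inside RFC 1918 space or one of the extra prefixes."""
    addr = ipaddress.ip_address(ip)
    nets = RFC1918 + [ipaddress.ip_network(p) for p in extra_prefixes]
    return any(addr in net for net in nets)


def classify(src, dst, extra_prefixes=()):
    """Return 'east-west', 'north-south' or 'transit' for one packet."""
    src_in, dst_in = is_internal(src, extra_prefixes), is_internal(dst, extra_prefixes)
    if src_in and dst_in:
        return "east-west"
    if src_in or dst_in:
        return "north-south"
    return "transit"   # neither end is ours: unexpected on an internal sensor


def summarize(text, extra_prefixes=()):
    """Byte totals per direction plus outbound bytes per internal host.

    The outbound counter is the first thing to check for exfiltration: an
    internal host pushing far more bytes out than it pulls in stands out.
    """
    by_direction = Counter()
    outbound = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, length = line.split("\t")
        direction = classify(src, dst, extra_prefixes)
        by_direction[direction] += int(length)
        if direction == "north-south" and is_internal(src, extra_prefixes):
            outbound[src] += int(length)
    return by_direction, outbound


if __name__ == "__main__":
    directions, out = summarize(SAMPLE)
    for direction, total in directions.items():
        print(f"{direction:12s} {total:8d} bytes")
    for host, total in out.most_common():
        print(f"outbound from {host}: {total} bytes")
```

Pass your own public-facing prefixes in `extra_prefixes` if the organisation owns routable space; otherwise traffic to a DMZ host would be counted as North-South.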

2. Packet Dissection Across TCP/IP Layers

Wireshark decodes packets layer by layer: Link (Ethernet), Internet (IP), Transport (TCP/UDP), and Application (HTTP, DNS, etc.). Understanding this hierarchy allows you to pinpoint where an anomaly originates—for example, a malformed TCP header might indicate a crafted exploit packet.

Step‑by‑step analysis:

  1. Open a PCAP in Wireshark.
  2. Select any packet and expand the Ethernet II, IP, and TCP sections in the packet details pane.
  3. For quick navigation, read the Protocol column in the packet list; the packet details pane then shows the full encapsulation chain for the selected frame.
  4. Linux command: `tshark -r capture.pcap -Y "tcp.flags.syn==1 and tcp.flags.ack==0" -T fields -e ip.src -e tcp.port` – this lists all SYN packets (connection initiation) for detecting port scans. Note that `tcp.port` prints source and destination port separated by a comma; use `-e tcp.dstport` if you only want the probed port.
  5. Windows (PowerShell): Use `Get-NetTCPConnection` to view active connections and correlate with Wireshark captures.

3. Identifying Suspicious HTTP Traffic

HTTP remains a common vector for malware command‑and‑control (C2) and data exfiltration. Look for abnormal User‑Agent strings, long URIs, or non‑standard HTTP methods.

Step‑by‑step guide:

  • Apply display filter: `http`.
  • Examine `http.request.uri` for base64‑encoded strings or unusual parameters.
  • Wireshark filter for known bad user agents: `http.user_agent contains "curl" or http.user_agent contains "python"` (often used by attackers).
  • Linux command: `tshark -r http.pcap -Y "http.request" -T fields -e http.host -e http.request.uri -e http.user_agent` to extract all HTTP requests.
  • To detect data exfiltration, filter for large HTTP POST requests: `http.request.method == "POST" and frame.len > 1000`.
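The three checks in this section (watchlisted User-Agent, base64-looking URI parameters, large POST bodies) can be run over the tshark export in one pass. The script below is an added example, not code from the original article. It assumes the input is the tab-separated output of `tshark -r http.pcap -Y "http.request" -T fields -e ip.src -e http.request.method -e http.host -e http.request.uri -e http.user_agent -e frame.len`; the watchlist, the 200-character URI limit and the base64 heuristic are illustrative choices, while the 1000-byte POST threshold is the article's own. The sample rows are constructed.

```python
"""Triage HTTP requests extracted with tshark for C2 and exfiltration signs.

Added example, not code from the original article. It assumes the input is the
tab-separated output of:
    tshark -r http.pcap -Y "http.request" -T fields -e ip.src \
        -e http.request.method -e http.host -e http.request.uri \
        -e http.user_agent -e frame.len
The user-agent watchlist, the URI length limit and the base64 heuristic are
illustrative choices for this example; the 1000-byte POST threshold matches
the article's frame.len filter.
"""
import base64
import binascii
import re

WATCHLIST_UA = ("curl", "python", "wget", "powershell")   # case-insensitive substrings
LARGE_POST_BYTES = 1000
LONG_URI = 200
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample rows: src, method, host, uri, user-agent, frame length.
SAMPLE = """\
192.168.1.10\tGET\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 10.0)\t420
192.168.1.10\tPOST\tupdate.example.net\t/upload.php\tpython-requests/2.31\t2048
192.168.1.12\tGET\tcdn.example.org\t/api?d=aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA==\tcurl/8.0\t300
192.168.1.15\tGET\twww.example.com\t/about\tMozilla/5.0 (X11; Linux)\t380
"""


def looks_base64(value):
    """Heuristic: base64 alphabet, 16+ chars, and decodes cleanly.

    Long alphanumeric session tokens also match, so treat this as a
    prompt for manual inspection rather than proof of encoding.
    """
    if not B64_SHAPE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def query_params(uri):
    """Split the query string without URL-decoding (decoding would turn '+' into a space)."""
    _, _, query = uri.partition("?")
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        yield key, value


def triage_line(line):
    """Apply every check to one request row and return (src, host, reasons)."""
    src, method, host, uri, ua, length = line.split("\t")
    reasons = []
    if any(w in ua.lower() for w in WATCHLIST_UA):
        reasons.append(f"user-agent on watchlist: {ua}")
    if method == "POST" and int(length) > LARGE_POST_BYTES:
        reasons.append(f"large POST ({length} bytes)")
    if len(uri) > LONG_URI:
        reasons.append(f"long URI ({len(uri)} chars)")
    for key, value in query_params(uri):
        if looks_base64(value):
            reasons.append(f"base64-looking parameter {key}")
    return src, host, reasons


def triage(text):
    """Return (src, host, reasons) for every request that tripped at least one check."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            src, host, reasons = triage_line(line)
            if reasons:
                hits.append((src, host, reasons))
    return hits


if __name__ == "__main__":
    for src, host, reasons in triage(SAMPLE):
        print(f"{src} -> {host}: " + "; ".join(reasons))
```

Expect noise from legitimate automation (monitoring agents, package managers) on the User-Agent check; the value of the script is the combination of reasons on one source, not any single hit.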

4. Detecting DNS Tunneling

DNS tunneling encodes data in DNS queries, bypassing firewalls. Attackers use subdomains to exfiltrate data or establish C2 channels.

Step‑by‑step detection:

  • Look for excessive DNS queries from a single source to a single domain.
  • Wireshark filter: `dns.qry.name contains ".example.com"` – replace with the suspicious domain.
  • Check for long subdomain labels (over 20 characters) or high entropy in query names.
  • Linux command: `tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c | sort -nr` – this counts unique DNS queries; a high count with random‑looking names suggests tunneling.
  • Tool tip: Use `dnstop` to monitor live DNS traffic on Linux.
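The label-length, entropy and query-count indicators above are easy to score together once the queries are exported. The script below is an added example, not code from the original article. It assumes the input is the tab-separated output of `tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name`; the thresholds (label length 20, entropy 3.5 bits, 3 queries) and the "last two labels" domain grouping are illustrative simplifications, and the query names are constructed.

```python
"""Score DNS query names for tunneling indicators.

Added example, not code from the original article. It assumes the input is
the tab-separated output of:
    tshark -r dns.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name
The thresholds (label length 20, entropy 3.5 bits, 3 queries) and the
"last two labels" domain grouping are illustrative simplifications.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: two hosts doing ordinary lookups and one host sending
# 32-character hex labels under tun.example.net.
SAMPLE = """\
192.168.1.10\twww.example.com
192.168.1.10\tmail.example.com
192.168.1.11\t3a7f9c1e2b4d6a8f0c1e3b5d7f9a2c4e.tun.example.net
192.168.1.11\t9f1c3e5a7b9d2f4e6a8c0b1d3f5a7c9e.tun.example.net
192.168.1.11\t0b2d4f6a8c1e3b5d7f9a2c4e6a8f0c1e.tun.example.net
192.168.1.11\t5d7f9a2c4e6a8f0c1e3b5d7f9a2c4e6b.tun.example.net
192.168.1.12\twww.example.com
"""


def shannon_entropy(s):
    """Bits per character; hex data tops out near 4.0, English words sit well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name):
    """Last two labels: fine for .com/.net, but co.uk and similar need a public-suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(text, max_label=20, min_entropy=3.5, min_queries=3):
    """Group queries by (source, registered domain) and report suspicious groups."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        src, qname = line.split("\t")
        groups[(src, registered_domain(qname))].append(qname)

    findings = []
    for (src, domain), names in groups.items():
        longest = max(len(label) for n in names for label in n.split("."))
        # The leftmost label is where tunnelled data is normally carried.
        avg_entropy = sum(shannon_entropy(n.split(".")[0]) for n in names) / len(names)
        reasons = []
        if longest > max_label:
            reasons.append(f"label length {longest}")
        if avg_entropy > min_entropy:
            reasons.append(f"mean first-label entropy {avg_entropy:.2f} bits")
        if reasons:
            if len(names) >= min_queries:
                reasons.append(f"{len(names)} queries from one source")
            findings.append({"src": src, "domain": domain, "queries": len(names),
                             "longest_label": longest, "avg_entropy": round(avg_entropy, 2),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f"{f['src']} -> {f['domain']}: " + "; ".join(f["reasons"]))
```

CDN and anti-spam services also generate long, high-entropy labels, so whitelist known domains before treating a hit as tunneling, and compare the query rate against the host's own baseline.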

5. Analyzing SMB Sessions for Lateral Movement

Server Message Block (SMB) is used for file sharing and is often abused in ransomware attacks. Suspicious SMB activity includes repeated failed logins, unusual file shares, or large data transfers.

Step‑by‑step guide:

  • Filter for SMB traffic: `smb || smb2` (SMB1 and SMB2/3 are dissected separately).
  • Look for SMB `TreeConnect` requests to administrative shares (e.g., IPC$, C$).
  • Wireshark filter for failed SMB logins: `smb.nt_status == 0xC000006D` (STATUS_LOGON_FAILURE); for SMB2/3 sessions use `smb2.nt_status == 0xC000006D`.
  • To extract transferred files from SMB traffic: Use Wireshark’s “Export Objects” → “SMB” menu.
  • Linux command: `sudo tcpdump -i eth0 -s 0 port 445 -w smb_capture.pcap` to capture SMB traffic specifically.
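The failed-logon and administrative-share checks above can be counted from a tshark export of the SMB2 fields. The script below is an added example, not code from the original article. It assumes the input is the tab-separated output of `tshark -r smb_capture.pcap -Y "smb2" -T fields -e ip.src -e ip.dst -e smb2.cmd -e smb2.nt_status -e smb2.tree`, one SMB2 command per frame (compounded requests print comma-separated values and are not handled here); SMB2 command 1 is Session Setup and 3 is Tree Connect, and STATUS_LOGON_FAILURE is the 0xC000006D from the filter above. The failure threshold of 5 and the sample session are constructed.

```python
"""Flag SMB2 logon-failure bursts and administrative share connections.

Added example, not code from the original article. It assumes the input is
the tab-separated output of:
    tshark -r smb_capture.pcap -Y "smb2" -T fields -e ip.src -e ip.dst \
        -e smb2.cmd -e smb2.nt_status -e smb2.tree
with one SMB2 command per frame. Requests carry no nt_status, so that column
is empty for them. SMB2 command 1 is Session Setup and 3 is Tree Connect;
STATUS_LOGON_FAILURE is 0xC000006D. The failure threshold is illustrative.
"""
from collections import Counter

SESSION_SETUP, TREE_CONNECT = 1, 3
STATUS_LOGON_FAILURE = 0xC000006D


def row(src, dst, cmd, status="", tree=""):
    """Build one tab-separated record in the assumed tshark layout."""
    return "\t".join([src, dst, str(cmd), status, tree])


def build_sample():
    """Constructed sample: six failed logons, one success, then a C$ connection."""
    client, server, other = "192.168.1.50", "192.168.1.20", "192.168.1.30"
    lines = []
    for _ in range(6):
        lines.append(row(client, server, SESSION_SETUP))
        lines.append(row(server, client, SESSION_SETUP, "0xc000006d"))
    lines.append(row(client, server, SESSION_SETUP))
    lines.append(row(server, client, SESSION_SETUP, "0x00000000"))
    lines.append(row(client, server, TREE_CONNECT, "", r"\\192.168.1.20\C$"))
    lines.append(row(server, client, TREE_CONNECT, "0x00000000", r"\\192.168.1.20\C$"))
    lines.append(row(other, server, TREE_CONNECT, "", r"\\192.168.1.20\Public"))
    return "\n".join(lines)


def analyse(text, failure_threshold=5):
    """Count STATUS_LOGON_FAILURE responses per client/server pair and list admin-share connects."""
    failures = Counter()           # (client, server) -> failed logons
    admin_connects = []            # (client, server, share) for shares ending in $
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, cmd, status, tree = line.split("\t")
        cmd = int(cmd)
        if status == "":
            # A request: the client is src. Record tree connects to admin shares.
            if cmd == TREE_CONNECT and tree.rstrip("\\").endswith("$"):
                admin_connects.append((src, dst, tree))
            continue
        # A response: the server is src and the client is dst.
        if cmd == SESSION_SETUP and int(status, 16) == STATUS_LOGON_FAILURE:
            failures[(dst, src)] += 1
    return {
        "logon_failures": {k: v for k, v in failures.items() if v >= failure_threshold},
        "admin_share_connects": admin_connects,
    }


if __name__ == "__main__":
    result = analyse(build_sample())
    for (client, server), n in result["logon_failures"].items():
        print(f"{n} failed logons from {client} to {server}")
    for client, server, share in result["admin_share_connects"]:
        print(f"{client} connected to {share} on {server}")
```

A burst of failures followed by a success and an immediate C$ connection, as in the sample, is the pattern worth escalating; a single admin-share connect from a known management host is routine.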

6. Spotting TCP Session Anomalies

TCP flags reveal the state of connections. Attackers use SYN floods, RST attacks, or session hijacking to disrupt or intercept traffic.

Step‑by‑step detection:

  • SYN flood detection: Filter `tcp.flags.syn == 1 and tcp.flags.ack == 0`. A high volume of such packets from one IP without corresponding ACKs indicates a flood.
  • RST anomalies: `tcp.flags.reset == 1` – multiple resets from a server could indicate an attempt to tear down connections prematurely.
  • TCP retransmissions: Use `tcp.analysis.retransmission` to identify packet loss, often caused by network congestion or attack tools.
  • Linux command: `ss -t -a` shows active TCP sockets; compare with Wireshark captures to find discrepancies.
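The SYN listing from section 2 (port-scan detection) and the unanswered-SYN check here are two views of the same packet set, so one script covers both. The code below is an added example, not from the original article. It assumes the input is the tab-separated output of `tshark -r capture.pcap -Y "tcp.flags.syn == 1" -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags`, where `tcp.flags` prints as a hex string such as `0x0002` (SYN) or `0x0012` (SYN+ACK); it counts distinct destination ports per source to spot scans, and SYNs per source against the SYN-ACKs that source receives to spot floods. The thresholds and the sample traffic are constructed.

```python
"""Find port scans and unanswered-SYN bursts in tshark SYN-packet output.

Added example, not code from the original article. Assumed input is the
tab-separated output of:
    tshark -r capture.pcap -Y "tcp.flags.syn == 1" -T fields \
        -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags
tcp.flags is printed as a hex string such as 0x0002 (SYN) or 0x0012 (SYN+ACK).
Thresholds are illustrative and should be tuned to the monitored network;
they count over the whole capture, so add a time window for live use.
"""
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10


def build_sample():
    """Constructed sample: one scanner, one normal client, one unanswered-SYN burst."""
    lines = []
    # Scanner 10.0.0.99 probes ports 20-34 on 192.168.1.20; only port 22 answers.
    for port in range(20, 35):
        lines.append(f"10.0.0.99\t192.168.1.20\t{40000 + port}\t{port}\t0x0002")
    lines.append("192.168.1.20\t10.0.0.99\t22\t40022\t0x0012")
    # Normal client: one SYN to a web server, answered with a SYN-ACK.
    lines.append("192.168.1.10\t93.184.216.34\t51000\t443\t0x0002")
    lines.append("93.184.216.34\t192.168.1.10\t443\t51000\t0x0012")
    # 200 SYNs from 198.51.100.50 to port 80 with no SYN-ACK coming back.
    for i in range(200):
        lines.append(f"198.51.100.50\t192.168.1.20\t{30000 + i}\t80\t0x0002")
    return "\n".join(lines)


def parse(text):
    """Yield (src, dst, sport, dport, flags) with ports and flags as integers."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, flags = line.split("\t")
        yield src, dst, int(sport), int(dport), int(flags, 16)


def analyse(text, scan_ports=10, flood_syns=100, answered_ratio=0.1):
    """Return sources that touched many ports (scan) or sent many unanswered SYNs (flood)."""
    syn_sent = Counter()            # src -> SYNs (ACK clear) sent
    synack_recv = Counter()         # host -> SYN+ACKs received
    targets = defaultdict(set)      # src -> {(dst, dport)} probed
    for src, dst, sport, dport, flags in parse(text):
        if flags & SYN and not flags & ACK:
            syn_sent[src] += 1
            targets[src].add((dst, dport))
        elif flags & SYN and flags & ACK:
            synack_recv[dst] += 1
    port_scans = {s: len(t) for s, t in targets.items() if len(t) >= scan_ports}
    syn_floods = {}
    for src, n in syn_sent.items():
        # A flood source sends many SYNs and sees almost no SYN-ACKs in return.
        if n >= flood_syns and synack_recv[src] / n < answered_ratio:
            syn_floods[src] = n
    return {"port_scans": port_scans, "syn_floods": syn_floods}


if __name__ == "__main__":
    result = analyse(build_sample())
    for src, n in result["port_scans"].items():
        print(f"port scan: {src} touched {n} distinct (host, port) pairs")
    for src, n in result["syn_floods"].items():
        print(f"possible SYN flood: {src} sent {n} SYNs with almost no SYN-ACKs back")
```

Spoofed-source floods will show up as many distinct sources each sending a few SYNs rather than one heavy source; for that case group by destination port instead of by source.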

7. Automating Analysis with Command‑Line Tools

While Wireshark’s GUI is powerful, command‑line tools allow scripting and bulk analysis, essential for large PCAPs.

Step‑by‑step automation:

  • Extract all IP addresses: `tshark -r capture.pcap -T fields -e ip.src -e ip.dst | sort | uniq > ip_list.txt`.
  • List all HTTP hosts: `tshark -r capture.pcap -Y "http" -T fields -e http.host | sort -u`.
  • Convert PCAP to CSV for external analysis: `tshark -r capture.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.port -e http.request.uri -E header=y -E separator=, > output.csv`.
  • Windows equivalent: Use `editcap` (part of the Wireshark tools) to split large PCAPs: `editcap -c 10000 big.pcap small.pcap` (splits every 10,000 packets).

What Undercode Says:

  • Context is King: Raw packets are meaningless without understanding the environment. Always correlate network data with endpoint logs and threat intelligence.
  • Automate, but Validate: Scripts and filters save time, but manual inspection of suspicious sessions is irreplaceable. False positives in network traffic can mask real intrusions.
  • Continuous Learning: This Wireshark lab is a foundation; advanced threats require understanding encrypted traffic (TLS/QUIC) and behavioral baselining. The SOC mindset is built one packet at a time.

Prediction:

As encryption becomes ubiquitous, network traffic analysis will shift from deep packet inspection to metadata and flow analysis (NetFlow, IPFIX). Machine learning will assist in anomaly detection, but the core skills of packet‑level forensics will remain critical for incident responders. SOC analysts who master both traditional tools like Wireshark and emerging AI‑driven platforms will lead the next generation of threat detection.

Reported By: Nikolaos Argyridis – Hackers Feeds