Wireshark for Incident Response 101

Introduction to Wireshark

Wireshark is a freely available tool for network traffic analysis. It can be used to either analyze saved packet capture files or perform live traffic capture of packets flowing over the network, including support for promiscuous traffic capture.

While Wireshark is useful for its ability to capture network traffic, its traffic dissection capabilities are what make it invaluable for incident response. The creators of Wireshark have put a great deal of effort into making the user interface as intuitive as possible and have built in extensive functionality for viewing and analyzing network traffic data.

Using Wireshark for IR

Since most malware and cyberattacks use the network, the ability to analyze network traffic data is invaluable for incident response. This section looks at some of the basic capabilities of Wireshark and their applications and potential utility for IR.

High-level awareness

Wireshark is a great tool for achieving high-level awareness of the types of traffic in a packet capture or flowing live over a network.

The screenshot above shows a sample of Wireshark’s default view. Each line summarizes a packet, and packets are color-coded based on protocol and other attributes. The colors in the capture above make it easy to differentiate DNS traffic (blue) from HTTP (green).

Wireshark also includes visual cues for unusual packets. For example, RST packets in TCP are colored red, making it easy to see if there is anomalous behavior on the network (in this case, a possible scan). Simply by scrolling through the packet summaries, it’s possible to get a rough idea of the mix of traffic in a capture and identify some potential abnormalities that deserve further investigation.
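As an added example that is not part of the original post, the same RST triage Wireshark's red colouring gives you, scripted over a classic libpcap file in Python. The frame and pcap layouts are built inline and the hosts and ports are constructed sample data; the script assumes a little-endian pcap containing Ethernet/IPv4/TCP frames and skips anything else.

```python
# Added example, not the post's code: RST triage over a little-endian libpcap file.
import struct
from collections import defaultdict

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def tcp_frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame, no payload (constructed data; checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(src), ip_bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in libpcap global and per-record headers (little-endian, linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for f in frames:
        out.append(struct.pack("<IIII", 0, 0, len(f), len(f)) + f)
    return b"".join(out)

def rst_summary(pcap):
    """Return {(rst_sender, rst_receiver): set of source ports the RSTs came from}.
    Many RSTs from one host to one peer across many ports is the trace a scan
    of closed ports leaves, the pattern Wireshark's red RST rows hint at."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "not a little-endian pcap"
    pairs, off = defaultdict(set), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                               # not an IPv4/TCP frame
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) >= 14 and tcp[13] & 0x04:     # RST flag set
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            pairs[(src, dst)].add(struct.unpack_from("!H", tcp, 0)[0])
    return dict(pairs)

# Constructed capture: 10.0.0.5 probes ports 20..29 on 10.0.0.9, which answers each
# closed port with RST/ACK; one ordinary HTTP SYN from another host is mixed in.
SAMPLE = build_pcap(
    [tcp_frame("10.0.0.5", "10.0.0.9", 40000 + p, p, 0x02) for p in range(20, 30)]
    + [tcp_frame("10.0.0.9", "10.0.0.5", p, 40000 + p, 0x14) for p in range(20, 30)]
    + [tcp_frame("10.0.0.7", "10.0.0.9", 51000, 80, 0x02)])

if __name__ == "__main__":
    for (src, dst), ports in rst_summary(SAMPLE).items():
        print(f"{src} -> {dst}: {len(ports)} RSTs from ports {sorted(ports)}")
```

On a real capture, replace SAMPLE with the bytes of a file saved by Wireshark in pcap (not pcapng) format; the one RST-heavy pair that stands out is the same thing the red rows show in the GUI.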

Statistical data

Wireshark also provides a wealth of high-level statistical data regarding a packet capture. These statistics have their own Dropbox

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/HnoWYuyDDEM/