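# --- Capture-filter (tcpdump / BPF) syntax ---
# These three lines are capture filters (tcpdump -i <iface> '...' or Wireshark's capture-filter box),
# NOT display filters; they will not parse in the display-filter bar.
dst <ip> and port <port>
src <ip> and not port <port>
host <hostname-or-ip>   # BPF 'host' takes a hostname or address, not a URL

# --- Everything below is Wireshark display-filter syntax ---
# '#' lines are notes; if your Wireshark version rejects comments in the filter bar, paste only the filter text.
# ips
ip.addr == <ip>
ip.src == <ip> and ip.dst == <ip>
ip.src_host matches "192\\.168\\.1"   # regex: backslashes are doubled inside the quoted string so the dots are literal
# ports
tcp.port == <port>
tcp.srcport == <port>
# protocols
http
http.request.method == "POST"   # 'http.requests.get' is not a field; method names are upper-case strings
tcp
tcp.flags.syn==1 # handshakes (SYN bit set: matches both SYN and SYN/ACK; see the syn-flood filter below for SYN-only)
arp
dns
ssh
# not, these are different
!ip.addr == <ip>   # negates the whole test: shows packets where NEITHER address is <ip>
ip.addr != <ip>    # field-level comparison; its meaning for multi-valued fields changed between Wireshark releases - check your version's wireshark-filter man page before relying on it
# frame
frame matches "(attachment|tar|exe|zip|pdf)"   # 'contains' is a plain substring test; alternation needs 'matches' (regex); use straight quotes, curly quotes do not parse
frame.number == <num>
# keywords (string operands must be quoted)
tcp contains "<keyword>"
frame contains "<keyword>"
# http requests and tls client hellos (the SNI extension shows the requested domain name)
http.request or tls.handshake.type == 1   # 'ssl.handshake.type' is the same field under its pre-3.0 name
# connection attempts: SYN-only segments; repeated SYNs with no SYN/ACK back point to failed connections
tcp.flags == 0x0002
# domains queried (e.g. C2 servers, smtp.* for spam)
dns
# no ssdp
!(udp.port eq 1900)
!ssdp
# MTA Brad's "basic"
(http.request or tls.handshake.type == 1) and !(ssdp)
# MTA Brad's "basic+"
(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)
# host name, MAC
dhcp # check DHCP Request
# or
nbns # mainly Windows or MacOS
# OS
http.request # follow TCP stream, check User Agent
http.user_agent
# Windows user account name / hostname (ends with $)
kerberos.CNameString # perhaps add as column
# strange certificates: handshake type 11 is the Certificate message, so this shows the certs presented
# (only visible in cleartext for TLS 1.2 and below; TLS 1.3 encrypts it)
tls.handshake.type == 11
# syn floods
tcp.flags.syn == 1 and tcp.flags.ack == 0
# not .coms ('$' anchors the match to the end of the name so "example.company.net" is not excluded too)
((http.request or tls.handshake.type == 1) and !(ssdp)) and !(tls.handshake.extensions_server_name matches "\\.com$")
# search for file
http.request.uri contains ".<zip|png|...>"   # quote the extension, e.g. ".zip"
# check file type
# Follow TCP stream; first two bytes of the payload: MZ = exe/dll, PK = zip
# If you find a file split into many parts, see: Wireshark Tutorial: Examining Qakbot Infections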