Capture Filter

dst <ip> and port <port>
src <ip> and not port <port>
host <hostname or ip> # capture filters take a host name or address, not a URL

Display Filter

# ips
ip.addr == <ip>
ip.src == <ip> and ip.dst == <ip>
ip.src_host matches "192\\.168\\.1"

# ports
tcp.port == <port>
tcp.srcport == <port>

# protocols
http
http.request.method == "POST" # or "GET"; the field is http.request.method
tcp
tcp.flags.syn == 1 # handshakes
arp
dns
ssh

# not: these two are different
!(ip.addr == <ip>) # packets that do not involve <ip> at all (the one you usually want)
ip.addr != <ip> # in Wireshark before 3.6 this matched if either src or dst differed, i.e. almost every packet

# frame
frame matches "(attachment|tar|exe|zip|pdf)" # a regex needs "matches"; "contains" is a literal substring test
frame.number == <num>

# keywords
tcp contains "<keyword>"
frame contains "<keyword>"

Useful

# http requests and https domain names (from the Client Hello SNI)
http.request or tls.handshake.type == 1 # ssl.handshake.type on Wireshark before 3.0

# connection attempts: SYN only (a SYN with no SYN/ACK answer is a failed connection)
tcp.flags == 0x0002

# domains queried (e.g. C2 servers, smtp.* for spam)
dns

# no ssdp
!(udp.port eq 1900)
!ssdp

# MTA Brad's "basic"
(http.request or tls.handshake.type == 1) and !(ssdp)

# MTA Brad's "basic+"
(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

# host name, MAC
dhcp # check DHCP Request
# or
nbns # mainly Windows or MacOS

# OS
http.request # follow TCP stream, check User-Agent
http.user_agent

# Windows user account names and hostnames (hostnames end with $)
kerberos.CNameString # worth adding as a column

# strange certificates (TLS 1.2 and earlier only; TLS 1.3 encrypts the Certificate message)
tls.handshake.type == 11 # Certificate handshake messages

# syn floods
tcp.flags.syn == 1 and tcp.flags.ack == 0

# not .coms
((http.request or tls.handshake.type == 1) and !(ssdp)) and !(tls.handshake.extensions_server_name matches "\\.com")

Objects/Files

# search for file
http.request.uri contains ".zip" # or ".png", ".exe", ...; the string must be quoted

# check file type
Follow TCP stream; the first two bytes of the body give the type: MZ = exe/dll (Windows PE), PK = zip (also docx/xlsx/jar, which are zip containers)

If you find a file split into many parts:

  1. Follow TCP stream for the HTTP request for 9312.zip.
  2. Show only the response traffic in the TCP stream Window.
  3. Change "Show and save data as" from ASCII to Raw.
  4. Save the data as a binary (I chose to save it as: 9312.zip.bin)
  5. Open the binary in a hex editor and remove the HTTP request headers before the first two bytes of the zip archive (which show as PK in ASCII).
  6. Save the file as a zip archive (I chose to save it as 9312.zip)
  7. Check the file to make sure it's a zip archive.
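Added example (my own script, not from the cheat sheet or the Unit 42 tutorial): it does steps 3 to 7 on a stream saved as Raw with only the server-to-client direction shown, stripping the HTTP headers of every response in it, joining the bodies in order for the split-file case, and labelling the result by the MZ/PK magic from the "check file type" line above. It assumes responses carry Content-Length (chunked encoding is not handled); the sample stream is constructed.

```python
"""Carve a downloaded file out of a Raw-saved HTTP response stream."""
import re
import sys

# Magic bytes from the cheat sheet: MZ = Windows PE (exe/dll), PK = zip archive.
MAGIC = {b"MZ": "exe/dll", b"PK": "zip"}
STATUS_LINE = re.compile(rb"HTTP/1\.[01] \d{3}")
CONTENT_LENGTH = re.compile(rb"(?im)^content-length:[ \t]*(\d+)[ \t]*\r?$")


def split_responses(stream: bytes) -> list:
    """Return the body of every HTTP response in a raw server->client stream.

    Assumption: each response has Content-Length (no chunked encoding);
    one without it is taken to run to the end of the stream.
    """
    bodies = []
    pos = 0
    while pos < len(stream):
        if not STATUS_LINE.match(stream, pos):
            bodies.append(stream[pos:])  # data with no header in front: keep as body
            break
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break  # truncated headers, nothing more to carve
        body_start = hdr_end + 4
        m = CONTENT_LENGTH.search(stream, pos, hdr_end)  # only this response's headers
        body_end = body_start + int(m.group(1)) if m else len(stream)
        bodies.append(stream[body_start:body_end])
        pos = body_end
    return bodies


def carve(stream: bytes):
    """Join the bodies in order and name the file type from its first two bytes."""
    data = b"".join(split_responses(stream))
    return data, MAGIC.get(data[:2], "unknown")


# Constructed sample: one zip delivered as two HTTP responses in the same stream.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\nContent-Length: 7\r\n\r\n"
    b"PK\x03\x04abc"
    b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\n"
    b"defg"
)

if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    payload, kind = carve(src)
    print(f"{len(payload)} bytes, type {kind}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(payload)
```

Run it as `python carve.py stream.bin 9312.zip` to write the carved file, then confirm the type as in step 7.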

Wireshark Tutorial: Examining Qakbot Infections

Config