In this blog, I was going to cover some introductory things I have learned using Wireshark and, at the end, mention Brad Duncan\u2019s filters that I have recently become acquainted with (Thanks @executemalware).<\/p>\n\n\n\n
For this example, I used a sample I downloaded from https:\/\/www.malware-traffic-analysis.net<\/a>. So, I should again mention Brad Duncan, who is kind enough to host the site and provide some good, relevant training sets\/quizzes to learn from. \u00a0For those new to the site, be sure to check the about<\/a> page for the password details.<\/p>\n\n\n\n So, let\u2019s open Wireshark (assuming you have downloaded it), then click File -> Open and select the .pcap file we downloaded and unzipped. Looking at the Open PCAP in Wireshark, I see the packet list pane, details pane, and bytes pane.<\/p>\n\n\n\n At the bottom of the screen, I see the total number of packets (51,181) Looking at the top horizontal toolbar, I can see the statistics tab. Let\u2019s look at that, too, and see some options Wireshark offers us.<\/p>\n\n\n\n One thing I have learned from SANS courses when reviewing packet captures is to use the Protocol Hierarchy option to get a lay of the land. A high-level view, if you will (lol). After that, I generally go to conversations and then check TCP and IPv4, and then filter for bytes to still get a high-level but closer look at what I am seeing here.<\/p>\n\n\n\n In our sample here, we have done that, and this is what we see: our dominant addresses in the conversation: <\/p>\n\n\n\n Now it\u2019s time to actually get some work done and see what\u2019s going on here. We have some IP addresses and byte counts, which can be useful to know or assess for different reasons, like suspected data exfiltration, but we don\u2019t know what has happened.<\/p>\n\n\n\n Looking back at the packet list pane, it is a big, jumbled mess and can be really straining to view, so maybe we can try to apply some filters. Fortunately, the same guy who provided this sample has given us some filters to apply (via an additional blog series I will link here), but we need to know how to do it first.<\/p>\n\n\n\n Click analyze and then display filters, filter macros, apply as filters, or follow.<\/p>\n\n\n\n We can go to Display Filter expressions and then filter for one of our dominant IP addresses.<\/p>\n\n\n\n It should look something like this when filtering for our dominant talker:<\/p>\n\n\n\n Then click okay and press the arrow in the packet list pane to apply your filter.<\/p>\n\n\n\n Looking at the results, we are kind of stuck\u2026. It\u2019s all encrypted and indecipherable. We have a couple of server name identifiers, but maybe we can look into something else.<\/p>\n\n\n\n So in the filter bar, I just type http and then click the arrow again. I see more activity that is a little clearer to review<\/p>\n\n\n\n Following the http, we see a domain with a Soviet Union TLD (.su). It is white pepper [.]su, and you can see some of the http below<\/p>\n\n\n\n Well, let\u2019s apply one of Mr. Duncan\u2019s filters, and see what happens next (http.request or tls.handshake.type eq 1) and !(ssdp):<\/strong><\/p>\n\n\n\n Scrolling a little bit, we see a couple more SNIs. holiday-forever[.]cc and communicationfirewall-security[.]cc.<\/p>\n\n\n\n Now, we don\u2019t exactly know what this means, but according to the lab, we are responding to an alert for Lumma stealer. Assuming this traffic was successful, in addition to being suspicious and having sufficient traffic to indicate a potential compromise, we need to identify our device and user and perform remediation actions. But how do we do that from a pcap?<\/p>\n\n\n\n Well, we searched our HTTP packet forms and searched through available data and found nothing. Unless we can review different protocols or have other tools to help us figure this out, we are screwed. Fortunately, we do have different protocols to look through.<\/p>\n\n\n\n We know the internal IP that was talking to the suspicious domains, so let\u2019s start there.<\/p>\n\n\n\n Searching the net bios name service, we gain some more insight.<\/p>\n\n\n\n We now have a MAC address, a desktop name, and an internal DHCP-assigned address, but no user. Let\u2019s pivot.<\/p>\n\n\n\n Searching Kerberos and our IP, we see a few different things:<\/p>\n\n\n\n One of these values is the ticket authentication service request (AS-REQ), so let\u2019s look there.<\/p>\n\n\n\n Looking under the Kerberos field, we see the Cnamestring, gwyatt. It looks like a first initial and last name. Let\u2019s look for the string “Wyatt” in a packet to see if we can find the user\u2019s first name.<\/p>\n\n\n\n We go to edit, find the packet, and then filter for Wyatt (be sure not to have a space at the end) and see the following:<\/p>\n\n\n\n We have our user!<\/p>\n\n\n\n Lastly, we check to see if there are any objects (files) left behind and go to File, export-objects, and search through our suspicious HTTP, and unfortunately, there is nothing like an executable.<\/p>\n\n\n\n While this is a sloppy write-up, I hope it’s beneficial to someone and gives some value. I won\u2019t spend the extra hour tidying this that I probably should, but I hope it is still good for someone to learn to use some new filters and Wireshark features. Oh yeah, and for BETTER reporting on Wireshark, check out the following: Wireshark Tutorial: Display Filter Expressions<\/a><\/p>\n\n\n\n <\/p>\n","protected":false},"excerpt":{"rendered":" Wireshark Wireshark is probably the most well-known and used protocol analyzer in information technology today. It\u2019s available (most days\u2026 except for today for some reason) at https:\/\/www.wireshark.org. Linux, Windows, Mac, whatever. It runs fine. It\u2019s also pretty easy to use. It has a Graphical User Interface (GUI \u2013 pronounced gooey) or a window for easier…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1246","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shawngraham.io\/index.php?rest_route=\/wp\/v2\/posts\/1246","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shawngraham.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shawngraham.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shawngraham.io\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shawngraham.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1246"}],"version-history":[{"count":1,"href":"https:\/\/shawngraham.io\/index.php?rest_route=\/wp\/v2\/posts\/1246\/revisions"}],"predecessor-version":[{"id":1261,"href":"https:\/\/shawngraham.io\/index.php?rest_route=\/wp\/v2\/posts\/1246\/revisions\/1261"}],"wp:attachment":[{"href":"https:\/\/shawngraham.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shawngraham.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shawngraham.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-9-1024x521.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-19-1024x604.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-17-1024x707.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-10-1024x360.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-15-1024x786.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-11-1024x322.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-8-1024x337.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-12-1024x279.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-14-1024x325.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-7-1024x285.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-20-1024x556.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-18-1024x625.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-16-1024x610.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/shawngraham.io\/wp-content\/uploads\/2026\/03\/image-13-1024x569.png\")
<\/figure>\n\n\n\n