Real-World Packet Analysis
Why Packet Analysis Matters
When a security alert fires, packet captures are often the definitive evidence. They tell you exactly what happened at the wire level — no interpretation, no inference, just raw bytes. As a network defender or TAC engineer, the ability to read packet captures quickly and accurately separates guessing from knowing.
Packet analysis serves multiple purposes: confirming whether an attack actually reached its target, determining what data was exfiltrated, troubleshooting application behavior, and validating that firewall rules are working as designed.
Wireshark Overview
Wireshark is the industry-standard graphical packet analyzer. It captures packets in real time from a network interface or reads from a saved .pcap/.pcapng file. Wireshark dissects each packet into its protocol layers, making it easy to inspect Ethernet frames, IP headers, TCP segments, and application payloads.
Capture Filters vs Display Filters
| Filter Type | When Applied | Language | Purpose |
|---|---|---|---|
| Capture filter | Before packets are recorded | BPF (Berkeley Packet Filter) | Limit what gets saved to disk — use on high-traffic interfaces |
| Display filter | After capture, on stored data | Wireshark display filter syntax | Show/hide packets from a full capture for analysis |
Reading a Packet
Every packet on an Ethernet network consists of nested protocol layers. Wireshark displays these layers in a collapsible tree. Understanding which layer carries which information is fundamental.
Layer Breakdown
- Ethernet Frame (Layer 2): Source MAC, Destination MAC, EtherType (0x0800 for IPv4, 0x0806 for ARP, 0x86DD for IPv6).
- IP Header (Layer 3): Source IP, Destination IP, Protocol (6=TCP, 17=UDP, 1=ICMP), TTL, Total Length, Flags (DF, MF), Fragment Offset.
- TCP Segment (Layer 4): Source Port, Destination Port, Sequence Number, Acknowledgment Number, Flags (SYN, ACK, FIN, RST, PSH, URG), Window Size, Checksum.
- Application Payload (Layer 7): HTTP headers/body, DNS query/response, TLS record, raw data.
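To make the layer breakdown concrete, here is an added example (not part of the original course material) that dissects a hand-assembled Ethernet/IPv4/TCP SYN frame with Python's struct module and pulls out the same fields Wireshark shows in its packet tree. The frame bytes, MAC addresses and IPs are constructed for the example.

```python
import struct

# Constructed sample frame (hand-assembled, not from a real capture):
# Ethernet -> IPv4 -> TCP SYN from 192.168.1.100:40000 to 10.0.0.5:443.
def build_sample_frame() -> bytes:
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 100]), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp          # checksums left at 0 in this constructed sample

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # low bit first
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_frame(frame: bytes) -> dict:
    """Walk the nested headers the way Wireshark's packet tree does."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth.src": src_mac.hex(":"), "eth.dst": dst_mac.hex(":"),
           "eth.type": f"0x{ethertype:04x}"}
    if ethertype != 0x0800:                      # only IPv4 is dissected here
        return out
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes (IHL * 4)
    total_len, ip_id, flags_frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    out.update({
        "ip.src": ".".join(map(str, ip[12:16])),
        "ip.dst": ".".join(map(str, ip[16:20])),
        "ip.ttl": ttl, "ip.len": total_len, "ip.id": ip_id,
        "ip.proto": IP_PROTO_NAMES.get(proto, str(proto)),
        "ip.flags.df": bool(flags_frag & 0x4000),   # Don't Fragment
        "ip.flags.mf": bool(flags_frag & 0x2000),   # More Fragments
        "ip.frag_offset": flags_frag & 0x1FFF,
    })
    if proto != 6:
        return out
    tcp = ip[ihl:]
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    out.update({
        "tcp.srcport": sport, "tcp.dstport": dport, "tcp.seq": seq, "tcp.ack": ack,
        "tcp.hdr_len": (off >> 4) * 4, "tcp.window_size": win,
        "tcp.flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
    })
    return out

if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print(f"{key:16} {value}")
```

The keys mirror Wireshark display-filter field names, so the values printed here are the ones you would filter on in the GUI.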
TCP Three-Way Handshake in Packets
Every TCP connection begins with a three-way handshake. Recognizing this pattern is essential for distinguishing legitimate connections from attacks like port scanning or SYN floods.
| Packet # | Direction | Flags | What it Means |
|---|---|---|---|
| 1 | Client → Server | SYN | Client requests connection; includes initial sequence number (ISN) |
| 2 | Server → Client | SYN, ACK | Server accepts; sends its ISN and acknowledges client ISN+1 |
| 3 | Client → Server | ACK | Client acknowledges server ISN+1; connection established |
TCP Four-Way Teardown
| Packet | Direction | Flags | Meaning |
|---|---|---|---|
| 1 | Initiator → Receiver | FIN, ACK | Initiator has no more data to send |
| 2 | Receiver → Initiator | ACK | Receiver acknowledges FIN |
| 3 | Receiver → Initiator | FIN, ACK | Receiver also finished; sends its own FIN |
| 4 | Initiator → Receiver | ACK | Initiator acknowledges; connection closed |
Essential Wireshark Display Filters
```
# Filter by IP address (source or destination)
ip.addr == 192.168.1.100

# Filter specific source or destination
ip.src == 10.0.0.5
ip.dst == 8.8.8.8

# Show only DNS traffic
dns

# Show only HTTP traffic (unencrypted)
http

# Show only HTTPS (TLS)
tls

# TCP port filtering
tcp.port == 443
tcp.dstport == 80

# Show only TCP SYN packets (useful for port scan detection)
tcp.flags.syn == 1 and tcp.flags.ack == 0

# Show TCP RST packets (connection resets)
tcp.flags.reset == 1

# Filter by domain in DNS queries
dns.qry.name contains "example.com"

# Show ARP traffic
arp

# ICMP only
icmp

# Follow TCP stream: right-click a packet → Follow → TCP Stream
```
tcpdump Command Examples
```bash
# Capture all traffic on interface eth0
tcpdump -i eth0

# Capture to file for later analysis in Wireshark
tcpdump -i eth0 -w capture.pcap

# Capture only TCP traffic on port 443
tcpdump -i eth0 tcp port 443

# Capture from a specific host
tcpdump -i eth0 host 192.168.1.100

# Capture DNS traffic
tcpdump -i eth0 port 53

# Verbose output with timestamps and hex dump
tcpdump -i eth0 -vvv -X port 80

# Capture ICMP only
tcpdump -i eth0 icmp

# Limit capture to 1000 packets
tcpdump -i eth0 -c 1000 -w capture.pcap

# Read from file and display verbose
tcpdump -r capture.pcap -vvv
```
Detecting Attacks in Packet Captures
Port Scanning (SYN Scan / Nmap)
A port scan typically appears as a rapid series of TCP SYN packets from a single source IP to many different destination ports on a target host. The attacker rarely completes the handshake — they send SYN and wait for SYN-ACK (open port) or RST (closed port).
- Pattern: one source IP, same destination IP, sequential or randomized destination ports
- High SYN-to-ACK ratio — many SYNs, few completed handshakes
- Short time window — hundreds of ports probed in seconds
- Wireshark filter: tcp.flags.syn==1 and tcp.flags.ack==0
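The handshake states from the three-way handshake table and the scan indicators in this list can be checked mechanically. The following is an added example, not part of the original course material: it tracks each client flow through SYN, SYN-ACK and ACK over constructed packet records and flags sources that probe many ports but complete few handshakes inside a short window. The record layout, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed packet records, not from a real capture:
# (time_s, src_ip, dst_ip, src_port, dst_port, set_of_tcp_flags)
def sample_packets() -> list:
    pkts = []
    for i, port in enumerate(range(20, 40)):      # 10.0.0.99 probes 20 ports in ~1 s
        t, sp = i * 0.05, 40000 + i
        pkts.append((t, "10.0.0.99", "10.0.0.5", sp, port, {"SYN"}))
        if port in (22, 25):                      # open: SYN-ACK back, scanner answers RST
            pkts.append((t + 0.001, "10.0.0.5", "10.0.0.99", port, sp, {"SYN", "ACK"}))
            pkts.append((t + 0.002, "10.0.0.99", "10.0.0.5", sp, port, {"RST"}))
        else:                                     # closed: server answers RST/ACK
            pkts.append((t + 0.001, "10.0.0.5", "10.0.0.99", port, sp, {"RST", "ACK"}))
    pkts += [(5.00, "192.168.1.100", "10.0.0.5", 51000, 443, {"SYN"}),   # normal client
             (5.01, "10.0.0.5", "192.168.1.100", 443, 51000, {"SYN", "ACK"}),
             (5.02, "192.168.1.100", "10.0.0.5", 51000, 443, {"ACK"})]
    return sorted(pkts, key=lambda p: p[0])

def track_handshakes(pkts: list) -> dict:
    """Client flow (src, dst, sport, dport) -> (state, syn_time); syn -> synack -> established, or rst."""
    flows = {}
    for t, src, dst, sp, dp, flags in pkts:
        fwd, rev = (src, dst, sp, dp), (dst, src, dp, sp)
        if flags == {"SYN"}:                                   # packet 1 of the handshake
            flows[fwd] = ("syn", t)
        elif flags == {"SYN", "ACK"} and rev in flows:         # packet 2, from the server
            flows[rev] = ("synack", flows[rev][1])
        elif "RST" in flags and rev in flows:                  # server refused (closed port)
            flows[rev] = ("rst", flows[rev][1])
        elif "ACK" in flags and flows.get(fwd, ("",))[0] == "synack":   # packet 3
            flows[fwd] = ("established", flows[fwd][1])
    return flows

def suspected_scanners(pkts, min_ports=10, max_completion=0.2, window_s=2.0) -> list:
    """Sources probing many ports, completing few handshakes, inside a short window."""
    per_src = defaultdict(lambda: {"syn": 0, "done": 0, "ports": set(), "times": []})
    for (src, dst, _sp, dp), (state, t0) in track_handshakes(pkts).items():
        s = per_src[src]
        s["syn"] += 1
        s["done"] += state == "established"
        s["ports"].add((dst, dp))
        s["times"].append(t0)
    return [src for src, s in per_src.items()
            if len(s["ports"]) >= min_ports
            and s["done"] / s["syn"] <= max_completion
            and max(s["times"]) - min(s["times"]) <= window_s]

if __name__ == "__main__":
    print("suspected scanners:", suspected_scanners(sample_packets()))
```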
ARP Spoofing Detection
ARP spoofing occurs when an attacker sends fraudulent ARP replies associating their MAC address with a legitimate IP address — typically the gateway. This poisons the ARP caches of other hosts, causing them to send traffic through the attacker (classic MITM setup).
- Look for duplicate ARP replies: two different MAC addresses claiming the same IP
- Wireshark filter: arp.opcode == 2 (ARP replies only)
- Check for a single MAC sending ARP replies for multiple IPs in quick succession
- Wireshark will flag these with a yellow info bar: 'Duplicate IP address detected'
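An added example (not from the original course material) that replays constructed ARP replies against a learned IP-to-MAC table and reports both patterns from the list above: one IP claimed by two different MACs, and one MAC claiming several IPs in quick succession. The MAC addresses, IPs and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP reply records (opcode 2), not from a real capture:
# (time_s, sender_mac, sender_ip)
ARP_REPLIES = [
    (0.0, "aa:bb:cc:00:00:01", "192.168.1.1"),     # real gateway answers
    (0.5, "aa:bb:cc:00:00:10", "192.168.1.10"),    # ordinary host
    (1.0, "de:ad:be:ef:00:99", "192.168.1.1"),     # second MAC claims the gateway IP
    (1.1, "de:ad:be:ef:00:99", "192.168.1.10"),    # same MAC now claims a host IP too
    (1.2, "de:ad:be:ef:00:99", "192.168.1.20"),
    (3.0, "aa:bb:cc:00:00:01", "192.168.1.1"),     # real gateway keeps answering
]

def arp_findings(replies, max_ips_per_mac=2, window_s=5.0) -> list:
    """Replay ARP replies against a learned IP->MAC table and report the two
    patterns above: one IP claimed by several MACs, one MAC claiming many IPs."""
    ip_to_macs = defaultdict(dict)     # ip  -> {mac: first_seen}
    mac_to_ips = defaultdict(dict)     # mac -> {ip: first_seen}
    findings = []
    for t, mac, ip in replies:
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            findings.append({"kind": "duplicate_ip", "time": t, "ip": ip,
                             "macs": sorted(ip_to_macs[ip]) + [mac]})
        ip_to_macs[ip].setdefault(mac, t)
        mac_to_ips[mac].setdefault(ip, t)
        recent = sorted(i for i, t0 in mac_to_ips[mac].items() if t - t0 <= window_s)
        if len(recent) == max_ips_per_mac + 1:    # report once, when the threshold is crossed
            findings.append({"kind": "many_ips", "time": t, "mac": mac, "ips": recent})
    return findings

if __name__ == "__main__":
    for finding in arp_findings(ARP_REPLIES):
        print(finding)
```

The first finding corresponds to the duplicate-IP condition Wireshark flags in the Info column; the second is the one-MAC-many-IPs pattern you would otherwise have to spot by eye.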
DNS Tunneling Indicators
DNS tunneling encodes data inside DNS queries and responses to bypass firewalls. The attacker controls a domain and its name server — all exfiltrated data travels as subdomains of that domain.
- Unusually long subdomain names (full domain name exceeding 100 characters)
- High frequency of DNS queries to the same parent domain
- Rare or unusual DNS record types in responses: TXT, NULL, CNAME with random-looking content
- High entropy in subdomain labels — random-looking strings instead of readable words
- Large DNS response sizes (normal DNS responses are under 512 bytes; suspicious ones may be much larger)
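An added example, not part of the original course material, that scores each parent domain against the five indicators above over constructed DNS query records. The thresholds, the two-label parent-domain rule, the sample domain under .test and the hex-looking labels are all assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query records, not from a real capture:
# (time_s, query_name, record_type, response_bytes)
def sample_queries() -> list:
    normal = [(i * 15.0, name, "A", 90) for i, name in enumerate(
        ["www.example.com", "mail.example.com", "cdn.example.com", "api.example.com"])]
    tunnel = []
    for i in range(12):                 # 12 queries in ~2.5 s with hex-looking labels
        l1 = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]
        l2 = hashlib.sha256(f"chunk{i}b".encode()).hexdigest()[:60]
        tunnel.append((50.0 + i * 0.2, f"{l1}.{l2}.t.tunnel-sample.test", "TXT", 900))
    return normal + tunnel

def shannon_entropy(s: str) -> float:
    """Bits per character: hex-encoded data approaches 4.0, readable labels sit far lower."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parent_domain(name: str) -> str:
    # Simplification: last two labels (a real tool would use the public suffix list)
    return ".".join(name.rstrip(".").split(".")[-2:])

RARE_TYPES = {"TXT", "NULL"}   # CNAME left out: common legitimately, needs content inspection

def tunnel_indicators(queries, min_per_minute=10, min_entropy=3.0) -> dict:
    """Score each parent domain against the indicators listed above (thresholds are assumptions)."""
    by_parent = defaultdict(list)
    for q in queries:
        by_parent[parent_domain(q[1])].append(q)
    report = {}
    for parent, qs in by_parent.items():
        qs.sort(key=lambda q: q[0])
        names = [q[1] for q in qs]
        subs = [n[: -len(parent) - 1].replace(".", "") for n in names]   # subdomain part only
        minutes = max(qs[-1][0] - qs[0][0], 60.0) / 60.0                # window floored at 1 min
        hits = {
            "long_names": max(map(len, names)) > 100,
            "high_frequency": len(qs) / minutes >= min_per_minute,
            "rare_types": sum(q[2] in RARE_TYPES for q in qs) / len(qs) >= 0.5,
            "high_entropy": max(map(shannon_entropy, subs)) >= min_entropy,
            "large_responses": max(q[3] for q in qs) > 512,
        }
        hits["suspicious"] = sum(hits.values()) >= 3
        report[parent] = hits
    return report
```

Calling tunnel_indicators(sample_queries()) marks tunnel-sample.test on all five indicators and leaves example.com clean; in practice you would feed it the (time, name, type, length) columns exported from the dns display filter.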
ICMP Flood Detection
An ICMP flood (ping flood) sends a massive volume of ICMP Echo Request packets to overwhelm the target. In a capture, you will see thousands of ICMP packets from one or more sources to a single destination, with very small inter-packet gaps.
- Wireshark filter: icmp and icmp.type == 8 (Echo Requests only)
- High packets-per-second rate from the same source
- In a DDoS, source IPs are spoofed and highly varied
- Look at Statistics → Conversations to quickly see top talkers
TLS Certificate Inspection
Even without decrypting TLS traffic, you can inspect the certificate presented during the handshake. Wireshark dissects the Certificate message within the TLS handshake.
- Check the Subject CN or SAN — does it match the destination domain?
- Check the issuer — is it a recognized public CA or a self-signed cert?
- Check validity dates — expired certificates may indicate malware C2 infrastructure
- Look for certificates issued for suspicious domains: IP addresses as CN, wildcard misuse, newly registered domains
Practical Analysis Workflow
Start with statistics: use Statistics → Protocol Hierarchy to understand the traffic mix, and Statistics → Conversations to identify top talkers.
Apply broad filters first (e.g., show only DNS, or only traffic from a suspect IP), then narrow down to specific packets of interest.
Follow TCP streams (right-click → Follow → TCP Stream) to reconstruct the full application-layer conversation between two endpoints.
Export objects: File → Export Objects → HTTP allows you to reconstruct files transferred over unencrypted HTTP directly from the capture.
Use time deltas: enable the Time column in relative format to spot unusually long delays (server processing time) or suspiciously regular intervals (beaconing malware).