Wireshark: Capture, Filter & Inspect packets within seconds (2016 version)


In this example, we are going to use a .pcap file from the malware-traffic-analysis site. We have chosen to use a sample which would hold exploit kit behavior.

Download the .pcap file from the official site, and double click on the downloaded .pcap file. If everything worked correctly, you should see this screen.

Malicious Wireshark Traffic example
Malicious Traffic example

The exercise challenges us to answer the following questions:

  • What is the host name of the Windows computer that gets infected?
    • Use the NBNS protocol to find the answer.
  • What is the IP address of the Windows computer that gets infected?
    • Once you have found the host name, you will be able to find the IP in the Source tab.
  • What is the MAC address of the Windows computer that gets infected?
    • Click on the host that has been infected, and search for the Src: mac address.

Usefull resources

Malware-Traffic-Analysis.net – The perfect website to deep dive into malware traffic analysis with Wireshark or any other network analysis tool that is capable of reading .pcap files.

Wireshark.org – The official wireshark site holds a WIKI, on the WIKI you can find answers, tips and guides.

HowToGeek – The HowToGeek tutorial is from 2014, but it still contains usefull information.

If you still have questions left, feel free to leave a comment or use the Cyberwarzone forum