Important Wireshark filters

We will look at some Wireshark display filters that are useful in malware analysis. They are applied to the pcap captured during dynamic malware analysis.

Why do we need to do this?

  • It removes the noise from the pcap
  • It makes it easy to extract IoCs (e.g. domains, IP addresses) from the pcap
  • It gives an understanding of the network behaviour observed during dynamic malware analysis

Wireshark display columns setup

Before proceeding, I highly recommend following these two tutorials to modify Wireshark's column settings; it will make the analysis much easier and more efficient.

Wireshark display filters

  • !(ssdp or udp)
    A negated filter: it hides every packet of the named protocols. Use it when you want to remove noise from a specific protocol.

  • dns or http
    Shows all packets carrying DNS or HTTP.
    A good starting point in the analysis for spotting suspicious DNS requests or HTTP traffic that could identify the CC (command-and-control) server.

  • ip.addr == 192.168.0.1
    Same as: ip.src == 192.168.0.1 or ip.dst == 192.168.0.1
    Matches both the source and the destination address in the IP header.
    Useful when you already know the IP address of the CC or of the victim machine.

  • http.request
    Displays all types of HTTP request, e.g. GET, POST.
    Also a good starting point to check whether the malware sends any HTTP request to the CC.

  • http contains "Mozilla/5.0"
    Searches for the string anywhere in the HTTP protocol data.
    Very useful when you are looking for a specific string.

  • http contains 6d:73:77:6f:72:64
    You can also search for hex bytes instead of an ASCII string.
    6d:73:77:6f:72:64 is the ASCII encoding of "msword".

  • http.file_data matches "^MZ"
    Matches the given case-insensitive Perl-compatible regular expression (PCRE) against file_data.
    It can be used to match the magic bytes of any file type present in the HTTP file data.

  • ssl.handshake.type == 1
    Matches SSL/TLS Client Hello handshake messages.
    Good for extracting the CC of malware that uses SSL.

  • tcp.port == 1300
    Same as: tcp.dstport == 1300 or tcp.srcport == 1300
    Matches the source or destination port of a TCP segment.
    Useful when malware uses a custom port to communicate with its CC, e.g. DarkComet.

  • tcp.port == 1300 and tcp.flags == 0x2
    Filters on the port and on TCP segments with only the SYN flag set (0x2), i.e. new connection attempts.
    Useful to remove noise and extract the CC.

Note: When you enter an invalid filter in Wireshark, the filter bar turns red.

Download pcap

I highly recommend downloading the infection traffic pcap from this link and practicing the different display filters. After going through the pcap, I was able to create the following display filter, which shows all valid IoCs and removes the noise from the pcap.

http.request or dns.qry.name matches "(hopto|ddns)" or ssl.handshake.type == 1
or (tcp.flags == 0x2 and not tcp.dstport in {443 80})
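The filter above can be checked offline without Wireshark: the added example below (my own code, not part of the original post) re-implements it in Python over per-packet field records of the kind `tshark -T fields` exports, and also derives the colon-separated hex form used earlier for `http contains`. The packet records are constructed sample values, and the `tls.handshake.type` key is the name newer Wireshark versions use for `ssl.handshake.type`.

```python
import re

# Constructed sample records, one dict per packet, keyed by Wireshark field name.
# Not taken from any real capture.
SAMPLE_PACKETS = [
    {"http.request": True, "tcp.dstport": 80},         # plain HTTP request
    {"dns.qry.name": "update.example.hopto.org"},       # dynamic-DNS lookup
    {"dns.qry.name": "www.example.com"},                # ordinary DNS: noise
    {"tls.handshake.type": 1, "tcp.dstport": 443},      # TLS Client Hello
    {"tcp.flags": 0x2, "tcp.dstport": 1300},            # SYN to a custom port
    {"tcp.flags": 0x2, "tcp.dstport": 443},             # SYN to 443: noise
    {"tcp.flags": 0x18, "tcp.dstport": 1300},           # PSH/ACK, not a SYN
    {"udp.dstport": 1900},                              # SSDP: noise
]

# Wireshark's 'matches' operator is case-insensitive, so mirror that here.
DYNDNS_RE = re.compile(r"(hopto|ddns)", re.IGNORECASE)
SYN_ONLY = 0x2              # tcp.flags == 0x2: SYN set, nothing else
NORMAL_PORTS = {443, 80}    # tcp.dstport in {443 80}


def is_ioc(pkt):
    """Python equivalent of:
    http.request or dns.qry.name matches "(hopto|ddns)"
      or ssl.handshake.type == 1
      or (tcp.flags == 0x2 and not tcp.dstport in {443 80})
    """
    if pkt.get("http.request"):
        return True
    qname = pkt.get("dns.qry.name")
    if qname and DYNDNS_RE.search(qname):
        return True
    if pkt.get("tls.handshake.type") == 1:
        return True
    if pkt.get("tcp.flags") == SYN_ONLY and pkt.get("tcp.dstport") not in NORMAL_PORTS:
        return True
    return False


def filter_iocs(packets):
    """Keep only the packets the display filter would show."""
    return [p for p in packets if is_ioc(p)]


def to_wireshark_hex(text):
    """ASCII string -> colon-separated hex accepted by 'contains',
    e.g. 'msword' -> '6d:73:77:6f:72:64'."""
    return ":".join(f"{b:02x}" for b in text.encode("ascii"))
```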

Thanks for reading. Feel free to connect with me on LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊
