Important Wireshark filters


This post walks through some Wireshark display filters that are useful in malware analysis. They are applied to the pcap captured while the sample runs during dynamic analysis, to cut the capture down to the packets that matter.

Why do we need this?

  • It removes the noise from the pcap
  • It makes it easy to extract IoCs (e.g. domains, IP addresses) from the pcap
  • It gives an understanding of the sample's network behaviour during dynamic malware analysis

Wireshark display columns setup

Before proceeding, I highly recommend following these two tutorials on changing Wireshark's column settings; it makes the analysis much easier and more efficient.

Wireshark display filters

Display filter, followed by comments:

  • !(ssdp or udp)
    Negation: hides every packet that matches the expression in parentheses. Use it to drop noise from protocols you are not interested in. Note that this particular example also hides DNS, since DNS runs over UDP.

  • dns or http
    Shows every packet dissected as DNS or HTTP. A good starting point for checking for suspicious DNS requests or HTTP traffic that identifies the C2.

  • ip.addr == 192.168.0.1 (same as ip.src == 192.168.0.1 or ip.dst == 192.168.0.1)
    Matches against both the source and the destination address in the IP header. Useful when you already know the IP address of the C2 or of the victim machine.

  • http.request
    Shows all types of HTTP request (GET, POST, etc.). Another good starting point for checking whether the malware sends any HTTP request to its C2.

  • http contains "Mozilla/5.0"
    Searches for the given byte string anywhere in the HTTP layer. Very useful when you are looking for a specific string, such as a User-Agent.

  • http contains 6d:73:77:6f:72:64
    The same search with the string written as hex bytes instead of ASCII: 6d:73:77:6f:72:64 is "msword".

  • http.file_data matches "^MZ"
    Matches a Perl-compatible regular expression (PCRE) against the HTTP body; matches is case-insensitive by default. Use it to look for the magic bytes of a file type carried in an HTTP body, here MZ for a Windows executable.

  • ssl.handshake.type == 1
    Matches the SSL/TLS Client Hello. Good for extracting the C2 of malware that uses SSL/TLS, because the Client Hello carries the server name (SNI) in clear text. In Wireshark 3.0 and later the protocol was renamed, so the field is tls.handshake.type.

  • tcp.port == 1300 (same as tcp.dstport == 1300 or tcp.srcport == 1300)
    Matches either the source or the destination TCP port. Useful when malware uses a custom port to talk to its C2, e.g. DarkComet.

  • tcp.port == 1300 and tcp.flags == 0x2
    Filters on the port and on the TCP flags being exactly SYN, i.e. only connection attempts. Useful for removing the rest of a flow's noise and extracting the C2 address; tcp.flags.syn == 1 and tcp.flags.ack == 0 expresses the same condition more readably.


Note: when you enter an invalid filter, the background of Wireshark's filter bar turns red; a valid filter turns it green, and yellow means the filter is accepted but may not do what you expect (for example != on a field that occurs twice in a packet).

Video Tutorial

Apologies for bad sound quality

Download pcap

I highly recommend downloading the infection-traffic pcap from this link and practising the different display filters on it. After going through that pcap, I came up with the following display filter, which shows all the valid IoCs and removes the rest of the noise:

http.request or dns.qry.name matches "(hopto|ddns)" or ssl.handshake.type == 1
or (tcp.flags == 0x2 and not tcp.dstport in {443 80})

Clause by clause: http.request keeps every HTTP request; dns.qry.name matches "(hopto|ddns)" keeps lookups of dynamic-DNS names (the regular expression is case-insensitive); ssl.handshake.type == 1 keeps every Client Hello, whose SNI names the TLS server; and the last clause keeps SYN packets to any destination port other than 443 and 80, i.e. connection attempts on custom ports. Two version notes: in Wireshark 3.0 and later the Client Hello clause is written tls.handshake.type == 1, and Wireshark 4.0 and later require commas between the members of a set, tcp.dstport in {443, 80}.
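As an added example that is not part of the original post, the Python below re-implements the logic of this final filter over a handful of constructed packets, so you can see which bytes each Wireshark field actually tests: the DNS question name for dns.qry.name, the request line and Host header for http.request, the handshake-type byte and the SNI extension for the Client Hello clause, and the TCP flags plus destination port for the SYN clause. The hosts (under example.test and hopto.org), the addresses in 203.0.113.0/24, the packet records and every helper name are assumptions made up for illustration; the script needs only the standard library and runs offline.

```python
"""Added example (not from the original post): the post's final IoC display
filter re-implemented over constructed packets. Hosts, addresses and packet
records below are assumptions made up for illustration."""
import re
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08   # TCP flag bits as Wireshark's tcp.flags shows them


def dns_qname(dns_msg: bytes) -> str:
    """First question name of a DNS message (what dns.qry.name matches on)."""
    pos, labels = 12, []            # 12-byte header: id, flags, four counts
    while dns_msg[pos]:
        n = dns_msg[pos]
        labels.append(dns_msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def http_request(payload: bytes):
    """(method, host) if payload starts with an HTTP request line (http.request), else None."""
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    m = re.match(rb"^([A-Z]+) \S+ HTTP/1\.[01]$", head[0])
    if not m:
        return None
    host = None
    for line in head[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii")
    return m.group(1).decode("ascii"), host


def tls_client_hello_sni(record: bytes):
    """SNI of a TLS ClientHello (tls.handshake.type == 1); None if not a ClientHello."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                          # skip client_version + random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
            n = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + n].decode("ascii")
        pos += elen
    return ""            # ClientHello without an SNI extension


def extract_iocs(packets):
    """Apply the same rules as the display filter and return the IoCs it surfaces."""
    iocs = set()
    for p in packets:
        if p["proto"] == "udp" and p["dport"] == 53:
            name = dns_qname(p["payload"])
            # dns.qry.name matches "(hopto|ddns)"; case-insensitive like Wireshark's matches
            if re.search(r"(hopto|ddns)", name, re.I):
                iocs.add(("dns", name))
        elif p["proto"] == "tcp":
            req = http_request(p["payload"])
            sni = tls_client_hello_sni(p["payload"])
            if req:                                                  # http.request
                iocs.add(("http", req[1]))
            elif sni is not None:                                    # tls.handshake.type == 1
                iocs.add(("tls", sni))
            elif p["flags"] == SYN and p["dport"] not in (80, 443):  # SYN to a custom port
                iocs.add(("tcp", f"{p['dst']}:{p['dport']}"))
    return iocs


# --- constructed sample traffic (assumed, not from any real capture) ---------
def build_dns_query(name: str) -> bytes:
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00\x01\x00\x01"


def build_client_hello(sni: str) -> bytes:
    name = sni.encode("ascii")
    sn_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"         # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def pkt(proto, dst, dport, flags=0, payload=b"", src="192.168.0.10"):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "flags": flags, "payload": payload}


SAMPLE_PACKETS = [   # four noise packets and four that the filter should keep
    pkt("udp", "239.255.255.250", 1900, payload=b"M-SEARCH * HTTP/1.1\r\n\r\n"),      # SSDP noise
    pkt("udp", "192.168.0.1", 53, payload=build_dns_query("www.microsoft.com")),     # benign lookup
    pkt("udp", "192.168.0.1", 53, payload=build_dns_query("update-srv.hopto.org")),  # dynamic-DNS C2
    pkt("tcp", "203.0.113.5", 80, SYN),                                              # SYN to 80: excluded
    pkt("tcp", "203.0.113.5", 80, PSH | ACK,
        b"GET /gate.php HTTP/1.1\r\nHost: panel.example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    pkt("tcp", "203.0.113.6", 443, PSH | ACK, build_client_hello("c2.example.test")),
    pkt("tcp", "203.0.113.7", 1300, SYN),                                            # custom C2 port
    pkt("tcp", "203.0.113.7", 1300, ACK),                                            # same flow, not a SYN
]

if __name__ == "__main__":
    for kind, value in sorted(extract_iocs(SAMPLE_PACKETS)):
        print(f"{kind:5} {value}")
```

Running it lists one DNS name, one HTTP host, one TLS SNI and one address:port, and nothing from the SSDP, benign-DNS, port-80 SYN or bare-ACK packets. On a real pcap the same filter can be applied outside the GUI with tshark -r file.pcap -Y '<display filter>', which is convenient for scripting IoC extraction over many captures.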


Hope you enjoyed the post, please comment if you have any suggestions/feedbacks….
