Full Report
Troy Wojewoda // In honor of Shark Week, I decided to write this blog to demonstrate various techniques I've found useful when analyzing network traffic with Wireshark, as well as […] The post Welcome to Shark Week: A Guide for Getting Started with Wireshark and TShark appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Wireshark and TShark
## Overview
Wireshark and its command-line counterpart, TShark, are the de facto standard tools for analyzing captured network traffic. They are network protocol analyzers that dissect (decapsulate) each layer of a packet so the communication between hosts can be examined, for purposes ranging from troubleshooting to unraveling malicious activity.
## Technical Details
- Type: Tool
- Platform: Multi-platform (analysis machine)
- Capabilities: Packet capture analysis, layer decapsulation, time display formatting, network name resolution (MAC, IP, Port), command-line processing via TShark.
- First Seen: Wireshark has been a long-standing tool; the article references version 4.0.7 (as of publication).
## MITRE ATT&CK Mapping
Since Wireshark and TShark are analysis and defense tools, no adversary TTPs map directly to them. Their output does, however, support defensive work against the following tactics:
- TA0005 - Defense Evasion (decoded traffic can expose evasion attempts)
- TA0006 - Credential Access (decoded traffic can reveal credentials transmitted in the clear)
- TA0007 - Discovery (decoded traffic can reveal scanning and enumeration activity)
## Functionality
### Core Capabilities
- **Packet Analysis:** Analyzing captured network traffic by dissecting layers of network communication.
- **Time Display Customization:** Allows analysts to select display formats for timestamps (e.g., UTC Date and Time of Day).
- **Name Resolution Control:** Ability to resolve MAC addresses (OUI), IP addresses (Reverse DNS), and TCP/UDP ports to human-readable names.
- **Command-Line Analysis (TShark):** Enables scripting and automation of traffic analysis tasks.
### Advanced Features
- **OUI Resolution:** Translates the first three octets of a MAC address to the assigned vendor name.
- **Reverse DNS Resolution:** Performs lookups on source/destination IP addresses.
- **Protocol Association:** Maps TCP/UDP ports to associated application protocols (e.g., Port 80 to HTTP).
- **Data Extraction and Processing:** TShark can pipe output to standard Unix utilities (`sort`, `uniq`) for statistical analysis and summarization of packet fields (like User Agents).
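The TShark field-extraction pipeline described above, as an added shell example that is not part of the original post: it assumes `tshark` is installed and that a pcap path is passed as the first argument, dumps one HTTP User-Agent per request, counts distinct values, and then isolates the rare ones an analyst would want to review.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes tshark is installed and
# that $1 is a pcap file; summarize/rare work on any text fed to stdin.

# Dump one User-Agent string per HTTP request from a capture.
# -r reads the file, -Y applies a display filter, -T fields/-e selects the field.
extract_user_agents() {
    tshark -r "$1" -Y 'http.request' -T fields -e http.user_agent
}

# Count distinct User-Agent strings read from stdin, most common first.
# Output format: <count><TAB><user-agent>  (blank lines are skipped)
summarize_user_agents() {
    awk 'NF { n[$0]++ } END { for (ua in n) printf "%d\t%s\n", n[ua], ua }' \
        | sort -k1,1nr -k2
}

# From summarize_user_agents output, keep only entries seen at most $1 times
# (default 1). In a busy capture, rare User-Agents are worth a second look:
# scripted tooling, unusual clients, or strings mimicking real browsers.
rare_user_agents() {
    awk -F '\t' -v max="${1:-1}" '$1 <= max { print $2 }'
}

# Whole pipeline, as typed on the command line:
#   extract_user_agents capture.pcap | summarize_user_agents
#   extract_user_agents capture.pcap | summarize_user_agents | rare_user_agents
```

Replacing `http.user_agent` with another field name (for example `dns.qry.name` with `-Y 'dns.flags.response == 0'`) turns the same pipeline into a quick summary of any field TShark can dissect.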
## Indicators of Compromise
This tool *identifies* IOCs; it does not generate them. IOCs would be *derived* from its output, such as:
- File Hashes: N/A (Tool focus)
- File Names: N/A (Tool focus)
- Registry Keys: N/A (Tool focus)
- Network Indicators: Raw IP addresses or fully qualified domain names extracted during protocol analysis (must be defanged if listed).
- Behavioral Indicators: Identification of unusual protocols on non-standard ports or repetitive connection patterns within captured data.
## Associated Threat Actors
N/A. Wireshark/TShark are freely used by security professionals, defenders, and malicious actors alike for analysis and reconnaissance.
## Detection Methods
Detection focuses on monitoring for the *execution* or *output* of TShark/Wireshark in unauthorized contexts, or detecting network activity that appears suspicious *after* analysis.
- Signature-based detection: Signatures for the Wireshark/TShark executables being run on endpoints where they are not expected.
- Behavioral detection: Monitoring for unusual data filtering or mass data export processes typical during forensic analysis activities.
- YARA rules: N/A (Tool focus)
## Mitigation Strategies
- **Tool Security:** Keep Wireshark updated to the latest version to patch known bugs and vulnerabilities.
- **Environment Isolation:** Utilize Wireshark within a virtual environment, especially when analyzing packet captures from untrusted sources/zones, to ensure the analysis machine does not become compromised.
- **Time Synchronization:** Ensure the system clock of the capture machine is synchronized (e.g., via NTP against a trusted time source, following NIST or CISA guidance) so that timestamps stay accurate for correlation across data sources.
- **OPSEC Consideration:** Disable automatic name resolutions (Reverse DNS, Port Association) if privacy or operational security is a concern during analysis.
## Related Tools/Techniques
- Packet capture utilities (e.g., tcpdump)
- Network forensics and detection techniques