Mar 7

Network Forensics with Wireshark Deep Dive

MT
Mindli Team

AI-Generated Content

In today's interconnected world, a network breach is a matter of "when," not "if." When an incident occurs, network forensics—the application of investigative techniques to capture, record, and analyze network traffic—becomes critical for understanding the scope, identifying the root cause, and collecting evidence. Wireshark, the world's foremost network protocol analyzer, is an indispensable tool for this task. This deep dive moves beyond basic packet sniffing to explore the advanced methodologies an investigator uses to dissect complex attacks, reconstruct timelines, and automate analysis within a high-stakes forensic context.

Advanced Capture and Display Filter Construction

The foundation of any efficient investigation is collecting the right data. Capturing everything an interface sees (promiscuous mode with no filter) produces excessively large files. Capture filters, applied during data collection using Berkeley Packet Filter (BPF) syntax, restrict what is saved to disk. For a forensic investigation, you must construct precise filters. For example, to capture only DNS queries and replies to or from a suspect IP, you might use: host 192.168.1.100 and port 53. To exclude noisy broadcast traffic from your capture, you would append: and not broadcast and not multicast.

Once you have a packet capture (PCAP), display filters are your primary lens for analysis. These are far more powerful and flexible than capture filters, and optimizing them is key. Use comparison operators (==, !=, >, <), the set-membership operator in, and logical operators (and, or, !). To filter for all HTTP POST requests involving a specific subnet, you could use: (http.request.method == "POST") && (ip.src==192.168.10.0/24 or ip.dst==192.168.10.0/24); the matching responses are found by following the same TCP stream. Mastering display filters like tcp.stream eq 5 to follow a complete conversation, or tcp.analysis.flags to find abnormal TCP behaviors, turns a haystack of packets into a manageable set of needles.

Protocol-Specific Forensic Analysis Techniques

A forensic analyst must think like the protocols they examine. Each protocol reveals different artifacts.

  • HTTP/HTTPS Analysis: For unencrypted HTTP, inspect the Hypertext Transfer Protocol section in the packet details. Look for GET or POST requests to unusual URIs, abnormal User-Agent strings, or command-and-control traffic masquerading as web traffic. With encrypted HTTPS (TLS), you cannot see the payload, but the metadata is valuable. Analyze the Client Hello packet to see the list of requested cipher suites (outdated suites can indicate scanning tools) and the Server Name Indication (SNI) extension, which reveals the requested domain name even though the traffic is encrypted.
  • DNS Forensics: Malware often uses DNS for command and control (C2) or data exfiltration. Look for signs beyond simple name resolution. Detect DNS tunneling by examining unusually long subdomains (e.g., abc123def456.malicious.com), high query frequency to a single domain, or requests for TXT records, which can carry payloads. A sudden spike in NXDOMAIN (non-existent domain) responses can indicate malware searching for its C2 server via domain generation algorithms (DGA).
  • SMB Analysis: The Server Message Block protocol is a prime target for lateral movement and ransomware. Use the filter smb2 or smb to isolate this traffic. Forensic clues include repeated failed authentication attempts (NT_STATUS_LOGON_FAILURE), which indicate brute-force attacks, and Tree Connect requests to administrative shares like \\server\ADMIN$ from unexpected workstations.

Identifying Malicious Traffic Patterns and Extracting Artifacts

Beyond protocol details, you must recognize broader attack signatures. A rapid succession of SYN packets to many different ports on a single host indicates a port scan. A TCP SYN flood denial-of-service attack will appear as a vast number of SYN packets without completing the three-way handshake. You can visualize this using Wireshark’s Statistics > Flow Graph feature.

Artifact extraction is a core forensic function. Wireshark allows you to pull out files transferred over the network. For HTTP, use File > Export Objects > HTTP to recover downloaded files or uploaded documents. For SMB, you can reconstruct transferred files via File > Export Objects > SMB. For any TCP stream, you can export the raw data of the entire conversation (right-click a packet > Follow > TCP Stream > Save as Raw) to examine exfiltrated data or payloads. Always calculate and verify file hashes (like MD5 or SHA-256) of extracted artifacts for evidentiary integrity.

Timeline Reconstruction and Automated Scripting

Network events are inherently chronological. Timeline reconstruction is critical for understanding the sequence of an attack. Use Wireshark’s Time column (set to Seconds Since Beginning of Capture) and the Statistics > Conversations tool to map out when communications began and ended. Filtering by a specific IP and sorting by time can show the progression of an attack: initial reconnaissance (scanning), exploitation (specific payload delivery), and post-exploitation (C2, lateral movement, exfiltration).

For large-scale investigations, manual analysis is impractical. This is where Wireshark scripting with TShark (the command-line version) and Lua or Python becomes essential. You can write scripts to automate repetitive tasks. For instance, a Python script using the pyshark library could iterate through a PCAP, extract all DNS queries for a suspicious domain, output the source IPs, and calculate the query frequency. A Lua script within Wireshark could create a custom dissector to decode a proprietary or obfuscated protocol used by malware. Automation ensures consistency and allows you to process evidence at scale.
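As an added example (not code from the original article), here is the DNS triage script this paragraph and the DNS Forensics bullet describe, written against the Python standard library rather than pyshark so it runs without tshark installed. It consumes tab-separated tshark -T fields output (a constructed sample is embedded; the tshark command in the comment is the assumed producer) and flags long subdomain labels, TXT-heavy queries, high per-domain query rates, and NXDOMAIN responses.

```python
from collections import defaultdict

# Constructed sample shaped like tab-separated `tshark -T fields` output. The
# assumed producer (not executed here) is:
#   tshark -r evidence.pcap -Y dns -T fields -e frame.time_epoch -e ip.src \
#     -e dns.flags.response -e dns.qry.name -e dns.qry.type -e dns.flags.rcode
# qtype 1 = A, 16 = TXT; rcode 3 = NXDOMAIN. All hosts and names are made up.
SAMPLE = """\
1709800000.10\t192.168.1.100\t0\twww.example.com\t1\t0
1709800001.00\t192.168.1.100\t0\tabc123def456ghi789jkl012mno345pqr.malicious.com\t16\t0
1709800002.00\t192.168.1.100\t0\t9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b.malicious.com\t16\t0
1709800003.00\t192.168.1.100\t0\tzz01yy02xx03ww04vv05uu06tt07ss08rr.malicious.com\t16\t0
1709800004.00\t192.168.1.100\t0\tqwpzkxjv.net\t1\t0
1709800004.05\t10.0.0.53\t1\tqwpzkxjv.net\t1\t3
1709800005.00\t192.168.1.100\t0\tmxbvrtqp.org\t1\t0
1709800005.05\t10.0.0.53\t1\tmxbvrtqp.org\t1\t3
"""

def parse_fields(text):
    """One dict per non-empty line; names lowercased, trailing dot stripped."""
    rows = []
    for line in filter(None, text.splitlines()):
        t, src, resp, name, qtype, rcode = line.split("\t")
        rows.append({"time": float(t), "src": src, "response": resp == "1",
                     "name": name.lower().rstrip("."), "qtype": int(qtype), "rcode": int(rcode)})
    return rows

def registered_domain(name):
    """Naive: last two labels (a real tool would consult the Public Suffix List)."""
    return ".".join(name.split(".")[-2:])

def triage(rows, max_label=30, txt_ratio=0.5, min_rate=1.0):
    """Per registered domain: flag long labels, TXT-heavy queries, high query rate."""
    by_domain = defaultdict(list)
    for q in (r for r in rows if not r["response"]):
        by_domain[registered_domain(q["name"])].append(q)
    findings = {}
    for dom, qs in by_domain.items():
        longest = max(len(q["name"].split(".")[0]) for q in qs)
        txt = sum(q["qtype"] == 16 for q in qs) / len(qs)
        span = max(q["time"] for q in qs) - min(q["time"] for q in qs)
        rate = len(qs) / max(span, 1.0)  # queries per second, span floored at 1 s
        reasons = [msg for hit, msg in (
            (longest >= max_label, f"subdomain label of {longest} chars"),
            (txt >= txt_ratio, f"{txt:.0%} TXT queries"),
            (len(qs) >= 3 and rate >= min_rate, f"{rate:.1f} queries/s")) if hit]
        if reasons:
            findings[dom] = {"queries": len(qs), "sources": sorted({q["src"] for q in qs}),
                             "reasons": reasons}
    nxdomain = [r["name"] for r in rows if r["response"] and r["rcode"] == 3]
    return findings, nxdomain  # many distinct NXDOMAIN names suggests DGA probing
```

Thresholds are starting points to tune against the environment's baseline; the findings dict gives the source IPs and reasons per domain, which is what the text asks the script to output.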

Common Pitfalls

  1. Neglecting Context with Overly Aggressive Filters: Applying a display filter too early can hide crucial context. If you filter only for http, you might miss the DNS query that resolved the malicious domain or the preceding TCP scan that identified the open port 80. Always analyze the full stream (tcp.stream) and examine traffic slightly before and after the event of interest.
  2. Misinterpreting Encrypted Traffic as Benign: The presence of TLS (the lock icon) does not mean traffic is safe. Malware routinely uses encrypted channels to hide C2 traffic. Focus on the TLS handshake metadata (SNI, certificates, cipher suites) and behavioral patterns (timing, volume, destination) to identify malicious encrypted flows.
  3. Failing to Document the Forensic Process: From the moment you start a capture, you must maintain a chain of custody. This means documenting how the PCAP was obtained (interface, filter used, time), hashing the file immediately after capture, and noting every analytical step. Not doing this can render your evidence inadmissible in legal proceedings.
  4. Ignoring Time Synchronization: If the clocks on the capturing system and the network devices are not synchronized, your reconstructed timeline will be inaccurate and misleading. Always note timezone settings and consider using Network Time Protocol (NTP) timestamps present in packets for correlation.

Summary

  • Wireshark is a forensic platform, not just a sniffer. Mastery of advanced capture filters (BPF syntax) and display filters is the first step to efficient, targeted analysis.
  • Forensic analysis requires protocol-level expertise. Understand the specific artifacts and anomalies within HTTP/HTTPS, DNS, and SMB that indicate malicious activity, such as C2 communication, data exfiltration, or lateral movement.
  • The core tasks of network forensics are pattern recognition (scanning, floods), artifact extraction (exported files, stream data), and timeline reconstruction to establish the attack narrative.
  • Automation via TShark and scripting (Lua/Python) is necessary for handling large-scale incidents, ensuring consistent analysis, and decoding custom protocols.
  • Always maintain forensic integrity by documenting your process, preserving the chain of custody, and validating findings with multiple data points to avoid common analytical pitfalls.