Wireshark Threat Hunting – From Packets to Indicators [HTTP: DEEP-DIVE]

This entry is part 17 of 7 in the series Digital Forensics and Incident Response


HTTP/HTTP2 Deep-Dive — Wireshark DFIR
HTTP Request Methods & Traffic Classification
All HTTP Method Filters

Standard Methods
http.request.method == "GET" | Read resource
http.request.method == "POST" | Submit data / C2 check-in
http.request.method == "PUT" | Create/replace resource
http.request.method == "PATCH" | Partial update
http.request.method == "DELETE" | Delete resource
http.request.method == "HEAD" | Headers only — recon
http.request.method == "OPTIONS" | CORS preflight / recon
http.request.method == "TRACE" | Loop-back debug (XST risk)
http.request.method == "CONNECT" | Proxy tunneling (C2)

Anomalous Method Combinations (T1071.001)
http.request.method in {"PUT" "DELETE" "PATCH" "TRACE" "CONNECT"} | Unusual — investigate
http.request.method == "OPTIONS" && http.response.code == 200 | CORS permitted — check Allow header
http.request.method == "TRACE" && http.response.code == 200 | TRACE enabled — XST vector
http.request.method == "CONNECT" && tcp.dstport == 443 | HTTPS proxy tunnel
http.request.method == "CONNECT" && tcp.dstport != 443 | Non-HTTPS tunnel (very suspicious)

WebDAV Methods (T1505)
http.request.method in {"PROPFIND" "MKCOL" "COPY" "MOVE" "LOCK"} | WebDAV ops (file server access)
http.request.method == "PROPFIND" | Directory listing via WebDAV
http.request.method == "PUT" && http.request.uri contains ".aspx" | Webshell upload via PUT
Request Volume & Anomaly Patterns

Request Rate Indicators
http.request && ip.src == <ip> | All requests from one source
http.request && http.request.method == "GET" && http.content_length == 0 | Empty GETs (beacon heartbeat)
http.request && !http.user_agent | Requests without User-Agent
http.request.method == "POST" && http.content_length == 0 | Empty POST (probe)

Content-Length Anomalies
http.content_length > 1000000 | Large body (>1MB) — exfil/upload
http.request.method == "POST" && http.content_length > 100000 | Large POST body
http.content_length > 0 && http.request.method == "GET" | GET with body (unusual)
http.transfer_encoding contains "chunked" | Chunked — evasion technique

Protocol Version Anomalies
http.request.version == "HTTP/1.0" | Legacy — automated/scripted
http.request.version == "HTTP/0.9" | Very old — tool fingerprint
http.request && !http.connection | Missing Connection header
http.accept_encoding contains "identity" | No compression accepted (tools)
URL Path & File Access Analysis
File & Directory Path Filters (http.request.uri)

Admin & Management Panels (T1078)
http.request.uri contains "/admin" | Admin panel access
http.request.uri contains "/wp-admin" | WordPress admin
http.request.uri contains "/wp-login" | WordPress login
http.request.uri contains "/phpmyadmin" | phpMyAdmin
http.request.uri contains "/manager/html" | Tomcat manager
http.request.uri contains "/console" | JBoss/WebLogic console
http.request.uri contains "/.env" | .env secrets file
http.request.uri contains "/.git" | Git repository exposure
http.request.uri contains "/.svn" | SVN repository exposure
http.request.uri contains "/actuator" | Spring Boot actuator (RCE risk)
http.request.uri contains "/solr" | Apache Solr admin

Config & Sensitive File Access
http.request.uri contains "config.php" | PHP config (creds)
http.request.uri contains "web.config" | ASP.NET config
http.request.uri contains "settings.py" | Django settings
http.request.uri contains "application.properties" | Spring config
http.request.uri contains "id_rsa" | SSH key access attempt
http.request.uri contains "backup" | Backup file access
http.request.uri matches ".*\.(bak|old|orig|swp|~)$" | Backup file extensions
http.request.uri contains "/etc/passwd" | LFI — Unix cred file
http.request.uri contains "/etc/shadow" | LFI — Unix password hashes
http.request.uri contains "wp-config.php" | WordPress DB creds

API & Upload Endpoints
http.request.uri contains "/api/v" | API versioned endpoint
http.request.uri contains "/graphql" | GraphQL endpoint (introspect risk)
http.request.uri contains "/upload" | File upload endpoint
http.request.uri contains "/swagger" | Swagger/OpenAPI docs (recon)
http.request.uri contains "/v2/api-docs" | Springfox API docs
Response Code Analysis (T1595)

Success & Redirect Codes
Filter | Code | DFIR Context
http.response.code == 200 | OK | Successful — confirms resource exists
http.response.code == 201 | Created | Resource created (file upload, webshell)
http.response.code == 301 | Moved | Permanent redirect
http.response.code == 302 | Found | Temp redirect — post-login bounce

Auth & Forbidden Codes
Filter | Code | DFIR Context
http.response.code == 400 | Bad Request | Malformed request — fuzzing indicator
http.response.code == 401 | Unauthorized | Auth required — brute force target
http.response.code == 403 | Forbidden | Auth failed or ACL blocked
http.response.code == 404 | Not Found | Dir busting / path fuzzing
http.response.code == 405 | Method Not Allowed | Method probe — recon
http.response.code == 429 | Too Many Requests | Rate limit triggered
http.response.code == 500 | Server Error | App crash — injection payload hit
http.response.code == 503 | Service Unavailable | DoS / overload condition

Scanning / Fuzzing Signature Patterns
http.response.code == 404 && ip.dst == <scanner> | Dir-busting (gobuster/ffuf)
http.response.code in {200 301 302} | Scan hits — valid paths found
http.response.code == 500 && http.request.method == "POST" | POST crash — injection probe
http.response.code >= 400 && ip.src == <host> | All client/server errors from host
HTTP Header Analysis
Request Header Field Filters

User-Agent Fingerprinting (T1071.001)
http.user_agent contains "sqlmap" | SQLmap scanner
http.user_agent contains "nikto" | Nikto web scanner
http.user_agent contains "nmap" | Nmap script engine
http.user_agent contains "Metasploit" | Metasploit module
http.user_agent contains "hydra" | Hydra brute force tool
http.user_agent contains "masscan" | Masscan scanner
http.user_agent contains "dirbuster" | DirBuster path scanner
http.user_agent contains "gobuster" | Gobuster scanner
http.user_agent contains "wfuzz" | WFuzz fuzzer
http.user_agent contains "python-requests" | Scripted automation
http.user_agent contains "curl" | curl — tooling / recon
http.user_agent contains "wget" | wget — staged download
http.user_agent == "" | Empty UA — automated
!(http.user_agent contains "Mozilla") && !(http.user_agent contains "Chrome") | Non-browser traffic
http.user_agent matches "[Bb]ot|[Ss]canner|[Cc]rawler" | Generic bot pattern

Host & Origin Headers
http.host contains "127.0.0.1" | Loopback in Host (SSRF probe)
http.host contains "169.254.169.254" | AWS metadata SSRF
http.host != http.request.uri | Host/URL mismatch (routing attack)
http.referer contains "javascript:" | JS in Referer (XSS probe)
http.x_forwarded_for contains "127.0.0.1" | IP spoofing in X-Forwarded-For
http.origin contains "null" | Null origin (CSRF / CORS bypass)

Suspicious Custom Headers
http contains "X-Forwarded-For: 127" | Internal IP injection
http contains "X-Custom-IP-Authorization" | Auth bypass header attempt
http contains "X-Original-URL" | URL override (Nginx bypass)
http contains "X-Rewrite-URL" | URL rewrite abuse
http contains "X-Api-Key:" | API key in header — capture
http contains "Authorization: Bearer" | JWT / OAuth token
HTTP Credential Extraction (T1552)

HTTP Basic Authentication
HTTP Basic Auth sends base64(user:password) in the Authorization header — fully readable in cleartext. No decryption needed.
http.authorization | Any Authorization header
http.authbasic | Basic auth credentials (decoded by the dissector)
http.authorization contains "Basic" | Basic auth header present
http.www_authenticate contains "Basic" | Server requesting basic auth
http.www_authenticate contains "Digest" | Digest auth challenge

Form-Based Login Capture (T1078)
http.request.method == "POST" && http contains "password" | Plaintext password in POST
http.request.method == "POST" && http contains "passwd" | passwd field in POST
http.request.method == "POST" && http contains "pwd=" | pwd= field
http.request.method == "POST" && http contains "username=" | username field in POST
http.request.method == "POST" && http contains "email=" | email login field
http.file_data contains "password" | Password in raw file data

Token & API Key Capture
http.authorization contains "Bearer" | JWT / OAuth Bearer token
http.cookie contains "session" | Session cookie value
http.cookie contains "token" | Auth token in cookie
http.cookie contains "PHPSESSID" | PHP session ID
http.cookie contains "JSESSIONID" | Java EE session ID
http.cookie contains "ASP.NET_SessionId" | ASP.NET session
http.request.uri contains "api_key=" | API key in URL (bad practice)
http.request.uri contains "access_token=" | OAuth token in URL
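The Basic and Bearer rows above capture the raw Authorization value; turning that into something an analyst can put in a report takes a little care (base64 padding stripped by some clients, a colon inside the password, a JWT whose signature is empty). The following is an added Python example, not code from the original cheat sheet, that post-processes constructed rows in the layout of a tshark `-T fields -e ip.src -e http.host -e http.authorization -E separator='|'` export. The sample values and the JWT it builds are hypothetical, and the JWT decoding only reads header and claims for triage; it does not verify anything.

```python
import base64
import binascii
import json

# Constructed sample rows (hypothetical values, not from a real capture) in the layout of
#   tshark -Y http.authorization -T fields -e ip.src -e http.host -e http.authorization -E separator='|'
def _unsigned_jwt(header, claims):
    """Build a JWT with an empty signature; constructed test data only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."

SAMPLE_JWT = _unsigned_jwt({"alg": "none", "typ": "JWT"}, {"sub": "bob", "admin": True})
SAMPLE_ROWS = [
    "10.0.0.5|intranet.example|Basic YWxpY2U6czNjcjN0OnBhc3M=",   # alice : s3cr3t:pass
    "10.0.0.5|intranet.example|Basic !!not-base64!!",
    "10.0.0.9|api.example|Bearer " + SAMPLE_JWT,
    "10.0.0.9|api.example|Bearer opaque-token-123",
]

def _b64_decode(seg, urlsafe=False):
    seg = seg + "=" * (-len(seg) % 4)          # restore padding some clients strip
    if urlsafe:
        return base64.urlsafe_b64decode(seg)
    return base64.b64decode(seg, validate=True)

def parse_basic(param):
    """Decode base64(user:password); split on the FIRST colon, passwords may contain ':'."""
    try:
        text = _b64_decode(param).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return {"scheme": "basic", "error": "undecodable base64"}
    user, sep, password = text.partition(":")
    if not sep:
        return {"scheme": "basic", "error": "no user:password separator"}
    # Keep the secret out of the written report; the analyst has the pcap if needed.
    return {"scheme": "basic", "user": user, "password": password,
            "report": f"{user}:<redacted {len(password)} chars>"}

def parse_bearer(token):
    """Decode JWT header and claims WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"scheme": "bearer", "jwt": None, "report": "opaque token"}
    try:
        header = json.loads(_b64_decode(parts[0], urlsafe=True))
        claims = json.loads(_b64_decode(parts[1], urlsafe=True))
    except (binascii.Error, ValueError):
        return {"scheme": "bearer", "jwt": None, "report": "opaque token"}
    unsigned = parts[2] == "" or str(header.get("alg", "")).lower() == "none"
    return {"scheme": "bearer", "jwt": {"header": header, "claims": claims},
            "unsigned": unsigned,
            "report": f"jwt sub={claims.get('sub')} alg={header.get('alg')}"}

def parse_authorization(value):
    scheme, _, param = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return parse_basic(param.strip())
    if scheme == "bearer":
        return parse_bearer(param.strip())
    return {"scheme": scheme, "report": "unhandled scheme"}

def triage(rows):
    """One finding per export row: source, host, and the parsed Authorization value."""
    findings = []
    for row in rows:
        src, host, auth = row.split("|", 2)
        findings.append({"src": src, "host": host, **parse_authorization(auth)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f["src"], f["host"], f.get("report") or f.get("error"))
```

An `alg` of `none` or an empty signature segment on a token the server accepted is itself a finding, which is why the Bearer branch records `unsigned` separately from the claims.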
Brute Force & Credential Stuffing Detection
Brute Force Indicators (T1110.001, T1110.003)

Login Failure Patterns
http.response.code == 401 && ip.src == <attacker> | Repeated auth failures
http.response.code == 403 && ip.src == <attacker> | Access denied — rate limited
http.response.code == 401 && http.request.uri contains "login" | Failed login endpoint
http.request.method == "POST" && http.request.uri contains "login" && ip.src == <ip> | POST login flood from one IP
http.authorization && http.response.code == 401 | Basic auth retry loop

Password Spray Signatures (T1110.003)
Spray pattern: same password, many usernames, from one source. A ratio of 401/403 responses to total requests above 80% is a strong indicator. Use a tshark statistics run (for example -z http,tree) to measure it.
http.request.method == "POST" && http.file_data contains "password=Password1" | Common spray password
http.request.method == "POST" && http.file_data contains "password=Welcome1" | Common spray password
http.request.method == "POST" && http.file_data contains "password=Summer" | Seasonal spray pattern

Tool Signatures
http.user_agent contains "hydra" | Hydra password tool
http.user_agent contains "Medusa" | Medusa brute force tool
http.user_agent contains "Burp" | Burp Suite intruder
http.user_agent contains "ZAP" | OWASP ZAP scanner
http.request.method == "POST" && tcp.len < 100 && ip.src == <ip> | Tiny repeated POSTs (form brute)

OWA / Microsoft 365 Targeted
http.request.uri contains "/owa/auth" && http.request.method == "POST" | OWA login endpoint
http.request.uri contains "/autodiscover" | Exchange autodiscover (auth recon)
http.request.uri contains "/EWS/Exchange.asmx" | Exchange Web Services endpoint
http.request.uri contains "/Microsoft-Server-ActiveSync" | ActiveSync auth endpoint
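The spray description above gives two measurable signals: the 401/403 failure ratio per source and the shape of the credentials tried (one password against many usernames, versus many passwords against one username). This added Python example, which is not from the original cheat sheet, computes both over constructed rows of the form src|uri|response code|POST body. It assumes each login request has already been joined with the code of its response (tshark emits them as separate frames), and the thresholds SPRAY_MIN_USERS and BRUTE_MIN_PASSWORDS are assumptions to tune per environment.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed rows (hypothetical): src|uri|response code|POST body, each login POST
# already joined with its response code (the join is assumed done upstream).
SAMPLE = [
    # one source, one password, eight different usernames -> spray
    *(f"10.0.0.7|/login|401|username=user{i}&password=Welcome1" for i in range(7)),
    "10.0.0.7|/login|200|username=user7&password=Welcome1",
    # one source, one username, three passwords -> classic brute force
    "10.0.0.8|/login|401|username=admin&password=admin",
    "10.0.0.8|/login|401|username=admin&password=Password1",
    "10.0.0.8|/login|200|username=admin&password=Summer2024",
    # ordinary user
    "10.0.0.3|/login|200|username=carol&password=correct-horse",
]

FAILURE_CODES = {401, 403}
FAILURE_RATIO = 0.8       # the page's ">80% failures" indicator
SPRAY_MIN_USERS = 5       # assumed: one password tried against at least this many users
BRUTE_MIN_PASSWORDS = 3   # assumed: one user tried with at least this many passwords

def classify_logins(rows):
    """Per source IP: failure ratio and whether the credential pattern looks like spray or brute force."""
    per_src = defaultdict(lambda: {"total": 0, "failed": 0,
                                   "users_per_password": defaultdict(set),
                                   "passwords_per_user": defaultdict(set)})
    for row in rows:
        src, uri, code, body = row.split("|", 3)
        if "login" not in uri:
            continue
        st = per_src[src]
        st["total"] += 1
        if int(code) in FAILURE_CODES:
            st["failed"] += 1
        form = parse_qs(body, keep_blank_values=True)
        user = form.get("username", [""])[0]
        pw = form.get("password", [""])[0]
        st["users_per_password"][pw].add(user)
        st["passwords_per_user"][user].add(pw)

    report = {}
    for src, st in per_src.items():
        ratio = st["failed"] / st["total"]
        max_users = max(len(u) for u in st["users_per_password"].values())
        max_pws = max(len(p) for p in st["passwords_per_user"].values())
        if max_users >= SPRAY_MIN_USERS:
            pattern = "password spray"
        elif max_pws >= BRUTE_MIN_PASSWORDS:
            pattern = "brute force"
        else:
            pattern = "normal"
        report[src] = {"requests": st["total"], "failure_ratio": round(ratio, 3),
                       "high_failure_ratio": ratio > FAILURE_RATIO, "pattern": pattern}
    return report

if __name__ == "__main__":
    for src, r in classify_logins(SAMPLE).items():
        print(src, r)
```

Note that the brute-force source in the sample never crosses the 80% failure threshold (two failures in three attempts), so the credential-shape check catches what the ratio alone would miss; the two signals are reported separately for that reason.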
Directory Busting & Fuzzing Detection (T1595)

Directory Scanning Patterns
Indicators: sequential 404s from one IP, static User-Agent across all requests, uniform request timing, sequential URI incrementing.
http.response.code == 404 && ip.src == <scanner> | 404 flood — path guessing
http.request.method == "GET" && ip.src == <ip> | All GET requests from scanner
http.request.uri contains "." | Extension probing in path

Tool-Specific URI Patterns
http.request.uri contains "FUZZ" | wfuzz placeholder in URI
http.request.uri contains "/.well-known" | ACME / discovery endpoint
http.request.uri contains "/.htaccess" | .htaccess probe
http.request.uri contains "/.htpasswd" | .htpasswd credential probe
http.request.uri matches ".*(test|debug|dev|staging|old)\." | Dev environment probing
http.request.uri contains "robots.txt" | robots.txt read (recon)
http.request.uri contains "sitemap" | Sitemap read (path enumeration)

Parameter Fuzzing Indicators
http.request.uri contains "?id=" | ID parameter probe
http.request.uri matches "\?[a-z]+=\d{1,6}$" | IDOR sequential enumeration
http.response.code == 500 && ip.src == <fuzzer> | Server crash = injection hit
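The four scanning indicators listed above (404 flood, static User-Agent, uniform timing, sequential URIs) are each a single statistic over one source's requests, so they can be scored together. This is an added Python example rather than code from the original page; it reads constructed rows in the layout frame.time_epoch|ip.src|http.request.uri|http.user_agent|response code (request joined with its response code, assumed done upstream) and the thresholds MIN_REQUESTS, TIMING_CV_MAX and NOT_FOUND_SHARE are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed rows (hypothetical): frame.time_epoch|ip.src|http.request.uri|http.user_agent|code
SAMPLE = "".join(
    f"{100.0 + i * 0.05:.3f}|10.0.0.66|/backup{i}.zip|constructed-scanner/1.0|404\n"
    for i in range(20)
) + (
    "100.100|10.0.0.12|/index.html|Mozilla/5.0 (constructed)|200\n"
    "103.400|10.0.0.12|/static/app.js|Mozilla/5.0 (constructed)|200\n"
    "109.950|10.0.0.12|/api/v1/me|Mozilla/5.0 (constructed)|401\n"
)

MIN_REQUESTS = 10         # assumed: below this, timing and UA statistics are meaningless
TIMING_CV_MAX = 0.10      # assumed: coefficient of variation of inter-request gaps
NOT_FOUND_SHARE = 0.5     # assumed: share of 404 responses that counts as path guessing
_TRAILING_INT = re.compile(r"(\d+)\D*$")   # numeric suffix such as /backup17.zip -> 17

def score_sources(text):
    """Return, per source IP, the four indicator flags and their sum as a score."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        t, src, uri, ua, code = line.split("|", 4)
        by_src[src].append((float(t), uri, ua, int(code)))

    report = {}
    for src, reqs in by_src.items():
        reqs.sort()
        n = len(reqs)
        enough = n >= MIN_REQUESTS
        flags = {}
        flags["not_found_flood"] = enough and sum(1 for r in reqs if r[3] == 404) / n >= NOT_FOUND_SHARE
        flags["static_user_agent"] = enough and len({r[2] for r in reqs}) == 1
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        if enough and statistics.fmean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.fmean(gaps)
            flags["uniform_timing"] = cv < TIMING_CV_MAX
        else:
            flags["uniform_timing"] = False
        nums = [m.group(1) for m in (_TRAILING_INT.search(r[1]) for r in reqs) if m]
        steps = [int(b) - int(a) for a, b in zip(nums, nums[1:])]
        flags["sequential_uri"] = len(steps) >= 5 and steps.count(1) / len(steps) >= 0.5
        report[src] = {"requests": n, **flags, "score": sum(flags.values())}
    return report

if __name__ == "__main__":
    for src, r in score_sources(SAMPLE).items():
        print(src, r)
```

Wordlist-driven scanners do not produce numeric sequences, so on real data the sequential-URI flag will usually stay off while the other three fire; treat the score as a ranking aid, not a verdict.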
SQL Injection Detection — T1190 / OWASP A03
SQL Injection — URI & Query String (T1190)

Classic SQL Metacharacters in URI
http.request.uri contains "'" | Single quote — SQL delimiter
http.request.uri contains "--" | SQL comment (-- or #)
http.request.uri contains ";" | Statement terminator
http.request.uri contains "/*" | Inline comment delimiter
http.request.uri contains "xp_cmdshell" | MSSQL OS command exec
http.request.uri contains "UNION SELECT" | UNION-based extraction
http.request.uri contains "UNION ALL SELECT" | UNION ALL extraction
http.request.uri contains "OR 1=1" | Boolean bypass (classic)
http.request.uri contains "' OR '1'='1" | Auth bypass pattern
http.request.uri matches ".*(%27|%22|%3B).*" | URL-encoded SQL chars

Advanced SQLi Patterns
http.request.uri contains "SLEEP(" | Time-based blind SQLi
http.request.uri contains "WAITFOR DELAY" | MSSQL time-based blind
http.request.uri contains "BENCHMARK(" | MySQL time-based blind
http.request.uri contains "pg_sleep" | PostgreSQL time-based blind
http.request.uri contains "INFORMATION_SCHEMA" | Schema enumeration
http.request.uri contains "sys.tables" | MSSQL table enumeration
http.request.uri contains "@@version" | DB version fingerprint
http.request.uri contains "database()" | MySQL current database
http.request.uri contains "user()" | MySQL current user
http.request.uri contains "LOAD_FILE(" | MySQL file read
http.request.uri contains "INTO OUTFILE" | MySQL file write (webshell)

SQLmap Specific Signatures
http.user_agent contains "sqlmap" | sqlmap default UA
http.request.uri contains "AND SLEEP" | sqlmap time-based probe
http.request.uri matches ".*(\)|\(|AND|OR).*SELECT.*" | Boolean SQLi pattern
SQL Injection — POST Body & Encoded Payloads

POST Body SQL Injection
http.file_data contains "' OR" | OR injection in body
http.file_data contains "UNION SELECT" | UNION inject in body
http.file_data contains "SLEEP(" | Time-based in body
http.file_data contains "xp_cmdshell" | MSSQL RCE in body
http.file_data contains "1=1" | Always-true condition
http.file_data contains "DROP TABLE" | Destructive SQL
http.file_data contains "INSERT INTO" | Data injection attempt

URL-Encoded SQLi (Bypass Filters)
http.request.uri matches ".*%27.*" | %27 = single quote
http.request.uri matches ".*%3B.*" | %3B = semicolon
http.request.uri matches ".*%2D%2D.*" | %2D%2D = -- comment
http.request.uri matches ".*%55%4E%49%4F%4E.*" | %55%4E%49%4F%4E = UNION
http.request.uri matches ".*0x[0-9a-fA-F]{4,}.*" | Hex-encoded payload

Error Response Signatures (SQLi Confirmed)
Server error messages in responses confirm vulnerable injection points. These appear in response bodies.
http contains "SQL syntax" | MySQL syntax error leaked
http contains "Unclosed quotation mark" | MSSQL error leaked
http contains "ORA-01756" | Oracle DB error leaked
http contains "pg_query()" | PostgreSQL error leaked
http contains "Microsoft OLE DB" | MSSQL OLE DB error
http contains "Warning: mysql_" | Old MySQL warning disclosed
Cross-Site Scripting (XSS) Detection — OWASP A03
XSS in URI & Parameters

Script Tag Variants
http.request.uri contains "<script" | Raw script tag in URL
http.request.uri matches ".*%3Cscript.*" | %3C = < (encoded)
http.request.uri contains "javascript:" | JS protocol in URL
http.request.uri contains "vbscript:" | VBScript protocol
http.request.uri contains "onload=" | Event handler attribute
http.request.uri contains "onerror=" | onerror handler (img XSS)
http.request.uri contains "onclick=" | onclick event injection
http.request.uri contains "onmouseover=" | Mouse event handler
http.request.uri contains "alert(" | XSS PoC alert() probe
http.request.uri contains "confirm(" | XSS confirm() variant
http.request.uri contains "document.cookie" | Cookie theft payload
http.request.uri contains "document.location" | Redirect payload

DOM XSS & Encoded Variants
http.request.uri contains "eval(" | eval() execution
http.request.uri contains "fromCharCode" | String.fromCharCode evasion
http.request.uri contains "&lt;" | HTML entity encoded <
http.request.uri contains "&#60;" | Decimal entity encoded <
http.request.uri matches ".*%3Cscript%3E.*" | URL-encoded <script> tag
http.file_data contains "<script" | Script tag in POST body
http.file_data contains "alert(" | Alert in POST body
Command Injection & Code Execution (T1059)

OS Command Injection in URI
http.request.uri contains ";" | Command chaining
http.request.uri contains "|" | Pipe — command chaining
http.request.uri contains "&&" | && command chain
http.request.uri contains "`" | Backtick — subshell exec
http.request.uri contains "$(" | Subshell exec: $(command)
http.request.uri contains "/bin/sh" | Direct shell reference
http.request.uri contains "/bin/bash" | Bash shell reference
http.request.uri contains "cmd.exe" | Windows command shell
http.request.uri contains "powershell" | PowerShell execution
http.request.uri contains "wget http" | Download via injected wget
http.request.uri contains "curl http" | Download via injected curl

Web Shell Patterns (T1505.003)
http.request.uri matches ".*\.(php|asp|aspx|jsp)\?.*cmd=" | Webshell cmd parameter
http.request.uri contains "?cmd=" | cmd webshell parameter
http.request.uri contains "?exec=" | exec webshell parameter
http.request.uri contains "?c=" | Short cmd parameter
http.file_data contains "system(" | PHP system() in body
http.file_data contains "exec(" | exec() function call
http.file_data contains "passthru(" | PHP passthru() call
http.file_data contains "shell_exec(" | PHP shell_exec() call
Path Traversal, LFI/RFI, XXE & SSRF
Path Traversal & LFI/RFI (T1083)

Directory Traversal Patterns
http.request.uri contains "../" | Classic traversal
http.request.uri contains "..%2F" | URL-encoded traversal
http.request.uri contains "..%5C" | Windows encoded traversal
http.request.uri contains "..\\" | Windows path traversal
http.request.uri contains "%2e%2e%2f" | Encoded-dot traversal
http.request.uri contains "..../" | Filter bypass: ..../ → ../
http.request.uri contains "%252e%252e" | Double URL-encoded dots

LFI Target Files
http.request.uri contains "/etc/passwd" | Unix user list
http.request.uri contains "/etc/shadow" | Unix password hashes
http.request.uri contains "/proc/self/environ" | Process environment (log poison)
http.request.uri contains "/var/log/apache" | Apache log (log poisoning)
http.request.uri contains "C:\\Windows\\win.ini" | Windows LFI target
http.request.uri contains "C:\\Windows\\System32\\drivers\\etc\\hosts" | Windows hosts file
http.request.uri contains "/boot.ini" | Windows boot config

RFI — Remote File Inclusion
http.request.uri contains "?file=http://" | Remote file via HTTP
http.request.uri contains "?page=http://" | Remote page inclusion
http.request.uri contains "?include=ftp://" | Remote file via FTP
http.request.uri contains "php://input" | PHP stream wrapper
http.request.uri contains "php://filter" | PHP filter wrapper (file read)
http.request.uri contains "data://text" | Data URI wrapper
http.request.uri contains "expect://" | PHP expect RCE wrapper
XXE & SSRF Detection (T1190)

XXE — XML External Entity (OWASP A05)
XXE payloads are usually in POST bodies (XML or multipart). Match on http.file_data or http.content_type.
http.file_data contains "<!DOCTYPE" | DOCTYPE declaration — XXE setup
http.file_data contains "<!ENTITY" | External entity definition
http.file_data contains "SYSTEM" | SYSTEM keyword — file/URI ref
http.file_data contains "file:///" | File URI in XML (LFI via XXE)
http.file_data contains "http://<attacker>" | OOB XXE callback
http.content_type contains "text/xml" && http.request.method == "POST" | XML POST — inspect for XXE
http.content_type contains "application/xml" && http.request.method == "POST" | XML API call

SSRF — Server-Side Request Forgery (OWASP A10)
http.request.uri contains "169.254.169.254" | AWS EC2 metadata service
http.request.uri contains "metadata.google.internal" | GCP metadata endpoint
http.request.uri contains "169.254.170.2" | AWS ECS metadata
http.request.uri contains "127.0.0.1" | Localhost SSRF redirect
http.request.uri contains "0.0.0.0" | All-interface SSRF
http.request.uri matches ".*@127\.0\.0\.1.*" | URL auth bypass to localhost
http.request.uri contains "burpcollaborator.net" | OOB SSRF via Burp Collaborator
http.request.uri contains "interact.sh" | OOB SSRF via interactsh
http.request.uri contains "file://" | Local file via SSRF
http.request.uri contains "dict://" | DICT protocol SSRF
http.request.uri contains "gopher://" | Gopher — Redis/Memcached SSRF
OWASP Top 10 — Complete Attack Coverage
A01 Broken Access Control (T1078)
http.request.uri matches "\?id=\d+" && ip.src == <ip> | IDOR sequential probe
http.request.uri contains "/admin" && http.response.code == 200 | Unauthorized admin access
http.request.uri contains "../../" | Directory traversal
http.request.method in {"PUT" "DELETE"} && http.response.code == 200 | Modify/delete without auth
http.response.code == 200 && http.request.uri contains "/api/users" | Unrestricted API access

A02 Cryptographic Failures (T1557)
http && tcp.dstport == 80 | Plaintext HTTP traffic
http.authorization contains "Basic" | Basic auth over HTTP
http.set_cookie && !(http.set_cookie matches "(?i)secure") | Session cookie without Secure flag
tls.handshake.version == 0x0301 | TLS 1.0 in handshake (check the ServerHello) — weak encryption
http.request.method == "POST" && tcp.dstport == 80 | Cleartext credential submission

A03 Injection (T1190)
http.request.uri contains "UNION SELECT" | SQL injection
http.request.uri contains "<script" | XSS injection
http.request.uri contains "|" | OS command injection
http.file_data contains "<!ENTITY" | XXE injection
http.request.uri contains "ldap://" | LDAP injection
http.request.uri contains "${jndi:" | Log4Shell JNDI inject

A04 Insecure Design (T1592)
http.request.uri contains "/debug" | Debug endpoint exposed
http.request.uri contains "/test" | Test endpoint in production
http.response.code == 200 && http contains "stack trace" | Stack trace in response
http contains "Exception in thread" | Java exception leaked
http contains "undefined variable" | PHP error disclosure

A05 Security Misconfiguration (T1083)
http.response.code == 200 && http.request.uri == "/" | Default page served
http.server contains "Apache/2.4" | Version disclosure in header
http.request.uri contains "/server-status" | Apache mod_status exposed
http.request.uri contains "/.git/config" | Git config exposed
http contains "X-Powered-By:" | Framework version disclosure
http.request.uri contains "phpinfo" | phpinfo() page exposed

A06 Vulnerable Components (T1190)
http.request.uri contains "${jndi:ldap://" | Log4Shell (CVE-2021-44228)
http.request.uri contains "${jndi:rmi://" | Log4Shell RMI variant
http.request.uri contains "/actuator/env" | Spring Boot env endpoint
http.request.uri contains "/actuator/heapdump" | Spring heap dump exposure
http.request.uri contains "struts2" | Apache Struts probe
http.user_agent contains "CVE-" | PoC exploit tool UA

A07 Auth Failures (T1110)
http.response.code == 401 && ip.src == <ip> | Repeated auth failures
http.cookie contains "session=" && http.request.uri contains "/admin" | Session token probing
http.request.uri contains "?token=null" | Null token probe
http.request.uri contains "reset_token" | Password reset token reuse
http.request.uri contains "remember_token" | Persistent token abuse

A08 Software & Data Integrity (T1195)
http.content_type contains "application/x-java-serialized" | Java deserialization payload
http.file_data matches ".*rO0AB.*" | Base64 Java serial magic bytes
http.request.uri contains "viewstate=" | ASP.NET ViewState (deserialization)
http.content_type contains "application/x-www-form-urlencoded" && http.file_data contains "__VIEWSTATE" | ViewState manipulation

A09 Security Logging Failures (T1562)
http.request.uri contains "/logs" | Log file access attempt
http.request.uri contains "access.log" | Web access log access
http.request.uri contains "error.log" | Error log access
http contains "%0a" && http contains "%0d" | CRLF injection (log forging)
http.request.uri contains "%0a" | Newline injection in log

A10 SSRF (T1190)
http.request.uri contains "169.254.169.254" | Cloud metadata SSRF
http.request.uri contains "?url=http" | URL parameter SSRF
http.request.uri contains "?dest=http" | Redirect destination SSRF
http.request.uri contains "?redirect=http" | Redirect SSRF
http.request.uri contains "?next=http" | Next-page SSRF
http.request.uri contains "?proxy=http" | Proxy SSRF parameter
Payload Encoding & Obfuscation Detection
Encoding & Obfuscation Patterns

URL Encoding Evasion
http.request.uri matches ".*%[0-9a-fA-F]{2}.*" | Any URL-encoded char
http.request.uri contains "%2527" | Double-encoded single quote
http.request.uri contains "%252e%252e" | Double-encoded .. (traversal)
http.request.uri contains "%00" | Null byte injection
http.request.uri contains "%0a" | Newline (CRLF/log inject)
http.request.uri contains "%0d%0a" | CRLF injection

Log4Shell / JNDI Injection (CVE-2021-44228)
Log4Shell appears in any HTTP header or field that gets logged. Check User-Agent, Referer, X-Forwarded-For, and POST bodies — not just the URI.
http contains "${jndi:ldap://" | Log4Shell LDAP lookup
http contains "${jndi:rmi://" | Log4Shell RMI lookup
http contains "${jndi:dns://" | Log4Shell DNS OOB probe
http contains "${${::-j}${::-n}${::-d}${::-i}:" | Nested lookup bypass
http contains "${${lower:j}ndi:" | Lower case bypass
http.user_agent contains "${jndi:" | Log4Shell in User-Agent
http.referer contains "${jndi:" | Log4Shell in Referer
Unicode & Character Set Bypasses
http.request.uri contains "/" | Unicode slash (U+2F)
http.request.uri contains "%c0%af" | Overlong UTF-8 / (Tomcat)
http.request.uri contains "%e0%80%af" | 3-byte overlong /
http.request.uri contains "%ef%bc%8f" | Full-width slash bypass
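The URL-encoded SQLi filters earlier on this page, the URL Encoding Evasion rows and the overlong/full-width slash rows above all describe the same problem from different angles: a signature applied to the raw URI misses a payload that was encoded once more, or encoded with a non-canonical byte sequence. The usual defensive answer is to normalize first and match second. The following added Python example, not from the original cheat sheet, does that for constructed URIs: it percent-decodes on raw bytes up to three rounds (so double encoding is undone without re-encoding anything), decodes UTF-8 permissively so overlong `%c0%af` and `%e0%80%af` become `/`, and applies NFKC folding so the full-width slash becomes ASCII, before running a few of the page's signatures.

```python
import re
import unicodedata

# Constructed request URIs (hypothetical) as they would appear in an http.request.uri export.
SAMPLE_URIS = [
    "/index.html?x=1",
    "/img?f=..%252f..%252fetc%252fpasswd",        # double URL-encoded traversal
    "/dl?f=..%c0%af..%c0%afetc/passwd",            # overlong 2-byte UTF-8 slash
    "/a?f=..%ef%bc%8fetc",                         # full-width slash U+FF0F
    "/s?q=%25%32%37%20OR%201%3D1",                 # double-encoded single quote
    "/file%00.jpg",                                # null byte
]

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def percent_decode_bytes(data, max_rounds=3):
    """Decode %xx repeatedly (double/triple encoding) on raw bytes, never re-encoding."""
    for _ in range(max_rounds):
        new = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        if new == data:
            break
        data = new
    return data

def decode_utf8_permissive(data):
    """UTF-8 decoding that also accepts overlong forms (%c0%af, %e0%80%af -> '/')."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 0, b
        elif 0xC0 <= b <= 0xDF:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            n, cp = 3, b & 0x07
        else:                                      # stray continuation / invalid lead byte
            out.append("\ufffd"); i += 1; continue
        tail = data[i + 1:i + 1 + n]
        if len(tail) != n or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + n
    return "".join(out)

SIGNATURES = [
    ("path traversal", re.compile(r"\.\./|\.\.\\")),
    ("sql metacharacter", re.compile(r"'|--|/\*")),
    ("script tag", re.compile(r"<script", re.IGNORECASE)),
    ("null byte", re.compile("\x00")),
]

def normalize_uri(uri):
    raw = percent_decode_bytes(uri.encode("utf-8"))
    text = decode_utf8_permissive(raw)
    return unicodedata.normalize("NFKC", text)    # folds full-width forms to ASCII

def inspect_uri(uri):
    """Return (normalized URI, list of signature labels that match after normalization)."""
    norm = normalize_uri(uri)
    return norm, [label for label, rx in SIGNATURES if rx.search(norm)]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(u, "->", inspect_uri(u))
```

Decoding is done on bytes rather than with `urllib.parse.unquote`, because a str round-trip would re-encode the overlong byte `0xC0` as valid UTF-8 and the second decoding round would then no longer see the original sequence.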
Spring4Shell, Deserialization & Modern CVE Patterns

Spring4Shell / Spring RCE (CVE-2022-22965)
http.request.uri contains "class.module.classLoader" | Spring4Shell payload
http.file_data contains "class.module.classLoader" | Spring4Shell in POST body
http.request.uri contains "class.classLoader" | Spring ClassLoader access

Java Deserialization
http.file_data matches ".*rO0ABX.*" | Java serial object (base64)
http.file_data contains "ysoserial" | ysoserial gadget chain
http.content_type contains "application/x-java-serialized-object" | Java serial content-type
http.content_type contains "application/x-java-marshalled-object" | Java marshalled object

PHP Object Injection
http.file_data contains "O:4:\"Evil\"" | PHP serialized object
http.file_data matches ".*O:[0-9]+:\".*\":.*" | PHP serialized object pattern
http.request.uri contains "unserialize(" | PHP unserialize in URL

Template Injection (SSTI) (T1059)
http.request.uri contains "{{7*7}}" | Twig/Jinja SSTI probe
http.request.uri contains "{{config}}" | Flask/Jinja config dump
http.request.uri contains "${7*7}" | FreeMarker/Thymeleaf SSTI
http.request.uri contains "#{7*7}" | Expression language injection
http.request.uri contains "<%= 7*7 %>" | ERB template injection
Cookies, Sessions & CSRF
Cookie & Session Analysis

Session Cookie Capture
http.cookie | All requests with cookies
http.set_cookie | Server setting a cookie
http.cookie contains "PHPSESSID" | PHP session token
http.cookie contains "JSESSIONID" | Java session token
http.cookie contains "session" | Generic session cookie
http.cookie contains "auth" | Auth cookie
http.cookie contains "jwt" | JWT token in cookie
http.cookie contains "token=" | Token in cookie

Cookie Security Flag Analysis
Cookie attribute names are case-insensitive, so match them with a case-insensitive regex on the Set-Cookie value.
http.set_cookie && !(http.set_cookie matches "(?i)httponly") | Cookie missing HttpOnly
http.set_cookie && !(http.set_cookie matches "(?i)secure") | Cookie missing Secure flag
http.set_cookie && !(http.set_cookie matches "(?i)samesite") | Missing SameSite (CSRF risk)
http.set_cookie matches "(?i)path=/(;|$)" | Cookie scoped to whole domain

Session Hijacking Indicators
http.cookie contains "PHPSESSID" && ip.src == <attacker> | Replayed session token
http.cookie && http.response.code == 403 | Invalid session attempt
http.request.uri contains "?session_id=" | Session ID in URL (fixation)
http.request.uri contains "?PHPSESSID=" | PHP session fixation
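The flag filters above answer "is the attribute present" one flag at a time; in a review you usually want all findings for each Set-Cookie value at once, with the case-insensitive attribute handling and the SameSite=None-requires-Secure rule applied. This added Python example, not code from the original page, audits constructed Set-Cookie values as exported with `-e http.set_cookie`; the session-name heuristic and the severity labels are assumptions.

```python
import re

# Constructed Set-Cookie header values (hypothetical), as exported with -e http.set_cookie.
SAMPLE_SET_COOKIES = [
    "PHPSESSID=abc123; Path=/",
    "sid=f00; Path=/app; Secure; HttpOnly; SameSite=Strict",
    "token=xyz; SameSite=None; HttpOnly; Path=/",
    "theme=dark; Path=/; Max-Age=31536000",
]

# Assumed heuristic for "this cookie probably carries a session or credential".
_SESSION_NAMES = re.compile(r"sess|sid|token|auth|jwt", re.IGNORECASE)

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name, attrs

def audit_set_cookie(header):
    """Return the cookie name, whether it looks session-like, the findings and a severity."""
    name, attrs = parse_set_cookie(header)
    session_like = _SESSION_NAMES.search(name) is not None
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")   # browsers reject this combination
    if attrs.get("path") == "/":
        findings.append("Path=/ (whole site)")
    # Missing flags on a preference cookie are informational; on a session cookie they matter.
    severity = "high" if session_like and findings else ("low" if findings else "none")
    return {"name": name, "session_like": session_like, "findings": findings, "severity": severity}

if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIES:
        print(audit_set_cookie(h))
```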
File Upload Abuse & Content-Type Attacks (T1105)

File Upload Detection
http.content_type contains "multipart/form-data" | File upload form
http.request.method == "POST" && http.content_type contains "multipart" | Multipart POST upload
http.file_data contains "Content-Disposition: form-data" | Form field in multipart
http.file_data contains "filename=" | Filename in upload

Malicious Extension in Upload
http.file_data contains "filename=\"shell.php\"" | PHP webshell upload
http.file_data matches ".*filename=\".*\.(php|asp|aspx|jsp|jspx).*\"" | Server-side exec extensions
http.file_data matches "filename=\"[^\"]*\.[a-z]+\.php\"" | Double extension bypass (.jpg.php)
http.file_data contains "filename=\".htaccess\"" | .htaccess upload (exec bypass)

MIME Type & Content-Type Mismatches
http.content_type contains "application/octet-stream" | Binary blob — inspect content
http.content_type contains "image/jpeg" && http.file_data contains "<?php" | PHP in JPEG (polyglot)
http.content_type contains "text/plain" && http.file_data contains "<script" | XSS payload in text/plain
http.response.code == 200 && http.request.uri matches ".*\.(php|asp)$" | Server executed uploaded file

Magic Byte Verification Bypass
Attackers prepend valid magic bytes (e.g. JPEG FF D8 FF) before a PHP payload to bypass file type checks. Use byte-slice filters on the HTTP body to detect; a slice of frame[] would test the Ethernet header, not the upload. For multipart uploads the file bytes sit after the part headers, so a contains match on the body is needed instead of a slice at offset 0.
http.file_data[0:4] == ff:d8:ff:e0 | JPEG magic bytes
http.file_data[0:4] == 89:50:4e:47 | PNG magic bytes
http.file_data[0:4] == 47:49:46:38 | GIF magic bytes (GIF87a/GIF89a)
http.file_data[0:2] == 50:4b | ZIP / Office (PK) magic bytes
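A display filter can flag one signature at a time, but confirming an upload abuse means comparing three things per file part: the declared Content-Type, the extension in `filename=`, and what the leading bytes actually are. This added Python example, not code from the original cheat sheet, parses a constructed multipart/form-data body (the layout `--export-objects` or `http.file_data` would give you), sniffs the magic bytes listed above, and reports executable extensions, declared/actual mismatches and image/PHP polyglots. The boundary, filenames and part contents are all constructed; the PHP part only echoes a string.

```python
import re

MAGIC = {  # leading bytes -> media type the bytes actually indicate
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"PK\x03\x04": "application/zip",
}
EXEC_EXTENSIONS = {"php", "phtml", "asp", "aspx", "jsp", "jspx"}
_FILENAME = re.compile(r'filename="([^"]*)"')

def parse_multipart(body, boundary):
    """Yield (headers, data) for each part of a multipart/form-data body."""
    delimiter = b"--" + boundary.encode()
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):             # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.strip().split(b"\r\n"):
            key, _, val = line.decode("latin-1").partition(":")
            headers[key.strip().lower()] = val.strip()
        yield headers, data

def sniff(data):
    """Media type implied by the magic bytes, or None if no known signature matches."""
    return next((t for sig, t in MAGIC.items() if data.startswith(sig)), None)

def audit_upload(body, boundary):
    report = []
    for headers, data in parse_multipart(body, boundary):
        m = _FILENAME.search(headers.get("content-disposition", ""))
        if not m:
            continue                            # ordinary form field, not a file
        fname = m.group(1)
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        declared = headers.get("content-type", "").split(";")[0].strip().lower()
        sniffed = sniff(data)
        flags = []
        if ext in EXEC_EXTENSIONS:
            flags.append("server-executable extension")
        if declared in MAGIC.values() and sniffed is None:
            flags.append(f"declared {declared} but no matching magic bytes")
        elif sniffed and declared and sniffed != declared:
            flags.append(f"declared {declared} but content is {sniffed}")
        if sniffed and b"<?php" in data:
            flags.append("polyglot: PHP tag behind valid image magic")
        report.append({"filename": fname, "declared": declared, "sniffed": sniffed, "flags": flags})
    return report

# Constructed upload body (hypothetical). The PHP part is harmless: it only echoes a string.
BOUNDARY = "----ConstructedBoundary"

def _part(field, filename, ctype, data):
    return (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"{field}\"; "
            f"filename=\"{filename}\"\r\nContent-Type: {ctype}\r\n\r\n").encode() + data + b"\r\n"

SAMPLE_BODY = (
    _part("avatar", "avatar.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    + _part("avatar", "shell.php", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF<?php echo 'constructed'; ?>")
    + _part("doc", "evil.png", "image/png", b"GIF89a\x01\x00\x01\x00")
    + _part("doc", "notes.txt", "text/plain", b"plain text, no magic")
    + f"--{BOUNDARY}--\r\n".encode()
)

if __name__ == "__main__":
    for entry in audit_upload(SAMPLE_BODY, BOUNDARY):
        print(entry)
```

Text types carry no magic, so a part declared `text/plain` with unrecognised leading bytes is not flagged; only a declared type that has a known signature is held to it.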
HTTP/2 Protocol Filters
HTTP/2 Frame & Stream Filters

HTTP/2 Frame Types
Filter | Type | Purpose
http2.type == 0 | DATA | Request/response body payload
http2.type == 1 | HEADERS | Header block — contains method, path, status
http2.type == 2 | PRIORITY | Stream dependency & weight
http2.type == 3 | RST_STREAM | Terminate stream immediately
http2.type == 4 | SETTINGS | Connection parameters
http2.type == 6 | PING | Keepalive / latency probe
http2.type == 7 | GOAWAY | Graceful shutdown — error context
http2.type == 8 | WINDOW_UPDATE | Flow control adjustment
http2.type == 9 | CONTINUATION | Header block fragment

Stream & Connection Filters
http2.streamid == 1 | First HTTP/2 stream
http2.streamid > 0 && http2.type == 0 | All DATA frames
http2.type == 3 | RST_STREAM — aborted requests
http2.rst_stream.error != 0 || http2.goaway.error != 0 | All HTTP/2 error frames
http2.rst_stream.error == 0x1 | PROTOCOL_ERROR
http2.rst_stream.error == 0xb | ENHANCE_YOUR_CALM (rate limited)
http2.length > 16384 | Oversized frame (attack indicator)
HTTP/2 Header & Pseudo-Header Filters

HTTP/2 Pseudo-Headers (in HEADERS frames)
HTTP/2 uses pseudo-headers (prefixed with :) instead of the HTTP/1.1 request line. These appear in HPACK-compressed HEADERS frames.
http2.header.name == ":method" | HTTP method pseudo-header
http2.header.name == ":path" | Request path
http2.header.name == ":authority" | Host (equiv to HTTP/1 Host:)
http2.header.name == ":status" | Response status code
http2.header.value contains "POST" | POST method in H2
http2.header.value contains "/admin" | Admin path in H2

HTTP/2 Attack Surfaces
http2.header.value contains "'" | SQL quote in H2 header value
http2.header.value contains "${jndi:" | Log4Shell in H2 header
http2.header.value contains "../" | Path traversal in H2
http2.type == 1 && http2.header.value contains "<script" | XSS in H2 header
http2 && http2.length == 0 && http2.type == 0 | Empty DATA frame (beacon)

HTTP/2 DoS / Protocol Abuse
http2.type == 6 && ip.src == <attacker> | PING flood
http2.type == 3 && ip.src == <attacker> | RST flood (Rapid Reset CVE-2023-44487)
http2.type == 1 && ip.src == <attacker> | HEADERS flood
CVE-2023-44487 (HTTP/2 Rapid Reset): Look for a high rate of HEADERS frames immediately followed by RST_STREAM from a single source — often hundreds per second.
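The Rapid Reset description above is a pairing condition (HEADERS then RST_STREAM on the same stream, quickly) plus a rate, which a plain `http2.type == 3` count does not capture: a busy but legitimate client also cancels streams. This added Python example, not code from the original page, scores constructed frame records in the layout of `tshark -Y http2 -T fields -e frame.time_epoch -e ip.src -e http2.streamid -e http2.type`; the gap and rate thresholds are assumptions, and the page's "hundreds per second" is the basis for the default of 100.

```python
from collections import defaultdict

# Frame types as carried in http2.type
HEADERS, RST_STREAM = 1, 3

# Constructed HTTP/2 frame records (hypothetical) in the layout of
#   tshark -Y http2 -T fields -e frame.time_epoch -e ip.src -e http2.streamid -e http2.type
# Client-initiated streams use odd IDs.
def _constructed_frames():
    frames = []
    for i in range(300):                      # 300 streams opened and reset within one second
        t = 50.0 + i / 300
        frames.append((t, "10.0.0.99", 2 * i + 1, HEADERS))
        frames.append((t + 0.001, "10.0.0.99", 2 * i + 1, RST_STREAM))
    for i in range(10):                       # ordinary client: slow requests, one late cancel
        frames.append((60.0 + i * 0.3, "10.0.0.12", 2 * i + 1, HEADERS))
    frames.append((60.0 + 2 * 0.3 + 2.5, "10.0.0.12", 5, RST_STREAM))
    return frames

SAMPLE_FRAMES = _constructed_frames()

def rapid_reset_report(frames, max_gap=0.05, per_second_threshold=100):
    """Count HEADERS cancelled by RST_STREAM on the same stream within max_gap seconds,
    per source, and report the peak number of such cancellations in any one-second window."""
    opened = {}                               # (src, stream) -> time HEADERS was seen
    quick_resets = defaultdict(list)          # src -> times of fast cancellations
    for t, src, sid, ftype in sorted(frames):
        key = (src, sid)
        if ftype == HEADERS:
            opened.setdefault(key, t)         # keep the first HEADERS time (CONTINUATION etc. ignored)
        elif ftype == RST_STREAM and key in opened:
            if t - opened.pop(key) <= max_gap:
                quick_resets[src].append(t)
    report = {}
    for src, times in quick_resets.items():
        peak, j = 0, 0
        for i, t in enumerate(times):         # sliding one-second window over sorted times
            while t - times[j] > 1.0:
                j += 1
            peak = max(peak, i - j + 1)
        report[src] = {"quick_resets": len(times), "peak_per_second": peak,
                       "rapid_reset": peak >= per_second_threshold}
    return report

if __name__ == "__main__":
    for src, r in rapid_reset_report(SAMPLE_FRAMES).items():
        print(src, r)
```

Only sources with at least one fast cancellation appear in the report; the ordinary client in the sample cancels a stream 2.5 s after opening it and is therefore absent rather than reported with a zero.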
TShark — HTTP Forensic Extraction Pipelines
TShark — HTTP Request & Auth Extraction

All HTTP Requests — Method, Host, URI, User-Agent
tshark -r cap.pcap -Y "http.request" \
  -T fields -e frame.time -e ip.src -e http.request.method \
  -e http.host -e http.request.uri -e http.user_agent \
  -E header=y -E separator='|' | tee http_requests.csv

All POST Bodies (Credentials, Form Data)
tshark -r cap.pcap -Y "http.request.method==POST" \
  -T fields -e frame.time -e ip.src -e http.host \
  -e http.request.uri -e http.file_data \
  -E separator='|'

Extract HTTP Basic Auth Credentials
tshark -r cap.pcap -Y "http.authbasic" \
  -T fields -e ip.src -e http.host -e http.authbasic \
  -E header=y -E separator='|'

Extract All Cookies
tshark -r cap.pcap -Y "http.cookie" \
  -T fields -e frame.time -e ip.src -e http.host \
  -e http.request.uri -e http.cookie \
  -E separator='|' | sort -u

All Authorization Headers (Bearer / API Keys)
tshark -r cap.pcap -Y "http.authorization" \
  -T fields -e frame.time -e ip.src -e http.host -e http.authorization \
  -E separator='|'

Unique User-Agent Strings (Tool Fingerprint)
tshark -r cap.pcap -Y "http.request" \
  -T fields -e ip.src -e http.user_agent \
  | sort | uniq -c | sort -rn

HTTP Response Code Summary
tshark -r cap.pcap -Y "http.response" \
  -T fields -e http.response.code \
  | sort | uniq -c | sort -rn

Export All HTTP Objects (Files, Images, Scripts)
tshark -r cap.pcap -q --export-objects http,/tmp/http_objects/
# Then scan with:
find /tmp/http_objects/ -type f | xargs file
find /tmp/http_objects/ -type f \( -name "*.php" -o -name "*.exe" -o -name "*.ps1" \)
TShark — Attack Detection & IOC Extraction

Detect SQL Injection Attempts in URIs
tshark -r cap.pcap -Y "http.request" \
  -T fields -e ip.src -e http.host -e http.request.uri \
  | grep -iE "(union|select|sleep|waitfor|benchmark|xp_cmdshell|'|%27|--)"

Detect XSS Payloads in Requests
tshark -r cap.pcap -Y "http.request" \
  -T fields -e ip.src -e http.request.uri -e http.file_data \
  | grep -iE "(<script|javascript:|onerror=|onload=|alert\(|document\.cookie)"

Detect Log4Shell Probes Across All Headers
tshark -r cap.pcap -Y "http" \
  -T fields -e frame.time -e ip.src \
  -e http.user_agent -e http.referer -e http.file_data \
  | grep -iE '\$\{jndi:'

Detect Path Traversal Attempts
tshark -r cap.pcap -Y "http.request" \
  -T fields -e ip.src -e http.request.uri \
  | grep -E "(\.\.\/|\.\.\\\\|%2e%2e|%252e%252e|%c0%af)"

Brute Force — Count 401/403 by Source IP
# The frames matched are responses, so ip.dst is the client that sent the requests.
tshark -r cap.pcap \
  -Y "http.response.code==401 || http.response.code==403" \
  -T fields -e ip.dst \
  | sort | uniq -c | sort -rn | head -20

Directory Scanning — Count 404s by Source IP
tshark -r cap.pcap -Y "http.response.code==404" \
  -T fields -e ip.dst \
  | sort | uniq -c | sort -rn | head -20

SSRF — Outbound Requests to Cloud Metadata IPs
# metadata.google.internal only resolves inside GCP, so match it on the Host header rather than ip.dst.
tshark -r cap.pcap -Y 'ip.dst==169.254.169.254 || http.host=="metadata.google.internal"' \
  -T fields -e frame.time -e ip.src -e ip.dst -e http.host -e http.request.uri

Extract All Uploaded Filenames
tshark -r cap.pcap \
  -Y "http.request.method==POST && http.content_type contains multipart" \
  -T fields -e ip.src -e http.host -e http.file_data \
  | grep -oE 'filename="[^"]+"'
HTTP / HTTP2 Deep-Dive — Supplement to Wireshark DFIR Cheat Sheet  —  OWASP Top 10 + MITRE ATT&CK Mapped  —  TekGenX Consulting BV