Wireshark Threat Hunting – From Packets to Indicators

This entry is part 15 of 7 in the series Digital Forensics and Incident Response

Wireshark DFIR Cheat Sheet
Filter Syntax & Operators

Comparison Operators

Symbol    Description         Example
==        Equal               ip.src == 10.0.0.1
!=        Not equal           ip.dst != 8.8.8.8
>         Greater than        tcp.len > 500
<         Less than           dns.qry.name.len < 5
>=        Greater or equal    frame.len >= 1400
contains  Substring match     http.host contains "evil"
matches   Regex match         http.request.uri matches "\.php\?"
in {}     Set membership      tcp.port in {80 443 8080}
[n:m]     Byte slice          frame[0:4] == c0:a8:01:01

Logical Operators & Special Syntax

Symbol  Alt   Meaning
&&      and   Both conditions true
||      or    Either condition true
!       not   Negate the condition
xor     ^^    Exclusive OR
( )           Grouping / precedence

ip.addr matches both src and dst. Use ip.src or ip.dst for direction-aware filters.
!(ip.addr == 10.0.0.1) hides ALL packets involving that IP, including related traffic. Prefer ip.src != x && ip.dst != x for exclusions.

Protocol Keywords

tcp udp icmp icmpv6 dns http http2 tls ssl ftp ftp-data ssh telnet smtp smb smb2 rdp kerberos ldap ntlmssp dcerpc arp nbns dhcp wlan quic nfs

frame contains "password"                              Raw string in any packet
frame.time >= "2024-01-01 00:00:00"                    Filter by time range
frame.number in {1..100}                               Frame range
frame.len > 1400                                       Near-MTU packets
Network & IP Filters

IP / Network Filters

Address Filters
ip.addr == 192.168.1.5                                 Any direction to/from IP
ip.src == 10.10.10.0/24                                CIDR block source
ip.dst == 172.30.1.0/24                                CIDR block destination
ip.src == 10.0.0.1 && ip.dst == 8.8.8.8                Specific conversation
!(ip.addr == 192.168.0.0/16)                           Exclude the 192.168/16 RFC 1918 block

ARP Spoofing Detection
arp.opcode == 2                                        ARP replies only
arp.duplicate-address-detected                         Duplicate IP warning
arp && arp.opcode == 2 && arp.src.proto_ipv4 == 192.168.1.1   Replies claiming the gateway IP; compare sender MACs to spot a spoofed reply

IPv6 & Multicast
ipv6.addr == fe80::/10                                 Link-local IPv6
ip.dst == 224.0.0.0/4                                  IPv4 multicast
ip.dst == 255.255.255.255                              Broadcast

TCP / UDP Analysis

Port Filters
tcp.port == 4444                                       Meterpreter default
tcp.dstport in {80 443 8080 8443}                      Common web ports
tcp.port in {135 139 445}                              SMB/RPC ports

TCP Flag Filters
tcp.flags.syn == 1 && tcp.flags.ack == 0               SYN scan (T1046)
tcp.flags == 0x002                                     SYN only
tcp.flags == 0x029                                     Xmas scan (FIN+PSH+URG)
tcp.flags == 0x001                                     FIN scan
tcp.flags == 0x000                                     NULL scan
tcp.flags == 0x014                                     RST+ACK (port closed)

TCP Anomalies
tcp.analysis.retransmission                            Retransmitted segments
tcp.analysis.duplicate_ack                             Duplicate ACKs
tcp.analysis.zero_window                               Zero window (DoS indicator)
tcp.analysis.out_of_order                              Out-of-order segments
tcp.len > 0 && tcp.flags.push == 1                     Data transfer (PSH)
HTTP / HTTPS & Web Traffic

HTTP Request & Response Analysis

Methods & Status Codes
http.request.method == "POST"                          POST requests (creds, C2 check-in)
http.request.method in {"PUT" "DELETE"}                Unusual HTTP methods
http.response.code == 200                              Successful responses
http.response.code >= 500                              Server errors
http.response.code == 302                              Redirects

URI & Host (T1071.001)
http.host contains ".onion"                            Tor hidden service proxy
http.request.uri matches "\.php\?[a-z]=.*"             C2 shell callback pattern
http.request.uri contains "/wp-admin"                  WordPress admin access
http.request.uri contains "cmd="                       Webshell execution
http.request.uri contains "eval("                      Code injection in URI

User-Agent Anomalies (T1071.001)
http.user_agent contains "python-requests"             Scripted/automated client
http.user_agent contains "curl"                        curl, common in staging
http.user_agent contains "Metasploit"                  Metasploit user agent
http.user_agent == ""                                  Empty user agent
!(http.user_agent contains "Mozilla")                  Non-browser traffic

TLS / HTTPS & Certificate Analysis

Handshake Inspection
tls.handshake.type == 1                                ClientHello
tls.handshake.type == 2                                ServerHello
tls.handshake.type == 11                               Certificate
tls.record.version == 0x0301                           TLS 1.0 record-layer version (legacy/weak)
tls.record.version == 0x0302                           TLS 1.1 record-layer version (deprecated)
Note: a ClientHello is normally sent with record-layer version 0x0301 even when TLS 1.2 or 1.3 is then negotiated, so confirm the negotiated version with tls.handshake.version in the ServerHello before flagging a session as legacy TLS.

SNI & Certificate Fields (T1071.001)
tls.handshake.extensions_server_name contains "evil"   Suspicious SNI domain
tls.handshake.certificate                              Show all certificates
x509sat.uTF8String contains "C2"                       Suspicious cert subject
tls && !tls.handshake.extensions_server_name           TLS without SNI (unusual)

JA3/JA3S Fingerprinting
Use Statistics > Endpoints and tshark -T fields -e tls.handshake.ja3 to extract JA3 hashes. Compare against known malware hashes at ja3er.com or Tria.ge.
tls.handshake.ja3 == "<hash>"                          Match known bad JA3
DNS Tunneling & C2 Detection

DNS Tunneling Detection (T1071.004, T1048.003)

Volume & Length Anomalies
dns.qry.name.len > 50                                  Long hostnames (tunneling)
dns.qry.name.len > 100                                 High-confidence tunneling
dns && frame.len > 512                                 Abnormally large DNS packet
dns && frame.len > 200 && dns.flags.response == 1      Large DNS responses

Record Type Abuse
dns.qry.type == 16                                     TXT queries (dnscat2/iodine)
dns.qry.type == 28                                     AAAA queries (data via IPv6)
dns.qry.type == 255                                    ANY query (recon/amplification)
dns.qry.type == 33                                     SRV record queries
dns.qry.type == 52                                     TLSA record queries

Entropy & Pattern
dns.qry.name matches "^[a-z0-9]{20,}\."                High-entropy subdomain
dns.qry.name contains "dnstunnels.evil"                Known C2 domain
dns && ip.dst != 8.8.8.8 && ip.dst != 1.1.1.1          DNS to resolvers other than 8.8.8.8 / 1.1.1.1
dns.flags.response == 0 && !dns.flags.recdesired       Non-recursive queries (recon)

dnscat2 traffic: look for repeating TXT queries with base32/base64-encoded subdomains under a single parent domain, often at 1-5 second intervals.
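A worked example, added here and not part of the original cheat sheet, that scores the pattern just described: it reads tshark field output (ip.src, dns.qry.name, dns.qry.type, as produced by the Long DNS Queries command later on this page), computes the length and Shannon entropy of the leftmost label, and groups queries by the zone beneath that label. The sample lines and the thresholds are constructed assumptions, not values from the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of tshark output (tab-separated), not a real capture:
#   tshark -r cap.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name -e dns.qry.type
SAMPLE = (
    "10.0.0.5\twww.example.com\t1\n"
    "10.0.0.5\tmail.example.com\t1\n"
    "10.0.0.7\tq7k2m9x1p4z8w3n6v5b2c8f1.tun.example.net\t16\n"
    "10.0.0.7\tz3x9c1v7b5n2m8q4w6e0r1t5.tun.example.net\t16\n"
    "10.0.0.7\ta8s4d2f6g1h9j3k7l5p0o2i4.tun.example.net\t16\n"
    "10.0.0.7\tm5n1b7v3c9x2z8q4w6e0r3t7.tun.example.net\t16\n"
)

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_tunnel_candidates(field_output, min_queries=3, min_entropy=3.5, min_label_len=20):
    """Group queries by the zone under their leftmost label and flag zones that receive
    many long, high-entropy labels (the dnscat2/iodine pattern). Only the leftmost
    label is scored. Returns a list of dicts, busiest zone first."""
    zones = defaultdict(lambda: {"queries": 0, "txt": 0, "entropy": 0.0, "length": 0, "sources": set()})
    for line in field_output.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or "." not in parts[1]:
            continue                      # non-DNS frame or a bare single-label name
        src, qname, qtype = parts[0], parts[1].lower().rstrip("."), parts[2]
        label, zone = qname.split(".", 1)
        z = zones[zone]
        z["queries"] += 1
        z["txt"] += int(qtype == "16")    # dns.qry.type 16 = TXT
        z["entropy"] += shannon_entropy(label)
        z["length"] += len(label)
        z["sources"].add(src)
    findings = []
    for zone, z in zones.items():
        mean_entropy = z["entropy"] / z["queries"]
        mean_len = z["length"] / z["queries"]
        if z["queries"] >= min_queries and mean_entropy >= min_entropy and mean_len >= min_label_len:
            findings.append({"zone": zone, "queries": z["queries"], "txt": z["txt"],
                             "mean_entropy": round(mean_entropy, 2),
                             "mean_label_len": round(mean_len, 1), "sources": sorted(z["sources"])})
    return sorted(findings, key=lambda f: -f["queries"])

if __name__ == "__main__":
    for finding in find_tunnel_candidates(SAMPLE):
        print(finding)
```

Pipe real tshark output into the function (for example via sys.stdin.read()) and tune min_entropy downward if the tunnel uses a base32 alphabet, which caps entropy at 5 bits per character.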

C2 Beaconing & RAT Traffic (T1071, T1572)

Cobalt Strike / Empire
http.request.uri contains "/submit.php" && http.request.method == "POST"   CS default check-in
http.user_agent contains "Mozilla/5.0 (compatible; MSIE 9.0"              CS malleable IE profile
http.request.uri contains "/jquery-3.3.1.min.js"       CS jquery profile
tcp.port == 50050                                      CS default teamserver port

Meterpreter / Metasploit
tcp.port in {4444 4445 8888}                           Default Meterpreter ports
tcp.port == 443 && ip.src == <attacker-ip>             HTTPS reverse shell
ssl && tcp.port == 4433                                Meterpreter SSL session

Beaconing Patterns (T1071)
http && http.request && http.content_length == 0       Request with Content-Length: 0 (empty heartbeat)
tcp && tcp.len == 4                                    Fixed-size beacon tick
http.request.uri matches "\/[a-f0-9]{8,}\/"            GUID in URI path

ICMP Tunneling (T1095)
icmp && data.len > 64                                  Oversized ICMP payload
icmp.type == 8 && frame.len > 100                      Large echo requests
icmp && icmp.type == 8 && icmp.code == 0 && data       ICMP echo with data
Credential Harvesting & Authentication

Credential Capture (T1003, T1110)

Cleartext Protocols
ftp.request.command == "PASS"                          FTP cleartext password
ftp.request.command == "USER"                          FTP username
telnet contains "Password"                             Telnet password prompt
pop.request.command == "PASS"                          POP3 cleartext auth
imap.request contains "LOGIN"                          IMAP cleartext login
http && http.request.method == "POST" && http contains "password"   HTTP form credentials

NTLM / Kerberos (T1550.002)
ntlmssp.auth.username                                  Show all NTLM auth attempts
ntlmssp.auth.domain contains "NORTHBRIDGE"             NTLM for specific domain
kerberos.CNameString                                   Kerberos requesting user
kerberos.error_code == 24                              KDC_ERR_PREAUTH_FAILED (wrong password)
kerberos.error_code == 25                              KDC_ERR_PREAUTH_REQUIRED

Password Spraying / Brute Force (T1110)
kerberos.error_code == 24 && kerberos.CNameString      AS-REQ pre-auth failures, spray indicator
ldap.simple                                            Cleartext LDAP simple bind
ntlmssp.identifier && ntlmssp.messagetype == 3         NTLM AUTHENTICATE messages
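An added example, not from the cheat sheet, that turns the pre-auth failure filter into a spray-versus-brute-force classifier. It assumes tshark output from -Y "kerberos.error_code == 24" -T fields -e ip.dst -e kerberos.CNameString (the KRB-ERROR flows from the DC to the client, so the client that sent the failing AS-REQ is ip.dst); the sample lines and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample of tshark output (tab-separated), not a real capture:
#   tshark -r cap.pcap -Y "kerberos.error_code == 24" -T fields -e ip.dst -e kerberos.CNameString
# KDC_ERR_PREAUTH_FAILED (24) travels DC -> client, so the failing client is ip.dst.
SAMPLE = "\n".join(
    ["10.0.0.7\t" + user for user in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + ["10.0.0.9\tjsmith"] * 12
    + ["10.0.0.12\tmlee"]             # a single mistyped password, expected noise
)

def classify_preauth_failures(field_output, spray_users=5, brute_attempts=10):
    """Per client host, count pre-auth failures and distinct usernames, then label the
    pattern: many users with few attempts each is a password spray (T1110.003); one
    user hit many times is password guessing / brute force (T1110.001).
    Returns {client_ip: {"failures", "distinct_users", "top_user", "verdict"}}."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in field_output.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[1]:
            continue                      # KRB-ERROR without a cname, nothing to count
        failures[parts[0]][parts[1].lower()] += 1
    report = {}
    for client, by_user in failures.items():
        total = sum(by_user.values())
        distinct = len(by_user)
        top_user = max(by_user, key=by_user.get)
        if distinct >= spray_users and total / distinct < 3:
            verdict = "password-spray"
        elif by_user[top_user] >= brute_attempts:
            verdict = "brute-force"
        else:
            verdict = "below-threshold"
        report[client] = {"failures": total, "distinct_users": distinct,
                          "top_user": top_user, "verdict": verdict}
    return report

if __name__ == "__main__":
    for client, summary in sorted(classify_preauth_failures(SAMPLE).items()):
        print(client, summary)
```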

Lateral Movement (T1021, T1570)

RDP & Remote Execution (T1021.001)
tcp.port == 3389                                       RDP traffic
tcp.port in {5985 5986}                                WinRM (PowerShell remoting)
tcp.port == 22                                         SSH lateral movement
tcp.port in {135 593}                                  MSRPC / WMI
dcerpc.pkt_type == 11                                  DCERPC Bind (WMI/DCOM)

PsExec / ADMIN$ Pattern (T1570)
smb2.filename contains "PSEXECSVC"                     PsExec service install
smb2.tree contains "ADMIN$"                            Admin share access (share path is in the TREE_CONNECT)
smb2.tree contains "IPC$"                              IPC$ connection (recon/exec)
smb2.filename contains ".exe"                          Executable written over SMB

Pass-the-Hash / Ticket (T1550.002)
ntlmssp && tcp.port == 445                             NTLM over SMB (PtH indicator)
kerberos && kerberos.msg_type == 13                    TGS-REP (service ticket obtained)
kerberos && tcp.dstport == 88                          Kerberos to DC (TGT request)
Data Exfiltration & SMB / AD Protocols

Data Exfiltration (T1048, T1567)

Large Outbound Transfers
ip.src == 10.10.10.0/24 && tcp.len > 1000              Large packets leaving LAN
http.request.method == "POST" && http.content_length > 5000   Large HTTP POST
ftp-data && ip.dst != <ftp-server>                     FTP data to unknown host

Cloud / Web Exfil (T1567.002)
http.host contains "pastebin.com"                      Pastebin exfil
http.host contains "dropbox.com"                       Dropbox staging
http.host contains "mega.nz"                           Mega.nz exfil
tls && ip.dst == <cloud-ip> && tcp.len > 5000          Encrypted bulk upload

DNS Exfil (T1048.003)
dns && dns.qry.name.len > 60 && dns.flags.response == 0   Long query names carrying encoded data
dns.qry.type == 16 && dns.qry.name.len > 40            TXT with encoded data

Email Exfil (T1048)
smtp && smtp.req.command == "DATA"                     SMTP data send
tcp.port in {25 587 465}                               SMTP outbound ports

SMB2 / Active Directory Protocols

SMB2 Command Codes
smb2.cmd == 0x0000                                     NEGOTIATE
smb2.cmd == 0x0001                                     SESSION_SETUP
smb2.cmd == 0x0003                                     TREE_CONNECT
smb2.cmd == 0x0005                                     CREATE (file open/create)
smb2.cmd == 0x0009                                     WRITE
smb2.cmd == 0x000b                                     IOCTL

Kerberoasting / AS-REP Roasting (T1558.003)
kerberos && kerberos.msg_type == 12                    TGS-REQ (request for service ticket)
kerberos && kerberos.msg_type == 11 && kerberos.encrypted_PA_DATA   AS-REP without pre-auth
kerberos && kerberos.error_code == 25                  KDC_ERR_PREAUTH_REQUIRED

DCSync / LDAP Recon (T1003.006)
ldap && ldap.filter contains "objectClass=*"           LDAP dump all objects
ldap && ldap.filter contains "servicePrincipalName"    SPN enumeration (Kerberoast)
drsuapi                                                DCSync replication traffic
ldap && ldap.filter contains "adminCount=1"            Admin account enumeration
Malware Traffic Patterns

Dropper / Loader Traffic

http.request.uri contains ".exe"                       EXE download over HTTP
http.request.uri contains ".ps1"                       PowerShell script download
http.request.uri matches ".*\.(bin|dat|vbs|hta)$"      Payload file extensions
http.content_type contains "application/octet-stream"  Binary payload delivery
http.response && http.content_type contains "text/plain" && http.content_length > 10000   Large "text" (encoded payload)
smb2.filename matches ".*\.(exe|dll|ps1|bat)"          Exec file over SMB share

Reconnaissance & Discovery (T1046)

tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == <scanner>   Port scan source
icmp && icmp.type == 8                                 Ping sweep
arp && arp.opcode == 1                                 ARP scan (host discovery)
nbns                                                   NetBIOS name queries
mdns                                                   mDNS device discovery
udp.dstport == 161                                     SNMP enumeration
dns && dns.qry.type == 12                              PTR queries (reverse DNS recon)

Ransomware Indicators (T1486)

Ransomware often shows elevated SMB2 WRITE activity across many hosts immediately before encryption.
smb2 && smb2.cmd == 0x0009 && smb2.write_length > 50000   Large SMB writes
smb2.filename matches ".*\.(encrypted|locky|ryuk|cerber)"   Encrypted file extensions
smb2.filename contains "README"                        Ransom note drop
smb2.filename contains "HOW_TO_DECRYPT"                Ransom note variant
http.host matches "(tor2web|onion\.link|onion\.ws)"    Tor gateway contact
TShark CLI Reference

TShark Essential Commands

Capture & Read
tshark -r capture.pcap -Y "display.filter"    # Apply display filter
tshark -i eth0 -w output.pcap                 # Live capture to file
tshark -r file.pcap -c 100                    # First 100 packets only

Field Extraction
tshark -r file.pcap -T fields -e ip.src -e ip.dst -e dns.qry.name -E header=y -E separator=, > out.csv
tshark -r file.pcap -Y "http.request" -T fields -e http.host -e http.request.uri -e http.user_agent
tshark -r file.pcap -Y "dns" -T fields -e dns.qry.name -e dns.qry.type | sort | uniq -c | sort -rn | head -20    # Top DNS queries
tshark -r file.pcap -Y "tls.handshake.type == 1" -T fields -e ip.dst -e tls.handshake.extensions_server_name    # Extract SNI

Statistics (-q suppresses the per-packet output so only the statistics print)
tshark -r file.pcap -q -z io,stat,1         # 1-second I/O intervals
tshark -r file.pcap -q -z conv,tcp          # TCP conversations
tshark -r file.pcap -q -z endpoints,ip      # IP endpoints
tshark -r file.pcap -q -z http,tree         # HTTP protocol tree
tshark -r file.pcap -q -z dns,tree          # DNS query tree

Stream Follow / Export
tshark -r file.pcap -q -z follow,tcp,ascii,0                                  # Follow stream 0
tshark -r file.pcap --export-objects http,/tmp/http_objects/                  # Export HTTP objects
tshark -r file.pcap -Y "smb2.cmd == 5" --export-objects smb,/tmp/smb_files/   # Export SMB files

Wireshark GUI Statistics & Analysis

Protocol Hierarchy: Statistics > Protocol Hierarchy
  Spot unexpected protocols. Compare % share vs baseline.
Conversations: Statistics > Conversations
  Identify top talkers, beaconing hosts, pivot targets.
Endpoints: Statistics > Endpoints
  Map internal vs external IPs. Filter by bytes transferred.
I/O Graph: Statistics > I/O Graph
  Visualise beaconing intervals, data bursts, DoS.
Flow Graph: Statistics > Flow Graph
  Sequence diagram for connection reconstruction.
Expert Info: Analyze > Expert Info
  Automatic anomaly flagging. Errors, warnings, notes.
HTTP Objects: File > Export Objects > HTTP
  Extract all HTTP-transferred files for malware analysis.
SMB Objects: File > Export Objects > SMB
  Extract files transferred over SMB shares.

Stream Analysis
tcp.stream == 0                                        First TCP stream
tcp.stream eq 5                                        TCP stream 5 (use right-click > Follow > TCP Stream)
udp.stream eq 2                                        UDP stream 2
After following a TCP stream, Wireshark auto-applies tcp.stream eq N. Use the stream number to anchor an investigation and export payload bytes via Save As.
Coloring Rules & Keyboard Shortcuts

Coloring Rules for DFIR

Access via View > Coloring Rules. Rules are evaluated top-to-bottom; first match wins. Export/import via .wscolors file.

Colour   Filter                                        Purpose
RED      tcp.flags.syn == 1 && tcp.flags.ack == 0      SYN scan / new connections
AMBER    http && http.request.method == "POST"         POST requests, review
GREEN    dns.qry.name.len > 50                         Long DNS queries, tunneling
BLUE     kerberos || ntlmssp                           Auth traffic, credential focus
PURPLE   smb2 && smb2.cmd == 0x0009                    SMB writes, exfil/ransomware
ORANGE   tcp.analysis.retransmission                   Network issues / interference
PINK     icmp && data.len > 64                         Oversized ICMP (tunneling)
CYAN     tls && tls.record.version == 0x0302           Deprecated TLS, flag for review

Keyboard Shortcuts

Ctrl + F               Find packets
Ctrl + G               Go to packet number
Ctrl + E               Open display filter
Ctrl + R               Reload live capture
Ctrl + K               Start new capture
Ctrl + E               Stop capture
Ctrl + I               Capture interfaces
Ctrl + W               Close capture file
Ctrl + S               Save as PCAP
Ctrl + Z               Undo display filter
Ctrl + T               Time reference packet
Ctrl + Shift + D       Decode As...
Ctrl + Alt + P         Preferences
Alt + →                Next conversation packet
F5                     Refresh / re-filter
Space                  Scroll packet list
Tab                    Next pane focus
Ctrl + L               Colorize conversation

Context Menu (Right-Click)
Apply as Filter > Selected      Quick filter from field
Follow > TCP Stream             Reconstruct session
Copy > Value                    Copy field value
Mark/Unmark Packet              Flag for review
DFIR Triage Workflow

Initial Triage Checklist

1. Protocol Hierarchy Baseline: Statistics > Protocol Hierarchy; flag unexpected protocols (BitTorrent, IRC, TOR).
2. Top Talkers & External Connections: Statistics > Conversations; sort by bytes, identify non-RFC1918 destinations.
3. DNS Anomaly Review: filter dns && dns.qry.name.len > 50; look for base32/hex encoded subdomains.
4. HTTP User-Agent Review: with tshark, extract all unique user-agents and cross-check against baseline.
5. Authentication Traffic: filter kerberos || ntlmssp || ldap; look for failed auth bursts and spray indicators.
6. Lateral Movement Indicators: filter smb2 || tcp.port in {3389 5985}; check for ADMIN$, PSEXECSVC, IPC$.
7. Expert Info Review: Analyze > Expert Info; review all Errors and Warnings before dismissing.
8. Object Extraction: File > Export Objects (HTTP, SMB); submit suspicious files to sandbox/VirusTotal.

IOC Extraction & Hunting Commands

Extract Unique DNS Domains
tshark -r cap.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort -u

Extract All Unique Dest IPs (External Only)
tshark -r cap.pcap -T fields -e ip.dst | grep -vE "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)" | sort | uniq -c | sort -rn

Extract HTTP POST Destinations
tshark -r cap.pcap -Y 'http.request.method == "POST"' -T fields -e ip.dst -e http.host -e http.request.uri

Beaconing Detection (Regularity Check)
tshark -r cap.pcap -Y "ip.dst == <C2-IP>" -T fields -e frame.time_relative | awk 'NR>1{print $1 - prev} {prev=$1}'

Extract TLS SNI Names
tshark -r cap.pcap -Y "tls.handshake.type == 1" -T fields -e ip.dst -e tls.handshake.extensions_server_name | sort -u

Long DNS Queries (Tunneling)
tshark -r cap.pcap -Y "dns && dns.qry.name.len > 50" -T fields -e ip.src -e dns.qry.name -e dns.qry.type

Credentials in HTTP
tshark -r cap.pcap -Y 'http.request.method == "POST"' -T fields -e ip.src -e http.host -e http.file_data | grep -iE "pass|user|login"

NTLM Usernames
tshark -r cap.pcap -Y "ntlmssp.auth.username" -T fields -e ip.src -e ntlmssp.auth.domain -e ntlmssp.auth.username
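An added example, not from the cheat sheet, that generalises the Beaconing Detection one-liner above: instead of needing a known C2 address, it takes tshark output with -e frame.time_relative -e ip.src -e ip.dst, groups connection times by source/destination pair and scores how regular the inter-arrival times are. The sample lines and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample of tshark output (tab-separated), not a real capture:
#   tshark -r cap.pcap -Y "ip.src == 10.0.0.7 && tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#          -T fields -e frame.time_relative -e ip.src -e ip.dst
# One destination is contacted roughly every 60 s; the other at irregular times.
SAMPLE = (
    "0.000000\t10.0.0.7\t203.0.113.10\n"
    "3.200000\t10.0.0.7\t198.51.100.20\n"
    "60.410000\t10.0.0.7\t203.0.113.10\n"
    "75.900000\t10.0.0.7\t198.51.100.20\n"
    "119.870000\t10.0.0.7\t203.0.113.10\n"
    "121.000000\t10.0.0.7\t198.51.100.20\n"
    "180.230000\t10.0.0.7\t203.0.113.10\n"
    "240.050000\t10.0.0.7\t203.0.113.10\n"
    "300.600000\t10.0.0.7\t203.0.113.10\n"
    "410.000000\t10.0.0.7\t198.51.100.20\n"
)

def intervals_by_pair(field_output):
    """Per (src, dst) pair, the gaps between consecutive connection times; the per-pair
    form of the awk one-liner in the IOC section."""
    times = defaultdict(list)
    for line in field_output.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue                      # non-IP frame
        times[(parts[1], parts[2])].append(float(parts[0]))
    return {pair: [b - a for a, b in zip(ts, ts[1:])]
            for pair, ts in times.items() if len(ts) > 1}

def find_beacons(field_output, min_connections=5, max_cv=0.15):
    """Flag pairs whose inter-arrival times cluster tightly: coefficient of variation
    (stdev / mean) at or below max_cv. Implants that add jitter widen the spread, so
    raise max_cv to tolerate it. Returns a list of dicts, most connections first."""
    findings = []
    for (src, dst), deltas in intervals_by_pair(field_output).items():
        connections = len(deltas) + 1
        if connections < min_connections:
            continue
        mean = statistics.mean(deltas)
        cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": connections,
                             "mean_interval_s": round(mean, 2), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: -f["connections"])

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE):
        print(finding)
```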
