Contents
  1. Filters
  2. Top 100 Wireshark Filters for Investigating Attacks or Hacker Activity
    1. Basic Traffic Monitoring
    2. Suspicious TCP/UDP Traffic
    3. DNS-Related Activity
    4. HTTP/HTTPS Traffic
    5. FTP/SMB/Other Protocols
    6. Email Traffic (SMTP/POP3/IMAP)
    7. ARP/ICMP/DHCP
    8. VPN/Encrypted Traffic
    9. Indicators of Compromise
    10. File Transfer Protocols
    11. Malformed/Bogus Packets
    12. High Traffic Volume
    13. Others
    General Wireshark Filters

Filters

Search HTTP requests containing the string "UNION"

http.request && http contains "UNION"

Search for SQLi attempts (note that "contains" is a case-sensitive byte match, while "matches" takes a PCRE and "(?i)" makes it case-insensitive)

http.request.uri contains "1=1" or http.request.uri matches "(?i)and%20" or http.request.uri matches "(?i)--"

Database-specific keywords such as "UNION SELECT" or "INFORMATION_SCHEMA"

http.request.uri contains "INFORMATION_SCHEMA"
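An added example (not part of the original cheat sheet) that re-implements the SQLi filters above in Python so they can be run over URIs extracted from a capture, and that shows why matching the raw, percent-encoded URI misses encoded variants. The sample URIs are constructed; tshark is only mentioned as the assumed way to extract http.request.uri values.

```python
# Added example (not part of the original cheat sheet): the SQLi display
# filters above, re-implemented in Python so they can be run over request URIs
# pulled out of a capture (e.g. with tshark -T fields -e http.request.uri).
# It also shows the blind spot of matching the raw URI: Wireshark's `contains`
# and `matches` see the bytes on the wire, so "1%3D1" slips past `contains "1=1"`.
import re
from urllib.parse import unquote

# Same tests as the page's display filters. `contains` is a case-sensitive
# substring test; `matches` is a PCRE, where "(?i)" makes it case-insensitive.
RAW_RULES = {
    'contains "1=1"': lambda uri: "1=1" in uri,
    'matches "(?i)and%20"': lambda uri: re.search(r"(?i)and%20", uri) is not None,
    'matches "(?i)--"': lambda uri: re.search(r"(?i)--", uri) is not None,
    'contains "INFORMATION_SCHEMA"': lambda uri: "INFORMATION_SCHEMA" in uri,
}

# Decoded-form check with the same intent, applied after percent-decoding so
# that encoded equals signs, spaces or quotes cannot hide the payload.
DECODED_RE = re.compile(r"(?i)(1=1|\band\s|--|information_schema|union\s+select)")


def match_raw(uri: str) -> list[str]:
    """Names of the page's raw-URI filters that would flag this URI."""
    return [name for name, rule in RAW_RULES.items() if rule(uri)]


def match_decoded(uri: str) -> bool:
    """True if the percent-decoded URI ('+' treated as space) looks like SQLi."""
    decoded = unquote(uri).replace("+", " ")
    return DECODED_RE.search(decoded) is not None


def triage(uris: list[str]) -> dict[str, dict]:
    """Per URI: which raw filters hit, and whether the decoded check hits."""
    return {u: {"raw": match_raw(u), "decoded": match_decoded(u)} for u in uris}


if __name__ == "__main__":
    # Constructed sample URIs (not taken from any real capture).
    sample = [
        "/products?id=1",
        "/products?id=1%20UNION%20SELECT%20user,pass%20FROM%20users--",
        "/products?id=1%27%20AND%201%3D1--",  # encoded: ' AND 1=1--
        "/search?q=information_schema.tables",
    ]
    for uri, verdict in triage(sample).items():
        print(uri, "raw:", verdict["raw"] or "none", "decoded:", verdict["decoded"])
```

The last sample shows a second blind spot: "contains" is case-sensitive, so lowercase information_schema passes the raw filter but not the decoded check.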

Top 100 Wireshark Filters for Investigating Attacks or Hacker Activity

1. Basic Traffic Monitoring

  • Traffic to/from a specific IP address:
    ip.addr == x.x.x.x
    
  • HTTP traffic on port 80:
    tcp.port == 80
    
  • DNS traffic:
    udp.port == 53
    
  • ICMP (ping) traffic:
    icmp
    
  • TCP traffic:
    ip.proto == 6
    
  • UDP traffic:
    ip.proto == 17
    
  • HTTP requests:
    http.request
    
  • HTTP responses:
    http.response
    

2. Suspicious TCP/UDP Traffic

  • SYN packets (potential scanning activity):
    tcp.flags.syn == 1 and tcp.flags.ack == 0
    
  • FIN scans:
    tcp.flags.fin == 1 and tcp.flags.ack == 0
    
  • Push flag set (might indicate data exfiltration; PSH is set on most application-data segments, so combine it with other criteria):
    tcp.flags.psh == 1
    
  • TCP retransmissions (could indicate DoS or network issues):
    tcp.analysis.retransmission
    
  • Traffic on port 4444 (common for Metasploit):
    tcp.port == 4444
    
  • TFTP traffic (can be used for file transfers in attacks):
    udp.port == 69
    
  • IKE (potential VPN activity):
    udp.port == 500
    
  • NAT-T (VPN traffic):
    udp.port == 4500
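
An added example, not from the original cheat sheet, that turns the SYN filter above into a per-source triage: it assumes tshark is installed for the optional capture step, and the sample rows are constructed.

```python
# Added example (not part of the original cheat sheet): turning the SYN filter
# above into a triage step. A display filter only selects packets; to judge
# whether a host is scanning, aggregate the matches per source. tshark_syn_rows
# shells out to tshark (assumed installed) with the same filter; summarize_syns
# does the counting on plain (src, dst, dstport) rows, so it runs on the sample.
import subprocess
from collections import defaultdict

SYN_FILTER = "tcp.flags.syn == 1 and tcp.flags.ack == 0"  # same as the page


def parse_rows(text: str) -> list[tuple[str, str, int]]:
    """Parse tab-separated tshark -T fields output; skips blank/incomplete lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3 and all(parts):
            rows.append((parts[0], parts[1], int(parts[2])))
    return rows


def tshark_syn_rows(pcap_path: str) -> list[tuple[str, str, int]]:
    """Run tshark with the SYN display filter and return (src, dst, dstport) rows."""
    cmd = ["tshark", "-r", pcap_path, "-Y", SYN_FILTER, "-T", "fields",
           "-e", "ip.src", "-e", "ip.dst", "-e", "tcp.dstport", "-E", "separator=/t"]
    return parse_rows(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


def summarize_syns(rows, port_threshold: int = 20) -> dict[str, dict]:
    """Per source: SYN count, distinct (dst, port) targets, and a scan verdict.
    Many SYNs to many distinct ports with no ACK is the classic port-scan
    signature; port_threshold is the tuning knob for your network."""
    syns, targets = defaultdict(int), defaultdict(set)
    for src, dst, port in rows:
        syns[src] += 1
        targets[src].add((dst, port))
    return {src: {"syns": syns[src], "distinct_targets": len(targets[src]),
                  "suspect": len(targets[src]) >= port_threshold}
            for src in syns}


# Constructed sample in tshark's -T fields layout (not from a real capture):
# 10.0.0.5 probes ports 1-25 on one host, 10.0.0.7 opens two normal connections.
SAMPLE_OUTPUT = "\n".join([f"10.0.0.5\t10.0.0.20\t{p}" for p in range(1, 26)]
                          + ["10.0.0.7\t10.0.0.20\t443", "10.0.0.7\t10.0.0.21\t443", ""])

if __name__ == "__main__":
    for src, info in summarize_syns(parse_rows(SAMPLE_OUTPUT)).items():
        print(src, info)
```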
    

3. DNS-Related Activity

  • DNS query for a specific domain:
    dns.qry.name == "malicious.com"
    
  • A record DNS queries:
    dns.qry.type == 1
    
  • Queries containing suspicious strings:
    dns.qry.name contains "suspicious"
    
  • Responses with TTL set to 0 (can indicate fast-flux DNS):
    dns.resp.ttl == 0
    
  • Queries for a bad domain:
    dns.flags.response == 0 and dns.qry.name == "bad.domain.com"
    
  • Truncated DNS packets (could indicate large payloads):
    dns.flags.truncated == 1
    

4. HTTP/HTTPS Traffic

  • HTTP traffic to/from a specific domain:
    http.host == "malicious.com"
    
  • POST requests (used in data exfiltration):
    http.request.method == "POST"
    
  • Suspicious user agents:
    http.user_agent contains "SuspiciousUserAgent"
    
  • Session cookies:
    http.cookie contains "sessionID"
    
  • TLS client hello (can be useful to identify SSL/TLS versions):
    tls.handshake.type == 1
    
  • Encrypted application data (can indicate hidden data):
    tls.record.content_type == 23
    
  • Possible command injection via URI:
    http.request.uri contains "cmd.exe"
    

5. FTP/SMB/Other Protocols

  • FTP login attempts:
    ftp.request.command == "USER"
    
  • FTP file uploads:
    ftp.request.command == "STOR"
    
  • All SMB traffic (useful for identifying lateral movement):
    smb
    
  • SMB2 session setup, command 1 (potential lateral movement):
    smb2.cmd == 1
    
  • Access to a specific SMB share (backslashes must be escaped inside the quoted string):
    smb2.tree == "\\\\malicious\\share"
    
  • NTLM authentication attempts with specific usernames:
    ntlmssp.auth.username == "admin"
    
  • Kerberos traffic for administrator accounts:
    kerberos.CNameString == "administrator"
    

6. Email Traffic (SMTP/POP3/IMAP)

  • SMTP parameters containing suspicious strings:
    smtp.req.parameter contains "malicious"
    
  • Capturing the data part of an email:
    smtp.req.command == "DATA"
    
  • Email recipient addresses (RCPT commands; the address is in smtp.req.parameter):
    smtp.req.command == "RCPT"
    
  • POP3 login attempts:
    pop.request.command == "USER"
    
  • Specific usernames in POP3:
    pop.request.parameter contains "admin"
    
  • IMAP login attempts:
    imap.request.command == "LOGIN"
    
  • Emails from a specific address (MAIL FROM commands):
    smtp.req.command == "MAIL" and smtp.req.parameter contains "attacker@example.com"
    

7. ARP/ICMP/DHCP

  • Duplicate ARP addresses (potential MITM):
    arp.duplicate-address-frame
    
  • ARP requests from a specific IP:
    arp.src.proto_ipv4 == x.x.x.x
    
  • ICMP Echo Requests (pings):
    icmp.type == 8 and icmp.code == 0
    
  • Destination unreachable (could indicate scanning):
    icmp.type == 3
    
  • DHCP requests for specific IPs:
    dhcp.option.requested_ip_address == x.x.x.x
    
  • All DHCP traffic:
    dhcp
    

8. VPN/Encrypted Traffic

  • IPsec ESP traffic:
    ip.addr == x.x.x.x and ip.proto == 50
    
  • OpenVPN traffic:
    udp.port == 1194
    
  • GRE traffic (potential VPN):
    gre
    
  • SSL/TLS Client Hello:
    ssl.handshake.type == 1
    
  • SSL/TLS SNI field:
    ssl.handshake.extensions_server_name == "vpn.example.com"
    

9. Indicators of Compromise

  • Traffic to/from known bad IPs:
    ip.addr == bad_ip
    
  • HTTP traffic to known malicious domains:
    http.host == "knownmalicious.com"
    
  • Attempts to access WordPress login pages:
    http.request.uri contains "/wp-login.php"
    
  • Accessing potential web shells:
    http.request.uri contains "/shell"
    
  • DNS queries for C2 servers:
    dns.qry.name == "command-and-control.com"
    
  • Suspicious traffic on non-standard ports:
    tcp.port == 1337
    
  • Traffic to/from specific countries (requires MaxMind GeoIP databases configured in Wireshark; ip.geoip.country holds the country name, ip.geoip.country_iso the two-letter code):
    ip.geoip.country_iso == "CN"
    
  • Traffic with low TTL values (potential indication of IP spoofing):
    ip.ttl == 1
    

10. File Transfer Protocols

  • TFTP traffic (often used for transferring files):
    tftp
    
  • FTP data transfer:
    ftp-data
    
  • NFS traffic:
    nfs
    
  • TFTP file transfers with suspicious filenames (TFTP carries the name in the read/write request):
    tftp.source_file contains "malware" or tftp.destination_file contains "malware"
    

11. Malformed/Bogus Packets

  • Malformed IP packets:
    ip.len < 20
    
  • Malformed TCP headers:
    tcp.hdr_len < 20
    
  • Broadcast traffic (often used in network scanning):
    eth.dst == ff:ff:ff:ff:ff:ff
    
  • TCP flags analysis (captures potential anomalies):
    tcp.analysis.flags
    
  • Redirect (could be part of a routing attack):
    icmp.type == 5
    
  • Non-standard DNS response codes:
    dns.flags.rcode != 0
    

12. High Traffic Volume

  • Large packets:
    frame.len > 1000
    
  • Zero window size (potential signs of DoS):
    tcp.window_size == 0
    
  • Traffic to/from specific IPs with large time gaps:
    ip.addr == x.x.x.x and frame.time_delta > 1
    
  • Long TCP streams:
    tcp.stream eq 0 and frame.time_relative > 60
    

13. Others

  • Captures MSS options in TCP (can identify unusual setups):
    tcp.options.mss
    
  • TCP SACK-permitted option present (can identify specific attack vectors; the field is a flag, so test for presence rather than a value):
    tcp.options.sack_perm
    
  • Fragmented IP traffic (often used in evasion techniques):
    ip.frag_offset > 0
    
  • Traffic from specific MAC addresses:
    eth.src == xx:xx:xx:xx:xx:xx
    
  • Traffic to specific MAC addresses:
    eth.dst == xx:xx:xx:xx:xx:xx
    
  • Source country (requires MaxMind GeoIP databases configured in Wireshark; the _iso fields hold two-letter codes):
    ip.geoip.src_country_iso == "RU"
    
  • Destination country (same as above):
    ip.geoip.dst_country_iso == "RU"
    
  • TLSv1.2 traffic:
    ssl.record.version == 0x0303
    
  • TLSv1.0 traffic:
    ssl.record.version == 0x0301
    
  • Specific cipher suites:
    ssl.handshake.ciphersuite == 0xcca9
    
  • TCP SYN/ACK packets:
    tcp.flags.syn == 1 and tcp.flags.ack == 1
    

General Wireshark Filters

  1. Filter by IP Address (Source)
    ip.src == 192.168.1.1
    
  2. Filter by IP Address (Destination)
    ip.dst == 192.168.1.1
    
  3. Filter by Protocol
    tcp
    
  4. Filter by Port (TCP)
    tcp.port == 80
    
  5. Filter by Port (UDP)
    udp.port == 53
    
  6. Filter by Subnet
    ip.addr == 192.168.1.0/24
    
  7. Filter by HTTP Requests
    http.request
    
  8. Filter by DNS Traffic
    dns
    
  9. Filter by ARP Traffic
    arp
    
  10. Filter by ICMP (Ping) Traffic
    icmp
    
  11. Filter by SSL/TLS Traffic
    ssl or tls
    
  12. Filter by DHCP Traffic (the dissector was named bootp before Wireshark 3.0; the old name is still accepted)
    dhcp
    
  13. Filter by TCP SYN Packets
    tcp.flags.syn == 1
    
  14. Filter by TCP SYN-ACK Packets
    tcp.flags == 0x12
    
  15. Filter by TCP FIN Packets
    tcp.flags.fin == 1
    
  16. Filter by Packet Size
    frame.len > 1000
    
  17. Filter by MAC Address (Source)
    eth.src == 00:11:22:33:44:55
    
  18. Filter by MAC Address (Destination)
    eth.dst == 00:11:22:33:44:55
    
  19. Filter by TCP RST Packets
    tcp.flags.rst == 1
    
  20. Filter by TCP Window Size
    tcp.window_size == 0
    
  21. Filter by Packet Containing a String
    frame contains "example"
    
  22. Filter by VLAN ID
    vlan.id == 10
    
  23. Filter by Specific Hostname in DNS
    dns.qry.name == "example.com"
    
  24. Filter by HTTP Response Code
    http.response.code == 200
    
  25. Filter by IP Address Range
    ip.addr >= 192.168.1.1 and ip.addr <= 192.168.1.10
    
  26. Filter by TCP Sequence Number
    tcp.seq == 1000
    
  27. Filter by User-Agent in HTTP
    http.user_agent contains "Mozilla"
    
  28. Filter by TCP Retransmissions
    tcp.analysis.retransmission
    
  29. Filter by TCP Duplicate ACKs
    tcp.analysis.duplicate_ack
    
  30. Filter by ICMP Echo Request
    icmp.type == 8
    
  31. Filter file uploads (multipart form POSTs)
    mime_multipart.type == "multipart/form-data" && http.request.method == "POST"