# Network Forensics with Wireshark

### IP Filters

```
ip.addr == 192.168.1.1 : Specific IP & Packets sent to or from a specific IP address
ip.src == 192.168.1.1  : Source IP & Only packets sent by this address
ip.dst == 192.168.1.1  : Destination IP & Only packets sent to this address
```

### Port-Based Filters

```
tcp.port == 80      : HTTP Traffic (Port 80) & Often used to identify cleartext web traffic
tcp.port == 443     : HTTPS Traffic (Port 443) & Useful for tracking encrypted web traffic
udp.port == 53      : DNS Traffic (Port 53) & DNS queries and responses, often abused for DNS tunneling
tcp.dstport == 3333 : Specific Destination Port & Matches the destination port only, not the source port
```

### Protocol-Specific Filters

```
dns : DNS Traffic & Track domain name resolutions

dns.qry.name contains ".onion" || dns.qry.name contains "suspiciousdomain" : Suspicious Domain Lookups & Look for uncommon or unusually long domain names, which can indicate DNS tunneling

http || tls : HTTP and HTTPS & Monitor both HTTP and HTTPS traffic

ftp : FTP Traffic & Often used by attackers for data exfiltration
ftp.request.command == "STOR" || ftp.request.command == "RETR" : FTP File Transfers & Detect uploads (STOR) and downloads (RETR)

icmp : ICMP Traffic & Useful for identifying ping sweeps or DoS attacks
icmp.type == 8 : ICMP Echo Requests & Pings only, without the replies

smb || smb2 : SMB Traffic & Capture all SMB communications; SMB is often used by attackers for lateral movement
smb.cmd == 0x2e : SMB File Access & Track read requests on SMB shares (SMB1 Read AndX)

kerberos : Kerberos Traffic & Filter for all Kerberos authentication traffic

ldap : LDAP Traffic & Capture LDAP protocol traffic
```
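The "uncommon or long domain names" hint above is easier to apply in bulk than by eye. The following is an added example (not from the original notes): it scores query names, as you would export them with `dns.qry.name`, for the usual tunneling tells: a `.onion` TLD, a very long label, a very long full name, and a high-entropy host part. The sample names and all thresholds are constructed assumptions, not Wireshark defaults.

```python
import math
from collections import Counter

# Constructed sample query names (not from a real capture). The first two are
# ordinary lookups; the others resemble Tor or DNS-tunnelling lookups.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "3xampl3.onion",
    "e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1."
    "9f8e7d6c5b4a39281706f5e4d3c2b1a0.t.tunnel-test.invalid",
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-test.invalid",
]

def shannon_entropy(text):
    """Bits per character; encoded data scores close to its alphabet's maximum."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dns_indicators(qname, max_label=40, max_total=80, min_entropy=3.5):
    """Heuristic flags for one query name. The thresholds are assumptions, not
    Wireshark settings; tune them against your own baseline traffic."""
    labels = qname.lower().rstrip(".").split(".")
    longest = max(len(label) for label in labels)
    # Entropy is measured over the host part only, approximated as every label
    # left of the last two, so the registered domain does not skew the score.
    host_part = "".join(labels[:-2]) if len(labels) > 2 else ""
    entropy = shannon_entropy(host_part) if len(host_part) >= 8 else 0.0
    return {
        "onion": labels[-1] == "onion",          # dns.qry.name contains ".onion"
        "long_label": longest > max_label,       # single label near the 63-byte limit
        "long_name": len(qname) > max_total,     # very long names carry encoded data
        "high_entropy": entropy >= min_entropy,  # hex/base64-looking host part
    }

def flag_queries(qnames):
    """Map each suspicious name to the list of indicators it tripped."""
    flagged = {}
    for qname in qnames:
        hits = [name for name, hit in dns_indicators(qname).items() if hit]
        if hits:
            flagged[qname] = hits
    return flagged

if __name__ == "__main__":
    for qname, hits in flag_queries(SAMPLE_QUERIES).items():
        print(f"{qname}: {', '.join(hits)}")
```

Note that the short hex-labelled name trips only the entropy check, which is why a length filter alone misses low-volume tunnels.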

### Malicious Traffic Indicators

```
http.request.method == "POST" || http.request.method == "PUT" : Suspicious HTTP Requests & Methods that send data to the server; review for uploads and exfiltration

http.host contains "malicious-domain.com" || ip.addr == <ip> : Known Malicious Domains or IPs & Check against known threat indicators

ssl.handshake && !ssl.data : TLS Handshake with No Data Transfer & Possible indicator of C2 communication (ssl is the legacy name of the tls dissector)

tcp contains "<string>" : Search TCP Segments & Grep for a string such as a file name or pattern anywhere in the TCP header or payload
tcp.payload contains "<string>" : Search TCP Payload & The same search, restricted to the payload bytes

tcp.analysis.retransmission || tcp.analysis.out_of_order : Retransmitted or Out-of-Order Segments & May indicate interference with a stream, but ordinary packet loss triggers these too
```

### Filters for ARP Poisoning

```
arp : All ARP Traffic
arp.opcode == 1 : ARP Requests
arp.opcode == 2 : ARP Replies
arp.src.proto_ipv4 == arp.dst.proto_ipv4 : Gratuitous ARP & Sender and target IP are the same; frequently seen during ARP poisoning
arp.src.proto_ipv4 == 192.168.1.1 && arp.hw.src == 00:11:22:33:44:55 : Specific IP-to-MAC Mapping & Confirm a known host (e.g. the gateway) is answering with its real MAC
arp.duplicate-address-frame : Duplicate IP Address & Wireshark's expert flag for an IP claimed by more than one MAC, a classic poisoning sign
eth.dst == ff:ff:ff:ff:ff:ff && arp : Broadcast ARP & High volumes indicate scanning or an ARP broadcast storm
```
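The duplicate-address and gratuitous-ARP filters above each show one packet at a time; the added example below (not from the original notes) replays a list of ARP records, as `tshark -T fields` would export them, the way a host's ARP cache would see them, and reports IP-to-MAC conflicts, gratuitous frames and reply volume per MAC. The records, MACs and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed tshark-style ARP records (not from a real capture). Each tuple is
# (time_s, arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4, arp.dst.proto_ipv4).
# 192.168.1.1 is the gateway (00:11:22:33:44:55); from t=5.0 a second MAC
# (00:aa:bb:cc:dd:ee) starts answering for the gateway's address.
SAMPLE_ARP = [
    (0.00, 1, "00:11:22:33:44:55", "192.168.1.1", "192.168.1.50"),
    (0.01, 2, "66:77:88:99:aa:bb", "192.168.1.50", "192.168.1.1"),
    (0.02, 1, "66:77:88:99:aa:bb", "192.168.1.50", "192.168.1.1"),
    (0.03, 2, "00:11:22:33:44:55", "192.168.1.1", "192.168.1.50"),
    (5.00, 2, "00:aa:bb:cc:dd:ee", "192.168.1.1", "192.168.1.50"),
    (5.01, 2, "00:aa:bb:cc:dd:ee", "192.168.1.1", "192.168.1.50"),
    (5.02, 2, "00:aa:bb:cc:dd:ee", "192.168.1.1", "192.168.1.50"),
    (5.03, 2, "00:aa:bb:cc:dd:ee", "192.168.1.1", "192.168.1.1"),  # gratuitous
]

def analyse_arp(records):
    """Replay the records as a host's ARP cache would see them and report
    IP-to-MAC conflicts, gratuitous ARP and reply volume per MAC."""
    bindings = {}      # ip -> first MAC seen claiming it
    conflicts = []     # (time, ip, first_mac, conflicting_mac)
    gratuitous = []    # (time, mac, ip) where sender IP == target IP
    replies = Counter()
    for t, opcode, mac, src_ip, dst_ip in records:
        if src_ip == dst_ip:   # arp.src.proto_ipv4 == arp.dst.proto_ipv4
            gratuitous.append((t, mac, src_ip))
        # Every ARP packet carries a sender binding, so requests teach us too.
        first = bindings.setdefault(src_ip, mac)
        if first != mac:       # the condition arp.duplicate-address-frame flags
            conflicts.append((t, src_ip, first, mac))
        if opcode == 2:        # arp.opcode == 2
            replies[mac] += 1
    return {"bindings": bindings, "conflicts": conflicts,
            "gratuitous": gratuitous, "replies": dict(replies)}

def suspect_macs(result, max_replies=3):
    """MACs that both conflict with an earlier binding and reply unusually often.
    First-seen wins here, so a spoofer that appears before the real host would
    not be caught; corroborate with the known gateway MAC when you have it."""
    conflicting = {c[3] for c in result["conflicts"]}
    return sorted(m for m, n in result["replies"].items()
                  if m in conflicting and n >= max_replies)
```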

### Buffer Overflow in Network Traffic

```
tcp.len > 1000 : Large TCP Payloads & Buffer overflow exploits often involve large payloads
http.request.uri.length > 200 : Unusually Long URIs & Oversized request paths are a common overflow vector
ftp.request.command : All FTP Commands & Review for malformed or oversized commands
ftp.request.command contains "RETR" : FTP Downloads
ftp.request.command matches ".{200,}" : FTP Commands of 200+ Characters & Regex match on the command text
icmp && frame.len > 1500 : Oversized ICMP Packets & Malicious payloads may be carried in oversized ICMP packets
tcp contains "\x90\x90\x90\x90" : NOP Sled (0x90) in Payload & Common shellcode padding; search for it in TCP payloads
```

### Analyzing Payloads and Content

```
http contains "password" : Search for Specific Content in HTTP & Look for keywords such as "password" in HTTP payloads

frame contains "Basic " : HTTP Basic Authentication Header & Credentials are Base64 encoded; Base64 blobs are also common in data exfiltration

http.content_type contains "application/x-msdownload" : Track Suspicious Downloads & Monitor file downloads, particularly Windows executables

http.request.uri contains "../" || http.request.uri contains "UNION" : SQL Injection or Directory Traversal & Look for traversal sequences and SQL keywords in request URIs

http.user_agent contains "MaliciousAgent" : Suspicious User-Agent Strings & Custom or rare User-Agents may indicate malware

http.body contains "powershell" : PowerShell in HTTP Bodies
http.body contains ".bat" : Batch Files in HTTP Bodies

http.request.uri != "/example1" : Exclude a Known-Good URI

mime_type == "application/zip" : ZIP Content
```

### Searching for a Specific File

```
http.content_disposition contains "attachment;filename=" : HTTP File Attachments
http.request.uri contains ".exe" || http.request.uri contains ".zip" : Requests for Executables or Archives
tcp contains "filename" : Any TCP Payload Mentioning a File Name
frame contains "*.exe" : Literal String "*.exe" & contains does not expand wildcards, so this matches the literal text; use the matches operator (see above) for patterns
```

### Detecting Anomalous Connections

```
tcp.analysis.flags && tcp.flags.ack==1 && tcp.stream eq 0 : Long-Lived Connections & Examines analysis-flagged ACKs within one stream; change the tcp.stream number to inspect each persistent connection
tcp.port > 1024 : Unusual Ports & Filter for non-standard ports; note that one side of nearly every connection uses an ephemeral port above 1024, so narrow it by direction or host
```

### Kerberos Traffic

```
kerberos.msg_type == 10 : Kerberos AS-REQ (TGT Requests) & Useful to spot initial authentication
kerberos.msg_type == 12 : Kerberos TGS-REQ (Service Ticket Requests) & Commonly exploited in Kerberoasting

kerberos.error_code : Suspicious Kerberos Errors & Errors may indicate failed attempts or misconfigurations that attackers exploit

kerberos.Ticket.expiry_date < kerberos.Ticket.issue_date : Golden Ticket Attack Indicators & Look for unusual ticket lifetimes or patterns in TGT requests
```
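The TGS-REQ and error_code filters above surface individual packets; what marks a Kerberoasting sweep or a password-guessing run is the count over time. The added example below (not from the original notes) runs two such counts over constructed records shaped like a `tshark -T fields` export: distinct service principals requested by one client inside a time window, and repeated KRB-ERROR responses of one code per client. The principals, windows and thresholds are assumptions; the message-type and error-code numbers are the real RFC 4120 values.

```python
from collections import Counter, defaultdict

# Constructed records modelled on tshark field output (not from a real capture):
# (time_s, kerberos.msg_type, client principal, service principal, error_code).
# Real Kerberos message types: 10 = AS-REQ, 12 = TGS-REQ, 30 = KRB-ERROR;
# error_code 24 is KDC_ERR_PREAUTH_FAILED (wrong password), None otherwise.
SAMPLE_KRB = [
    (0.0, 10, "alice", "krbtgt/CORP.EXAMPLE", None),
    (0.5, 12, "alice", "cifs/fs01.corp.example", None),
    (9.0, 12, "alice", "http/intranet.corp.example", None),
    (60.0, 12, "bob", "MSSQLSvc/db01.corp.example:1433", None),
    (60.1, 12, "bob", "http/app01.corp.example", None),
    (60.2, 12, "bob", "cifs/fs01.corp.example", None),
    (60.3, 12, "bob", "ldap/dc01.corp.example", None),
    (60.4, 12, "bob", "exchange/mail01.corp.example", None),
    (70.0, 30, "eve", "krbtgt/CORP.EXAMPLE", 24),
    (70.1, 30, "eve", "krbtgt/CORP.EXAMPLE", 24),
    (70.2, 30, "eve", "krbtgt/CORP.EXAMPLE", 24),
    (70.3, 30, "eve", "krbtgt/CORP.EXAMPLE", 24),
]

def tgs_fanout(records, window=30.0, min_services=4):
    """Clients that request service tickets for many distinct SPNs inside one
    time window (the shape of a Kerberoasting sweep). Thresholds are assumptions."""
    per_client = defaultdict(list)
    for t, msg_type, cname, sname, _ in records:
        if msg_type == 12:                      # kerberos.msg_type == 12
            per_client[cname].append((t, sname))
    alerts = {}
    for cname, reqs in per_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # distinct service names requested within `window` seconds of t0
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts[cname] = max(alerts.get(cname, 0), len(services))
    return alerts

def preauth_failures(records, code=24, min_count=3):
    """Clients with repeated KRB-ERROR responses carrying one kerberos.error_code."""
    counts = Counter(c for _, m, c, _, e in records if m == 30 and e == code)
    return {c: n for c, n in counts.items() if n >= min_count}
```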

### LDAP Traffic (Active Directory)

```
ldap : LDAP Traffic & Capture LDAP protocol traffic
ldap.filter contains "(objectclass=user)" : Specific LDAP Queries & Check for abnormal queries that might indicate reconnaissance
```
