Wireshark for Cybersecurity SOC Analysts

Introduction

Wireshark is a powerful GUI network traffic analyzer. It is used by a range of security professionals, including Security Operations Center (SOC) analysts, to monitor, analyze, and detect suspicious network activity. Given its ability to capture and inspect packets in real time, Wireshark is an essential tool for investigating security incidents and understanding network behavior.

If you are a security analyst, this article will help you understand how Wireshark can be used for your role.

What really is Wireshark?

Wireshark is a free, open-source network tool used to capture and analyze network packets in real time, giving granular insight into the protocols in use, the communication patterns, and any potentially malicious activity going on in a network.

As a SOC analyst, your work will involve actively monitoring networks for security threats, and Wireshark can assist you with this.

How Wireshark Works

Wireshark operates by capturing live packets from different network interfaces or by analyzing previously captured PCAP/PCAPNG files to dissect packet structures using different filters.

As a SOC analyst, your role will rarely involve capturing live traffic yourself, as that is often reserved for network admins; quite often, though, the network team will share PCAP files with you when there is a need for it.

To capture with Wireshark, the person doing the capturing must be on the same network that is being investigated and must configure Wireshark to listen for packets on the suspected interfaces.

Key Features for SOC Analysts

  • Packet capture and filtering: This allows SOC analysts to capture data from network interfaces that are actively connected to a network, and to narrow it down to what matters.

  • Protocol analysis: Wireshark can also be used to analyze the protocols involved in a conversation.

  • Deep packet inspection: Advanced users can use it to uncover malicious payloads by observing communication lengths.

  • Flow tracking: To analyze sessions and connections.

Setting Up Wireshark for SOC Analysis

Installation on Windows and Linux

SOC analysts can download Wireshark from its official website and install it on Windows or Linux systems. If you use a Debian-based Linux distribution, type the following in your terminal:

sudo apt update
sudo apt install wireshark -y

Note: The -y flag answers "yes" to the confirmation prompt, so the install runs unattended.

Once the package is installed, type wireshark in the terminal to launch it, or find it in the list of installed applications and open it from there.

The Wireshark interface is the same on all platforms. The only thing that may differ is the list of capture interfaces, and that depends on which interfaces your device has.

Configuring Network Interfaces

Take a look at this image. The blue arrow points to the available network interfaces. Since my computer is connected to Wi-Fi, the Wi-Fi interface is active, along with the second one. This means that if I click the capture button at the top of the image, Wireshark will start capturing network traffic on every device on my Wi-Fi network, including the host computer.

The green arrow isn't needed that much here. It just shows the history of PCAP files I have analyzed with Wireshark.

If I click the capture button, it will display a pop-up with a list of all the interfaces I can choose from. As a SOC analyst, this is useful when you want to capture a particular interface, e.g. Bluetooth communications.

It helps keep you focused on what is necessary. It is often necessary to check the 'turn on promiscuous mode' box, as it helps to capture packets from ALL interfaces. Unless you know exactly what you are looking for, check that box.

Filters

Filters are the core of Wireshark, as they help SOC analysts narrow a capture down to exactly what they are looking for. Using the right filters will supercharge your productivity; using the wrong filters will not only slow you down, it can lead to inaccurate deductions, which can be very damaging to the security of the organization you are defending.

There are two main kinds of filter in Wireshark. You may have spotted them in the first image I shared. They are: Display and Capture Filters.

To be frank, the names already give insights into what they are, but let’s explore them in detail and see how they can help in SOC analysis.

Capture Filters:

These are filters that are applied before capturing starts in Wireshark. With these filters, you restrict the capture to packets matching the criteria, and no others. In other words, when a capture filter is used, Wireshark is blind to any packets on the interface that do not match the filter.

If, for instance, I am scanning my organization's Wi-Fi network and I need to see only communications with insecure (plain HTTP) sites, I can simply use this capture filter:

port 80

The image below shows a visual guide of how this is done:

Once I click start, it should start capturing all port 80 traffic on the Wi-Fi interface.

This image shows a blank capture page because there is no HTTP traffic. You can experiment with different capture filters to see how they work. Here is a list of the capture filters Wireshark users are most likely to find useful.

Let me switch to port 443 and see what we find.

Okay, we now have over 500 packets on port 443.

Display Filters:

Unlike capture filters, display filters are applied only after packets have been captured. Analysts use them when they want to look at a particular protocol in a PCAP file, typically when no capture filter was applied during the capture.

Let’s capture and then apply a display filter afterwards.

Here is the totality of our live capture. When I add a display filter, the number of packets will drop considerably.

Look at the blue and red arrows. What do you see? When I applied this display filter: tcp.port == 443 || udp.port == 80 the number of packets on the screen changed, and at the moment of taking that screenshot, 25.9% of our total packets were either running through TCP port 443 or UDP port 80. Though in this case, I am sure that most of the shown packets are matched by the first part of my filter: tcp.port == 443.

Note: The double pipe (||) in a Wireshark display filter is the 'OR' operator.

You can check here for a list of Wireshark Display Filters and here to understand display filters better.
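To make the difference between the two filter types concrete, here is an added Python example (it is not code from this article or from the Wireshark project). It writes a small constructed capture to the libpcap file format twice, once unfiltered and once through the equivalent of the capture filter port 80, then reads the unfiltered file back and applies the display filter tcp.port == 443 || udp.port == 80 from above. The packets, the addresses (203.0.113.0/24 is a documentation range) and the resulting counts are all constructed for the illustration.

```python
"""Minimal libpcap writer/reader showing where capture and display filters act.
Added illustration, not Wireshark code. A capture filter (BPF, e.g. "port 80") decides what is
written at capture time; a display filter ("tcp.port == 443 || udp.port == 80") only hides rows
when reading a full file. Packets are constructed; 203.0.113.0/24 is a documentation range."""
import struct
from typing import Callable, Iterator, List, NamedTuple, Optional

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic for microsecond timestamps, little-endian file
LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 1, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


class Packet(NamedTuple):
    ts: float
    proto: int  # 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(pkt: Packet) -> bytes:
    """Ethernet/IPv4/{TCP,UDP} bytes for a constructed packet; checksums are left zero."""
    if pkt.proto == PROTO_TCP:  # 20-byte TCP header: data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", pkt.sport, pkt.dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:  # 8-byte UDP header
        l4 = struct.pack("!HHHH", pkt.sport, pkt.dport, 8 + len(pkt.payload), 0)
    l4 += pkt.payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64,
                     pkt.proto, 0, _ip(pkt.src), _ip(pkt.dst))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def write_pcap(packets: List[Packet], capture_filter: Optional[Callable[[Packet], bool]] = None) -> bytes:
    """Serialise packets to a pcap byte string. The capture filter runs here, before anything
    is written, so non-matching packets never reach the file at all."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for pkt in packets:
        if capture_filter is not None and not capture_filter(pkt):
            continue
        frame = build_frame(pkt)
        sec, usec = int(pkt.ts), int(round((pkt.ts % 1) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> Iterator[Packet]:
    """Parse a little-endian pcap byte string back into Packet records (IPv4 TCP/UDP only)."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        proto = frame[14 + 9]
        if proto not in (PROTO_TCP, PROTO_UDP):
            continue
        l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header plus IHL
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, l4)
        hdr_len = (frame[l4 + 12] >> 4) * 4 if proto == PROTO_TCP else 8
        yield Packet(sec + usec / 1e6, proto, src, dst, sport, dport, frame[l4 + hdr_len:])


def capture_port_80(p: Packet) -> bool:
    """Capture filter "port 80": BPF port primitives match TCP and UDP, in either direction."""
    return 80 in (p.sport, p.dport)


def display_tcp443_or_udp80(p: Packet) -> bool:
    """The article's display filter "tcp.port == 443 || udp.port == 80"."""
    return ((p.proto == PROTO_TCP and 443 in (p.sport, p.dport))
            or (p.proto == PROTO_UDP and 80 in (p.sport, p.dport)))


SAMPLE = [  # constructed five-packet capture from a 10.0.0.5 workstation
    Packet(1700000000.0, PROTO_TCP, "10.0.0.5", "203.0.113.10", 51000, 80, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet(1700000000.1, PROTO_TCP, "10.0.0.5", "203.0.113.10", 51001, 443, b"\x16\x03\x01\x00\x05hello"),
    Packet(1700000000.2, PROTO_UDP, "10.0.0.5", "10.0.0.1", 53444, 53, b"\x12\x34\x01\x00\x00\x01"),
    Packet(1700000000.3, PROTO_UDP, "10.0.0.5", "203.0.113.20", 40000, 80, b"udp to port 80"),
    Packet(1700000000.4, PROTO_TCP, "203.0.113.10", "10.0.0.5", 443, 51001, b"\x16\x03\x03\x00\x02ok"),
]


def compare_filters(packets: List[Packet] = SAMPLE) -> dict:
    """Write the same traffic twice and count what each filtering stage leaves behind."""
    full_file = write_pcap(packets)                                    # the file the network team hands over
    port80_file = write_pcap(packets, capture_filter=capture_port_80)  # the same traffic captured with "port 80"
    total = sum(1 for _ in read_pcap(full_file))
    shown = sum(1 for p in read_pcap(full_file) if display_tcp443_or_udp80(p))
    return {"total": total, "display_matches": shown, "display_pct": round(100.0 * shown / total, 1),
            "capture_port80": sum(1 for _ in read_pcap(port80_file)),
            "full_file_bytes": len(full_file), "port80_file_bytes": len(port80_file)}
```

The capture-filtered file is smaller and has lost the non-matching packets for good, whereas the display filter leaves the full file intact and can be changed as often as the investigation needs; that is the practical reason an analyst working from a PCAP handed over by the network team leans on display filters. Note also that the BPF primitive port 80 matches UDP as well as TCP, so the capture-filtered file still holds two packets, not one.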

Detecting Malware and Intrusion Attempts

SOC analysts can use a combination of technical skills (filters) and soft skills (keen observation) to detect malware and intrusion attempts.

Here are a few examples of such ways:

  • Filters:

http contains <keyword>. This can be used to find specific keywords in packet payloads, which helps narrow an analyst's attention to a specific traffic flow, e.g. http contains exfiltration. This filter can help surface any packet related to exfiltration attempts. Consult the resource linked above to become familiar with common filters.

  • Observation:

Paying attention to the volume of network traffic can reveal that something is wrong. For instance, traffic outside office hours, or a foreign IP address communicating constantly with one of the organization's IPs, could indicate an issue that requires more attention.

  • Analyzing DNS Traffic for Phishing Indicators:

Look for unusual domain requests (get familiar with the source and destination columns in the interface), and use the DNS resolutions to spot patterns of suspicious activity.

  • Investigating Suspicious IPs and Domains:

Cross-reference IP addresses with threat intel sources like VirusTotal. Check for repeated connections to known malicious sites, or to sites that employees should ideally not be visiting.
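The three observation-style checks above (off-hours traffic, an outside address in constant contact, and odd DNS names) can be turned into repeatable code once the packets are exported as fields. The Python below is an added example, not code from this article or from Wireshark. It works on a constructed, tab-separated export in the shape that tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name writes, one packet per line. The office-hours window, the internal address ranges, the watched brand names and the numeric thresholds are assumptions to be replaced with your organization's own values; 203.0.113.0/24 is a documentation range standing in for external hosts.

```python
"""Observation-style checks over exported Wireshark fields (added illustration, not Wireshark code).
Input is the tab-separated shape `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src
-e ip.dst -e dns.qry.name` writes; dns.qry.name is empty for non-DNS packets. All values are constructed."""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumptions standing in for the organization's own values.
OFFICE_HOURS_UTC = range(8, 18)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_BRANDS = ("paypal", "microsoft")
LEET = str.maketrans("01345", "oleas")  # digit-for-letter swaps common in lookalike names

# Constructed export: once-a-minute connections during office hours (1700035200 is 2023-11-15
# 08:00:00 UTC), a burst at midnight UTC, and three DNS queries. 203.0.113.0/24 is a
# documentation range standing in for the outside world.
SAMPLE_EXPORT = "\n".join(
    [f"{1700035200 + 60 * i + j:.1f}\t10.0.0.5\t203.0.113.7\t"
     for i, j in enumerate((0.0, 0.1, -0.1, 0.2, 0.0, -0.2, 0.3, 0.1))]
    + ["1700006400.0\t10.0.0.8\t203.0.113.9\t",
       "1700006403.2\t203.0.113.9\t10.0.0.8\t",
       "1700006431.9\t10.0.0.8\t203.0.113.9\t",
       "1700006490.0\t203.0.113.9\t10.0.0.8\t",
       "1700038000.0\t10.0.0.5\t10.0.0.1\tintranet.example.com",
       "1700038001.0\t10.0.0.5\t10.0.0.1\tpaypa1-secure-login.example.net",
       "1700038002.0\t10.0.0.5\t10.0.0.1\tx7k2q9zp3m8v1b4n.example.org"]
)


def parse_export(text: str) -> list:
    """One (epoch, src, dst, qname) tuple per non-empty line; qname may be ''."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        ts, src, dst, qname = (line.split("\t") + [""])[:4]
        rows.append((float(ts), src, dst, qname))
    return rows


def is_external(ip: str) -> bool:
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def off_hours_external(rows) -> dict:
    """Packets exchanged with an outside address outside office hours, counted per peer."""
    hits = Counter()
    for ts, src, dst, _ in rows:
        if datetime.fromtimestamp(ts, tz=timezone.utc).hour not in OFFICE_HOURS_UTC:
            hits.update(peer for peer in (src, dst) if is_external(peer))
    return dict(hits)


def beacon_candidates(rows, min_count: int = 6, max_jitter: float = 0.1) -> dict:
    """Outside peers seen at near-constant intervals (coefficient of variation of the
    inter-packet gaps below max_jitter). Returns peer -> mean gap in seconds."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        for peer in filter(is_external, (src, dst)):
            times[peer].append(ts)
    found = {}
    for peer, stamps in times.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
            found[peer] = round(mean, 1)
    return found


def _entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def suspicious_dns(rows) -> dict:
    """Names whose first label looks machine-generated (long, digit-heavy, high entropy), or
    that carry a watched brand (after undoing digit swaps) under someone else's domain."""
    flagged = {}
    for _, _, _, qname in filter(lambda r: r[3], rows):
        labels = qname.lower().rstrip(".").split(".")
        host, registrable = labels[0], ".".join(labels[-2:])  # assumption: 2-label suffix
        reasons = []
        digit_share = sum(ch.isdigit() for ch in host) / len(host)
        if len(host) >= 12 and digit_share >= 0.25 and _entropy(host) > 3.5:
            reasons.append("high-entropy label")
        reasons += [f"brand lookalike: {b}" for b in WATCHED_BRANDS
                    if b in host.translate(LEET) and b not in registrable]
        if reasons:
            flagged[qname] = reasons
    return flagged


def triage(text: str = SAMPLE_EXPORT) -> dict:
    rows = parse_export(text)
    return {"off_hours": off_hours_external(rows), "beacons": beacon_candidates(rows),
            "dns": suspicious_dns(rows)}
```

On the constructed export, triage() flags the midnight chatter with 203.0.113.9 as off-hours, 203.0.113.7 as a once-a-minute beacon, the paypa1-secure-login name as a brand lookalike and the x7k2q9zp3m8v1b4n name as machine-generated, while the ordinary intranet lookup passes. Anything flagged is a lead for the cross-referencing step above (threat intel, SIEM logs), not a verdict on its own.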

Best Practices for SOC Analysts Using Wireshark

  • Develop efficient filtering techniques to reduce analysis time: Time efficiency is non-negotiable for SOC analysts. You have to be prompt, as a single second wasted can give an attacker the leverage they need to break in. This is why sound knowledge of the right filtering techniques is important.

  • Cross-reference network activity with security logs: Typically, as a SOC analyst, you should have access to the organization's SIEM, and to get a fuller picture of your investigation you will sometimes have to cross-reference network activity with logs.

  • Integrate with other tools: SIEM tools can ingest Wireshark PCAP files. To do this, end the live capture, then save it as a PCAP or PCAPNG file. That file can then be ingested into a SIEM tool like Splunk.

Summary

Wireshark's role in the security landscape is indispensable, and for SOC analysts, who are often considered the first line of defense, it is more than necessary, whether they are capturing live packets or saving them for offline analysis.

Mastering Wireshark requires continuous effort. The tool is so vast that a single article can't cover all its concepts. With a solid knowledge of networking, especially the OSI model, SOC analysts can quickly find themselves productive with this simple, yet sophisticated tool.

Written by

Joseph Chisom Ofonagoro