  • After opening Wireshark and loading a PCAP file:

TCP/UDP

  • open Statistics/Protocol Hierarchy
    • for viewing the overall share of traffic per protocol, port and service
  • open Statistics/Conversations, IPv4 tab
    • for viewing the list of IP-to-IP conversations (endpoints, packet and byte counts)

Checks to do

  • Packet statistics
  • Service identification
  • IP reputation check

Questions to answer

  • Which IP addresses are in use?
  • Has a suspicious IP address been detected?
  • Has suspicious port usage been detected?
  • Which port numbers and services are in use?
  • Is there an abnormal level of traffic on any port or service?

DNS

  • filter by typing dns in the display filter bar
  • Checks to do
    • DNS queries
    • DNS answers
  • Questions to answer
    • Which domain names are queried?
    • Do the queried domain names include unusual or suspicious destinations?
    • Do the DNS queries look unusual, suspicious or malformed?
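
The TCP/UDP and DNS checks above can also be run outside the Wireshark GUI. The following is an added example, not code from the original notes: a stdlib-only Python parser that walks a classic pcap (Ethernet/IPv4 only) and produces the protocol mix, IP conversations, service-port counts and queried DNS names, run against a small capture constructed inline (the IPs, ports and domain are made up).

```python
import struct
from collections import Counter

def dns_query_name(msg):
    """First question name of a raw DNS message (question names are not compressed)."""
    labels, pos = [], 12                       # skip the 12-byte DNS header
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def analyse_pcap(data):
    """Classic pcap, Ethernet/IPv4 only: protocol mix, IP conversations, service ports, DNS names."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    stats = {k: Counter() for k in ("protocols", "conversations", "ports", "dns_queries")}
    pos = 24                                   # 24-byte pcap global header
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        frame, pos = data[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00": continue   # not IPv4 over Ethernet
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        stats["conversations"][tuple(sorted((src, dst)))] += 1
        name = {6: "tcp", 17: "udp"}.get(proto, "other")
        stats["protocols"][name] += 1
        l4 = frame[14 + ihl:]
        if name == "other" or len(l4) < 8: continue
        sport, dport = struct.unpack("!HH", l4[:4])
        stats["ports"][(name, min(sport, dport))] += 1   # lower port ~ the service side
        if name == "udp" and dport == 53:
            stats["dns_queries"][dns_query_name(l4[8:])] += 1
    return stats

# --- constructed sample capture (not a real trace): 2 DNS queries + 2 TCP SYNs ---
def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes(12) + b"\x08\x00" + ip + l4   # zeroed MACs, EtherType 0x0800 (IPv4)
def _dns_query(name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"
    return struct.pack("!HHHH", 51000, 53, 8 + len(msg), 0) + msg   # UDP header + DNS
def _syn(dport):                               # minimal 20-byte TCP SYN header
    return struct.pack("!HHIIBBHHH", 44321, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
_frames = [_frame("10.0.0.5", "10.0.0.1", 17, _dns_query("update.example.com"))] * 2 + \
          [_frame("10.0.0.5", "203.0.113.9", 6, _syn(p)) for p in (443, 9001)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + \
              b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in _frames)
```

Each counter maps onto one of the questions above: ports with few packets on an unexpected service, or a single conversation dominating the capture, are what to look at first.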

HTTP
