
Wireshark Deep Dive

40 min | lab | +70 XP

Learning Objectives

  • Analyze captured traffic using Wireshark
  • Reconstruct conversations and extract files
  • Identify malicious patterns in network data

Traffic Analysis with Wireshark

Wireshark provides powerful tools for packet analysis. Understanding Wireshark enables detailed examination of network captures, reconstructing what happened and identifying malicious activity.

Interface Overview

The packet list pane shows captured packets in chronological order; its columns display time, addresses, protocol, and a one-line summary.

The packet details pane expands the protocol layers of the selected packet. Click a layer to examine the Ethernet header, IP header, TCP/UDP header, and application data.

The packet bytes pane shows the raw packet content in hexadecimal and ASCII.

Filtering

Display filters show only matching packets:

ip.addr == 192.168.1.100
tcp.port == 443
http.request.method == "POST"
dns.qry.name contains "evil"

Combine filter expressions with the logical operators and, or, and not.

Capture filters, by contrast, limit what is recorded in the first place. They are useful in high-volume environments where saving everything is impractical.

Following Streams

"Follow TCP Stream" reconstructs a conversation. Right-click a packet and select Follow > TCP Stream; the entire conversation is displayed in readable form.

Color coding distinguishes client from server traffic, which is useful for reading HTTP request/response pairs, command sessions, and other protocol exchanges.

Protocol Analysis

HTTP - Examine requests, responses, headers, and content. Extract downloaded files through File > Export Objects > HTTP.

DNS - Query names and responses reveal command and control, data exfiltration, or reconnaissance. Filter: dns

SMB - File sharing and remote execution. Filter: smb or smb2

TLS - Encrypted traffic shows handshakes but not content. Certificate information reveals servers and potentially domains.

Detecting Malicious Activity

Unusual protocols - Unexpected DNS over TLS, HTTP on non-standard ports, or unknown protocols warrant investigation.

Beaconing - Regular, periodic connections to the same destination suggest C2 communication. Examine timing patterns.

Large transfers - Significant outbound data volume might indicate exfiltration.

Suspicious domains - DNS queries to newly registered domains, high-entropy names, or known-bad indicators warrant investigation.
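As an added example that is not part of the lesson, the Python script below applies two of the checks above to connection records exported from a filtered capture: it flags regular inter-arrival timing as a beaconing candidate and scores DNS labels by character entropy. The records, thresholds, and domain names are constructed for illustration and are not Wireshark defaults.

```python
"""Beaconing and DNS-name entropy checks over exported connection records."""
import math
import statistics
from collections import defaultdict

# Constructed sample records: (epoch seconds, src, dst, dst port), the kind of
# fields one exports from a Wireshark/tshark filter result. Not real traffic.
FLOWS = [
    # 10.0.0.5 -> 203.0.113.9:443 roughly every 60 s: a beacon candidate
    (1000.0, "10.0.0.5", "203.0.113.9", 443),
    (1060.5, "10.0.0.5", "203.0.113.9", 443),
    (1119.8, "10.0.0.5", "203.0.113.9", 443),
    (1180.2, "10.0.0.5", "203.0.113.9", 443),
    (1240.1, "10.0.0.5", "203.0.113.9", 443),
    (1299.9, "10.0.0.5", "203.0.113.9", 443),
    # 10.0.0.5 -> 198.51.100.20:80 in irregular bursts: ordinary browsing
    (1005.0, "10.0.0.5", "198.51.100.20", 80),
    (1007.0, "10.0.0.5", "198.51.100.20", 80),
    (1150.0, "10.0.0.5", "198.51.100.20", 80),
    (1152.5, "10.0.0.5", "198.51.100.20", 80),
    (1400.0, "10.0.0.5", "198.51.100.20", 80),
    (1402.0, "10.0.0.5", "198.51.100.20", 80),
]


def beacon_candidates(flows, min_count=5, max_cv=0.15):
    """Group flows by (src, dst, port) and flag groups whose inter-arrival gaps
    are regular (stdev/mean <= max_cv). Thresholds are illustrative assumptions."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, dst, port)].append(ts)
    hits = {}
    for key, times in by_key.items():
        if len(times) < min_count:
            continue  # too few connections to call the timing periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits[key] = round(mean, 1)  # mean beacon interval in seconds
    return hits


def label_entropy(name):
    """Shannon entropy in bits per character of the longest label of a DNS
    name; algorithmically generated names score close to log2(alphabet size)."""
    label = max(name.rstrip(".").split("."), key=len)
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())
```

Running beacon_candidates(FLOWS) reports only the 443 flow with a 60.0 s interval; the bursty port-80 traffic has a coefficient of variation above 1 and is left alone.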

Evidence Extraction

Export packets - Save filtered results for focused analysis or evidence preservation.

Extract files - The Export Objects menu (File > Export Objects) extracts files transferred over supported protocols.

Expert Information - Wireshark flags anomalies: connection resets, retransmissions, malformed packets.

Document findings with screenshots showing relevant packets and analysis.

Questions

  • Question 1 (Knowledge): How do you analyze pcaps in Wireshark? Answer format: 10 characters, exact match required.
  • Question 2 (Hands-On): What menu exports files? Answer format: 7 characters, exact match required.
  • Question 3 (Knowledge): What indicates malicious traffic? Answer format: 9 characters, exact match required.
  • Question 4 (Hands-On): What term describes regular C2 pings? Answer format: 9 characters, exact match required.

All four questions must be answered correctly to unlock the next lesson.
