This post covers some Wireshark display filters that are useful in malware analysis. They are applied to the pcap captured while a sample runs during dynamic analysis.
Why do we need them?
- To remove the noise from the pcap
- To extract IoCs (domains, IP addresses and so on) from the pcap quickly
- To understand the network behaviour of the sample during dynamic malware analysis
Wireshark display columns setup
Before proceeding, I highly recommend following these two tutorials on changing Wireshark's column settings; they make the analysis much easier and more efficient.
- Changing the column display in Wireshark
- Adding HTTPS server names to the column display in Wireshark
Wireshark display filters
Display filter | Comments |
---|---|
!(ssdp or udp) | A negated filter: use it to drop the noise from a protocol you are not interested in. Note that SSDP runs over UDP, so this particular expression hides all UDP traffic, DNS included; use !ssdp if you still need to see DNS. |
dns or http | Shows every packet carrying DNS or HTTP. A good starting point for spotting suspicious DNS queries or HTTP requests that reveal the C2 (command and control) server. |
ip.addr == 192.168.0.1 same as ip.src == 192.168.0.1 or ip.dst == 192.168.0.1 | Matches either the source or the destination address in the IP header. Use it once you know the IP address of the C2 or of the victim machine. |
http.request | Shows every HTTP request (GET, POST and so on). Another good starting point for checking whether the malware talks to its C2 over HTTP. |
http contains "Mozilla/5.0" | Searches the bytes of the HTTP layer for the given string (a case-sensitive substring match). Useful when hunting for a specific User-Agent or another fixed string. |
http contains 6d:73:77:6f:72:64 | The same search with the string given as hex bytes instead of ASCII: 6d:73:77:6f:72:64 is "msword". Handy when the value contains bytes that are awkward to type. |
http.file_data matches "^MZ" | Matches file_data against a Perl-compatible regular expression (PCRE). The matches operator is case-insensitive by default, so "^MZ" also matches "mz"; write "^(?-i)MZ" for a case-sensitive match. Useful for finding downloaded files by their magic bytes (here a DOS/PE executable). |
ssl.handshake.type == 1 | Matches TLS Client Hello messages. Good for extracting the C2 of malware that uses TLS, because the Server Name Indication in the Client Hello (ssl.handshake.extensions_server_name) carries the hostname in the clear. In Wireshark 3.0 and later the protocol is named tls, so use tls.handshake.type == 1 there. |
tcp.port == 1300 same as tcp.dstport == 1300 or tcp.srcport == 1300 | Matches either the source or the destination TCP port. Useful when the malware talks to its C2 over a custom port, as DarkComet does. |
tcp.port == 1300 and tcp.flags == 0x2 | Combines the port with the SYN flag (0x2: SYN set and nothing else), so only the first packet of each new connection is shown. That removes the rest of each stream and leaves one line per connection attempt to the C2. |
Download pcap
I highly recommend downloading the infection traffic pcap from this link and practicing the different display filters on it. After going through the pcap, I was able to build the following display filter, which shows all the valid IoCs and removes the noise:
http.request or dns.qry.name matches "(hopto|ddns)" or ssl.handshake.type == 1
or (tcp.flags == 0x2 and not tcp.dstport in {443 80})
Each clause covers one channel: HTTP requests, DNS lookups of dynamic-DNS names (hopto, ddns), TLS Client Hellos, and SYNs to ports other than 80 and 443 (custom-port C2). In Wireshark 3.6 and later the set elements must be separated by commas ({443, 80}), and the TLS clause is written tls.handshake.type == 1.
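The final filter can be turned into an automated IoC extractor by running it through tshark and parsing the fields it prints. The script below is an added example, not part of the original post: it assumes tshark is on PATH, uses the tls.* field names and comma-separated set syntax of Wireshark 3.6 and later, and the sample tshark output embedded in it is constructed (RFC 5737 addresses and made-up hostnames) so that the parsing logic can be exercised without a pcap.

```python
"""Run the final display filter through tshark and collect IoCs per type.

Added example (not from the original post). Assumes tshark is installed;
the field names follow Wireshark 3.x. parse_tshark_fields() works on the
tab-separated output of 'tshark -T fields' and is exercised offline on the
constructed SAMPLE_TSHARK_OUTPUT below.
"""
import subprocess
import sys
from collections import defaultdict

# Same logic as the page's final filter, with the tls.* name and the
# comma-separated set syntax required by recent Wireshark releases.
DISPLAY_FILTER = (
    'http.request or dns.qry.name matches "(hopto|ddns)" '
    'or tls.handshake.type == 1 '
    'or (tcp.flags == 0x002 and not tcp.dstport in {443, 80})'
)

# Fields tshark prints, one tab-separated line per frame that passes the filter.
FIELDS = [
    "frame.number",
    "ip.dst",
    "tcp.dstport",
    "dns.qry.name",
    "http.host",
    "http.request.uri",
    "tls.handshake.extensions_server_name",
]


def tshark_command(pcap_path):
    """Build the tshark argv: read pcap, apply the display filter, print FIELDS."""
    cmd = ["tshark", "-r", pcap_path, "-Y", DISPLAY_FILTER, "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd


def parse_tshark_fields(lines):
    """Turn 'tshark -T fields' lines into sorted IoC lists keyed by type.

    A frame is classified by the clause of the filter that matched it:
    DNS query name, HTTP host / TLS SNI (plus a URL for HTTP requests), or
    a bare ip:port for a SYN to a non-standard port.
    """
    iocs = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        cols = line.rstrip("\n").split("\t")
        cols += [""] * (len(FIELDS) - len(cols))   # tolerate short lines
        rec = dict(zip(FIELDS, cols))
        host = (rec["http.host"] or rec["tls.handshake.extensions_server_name"]).lower()
        port = rec["tcp.dstport"]
        if rec["dns.qry.name"]:
            # DNS queries and their responses both carry dns.qry.name
            iocs["dns_query"].add(rec["dns.qry.name"].lower())
        elif host:
            iocs["host"].add(host)
            if rec["http.request.uri"]:
                netloc = host if port in ("", "80") else host + ":" + port
                iocs["url"].add("http://" + netloc + rec["http.request.uri"])
        elif rec["ip.dst"]:
            # SYN to a non-standard port: record ip:port as a C2 candidate
            iocs["ip_port"].add(rec["ip.dst"] + (":" + port if port else ""))
    return {kind: sorted(values) for kind, values in iocs.items()}


# Constructed sample of what tshark prints for the command above (not real
# traffic): DNS query and response, a SYN to port 1300, an HTTP request on
# 8080 and a TLS Client Hello with an SNI.
SAMPLE_TSHARK_OUTPUT = "\n".join([
    "12\t10.0.0.53\t\tupdate.hopto.example\t\t\t",
    "13\t10.0.0.20\t\tUPDATE.hopto.example\t\t\t",
    "15\t203.0.113.7\t1300\t\t\t\t",
    "20\t203.0.113.7\t8080\t\tcdn.example\t/gate.php\t",
    "31\t198.51.100.4\t443\t\t\t\tapi.ddns.example",
])


def main(argv):
    """Usage: extract_iocs.py <infection.pcap>  (prints one IoC per line)."""
    if len(argv) != 2:
        print("usage: extract_iocs.py <infection.pcap>", file=sys.stderr)
        return 2
    result = subprocess.run(tshark_command(argv[1]), capture_output=True,
                            text=True, check=True)
    for kind, values in parse_tshark_fields(result.stdout.splitlines()).items():
        print(kind)
        for value in values:
            print("  " + value)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The classification order matters: a DNS response carries the queried name but its ip.dst is the victim, so the dns.qry.name check comes first and prevents the victim address from being recorded as a C2 candidate. Anything the filter lets through that has neither a name nor a host falls into the ip:port bucket, which is exactly the custom-port clause of the filter.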