Wireshark has become the industry-standard network capture analysis tool, and for good reason. It is powerful, flexible and a great tool to have in your DFIR arsenal.

PCAPs can greatly aid an investigation after an incident has occurred. However, PCAPs contain massive amounts of data that is difficult to parse, and time is valuable, especially during live investigations. How do we then swiftly perform a PCAP analysis that covers maximum ground? This post provides a quick summary of analysis that can be done by Wireshark and its accompanying CLI tool, tshark. We will be using sample PCAPs in this post.

Grab a sample PCAP file

Capinfos is a CLI tool that ships with Wireshark and can be useful to derive quick insights about the PCAP. It resides in the Wireshark directory, same as tshark and reordercap, the other CLI tools that ship with Wireshark. In my case (macOS), capinfos was found here:

/Applications/Wireshark.app/Contents/MacOS/capinfos

We therefore immediately see that this packet capture ran for a few minutes, with the first and last packet seen 5 minutes apart. The data byte rate suggests that the network was not under heavy load during that time.

Adjusting timezone

By default, Wireshark will display timestamps in absolute time since the start of the capture. Unless you can read and interpret these, it's best to change these timestamps to human-readable dates and times. I usually change them to UTC for my investigations:

View -> Time display format -> UTC date and time of day

Protocol Hierarchy

One of the first things I like to do after loading a PCAP in Wireshark is to look at the protocol hierarchy to understand the kind of traffic that the PCAP contains. We see that we mostly have TCP traffic in this PCAP (96.1%) with a little bit of UDP (3.5%). Within TCP, we have mostly TLS and HTTP traffic.

Next, it is good to build a timeline of traffic activity, and fortunately Wireshark has I/O graphs for this purpose. Color the different protocols (or combinations of protocols set with display filters) to improve the visualization. I usually select Time of day within the I/O graph to see the accurate date and timestamps on the X-axis. You can display all packets OR just the protocols that you are interested in.

Identify conversations between endpoints

During the capture, several entities could be talking to each other, and not all of those conversations are of interest during the investigation. First, identify what conversations took place and then check to see if they are relevant to the investigation. I usually check 'Name resolution', which makes it easy to identify domain names. Enable name resolution in the Wireshark options first:

Preferences -> Name resolution -> Use an external network name resolver

Next, Wireshark provides the ability to quickly identify all endpoints involved in conversations.

Display filters make it easy to make sense of the vast amounts of information contained within large PCAPs. Without unlimited time and patience, it is infeasible to scroll through the millions of packets that could be contained within the PCAP. Therefore, zeroing in on relevant information by specifying display filters is a good practice. There are vast amounts of details available online on Wireshark display filters which I won't attempt to replicate.

Operators:

Personally, I frequently use the following display filters during my investigations:

If you find interesting information while examining the details, you can use the 'Apply as column' feature to add that as a column in your analysis. For instance, here I am adding user-agent strings under a column:

Tshark is the command-line utility that ships with Wireshark and can provide easy and flexible command-line access to the PCAP analysis data, which can then be piped directly to grep, awk etc.

Note: Before beginning analysis with tshark, it is advised to reorder packets using Wireshark's reordercap.
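The four statistics views walked through above (the capinfos summary, the protocol hierarchy, the conversations/endpoints view and a display filter) reduced to code, as an added example that is not from the post or from Wireshark: a minimal pcap reader run over a five-packet capture constructed in the block. The packet builder, the documentation addresses, and the port-based TLS/HTTP labelling (Wireshark uses dissectors, not ports) are all assumptions made for this example.

```python
import struct
from collections import Counter
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps


def build_packet(ts_sec, ts_usec, proto, src, dst, sport, dport, payload_len):
    """One pcap record: Ethernet II + IPv4 + (TCP or UDP) + zero payload. Constructed test data."""
    payload = b"\x00" * payload_len
    if proto == 6:   # TCP: 20-byte header, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    else:            # UDP: 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4 + payload
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_pcap(records):
    """Global header (version 2.4, snaplen 65535, link type 1 = Ethernet) followed by the records."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + b"".join(records)


def parse_pcap(data):
    """Return (ts, length, proto_name, src, dst, sport, dport) per packet.
    Minimal reader: Ethernet II / IPv4 / TCP or UDP only; anything else is labelled 'other'."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ts = ts_sec + ts_usec / 1e6
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            pkts.append((ts, incl_len, "other", None, None, None, None))
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        if proto in (6, 17):
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
            name = "tcp" if proto == 6 else "udp"
        else:
            sport = dport = None
            name = "ip-other"
        pkts.append((ts, incl_len, name, src, dst, sport, dport))
    return pkts


def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def capinfos_like(pkts):
    """The figures capinfos prints: packet count, bytes, first/last time (UTC), duration, data byte rate."""
    total, duration = sum(p[1] for p in pkts), pkts[-1][0] - pkts[0][0]
    return {"packets": len(pkts), "bytes": total, "first": utc(pkts[0][0]), "last": utc(pkts[-1][0]),
            "duration": duration, "data_byte_rate": total / duration if duration else 0.0}


def protocol_hierarchy(pkts):
    """Packet share per transport, plus a TCP breakdown (port 443 -> tls, 80 -> http: a simplification)."""
    out = {k: round(100 * v / len(pkts), 1) for k, v in Counter(p[2] for p in pkts).items()}
    tcp = [p for p in pkts if p[2] == "tcp"]
    sub = Counter("tls" if 443 in (p[5], p[6]) else "http" if 80 in (p[5], p[6]) else "tcp-other" for p in tcp)
    out["tcp_breakdown"] = {k: round(100 * v / len(tcp), 1) for k, v in sub.items()} if tcp else {}
    return out


def conversations(pkts):
    """Packets per endpoint and per unordered IPv4 pair, as Statistics -> Conversations shows them."""
    endpoints, convs = Counter(), Counter()
    for _ts, _ln, _name, src, dst, _sp, _dp in pkts:
        if src is None:
            continue
        endpoints[src] += 1
        endpoints[dst] += 1
        convs[tuple(sorted((src, dst)))] += 1
    return endpoints, convs


def apply_filter(pkts, proto=None, host=None, port=None):
    """Programmatic analogue of a display filter such as  tcp && ip.addr == 10.0.0.5 && tcp.port == 443."""
    return [p for p in pkts
            if (proto is None or p[2] == proto)
            and (host is None or host in (p[3], p[4]))
            and (port is None or port in (p[5], p[6]))]


# Constructed five-packet capture using documentation addresses (not real traffic).
SAMPLE_PCAP = build_pcap([
    build_packet(1700000000, 0, 6, "10.0.0.5", "203.0.113.10", 51000, 443, 500),
    build_packet(1700000000, 500000, 6, "203.0.113.10", "10.0.0.5", 443, 51000, 1400),
    build_packet(1700000010, 0, 6, "10.0.0.5", "198.51.100.20", 51001, 80, 300),
    build_packet(1700000020, 0, 17, "10.0.0.5", "10.0.0.1", 53000, 53, 40),
    build_packet(1700000300, 0, 6, "10.0.0.7", "203.0.113.10", 52000, 443, 200),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print(capinfos_like(pkts))
    print(protocol_hierarchy(pkts))
    print(*conversations(pkts), sep="\n")
    print(len(apply_filter(pkts, proto="tcp", host="10.0.0.5", port=443)), "packets match the filter")
```

The duration comes from the first and last record timestamps, which is why the post recommends reordercap before CLI analysis: out-of-order records would make "last minus first" meaningless.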
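The tshark workflow the post closes with (reordercap, then tshark output piped into text tools), together with the user-agent column and the I/O-graph timeline from earlier sections, as an added example in Python rather than grep/awk; it is not code from the post or from Wireshark. It consumes `tshark -T fields` output: the tshark command in the comment, the chosen field names and the sample rows are assumptions for this example, and the rows are constructed, not taken from a capture.

```python
from collections import Counter, defaultdict

# Assumed producer of the input (-r, -Y, -T fields and -e are standard tshark options); reorder first:
#   reordercap capture.pcap ordered.pcap
#   tshark -r ordered.pcap -Y "http.request" -T fields \
#          -e frame.time_epoch -e ip.src -e http.host -e http.user_agent > http_requests.tsv
FIELDS = ("time", "src", "host", "user_agent")

# Constructed rows standing in for http_requests.tsv (documentation addresses, not real traffic).
SAMPLE_ROWS = [
    ("1700000000.101", "10.0.0.5", "updates.example", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("1700000003.250", "10.0.0.6", "updates.example", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("1700000045.000", "10.0.0.5", "cdn.example", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("1700000070.500", "10.0.0.9", "203.0.113.10", "python-requests/2.31"),
    ("1700000071.000", "10.0.0.9", "203.0.113.10", "python-requests/2.31"),
    ("1700000130.000", "10.0.0.6", "intranet.example", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    ("1700000131.200", "10.0.0.9", "203.0.113.10", "python-requests/2.31"),
    ("1700000200.000", "10.0.0.5", "updates.example", ""),   # tshark emits an empty field when absent
]
SAMPLE_TSV = "\n".join("\t".join(r) for r in SAMPLE_ROWS) + "\n"


def parse_fields(text):
    """Turn tab-separated `tshark -T fields` output into dicts; empty user agents become '<none>'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))      # tolerate a missing trailing column
        row = dict(zip(FIELDS, cols))
        row["time"] = float(row["time"])
        row["user_agent"] = row["user_agent"] or "<none>"
        rows.append(row)
    return rows


def user_agent_column(rows):
    """What the 'Apply as column' view followed by `sort | uniq -c` gives: requests per user agent."""
    return Counter(r["user_agent"] for r in rows)


def hosts_per_user_agent(rows):
    """Source hosts per user agent; an agent confined to a single host is worth a closer look."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user_agent"]].add(r["src"])
    return {ua: sorted(hosts) for ua, hosts in seen.items()}


def rare_user_agents(rows, max_hosts=1):
    """User agents seen from at most `max_hosts` distinct source addresses, sorted."""
    return sorted(ua for ua, hosts in hosts_per_user_agent(rows).items() if len(hosts) <= max_hosts)


def io_graph(rows, bucket_seconds=60):
    """Requests per time bucket keyed by bucket start epoch, the text form of the I/O graph's X-axis."""
    buckets = Counter()
    for r in rows:
        buckets[int(r["time"] // bucket_seconds) * bucket_seconds] += 1
    return dict(sorted(buckets.items()))


if __name__ == "__main__":
    rows = parse_fields(SAMPLE_TSV)
    print(user_agent_column(rows))
    print(rare_user_agents(rows))
    print(io_graph(rows))
```

Feeding a real `http_requests.tsv` into `parse_fields` works the same way; the bucket keys are epoch seconds, so convert them with the UTC setting discussed under "Adjusting timezone" when presenting the timeline.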