
The Analyst's Toolkit: Mastering Wireshark with 3 Filters You'll Use Every Day

February 5, 2024
9 min read
Enerik Sina
Wireshark
Network Analysis
Packet Capture
Tools

Master essential Wireshark filters that every SOC analyst should know for efficient network traffic analysis and incident investigation.

Wireshark is an indispensable tool for SOC analysts, but it can be overwhelming with its vast array of features and filters. After years of daily use, I've identified the 3 filters that will transform your network analysis capabilities and make you more efficient in threat hunting and incident investigation.

🎯 Why These 3 Filters?

These filters cover 80% of the network analysis scenarios you'll encounter as a SOC analyst. Master these, and you'll be able to quickly identify threats, analyze attack patterns, and investigate incidents with confidence.

Filter #1: HTTP/HTTPS Traffic Analysis

Basic Filter

http or tls

This display filter shows every packet Wireshark has dissected as HTTP or TLS, so it covers plaintext web traffic and the encrypted kind in one view. Keep its limit in mind: for HTTPS you see the TLS handshake (the Server Name Indication in the ClientHello, the server certificate, the negotiated cipher) and opaque application data, not the requests themselves, unless you load session keys (for example a browser's SSLKEYLOGFILE via Preferences > Protocols > TLS). HTTP on a non-standard port is only matched once you tell Wireshark to dissect it with Decode As. It is still your go-to filter for web-based attacks and communications.

Why it's essential:

  • Web-based attacks: the request line and body of plaintext HTTP expose SQL injection, XSS and other web application payloads directly; over TLS you need decryption to see them.
  • C2 communications: beaconing hidden in web protocols shows up as small, regular requests to the same host, and for TLS the SNI and certificate still identify the destination.
  • Data exfiltration: large or repeated POST/PUT bodies to unfamiliar external hosts over HTTP or HTTPS.

Advanced Usage:

http.request.method == "POST" and http.request.uri contains "login"

This narrows the view to POST requests whose URI contains "login", a quick way to surface brute force or credential stuffing as a burst of POSTs from one source. Two caveats: contains is case-sensitive, so /Login or /api/LOGIN slip past it (use http.request.uri matches "(?i)login" for a case-insensitive match), and the http.request.* fields only exist for plaintext or decrypted HTTP.
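A concrete way to turn that filter into a detection, as an added example that is not code from the article: the script below reads the tab-separated output of tshark -T fields (the command, the thresholds and the sample lines are assumptions constructed for this example) and reports any source that POSTs to a login URI five or more times inside a minute. It matches "login" case-insensitively, which is what the display filter would need matches "(?i)login" to do.

```python
"""Spot login brute force / credential stuffing in tshark field output.

Added example, not from the article. The input imitates this assumed command:
  tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields \
    -e frame.time_epoch -e ip.src -e ip.dst -e http.request.uri -e http.host
(tab-separated, one request per line). Only plaintext or decrypted HTTP
produces http.request.* fields at all.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.7 fires six login POSTs in under three seconds,
# two of them with URIs that a case-sensitive 'contains "login"' would miss.
SAMPLE_TSHARK = """\
1707134400.01\t10.0.0.7\t203.0.113.10\t/login\twww.example.com
1707134400.52\t10.0.0.7\t203.0.113.10\t/login\twww.example.com
1707134401.03\t10.0.0.7\t203.0.113.10\t/login\twww.example.com
1707134401.55\t10.0.0.7\t203.0.113.10\t/Login\twww.example.com
1707134402.07\t10.0.0.7\t203.0.113.10\t/api/LOGIN?next=/\twww.example.com
1707134402.60\t10.0.0.7\t203.0.113.10\t/login\twww.example.com
1707134405.00\t10.0.0.8\t203.0.113.10\t/login\twww.example.com
1707134409.00\t10.0.0.9\t203.0.113.10\t/catalog/search\twww.example.com
"""


def parse_tshark_fields(text):
    """Turn tshark -T fields lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, uri, host = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst, "uri": uri, "host": host})
    return rows


def login_bursts(rows, threshold=5, window=60.0):
    """Return {src: max POSTs to a login URI inside any `window` seconds} for
    every source that reaches `threshold`. Matching is case-insensitive,
    i.e. what 'http.request.uri matches "(?i)login"' does in Wireshark."""
    times_by_src = defaultdict(list)
    for r in rows:
        if "login" in r["uri"].lower():
            times_by_src[r["src"]].append(r["ts"])

    hits = {}
    for src, times in times_by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in login_bursts(parse_tshark_fields(SAMPLE_TSHARK)).items():
        print(f"{src}: {n} login POSTs within 60 s -> brute force / credential stuffing candidate")
```

On a real capture, pipe the tshark command from the docstring into the script instead of the embedded sample; the sliding window keeps the detection honest when an attacker spreads attempts out rather than firing them all at once.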

Filter #2: Suspicious Network Connections

SYN Flag Filter

tcp.flags.syn == 1 and tcp.flags.ack == 0

This filter shows TCP segments with SYN set and ACK clear, i.e. the first packet of a three-way handshake, which is the clearest record of who tried to talk to whom. A stricter form, tcp.flags == 0x002, matches only segments with SYN and nothing else (hosts negotiating ECN also set ECE and CWR on the SYN, so keep the two-field form if you want those too). It is ideal for spotting scanning activity and connection patterns: a port scan is one source sending SYNs to many ports on one host, a sweep is the same source hitting one port on many hosts.

Why it matters:

  • Connection attempts: every inbound and outbound attempt, including the ones that were refused (look for the RST that follows) or never answered.
  • Port scanning: one source, many destination ports, usually no payload and fixed timing; reconnaissance stands out immediately.
  • Lateral movement: an internal host opening SYNs to many internal peers on administrative ports such as 445 (SMB), 3389 (RDP), 5985/5986 (WinRM) or 22 (SSH).

Pro Tip - Subnet Focus:

tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.dst == 192.168.1.0/24

Combine with IP filters to focus on specific subnets; Wireshark accepts CIDR notation directly. ip.dst narrows to targets inside the range, ip.src to sources inside it, and ip.src == 192.168.1.0/24 and not ip.dst == 192.168.1.0/24 isolates internal hosts reaching out, which makes it easier to separate internal lateral movement from external scanning of your network ranges.
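The same logic as a script, added here as an example and not taken from the article: it reimplements the SYN-set, ACK-clear test on raw tcp.flags values from tshark, applies the same CIDR restriction as the Pro Tip, and then separates a port scan (one host, many ports) from a host sweep on one port, the shape lateral movement usually takes. The tshark command, the thresholds and the sample rows are constructed assumptions.

```python
"""Classify SYN-only activity per source from tshark field output.

Added example, not from the article. The input imitates this assumed command
(no -Y filter on purpose, so the SYN/ACK test below mirrors the display filter):
  tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags
"""
import ipaddress
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def is_syn_only(flags_hex):
    """Equivalent of 'tcp.flags.syn == 1 and tcp.flags.ack == 0'.
    Unlike 'tcp.flags == 0x002' it still matches an ECN-setup SYN (0x0c2)."""
    flags = int(flags_hex, 16)
    return bool(flags & SYN) and not (flags & ACK)


# Constructed sample: 192.168.1.77 probes 11 ports on one host (port scan),
# 192.168.1.45 knocks on SMB across six hosts (lateral-movement pattern),
# 192.168.1.20 is a normal client whose SYN-ACK/ACK/PSH packets must be ignored.
SAMPLE_TSHARK = "\n".join(
    [f"192.168.1.77\t192.168.1.10\t{p}\t0x0002"
     for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389)]
    + [f"192.168.1.45\t192.168.1.{h}\t445\t0x0002" for h in (11, 12, 13, 14, 15, 16)]
    + ["192.168.1.20\t192.168.1.10\t443\t0x0002",
       "192.168.1.10\t192.168.1.20\t51000\t0x0012",   # SYN-ACK, excluded
       "192.168.1.20\t192.168.1.10\t443\t0x0010",     # ACK, excluded
       "192.168.1.20\t192.168.1.10\t443\t0x0018",     # PSH+ACK, excluded
       "192.168.1.20\t203.0.113.5\t443\t0x0002"]      # outbound, dropped by the subnet focus
)


def summarize_syns(text, dst_subnet=None, scan_ports=10, sweep_hosts=5):
    """Per source: (verdict, distinct hosts, distinct ports) over SYN-only
    segments, optionally restricted to targets inside dst_subnet (CIDR), the
    same effect as adding 'ip.dst == 192.168.1.0/24' to the display filter."""
    net = ipaddress.ip_network(dst_subnet) if dst_subnet else None
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flags = line.split("\t")
        if not is_syn_only(flags):
            continue
        if net and ipaddress.ip_address(dst) not in net:
            continue
        per_src[src]["hosts"].add(dst)
        per_src[src]["ports"].add(int(dport))

    verdicts = {}
    for src, d in per_src.items():
        hosts, ports = len(d["hosts"]), len(d["ports"])
        if hosts == 1 and ports >= scan_ports:
            verdict = "port-scan"
        elif hosts >= sweep_hosts and ports <= 2:
            verdict = "host-sweep/lateral-movement"
        else:
            verdict = "normal"
        verdicts[src] = (verdict, hosts, ports)
    return verdicts


if __name__ == "__main__":
    for src, (verdict, hosts, ports) in summarize_syns(SAMPLE_TSHARK, "192.168.1.0/24").items():
        print(f"{src:15} {verdict:28} hosts={hosts} ports={ports}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real network tune scan_ports and sweep_hosts against a baseline, and remember that a sweep on 445 or 3389 from a workstation deserves attention at far lower counts than one from a vulnerability scanner.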

Filter #3: DNS Analysis for Threat Hunting

DNS Query Filter

dns and not dns.flags.response == 1

This filter shows only DNS queries (response flag clear); dns.flags.response == 0 is the shorter equivalent. Queries reveal what a host is trying to reach even when the answer is NXDOMAIN or never arrives, which is what makes them useful for spotting suspicious lookups and C2 discovery. Do not drop the responses entirely, though: a high rate of NXDOMAIN answers (dns.flags.rcode == 3) is one of the strongest DGA signals. And remember that hosts using DNS over HTTPS or DNS over TLS produce none of this traffic on port 53.

Critical for detecting:

  • DNS tunneling: the data leaves in the query names themselves, so look for long, high-entropy subdomains, many unique labels under one domain, and unusual record types such as TXT or NULL.
  • DGA detection: many lookups for random-looking second-level domains, most of which fail to resolve.
  • C2 infrastructure: lookups of the command and control domain, often at a fixed interval, immediately before the beacon connects.

Advanced DNS Hunting:

dns.qry.name contains ".tk" or dns.qry.name contains ".ml"

This targets top-level domains that are cheap or free to register and therefore popular with malware. Note that contains is a substring match: ".ml" also hits any name with a label that starts with "ml" (a hostname like cdn.mlservice.example would match). Anchor the pattern to the end of the name instead, dns.qry.name matches "\\.(tk|ml)$", and extend the alternation with other suspicious TLDs or domain patterns you want to watch.
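To show the three DNS signals this section names working together, the following added example (not code from the article) applies the anchored TLD check alongside tunneling and DGA heuristics to constructed tshark output. The entropy and length thresholds are heuristic assumptions, the domains in the sample are made up apart from microsoftonline.com, used as a well-known legitimate name with a long label, and the .ml entry demonstrates the false positive the anchored match avoids.

```python
"""DNS query-name hunting: suspicious TLDs (anchored), tunneling, DGA.

Added example, not from the article. The input imitates this assumed command:
  tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e ip.src -e dns.qry.name
Thresholds (label length, entropy) are heuristic starting points, not a
published detection standard; tune them against your own baseline.
"""
import math
import re
from collections import Counter, defaultdict

SUSPICIOUS_TLDS = {"tk", "ml"}            # the two from the article; extend as needed
# Anchored to the end of the name, the same idea as matches "\\.(tk|ml)$" in Wireshark.
TLD_RE = re.compile(r"\.(" + "|".join(sorted(SUSPICIOUS_TLDS)) + r")$")

# Constructed sample queries from one host (the exfil-example names are hex blobs).
SAMPLE_TSHARK = "\n".join([
    "192.168.1.45\twww.example.com",
    "192.168.1.45\tlogin.microsoftonline.com",
    "192.168.1.45\tcdn.mlservice.example",       # 'contains ".ml"' false positive
    "192.168.1.45\tupdate.badsite.tk",
    "192.168.1.45\txk3j9qz7wplt.com",            # DGA-looking second-level domain
    "192.168.1.45\t5a3f9c2e1b7d4a6c8e0f2b4d6a8c0e2f4b6d8a0c.exfil.example.org",
    "192.168.1.45\t9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d.exfil.example.org",
    "192.168.1.45\t0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c.exfil.example.org",
])


def shannon_entropy(s):
    """Bits per character: ~2-3.3 for dictionary words, ~3.5-4+ for random hex/base32."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def classify_query(name, max_label=30, dga_len=12, dga_entropy=3.5):
    """Reasons a single query name looks suspicious (empty list = nothing found)."""
    labels = name.rstrip(".").lower().split(".")
    reasons = []
    if TLD_RE.search(".".join(labels)):
        reasons.append("suspicious-tld")
    if any(len(label) > max_label for label in labels[:-2]):
        reasons.append("long-subdomain")          # encoded data riding in the name: tunneling
    sld = labels[-2] if len(labels) >= 2 else ""
    if len(sld) >= dga_len and shannon_entropy(sld) >= dga_entropy:
        reasons.append("dga-like")
    return reasons


def tunnel_candidates(text, min_unique=3):
    """{registrable domain: distinct long-subdomain queries} for domains that
    received at least min_unique of them. Uses the last two labels as the
    registrable domain (no public suffix list), which is good enough for triage."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _src, name = line.split("\t")
        if "long-subdomain" in classify_query(name):
            labels = name.rstrip(".").lower().split(".")
            seen[".".join(labels[-2:])].add(name.lower())
    return {dom: len(names) for dom, names in seen.items() if len(names) >= min_unique}


if __name__ == "__main__":
    for line in SAMPLE_TSHARK.splitlines():
        src, name = line.split("\t")
        print(f"{src}  {name:66} {classify_query(name)}")
    print("tunnel candidates:", tunnel_candidates(SAMPLE_TSHARK))
```

The per-domain count in tunnel_candidates matters more than any single name: one long subdomain is a CDN cache key, dozens of unique ones under a domain nobody else resolves are a tunnel. Pair the output with response data (NXDOMAIN rate for the dga-like names) before escalating.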

Real-World Application: Case Study

🔍 Detecting Lateral Movement

Using these filters, I identified an attacker who had gained initial access through a phishing email and was attempting to move laterally through our network.

Step 1: Initial Discovery

Used the SYN flag filter to identify unusual connection patterns from a compromised workstation.

tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.src == 192.168.1.45

Step 2: C2 Communication

HTTP filter revealed suspicious POST requests to an external domain.

http.request.method == "POST" and ip.src == 192.168.1.45

Step 3: DNS Analysis

DNS queries showed lookups to a suspicious .tk domain, confirming C2 activity.

dns.qry.name contains ".tk" and ip.src == 192.168.1.45

✅ Result: Successfully identified and contained the threat before significant damage occurred.

Performance Tips & Best Practices

Optimization Tips

  • Use capture filters (BPF, applied at capture time) to keep volume down and display filters for analysis; a display filter can be changed at will without losing packets
  • Save frequently used filters as filter buttons
  • Combine filters with logical operators (and, or, not) and parentheses
  • Use time ranges (for example frame.time_relative >= 120 and frame.time_relative <= 180) to focus on the minutes around an incident
  • Export filtered results (File > Export Specified Packets, displayed packets only) for further analysis

Common Mistakes

  • Don't capture everything: be selective about interfaces and capture filters, or the file becomes unworkable
  • Avoid overly complex filters initially; build them one clause at a time and watch the packet count at each step
  • Remember to clear filters between analyses, or you will miss everything the previous filter excluded
  • Don't ignore encrypted traffic patterns: SNI, certificates, timing and sizes still tell a story without decryption
  • Always validate findings with multiple filters and with Statistics > Conversations and Endpoints

Practice Exercises

Exercise 1: Malware Traffic Analysis

Download a malware PCAP file and use the HTTP/HTTPS filter to identify:

  • Initial infection vector
  • C2 communication patterns
  • Data exfiltration attempts

Exercise 2: Network Reconnaissance

Use the SYN flag filter to analyze a network scan and identify:

  • Scanning patterns and techniques
  • Target systems and ports
  • Timing and frequency of scans

Exercise 3: DNS Threat Hunting

Apply DNS filters to identify suspicious domain activity:

  • Unusual domain patterns
  • High-frequency DNS queries
  • Suspicious TLD usage

Key Takeaways

  • Master these 3 filters to handle 80% of network analysis scenarios
  • Combine basic filters with advanced techniques for deeper analysis
  • Practice with real-world scenarios to build muscle memory
  • Use logical operators to create powerful, targeted filters
  • Always validate findings with multiple analytical approaches
