Last updated on Sep 4, 2024
Powered by AI and the LinkedIn community
1. Set up the environment
2. Start Wireshark and capture traffic
3. Identify the malware traffic
4. Analyze the malware protocol
5. Extract the malware artifacts
6. Report and share the findings
7. Here’s what else to consider
Wireshark is a popular tool for capturing and analyzing network traffic, which can help you understand how malware communicates with its command-and-control (C2) servers, victims, or peers. In this article, you will learn how to use Wireshark to analyze malware network traffic in six steps.
1 Set up the environment
Before you start analyzing malware network traffic, you need to set up a safe and isolated environment to run the malware sample: a virtual machine, a sandbox, or a dedicated device that you can wipe afterwards. You also need to configure the network so that Wireshark can see the traffic from the malware host. A host-only or NAT network keeps the sample off your real LAN; a bridged network puts it on the same segment as your other machines and should be avoided. If the sample needs internet access, route it through a gateway or proxy you control so you can cut it off or simulate services (a fake DNS or HTTP server) rather than letting it reach real victims.
- Mohamed Essam CISSP | IAM | Cyber Security Solutions
Verifying DNS records for any signs of suspicious domains or IP addresses. Investigating HTTP traffic to identify malicious URLs or detect attempts to download malicious files. Utilizing Wireshark's raw data can facilitate the extraction of files based on file headers and signatures, such as identifying executables that start with "MZ." Investigating TCP and UDP streams may reveal unconventional connections like IRC connections. Saving the packet capture (pcap) data and employing Linux tools like ngrep can aid in extracting Indicators of Compromise (IoCs). Network analysis, in this context, proves to be an invaluable method for identifying and mitigating potential security threats.
- Filipi Pires Global Threat Researcher and Cybersecurity Advocate at senhasegura | Snyk Ambassador | Hacking Is Not a Crime Advocate | Speaker | Writer
Creating a safe networking environment for Wireshark analysis involves setting up a virtual machine (VM) with proper network isolation to prevent any accidental exposure of captured traffic to the actual network. By configuring a VM with NAT for internet access and a Host-Only Adapter for isolated network communication, you create a safe environment for analyzing network traffic with Wireshark. This setup ensures that any captured traffic is contained within the virtual environment and doesn't affect the actual network. Analyze HTTP/HTTPS requests and responses. Analyze DNS requests to identify communication with suspicious domains. Use Wireshark's "Follow TCP Stream" feature to reconstruct and analyze complete conversations.
2 Start Wireshark and capture traffic
Next, launch Wireshark and start capturing on the interface that sees the malware host's traffic: the VM's host-only or NAT adapter on the hypervisor host, or a SPAN/mirror port or network TAP if the sample runs on physical hardware. Promiscuous mode makes the interface accept frames not addressed to it, but on a switched network it only captures what the switch actually forwards to that port. Use a capture filter (BPF syntax, such as `host 10.0.0.5`) to limit what is written to disk, and display filters (such as `ip.addr == 10.0.0.5 && tcp.port == 4444`) to narrow the view afterwards. Capture filters cannot be applied retroactively, so keep them broad and save the full pcap.
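To make the capture-and-filter step concrete, here is an added example (not code from the original article) of what Wireshark does when it opens a pcap and applies a display filter: it walks the file's record headers, decodes each frame, and keeps the packets that match. The reader only handles Ethernet/IPv4 with TCP or UDP, and the pcap bytes, the VM address 10.0.0.5 and the peer 203.0.113.10 are all constructed in the block itself, so it runs offline.

```python
"""Minimal pcap reader with a display-style filter (Ethernet/IPv4/TCP+UDP only).

Added example; the pcap bytes below are constructed in memory, not a real capture.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

PCAP_MAGIC_USEC = 0xA1B2C3D4  # pcap magic, little-endian, microsecond timestamps


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    payload: bytes


def parse_pcap(data: bytes) -> Iterator[Packet]:
    """Walk the 24-byte global header and 16-byte record headers, decoding each frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported or non-pcap magic: %#x" % magic)
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:  # DLT_EN10MB (Ethernet)
        raise ValueError("only Ethernet link type supported")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        pkt = _decode_frame(ts_sec + ts_usec / 1e6, frame)
        if pkt is not None:
            yield pkt


def _decode_frame(ts: float, frame: bytes) -> Optional[Packet]:
    """Ethernet -> IPv4 -> TCP/UDP; anything else is skipped (no ARP, IPv6, ICMP)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4 only
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        data_off = (l4[12] >> 4) * 4
        return Packet(ts, src, dst, proto, sport, dport, l4[data_off:])
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        return Packet(ts, src, dst, proto, sport, dport, l4[8:])
    return None


def match(pkt: Packet, host: Optional[str] = None, port: Optional[int] = None) -> bool:
    """Equivalent of the display filter: ip.addr == host && (tcp.port == port || udp.port == port)."""
    if host is not None and host not in (pkt.src, pkt.dst):
        return False
    if port is not None and port not in (pkt.sport, pkt.dport):
        return False
    return True


def filter_pcap(data: bytes, host: Optional[str] = None, port: Optional[int] = None):
    return [p for p in parse_pcap(data) if match(p, host, port)]


# --- constructed sample capture (checksums left zero; fine for parsing) -------------
def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    ip_src = bytes(int(x) for x in src.split("."))
    ip_dst = bytes(int(x) for x in dst.split("."))
    if proto == 6:   # TCP: data offset 5 words, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:            # UDP
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip_src, ip_dst) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out


VM = "10.0.0.5"  # hypothetical analysis VM address
SAMPLE_PCAP = build_pcap([
    build_frame(VM, "10.0.0.1", 17, 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),  # DNS query
    build_frame(VM, "203.0.113.10", 6, 51001, 4444, b"BEACON"),                    # odd port out
    build_frame("203.0.113.10", VM, 6, 4444, 51001, b"OK"),                        # reply
])

if __name__ == "__main__":
    for p in filter_pcap(SAMPLE_PCAP, host=VM, port=4444):
        print(f"{p.ts:.0f} {p.src}:{p.sport} -> {p.dst}:{p.dport} proto={p.proto} {p.payload!r}")
```

The point of the `match` function is the asymmetry the step describes: a display filter like this is evaluated over packets already on disk, so you can change it freely; a capture filter is evaluated by the kernel before the packet is ever written, and whatever it drops is gone.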
- Filipi Pires Global Threat Researcher and Cybersecurity Advocate at senhasegura | Snyk Ambassador | Hacking Is Not a Crime Advocate | Speaker | Writer
Starting Wireshark with best practices involves configuring the tool and adopting a systematic approach to effectively capture and analyze network traffic. Run Wireshark with appropriate permissions, select the network interface, configure the capture filters, limit the captured data size, colorize the packets for visual clarity, and use IO graphs for trends. By incorporating these best practices when starting Wireshark, you can enhance your ability to capture, analyze, and interpret network traffic effectively. Adopting a systematic and organized approach helps in making the most of Wireshark's powerful features for network troubleshooting, security analysis, and protocol debugging.
- Dario Nisi Postdoc researcher
First of all, you need to find the best place from which to run Wireshark. For example, suppose you are analyzing malware in a VM. Running Wireshark from within the VM guest might be suboptimal (the malware might find out the running Wireshark process and decide to hide its malicious behavior). A better choice is to sniff the traffic at the host level by properly setting up a TAP interface from the hypervisor (e.g., VirtualBox, VMWare, KVM, etc.). Similarly, in more complex analysis setups involving several machines, one could run Wireshark on a bastion host that serves as internet gateway for all the analysis machines.
3 Identify the malware traffic
Once you have captured some traffic, you need to identify the packets that belong to the malware communication. This can be challenging, because malware often uses encryption, obfuscation, or mimicry of legitimate protocols to evade detection. Still, there are clues: connections to unusual ports, newly registered or algorithmically generated domain names, DNS lookups that fail or resolve to suspicious addresses, HTTP requests with odd User-Agent strings, and beaconing, where the host contacts the same destination at regular intervals. Comparing the capture with a baseline of normal traffic from the same host or network helps separate the malware's traffic from background noise such as OS updates and telemetry, and Wireshark's Statistics > Conversations and Endpoints views give a quick list of who talked to whom and how much.
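Beaconing is the clue that is hardest to see by scrolling through packets and easiest to find with a few lines of code. The following is an added example, not part of the original article: it takes per-connection records of the kind `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport` produces, groups them by destination, and flags destinations whose inter-connection gaps are suspiciously regular, alongside any destination port outside a small expected set. The flow records and the 10.0.0.5 / 203.0.113.10 addresses are constructed for the example.

```python
"""Flag beaconing (periodic, low-jitter connections to one destination) and rare ports.

Added example; the flow records are constructed, not taken from a real capture.
"""
from collections import defaultdict
from statistics import mean, pstdev

# (timestamp_seconds, src_ip, dst_ip, dst_port), one row per new TCP connection,
# as exported with: tshark -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields ...
FLOWS = [
    # constructed: normal browsing, irregular timing
    (100.0, "10.0.0.5", "198.51.100.20", 443),
    (131.5, "10.0.0.5", "198.51.100.20", 443),
    (137.2, "10.0.0.5", "198.51.100.21", 443),
    (412.9, "10.0.0.5", "198.51.100.20", 443),
    # constructed: every ~60 s with a few seconds of jitter, to an unusual port
    (105.0, "10.0.0.5", "203.0.113.10", 4444),
    (165.8, "10.0.0.5", "203.0.113.10", 4444),
    (224.9, "10.0.0.5", "203.0.113.10", 4444),
    (286.1, "10.0.0.5", "203.0.113.10", 4444),
    (345.0, "10.0.0.5", "203.0.113.10", 4444),
    (406.2, "10.0.0.5", "203.0.113.10", 4444),
]

# Ports you expect to see from a workstation; tune to the baseline of the host.
COMMON_PORTS = {80, 443, 53, 22, 25, 123, 993, 995}


def find_beacons(flows, min_conns=5, max_cv=0.10):
    """Return {(src, dst, port): mean_gap_seconds} for destinations contacted on a regular cadence.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. User-driven traffic is bursty and scores far above max_cv;
    a sleep-with-jitter beacon scores well below it even with 5-10% jitter.
    """
    by_dst = defaultdict(list)
    for ts, src, dst, port in flows:
        by_dst[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in by_dst.items():
        if len(times) < min_conns:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons[key] = round(m, 1)
    return beacons


def rare_ports(flows, common=COMMON_PORTS):
    """Destination ports outside the expected set, with the peers reached on them."""
    seen = defaultdict(set)
    for _ts, _src, dst, port in flows:
        if port not in common:
            seen[port].add(dst)
    return {port: sorted(peers) for port, peers in seen.items()}


if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(FLOWS).items():
        print(f"beacon: {src} -> {dst}:{port} every ~{gap}s")
    print("rare ports:", rare_ports(FLOWS))
```

The thresholds are the part to adjust per case: a beacon on port 443 passes `rare_ports` silently and is caught only by `find_beacons`, while a long sleep (hours) needs a correspondingly long capture before `min_conns` is reached.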
- Filipi Pires Global Threat Researcher and Cybersecurity Advocate at senhasegura | Snyk Ambassador | Hacking Is Not a Crime Advocate | Speaker | Writer
Identifying malware traffic using Wireshark involves analyzing the captured network packets to identify patterns, behaviors, and indicators of compromise (IoCs). Examine DNS traffic for suspicious domain names. Look for traffic using non-standard or uncommon protocols. Analyze HTTP and HTTPS traffic for anomalies. Identify and analyze encrypted traffic using the "ssl" filter. Use Wireshark's "Follow TCP Stream" feature to reconstruct and analyze complete conversations. Identify beaconing behavior, where malware sends periodic signals to a command and control (C2) server.
- Sean Khan Director, A.SA
Note that wireshark itself can't identify which program is creating which traffic. Therefore, you need to query the OS for details of which process used which port at what time, etc...
4 Analyze the malware protocol
After you have identified the malware traffic, analyze the protocol to understand how the malware communicates with its servers, victims, or peers. Wireshark's built-in dissectors, Follow TCP/UDP Stream, and the Statistics menu let you examine the structure, content, and timing of the exchange. If the malware uses TLS, Wireshark can decrypt it when you supply the session keys: point the TLS protocol preference at a key log file (the SSLKEYLOGFILE format that browsers and many TLS libraries write) or, for RSA key exchange only, at the server's private key. For custom or obfuscated protocols, export the stream as raw bytes and use external tools, such as hex editors, CyberChef, or a scripting language, to decode, decrypt, or replay the messages.
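When no dissector exists, the "scripting language" route means writing a small decoder for the framing you worked out in the hex view. As an added illustration (not the article's own code, and not any real malware family), the block below defines a hypothetical toy C2 framing, `magic 0xC2 0x02 | u16 big-endian length | u8 key | length bytes XOR key`, with a decoded body of `cmd(1) | args`, and decodes a reassembled stream of the kind Follow TCP Stream gives you, including the truncated last frame a capture commonly ends on. The command table, keys and stream bytes are all constructed here.

```python
"""Decode a constructed, XOR-obfuscated C2 framing from a reassembled TCP stream.

Added example. The wire format is a hypothetical toy, not any real malware protocol:
  magic 0xC2 0x02 | u16 big-endian length | u8 key | `length` bytes XOR key
and the de-obfuscated body is  cmd(1) | args (utf-8).
"""
import struct
from typing import List, Tuple

MAGIC = b"\xc2\x02"
HEADER_LEN = 5
COMMANDS = {0x01: "ping", 0x02: "exec", 0x03: "download", 0x04: "sleep"}  # hypothetical


def encode_frame(cmd: int, args: bytes, key: int) -> bytes:
    """Server side of the toy protocol; used here only to construct sample traffic."""
    body = bytes([cmd]) + args
    obfuscated = bytes(b ^ key for b in body)
    return MAGIC + struct.pack("!HB", len(obfuscated), key) + obfuscated


def decode_stream(stream: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Split a reassembled stream (as saved from 'Follow TCP Stream') into frames.

    Returns (decoded messages, leftover bytes). Leftover is non-empty when the capture
    stopped mid-frame; a decoder that silently drops that tail hides a partial command.
    """
    msgs: List[Tuple[str, str]] = []
    off = 0
    while True:
        idx = stream.find(MAGIC, off)         # resync on the magic if junk precedes a frame
        if idx < 0:
            return msgs, stream[off:]
        if idx + HEADER_LEN > len(stream):
            return msgs, stream[idx:]         # header itself is cut off
        length, key = struct.unpack_from("!HB", stream, idx + 2)
        end = idx + HEADER_LEN + length
        if end > len(stream):
            return msgs, stream[idx:]         # payload is cut off
        body = bytes(b ^ key for b in stream[idx + HEADER_LEN:end])
        off = end
        if not body:                          # zero-length frame: nothing to decode
            continue
        cmd = COMMANDS.get(body[0], f"unknown(0x{body[0]:02x})")
        msgs.append((cmd, body[1:].decode("utf-8", errors="replace")))


# Constructed sample: three complete frames, then a fourth with its last 10 bytes missing.
SAMPLE_STREAM = (
    encode_frame(0x01, b"", key=0x5A)
    + encode_frame(0x02, b"whoami", key=0x3C)
    + encode_frame(0x04, b"60", key=0x7F)
    + encode_frame(0x03, b"http://203.0.113.10/update.bin", key=0x11)[:-10]
)

if __name__ == "__main__":
    messages, rest = decode_stream(SAMPLE_STREAM)
    for cmd, args in messages:
        print(f"{cmd:10s} {args!r}")
    print(f"{len(rest)} leftover bytes (truncated frame)")
```

Two habits carry over to real protocols: derive the per-frame key from the header rather than assuming one static key, because many families rotate it, and keep the undecodable tail visible instead of discarding it.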
- Filipi Pires Global Threat Researcher and Cybersecurity Advocate at senhasegura | Snyk Ambassador | Hacking Is Not a Crime Advocate | Speaker | Writer
Analyzing malware protocols using Wireshark involves examining the characteristics and behaviors of network traffic associated with potential malware infections. Determine the protocol associated with the suspected malware. Use the "Follow TCP Stream" or "Follow UDP Stream" feature to reconstruct the entire communication between hosts. Analyze the payload of packets associated with the protocol. Some malware protocols may have specific plugins or dissectors in Wireshark. Review metadata such as IP addresses, port numbers, and timestamps. Cross-reference identified IP addresses, domains, or patterns with threat intelligence feeds. If the malware uses non-standard ports, investigate the traffic on those ports.
- Dario Nisi Postdoc researcher
Wireshark is great at figuring out what protocols each network packet uses, providing tons of information. However, malware loves to encrypt its traffic, often using HTTPS or plain TLS. Since encrypted traffic is almost useless for any qualitative analysis, you will have to find a way to recover encryption keys. In general, there are two ways of doing that. One idea could be to use a TLS-aware proxy (e.g., mitmproxy or Polarproxy), that breaks end-to-end encryption and provides unencrypted traffic you can then analyze with Wireshark. While this works in most cases, proxies fall short against certificate pinning. A more resilient approach consists in recovering keys from the malware process, but this is tedious and more complex.
5 Extract the malware artifacts
Another useful step is to extract the malware artifacts from the captured packets: dropped files, commands, credentials, or indicators of compromise (IoCs) that reveal more about the malware's functionality, purpose, or origin. Wireshark's File > Export Objects (HTTP, SMB, TFTP and others) saves reassembled files directly; for other protocols, Follow Stream with the raw view lets you save the bytes and carve the file yourself. Identify what you extracted by its magic bytes rather than the declared Content-Type (a Windows executable starts with "MZ", an ELF binary with "\x7fELF"), hash it, and store it under a non-executable filename. Tools such as NetworkMiner automate this carving across protocols.
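Here is the carving step written out as an added example (not code from the article or from Wireshark): it takes a request and its reassembled response, splits headers from body honouring Content-Length or chunked encoding, classifies the body by magic bytes instead of trusting the server's Content-Type, and hashes it. The request, the response with a fake "MZ" body, and the 203.0.113.10 host are constructed; a real run would feed it the bytes saved from Follow TCP Stream.

```python
"""Carve a downloaded file out of a reassembled HTTP exchange and fingerprint it.

Added example; the HTTP bytes are constructed, with a fake 'MZ' body and a lying
Content-Type. Mirrors what File > Export Objects > HTTP does, plus the identify-and-hash
step you want before the artifact goes anywhere near a sandbox.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Magic bytes that identify common dropped-file types regardless of Content-Type.
SIGNATURES = {
    b"MZ": "pe", b"\x7fELF": "elf", b"PK\x03\x04": "zip/docx/jar",
    b"%PDF": "pdf", b"\x1f\x8b": "gzip",
}


@dataclass
class Artifact:
    url: str
    content_type: str   # what the server claimed
    kind: str           # what the bytes say
    size: int
    sha256: str
    body: bytes


def carve_http_response(request: bytes, response: bytes) -> Optional[Artifact]:
    """Pair a request line with its response, separate the body, and classify it."""
    req_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"(?:GET|POST) (\S+) HTTP/1\.[01]", req_line)
    if not m:
        return None
    host = re.search(rb"\r\nHost: ([^\r\n]+)", request, re.I)
    url = "http://" + (host.group(1).decode("latin-1") if host else "?") + m.group(1)

    head, _, rest = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = _dechunk(rest)
    else:
        body = rest[: int(headers.get(b"content-length", len(rest)))]

    kind = next((name for sig, name in SIGNATURES.items() if body.startswith(sig)), "unknown")
    return Artifact(url, headers.get(b"content-type", b"").decode("latin-1"), kind,
                    len(body), hashlib.sha256(body).hexdigest(), body)


def _dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body: hex size line, CRLF, chunk, CRLF, ... , 0 size terminates."""
    out, off = b"", 0
    while True:
        nl = data.find(b"\r\n", off)
        size = int(data[off:nl].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[nl + 2: nl + 2 + size]
        off = nl + 2 + size + 2


# Constructed sample: the server claims a PNG; the magic bytes say Windows executable.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 100
SAMPLE_REQUEST = b"GET /update.bin HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(FAKE_PE) + FAKE_PE
)

if __name__ == "__main__":
    art = carve_http_response(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(f"{art.url} kind={art.kind} declared={art.content_type} size={art.size}")
    # Name the file by hash and type, with a .bin suffix so nothing opens it by accident.
    print(f"sha256={art.sha256}  -> save as {art.sha256[:16]}.{art.kind}.bin")
```

The mismatch between `content_type` and `kind` is itself an indicator worth recording in the report, and the SHA-256 is what you search for in threat-intelligence sources before spending time on static analysis.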
- Filipi Pires Global Threat Researcher and Cybersecurity Advocate at senhasegura | Snyk Ambassador | Hacking Is Not a Crime Advocate | Speaker | Writer
Wireshark's export functionality provides flexibility in saving different types of data, including packet dissections, extracted files, and DNS/HTTP objects. Use these export features to facilitate further analysis and sharing of information with security teams. You can also use tools for capturing and analyzing data about hosts on the network, which provide insights into the hosts, services, files, and other artifacts present in the captured traffic, such as:
- Xplico
- CapLoader
- Moloch
- Suricata
- MISP (focused on malware IoCs)
- Ricardo Miranda Information Security Management | Cyber Security | CISSP | CCISO | CISM | DPO | CASP | ECSA | CEH | CHFI | ECIH | ISO 27001 Lead Implementer | 27701 Lead Implementer
When traffic is encrypted, this extraction is not simple. It is challenging to identify C2 traffic and artifacts. Using tools such as rita or zeek helps a lot.
6 Report and share the findings
The final step is to report and share your findings with other analysts, researchers, or stakeholders. Save the capture (or a filtered subset via File > Export Specified Packets) alongside the report so others can verify your analysis, and summarize the key findings: C2 addresses and domains, protocol details, hashes of extracted files, and recommendations or mitigations. Turn the indicators into detection content for your IDS or SIEM, for example Snort or Suricata rules for the C2 traffic, and defang IoCs (hxxp://, 203[.]0[.]113[.]10) before pasting them into documents. You can also share your findings with the security community, or report them to the relevant authorities, CERTs, or hosting providers.
- Filipi Pires Global Threat Researcher and Cybersecurity Advocate at senhasegura | Snyk Ambassador | Hacking Is Not a Crime Advocate | Speaker | Writer
Creating a summary report for malware traffic analysis involves presenting key findings, details about the identified malware, and potential impacts on the network. You should create an Executive Summary, Introduction, Malicious Indicators, Payload analysis (some key findings), impact of this possible attack and recommendations. Adjust the idea based on the specifics of your analysis, the types of malware identified, and the organization's context. Include any additional details that are relevant to the analysis and its implications.
7 Here’s what else to consider
- Filipi Pires Global Threat Researcher and Cybersecurity Advocate at senhasegura | Snyk Ambassador | Hacking Is Not a Crime Advocate | Speaker | Writer
Extracting malware from network traffic requires a cautious approach to prevent accidental execution and ensure the safety of the analyst and the network. Always follow best practices for handling and analyzing potential malware files. Wireshark's export functionality provides flexibility in saving different types of data, including packet dissections, extracted files, and DNS/HTTP objects. Use these export features to facilitate further analysis and sharing of information with security teams.