I recently watched a series of really good videos from Brad Duncan, the man behind malware-traffic-analysis.net, and my initial takeaway was that setting up Wireshark properly will lead to a much better experience and greater success when hunting for malware traffic. In this post I will cover some of the most useful settings I discovered and how I set up Wireshark. A lot of these settings can be found on his website as well.
Create a custom profile
Since we are going to be making several customizations to the packet list window, we can create a new profile to save these so the default view remains intact. This is a completely optional step since most people work with a single profile and editing the default is perfectly fine. If you want to set up different profiles, these are the steps to accomplish that. If you choose not to do this, you can skip ahead to the Column Settings section.
To get started, click on View > Configuration Profiles
We want to make a copy of the default profile and name it something meaningful. Highlight Default and then click the right button that shows two small squares. This is the copy button. Click OK when done.
You will notice in the bottom right corner of the window, it has changed the profile name to the new one you just created. If you click on this you can change profiles easily, but for now, leave it set to the new one you just created.
Column Settings
The default columns in Wireshark are great to get you started, but you will find they are lacking useful information rather quickly. To solve this I removed several columns and added some that I needed. Here is what we are starting from:
I remove the No., Protocol, and Length columns and hide the Source column. I hide the Source column because I am typically analyzing traffic from a single computer, so I already know the source. If it is ever needed I can always unhide the column. To achieve this, right click on the column heading and either select Remove Column or uncheck the column to hide it.
Now we need to fix the Time column, because the number of seconds since the start of the capture is not really helpful. In forensics everything is set to UTC, so I use that as my default. Go to View > Time Display Format and select UTC Date and Time of Day. One more thing you need to do while you are here is to change the precision from Automatic to Seconds; otherwise Wireshark will show fractional seconds to about 8 decimal places. Again, not really useful, and it takes up space we will need later.
Next, let’s add our Destination Port number. I don’t need Wireshark to tell me the protocol, I would rather see the port number being used. To do that, right click on any column heading and select Column Preferences. Next, click the + symbol at the bottom left to add a column. Double click on the Title field and enter Dest Port, then double click on the Type field and click the drop down. Select Dest Port (unresolved) so we see the port number and not the resolved protocol. Now to put these in the correct order, click and drag our new Port column and drop it under the Destination column. Click OK.
It looks better, but the port number is right justified and everything else is left. Let’s fix that. Right click the column heading again and select Align Left at the top. Your column layout should look like this now.
Now for the most challenging part. I want to add the HTTP host name and the HTTPS server name, but I will only ever see one or the other, so I want to put them both in the same column. One great thing about Wireshark is that you can right click any field in the Packet Details pane and add it as a column, which is what we are going to do. First, let’s apply the filter http.request. Find an HTTP packet and, in the Packet Details pane, expand Hypertext Transfer Protocol and find the Host line. Right click on that and select Apply as Column.
Next, change your filter to tls.handshake.type==1 and select any packet with a destination port of 443, which should be all of them. Then expand Transport Layer Security > Handshake Protocol > Extension: server_name > Server Name Indication extension, right click on Server Name and select Apply as Column again.
Now let’s combine those two into a single column. To do that, again right click a column heading and select Column Preferences. You can now see the two new columns we added; they have a type of Custom, with the field name in the Fields column. We want to combine those two fields, using OR, into one column and then deselect the other so it is no longer visible. Double click on the Fields entry for Server Name and copy that text. Now double click on the Fields entry for Host and change it to http.host || tls.handshake.extensions_server_name. Finally, uncheck the box next to Server Name.
Update: I have recently changed this to also include the DNS query name. I know it appears in the Info column, but I like seeing all of my host names in one place, so I have changed this to: http.host || tls.handshake.extensions_server_name || dns.qry.name
Almost done. One final field I like to add and keep hidden, since it is not always needed, is the kerberos.CNameString field. Using the above steps, go ahead and add that as a hidden column. If you run into problems, feel free to reach out and I can help. You can also add Src Port (unresolved) as another hidden column if you think you might find that useful.
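The same merged host column can be reproduced outside the GUI, which is handy when you want to feed a pcap into a script rather than click through it. The following is an added example, not code from the original post or from Wireshark: it builds the tshark command line that exports the three underlying fields (http.host, tls.handshake.extensions_server_name, dns.qry.name) as tab-separated text, and then coalesces them into one "host" value exactly as the || expression in the custom column does. The tshark flags are real; the sample TSV rows below are constructed and stand in for real tshark output, and the function and constant names are my own.

```python
"""Merge http.host / SNI / dns.qry.name into one host column from tshark output."""
from datetime import datetime, timezone
from typing import Dict, List

# Fields exported in the order they appear in the TSV (assumed layout).
FIELDS = [
    "frame.time_epoch",
    "ip.dst",
    "tcp.dstport",
    "udp.dstport",
    "http.host",
    "tls.handshake.extensions_server_name",
    "dns.qry.name",
]


def tshark_argv(pcap: str, display_filter: str) -> List[str]:
    """argv that makes tshark print FIELDS as a tab-separated table with a header.

    -E occurrence=f keeps only the first value of multi-valued fields such as
    dns.qry.name, mirroring the single value the GUI column shows.
    """
    argv = ["tshark", "-r", pcap, "-Y", display_filter, "-T", "fields",
            "-E", "header=y", "-E", "separator=/t", "-E", "occurrence=f"]
    for field in FIELDS:
        argv += ["-e", field]
    return argv


def merge_rows(tsv: str) -> List[Dict[str, str]]:
    """Parse tshark -T fields output and coalesce the three name fields.

    Equivalent to the custom column expression
    http.host || tls.handshake.extensions_server_name || dns.qry.name:
    the first field that is present wins, just as Wireshark displays it.
    """
    header, *lines = tsv.strip("\n").splitlines()
    names = header.split("\t")
    rows: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = dict(zip(names, line.split("\t")))
        # Defensive: without -E occurrence=f tshark joins repeats with commas.
        dns_name = rec.get("dns.qry.name", "").split(",")[0]
        host = (rec.get("http.host")
                or rec.get("tls.handshake.extensions_server_name")
                or dns_name
                or "")
        # Dest Port (unresolved): whichever transport the packet used.
        dport = rec.get("tcp.dstport") or rec.get("udp.dstport") or ""
        # Match the UTC Date and Time of Day setting with seconds precision.
        stamp = datetime.fromtimestamp(float(rec["frame.time_epoch"]), tz=timezone.utc)
        rows.append({
            "time": stamp.strftime("%Y-%m-%d %H:%M:%S"),
            "dst": rec.get("ip.dst", ""),
            "dport": dport,
            "host": host,
        })
    return rows


# Constructed sample of what the tshark command above would print: a DNS
# query, a TLS Client Hello with SNI, and an HTTP request with a Host header.
SAMPLE_TSV = "\t".join(FIELDS) + "\n" + "\n".join([
    "1700000000.000000\t10.0.0.53\t\t53\t\t\texample.com",
    "1700000000.120000\t93.184.216.34\t443\t\t\texample.com\t",
    "1700000001.500000\t10.0.0.7\t80\t\thost.test\t\t",
])

if __name__ == "__main__":
    print(" ".join(tshark_argv("capture.pcap", "http.request or tls.handshake.type == 1 or dns")))
    for row in merge_rows(SAMPLE_TSV):
        print(f'{row["time"]}  {row["dst"]:<15} {row["dport"]:<5} {row["host"]}')
```

Pipe a real capture through the printed tshark command and feed its output to merge_rows to get the same Time / Destination / Dest Port / Host view the profile above produces.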
Exporting a Profile
Now that we have customized our profile, let’s export it so we can use it elsewhere and so we have a backup of it. This is a quick and easy process. Go to Edit > Configuration Profiles to open up our window. At the bottom, select Export > all personal profiles. This will save the configuration into a zip file. To import it, do the same steps, just select Import > from zip file.
Saving filters
Our last section is going to show how to create some custom filters and save them so they are quickly accessible. You can do this with any filter that you find yourself applying repeatedly.
The first filter we will save is a basic HTTP and HTTPS filter, but we also want to ignore SSDP (Simple Service Discovery Protocol) traffic. Since SSDP is dissected as HTTP traffic, we need to exclude it explicitly. A couple of things before we get started. We need to include OR, AND, and NOT in these filters, and they can be written in different ways. How you do this is a personal preference. I’ll show my way, but feel free to do it any way you wish.
- AND can be written as and or &&
- OR can be written as or or ||
- NOT is written as !(xxx)
- Don’t forget to use parentheses to group filters together
The filter looks like this: (http.request OR tls.handshake.type==1) AND !(ssdp). Once that is entered, click the plus symbol at the end of the filter bar, enter Basic as the label name and click OK. It should now appear on the far right of your filter bar.
Now let’s build upon this basic filter and include SYN packets. Those have tcp.flags set to 0x0002 (SYN only, no ACK), so let’s add that as an OR to our previous filter. It should now look like this: (http.request OR tls.handshake.type == 1 OR tcp.flags eq 0x0002) AND !(ssdp). Save that as Basic+.
Building upon this further, let’s add in DNS traffic. That filter looks like this: (http.request OR tls.handshake.type == 1 OR tcp.flags eq 0x0002 OR dns) AND !(ssdp). Save this one as Basic+DNS.
A couple more I use are:
- TLS Cert – tls.handshake.type == 11
- FTP – ftp.request.command OR ftp-data
- SMTP – smtp
You can see these are now quickly accessible and can easily be customized to how you use Wireshark.
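To make the AND/OR/NOT rules and the SSDP exclusion concrete, here is an added example that is not part of the original post and is not Wireshark's filter engine: a toy evaluator for just the subset of display-filter syntax the saved filters above use (field presence such as dns or ssdp, == and eq comparisons against numbers, and/&&, or/||, !/not, and parentheses), written with the lowercase and/or forms listed above. It runs the Basic, Basic+, Basic+DNS and TLS Cert filters over a handful of constructed packets (plain dicts of field name to value, where a key being present means the field exists in the packet, including an SSDP M-SEARCH that Wireshark dissects as an HTTP request) and shows why dropping the parentheses lets SSDP leak back in. The packet samples, the Parser class and the function names are my own.

```python
"""Toy evaluator for the subset of Wireshark display-filter syntax used above."""
import re
from typing import Any, Dict, List, Tuple

Packet = Tuple[str, Dict[str, Any]]  # (label, fields present in the packet)

# Token order matters: hex before decimal, two-char operators before '!'.
TOKEN = re.compile(r"\s*(\(|\)|==|&&|\|\||!|0x[0-9a-fA-F]+|\d+|[A-Za-z_][\w.]*)")
KEYWORDS = {"and", "or", "not", "eq"}


def tokenize(expr: str) -> List[str]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent with Wireshark's precedence: or < and < not < atom."""

    def __init__(self, tokens: List[str]) -> None:
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.expr_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr_or(self):
        node = self.expr_and()
        while self.peek() in ("or", "||"):
            self.take()
            node = ("or", node, self.expr_and())
        return node

    def expr_and(self):
        node = self.expr_not()
        while self.peek() in ("and", "&&"):
            self.take()
            node = ("and", node, self.expr_not())
        return node

    def expr_not(self):
        if self.peek() in ("not", "!"):
            self.take()
            return ("not", self.expr_not())
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.expr_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in KEYWORDS or not re.match(r"[A-Za-z_]", tok):
            raise ValueError(f"expected a field name, got {tok!r}")
        if self.peek() in ("==", "eq"):          # numeric comparison
            self.take()
            return ("eq", tok, int(self.take(), 0))  # int(..., 0) accepts 0x...
        return ("exists", tok)                    # bare field = presence test


def evaluate(node, fields: Dict[str, Any]) -> bool:
    op = node[0]
    if op == "exists":
        return node[1] in fields
    if op == "eq":
        return node[1] in fields and fields[node[1]] == node[2]
    if op == "not":
        return not evaluate(node[1], fields)
    if op == "and":
        return evaluate(node[1], fields) and evaluate(node[2], fields)
    return evaluate(node[1], fields) or evaluate(node[2], fields)


def apply_filter(expr: str, packets: List[Packet]) -> List[str]:
    """Return the labels of the packets that match the filter expression."""
    tree = Parser(tokenize(expr)).parse()
    return [label for label, fields in packets if evaluate(tree, fields)]


# Constructed packets; an SSDP M-SEARCH carries http.request because
# Wireshark's HTTP dissector handles SSDP, which is why !(ssdp) is needed.
PACKETS: List[Packet] = [
    ("dns-query", {"dns": True, "dns.qry.name": "example.com", "udp.dstport": 53}),
    ("ssdp-msearch", {"http.request": True, "ssdp": True, "udp.dstport": 1900}),
    ("http-get", {"http.request": True, "http.host": "host.test", "tcp.dstport": 80}),
    ("tls-client-hello", {"tls.handshake.type": 1, "tls.handshake.extensions_server_name": "example.com", "tcp.dstport": 443}),
    ("tls-cert", {"tls.handshake.type": 11, "tcp.srcport": 443}),
    ("tcp-syn", {"tcp.flags": 0x0002, "tcp.dstport": 443}),
    ("tcp-syn-ack", {"tcp.flags": 0x0012, "tcp.srcport": 443}),
]

BASIC = "(http.request or tls.handshake.type == 1) and !(ssdp)"
BASIC_PLUS = "(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002) and !(ssdp)"
BASIC_DNS = "(http.request or tls.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(ssdp)"
TLS_CERT = "tls.handshake.type == 11"
# Same terms as BASIC without the grouping: 'and' binds tighter than 'or'.
NO_PARENS = "http.request or tls.handshake.type == 1 and !(ssdp)"

if __name__ == "__main__":
    for name, expr in [("Basic", BASIC), ("Basic+", BASIC_PLUS), ("Basic+DNS", BASIC_DNS),
                       ("TLS Cert", TLS_CERT), ("no parentheses", NO_PARENS)]:
        print(f"{name:<15} {apply_filter(expr, PACKETS)}")
```

The last line of output is the cautionary one: without the parentheses the filter is read as http.request or (tls.handshake.type == 1 and !(ssdp)), so the SSDP packet matches again through the http.request branch.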
Conclusion
Setting up Wireshark this way has been a game changer for me and has really sped up my processes. I couldn’t have done this without Brad’s help and I have liberally applied his ideas throughout this post. I hope this helps you as much as it has helped me. Reach out to me on Twitter and let me know if you have any customizations that you have added.