Wireshark for Forensic Analysis

Wireshark remains the primary tool for detailed packet analysis:

Essential Wireshark Filters:

# HTTP traffic analysis
http.request.method == "POST"
http.response.code == 200
http contains "password"

# DNS analysis
dns.flags.response == 0
dns.qry.name contains "suspicious.com"

# TCP analysis
tcp.flags.syn == 1 and tcp.flags.ack == 0
tcp.analysis.retransmission

# Data exfiltration
tcp.len > 1000 and ip.dst == 192.168.1.100

Advanced Analysis Techniques:

Following TCP Streams:

Right-click packet → Follow → TCP Stream
Reconstructs complete conversations
Identifies transferred data

Exporting Objects:

File → Export Objects → HTTP
Extracts transferred files
Recovers malware samples

Statistical Analysis:

Statistics → Conversations
Identifies top talkers
Reveals communication patterns