Analyzing botnet traffic with Wireshark

I wanted to share a good opportunity for learning Wireshark with some real-life packet capture files. In addition to providing high-level analysis, Palo Alto’s Unit 42 often has tutorials on how to use some security-related tools.

Their latest post walks through how to analyze Emotet infection traffic. There are links within the blog to Unit 42’s GitHub page, where the PCAP files are hosted.

I don’t use Wireshark very often as part of my day-to-day job, but I know that just about every CTF I’ve done usually features a “find the needle in the PCAP” type of challenge. While other tools are sometimes more intuitive for certain tasks, the versatility of Wireshark makes it one of those tools that you’re going to find useful at some point.

It’s also very overwhelming, especially for beginners who might not know what exactly they’re looking for. Even with a fundamental knowledge of things like the OSI model or the TCP/IP stack, it still can be a daunting tool to use.

If you’re a security professional looking to get into using Wireshark, I recommend first checking out this post on customizing the display. It will show you some basics and give you a pretty decent starting point for using Wireshark to inspect potentially malicious traffic.
