Tutorial · February 1, 2024 · 10 min read

Wireshark PCAP Analysis: Detecting Network Anomalies

Practical guide to using Wireshark display filters for network forensics and threat hunting. Learn essential techniques for analyzing packet captures.

Tags: Wireshark, Network Forensics, PCAP Analysis, Security
Author: Stephen Nnamani

Introduction

Network traffic analysis is a critical skill for cybersecurity professionals, enabling threat detection, performance troubleshooting, and forensic investigation. This guide demonstrates practical Wireshark techniques for identifying common attack patterns and anomalies in packet captures.

Background

During a recent security audit of my homelab network, I captured 6 hours of traffic using tcpdump. This tutorial walks through the analysis process using Wireshark display filters to identify suspicious activities and gain visibility into network behavior.

Capturing Traffic with tcpdump

Before analyzing with Wireshark, we need to capture network traffic:

# Capture on interface em0, exclude SSH traffic
sudo tcpdump -i em0 -w capture.pcap -G 21600 -W 1 'not port 22'

Parameters explained:

  • -i em0: Capture on network interface em0
  • -w capture.pcap: Write to file
  • -G 21600: Rotate file every 6 hours (21600 seconds)
  • -W 1: Keep only 1 file (overwrite on rotation)
  • 'not port 22': Exclude SSH traffic to reduce noise

Essential Wireshark Display Filters

1. Isolate Specific Host

ip.addr == 192.168.1.100

Shows all traffic to/from a specific IP address. Use this to focus on a single host's communications.

Variants:

ip.src == 192.168.1.100    # Only traffic FROM this IP
ip.dst == 192.168.1.100    # Only traffic TO this IP

2. Detect SYN Scans (Port Scanning)

tcp.flags.syn == 1 && tcp.flags.ack == 0

Matches TCP segments with the SYN flag set and the ACK flag clear, i.e. the first packet of every connection attempt. On its own this is normal traffic; a port scanner such as Nmap stands out because one source sends many of these to many ports in quick succession.

Attack Pattern Recognition:

  • Multiple SYN packets to different ports
  • No corresponding SYN-ACK responses
  • Short time interval between connection attempts
  • Often the reconnaissance phase of an attack
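To turn the pattern above into a repeatable check, here is an added example (my code, not from the original post) that reads the tab-separated output tshark produces with `-T fields` and flags any source that sends bare SYNs to many distinct ports on one host within a short window, counting how many probes never received a SYN-ACK. The tshark command in the docstring, the sample lines, and the thresholds (5 ports, 2 seconds) are assumptions; the sample is constructed.

```python
"""Flag SYN-scan behaviour from tshark field output (added example).

Assumed producer command (not from the original post), one line per SYN or
SYN-ACK segment:
  tshark -r capture.pcap -Y "tcp.flags.syn == 1" -T fields -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.ack
"""
from collections import defaultdict

# Constructed sample of tshark output. 10.0.0.9 probes eight ports on
# 192.168.1.100 within 70 ms and only port 22 answers with a SYN-ACK;
# 192.168.1.50 makes two ordinary HTTPS connections that are both answered.
SAMPLE = """\
1706796000.000\t10.0.0.9\t192.168.1.100\t40001\t21\t0
1706796000.010\t10.0.0.9\t192.168.1.100\t40002\t22\t0
1706796000.011\t192.168.1.100\t10.0.0.9\t22\t40002\t1
1706796000.020\t10.0.0.9\t192.168.1.100\t40003\t23\t0
1706796000.030\t10.0.0.9\t192.168.1.100\t40004\t25\t0
1706796000.040\t10.0.0.9\t192.168.1.100\t40005\t80\t0
1706796000.050\t10.0.0.9\t192.168.1.100\t40006\t110\t0
1706796000.060\t10.0.0.9\t192.168.1.100\t40007\t443\t0
1706796000.070\t10.0.0.9\t192.168.1.100\t40008\t3306\t0
1706796005.000\t192.168.1.50\t192.168.1.100\t51000\t443\t0
1706796005.001\t192.168.1.100\t192.168.1.50\t443\t51000\t1
1706796030.000\t192.168.1.50\t192.168.1.100\t51001\t443\t0
1706796030.001\t192.168.1.100\t192.168.1.50\t443\t51001\t1
"""


def parse_tshark_fields(text):
    """Parse tab-separated tshark lines into dicts. Boolean fields are printed
    as 'True'/'False' by current tshark and as '1'/'0' by older releases."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sport, dport, ack = line.split("\t")
        rows.append({
            "ts": float(ts), "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport),
            "ack": ack.strip().lower() in ("1", "true", "set"),
        })
    return rows


def find_syn_scanners(rows, min_ports=5, window=2.0):
    """Return {scanner_ip: summary} for sources that sent bare SYNs to at
    least `min_ports` distinct ports on one host within `window` seconds.
    The summary also counts probes that never received a SYN-ACK."""
    syns = defaultdict(list)   # (src, dst) -> [(ts, dport, sport)]
    answered = set()           # (client, server, server_port, client_port)
    for r in rows:
        if r["ack"]:
            # SYN-ACK: server r["src"]:r["sport"] answering client r["dst"]:r["dport"]
            answered.add((r["dst"], r["src"], r["sport"], r["dport"]))
        else:
            syns[(r["src"], r["dst"])].append((r["ts"], r["dport"], r["sport"]))

    findings = {}
    for (src, dst), probes in syns.items():
        probes.sort()
        # Slide a time window over the probes and count distinct target ports.
        for i in range(len(probes)):
            start = probes[i][0]
            ports = {p[1] for p in probes[i:] if p[0] - start <= window}
            if len(ports) >= min_ports:
                unanswered = sum(1 for ts, dport, sport in probes
                                 if (src, dst, dport, sport) not in answered)
                findings[src] = {
                    "target": dst,
                    "ports": len({p[1] for p in probes}),
                    "unanswered": unanswered,
                    "total": len(probes),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in find_syn_scanners(parse_tshark_fields(SAMPLE)).items():
        print(f"{ip} -> {f['target']}: {f['ports']} ports probed, "
              f"{f['unanswered']}/{f['total']} probes unanswered")
```

The "unanswered" count is the useful part: a host legitimately opening many connections gets SYN-ACKs back, while a scanner sees mostly silence or RSTs. Tune `min_ports` and `window` against a baseline capture of your own network before trusting the output.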

3. HTTP Request Analysis

http.request

Displays all HTTP requests. Critical for:

  • Identifying unencrypted traffic (should be HTTPS)
  • Detecting command & control (C2) communication
  • Finding potential data exfiltration
  • Analyzing web application attacks

Enhanced filter:

http.request.method == "POST" && http.request.uri contains "admin"

4. DNS Anomaly Detection

dns.flags.rcode != 0

Shows DNS responses with a non-zero response code (NXDOMAIN, SERVFAIL, REFUSED, etc.). A high volume may indicate:

  • Malware beaconing to blocked/non-existent domains
  • DGA (Domain Generation Algorithm) activity
  • DNS tunneling attempts
  • Misconfigured applications

Normal baseline: Less than 5% error rate in typical networks.

5. TCP Retransmission Analysis

tcp.analysis.retransmission

Flags segments that Wireshark believes were retransmitted. Useful for spotting network performance problems and as a possible DoS indicator.

Troubleshooting uses:

  • Network congestion
  • Hardware issues
  • MTU mismatches
  • Potential packet injection attacks

6. TLS/SSL Certificate Analysis

ssl.handshake.type == 11

Shows TLS Certificate handshake messages. In Wireshark 3.0 and later the field is named tls.handshake.type (the ssl. prefix is kept as a deprecated alias). In TLS 1.3 the Certificate message is encrypted, so this filter only matches TLS 1.2 and older handshakes. Use to:

  • Verify certificate validity
  • Detect man-in-the-middle attacks
  • Identify self-signed certificates
  • Audit encryption usage

Real-World Analysis Example

Scenario: Unexplained Traffic Spike

During routine monitoring, I noticed unusual bandwidth consumption. Here's how I investigated:

Step 1: Identify Top Talkers

Statistics → Conversations → IPv4 tab
Sort by "Bytes" column (descending)

Finding: Unusual traffic from 192.168.1.155 (IoT security camera) consuming 2GB in 6 hours.

Step 2: Filter Camera Traffic

ip.addr == 192.168.1.155

Step 3: Protocol Analysis

Statistics → Protocol Hierarchy

Discovery: 95% HTTP POST requests (unencrypted!)

Step 4: Inspect HTTP Content

http.request.method == "POST" && ip.src == 192.168.1.155

Right-click packet → Follow → HTTP Stream

Finding: Camera was uploading thumbnail images to cloud service cloudservice.cn without user consent.

Remediation:

  1. Blocked camera's internet access via OPNsense firewall
  2. Maintained local network access for viewing
  3. Reported to manufacturer
  4. Created network segment for untrusted IoT devices

Advanced Filtering Techniques

Combine Multiple Conditions (AND)

ip.src == 192.168.1.0/24 && tcp.port == 443 && tcp.analysis.retransmission

Shows retransmitted HTTPS traffic originating from the internal network, which usually points to connectivity issues.

Exclude Known Good Traffic (NOT)

!(ip.addr == 192.168.1.1) && !(tcp.port == 443)

Filters out gateway traffic and HTTPS for focused analysis on unusual protocols.

Time-Based Filtering

frame.time >= "2024-02-01 14:00:00" && frame.time <= "2024-02-01 15:00:00"

Analyze a specific time window around a reported incident. The timestamp is interpreted in the analysis machine's local time zone unless you append one, so check the capture host's clock and zone before narrowing down.

Protocol-Specific Filters

Find full-sized TCP segments (a rough proxy for bulk transfers; use Statistics → Conversations for per-flow totals):

tcp.len > 1400

Identify cleartext passwords (the contains operator is case-sensitive; use http matches "(?i)password" for a case-insensitive match):

http.request.method == "POST" && http contains "password"

Detect failed SMB2 tree-connect requests (command 3 is TREE_CONNECT; a non-zero NT status means the share was refused):

smb2.cmd == 3 && smb2.nt_status != 0

Practical Workflow for Threat Hunting

Phase 1: Reconnaissance

  1. Get overview: Statistics → Protocol Hierarchy
  2. Identify outliers: Statistics → Conversations
  3. Check DNS: dns.flags.rcode != 0

Phase 2: Deep Dive

  1. Isolate suspicious hosts: ip.addr == X.X.X.X
  2. Analyze connections: tcp.stream eq N (right-click → Follow TCP Stream)
  3. Extract files: File → Export Objects → HTTP

Phase 3: Documentation

  1. Screenshot key findings: Edit → Copy → As Image
  2. Export relevant packets: File → Export Specified Packets
  3. Document timeline: Note timestamps and sequences

Common Attack Signatures

Port Scan Detection

tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <= 1024

The window-size clause narrows the match to the small windows raw-socket scanners typically use; drop it to see all bare SYNs.

ARP Spoofing

arp.duplicate-address-detected || arp.duplicate-address-frame

Wireshark's ARP dissector sets these fields when it sees the same IP address claimed by two different MAC addresses within the capture.

DNS Tunneling

dns.qry.name.len > 50

Long query names (the whole name, not a single label) may indicate data exfiltration via DNS. Some legitimate CDN and telemetry names are long too, so compare against a baseline of your own network.

Beaconing (C2 Communication)

Look for regular intervals in connection timestamps:

Statistics → I/O Graph

Set filter for specific IP and observe pattern regularity.
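The I/O Graph makes regularity visible; to measure it, here is an added example (my code, not from the original post) that groups new outbound connection attempts per (source, destination, port), computes the gaps between consecutive attempts, and flags flows whose gaps are unusually uniform (low coefficient of variation). The tshark command in the docstring, the sample lines, and the thresholds (at least 5 connections, coefficient of variation below 0.1) are assumptions; the sample is constructed.

```python
"""Beacon-interval check from tshark field output (added example).

Assumed producer command (not from the original post), one line per new
outbound connection attempt (bare SYN):
  tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
      -T fields -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample. 192.168.1.155 opens a connection to 203.0.113.10:443
# about every 60 s with a little jitter; 192.168.1.50 reaches
# 93.184.216.34:443 at irregular, human-looking intervals.
SAMPLE = """\
1706796000.0\t192.168.1.155\t203.0.113.10\t443
1706796059.8\t192.168.1.155\t203.0.113.10\t443
1706796120.3\t192.168.1.155\t203.0.113.10\t443
1706796180.1\t192.168.1.155\t203.0.113.10\t443
1706796239.6\t192.168.1.155\t203.0.113.10\t443
1706796300.2\t192.168.1.155\t203.0.113.10\t443
1706796360.0\t192.168.1.155\t203.0.113.10\t443
1706796010.0\t192.168.1.50\t93.184.216.34\t443
1706796013.0\t192.168.1.50\t93.184.216.34\t443
1706796095.0\t192.168.1.50\t93.184.216.34\t443
1706796096.5\t192.168.1.50\t93.184.216.34\t443
1706796300.0\t192.168.1.50\t93.184.216.34\t443
1706796301.0\t192.168.1.50\t93.184.216.34\t443
1706796355.0\t192.168.1.50\t93.184.216.34\t443
"""


def parse_connections(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split("\t")
            flows[(src, dst, int(dport))].append(float(ts))
    return flows


def interval_stats(timestamps):
    """Mean gap and coefficient of variation (stdev / mean) between
    consecutive attempts; None when there are fewer than two gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Flows with at least `min_connections` attempts whose gaps are so
    regular that the coefficient of variation is below `max_cv`."""
    hits = {}
    for flow, timestamps in flows.items():
        if len(timestamps) < min_connections:
            continue
        stats = interval_stats(timestamps)
        if stats and stats[1] < max_cv:
            hits[flow] = {
                "connections": len(timestamps),
                "mean_gap": round(stats[0], 1),
                "cv": round(stats[1], 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst, dport), h in find_beacons(parse_connections(SAMPLE)).items():
        print(f"{src} -> {dst}:{dport}: {h['connections']} connections, "
              f"every {h['mean_gap']}s (cv {h['cv']})")
```

Legitimate software also beacons (NTP, update checkers, monitoring agents), so treat a hit as a lead to confirm with Follow TCP Stream and the certificate or HTTP content, not as a verdict. Malware that adds random jitter raises the coefficient of variation, which is why the threshold is a tunable rather than a constant.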

Performance Tips

Large PCAP Files

For files >1GB:

# Split PCAP into ~100 MB chunks (-C counts millions of bytes); output files
# are named split.pcap, split.pcap1, split.pcap2, ...
tcpdump -r large.pcap -w split.pcap -C 100

Speed Up Analysis

  1. Use capture filters (tcpdump): Filter during capture, not after
  2. Disable unnecessary columns: Right-click columns → Hide
  3. Use command-line tshark: Faster for simple queries

# Count HTTP requests
tshark -r capture.pcap -Y "http.request" | wc -l

Key Takeaways

  1. Establish Baseline: Understand normal traffic before hunting anomalies
  2. Layer Your Analysis: Start broad (protocol hierarchy) → narrow (specific flows)
  3. Context Matters: High traffic volume isn't always malicious
  4. Document Everything: Screenshot and export packets for reporting
  5. Automate When Possible: Use tshark scripts for repetitive analysis
  6. Practice Regularly: Analyze your own network traffic weekly


About the Author: Stephen Nnamani is a cybersecurity professional specializing in network security monitoring and penetration testing. He builds enterprise-grade homelabs to develop practical security skills.

Questions or feedback? Connect on LinkedIn or GitHub.