Identifying suspicious network traffic packets
Some indicators of malicious activity
1. Repeated failed connection/login attempts (e.g. the first TCP packet of a would-be TLS session, the SYN, is never answered, or the handshake never completes)
2. RST = Reset, indicates an error or refusal when trying to connect (not always nefarious; RSTs are very common in normal traffic, so judge by volume and pattern rather than by a single packet)
3. Low TTLs (values far below the OS defaults of 64, 128 or 255 can point to TTL manipulation or an unexpected path; compare against the TTL other hosts on the same path show)
The first TCP packet of a stream is the handshake (SYN) from client to server.
Server SYN+ACK: after the client SYN, the server sends SYN+ACK to the client.
o Server SYN to initiate the server side of the TCP stream
o Server ACK to acknowledge the client's SYN packet
Client ACK: finally, the client acknowledges the server SYN. Only after this third packet is the connection established; a SYN with no SYN+ACK (half-open) or a SYN answered by RST is a failed attempt.
Filter a single TCP stream with the display filter tcp.stream eq 0 (stream indexes start at 0 and count up in order of first appearance; the filter shows one stream, not all of them, so step through tcp.stream eq 1, 2, ... or use Statistics->Conversations->TCP to list every stream).
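The following is an added example (not part of the original notes) that applies the three indicators above to rows shaped like tshark field output. The packet rows are constructed for the example, not taken from a real capture; the failed-attempt and TTL thresholds are assumptions to tune for your network.

```python
from collections import defaultdict

# Constructed sample rows (not a real capture), shaped like
#   tshark -r cap.pcap -T fields -e tcp.stream -e ip.src -e ip.dst -e ip.ttl -e tcp.flags.str
# Flags are abbreviated: S=SYN, A=ACK, R=RST, P=PSH.
SAMPLE_PACKETS = [
    (0, "10.0.0.5", "93.184.216.34", 64, "S"),
    (0, "93.184.216.34", "10.0.0.5", 54, "SA"),
    (0, "10.0.0.5", "93.184.216.34", 64, "A"),
    (0, "10.0.0.5", "93.184.216.34", 64, "PA"),   # first data packet, e.g. Client Hello
    (1, "10.0.0.5", "203.0.113.9", 64, "S"),
    (1, "203.0.113.9", "10.0.0.5", 50, "RA"),     # port closed: RST+ACK answers the SYN
    (2, "10.0.0.5", "203.0.113.9", 64, "S"),      # retry, never answered (half-open)
    (3, "10.0.0.5", "203.0.113.9", 64, "S"),
    (3, "203.0.113.9", "10.0.0.5", 50, "RA"),
    (4, "10.0.0.77", "10.0.0.5", 3, "S"),         # unusually low TTL for a LAN neighbour
    (4, "10.0.0.5", "10.0.0.77", 64, "SA"),
    (4, "10.0.0.77", "10.0.0.5", 3, "A"),
]


def classify_streams(packets):
    """Walk each tcp.stream in capture order and track the three-way handshake."""
    streams = {}
    for stream, src, dst, ttl, flags in packets:
        st = streams.setdefault(stream, {
            "client": None, "server": None, "syn": False, "synack": False,
            "established": False, "reset_before_established": False, "min_ttl": {},
        })
        st["min_ttl"][src] = min(ttl, st["min_ttl"].get(src, ttl))
        if flags == "S" and not st["syn"]:            # first packet: client SYN
            st.update(client=src, server=dst, syn=True)
        elif flags == "SA" and src == st["server"]:   # server SYN+ACK
            st["synack"] = True
        elif "R" in flags and not st["established"]:  # RST before handshake completed
            st["reset_before_established"] = True
        elif "A" in flags and src == st["client"] and st["synack"]:
            st["established"] = True                   # client ACK (or later data) completes it
    for st in streams.values():
        if st["established"]:
            st["state"] = "established"
        elif st["reset_before_established"]:
            st["state"] = "reset"
        elif st["syn"] and not st["synack"]:
            st["state"] = "half-open"
        else:
            st["state"] = "unknown"   # capture started mid-stream, no SYN seen
    return streams


def find_suspicious(packets, failed_threshold=2, ttl_threshold=10):
    """Report failed connection attempts, RST-before-established and low TTLs.

    Both thresholds are assumptions for this example; tune them to the baseline
    of the network you are analysing.
    """
    streams = classify_streams(packets)
    findings = []
    failed = defaultdict(int)
    for sid, st in sorted(streams.items()):
        if st["state"] in ("reset", "half-open"):
            failed[(st["client"], st["server"])] += 1
            findings.append(f"stream {sid}: {st['state']} connection {st['client']} -> {st['server']}")
        for host, ttl in st["min_ttl"].items():
            if ttl < ttl_threshold:
                findings.append(f"stream {sid}: low TTL {ttl} from {host}")
    for (client, server), n in failed.items():
        if n >= failed_threshold:
            findings.append(f"{client} failed to connect to {server} {n} times")
    return findings


if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_PACKETS):
        print(line)
```

Single RSTs are noise; the repeated-failure counter is what turns them into a signal, which is why the report groups them per client/server pair instead of per packet.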
Analyze the "Client Hello" of each TLS session and look for inconsistencies against what the same client (or the same application) normally sends. The Client Hello is sent in the clear, so it can be inspected without the session keys.
Consider any differences in:
TLS Version (record version and client_version, and the supported_versions extension for TLS 1.3)
Cipher Suites (count, order and presence of obsolete suites)
Extensions (which ones are present and in what order, and whether SNI is missing or does not match the destination)
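As an added example that is not part of the original notes, here is a minimal Client Hello parser that extracts the three fields listed above plus the SNI, and a comparison against a known-good baseline. The Client Hello bytes are constructed in the example itself (build_client_hello is a sample builder, not a real capture); the baseline and the "odd" hello are assumptions chosen to show each kind of difference.

```python
import struct


def build_client_hello(version, cipher_suites, extensions, session_id=b""):
    """Construct a TLS record carrying a ClientHello (sample input, not a real capture)."""
    ext_body = b"".join(struct.pack("!HH", etype, len(edata)) + edata
                        for etype, edata in extensions)
    body = (struct.pack("!H", version)
            + b"\x11" * 32                               # client random (fixed for the sample)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname):
    """server_name extension (type 0): list length, name_type 0 = host_name, name length, name."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (0x0000, struct.pack("!H", len(entry)) + entry)


def parse_client_hello(record):
    """Parse a TLS record holding a ClientHello and return the fields worth comparing."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 0
    version = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    off += 32                                            # skip client random
    off += 1 + body[off]                                 # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                 # skip compression methods
    extensions, sni = [], None
    if off < len(body):                                  # extensions block is optional pre-1.2
        ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            edata = body[off:off + elen]; off += elen
            extensions.append(etype)
            if etype == 0x0000:                          # server_name: skip list len + name_type
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode()
    return {"version": version, "cipher_suites": suites, "extensions": extensions, "sni": sni}


def diff_client_hello(baseline, observed):
    """List the fields where an observed ClientHello departs from a known-good one."""
    findings = []
    if observed["version"] != baseline["version"]:
        findings.append("version 0x%04x vs baseline 0x%04x" % (observed["version"], baseline["version"]))
    if observed["cipher_suites"] != baseline["cipher_suites"]:
        findings.append("cipher suites differ: %s" % [hex(c) for c in observed["cipher_suites"]])
    missing = set(baseline["extensions"]) - set(observed["extensions"])
    if missing:
        findings.append("missing extensions: %s" % sorted(hex(e) for e in missing))
    if observed["sni"] is None:
        findings.append("no SNI")
    return findings


# Assumed baseline: a modern client offering TLS 1.3 suites, SNI, supported_versions, supported_groups.
BASELINE_HELLO = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F], [
    sni_extension("example.com"),
    (0x002B, b"\x02\x03\x04"),        # supported_versions: TLS 1.3
    (0x000A, b"\x00\x02\x00\x1D"),    # supported_groups: x25519
])
# Assumed oddity: TLS 1.0 record, two obsolete RC4 suites, no extensions at all.
ODD_HELLO = build_client_hello(0x0301, [0x0004, 0x0005], [])

if __name__ == "__main__":
    base = parse_client_hello(BASELINE_HELLO)
    for finding in diff_client_hello(base, parse_client_hello(ODD_HELLO)):
        print(finding)
```

The cipher suite comparison is deliberately order-sensitive: a different ordering of the same suites is itself a fingerprint difference, the same observation that tools like JA3 hash into a single value.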
Select one packet in the target TLS/SSL stream.
Then: Analyze->Follow->SSL Stream (labelled TLS Stream in Wireshark 3.0 and later).
This displays the content of that stream in a pop-up dialog box. It also automatically sets a display filter so that only packets from that TLS/SSL stream appear in Wireshark's packet list window. Without the session keys (e.g. a pre-master secret log configured under the TLS protocol preferences) the dialog shows only the unencrypted parts of the exchange, such as the handshake.