Introduction
This guide is a follow-up to our previous article on Wireshark filters and expands on more advanced techniques used by network security analysts, incident responders, and forensic investigators. These filters are useful for tracking malware infections, detecting insider threats, identifying C2 traffic, and analyzing suspicious network behavior. Keep in mind that a display filter surfaces candidate packets in a capture; it never blocks or prevents anything by itself.
Wireshark Filters: Categorized List
The tables below present advanced display filters (the syntax used in Wireshark's filter bar and in tshark -Y, not BPF capture filters) with their descriptions and practical use cases. Domains, paths and addresses in the filters are placeholders to replace with your own indicators.
Malware & Threat Detection
Filter | Description | Use Case |
---|---|---|
tcp.flags.psh == 1 && tcp.len > 1000 | Matches TCP segments carrying more than 1000 bytes of payload with PSH set; add ip.src == <internal host> to restrict it to outbound traffic, since the filter itself has no direction | Spotting bulk transfers that may be data exfiltration |
dns.qry.name matches "\\.xyz$" | Finds DNS queries for names under a given TLD (the backslash must be doubled inside a Wireshark string; Wireshark 4.0 and later also accept the raw string r"\.xyz$") | Hunting for C2 lookups to TLDs that have no business in your environment |
http.request.uri contains "download/malware.exe" | Matches HTTP requests whose URI contains a given path ("download/malware.exe" is a placeholder for the path from your indicator); plaintext HTTP only | Tracking downloads of a known malicious file |
tls.handshake.extensions_server_name contains "darkweb.site" | Matches the Server Name Indication (SNI) in TLS ClientHellos against a domain; works without decrypting the session | Confirming connections to blocklisted C2 domains |
smb2.command == 0x03 && smb2.nt_status != 0x00 | Failed SMB2 Tree Connect responses (command 0x03 is Tree Connect, not Read, which is 0x08); the NT status is only present in responses | Spotting attempts to mount shares that were denied, a common trace of lateral movement |
tcp.port == 4444 | Traffic on the default Metasploit listener port; attackers can pick any port, so treat this as a cheap check rather than a detection | Catching reverse shells left on the default port |
ip contains "MZ" | Matches the two bytes "MZ" (the DOS/PE header magic) anywhere in an IP packet, which is very noisy; tcp.payload[0:2] == 4d:5a restricts the match to the start of a TCP payload | Finding executables transferred over plaintext protocols |
tcp contains "powershell.exe" | Matches the string in any TCP payload (cleartext only) | Investigating PowerShell-based or fileless tooling delivered or invoked over the network |
Network Security & Intrusion Detection
Filter | Description | Use Case |
---|---|---|
tcp.flags.syn == 1 && tcp.flags.ack == 0 | Initial SYN segments, i.e. every connection attempt, not only scans; a scan shows as one source hitting many ports or hosts (check Statistics > Conversations) | Detecting reconnaissance |
icmp.type == 8 && ip.src == 192.168.1.100 | Echo requests from one host; many distinct destinations in a short time is a ping sweep | Identifying unauthorized internal scanning |
ip.geoip.src_country_iso != "US" && tcp.dstport == 22 | SSH connection attempts from sources outside a given country; requires the MaxMind GeoIP databases to be configured, and note that ip.geoip.country holds the full country name, not the ISO code | Reviewing SSH attempts from unexpected geographies |
ftp.request.command == "USER" && ftp.request.arg == "anonymous" | Anonymous FTP logins (ftp contains "USER anonymous" also works but matches the string anywhere in the payload) | Auditing anonymous access to FTP servers |
http.request.method == "POST" && http contains "password" | POST requests carrying the string "password" in cleartext | Finding credentials submitted over unencrypted HTTP |
tcp.analysis.window_update | Segments Wireshark classifies as window updates (the receive window changed with no new data); this is normal flow control, not an abnormal window size, and tcp.analysis.zero_window is the better sign of a stalled receiver | Troubleshooting throughput problems; neither flag is evidence of a covert channel by itself |
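The first row above matches individual segments; whether they add up to a scan only becomes clear after aggregating per source, which in Wireshark means Statistics > Conversations. The following example is added for this page (it is not from the original article or from Wireshark) and shows that aggregation step in code: it builds a small pcap of constructed traffic, applies the same test as tcp.flags.syn == 1 && tcp.flags.ack == 0, and counts distinct destination ports per source so one scanner stands out from ordinary clients. The addresses, ports, the threshold of 10 ports and the file name synscan_sample.pcap are assumptions made up for the example.

```python
import ipaddress
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits, as Wireshark's tcp.flags shows them


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the IPv4 header, as Wireshark verifies it."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with no payload (TCP checksum left
    at 0; Wireshark does not validate it by default)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # made-up MACs, EtherType IPv4
    return eth + ip + tcp


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]


def syn_only(frame: bytes) -> bool:
    """Same test as the display filter tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    parsed = parse_tcp(frame)
    return parsed is not None and bool(parsed[4] & SYN) and not parsed[4] & ACK


def scan_sources(frames, min_ports: int = 10):
    """Sources whose SYN-only segments touched at least min_ports distinct ports
    on one host: the per-conversation view Statistics > Conversations gives you."""
    ports = defaultdict(set)
    for frame in frames:
        if syn_only(frame):
            src, dst, _, dport, _ = parse_tcp(frame)
            ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def write_pcap(path: str, frames) -> None:
    """Classic pcap file (link type 1, Ethernet) so the sample opens in Wireshark."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
            fh.write(frame)


def build_sample():
    """Constructed traffic: one host SYN-scanning 20 ports on 10.0.0.10, plus
    three complete handshakes (SYN, SYN-ACK, ACK) from an ordinary client."""
    frames = [tcp_frame("10.0.0.66", "10.0.0.10", 40000 + port, port, SYN)
              for port in range(1, 21)]
    for i, port in enumerate((22, 80, 443)):
        sport = 50000 + i
        frames.append(tcp_frame("10.0.0.5", "10.0.0.10", sport, port, SYN))
        frames.append(tcp_frame("10.0.0.10", "10.0.0.5", port, sport, SYN | ACK))
        frames.append(tcp_frame("10.0.0.5", "10.0.0.10", sport, port, ACK))
    return frames


if __name__ == "__main__":
    sample = build_sample()
    write_pcap("synscan_sample.pcap", sample)
    print("SYN-only segments:", sum(map(syn_only, sample)))
    for src, dst, n in scan_sources(sample):
        print(f"{src} sent SYNs to {n} distinct ports on {dst}")
```

Open synscan_sample.pcap in Wireshark and apply the filter: it matches the same 23 frames the script counts (20 from the scanner, 3 from the normal client), which is why the filter alone does not separate the two; the distinct-port count does.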
DDoS & Anomaly Detection
Filter | Description | Use Case |
---|---|---|
udp.srcport == 123 && udp.dstport == 123 | NTP traffic between two daemons on the well-known port, which is also what normal server-to-server sync looks like; in a reflection attack the victim receives bursts of oversized replies (udp.srcport == 123 && udp.length > 200) for requests it never sent | Investigating NTP amplification and other volumetric DDoS |
tcp.flags.syn == 1 && tcp.seq == 0 | With relative sequence numbers (the default) every initial SYN shows tcp.seq == 0, so this is simply all connection attempts; tcp.seq_raw shows the real initial sequence number. A SYN flood shows as a very high SYN rate to one destination with few completed handshakes | Characterizing SYN floods; compare against tcp.flags.syn == 1 && tcp.flags.ack == 1 to see how many SYNs were answered |
icmp.type == 3 && icmp.code == 3 | ICMP Destination Unreachable / Port Unreachable, returned when a UDP datagram hits a closed port | Spotting UDP port scans and backscatter from UDP floods |
VoIP Security & Analysis
Filter | Description | Use Case |
---|---|---|
sip.Call-ID contains "unknown" | Matches SIP messages whose Call-ID contains a string; Call-IDs are normally opaque random values, so substitute the Call-ID of a suspicious INVITE to pull out that whole dialogue | Reconstructing a fraudulent call end to end |
rtp.marker == 1 && rtp.p_type == 0 | RTP packets with the marker bit set (start of a talkspurt) carrying payload type 0, G.711 PCMU; it says nothing about recording, but unencrypted RTP like this can be replayed by anyone who captures it | Locating the start of speech in unencrypted audio before extracting it via Telephony > RTP > RTP Streams |
sip.Status-Code == 403 | SIP responses rejected as Forbidden | Spotting registration or call attempts the PBX refused, e.g. from a brute-force dialer |
rtp.seq < 50 | RTP packets with a sequence number below 50; initial sequence numbers are random per RFC 3550, so a low value by itself is not evidence of tampering | Investigating sequence resets; for lost or out-of-order packets use Telephony > RTP > Stream Analysis instead |
Wireless Security & Rogue AP Detection
Filter | Description | Use Case |
---|---|---|
wlan.fc.type_subtype == 0x08 && wlan.ssid contains "FreeWiFi" | Beacon frames advertising a given SSID; compare wlan.bssid against your inventory of access points to find ones you do not own (requires a monitor-mode capture) | Detecting rogue or evil-twin access points |
wlan.fc.type_subtype == 0x0c | Deauthentication frames; a flood from one transmitter to a client or broadcast address is a deauth attack (0x0a is disassociation) | Identifying Wi-Fi denial of service and forced-reconnect attacks |
wlan.ta == XX:XX:XX:XX:XX:XX | Frames transmitted by a specific MAC address (wlan.addr matches any of the address fields) | Investigating a suspicious Wi-Fi client |
wlan.fc.retry == 1 | Retransmitted frames; some retries are normal, while a sustained high retry ratio indicates congestion, interference or jamming | Spotting degraded or jammed channels |
Cloud Security & Encrypted Traffic Analysis
Filter | Description | Use Case |
---|---|---|
tls.handshake.type == 1 && tls.handshake.version < 0x0303 | ClientHellos offering at most TLS 1.1. Do not filter on tls.record.version: clients send record version 0x0301 even when offering TLS 1.2 or 1.3, and frame.time_delta measures the gap to the previous captured frame of any kind, so neither identifies odd handshakes | Spotting outdated or custom TLS stacks; tls.handshake.ja3 fingerprints are the more precise tool |
dns.qry.type == 65 | Queries for the HTTPS (SVCB) resource record, which browsers now send alongside A/AAAA; this is not DNS over HTTPS. DoH itself looks like ordinary TLS to port 443, so filter on the resolver's SNI, e.g. tls.handshake.extensions_server_name contains "dns.google" | Inventorying DoH resolvers in use that bypass internal DNS logging |
quic.long.packet_type == 0 | QUIC Initial packets (IETF QUIC); quic.tag only applied to legacy Google QUIC | Inventorying QUIC connections, which escape TCP/TLS-based inspection |
tls.record.content_type == 21 | TLS Alert records; after the handshake alerts are encrypted, so only their presence is visible. During the handshake tls.alert_message.desc shows the reason (42 bad_certificate, 48 unknown_ca) | Spotting certificate validation failures that an interception proxy or MITM causes |
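The TLS rows above depend on telling three fields apart: the record-layer version, the handshake version inside the ClientHello, and the SNI extension. The following example is added for this page (it is not from the original article or from Wireshark) and parses exactly those fields out of a raw ClientHello, then applies the two checks from the table. The ClientHello bytes are constructed inline, with a single cipher suite and a zeroed client random; the blocklist entry darkweb.site and the hostnames are placeholders carried over from the table.

```python
import struct

BLOCKLIST = {"darkweb.site"}  # placeholder indicator, as in the table above


def build_client_hello(server_name: str, handshake_version: int = 0x0303,
                       record_version: int = 0x0301) -> bytes:
    """Constructed minimal ClientHello record (sample data, not a capture).
    Real clients put 0x0301 in the record header even when offering TLS 1.2
    or 1.3, which is why filtering on tls.record.version misfires."""
    host = server_name.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host           # name_type host_name
    sni_data = struct.pack("!H", len(name_list)) + name_list
    extensions = struct.pack("!HH", 0, len(sni_data)) + sni_data   # type 0 = server_name
    body = (struct.pack("!H", handshake_version)
            + bytes(32)                           # client random (zeros in this sample)
            + b"\x00"                             # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Pull out the fields the TLS filters refer to: tls.record.version,
    tls.handshake.version and tls.handshake.extensions_server_name."""
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + length]
    if content_type != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    handshake_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                           # version + client random
    pos += 1 + body[pos]                                   # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                   # compression methods
    sni = None
    if pos + 2 <= len(body):                               # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0:  # server_name: list length, name type, name length, name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {"record_version": record_version,
            "handshake_version": handshake_version, "sni": sni}


def suspicious(info: dict) -> list:
    """Reasons a ClientHello deserves a look, mirroring the TLS rows above."""
    reasons = []
    if info["handshake_version"] < 0x0303:
        reasons.append("offers at most TLS 1.1")
    name = info["sni"] or ""
    if any(name == d or name.endswith("." + d) for d in BLOCKLIST):
        reasons.append("SNI on blocklist")
    return reasons


if __name__ == "__main__":
    for host, version in (("www.example.com", 0x0303), ("c2.darkweb.site", 0x0302)):
        info = parse_client_hello(build_client_hello(host, handshake_version=version))
        print(info, suspicious(info))
```

The modern client in the sample reports record_version 0x0301 and handshake_version 0x0303, which is the combination that makes tls.record.version != 0x0303 match almost everything.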
ICS/SCADA Network Forensics
Filter | Description | Use Case |
---|---|---|
modbus && modbus.func_code == 0x03 | Modbus Read Holding Registers requests and responses (function 3); Wireshark cannot tell whether they are authorized, so compare ip.src against the masters that are supposed to poll each PLC | Baselining who polls which PLCs; a new source reading registers is reconnaissance |
dnp3.al.func in {3 4 5} | DNP3 application-layer SELECT (3), OPERATE (4) and DIRECT OPERATE (5) requests; dnp3.control is the link-layer control byte present in every frame, so filtering on it alone matches all DNP3 | Auditing control commands sent to outstations |
s7comm.param.func == 0x05 | S7comm Write Var jobs (0x05) and their acknowledgements; the field is s7comm.param.func, and 0x04 is Read Var | Auditing writes to Siemens PLC memory |
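The Modbus row above notes that the filter finds reads but cannot judge whether they are authorized; that judgement needs a baseline of which hosts may read and which may write. The following example is added for this page (it is not from the original article or from Wireshark) and decodes the MBAP header and function code of Modbus/TCP requests, then checks each request against an allow-list of masters and of write-capable masters. The PLC and master addresses, unit id and the allow-lists are constructed sample data.

```python
import struct

READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the MBAP header and function code of one Modbus/TCP ADU
    (the bytes Wireshark's modbus.func_code field is read from)."""
    if len(payload) < 8:
        raise ValueError("too short for an MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a well-formed Modbus/TCP ADU")
    func = payload[7]
    return {"transaction": tid, "unit": unit, "function": func & 0x7F,
            "exception": bool(func & 0x80), "data": payload[8:]}


def request(unit: int, func: int, addr: int, value: int, tid: int = 1) -> bytes:
    """Constructed request ADU. Function 3 (read holding registers, value =
    count) and function 6 (write single register, value = new contents)
    both carry a 2-byte address and a 2-byte operand."""
    pdu = struct.pack("!BHH", func, addr, value)
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def audit(packets, allowed_masters, allowed_writers):
    """Flag requests from unknown masters and writes from masters that are
    only supposed to read: the baseline check the table row calls for."""
    alerts = []
    for src, dst, payload in packets:
        try:
            adu = parse_modbus_tcp(payload)
        except ValueError:
            continue  # not Modbus/TCP, or truncated; out of scope here
        func = adu["function"]
        name = READ_FUNCS.get(func) or WRITE_FUNCS.get(func) or f"function {func}"
        if src not in allowed_masters:
            alerts.append(f"{src} -> {dst} unit {adu['unit']}: {name} from unknown master")
        elif func in WRITE_FUNCS and src not in allowed_writers:
            alerts.append(f"{src} -> {dst} unit {adu['unit']}: {name} from read-only master")
    return alerts


# Constructed sample traffic: (master IP, PLC IP, Modbus/TCP payload)
SAMPLE = [
    ("10.10.1.5", "10.10.2.20", request(1, 3, 0, 10)),     # HMI polls 10 registers
    ("10.10.1.5", "10.10.2.20", request(1, 6, 7, 1500)),   # HMI writes a setpoint
    ("10.10.1.6", "10.10.2.20", request(1, 3, 0, 10)),     # historian polls
    ("10.10.1.6", "10.10.2.20", request(1, 6, 7, 0)),      # historian writes: not expected
    ("10.10.1.99", "10.10.2.20", request(1, 3, 0, 125)),   # unknown host reads everything
]
MASTERS = {"10.10.1.5", "10.10.1.6"}   # hosts allowed to talk Modbus to the PLC
WRITERS = {"10.10.1.5"}                # subset allowed to write

if __name__ == "__main__":
    for alert in audit(SAMPLE, MASTERS, WRITERS):
        print(alert)
```

The same split applies to the DNP3 and S7comm rows: the filter isolates the control or write function codes, and the allow-list of sources is what turns a match into a finding.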
Insider Threats & Data Exfiltration
Filter | Description | Use Case |
---|---|---|
http contains "confidential" | Cleartext HTTP carrying the string "confidential" (a placeholder for whatever classification marker your documents use) | Catching sensitive documents leaving over unencrypted HTTP |
tcp.stream eq X && frame.len > 1000 | Full-size frames in one TCP session, where X is the stream index shown by Follow TCP Stream | Isolating the bulk-transfer phase of a suspected exfiltration session |
ftp.request.command == "PASS" | FTP login passwords, sent in cleartext as PASS <password> (ftp contains "password" only matches the literal word) | Identifying credentials exposed over FTP |
http contains "bitcoin" | Cleartext HTTP mentioning bitcoin | Finding ransom notes or payment instructions retrieved over HTTP |
Wireshark’s display filters let security analysts narrow a capture to the packets that matter when investigating malware infections, unauthorized access, DDoS attacks, VoIP fraud, and insider threats. Most of the filters above surface candidates rather than verdicts: confirm a hit by following the stream, checking the conversation statistics, and comparing the source against what is expected on your network.