Wireshark filters
Sources:
https://www.comparitech.com/net-admin/wireshark-cheat-sheet/
https://www.hackers-arise.com/post/2018/09/27/network-forensics-part-2-detecting-and-analyzing-a-scada-dos-attack
Export file / object
File > Export Object
How many machines are involved in the transactions
(Menu) Statistics > Conversations
(Menu) Statistics > IPv4 Statistics > Source and Destination Addresses
Source of DDoS
# Look for the machine with the most packets / bytes sent
(Menu) Statistics > Conversations
(Menu) Statistics > IPv4 Statistics > Source and Destination Addresses
How many packets exchanged
(Menu) Statistics > Conversations
Find a DoS attack (SYN flood, checking the SYN and ACK flags)
# All segments with SYN set (connection attempts and SYN-ACK replies)
tcp.flags.syn == 1
# Only the initial SYNs: a flood shows many of these from one source with few completed handshakes
tcp.flags.syn == 1 and tcp.flags.ack == 0
During an FTP brute-force attack, find the successful login attempt
# First list the FTP control traffic
tcp.port == 21
# Follow the TCP stream
# If there is too much information, list only the successful logins (230 = user logged in)
ftp.response.code == 230
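Added example (not part of the original cheat sheet): the DoS-source and FTP-login investigations above done from the command line with tshark, using the same display filters. It assumes tshark is installed and that the capture to analyse is named capture.pcap (override with the PCAP variable).

```shell
#!/bin/sh
# Run the cheat sheet's display filters with tshark and rank the results.
# Assumption: tshark is installed and capture.pcap is the file to analyse.
PCAP="${PCAP:-capture.pcap}"

# Count identical lines read from stdin and print "count value", highest first.
rank_counts() {
    sort | uniq -c | sort -rn
}

# Print the address on the top line of a ranking (the suspected flood source).
top_source() {
    rank_counts | head -n 1 | awk '{print $2}'
}

# Rank source addresses by number of initial SYNs (SYN set, ACK not set).
# In a SYN flood one source dominates this list.
syn_sources() {
    tshark -r "$PCAP" -Y 'tcp.flags.syn == 1 and tcp.flags.ack == 0' \
           -T fields -e ip.src | rank_counts
}

# For every successful FTP login (response code 230, sent by the server),
# print the client address (ip.dst of the reply) and its TCP stream number,
# so the stream can be followed in Wireshark afterwards.
ftp_successful_logins() {
    tshark -r "$PCAP" -Y 'ftp.response.code == 230' \
           -T fields -e ip.dst -e tcp.stream
}

# Stand-alone usage: rank SYN sources, then list the successful FTP logins.
if [ "${1:-}" = "run" ]; then
    echo "Top SYN sources:";      syn_sources | head -n 5
    echo "Successful FTP logins:"; ftp_successful_logins
fi
```

The ranking helpers work on any one-address-per-line input, so the same pipeline can be fed from a File > Export Packet Dissections (CSV) output instead of tshark.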
Filter by IP address
ip.addr == x.x.x.x
Filter by IP address range
ip.addr >= IP_START_RANGE and ip.addr <= IP_END_RANGE
Display packets captured on the eth0 interface
frame.interface_name == "eth0"
Filter by port
tcp.port == 80 or udp.port == 53
Display packets larger than 100 bytes
frame.len > 100
Filter by source or destination MAC address
eth.src == xx or eth.dst == yy
Display packets with a status code of 200
http.response.code == 200
Display packets with a GET method (or POST, PUT, DELETE)
http.request.method == "GET"
Display DNS packets that have a query name containing "example.com"
dns.qry.name contains "example.com"
Display HTTP packets that have a request URI containing "example.com"
http.request.uri contains "example.com"
Display packets with a 404 response code
http.response.code == 404
Display packets that contain a cookie with the name "sessionid"
http.cookie contains "sessionid"
Display packets with the SYN (ACK, RST, FIN, URG, or PSH) flag set
tcp.flags.syn == 1
# Other flags: tcp.flags.ack, tcp.flags.reset, tcp.flags.fin, tcp.flags.urg, tcp.flags.push
Display TLS handshake packets of a given type (1 = Client Hello)
tls.handshake.type == 1