Network Forensics through Wireshark

Through the Wireshark I/O graph feature we should plot the baseline level of packets sent per second through either a normal amount or a logarithmic amount through a highlight rule for packets for traffic. You should find that neither general nor non-general packet transmission match as I started going through a site at the end of the 10-minute packet tracking.

Through the Wireshark highlighting rule you should find packets that were either removed or retransmitted. You should find this in the analysis part of the HTTP tag. You should find here that no packets were removed during the tracking.

You should program rules that track bad packets. I have programmed rules for these kinds of packets for intensive network probing:

(1) Bot traffic from DNS stations

(2) ICMP replies to Nmap probes

(3) Nmap TCP Probes

(4) Nmap OS fingerprinting probes

Through applying of the highlighting rules in the Wireshark bar, you should find matches for the small window amount SYN packet rule. You should rule out these SYN probes as nmap probes due to the Mozilla, Google Play, and native station IP destination and origin values. All of these packets match as SYN probes sent during the initial handshake between the stations.

Here through the Wireshark hierarchy feature you should find all of the packets tracked contain the IP and ethernet tags as 62% of those have the TCP tag and another 37% have the UDP tag. 20% of all of the packets with the TCP tag have the TLS tag and 0.7% of them have the HTTP tag.

Through the Wireshark rule bar feature we should rule out all packets but for those with the flags set in the 0x12 which is the flags set in the TCP tag for a SYN/ACK packet. This kind of packet is sent during the handshake and as part of the HTTP program which programs the sending of application data from HTTP stations. You should find that these packets are disproportionally HTTP packets due to the origin port values being port 80 and port 443. There is nothing bad about these SYN/ACK packets.

Establishing a Baseline Traffic

In order to track bad traffic there needs to be some kind of baseline of traffic. I tracked packets for about 10 minutes as I surfed some sites. Wireshark tracked about 8,745 packets being transmitted via my VM’s network port. These packets include:

(1) General packets

(2) NTP packets

(3) TCP handshakes

(4) HTTP requests and replies

(5) UDP packets

(6) TCP packets with application data

(7) TCP RST packets

Totaling Traffic

There are multiple methods to total traffic that is bad. In order for there to be a hack, there needs to be investigation beforehand. Bad packets are difficult to track and you should program rules to track hacks through probing programs like nmap. Nmap provides signs of a bad actor. Nmap and other programs like it code for special packets to sync with ports through a network port. Packets generated by the nmap application include:

(1) Light (no data) TCP packets with the SYN flag set

(2) Light (no data) TCP packets with the ACK flag set

(3) Standard ICMP echo requests with 8

(4) Packets with ICMP tag values 3 and code 2 as probe replies

(5) Light TCP packets with no bits set

(6) Light TCP packets with TCP FIN bit set

(7) Light TCP packets with the FIN, PSH ,and URG flags set

(8) Dropped or retransmitted TCP packets