Network Forensics through Wireshark

Using the Wireshark I/O Graph feature, plot the baseline rate of packets per second on either a linear or a logarithmic Y axis, with a second graph line whose display filter selects only multicast traffic. You should find that the multicast and non-multicast rates do not track each other, and the difference becomes obvious where I started browsing a website near the end of the 10-minute capture.

Using a Wireshark display filter or colouring rule, look for packets that were dropped or retransmitted. Wireshark reports these under the analysis fields of the TCP layer (the SEQ/ACK analysis section of the TCP header), not under HTTP, because retransmission and lost-segment detection is done on TCP sequence numbers. You should find that no packets were dropped during this capture.

You should write display filters (and colouring rules based on them) that pick out suspicious packets. I wrote rules for the following kinds of packets, which are characteristic of intensive network probing:

(1) Bot traffic from DNS hosts

(2) ICMP responses to Nmap probes

(3) Nmap TCP probes

(4) Nmap OS fingerprinting probes

When these rules are applied in the Wireshark display filter bar, you should get matches for the small-window SYN packet rule. You can rule these SYN packets out as Nmap probes, because their source and destination addresses belong to Mozilla, Google Play, and the local host itself. All of them are the ordinary SYNs sent at the start of a legitimate TCP handshake between the two hosts.

Using Wireshark's Protocol Hierarchy Statistics, you should find that all of the captured packets are encapsulated in Ethernet and IP, that 62% of them carry TCP and another 37% carry UDP, and that 20% of the TCP packets carry TLS while 0.7% carry HTTP.

Using the display filter bar, filter out everything except packets whose TCP flags equal 0x12, the value of the TCP flags field when SYN and ACK are both set, i.e. SYN/ACK packets. A SYN/ACK is the second packet of the TCP three-way handshake; a web server sends it in reply to a client's SYN before any HTTP application data is exchanged. You should find that these packets come disproportionately from HTTP and HTTPS servers, since their source ports are 80 and 443. There is nothing malicious about these SYN/ACK packets.

Establishing a Traffic Baseline

To detect malicious traffic you first need a baseline of normal traffic. I ran a capture for about 10 minutes while I browsed a couple of sites. Wireshark captured about 8,745 packets transmitted and received on my VM's network interface. These packets include:

(1) Multicast and broadcast packets

(2) NTP packets

(3) TCP handshakes

(4) HTTP requests and responses

(5) UDP packets

(6) TCP packets with application data

(7) TCP RST packets
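The I/O-graph baseline described at the top of the page and the 10-minute baseline capture in this section amount to the same computation: bin packets per second, split the multicast background from everything else, and look for seconds that stand out. The following is an added example, not code from the original write-up; the packet records are constructed inline (a steady background plus a browsing burst in the last two seconds) and stand in for the 8,745-packet capture, and the 5x spike factor is an assumed threshold.

```python
"""Per-second packet-rate baseline, split into multicast and unicast the way
the I/O graph with a multicast display filter does.  Added example, not code
from the original write-up; the packet records are constructed, not captured."""
import ipaddress
import math
from statistics import median


def is_multicast(dst):
    """True for multicast or limited-broadcast destinations.  Wireshark
    equivalents: ip.dst == 224.0.0.0/4 for IPv4 multicast, or eth.dst[0] & 1
    for any multicast/broadcast frame."""
    addr = ipaddress.ip_address(dst)
    return addr.is_multicast or dst == "255.255.255.255"


def build_sample():
    """Constructed 10-second capture as (timestamp, dst) pairs: a steady
    background of mDNS-style multicast plus a little unicast, then a browsing
    burst of unicast in the last two seconds.  Assumed shape, not real data."""
    pkts = []
    for sec in range(10):
        pkts += [(sec + k / 10, "224.0.0.251") for k in (1, 4, 7)]   # 3 multicast/s
        pkts += [(sec + k / 10, "10.0.2.15") for k in (2, 8)]         # 2 unicast/s
    for sec in (8, 9):
        pkts += [(sec + k / 100, "10.0.2.15") for k in range(1, 61)]  # burst: +60/s
    return sorted(pkts)


def per_second_rates(pkts):
    """Bin packets into one-second buckets, one series per traffic class."""
    last = int(max(t for t, _ in pkts))
    series = {"multicast": [0] * (last + 1), "unicast": [0] * (last + 1)}
    for t, dst in pkts:
        series["multicast" if is_multicast(dst) else "unicast"][int(t)] += 1
    return series


def baseline(counts):
    """Median packets/s; robust against a short burst pulling the mean up."""
    return median(counts)


def flag_spikes(counts, factor=5):
    """Seconds whose rate exceeds factor x baseline.  The factor is an assumed
    threshold; tune it against your own quiet-period capture."""
    base = baseline(counts)
    return [sec for sec, c in enumerate(counts) if c > factor * base]


def render(counts, log_scale=True, width=40):
    """Tiny text version of the I/O graph.  The log scale keeps a burst from
    flattening the background into the axis, which is why the write-up offers
    both a linear and a logarithmic view."""
    top = max(counts) or 1
    rows = []
    for sec, c in enumerate(counts):
        frac = (math.log10(c + 1) / math.log10(top + 1)) if log_scale else c / top
        rows.append(f"{sec:3d}s {'#' * int(frac * width):<{width}} {c}")
    return rows


if __name__ == "__main__":
    rates = per_second_rates(build_sample())
    for name, counts in rates.items():
        print(name, "baseline", baseline(counts), "pkt/s; spikes at", flag_spikes(counts))
        print("\n".join(render(counts)))
```

The multicast series stays at its baseline throughout while the unicast series is flagged only in the two browsing seconds, which is the same divergence the I/O graph shows when the browsing session starts.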

Totaling Traffic

There are several ways to tally traffic that is malicious. Before an intrusion there is almost always reconnaissance, so that is where to look. Malicious packets are hard to spot on their own, so you should write rules that detect probing tools such as Nmap; Nmap traffic is a reasonable sign that a malicious actor is present. Nmap and tools like it craft special TCP and ICMP packets to elicit responses from the ports on a network interface. Packets generated by Nmap include:

(1) Empty (no payload) TCP packets with only the SYN flag set

(2) Empty (no payload) TCP packets with only the ACK flag set

(3) Standard ICMP echo requests (ICMP type 8)

(4) ICMP type 3 (destination unreachable), code 2 (protocol unreachable) packets, as responses to probes

(5) Empty TCP packets with no flags set (a NULL scan)

(6) Empty TCP packets with only the FIN flag set (a FIN scan)

(7) Empty TCP packets with the FIN, PSH, and URG flags set (an Xmas scan)

(8) Dropped or retransmitted TCP packets
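The probe list above, together with the filter-bar procedure earlier in the page (the small-window SYN rule, the ICMP probe responses, and the benign SYN/ACKs at flags 0x12), can be written as one rule table. The following is an added example, not code from the original write-up: each entry pairs a Wireshark display filter with an equivalent Python predicate, and a triage step applies the same exclusion the write-up applied by hand, dropping small-window SYNs sent to trusted web hosts. The 1024-byte window threshold, the trusted-host list and every packet record are constructed assumptions; the "bot traffic from DNS" rule and item (8), dropped or retransmitted segments, are left out because they need per-stream state that a per-packet predicate does not have.

```python
"""Per-packet detection rules for Nmap-style probes, as Wireshark display
filters paired with equivalent Python predicates.  Added example, not code
from the original write-up; the packets below are constructed, not captured."""

# TCP flag bits as they appear in the low byte of tcp.flags.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG
SMALL_WINDOW = 1024   # assumed threshold: a normal OS SYN advertises tens of KB


def tcp(src, dst, sport, dport, flags, window=65535, length=0):
    """Constructed TCP packet record (stand-in for a decoded frame)."""
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": flags, "window": window, "len": length}


def icmp(src, dst, itype, code=0):
    """Constructed ICMP packet record."""
    return {"proto": "icmp", "src": src, "dst": dst, "type": itype, "code": code}


def is_tcp(p):
    return p["proto"] == "tcp"


# (rule name, Wireshark display filter, equivalent predicate)
RULES = [
    ("nmap-null-scan", "tcp.flags == 0x000",
     lambda p: is_tcp(p) and p["flags"] == 0),
    ("nmap-fin-scan", "tcp.flags == 0x001",            # a real close is FIN+ACK (0x011)
     lambda p: is_tcp(p) and p["flags"] == FIN),
    ("nmap-xmas-scan", "tcp.flags.fin == 1 && tcp.flags.psh == 1 && tcp.flags.urg == 1",
     lambda p: is_tcp(p) and (p["flags"] & XMAS) == XMAS),
    ("small-window-syn", f"tcp.flags == 0x002 && tcp.window_size <= {SMALL_WINDOW}",
     lambda p: is_tcp(p) and p["flags"] == SYN and p["window"] <= SMALL_WINDOW),
    ("bare-ack-probe", "tcp.flags == 0x010 && tcp.len == 0",   # noisy: keepalives match too
     lambda p: is_tcp(p) and p["flags"] == ACK and p["len"] == 0),
    ("syn-ack", "tcp.flags == 0x012",                   # handshake reply, informational only
     lambda p: is_tcp(p) and p["flags"] == (SYN | ACK)),
    ("icmp-echo-request", "icmp.type == 8",
     lambda p: p["proto"] == "icmp" and p["type"] == 8),
    ("icmp-proto-unreachable", "icmp.type == 3 && icmp.code == 2",
     lambda p: p["proto"] == "icmp" and p["type"] == 3 and p["code"] == 2),
]

BENIGN = {"syn-ack"}      # matched for counting, never escalated
WEB_PORTS = {80, 443}


def match_rules(pkt):
    """Names of every rule the packet satisfies, in RULES order."""
    return [name for name, _, pred in RULES if pred(pkt)]


def triage(pkts, trusted_peers=frozenset()):
    """Map packet index -> escalated rule names.  Small-window SYNs toward a
    trusted web host are dropped, which is the manual exclusion the write-up
    applies to the Mozilla / Google Play handshakes."""
    hits = {}
    for i, p in enumerate(pkts):
        names = [n for n in match_rules(p) if n not in BENIGN]
        if ("small-window-syn" in names and p.get("dst") in trusted_peers
                and p.get("dport") in WEB_PORTS):
            names.remove("small-window-syn")
        if names:
            hits[i] = names
    return hits


# Constructed sample using RFC 5737 documentation addresses for the peers.
VM, SCANNER, WEB = "10.0.2.15", "192.0.2.99", "198.51.100.10"
SAMPLE = [
    tcp(VM, WEB, 51000, 443, SYN, window=64240),        # 0  normal handshake SYN
    tcp(WEB, VM, 443, 51000, SYN | ACK),                # 1  handshake SYN/ACK
    tcp(SCANNER, VM, 40000, 22, SYN, window=1024),      # 2  SYN-scan style probe
    tcp(SCANNER, VM, 40000, 23, 0),                     # 3  NULL scan
    tcp(SCANNER, VM, 40000, 25, FIN),                   # 4  FIN scan
    tcp(SCANNER, VM, 40000, 80, XMAS),                  # 5  Xmas scan
    tcp(SCANNER, VM, 40000, 443, ACK),                  # 6  bare ACK probe
    icmp(SCANNER, VM, 8),                               # 7  echo request (ping sweep)
    icmp(VM, SCANNER, 3, 2),                            # 8  protocol unreachable
    tcp(VM, WEB, 51002, 80, SYN, window=512),           # 9  small-window SYN to trusted host
    tcp(VM, WEB, 51000, 443, FIN | ACK),                # 10 normal close, not a FIN scan
]

if __name__ == "__main__":
    for i, names in sorted(triage(SAMPLE, {WEB}).items()):
        print(i, SAMPLE[i]["src"], "->", SAMPLE[i]["dst"], names)
```

The filter strings in the table can be pasted into the Wireshark display filter bar as they are, or turned into colouring rules; the Python predicates exist so the same logic can be run over exported packet records without Wireshark. Note that the small-window SYN rule fires on packet 9 until the destination is listed as a trusted web host, which is exactly the false positive the write-up had to rule out by inspecting the addresses.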