Posts

Showing posts from November, 2025

Packets, Clues, and Coffee: A Wireshark Investigation Story

Sometimes the best way to learn is to get your hands dirty. That’s exactly what I did when I tackled a Malware Traffic Analysis exercise. It wasn’t just another packet capture; it was a crime scene, and my job was to figure out who did what, when, and how.

Setting the Scene

The packet capture (PCAP) was buzzing with background noise from routers, smart devices, and other chatter. My mission? Find the infected Windows machine, figure out who used it, identify any fake websites it reached out to, and uncover the command-and-control (C2) servers that kept the infection alive.

Step 1: Finding the Infected IP

My first move was to clean up the view in Wireshark. I didn’t want to see every little broadcast or IoT heartbeat. I only cared about web traffic, both HTTP and HTTPS. So I used this display filter:

(http.request or tls.handshake.type eq 1) and !(ssdp)

This keeps only HTTP requests and TLS ClientHello messages (handshake type 1) while dropping SSDP discovery chatter. This simple line told Wireshark, “Show me only the good stuff.” And just like that, the infected client revealed itself:...