Wireshark Project – Network Intrusion Detection
In this post, I walk through how I use Wireshark to detect and analyze network intrusions. Identifying suspicious network activity is a crucial skill for network security, and Wireshark is one of the best tools for the job.
My Lab Setup and Tools
- Wireshark – Available from wireshark.org
- Sample PCAP file containing known intrusion data
My Analysis Process
Step 1: Loading the Evidence
Open Wireshark and load the sample PCAP using File > Open. This displays all captured network packets, providing an overview of the traffic.
Step 2: Hunting for Indicators of Compromise (IOCs)
I search for red flags like:
- Unusual or known malicious IP addresses
- Connections to suspicious ports (e.g., TCP port 23, Telnet)
- Suspicious protocols like IRC or unusual DNS activity
Common filters used:
ip.addr == x.x.x.x
tcp.port == 23
dns.qry.name contains "malicious.com"
Step 3: Analyzing Suspicious Packets
I inspect unusual packets in the packet details pane, expanding protocol layers to review headers and payloads.
Step 4: Following the Conversation
Using Follow > TCP Stream, I view the full conversation between two hosts. This helps reveal command strings, data exfiltration, or encoded communications.
Step 5: Documenting My Findings
I record all relevant details — IPs, ports, timestamps, and payload data — then compile a structured report for documentation or incident response.
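The three display filters from Step 2, re-implemented as an added offline example (my own illustration, not code from the original post) that runs the same checks over two constructed raw IPv4 packets. The watched address 203.0.113.9 and the query name www.malicious.com are assumptions; a real capture would be read with tshark rather than hand-built bytes.

```python
import socket
import struct

WATCH_IP = "203.0.113.9"      # constructed "known bad" address (RFC 5737 test range)
WATCH_DOMAIN = "malicious.com"  # domain fragment from the page's dns.qry.name filter
TCP, UDP = 6, 17

def parse_ipv4(raw):
    """Split a raw IPv4 packet (no Ethernet header) into addresses, protocol, ports and payload."""
    ihl = (raw[0] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
           "proto": raw[9], "sport": None, "dport": None, "payload": b""}
    seg = raw[ihl:]
    if pkt["proto"] in (TCP, UDP) and len(seg) >= (20 if pkt["proto"] == TCP else 8):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", seg[:4])
        hdr_len = (seg[12] >> 4) * 4 if pkt["proto"] == TCP else 8  # TCP data offset / fixed UDP header
        pkt["payload"] = seg[hdr_len:]
    return pkt

def dns_qname(msg):
    """Return the first question name of a DNS message (question names are never compressed)."""
    labels, i = [], 12  # skip the 12-byte DNS header
    while i < len(msg) and msg[i] != 0:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels) if labels else None

def match_iocs(raw):
    """Names of the Step 2 display filters this packet would satisfy."""
    p, hits = parse_ipv4(raw), []
    if WATCH_IP in (p["src"], p["dst"]):
        hits.append("ip.addr")
    if p["proto"] == TCP and 23 in (p["sport"], p["dport"]):
        hits.append("tcp.port == 23")
    if p["proto"] == UDP and 53 in (p["sport"], p["dport"]):
        if WATCH_DOMAIN in (dns_qname(p["payload"]) or ""):
            hits.append("dns.qry.name contains")
    return hits

def build_ipv4(src, dst, proto, transport):
    """Build a minimal IPv4 packet (checksum left at zero) around a transport segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(transport), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + transport

# Constructed sample packets: a Telnet SYN to the watched host and a DNS query for a watched name.
DNS_MSG = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x03www\x09malicious\x03com\x00\x00\x01\x00\x01"
TELNET_SYN = build_ipv4("10.0.0.5", WATCH_IP, TCP, struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0))
DNS_QUERY = build_ipv4("10.0.0.5", "10.0.0.53", UDP, struct.pack("!HHHH", 40001, 53, 8 + len(DNS_MSG), 0) + DNS_MSG)
```

Calling match_iocs on each sample returns the filter names that packet would light up in Wireshark, which is a handy way to sanity-check a filter set before applying it to a large capture.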
Conclusion
Using Wireshark for intrusion detection allows me to turn a sea of traffic into a detailed picture of a security incident. Mastering these skills is essential for threat hunting and incident response.