
OIDA: Mastering Packet Analysis - The Art of Identification

Written by Profitap | Jul 22, 2024 1:12:54 PM

In the OIDA methodology (Observe, Identify, Dissect, Analyze), the Identify phase is crucial for pinpointing relevant data within captured network traffic. This article focuses on effectively using Wireshark and Profitap's IOTA for this critical step.

This article is part of a series. Each article covers one of the four phases of OIDA: Observe, Identify, Dissect, Analyze.

Wireshark: drilling down to relevant conversations

Wireshark offers several powerful tools for identifying important traffic patterns and conversations.

Conversations dialog

The Conversations dialog is a key tool for identifying communication patterns between network endpoints.

  1. Access the dialog: Statistics > Conversations
  2. View conversations sorted by various criteria (bytes, packets, duration)
  3. Right-click on a conversation to apply it as a display filter

Using the Conversations dialog with display filters

Combining the Conversations dialog with display filters allows for precise traffic isolation:

  1. Apply an initial display filter (e.g., http)
  2. Open the Conversations dialog to see HTTP-specific conversations
  3. Right-click on a conversation of interest and select "Apply as Filter"
  4. The display filter will now show only traffic for that specific HTTP conversation

This technique allows for progressive refinement of your view, helping to zero in on relevant traffic.

Endpoints dialog

The Endpoints dialog summarizes all endpoints in the capture:

  1. Access via Statistics > Endpoints
  2. Identify top talkers or suspicious endpoints
  3. Use in conjunction with the Conversations dialog to track an endpoint's communications

Protocol Hierarchy

The Protocol Hierarchy window offers a breakdown of protocols present in the capture:

  1. Access via Statistics > Protocol Hierarchy
  2. Quickly identify dominant protocols
  3. Spot unusual or unexpected protocols that might indicate issues

Use the Protocol Hierarchy to:

  • Confirm expected application behavior
  • Identify potential security issues (e.g., unexpected protocols)
  • Guide further filtering and analysis
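The three Wireshark views above (Conversations, Endpoints, Protocol Hierarchy) and the progressive-refinement workflow (filter on a protocol, then apply a single conversation as a filter) all reduce to a few aggregations over per-frame fields. The Python below is an added example written for this article, not Profitap's or Wireshark's code; it runs the same aggregations over a small constructed packet list (not a real capture) so the logic behind each dialog is visible, and it builds the display-filter string that "Apply as Filter > Selected" would produce for the top conversation. The `unexpected_protocols` allowlist check is an assumed illustration of how the Protocol Hierarchy guides the "unexpected protocols" step, not a Wireshark feature.

```python
from collections import defaultdict

# Constructed sample frames (not from a real capture). Each record carries the
# fields the Conversations, Endpoints and Protocol Hierarchy views aggregate;
# "protocols" is the dissector stack for the frame, outermost first.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 80,
     "protocols": ("eth", "ip", "tcp", "http"), "length": 512},
    {"src": "93.184.216.34", "sport": 80, "dst": "10.0.0.5", "dport": 51000,
     "protocols": ("eth", "ip", "tcp", "http"), "length": 1400},
    {"src": "10.0.0.5", "sport": 51000, "dst": "93.184.216.34", "dport": 80,
     "protocols": ("eth", "ip", "tcp"), "length": 60},            # bare ACK
    {"src": "10.0.0.7", "sport": 40000, "dst": "10.0.0.9", "dport": 445,
     "protocols": ("eth", "ip", "tcp", "smb2"), "length": 900},
    {"src": "10.0.0.9", "sport": 445, "dst": "10.0.0.7", "dport": 40000,
     "protocols": ("eth", "ip", "tcp", "smb2"), "length": 300},
    {"src": "10.0.0.5", "sport": 53001, "dst": "10.0.0.1", "dport": 53,
     "protocols": ("eth", "ip", "udp", "dns"), "length": 80},
    {"src": "10.0.0.1", "sport": 53, "dst": "10.0.0.5", "dport": 53001,
     "protocols": ("eth", "ip", "udp", "dns"), "length": 120},
    {"src": "10.0.0.5", "sport": 51002, "dst": "10.0.0.9", "dport": 23,
     "protocols": ("eth", "ip", "tcp", "telnet"), "length": 70},
]


def apply_display_filter(packets, protocol):
    """Step 1 of the refinement: keep frames whose dissector stack contains
    the protocol, the equivalent of typing 'http' into the filter bar."""
    return [p for p in packets if protocol in p["protocols"]]


def conversation_key(pkt):
    """Direction-independent key so both directions of a flow land in one
    row, as they do in the Conversations dialog."""
    transport = "udp" if "udp" in pkt["protocols"] else "tcp"
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (transport,) + tuple(sorted([a, b]))


def conversations(packets):
    """Packets and bytes per conversation, sorted by bytes descending."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        row = stats[conversation_key(p)]
        row["packets"] += 1
        row["bytes"] += p["length"]
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def endpoints(packets):
    """Per-address totals (sent plus received), like the Endpoints IPv4 tab."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        for addr in (p["src"], p["dst"]):
            stats[addr]["packets"] += 1
            stats[addr]["bytes"] += p["length"]
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def protocol_hierarchy(packets):
    """Frame counts per protocol path such as 'eth/ip/tcp/http'. Every prefix
    of the stack is counted, so 'eth/ip/tcp' also includes the http frames."""
    counts = defaultdict(int)
    for p in packets:
        stack = p["protocols"]
        for depth in range(1, len(stack) + 1):
            counts["/".join(stack[:depth])] += 1
    return dict(counts)


def conversation_display_filter(key):
    """Step 3: the filter 'Apply as Filter > Selected (A<->B)' would produce."""
    transport, (addr_a, port_a), (addr_b, port_b) = key
    return (f"ip.addr=={addr_a} && {transport}.port=={port_a} && "
            f"ip.addr=={addr_b} && {transport}.port=={port_b}")


def unexpected_protocols(packets, allowlist):
    """Assumed illustration: top-of-stack protocols absent from an
    analyst-supplied allowlist are candidates for further investigation."""
    return sorted({p["protocols"][-1] for p in packets} - set(allowlist))


if __name__ == "__main__":
    http_only = apply_display_filter(SAMPLE_PACKETS, "http")
    top_key, top_row = conversations(http_only)[0]
    print("Top HTTP conversation:", top_key, top_row)
    print("Filter:", conversation_display_filter(top_key))
    for path, n in sorted(protocol_hierarchy(SAMPLE_PACKETS).items()):
        print(f"{path:20s} {n}")
    print("Unexpected:", unexpected_protocols(SAMPLE_PACKETS, ["http", "dns", "smb2", "tcp"]))
```

Note that the filter generated from a conversation row still matches the bare ACK frame that carried no HTTP payload, which is exactly why the article describes applying the conversation filter after the protocol filter rather than instead of it.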

IOTA: real-time identification and filtering

Profitap's IOTA offers real-time dashboards that quickly highlight areas of interest in network traffic. The ability to switch between dashboards and filter on data allows you to pivot quickly from a bird's-eye view to packet-level detail.

Application Overview dashboard

The Application Overview dashboard provides an immediate overview of application usage on the network.

Key features:

  1. Real-time view of active applications
  2. Bandwidth usage per application
  3. Quick filtering capabilities

To use effectively:

  1. Monitor for unexpected application traffic
  2. When an issue with a specific application is reported, use the dashboard to quickly filter and focus on that application's traffic

TCP Analysis dashboard

The TCP Analysis dashboard in IOTA is comparable to Wireshark's Conversations dialog, but offers real-time insights.

How to use:

  1. Identify top talkers and busiest conversations
  2. Click on specific flows to drill down into detailed packet data
  3. Use filtering options to focus on specific IP addresses, ports, or protocols

The TCP Analysis dashboard allows for quick identification of unusual traffic patterns or potential bottlenecks in real-time.

Conclusion

Mastering the identification phase in packet analysis involves effectively using tools like Wireshark's Conversations dialog, Endpoints dialog, and Protocol Hierarchy, as well as IOTA's Application and Flow dashboards. By leveraging these tools, analysts can quickly pinpoint relevant data, identify unusual patterns, and focus their investigation on the most pertinent information.

OIDA identification checklist

To ensure a thorough approach to the Identify phase, consider the following checklist:

  1.  Have you used Wireshark's Protocol Hierarchy to get an overview of the protocols in your capture?
  2.  Have you identified the main conversations using Wireshark's Conversations dialog or IOTA's TCP Analysis dashboard?
  3.  Have you applied appropriate display filters in Wireshark to focus on relevant traffic?
  4.  If using IOTA, have you utilized the Application dashboard to identify and filter for specific application traffic?
  5.  Have you cross-referenced endpoints of interest using Wireshark's Endpoints dialog or IOTA's TCP Analysis dashboard?
  6.  Have you identified any unexpected protocols or applications that warrant further investigation?
  7.  Have you used filtering techniques to isolate specific conversations or data streams for deeper analysis?
  8.  Have you checked for any anomalies in traffic patterns or unexpected high-volume conversations?
  9.  If investigating a reported issue, have you successfully isolated traffic related to the affected application or service?
  10.  Are you prepared to iterate on your identification process as new information emerges from your initial findings?

By following this checklist and effectively using the tools discussed, analysts can ensure a comprehensive approach to the Identify phase, setting a solid foundation for the subsequent stages of packet analysis.
