
Wireshark: Spotting Suspicious Traffic Quickly

You don’t need to read every packet. You need patterns, filters, and sanity.

High-signal filters

# DNS queries and responses (C2 domains usually show up here first)
dns

# Cleartext HTTP, if there is any (Host and User-Agent headers are worth a look)
http

# TLS Client Hello (handshake type 1); the SNI sits in its Server Name extension
tls.handshake.type == 1

# SYN-only segments, i.e. connection attempts; many from one host to many ports or addresses is scan-like
tcp.flags.syn == 1 and tcp.flags.ack == 0

Beaconing (C2-style) pattern

  • Same destination every X seconds/minutes
  • Small payload, consistent sizes
  • Off-hours activity

If you see rhythmic connections, correlate with endpoint process tree in EDR.
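A way to test the three bullets above on a whole capture instead of eyeballing it, as an added example that is not part of the original page. It assumes the packets were exported with tshark (the command in the comment is the assumed invocation) and works from constructed sample rows, not a real capture: each TCP stream is collapsed to one callback, then the spacing between callbacks and the bytes per callback are scored by coefficient of variation. A flow with many connections, near-constant spacing and near-constant size is what you pivot on in EDR.

```python
"""Beacon-candidate finder over a tshark field export (constructed sample data)."""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample rows, not from a real capture. Their shape matches this
# (assumed) tshark invocation; only packets carrying payload are exported:
#   tshark -r capture.pcap -Y "tcp.len > 0" -T fields -E separator=/t \
#     -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.stream -e tcp.len
# Flow A: 10.0.0.5 -> 203.0.113.7:443, one 166-byte request every ~60 s (beacon-like)
# Flow B: 10.0.0.5 -> 198.51.100.20:443, bursty browsing with varied sizes
# Flow C: 10.0.0.9 -> 203.0.113.7:443, a single connection (too few samples to judge)
SAMPLE_TSV = """\
1700000000.0\t10.0.0.5\t203.0.113.7\t443\t3\t166
1700000005.0\t10.0.0.5\t198.51.100.20\t443\t4\t517
1700000005.3\t10.0.0.5\t198.51.100.20\t443\t4\t1460
1700000006.2\t10.0.0.5\t198.51.100.20\t443\t5\t230
1700000010.0\t10.0.0.9\t203.0.113.7\t443\t2\t166
1700000040.0\t10.0.0.5\t198.51.100.20\t443\t9\t517
1700000040.4\t10.0.0.5\t198.51.100.20\t443\t9\t90
1700000041.1\t10.0.0.5\t198.51.100.20\t443\t10\t1460
1700000041.3\t10.0.0.5\t198.51.100.20\t443\t11\t64
1700000060.0\t10.0.0.5\t203.0.113.7\t443\t7\t166
1700000120.5\t10.0.0.5\t203.0.113.7\t443\t12\t166
1700000180.0\t10.0.0.5\t203.0.113.7\t443\t18\t166
1700000200.0\t10.0.0.5\t198.51.100.20\t443\t20\t517
1700000240.0\t10.0.0.5\t203.0.113.7\t443\t25\t166
1700000300.0\t10.0.0.5\t203.0.113.7\t443\t31\t166
"""

Flow = Tuple[str, str, int]  # (src, dst, dport)


def parse_rows(tsv: str) -> List[Tuple[float, str, str, int, int, int]]:
    """Parse the export into (time, src, dst, dport, stream, payload_len) tuples."""
    rows = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, stream, plen = line.split("\t")
        rows.append((float(t), src, dst, int(dport), int(stream), int(plen)))
    return rows


def _cv(values: List[float]) -> float:
    """Coefficient of variation (population stdev / mean); 0.0 for a constant series."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def analyze(tsv: str, min_streams: int = 5,
            max_interval_cv: float = 0.2, max_size_cv: float = 0.2) -> Dict[Flow, dict]:
    """Per (src, dst, dport): collapse each TCP stream to (first_seen, bytes_sent),
    then score how regular the connection spacing and the per-connection size are."""
    streams: Dict[Flow, Dict[int, List[float]]] = defaultdict(dict)  # flow -> stream -> [first_seen, bytes]
    for t, src, dst, dport, stream, plen in parse_rows(tsv):
        entry = streams[(src, dst, dport)].setdefault(stream, [t, 0])
        entry[0] = min(entry[0], t)
        entry[1] += plen

    report: Dict[Flow, dict] = {}
    for flow, by_stream in streams.items():
        conns = sorted(by_stream.values())  # ordered by first_seen
        if len(conns) < min_streams:
            continue  # not enough callbacks to call it rhythmic either way
        starts = [c[0] for c in conns]
        sizes = [c[1] for c in conns]
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        interval_cv, size_cv = _cv(intervals), _cv(sizes)
        report[flow] = {
            "streams": len(conns),
            "period_s": statistics.fmean(intervals),
            "interval_cv": interval_cv,
            "mean_bytes": statistics.fmean(sizes),
            "size_cv": size_cv,
            "beacon_like": interval_cv <= max_interval_cv and size_cv <= max_size_cv,
        }
    return report


def beacon_candidates(tsv: str, **kw) -> List[Flow]:
    """Flows to pivot on in EDR, most regular first."""
    rep = analyze(tsv, **kw)
    return sorted((f for f, m in rep.items() if m["beacon_like"]),
                  key=lambda f: rep[f]["interval_cv"])


if __name__ == "__main__":
    for flow, m in analyze(SAMPLE_TSV).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  n={m['streams']}  "
              f"period={m['period_s']:.1f}s (cv={m['interval_cv']:.2f})  "
              f"bytes={m['mean_bytes']:.0f} (cv={m['size_cv']:.2f})  "
              f"beacon_like={m['beacon_like']}")
```

The thresholds (five connections, 20 % jitter) are starting points, not science: implants with randomised sleep push the interval CV up, so widen it and look at the size column first when a flow looks "almost" regular. The off-hours bullet is not scored here; add a wall-clock check on `starts` if your capture spans a night.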

DNS anomalies

  • Random-looking subdomains (DGA-like: long, high-entropy labels)
  • High NXDOMAIN rates (DGA malware burns through names that were never registered)
  • Domains never seen before in your environment (compare against passive DNS or resolver history)
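The three anomalies above, scored per querying host, as an added example that is not from the original page. It assumes a tshark DNS export (the command in the comment is the assumed invocation) and runs on constructed rows, not a real capture; the "known domains" baseline is likewise constructed, and the registered-domain helper takes the last two labels, which a real tool should replace with a Public Suffix List lookup. It also reports DGA-like names that actually resolved, since that is the one the malware is really talking to.

```python
"""DNS anomaly triage over a tshark DNS export (constructed sample data)."""
import math
from collections import defaultdict
from typing import Dict, List, Set

# Constructed export, not from a real capture. It has the shape of this (assumed)
# tshark invocation; dns.flags.rcode is only present on responses:
#   tshark -r capture.pcap -Y dns -T fields -E separator=/t \
#     -e ip.src -e ip.dst -e dns.flags.response -e dns.qry.name -e dns.flags.rcode
SAMPLE_TSV = """\
10.0.0.5\t10.0.0.53\t0\twww.example.com\t
10.0.0.53\t10.0.0.5\t1\twww.example.com\t0
10.0.0.5\t10.0.0.53\t0\tcdn.example.net\t
10.0.0.53\t10.0.0.5\t1\tcdn.example.net\t0
10.0.0.7\t10.0.0.53\t0\txk3j9qpwzvt7b.net\t
10.0.0.53\t10.0.0.7\t1\txk3j9qpwzvt7b.net\t3
10.0.0.5\t10.0.0.53\t0\tmail.example.com\t
10.0.0.53\t10.0.0.5\t1\tmail.example.com\t0
10.0.0.7\t10.0.0.53\t0\tq8vmz2ldhrxc4.com\t
10.0.0.53\t10.0.0.7\t1\tq8vmz2ldhrxc4.com\t3
10.0.0.7\t10.0.0.53\t0\tp0wz3ntkq9ysf.info\t
10.0.0.53\t10.0.0.7\t1\tp0wz3ntkq9ysf.info\t3
10.0.0.5\t10.0.0.53\t0\twwww.example.com\t
10.0.0.53\t10.0.0.5\t1\twwww.example.com\t3
10.0.0.7\t10.0.0.53\t0\tm4ybt7kxv2qdl.com\t
10.0.0.53\t10.0.0.7\t1\tm4ybt7kxv2qdl.com\t0
10.0.0.7\t10.0.0.53\t0\twww.example.com\t
10.0.0.53\t10.0.0.7\t1\twww.example.com\t0
"""

# Constructed "seen before" baseline: registered domains this environment has
# resolved in the past (in practice, build it from passive DNS or resolver logs).
KNOWN_DOMAINS: Set[str] = {"example.com", "example.net"}

NXDOMAIN = 3


def shannon_entropy(s: str) -> float:
    """Bits per character; a 13-char label of distinct characters scores log2(13) ~ 3.7."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(name: str) -> str:
    """Last two labels. Assumption for this example only: a real tool should use the
    Public Suffix List so that names like host.example.co.uk are handled correctly."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def looks_dga(name: str, min_len: int = 10, min_entropy: float = 3.5) -> bool:
    """Crude DGA heuristic on the leftmost label: long and close to uniformly random."""
    label = name.lower().split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def analyze(tsv: str, known: Set[str] = KNOWN_DOMAINS) -> Dict[str, dict]:
    """Per querying host: NXDOMAIN rate, DGA-like names, never-seen domains, and
    DGA-like names that actually resolved (the live C2 among the chaff)."""
    per_host: Dict[str, dict] = defaultdict(lambda: {
        "queries": 0, "responses": 0, "nxdomain": 0,
        "dga_like": set(), "resolved_dga": set(), "new_domains": set()})
    for line in tsv.splitlines():
        if not line.strip():
            continue
        src, dst, is_resp, qname, rcode = line.split("\t")
        if is_resp == "0":                       # query: attribute to the asking host
            h = per_host[src]
            h["queries"] += 1
            if looks_dga(qname):
                h["dga_like"].add(qname)
            if registered_domain(qname) not in known:
                h["new_domains"].add(registered_domain(qname))
        else:                                    # response: attribute to its recipient
            h = per_host[dst]
            h["responses"] += 1
            if rcode and int(rcode) == NXDOMAIN:
                h["nxdomain"] += 1
            elif looks_dga(qname):
                h["resolved_dga"].add(qname)
    for h in per_host.values():
        h["nx_rate"] = h["nxdomain"] / h["responses"] if h["responses"] else 0.0
    return dict(per_host)


def suspicious_hosts(tsv: str, max_nx_rate: float = 0.5, max_dga: int = 3) -> List[str]:
    """Hosts worth pivoting on in EDR: a high NXDOMAIN rate or a run of DGA-like names."""
    rep = analyze(tsv)
    return sorted(h for h, m in rep.items()
                  if m["nx_rate"] >= max_nx_rate or len(m["dga_like"]) >= max_dga)


if __name__ == "__main__":
    for host, m in sorted(analyze(SAMPLE_TSV).items()):
        print(f"{host}: q={m['queries']} nx_rate={m['nx_rate']:.2f} "
              f"dga_like={sorted(m['dga_like'])} resolved_dga={sorted(m['resolved_dga'])} "
              f"new={sorted(m['new_domains'])}")
    print("pivot on:", suspicious_hosts(SAMPLE_TSV))
```

Entropy alone will flag CDN and cloud hostnames with hashed labels, so treat `dga_like` as a prompt to look, not a verdict; the `nx_rate` and `resolved_dga` columns together are the stronger signal, and the one user typo (`wwww.example.com`) shows why a single NXDOMAIN means nothing on its own.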

Practical workflow (fast)

  1. Start with DNS → note suspicious domains
  2. Check destination IPs → reputation + geo context
  3. Check time patterns → periodic beaconing?
  4. Jump to endpoint evidence → which process created it?
  5. Contain safely → block domain + isolate host if needed