Wireshark Investigation Process:

  1. Check the duration of the capture first (Capture File Properties)
  2. Check protocol Hierarchy
    1. Work out the scenario from which protocols are involved:
      1. Email → SMTP
      2. Command & Control → HTTP
      3. Check the TCP for any other details
  3. Check Conversations → IPv4 and sort by bytes to determine the top talker. Pick the first three of interest
    1. Perform OSINT to the top talker to investigate deeper.
    2. Take note of the IP, Country, and Characteristic (If malicious or not)
  4. Check the TCP tab and determine which ports are used in the traffic. Sort by bytes to determine the top talker
  5. Check the top talker
    1. Filter on the IP and check the packet details -> Follow -> HTTP Stream -> check the file header (MZ means a binary was downloaded) and Content-Type: application/x-msdownload -> from this information you can check what happened before and after.
  6. In the HTTP stream you can see the plain-text details of the packet.
  7. Check the scenario. What are you looking for? -> Data exfiltration? -> Port scanning?
  8. Notice the Request: -> GET -> POST -> UPDATE -> DELETE
  9. Notice the HTTP communication (3-way handshake) -> SYN -> SYN ACK -> ACK

FILTERING

frame contains "string" #Find the string anywhere in the packet (the filter field name is lowercase)
http.request.method == "POST" #POST is the HTTP method used for uploading to a web server

http.request.method == "POST" && http.host == "www.example.com" #If you want to see a specific upload
http.request.method == "POST" && http.request.uri contains "upload name" #If you want to see a specific URL path

Look for a multipart/form-data Content-Type, as this is typically used in file uploads

The file contents will usually appear after a Content-Disposition header, which specifies the file's name and type

You can see which web server the file was uploaded to when you Follow -> HTTP Stream on the packet.
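The two checks above (the MZ / application/x-msdownload test from step 5 and the multipart/form-data upload test from the filtering notes) applied to a reassembled HTTP message, as an added example that is not part of the original notes. The sample request and response are constructed here, not taken from a real capture; `removeprefix`/`removesuffix` assume Python 3.9+.

```python
import re
# Constructed samples standing in for what Follow -> HTTP Stream shows (not from a real capture)
UPLOAD_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
    b'--XYZ\r\nContent-Disposition: form-data; name="user"\r\n\r\nbob\r\n'
    b'--XYZ\r\nContent-Disposition: form-data; name="file"; filename="secrets.zip"\r\n'
    b"Content-Type: application/zip\r\n\r\nPK\x03\x04fakezipbytes\r\n--XYZ--\r\n"
)
PE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\nMZ\x90\x00" + b"\x00" * 60

def parse_message(raw):
    """Split one HTTP message into start line, lower-cased header dict and raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def is_binary_download(headers, body):
    """Step 5 check: Content-Type application/x-msdownload or an MZ (PE) file header."""
    ctype = headers.get("content-type", "").lower()
    return ctype.startswith("application/x-msdownload") or body[:2] == b"MZ"

def extract_uploads(headers, body):
    """Upload check: (filename, part Content-Type, size) for each file part of a multipart/form-data body."""
    m = re.search(r'multipart/form-data;.*boundary="?([^";]+)"?', headers.get("content-type", ""), re.I)
    if not m:
        return []
    uploads = []
    for part in body.split(b"--" + m.group(1).encode())[1:]:
        if part.startswith(b"--"):          # closing boundary, nothing follows
            break
        part = part.removeprefix(b"\r\n").removesuffix(b"\r\n")
        part_head, _, part_body = part.partition(b"\r\n\r\n")
        fname = re.search(rb'filename="([^"]*)"', part_head)
        if not fname:                       # plain form field, not a file
            continue
        ptype = re.search(rb"content-type:\s*([^\r\n]+)", part_head, re.I)
        uploads.append((fname.group(1).decode("latin-1"),
                        ptype.group(1).decode("latin-1") if ptype else "", len(part_body)))
    return uploads

def triage(raw):
    """Summarise one message the way the steps above walk through it."""
    start, headers, body = parse_message(raw)
    return {"start_line": start, "host": headers.get("host", ""),
            "binary_download": is_binary_download(headers, body),
            "uploads": extract_uploads(headers, body)}
```

Run `triage()` on each message of a followed stream; the `host` and `start_line` fields answer "which web server and which URI", and `uploads` gives the filenames to look up in the Content-Disposition parts.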

To begin investigation: