
Identifying unacceptable or suspicious traffic

Wireshark can be used to identify unusual patterns or packet contents in the network traffic, including network scans, malformed packets, and unusual protocols, applications, or conversations that should not be running on your network. The following is a general list of traffic types that may not be acceptable and/or warrant investigation to validate their legitimacy in your environment:

  • MAC or IP address scans: These attempt to identify active hosts on the network
  • TCP or UDP port scans: These attempt to identify active applications and services

IP address and port scans can be generated from network management applications to build or maintain their list of devices and applications to monitor/manage, but that's usually the only legitimate source of these types of traffic.

  • Clear text passwords: These are passwords that you can read directly in Wireshark's Packet Details or Packet Bytes panes. These are typical for File Transfer Protocol (FTP) logins, but not typical or acceptable elsewhere.
  • Clear text data: This is data in packet payloads that can be read directly. This is typical for HTTP requests and responses and commonly seen in application-server-to-database requests and responses, but these database exchanges should be between hosts on isolated, nonpublic network segments and otherwise physically secure environments.
  • Password cracking attempts: These are repeated, systematic attempts to discover a working password, usually from a single device.
  • Maliciously formed packets: These are packets with intentionally invalid or improperly formatted data in protocol fields that are intended to exploit vulnerabilities in applications.
  • Phone home traffic: This is the traffic from a rogue agent that may be resident on a server or workstation that periodically checks in with a remote (usually off-network) host.
  • Flooding or Denial of Service (DoS) attacks: This is traffic that is intentionally sent at a very high packet-per-second rate to one or more hosts in an attempt to flood the host(s) or network with so much traffic that no one else can access their services.
  • Subversive activities: These include a number of techniques to prepare for and facilitate man-in-the-middle attacks, where a device is tricked into sending packets to a malicious host for the purpose of intercepting data.

This is only a sampling of the types of malicious traffic that you might see on your network; network security is an ever-evolving exchange of increasingly sophisticated attacks and subsequent countermeasures.
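As an added example (not code from the book), the following Python script applies the two scan heuristics from the list above to a constructed set of TCP SYN records, the kind of fields you might export from a capture, and prints a Wireshark display filter that isolates each suspect source. The thresholds, addresses and record layout are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample data (not taken from any real capture): one record per
# TCP SYN observed, as (src_ip, dst_ip, dst_port). Host 10.0.0.5 probes many
# ports on one server (port scan), 10.0.0.9 probes port 445 on many hosts
# (address scan), and 10.0.0.7 is ordinary traffic to two services.
SYN_RECORDS = (
    [("10.0.0.5", "10.0.0.20", port) for port in range(20, 35)]
    + [("10.0.0.9", f"10.0.0.{host}", 445) for host in range(30, 42)]
    + [("10.0.0.7", "10.0.0.20", 443), ("10.0.0.7", "10.0.0.21", 53)]
)


def detect_port_scans(records, min_ports=10):
    """Return {src: dst} for sources that SYN to >= min_ports distinct ports on one host."""
    ports = defaultdict(set)  # (src, dst) -> destination ports attempted
    for src, dst, dport in records:
        ports[(src, dst)].add(dport)
    return {src: dst for (src, dst), seen in ports.items() if len(seen) >= min_ports}


def detect_address_scans(records, min_hosts=8):
    """Return {src: dport} for sources that SYN to the same port on >= min_hosts hosts."""
    hosts = defaultdict(set)  # (src, dport) -> destination hosts attempted
    for src, dst, dport in records:
        hosts[(src, dport)].add(dst)
    return {src: dport for (src, dport), seen in hosts.items() if len(seen) >= min_hosts}


def display_filter(src):
    """Wireshark display filter showing only the suspect's connection attempts (SYN without ACK)."""
    return f"ip.src == {src} && tcp.flags.syn == 1 && tcp.flags.ack == 0"


if __name__ == "__main__":
    for src, dst in detect_port_scans(SYN_RECORDS).items():
        print(f"port scan: {src} -> {dst}; filter: {display_filter(src)}")
    for src, dport in detect_address_scans(SYN_RECORDS).items():
        print(f"address scan: {src} -> port {dport}; filter: {display_filter(src)}")
```

The printed filters can be pasted into Wireshark's display filter bar, or saved as Filter Expression Buttons in a security profile, to pull the flagged conversations out of a larger capture.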

As you develop your security analysis skills, you might want to build a special security profile in Wireshark that includes packet coloring rules based on display filters to help identify suspicious or malformed packets, as well as a set of Filter Expression Buttons that isolate and display various types of questionable traffic you might be looking for.

Some examples of display filters to isolate and inspect suspicious packets include:
