![]() When reviewing pcaps from malware activity, it’s very helpful to know what’s contained within post-infection traffic. But like most websites, various types of malware also use HTTPS. Why? Because most websites use the Hypertext Transfer Protocol Secure (HTTPS) protocol. When reviewing suspicious network activity, we often run across encrypted traffic. The instructions assume you are familiar with Wireshark, and it focuses on Wireshark version 3.x. But still we got something new right ☺.This tutorial is designed for security professionals who investigate suspicious network activity and review packet captures (pcaps) of the traffic. This process may not work if the connection is HTTPS or any other frame is missing. This is one working method to extract live video file from Wireshark. One observation is, we can see “ tcp.stream eq 2” filter got applied on Wireshark main window when “follow TCP stream” was clicked. Now go the live.mpeg and play it with KMPlayer or supported player. Note: You need to wait to let Wireshark process all packets into Raw data.ĭ. Note: We can do follow TCP stream on HTTP frame or TCP frame. Here is the screenshot for graphical understanding. ![]() So frame 18 is the frame we are looking for. Then we can see same ports are being used for further TCP frames in capture. Now if we select packet number 18 (HTTP GET) we can see TCP src port as 44940 and dest port as 8080. We should see many TCP data packets after HTTP GET. So this is not the HTTP packet we are looking for. Packet number 7 is HTTP get and packet number 11 is the HTTP reply. After putting “ http” filter in Wireshark we can see only 3 packets like below. We need to find out appropriate TCP stream or HTTP frame.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |