Packet Analysis with Wireshark

DDoS

  • tcp.flags.syn == 1 and tcp.flags.ack == 0 - shows SYN packets without the ACK flag set (the initial connection requests)

  • tcp.flags.syn == 1 - filters all SYN packets

  • tcp.flags.syn == 1 and tcp.flags.ack == 1 - shows SYN packets with the ACK flag set (the SYN/ACK replies)

  • Statistics → Conversations - if many packets target one IP from many different source addresses and there are no reply packets, it indicates a DDoS

  • Statistics → I/O Graph
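The SYN-flood heuristic the filters and the Conversations view express, as an added example that is not part of the original notes: it applies the SYN-only and SYN/ACK filters to a constructed list of packet records and then flags any destination that receives SYNs from many distinct sources while answering few of them. The Packet record, its field names and all addresses are constructed for the example.

```python
"""Added example (not from the original notes): the SYN-flood heuristic that the
Wireshark filters and Statistics -> Conversations view express, applied to a
constructed list of packet records. Field names mirror Wireshark's
tcp.flags.syn / tcp.flags.ack display-filter fields; sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool


def syn_only(pkts):
    """tcp.flags.syn == 1 and tcp.flags.ack == 0 : initial connection requests."""
    return [p for p in pkts if p.syn and not p.ack]


def syn_ack(pkts):
    """tcp.flags.syn == 1 and tcp.flags.ack == 1 : the server's SYN/ACK replies."""
    return [p for p in pkts if p.syn and p.ack]


def suspected_syn_flood_targets(pkts, min_sources=5, unanswered_ratio=0.8):
    """Return {target: (distinct_sources, unanswered_sources)} for targets that
    receive SYNs from at least min_sources distinct addresses and send SYN/ACK
    back to fewer than (1 - unanswered_ratio) of them."""
    requesters = defaultdict(set)          # target -> set of client addresses that sent SYN
    for p in syn_only(pkts):
        requesters[p.dst].add(p.src)
    answered = defaultdict(set)            # target -> set of clients it replied to (SYN/ACK)
    for p in syn_ack(pkts):
        answered[p.src].add(p.dst)         # reply travels server -> client, so src is the target
    flagged = {}
    for target, clients in requesters.items():
        unanswered = clients - answered.get(target, set())
        if len(clients) >= min_sources and len(unanswered) / len(clients) >= unanswered_ratio:
            flagged[target] = (len(clients), len(unanswered))
    return flagged


# Constructed sample capture: two normal handshakes to 192.0.2.10, one normal
# handshake to 192.0.2.20, and eight unanswered SYNs to 192.0.2.20 from
# different sources (the flood pattern the Conversations view would reveal).
SAMPLE = [
    Packet("10.0.0.2", "192.0.2.10", True, False), Packet("192.0.2.10", "10.0.0.2", True, True),
    Packet("10.0.0.3", "192.0.2.10", True, False), Packet("192.0.2.10", "10.0.0.3", True, True),
    Packet("10.0.0.4", "192.0.2.20", True, False), Packet("192.0.2.20", "10.0.0.4", True, True),
] + [Packet(f"198.51.100.{i}", "192.0.2.20", True, False) for i in range(1, 9)]

if __name__ == "__main__":
    print("SYN without ACK:", len(syn_only(SAMPLE)))
    print("SYN/ACK:", len(syn_ack(SAMPLE)))
    print("suspected flood targets:", suspected_syn_flood_targets(SAMPLE))
```

With a real capture, the same per-target aggregation is what Statistics → Conversations shows: many one-packet conversations converging on one address with nothing sent back. Tune min_sources and unanswered_ratio to the normal connection volume of the host being watched.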


Password Sniffing

HTTP

  • http.request.method == "POST"

FTP

  • ftp

Detect IoT Traffic

  • mqtt
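The three filters above (http.request.method == "POST", ftp, mqtt) each pick out a protocol that can carry credentials in cleartext. As an added example that is not part of the original notes, this script applies the same checks to a constructed list of TCP segments and reports where a login travels unencrypted, redacting the password itself so the audit output is safe to share. The Segment record, the port-based protocol choice and every address and payload are constructed for the example; the MQTT CONNECT layout follows the public MQTT 3.1.1/5 specification.

```python
"""Added example, not from the original notes: an offline audit that applies the
page's protocol checks (HTTP POST, FTP login commands, MQTT CONNECT) to
constructed TCP segments and reports cleartext credential exposure without
echoing the secret values. All records, addresses and payloads are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    payload: bytes


def http_post_request(payload):
    """Return the request target if the segment starts with an HTTP POST request line."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] == b"POST" and parts[2].startswith(b"HTTP/"):
        return parts[1].decode("ascii", "replace")
    return None


def ftp_auth_command(payload):
    """Return ('USER', name) or ('PASS', '<redacted>') for FTP login commands."""
    verb, _, arg = payload.rstrip(b"\r\n").decode("ascii", "replace").partition(" ")
    if verb.upper() == "USER":
        return ("USER", arg)
    if verb.upper() == "PASS":
        return ("PASS", "<redacted>")  # never copy the password into the report
    return None


def _mqtt_varint(data, pos):
    """Decode MQTT's variable-length integer; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 21:
            raise ValueError("bad MQTT variable-length integer")


def parse_mqtt_connect(payload):
    """Parse an MQTT CONNECT packet; return client id, protocol level and credential flags."""
    if not payload or payload[0] >> 4 != 1:          # control packet type 1 = CONNECT
        return None
    length, pos = _mqtt_varint(payload, 1)
    body = payload[pos:pos + length]
    name_len = int.from_bytes(body[0:2], "big")
    if body[2:2 + name_len] not in (b"MQTT", b"MQIsdp"):
        return None
    p = 2 + name_len
    level, flags = body[p], body[p + 1]
    p += 4                                            # level, connect flags, keep-alive (2)
    if level == 5:                                    # MQTT 5 adds a properties block here
        plen, p = _mqtt_varint(body, p)
        p += plen
    cid_len = int.from_bytes(body[p:p + 2], "big")
    client_id = body[p + 2:p + 2 + cid_len].decode("utf-8", "replace")
    return {"client_id": client_id, "level": level,
            "username_flag": bool(flags & 0x80), "password_flag": bool(flags & 0x40)}


def audit(segments):
    """Return (kind, client, server, detail) for each cleartext login observed."""
    findings = []
    for s in segments:
        if s.dport == 80 and (target := http_post_request(s.payload)):
            findings.append(("http-post", s.src, s.dst, "POST " + target))
        elif s.dport == 21 and (cmd := ftp_auth_command(s.payload)):
            findings.append(("ftp-auth", s.src, s.dst, "%s %s" % cmd))
        elif s.dport == 1883 and (c := parse_mqtt_connect(s.payload)):
            findings.append(("mqtt-connect", s.src, s.dst, "client_id=%s username_flag=%s password_flag=%s"
                             % (c["client_id"], c["username_flag"], c["password_flag"])))
    return findings


# Constructed MQTT 3.1.1 CONNECT: flags 0xC2 = username + password + clean session.
MQTT_CONNECT = (bytes([0x10, 0x21]) + b"\x00\x04MQTT\x04\xC2\x00\x3C"
                + b"\x00\x07sensor1" + b"\x00\x03iot" + b"\x00\x07hunter2")

SAMPLE_SEGMENTS = [  # constructed capture: one GET (ignored), one form POST, an FTP login, an MQTT connect
    Segment("10.0.0.5", "192.0.2.30", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment("10.0.0.5", "192.0.2.30", 80, b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
            b"user=alice&password=secret1"),
    Segment("10.0.0.6", "192.0.2.31", 21, b"USER alice\r\n"),
    Segment("10.0.0.6", "192.0.2.31", 21, b"PASS secret1\r\n"),
    Segment("192.0.2.31", "10.0.0.6", 54021, b"230 Login successful.\r\n"),  # server reply, not a command
    Segment("10.0.0.7", "192.0.2.40", 1883, MQTT_CONNECT),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SEGMENTS):
        print(*finding)
```

Port-based protocol selection mirrors how these filters are usually applied in practice; a real audit should also run the parsers on non-standard ports, since Wireshark's own dissectors do the same through heuristics. The MQTT parser reads only the fixed and variable headers plus the client id, which is enough to know that a device is authenticating in cleartext without touching the credential bytes.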
