There is no doubt that Wireshark is the most widely used network traffic analysis tool. Whether it is real-time network traffic analysis, information security forensics analysis, or malware analysis, Wireshark is an indispensable tool. Although Wireshark provides extremely powerful capabilities for protocol parsing and filtering, it does not yet provide any contextual information about the target network node. For a security analyst, TA has to comb through a large number of PCAP files to identify malicious activity, which is a bit like looking for a needle in a haystack.
wireshark-forensics-plugin is a cross-platform Wireshark plugin that correlates network traffic data with threat intelligence, asset classification, and vulnerability data to accelerate network forensic analysis activities. The tool implements its own functionality by extending Wireshark’s native search filters, allowing us to filter data based on these additional contextual properties. In addition to this, the tool can process PCAP files and perform real-time traffic capture.
1. Load the malicious identity CSV exported from a threat intelligence platform such as MISP and associate it with each source/destination IP in the network traffic.
Loads asset classification information based on an IP range to asset type mapping that is capable of filtering incoming/outgoing traffic to specific types of assets (e.g., filtering “database servers”, “employee laptops”, etc.).
2. Load the vulnerability scan information exported from Quallys/Nessus into CVE.
3. Extend the function of the native Wireshark filter to allow filtering based on the severity, source, asset type, and CVE information of each source or destination IP address in the weblog.
How to use
First, we need to clone the project source to local using the following command:
git clone https://github.com/rjbhide/wireshark-forensics-plugin.git
The data/formatted_reports directory in the project contains three files:
asset_tags.csv: Information on asset IP/domain/CIDR and related tags, and provides reference examples for intranet IP and DNS servers;
asset_vulnerabilities.csv: Detailed information about the CVE ID and highest CVSS score for each asset;
indicators.csv: IoC data for intrusion threat indicators, including attribute type, value, severity, and threat type;
All three of the above files can be edited manually, or vulnerability and metrics files can be generated using the exported MISP and Tenable Nessus scan reports. At this point, you need to place the exported file under the following folder with the exact name specified:
data/raw_reports/misp .csv: The file can be exported from MISP via the following path: “Export->CSV_Sig->Generate then Download”;
data/raw_reports/nessus .csv: the file can be exported via the Tenable Nessus interface;
Next, select Options->Export as CSV->Select All->Submit, rename the downloaded file to nessus.csv, and copy it to raw_reports/nessus .csv.
If you plan to get data from ThirdStream instead of MISP, you’ll need to provide the username, API key, and filter information in the config.json file. Every time you run a Python script, the tool tries to fetch the latest IoC from ThirdStream and stores it in a data/formatted_reports/indicators .csv file.
If you’re using Windows, you can run wft directly.exe, or “python wtf.py” to install and update report files if you’re macOS or Ubuntu. The script will automatically look for the installation path of Wireshark.
After the installation is complete, open Wireshark, click “Edit->Configuration Profiles”, select “wireshark_forensics_toolkit”:
Now, launch Wireshark, open a PCAP file or turn on real-time data capture:
A list of available filters
wft.src.domain (source/domain resolution using previous DNS traffic)
wft.src.detection (source IP/domain detection using IOC data)
wft.src.severity (detect vulnerability severity using the source IP/domain of IOC data)
wft.src.threat_type (Detect the severity of the threat type using the source IP/domain of the IOC data)
wft.src.tags (source IP/domain asset tag)
wft.src.os (source IP/domain operating system specified in the vulnerability report)
wft.src.cve_ids (CVE ID list of source IP/domain, comma-separated)
wft.src.top_cvss_score (CVSS score in all CVE IDs for a given host)