Wireshark Forensics Toolkit: cross-platform Wireshark plugin to speed up network forensic analysis

Wireshark Forensics Toolkit

Wireshark-forensics-plugin

Wireshark is the most widely used network traffic analyzer. It is an important tool for both live traffic analysis and forensic analysis by forensic and malware analysts. Even though Wireshark provides incredibly powerful protocol parsing and filtering, it does not provide any contextual information about network endpoints. For a typical analyst who has to comb through gigabytes of PCAP files to identify malicious activity, this is like finding a needle in a haystack.

Wireshark Forensics Toolkit is a cross-platform Wireshark plugin that correlates network traffic data with threat intelligence, asset categorization & vulnerability data to speed up network forensic analysis. It does it by extending Wireshark native search filter functionality to allow filtering based on these additional contextual attributes. It works with both PCAP files and real-time traffic captures.


This toolkit provides the following functionality:

  • Loads a CSV of malicious indicators exported from a Threat Intelligence Platform such as MISP and associates it with each source/destination IP in the network traffic
  • Loads asset classification information as an IP-range to asset-type mapping, which enables filtering incoming/outgoing traffic for a specific type of asset (e.g. filter for ‘Database Server’, ‘Employee Laptop’, etc.)
  • Loads vulnerability scan reports exported from Qualys/Nessus and maps each IP to its CVEs
  • Extends the native Wireshark filter functionality to allow filtering based on severity, source, asset type and CVE information for each source or destination IP address in the network logs

List of filters available

Note: all of these options are also available for the destination address; just replace ‘wft.src’ with ‘wft.dst’.

  • wft.src.domain (Source Domain Resolution using previous DNS traffic)
  • wft.src.detection (Source IP/Domain detection using IOC data)
  • wft.src.severity (Source IP/Domain detection severity using IOC data)
  • wft.src.threat_type (Source IP/Domain threat type using IOC data)
  • wft.src.tags (Source IP/Domain asset tags)
  • wft.src.os (Source IP/Domain operating system specified in vulnerability report)
  • wft.src.cve_ids (Comma-separated list of CVE IDs for source IP/Domain)
  • wft.src.top_cvss_score (Top CVSS score among all CVE IDs for a given host)
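To make the correlation behind these filters concrete, the following is an added Python model of the enrichment and of what a filter such as wft.dst.severity == "high" selects. It is not the toolkit's own code (the real integration runs inside Wireshark as a plugin); the CSV column names, the attribute names used as dictionary keys, the placeholder CVE identifiers, and all IOC, asset, vulnerability and frame data are constructed assumptions. Domain resolution from earlier DNS traffic (wft.src.domain) is not modelled.

```python
"""Model of the enrichment the toolkit applies to each endpoint address.
Added example, not the toolkit's code; every input below is constructed."""
import csv
import io
import ipaddress

# Constructed sample exports. Column names are assumptions about the
# TIP / asset inventory / scanner formats, not the toolkit's real schema.
IOC_CSV = """value,severity,threat_type
203.0.113.7,high,c2
198.51.100.23,medium,scanner
"""

ASSET_CSV = """ip_range,tag
10.0.1.0/24,Database Server
10.0.2.0/23,Employee Laptop
"""

# CVE ids are placeholders (CVE-1900-000x), not real vulnerabilities.
VULN_CSV = """ip,os,cve_id,cvss
10.0.1.5,Ubuntu 20.04,CVE-1900-0001,10.0
10.0.1.5,Ubuntu 20.04,CVE-1900-0002,7.5
10.0.2.40,Windows 10,CVE-1900-0003,8.8
"""

# Constructed frames: (frame_no, src_ip, dst_ip) as seen by the dissector.
FRAMES = [
    (1, "10.0.1.5", "203.0.113.7"),
    (2, "10.0.2.40", "192.0.2.80"),
    (3, "198.51.100.23", "10.0.1.5"),
]


def load_iocs(text):
    """Map IOC value -> (severity, threat_type) from a TIP-style CSV export."""
    return {r["value"]: (r["severity"], r["threat_type"])
            for r in csv.DictReader(io.StringIO(text))}


def load_assets(text):
    """Parse IP-range -> asset-tag rows into (network, tag) pairs."""
    return [(ipaddress.ip_network(r["ip_range"]), r["tag"])
            for r in csv.DictReader(io.StringIO(text))]


def load_vulns(text):
    """Group scanner rows by host: ip -> {"os": str, "cves": [(cve_id, cvss)]}."""
    hosts = {}
    for r in csv.DictReader(io.StringIO(text)):
        host = hosts.setdefault(r["ip"], {"os": r["os"], "cves": []})
        host["cves"].append((r["cve_id"], float(r["cvss"])))
    return hosts


def enrich(ip, iocs, assets, vulns):
    """Compute the wft.<side>.* attributes for one endpoint address.
    Keys mirror the filter names listed above (detection, severity, ...)."""
    addr = ipaddress.ip_address(ip)
    severity, threat_type = iocs.get(ip, ("", ""))
    # An address may fall in several ranges; all matching tags are kept.
    tags = [tag for net, tag in assets if addr in net]
    host = vulns.get(ip, {"os": "", "cves": []})
    return {
        "detection": ip in iocs,
        "severity": severity,
        "threat_type": threat_type,
        "tags": ",".join(tags),
        "os": host["os"],
        "cve_ids": ",".join(cve for cve, _ in host["cves"]),
        # Highest CVSS across the host's CVEs; 0.0 when the host has none.
        "top_cvss_score": max((s for _, s in host["cves"]), default=0.0),
    }


def filter_frames(frames, side, attr, value, iocs, assets, vulns):
    """Emulate a display filter like wft.src.severity == "high": return the
    frame numbers whose <side> ("src" or "dst") endpoint has attr == value."""
    idx = 1 if side == "src" else 2
    return [f[0] for f in frames
            if enrich(f[idx], iocs, assets, vulns)[attr] == value]


if __name__ == "__main__":
    iocs, assets, vulns = load_iocs(IOC_CSV), load_assets(ASSET_CSV), load_vulns(VULN_CSV)
    for frame in FRAMES:
        print(frame, enrich(frame[1], iocs, assets, vulns), enrich(frame[2], iocs, assets, vulns))
    print("wft.dst.severity == high:", filter_frames(FRAMES, "dst", "severity", "high", iocs, assets, vulns))
```

The design point worth noticing is that each lookup is keyed differently: IOCs by exact value, assets by CIDR containment, vulnerabilities by host with a per-host aggregate (top CVSS). That is why a single enriched record per endpoint, computed once per frame, is what the filters select on, rather than three separate joins at filter time.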

Download & Use