Wireshark for Malware Analysis: Capturing and Analyzing Malicious Network Traffic

Table of Contents

Every piece of malware that communicates with the internet leaves traces in network traffic. Whether it's a callback to a C2 server, credential exfiltration to a remote host, or download of a secondary payload, the network layer records what the malware is doing. Wireshark is the industry-standard tool for capturing and analyzing this traffic — and it's free. This guide explains how to use it in a malware analysis context.

Setting Up a Safe Malware Analysis Environment

Critical: Never analyze malware on your primary work machine or a machine connected to your production network. Always use a dedicated, isolated environment:

  • A virtual machine (VMware Workstation, VirtualBox, or similar) with a snapshot taken before malware execution
  • Network set to host-only or a dedicated isolated network that does not connect to your real network or the internet
  • For internet-connected analysis: use a dedicated analysis machine on a segmented VLAN with outbound traffic logging

For internet-required analysis, consider services like INetSim (simulates internet services) or FakeNet-NG (intercepts and responds to malware's network requests) to provide responses without actual internet exposure.

Installing and Setting Up Wireshark

Download Wireshark from wireshark.org (official site only). Install on your analysis VM. On Windows, install with the npcap driver (captures live traffic). On Linux, Wireshark is available via package manager:

sudo apt install wireshark

Starting a Capture

  1. Open Wireshark
  2. Select your network interface (typically the main LAN interface in your VM)
  3. Click the blue shark fin icon to start capturing
  4. Execute the malware sample
  5. Observe traffic in real time
  6. Click the red square to stop capturing when you have sufficient data

Saving Captures

File > Save As > Save as .pcap or .pcapng for later analysis or sharing.

Essential Wireshark Display Filters for Malware Analysis

Display filters narrow down the traffic to what matters. These are the most useful for malware analysis:

HTTP/HTTPS Traffic

http
tls
http.request
http.response

Filter for specific HTTP methods:

http.request.method == "POST"

POST requests from malware often indicate data exfiltration — the malware is sending stolen data to the attacker.

DNS Analysis

dns
dns.qry.name contains "suspicious-domain"

DNS queries reveal every domain the malware attempts to resolve — including C2 server names, update check domains, and exfiltration endpoints.

Look for:
- High-frequency DNS queries to the same domain (C2 beaconing)
- DGA (Domain Generation Algorithm) names — random-looking domain names like xkqjflmz.com or a3f7h2k9.net
- Unusually long DNS queries (DNS tunneling — malware encoding data in DNS queries)

Filtering by IP

ip.addr == 192.168.1.100        # traffic to/from a specific IP
ip.dst == 10.0.0.1              # traffic TO a specific destination
not ip.addr == 192.168.1.1      # exclude your gateway

TCP Connection Analysis

tcp.flags.syn == 1 && tcp.flags.ack == 0   # new TCP connection attempts

Shows every server the malware tries to connect to.

Excluding Noise

not arp and not icmp and not broadcast

Removes non-essential traffic to focus on application-layer communication.

Identifying C2 Communication Patterns

Beaconing

Malware checking in with its C2 server typically produces a regular, repeating pattern of connections. In Wireshark, look for:
- Connections to the same IP or domain at regular intervals (every 30 seconds, every 5 minutes)
- Short, small packets going to the same destination repeatedly
- Responses that are similarly sized each time (heartbeat/keep-alive pattern)

Statistics > IO Graphs can visualize traffic patterns over time, making beaconing visually obvious.

Data Exfiltration

Exfiltration appears as large outbound transfers — especially:
- Large HTTP POST requests to unexpected endpoints
- Large HTTPS transfers to cloud services (S3, OneDrive, Dropbox) or unknown hosts
- FTP transfers
- Email (SMTP) sending without user action

Statistics > Protocol Hierarchy shows the relative volume of each protocol — unexpected large HTTPS percentages warrant investigation.

Payload Download

Droppers downloading secondary payloads appear as HTTP GET requests followed by large responses containing executables:
- Look for Content-Type headers in responses: application/octet-stream, application/x-msdownload, application/exe
- Filter: http.content_type contains "octet" or http.content_type contains "exe"

Extracting Files from PCAP

Wireshark can extract files transmitted over unencrypted protocols:
- File > Export Objects > HTTP: Extracts files transferred over HTTP
- This works for unencrypted downloads — HTTPS traffic requires the TLS session keys to decrypt

For HTTPS decryption: configure the malware's process to log TLS session keys (using SSLKEYLOGFILE environment variable if the malware uses standard SSL libraries), then load the key log in Wireshark: Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename.

Practical Analysis Workflow

  1. Start capture in Wireshark before executing the sample
  2. Execute malware in your isolated environment
  3. Let it run for 5–15 minutes to capture full behavior
  4. Stop capture and save the PCAP
  5. Apply DNS filter — document all domains queried
  6. Apply HTTP filter — review all HTTP requests/responses
  7. Check Statistics > Conversations — list all unique IP communications
  8. Look up external IPs in threat intel (VirusTotal, Shodan, AbuseIPDB)
  9. Extract any downloadable files via Export Objects
  10. Document IOCs: domains, IPs, URL paths, User-Agent strings, unique headers

Tools That Complement Wireshark

NetworkMiner: Parses PCAP files and presents artifacts (hosts, sessions, files, credentials) in an organized GUI — useful for quick analysis of saved captures.

Zeek (formerly Bro): Generates structured logs from PCAP files, making programmatic analysis easier than reading raw Wireshark displays.

Suricata: Run a PCAP through Suricata with updated rules to automatically flag known malicious patterns.

JA3/JA3S: Fingerprinting TLS clients and servers based on the TLS handshake — useful for identifying malware even when the content is encrypted.

FAQ

Can Wireshark decrypt HTTPS/TLS traffic from malware?
Only if you have the TLS session keys. Some malware analysis environments are configured to intercept TLS (man-in-the-middle with a trusted root certificate) or use techniques to extract session keys.

Do I need to run malware live to analyze its network traffic?
You can analyze pre-captured PCAP files from sandboxes. Many online sandboxes (Any.run, Triage) provide downloadable PCAP files of malware execution — useful for practice and analysis without running malware yourself.

What's a DGA and how do I recognize it in Wireshark?
Domain Generation Algorithms produce random-looking domain names as C2 addresses. Signs: many DNS queries to unregistered or nonsensical domains, often with NX (non-existent) responses. Tools like DGArchive help identify known DGA families.

Is Wireshark legal to use?
Capturing traffic on networks you own or have explicit permission to monitor is legal. Capturing traffic on networks without authorization is illegal in most jurisdictions.


This article is published by ScamSandbox to help users understand and avoid malware threats and online scams.

Sc

ScamSandbox Team

Cybersecurity Expert at ScamSandbox

Share: