Showing posts with label windows.

Friday, February 15, 2013

Packet Capture Forensics with WireShark

Wireshark is a network protocol analyzer: it lets you monitor, capture and analyze network traffic. With a large raw capture, filtering the data down to what matters can be a daunting task, so I will show a few simple tips and tricks for narrowing tons of packets to the ones you are looking for.

Always start by putting the capture in chronological order, with the earliest packets at the top: click the Time column header to sort the packets by time.


Next, filter the packets by the relevant protocol. In the box at the top labelled "Filter:", start typing the name of the protocol you want (Wireshark will auto-complete it), then click the Apply button on the right and only the matching packets will be shown.


If you are looking for a specific string in the data, search the packet bytes: in the top menu select Edit, then Find Packet, or use the shortcut Ctrl+F. In the dialog that pops up, select the String radio button and type your string in the box.


Looking Up Name Servers in Windows

Looking up name servers is simple. Open a Windows Command Prompt, type nslookup and press Enter. At the prompt, which looks like a greater-than sign (>), type set querytype=ns and press Enter again. Now type the name of the domain you want to look up.

  1. Open a Windows Command Prompt.
  2. Type nslookup and press Enter.
  3. Type set querytype=ns and press Enter.
  4. Type the name of the domain to look up, for example google.
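An added example (my own code, not from the original posts) that ties the two posts together: it builds the DNS NS query that `set querytype=ns` makes nslookup send, and parses the NS records out of a response, using a constructed sample response instead of a live lookup so it runs offline. The same bytes are what you would see in Wireshark after applying the display filter `dns.qry.type == 2` (NS queries and their answers).

```python
import struct

def build_ns_query(domain, txid=0x1234):
    """Wire-format DNS query for the NS records of `domain` (what nslookup sends on UDP/53)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set; 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in domain.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 2, 1)              # QTYPE=NS (2), QCLASS=IN (1)

def read_name(msg, offset):
    """Decode a (possibly compressed) domain name at `offset`; return (name, offset after it)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                                # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_off = offset + 2                            # resume after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (next_off if jumped else offset)

def parse_ns_answers(msg):
    """Return the NS host names found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                                     # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                              # QTYPE + QCLASS
    names = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 2:                                           # NS record: RDATA is a name
            names.append(read_name(msg, offset)[0])
        offset += rdlen
    return names

# Constructed sample response: example.com NS -> ns1/ns2.example.com, using name compression.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)           # response, RD+RA, 2 answers
    + b"\x07example\x03com\x00" + struct.pack(">HH", 2, 1)        # question (name at offset 12)
    + b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 3600, 6) + b"\x03ns1\xc0\x0c"
    + b"\xc0\x0c" + struct.pack(">HHIH", 2, 1, 3600, 6) + b"\x03ns2\xc0\x0c"
)

if __name__ == "__main__":
    print(build_ns_query("example.com").hex())
    print(parse_ns_answers(SAMPLE_RESPONSE))                     # ['ns1.example.com', 'ns2.example.com']
```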