Traffic Analysis

This section assumes the use of Wireshark.

DNS

The DNS query type can be found in the dns.qry.type field, or under Domain Name System > Queries > Select Query > Type.

The DNS response type can be found in the dns.resp.type field, or under Domain Name System > Answers > Select Answer > Type.

To investigate data being exfiltrated via DNS, see Trick Or Breach.

FTP

The FTP command can be found in the ftp.request.command field, or under File Transfer Protocol > Request > Command; the command's argument is in ftp.request.arg. Because FTP authenticates in cleartext, this also exposes the usernames and passwords sent to log in: filter on ftp.request.command == USER and ftp.request.command == PASS and read the argument of each.

PORT (or PASV/EPSV) is not a command the user typed: the client sends it automatically to set up the data connection. The first command a user actually runs after logging in will usually be LIST (a directory listing).

To look for successful authentication, filter on ftp.response.code == 230.

Deleting files can be found with ftp.request.command == DELE.

Uploading files can be found with ftp.request.command == STOR. The file contents do not travel over the control channel but over a separate data connection (ftp-data), so the uploaded size has to be derived from it: note the packet numbers of the ftp-data packets between the STOR command and the 226 (Transfer complete) response and sum their TCP payload lengths, or Follow > TCP Stream on the data connection, which shows the byte count of the conversation.

Downloading files can be found with ftp.request.command == RETR.
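The FTP checks above (USER/PASS, the 230 login result, the first command the user typed after login, DELE, and the size of a STOR upload measured from the ftp-data connection) put together as a script, run over tshark field output. This is an added example written for this page, not code from the original; the session below is constructed to imitate what tshark -T fields prints (frame.number, tcp.stream, tcp.len, ftp.request.command, ftp.request.arg, ftp.response.code, tab-separated), and the set of automatic data-channel commands is an assumption.

```python
from collections import defaultdict

# Constructed sample: these lines imitate the tab-separated output of
#   tshark -r capture.pcap -Y "ftp || ftp-data" -T fields \
#       -e frame.number -e tcp.stream -e tcp.len \
#       -e ftp.request.command -e ftp.request.arg -e ftp.response.code
# (one packet per line, a field is empty when the packet lacks it).
# The session itself is made up for this example.
SAMPLE_TSHARK_FIELDS = """\
1\t0\t20\t\t\t220
2\t0\t12\tUSER\talice\t
3\t0\t33\t\t\t331
4\t0\t14\tPASS\thunter2\t
5\t0\t24\t\t\t230
6\t0\t6\tPASV\t\t
7\t0\t50\t\t\t227
8\t0\t6\tLIST\t\t
9\t0\t40\t\t\t150
10\t1\t120\t\t\t
11\t0\t24\t\t\t226
12\t0\t6\tPASV\t\t
13\t0\t50\t\t\t227
14\t0\t18\tSTOR\tpayload.bin\t
15\t0\t40\t\t\t150
16\t2\t1448\t\t\t
17\t2\t1448\t\t\t
18\t2\t300\t\t\t
19\t0\t24\t\t\t226
20\t0\t15\tDELE\tnotes.txt\t
21\t0\t30\t\t\t250
22\t0\t6\tQUIT\t\t
23\t0\t14\t\t\t221
"""

# Commands the client issues on its own to set up the data channel; these are
# not what the user typed (assumed list, extend as needed).
DATA_SETUP_COMMANDS = {"PORT", "EPRT", "PASV", "EPSV", "TYPE"}


def parse_fields(text):
    """Turn tshark -T fields lines into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, stream, tcp_len, cmd, arg, code = line.split("\t")
        packets.append({"frame": int(frame), "stream": int(stream),
                        "len": int(tcp_len), "cmd": cmd, "arg": arg,
                        # a multi-line reply lists several codes, comma-separated
                        "code": code.split(",")[0]})
    return packets


def summarise_ftp(packets):
    """Credentials, login result, first user command, transfers and deletions."""
    summary = {"user": None, "password": None, "login_ok": False,
               "first_user_command": None, "transfers": [], "deleted": []}
    control_stream = None   # tcp.stream carrying the FTP commands
    pending = None          # LIST/STOR/RETR waiting for its data connection
    data_owner = {}         # data tcp.stream -> the transfer it belongs to
    for p in packets:
        if p["cmd"]:
            control_stream = p["stream"]
            cmd, arg = p["cmd"], p["arg"]
            if cmd == "USER":
                summary["user"] = arg
            elif cmd == "PASS":
                summary["password"] = arg
            elif cmd == "DELE":
                summary["deleted"].append(arg)
            elif cmd in ("LIST", "STOR", "RETR"):
                pending = {"command": cmd, "arg": arg, "bytes": 0}
                summary["transfers"].append(pending)
            if (summary["login_ok"] and summary["first_user_command"] is None
                    and cmd not in DATA_SETUP_COMMANDS):
                summary["first_user_command"] = cmd
        elif p["code"]:
            if p["code"] == "230":      # "User logged in"
                summary["login_ok"] = True
            elif p["code"] == "226":    # "Transfer complete": data connection done
                pending = None
        elif (control_stream is not None and p["stream"] != control_stream
              and p["len"] > 0):
            # Any other TCP stream seen while a transfer is pending is its
            # ftp-data connection; summing tcp.len gives the file size.
            if p["stream"] not in data_owner and pending is not None:
                data_owner[p["stream"]] = pending
            if p["stream"] in data_owner:
                data_owner[p["stream"]]["bytes"] += p["len"]
    return summary


if __name__ == "__main__":
    s = summarise_ftp(parse_fields(SAMPLE_TSHARK_FIELDS))
    print(f"login {s['user']}:{s['password']} ok={s['login_ok']}, "
          f"first user command {s['first_user_command']}")
    for t in s["transfers"]:
        print(f"{t['command']} {t['arg']} {t['bytes']} bytes")
    print("deleted:", s["deleted"])
```

On the sample the STOR of payload.bin sums to 3196 bytes from the three ftp-data segments, which is the number Follow > TCP Stream would report for that data connection; RETR downloads are measured the same way, only in the other direction.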

HTTP

To get the downloaded files from a PCAP, use File > Export Objects > HTTP. Save the object and run md5sum on it to get the MD5 hash of the file.

NOTE: Export Objects only reassembles content carried in HTTP bodies. A file smuggled out via DNS (for example encoded into query names) is not recovered this way and has to be reassembled by hand from the DNS packets.
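The manual reassembly that Export Objects cannot do for DNS, as an added example (not part of the original page). It assumes a pattern the page does not describe: each query carries one hex-encoded chunk of the file as the labels to the left of an attacker domain, sent in file order; both the domain exfil.example and the query list (imitating tshark -T fields -e frame.number -e dns.qry.name output) are constructed for the example. The hash it prints is what md5sum would print for the reassembled file.

```python
import binascii
import hashlib

# ASSUMED exfiltration pattern, not something the page describes: each DNS
# query carries one hex-encoded chunk of the file as the label(s) to the left
# of the attacker's domain, and the queries are sent in file order.
EXFIL_DOMAIN = "exfil.example"   # assumed attacker-controlled domain

# Constructed sample imitating
#   tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
#       -e frame.number -e dns.qry.name
# Frame 104 is a client retry of frame 103 (same name resent after a timeout).
SAMPLE_DNS_QUERIES = """\
101\t73616d706c6520.exfil.example
102\twww.example.com
103\t7365637265740a.exfil.example
104\t7365637265740a.exfil.example
105\tupdates.example.net
"""


def exfil_chunks(text, domain=EXFIL_DOMAIN):
    """Yield (frame, hex_chunk) for queries under the exfil domain, dropping
    consecutive duplicates (DNS retries) that would otherwise double a chunk."""
    suffix = "." + domain
    previous = None
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, name = line.split("\t")
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        if name == previous:      # retransmitted query, not new data
            continue
        previous = name
        # A chunk may be split over several labels (63 bytes max each); join them.
        chunk = name[:-len(suffix)].replace(".", "")
        yield int(frame), chunk


def reassemble(text, domain=EXFIL_DOMAIN):
    """Concatenate the decoded chunks in capture order into the original bytes."""
    data = bytearray()
    for frame, chunk in sorted(exfil_chunks(text, domain)):
        try:
            data += binascii.unhexlify(chunk)
        except binascii.Error as exc:   # odd length or non-hex label
            raise ValueError(f"frame {frame}: bad chunk {chunk!r}") from exc
    return bytes(data)


def md5_hex(data):
    """Same value md5sum would print for the reassembled file."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    blob = reassemble(SAMPLE_DNS_QUERIES)
    print(blob)
    print(md5_hex(blob), "reassembled.bin")
```

Retries are the edge case to watch: a resolver that times out resends the identical query, and naive concatenation would insert that chunk twice. Dropping consecutive duplicate names handles that; if the real scheme carries a sequence number in a label, key on that instead.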

Telnet

To find the username and password used to log in, click on a Telnet packet and Follow > TCP Stream. The username and password are the first two lines the client sends. Telnet normally sends each keystroke in its own packet and the server echoes it back, so in the merged view the username appears with every character doubled (the password is usually not echoed); choose the client-to-server direction in the Follow dialog's conversation dropdown to see the typed text cleanly.
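The same extraction as a script, added here as an example and not taken from the original page: it keeps only the client-to-server bytes, strips the Telnet option negotiation (IAC sequences) that precedes the login prompt, applies Backspace/DEL so a corrected typo does not end up in the recovered username, and also builds the merged both-direction view to show the doubled-echo effect. The two-direction stream below is constructed for the example.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0          # Telnet command bytes (RFC 854)
BS, DEL = 0x08, 0x7F


def _typed(text, echoed):
    """Build one packet per keystroke, plus the server's echo if echoed."""
    pkts = []
    for c in text:
        pkts.append(("c2s", bytes([c])))
        if echoed:
            pkts.append(("s2c", bytes([c])))
    return pkts


# Constructed two-direction stream imitating what Follow > TCP Stream shows
# for a Telnet login; "c2s" is client->server, "s2c" server->client.
# Option negotiation (IAC sequences) precedes the prompt; the username is
# echoed character by character, the password is not.
SAMPLE_TELNET_STREAM = (
    [("c2s", b"\xff\xfd\x03\xff\xfb\x18"),          # IAC DO SGA, IAC WILL TTYPE
     ("s2c", b"\xff\xfb\x03\xff\xfd\x18"),          # IAC WILL SGA, IAC DO TTYPE
     ("s2c", b"\xff\xfa\x18\x01\xff\xf0"),          # IAC SB TTYPE SEND IAC SE
     ("c2s", b"\xff\xfa\x18\x00XTERM\xff\xf0"),     # IAC SB TTYPE IS "XTERM" IAC SE
     ("s2c", b"login: ")]
    + _typed(b"alicf", True)                        # typo ...
    + [("c2s", b"\x7f"), ("s2c", b"\x08 \x08")]     # ... corrected with Backspace
    + _typed(b"e", True)
    + [("c2s", b"\r\n"), ("s2c", b"\r\n"), ("s2c", b"Password: ")]
    + _typed(b"hunter2", False)
    + [("c2s", b"\r\n"), ("s2c", b"\r\nLast login: Mon\r\n$ ")]
)


def strip_negotiation(data):
    """Remove IAC option negotiation, leaving only the bytes the user sent."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):      # dangling IAC at end of capture
            break
        cmd = data[i + 1]
        if cmd == IAC:              # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:             # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:   # WILL/WONT/DO/DONT carry an option byte
            i += 3
        else:                       # NOP, GA, ... are two bytes
            i += 2
    return bytes(out)


def apply_line_editing(line):
    """Apply Backspace/DEL so the result is what the user ended up typing."""
    out = bytearray()
    for b in line:
        if b in (BS, DEL):
            if out:
                out.pop()
        else:
            out.append(b)
    return bytes(out)


def client_lines(stream):
    """Lines typed by the client, in order: negotiation stripped, edits applied."""
    raw = b"".join(data for direction, data in stream if direction == "c2s")
    text = strip_negotiation(raw).replace(b"\r\0", b"\r\n")  # Enter may be CR NUL
    return [apply_line_editing(l).decode("latin-1") for l in text.split(b"\r\n")]


def extract_login(stream):
    """(username, password): the first two lines the client sends."""
    lines = client_lines(stream)
    return lines[0], lines[1] if len(lines) > 1 else ""


def naive_follow_stream(stream):
    """Both directions merged, as the default Follow view shows them."""
    return strip_negotiation(b"".join(d for _, d in stream)).decode("latin-1")


if __name__ == "__main__":
    user, pw = extract_login(SAMPLE_TELNET_STREAM)
    print("username:", user, "password:", pw)
    print("merged view:", repr(naive_follow_stream(SAMPLE_TELNET_STREAM)))
```

The merged view shows "login: aalliicc..." because every echoed keystroke appears twice, while the client-only view yields alice and hunter2; this is the same difference you get by switching the Follow dialog from the entire conversation to the client-to-server direction.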