Analyzing malware traffic (Must know)

In this recipe we will see how Tshark can be an excellent support tool for malware traffic analysis. Likewise we will see some useful filters that help us identify possible infected computers on our network.

Getting ready

Performing simple checks on our network periodically can help us to detect malware. For example, if your network hosts use an internal DNS to resolve names, something as simple as checking that all requests are coming from that server can help us identify infected hosts. The reason is that malware might bypass the host DNS settings. For example, using the DNS_QUERY_NO_HOSTS_FILE flag in the DnsQuery API, the malware will not query the hosts file. Even better, the malware can open a UDP socket ...

Get Instant Traffic Analysis with Tshark How-to now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Instant Traffic Analysis with Tshark How-to by Borja Merino

Analyzing malware traffic (Must know)

Getting ready

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly