Using Wireshark to Identify Malicious Network Activity

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

In this lab, we will learn how to use Wireshark to identify malicious network traffic. We will download two packet captures and analyze them, checking for signs of beaconing and exfiltration via DNS tunneling.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Install Wireshark.
  1. Use your preferred VNC client to connect to the host using the provided public IP on port 5901.
  2. Run the commands sudo apt-get update and sudo apt-get install -y wireshark.
  3. When asked if you want to allow non-superusers to capture packets, select Yes.
Download and analyze packet captures.

Download the following PCAP files to the Downloads directory:

Create the firewall rules.
  1. Use Gedit to create a file named firewall-rules.txt and save it on the Desktop.
  2. Review the two packet captures and identify the source and destination involved in beaconing and DNS tunneling, and create a rule for each of the two activities.
  3. The firewall-rules.txt file should contain two access lists which following the format outlined in the Guide. Remember Linux is case sensitive.
  4. The firewall rule to block beaconing is:
    access-list BLOCK deny TCP eq 80
  5. The firewall rule to block DNS tunneling is:
    access-list BLOCK deny UDP eq 53

Additional Resources

Your supervisor has asked you to review two packet captures from the network team and see if you can identify any DNS tunneling activity or beaconing activity, which are both indicators of a compromise.

Once you connect to the server with VNC, you'll need to install Wireshark so you can analyze the two packet captures.

The packet capture files can be downloaded from the following locations:


After you analyze the packet captures, you'll need to create a firewall rule for each of them. The firewall uses the following format:

access-list BLOCK deny [TCP/UDP] [source IP/subnet mask] [destination IP/subnet mask] eq [port#]


access-list BLOCK deny TCP eq 80

Your supervisor wants these firewall rules saved to a file named firewall-rules.txt on the desktop of the server. Nano is installed on the server and can be used to create this file. Remember, Linux is case-sensitive, so make sure to follow the case shown in the example.

Note: Because the desktop environment is XFCE, you will need to launch wireshark-gtk, not standard wireshark.

Connecting to the lab:

  1. VNC connections will be different for each operating system. If you need a VNC client program, you can use the VNC viewer available at: Make sure to specify the port 5901 via: when creating a connection. (On some occasions, the lab needs a bit more time before you can connect via teh VNC viewer).
    • Log in with the username and password generated by the lab.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?