1. Summary of Findings
I conducted a 30-minute traffic capture session using Wireshark on a live network. The analysis of the captured data revealed several key insights into protocol distribution, security posture, and network efficiency.
Protocol Distribution
QUIC/UDP traffic was dominant (72%), highlighting the shift away from traditional TCP-based protocols for web browsing.
Security Concerns
A suspicious IP (45.133.9.xx) was observed performing UDP port scanning, indicating a potential external threat.
Encrypted Traffic
An overwhelming majority (94%) of all captured traffic was encrypted, confirming strong modern security practices.
DNS Anomalies
Observed abnormally large DNS TXT records sent to an uncommon resolver, suggesting potential DNS tunneling activity.
Connection Efficiency
QUIC connections showed a 42% average reduction in connection establishment time compared to TLS over TCP.
2. Methodology
Setup and Capture
Wireshark was installed and run on a Linux system with root privileges to capture traffic from the primary network interface (`wlp1s0`). The capture was performed during a session of typical user activity, including web browsing, email, and network file access.
Traffic Filtering and Analysis
After capturing the data, I used Wireshark's powerful display filters to isolate specific types of traffic for analysis. Key filters used included `http`, `dns`, `tcp.port == 80`, and `ip.addr == [IP]`, which allowed me to drill down into specific conversations and protocols.
3. Packet Analysis Example
Below is a detailed breakdown of a captured TCP packet, demonstrating the granular level of analysis possible with Wireshark. This helps in understanding protocol behavior and troubleshooting network issues.
Internet Protocol Version 4, Src: 192.168.0.162, Dst: 91.189.91.49
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
Total Length: 139
Identification: 0x2cdf (11487)
Flags: 0x40, Don't fragment
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x9555 [validation disabled]
Source Address: 192.168.0.162
Destination Address: 91.189.91.49
4. Conclusion and Recommendations
Key Takeaway
This analysis clearly shows the ongoing shift towards more efficient and secure protocols like QUIC. It also underscores the constant need for vigilance against potential threats like port scanning and DNS anomalies.
Recommendations
- Embrace QUIC/HTTP3 by configuring web services and network equipment to support modern UDP-based protocols.
- Adapt security monitoring tools and practices to effectively analyze QUIC and other encrypted traffic patterns.
- Investigate and block suspicious IP addresses found performing reconnaissance on the network.