Wireshark might not be the best choice for something like this. There are some options here. Note that if your level of paranoia is at the nation-state level, nothing running on the potentially compromised host should be trusted to provide you accurate information.
In this case you could put a network capture system with Wireshark external to this potentially-compromised system under review and start with that traffic as your initial information source. Not a direct link to the application that created it, but at least you have the traffic profile. Encrypted traffic in this case is problematic for you since you won't be able to tell the content to make a final determination of normal or suspicious.
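To illustrate the "start with the traffic profile" approach from an out-of-band capture, here is an added example (not part of the original answer) that aggregates packet metadata into per-conversation and per-host summaries without needing to see encrypted payloads. It assumes the capture was taken on a tap or mirror port outside the host under review and exported with tshark as tab-separated fields (the sample lines, IP addresses and the "expected ports" set are constructed for this example).

```python
"""Traffic profile from out-of-band capture metadata (added example).

Assumes tshark output such as:
  tshark -r capture.pcap -T fields -E separator=/t \
    -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e frame.len
Only metadata is used, so TLS conversations (443, 8443) still contribute
destination, timing and volume even though their content is opaque.
"""
from collections import defaultdict

# Constructed sample capture lines (not real traffic): one host under review
# talking to a DNS server, two HTTPS destinations and one non-standard port.
SAMPLE_CAPTURE = """\
1700000000.000\t10.0.0.5\t93.184.216.34\t443\t1460
1700000000.100\t10.0.0.5\t93.184.216.34\t443\t1460
1700000001.000\t10.0.0.5\t10.0.0.53\t53\t80
1700000002.000\t10.0.0.5\t203.0.113.7\t8443\t1460
1700000002.200\t10.0.0.5\t203.0.113.7\t8443\t1460
1700000002.400\t10.0.0.5\t203.0.113.7\t8443\t1460
1700000003.000\t10.0.0.5\t198.51.100.9\t443\t900
"""

# Ports the reviewer expects this host to use; a constructed assumption.
EXPECTED_PORTS = {53, 80, 443}


def parse_capture(text):
    """Parse tab-separated tshark lines into (ts, src, dst, dport, length) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, length = line.split("\t")
        records.append((float(ts), src, dst, int(dport), int(length)))
    return records


def conversation_profile(records):
    """Aggregate packets into counters keyed by (src, dst, dport)."""
    profile = {}
    for ts, src, dst, dport, length in records:
        key = (src, dst, dport)
        entry = profile.setdefault(
            key, {"packets": 0, "bytes": 0, "first": ts, "last": ts}
        )
        entry["packets"] += 1
        entry["bytes"] += length
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return profile


def conversations_to_review(profile, expected_ports=EXPECTED_PORTS):
    """Conversations on ports outside the expected set, largest by bytes first.

    This is a triage list for the analyst, not a verdict: a non-standard
    port is a reason to look closer, not proof of anything.
    """
    flagged = [key for key in profile if key[2] not in expected_ports]
    return sorted(flagged, key=lambda k: profile[k]["bytes"], reverse=True)


def host_summary(profile):
    """Per source host: total bytes sent and the set of destinations contacted."""
    summary = defaultdict(lambda: {"bytes": 0, "destinations": set()})
    for (src, dst, _dport), entry in profile.items():
        summary[src]["bytes"] += entry["bytes"]
        summary[src]["destinations"].add(dst)
    return dict(summary)


if __name__ == "__main__":
    prof = conversation_profile(parse_capture(SAMPLE_CAPTURE))
    for key, entry in sorted(prof.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(key, entry)
    print("hosts:", host_summary(prof))
    print("review first:", conversations_to_review(prof))
```

Because the capture point sits outside the host, this profile stays trustworthy even if the host's own tooling is compromised; what it cannot give you is the process that generated each conversation, so the flagged list is the starting point for correlating with other evidence rather than a final answer.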