I am new to Wireshark, and am trying to learn as much as possible, and wasn't sure where to start. I heard somewhere from doing research online that the books can't teach/show you everything, so a good place to get started is to look around, use it, and get familiar with it. I noticed on the Wireshark site that they have some captures. I thought it would be interesting to see what a virus/trojan looked like. I downloaded the slammer.pcap, and am trying to figure out the main things that would pop out warning the administrator that it is a malicious packet?
asked 27 Nov '12, 15:34
Wireshark is a network analyzer, so it helps to detect problems within the network and/or with networked applications. Wireshark is unable to detect "malicious" content in a packet as it has no functionality for that. You can however do that manually, if you know what to look for.
There is an extension for Wireshark, called WireShnork, which combines the functionality of Wireshark with the detection capabilities of Snort. With that plugin, you will be able to detect malicious "actions/content" in a packet (or data stream), if there is a pattern for that specific attack. However, that's more a Snort question than a Wireshark question.
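As an illustration of "doing it manually if you know what to look for", here is an added example (not code from Wireshark, WireShnork or the answer's author). Slammer is a single UDP datagram sent to port 1434, the SQL Server Resolution Protocol (SSRP) port, and a legitimate SSRP client request is only a one-byte request type followed by, at most, a short printable instance name. So the things that "pop out" are the destination port combined with a payload that is far too large for the protocol, a long run of one repeated byte (classic overflow filler), and non-printable bytes where a name belongs. The script below parses a little-endian libpcap file with only the standard library, decodes Ethernet/IPv4/UDP by hand, and flags UDP/1434 datagrams on those three heuristics. The sample capture is constructed in memory; the oversized payload is synthetic filler, not the worm's actual bytes, and the 64-byte threshold is an assumption, not a protocol constant. The equivalent first cut in Wireshark is the display filter `udp.dstport == 1434 && udp.length > 72` (`udp.length` counts the 8-byte header).

```python
"""Flag anomalous UDP/1434 (SSRP) datagrams in a libpcap file using only
the standard library.  Added example; assumes a little-endian libpcap
file with Ethernet link type.  Sample packets are constructed inline."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
SSRP_PORT = 1434
# Assumption: a real SSRP request is 1 type byte + an instance name of at
# most a few dozen characters, so anything above this is worth a look.
SUSPICIOUS_PAYLOAD_LEN = 64
FILLER_RUN_LEN = 32  # a run of one byte this long looks like overflow padding


def build_pcap(frames):
    """Serialise Ethernet frames as a little-endian libpcap blob (24-byte
    global header, then a 16-byte record header before each frame)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(
        struct.pack("<IIII", 1354000000 + i, 0, len(f), len(f)) + f
        for i, f in enumerate(frames))
    return header + body


def udp_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/UDP frame; checksums are left zero because this
    is constructed sample data, not traffic to be sent."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0, src, dst)
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    return eth + ip + udp


def iter_packets(pcap):
    """Yield raw frames from a little-endian libpcap blob."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian libpcap files are handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_udp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if the frame
    is not IPv4 over Ethernet carrying UDP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, udp_len = struct.unpack_from("!HHH", ip, ihl)
    return src, dst, sport, dport, ip[ihl + 8:ihl + udp_len]


def longest_byte_run(data):
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def find_suspicious_ssrp(pcap):
    """Return (packet_no, src, dst, reasons) for UDP/1434 datagrams that do
    not look like a legitimate SSRP request."""
    findings = []
    for n, frame in enumerate(iter_packets(pcap), 1):
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport != SSRP_PORT or not payload:
            continue
        name_field = payload[1:]  # everything after the 1-byte request type
        reasons = []
        if len(payload) > SUSPICIOUS_PAYLOAD_LEN:
            reasons.append("oversized payload (%d bytes)" % len(payload))
        if longest_byte_run(name_field) >= FILLER_RUN_LEN:
            reasons.append("long run of a repeated byte (overflow-style filler)")
        if any(b < 0x20 or b > 0x7E for b in name_field):
            reasons.append("non-printable bytes where an instance name belongs")
        if reasons:
            findings.append((n, src, dst, "; ".join(reasons)))
    return findings


# Constructed sample capture: one normal SSRP lookup, one unrelated DNS-port
# datagram, and one synthetic 376-byte UDP/1434 payload made of filler bytes
# (NOT the worm's real bytes), sized like the real thing.
SYNTHETIC_PAYLOAD = b"\x04" + b"\x01" * 96 + bytes((i * 37) & 0xFF for i in range(279))
SAMPLE_PCAP = build_pcap([
    udp_frame(b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09", 49152, SSRP_PORT, b"\x04MSSQLSERVER"),
    udp_frame(b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09", 49153, 53, b"\x00\x01"),
    udp_frame(b"\xc0\xa8\x01\x07", b"\x0a\x00\x00\x09", 20199, SSRP_PORT, SYNTHETIC_PAYLOAD),
])

if __name__ == "__main__":
    for pkt_no, src, dst, why in find_suspicious_ssrp(SAMPLE_PCAP):
        print("packet %d %s -> %s udp/%d: %s" % (pkt_no, src, dst, SSRP_PORT, why))
```

To run it against a real file, replace `SAMPLE_PCAP` with `open("slammer.pcap", "rb").read()`; pcapng files (the default for newer Wireshark versions) are not handled, so save the capture in libpcap format first. The port check alone would also flag normal SQL browser traffic, which is exactly why the answer says detection needs a known pattern: the size, filler and non-printable heuristics are what separate an attack from a lookup.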