{"id":26965484,"url":"https://github.com/compcode1/wireshark-flow-analysis","last_synced_at":"2025-10-19T04:27:38.208Z","repository":{"id":284918063,"uuid":"956477303","full_name":"Compcode1/wireshark-flow-analysis","owner":"Compcode1","description":"The goal of this project was to efficiently analyze how a website (Adidas.com) was accessed from the moment of the initial request to the establishment of an encrypted HTTPS session.","archived":false,"fork":false,"pushed_at":"2025-05-10T11:00:11.000Z","size":24,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-13T06:08:54.881Z","etag":null,"topics":["dns","filter","https","protocol","tcp","tls","wireshark"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Compcode1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-03-28T10:16:58.000Z","updated_at":"2025-04-04T15:35:34.000Z","dependencies_parsed_at":"2025-05-28T12:05:37.947Z","dependency_job_id":"a99e7f64-e0ff-4a49-bcee-2a27accff0e4","html_url":"https://github.com/Compcode1/wireshark-flow-analysis","commit_stats":null,"previous_names":["compcode1/wireshark-flow-analysis"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Compcode1/wireshark-flow-analysis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fwireshark-flow-analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Com
pcode1%2Fwireshark-flow-analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fwireshark-flow-analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fwireshark-flow-analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Compcode1","download_url":"https://codeload.github.com/Compcode1/wireshark-flow-analysis/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fwireshark-flow-analysis/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259592280,"owners_count":22881268,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","filter","https","protocol","tcp","tls","wireshark"],"created_at":"2025-04-03T07:28:55.342Z","updated_at":"2025-10-19T04:27:33.173Z","avatar_url":"https://github.com/Compcode1.png","language":"Jupyter Notebook","readme":"**Wireshark Network Flow Analysis Project: Full Summary \u0026 Methodology**\n\n**🔹 Project Objective**\nThe goal of this project was to efficiently analyze how a website (Adidas.com) was accessed from the moment of the initial request to the establishment of an encrypted HTTPS session.\n\nInstead of following traditional network analysis (which starts with DNS and moves forward), we optimized our workflow by:\n✅ Starting with the first actual connection attempt (IP discovery)\n✅ Working backward to find the DNS resolution that led to that IP\n✅ Moving forward through TCP, TLS, and HTTPS to confirm how the session was 
established\n\nThis approach eliminated unnecessary manual tracking of irrelevant DNS queries and focused directly on the IP and its related traffic.\n\n**🔹 Step-by-Step Summary of the Analysis**\n\n**1️⃣ Identifying the First Connection Attempt**\n📌 Filter Used:\ntcp.flags.syn == 1 or udp.port == 443\n🔹 This filter was applied to find the first actual network connection attempt (either via TCP SYN for HTTPS or UDP for QUIC).\n🔹 The first result (Packet 1374) showed an IPv6 connection to www.adidas.com.\n\n**📌 Key Takeaways:**\n✅ The website was contacted over IPv6, meaning an AAAA record must have been returned.\n✅ The connection used TCP over port 443, meaning Adidas was not using QUIC (HTTP/3).\n\n**2️⃣ Finding the Exact DNS Resolution**\n📌 Filter Used:\n\ndns.aaaa == 2600:1406:2e00:28::17cb:a617\n🔹 This filter jumped directly to the DNS response that provided the IPv6 address used in the connection.\n🔹 Instead of manually searching for Adidas DNS queries, we worked backward from the IP itself.\n\n**📌 Key Takeaways:**\n✅ www.adidas.com did not resolve directly to an IP—it first went through a CNAME chain via Akamai’s CDN.\n✅ The final resolved address was 2600:1406:2e00:28::17cb:a617, which matched the IP used in the TCP handshake.\n\n**3️⃣ Moving Forward to Analyze the TLS \u0026 HTTPS Session**\n\n📌 Filter Used:\nipv6.addr == 2600:1406:2e00:28::17cb:a617\n🔹 Because the resolved address is IPv6, the ipv6.addr field is used here; ip.addr only matches IPv4 addresses.\n🔹 This displayed all traffic between the system and Adidas.com, including:\n\nThe TCP handshake (confirming the three-way handshake).\n\nThe TLS handshake (Server Hello, Certificate Exchange, etc.).\n\nThe encrypted HTTPS data exchange.\n\n**📌 Key Takeaways:**\n✅ Adidas.com uses TLS over TCP, not QUIC.\n✅ The full session was encrypted, confirming HTTPS was successfully established.\n✅ No additional unexpected hosts were involved—everything was routed through Akamai’s CDN servers.\n\n**🔹 Final Strategy for All Future Network Flow Analysis**\nThis method should be the standard for all future Wireshark-based network analysis:\n\n🚀 The Optimized Three-Step Process\n**1️⃣ Start With the First Connection (Find the IP)**\n\n📌 Use this filter to find the first real connection attempt:\n\ntcp.flags.syn == 1 or udp.port == 443\n\n✅ This immediately tells us:\nWhether the connection used IPv4 (A record) or IPv6 (AAAA record)\nWhether it was TCP (TLS) or UDP (QUIC)\n\n**2️⃣ Work Backward to Find the DNS Resolution**\n📌 Once the IP is known, apply one of these filters to find its DNS response:\ndns.aaaa == [IPv6 Address]\ndns.a == [IPv4 Address]\n✅ This instantly reveals the exact DNS resolution instead of manually tracking all queries.\n\n**3️⃣ Move Forward Through TCP, TLS, and HTTPS**\n\n📌 Use one of these filters to isolate all activity related to that IP:\nipv6.addr == [IPv6 Address]\nip.addr == [IPv4 Address]\n\n✅ This displays:\nThe TCP handshake (SYN, SYN-ACK, ACK)\nThe TLS handshake (Client Hello, Server Hello, Encryption Setup)\nThe actual encrypted HTTPS session\n\n**🔹 Why This Approach Is Better Than Traditional Methods**\n✅ Eliminates unnecessary manual tracking of multiple DNS queries.\n✅ Directly finds the actual IP used in the connection instead of guessing.\n✅ Works backward efficiently to find the exact DNS response.\n✅ Moves forward through all network layers (TCP, TLS, HTTPS) without confusion.\n✅ Drastically reduces time spent searching for packets in large captures.\n\n**🔹 Final Confirmation: We Met All Project Objectives**\n✅ We successfully identified how Adidas.com was accessed.\n✅ We confirmed that IPv6 was used.\n✅ We confirmed DNS resolution via Akamai’s CDN.\n✅ We confirmed TCP was used (not QUIC).\n✅ We identified the TLS handshake and encrypted session.\n✅ We established a clear, repeatable methodology for future network flow analysis.\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fwireshark-flow-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompcode1%2Fwireshark-flow-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fwireshark-flow-analysis/lists"}