https://github.com/compcode1/wireshark-flow-analysis
The goal of this project was to efficiently analyze how a website (Adidas.com) was accessed from the moment of the initial request to the establishment of an encrypted HTTPS session.
https://github.com/compcode1/wireshark-flow-analysis
dns filter https protocol tcp tls wireshark
Last synced: 3 months ago
JSON representation
The goal of this project was to efficiently analyze how a website (Adidas.com) was accessed from the moment of the initial request to the establishment of an encrypted HTTPS session.
- Host: GitHub
- URL: https://github.com/compcode1/wireshark-flow-analysis
- Owner: Compcode1
- License: gpl-3.0
- Created: 2025-03-28T10:16:58.000Z (10 months ago)
- Default Branch: master
- Last Pushed: 2025-05-10T11:00:11.000Z (8 months ago)
- Last Synced: 2025-06-13T06:08:54.881Z (7 months ago)
- Topics: dns, filter, https, protocol, tcp, tls, wireshark
- Language: Jupyter Notebook
- Homepage:
- Size: 23.4 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
**Wireshark Network Flow Analysis Project: Full Summary & Methodology**
**πΉ Project Objective**
The goal of this project was to efficiently analyze how a website (Adidas.com) was accessed from the moment of the initial request to the establishment of an encrypted HTTPS session.
Instead of following traditional network analysis (which starts with DNS and moves forward), we optimized our workflow by:
β
Starting with the first actual connection attempt (IP discovery)
β
Working backward to find the DNS resolution that led to that IP
β
Moving forward through TCP, TLS, and HTTPS to confirm how the session was established
This approach eliminated unnecessary manual tracking of irrelevant DNS queries and focused directly on the IP and its related traffic.
**πΉ Step-by-Step Summary of the Analysis**
1οΈβ£ Identifying the First Connection Attempt
π Filter Used:
tcp.flags.syn == 1 or udp.port == 443
πΉ This filter was applied to find the first actual network connection attempt (either via TCP SYN for HTTPS or UDP for QUIC).
πΉ The first result (Packet 1374) showed an IPv6 connection to www.adidas.com.
**π Key Takeaways:**
β
The website was contacted over IPv6, meaning an AAAA record must have been returned.
β
The connection used TCP over port 443, meaning Adidas was not using QUIC (HTTP/3).
2οΈβ£ Finding the Exact DNS Resolution
π Filter Used:
dns.aaaa == 2600:1406:2e00:28::17cb:a617
πΉ This filter jumped directly to the DNS response that provided the IPv6 address used in the connection.
πΉ Instead of manually searching for Adidas DNS queries, we worked backward from the IP itself.
**π Key Takeaways:**
β
www.adidas.com did not resolve directly to an IPβit first went through a CNAME chain via Akamaiβs CDN.
β
The final resolved address was 2600:1406:2e00:28::17cb:a617, which matched the IP used in the TCP handshake.
**3οΈβ£ Moving Forward to Analyze the TLS & HTTPS Session**
π Filter Used:
ip.addr == 2600:1406:2e00:28::17cb:a617
πΉ This displayed all traffic between the system and Adidas.com, including:
The TCP handshake (confirming the three-way handshake).
The TLS handshake (Server Hello, Certificate Exchange, etc.).
The encrypted HTTPS data exchange.
π Key Takeaways:
β
Adidas.com uses TLS over TCP, not QUIC.
β
The full session was encrypted, confirming HTTPS was successfully established.
β
No additional unexpected hosts were involvedβeverything was routed through Akamaiβs CDN servers.
**πΉ Final Strategy for All Future Network Flow Analysis**
This method should be the standard for all future Wireshark-based network analysis:
π The Optimized Three-Step Process
1οΈβ£ Start With the First Connection (Find the IP)
π Use this filter to find the first real connection attempt:
tcp.flags.syn == 1 or udp.port == 443
β
This immediately tells us:
Whether the connection used IPv4 (A record) or IPv6 (AAAA record)
Whether it was TCP (TLS) or UDP (QUIC)
**2οΈβ£ Work Backward to Find the DNS Resolution**
π Once the IP is known, apply one of these filters to find its DNS response:
dns.aaaa == [IPv6 Address]
dns.a == [IPv4 Address]
β
This instantly reveals the exact DNS resolution instead of manually tracking all queries.
**3οΈβ£ Move Forward Through TCP, TLS, and HTTPS**
π Use this filter to isolate all activity related to that IP:
ip.addr == [Resolved IP]
β
This displays:
The TCP handshake (SYN, SYN-ACK, ACK)
The TLS handshake (Client Hello, Server Hello, Encryption Setup)
The actual encrypted HTTPS session
**πΉ Why This Approach Is Better Than Traditional Methods**
β
Eliminates unnecessary manual tracking of multiple DNS queries.
β
Directly finds the actual IP used in the connection instead of guessing.
β
Works backward efficiently to find the exact DNS response.
β
Moves forward through all network layers (TCP, TLS, HTTPS) without confusion.
β
Drastically reduces time spent searching for packets in large captures.
**πΉ Final Confirmation: We Met All Project Objectives**
β
We successfully identified how Adidas.com was accessed.
β
We confirmed that IPv6 was used.
β
We confirmed DNS resolution via Akamaiβs CDN.
β
We confirmed TCP was used (not QUIC).
β
We identified the TLS handshake and encrypted session.
β
We established a clear, repeatable methodology for future network flow analysis.