Network Traffic Analysis for Malware Presence Confirmation using Wireshark
Internal system repeatedly observed in suspicious outbound communications.
DNS, HTTP, TLS, TCP, ARP, DHCP, SMB, and reputation checks.
Multiple independent indicators support command-and-control activity.
Introduction
This data analysis focuses on identifying malware presence using passive network traffic analysis. The PCAP file was analyzed using Wireshark without executing any malicious code. A layered approach combining DNS, HTTP, TCP, and IP-level observations was used to detect command-and-control communication, data exfiltration, and abnormal network behavior.
Objectives
- To identify the infected host using network traffic analysis.
- To detect malware communication patterns such as C2 and beaconing.
- To analyze HTTP, DNS, and TCP behavior for malicious indicators.
- To confirm malware presence using multiple correlated pieces of evidence.
PCAP Description
The PCAP file contains captured network traffic from an infected Windows system communicating with external servers. The dataset includes DNS queries, HTTP POST requests, and TCP sessions. The traffic reveals patterns of command-and-control communication and data exfiltration using obfuscated payloads.
Dataset Link: 2025-06-13-traffic-analysis-exercise.pcap.zip
Architecture of Work
A simplified visual workflow of the malware traffic analysis process.
Procedure of Work
The PCAP file was analyzed using Wireshark to identify signs of malware activity. Initially, the traffic was explored to understand the overall communication patterns and protocols involved.
The infected host was identified using Statistics > Conversations > IPv4 by observing abnormal outbound traffic and repeated communication with external IP addresses.
Protocol-based filters such as http, dns, tls, and smb2 were applied to analyze specific types of traffic. HTTP streams were inspected to detect suspicious POST requests and encoded payloads, while DNS traffic was examined for unusual domain queries. TLS traffic was analyzed to identify encrypted communication with external servers.
Additionally, SMB traffic was analyzed to observe internal communication patterns. External IP addresses were further validated using VirusTotal to check their reputation.
Finally, multiple indicators were correlated to confirm malware presence, and relevant screenshots were captured to support the analysis.
Inference: Indicators of Malware Presence
The following indicators were used to confirm suspicious and malware-like behavior in the captured traffic.
1. High Outbound Traffic Pattern
Why it matters
Infected machines initiate connections to external servers, while attackers typically wait for incoming communication.
How it was analyzed in Wireshark
Statistics > Conversations > IPv4, sorted by packets and bytes.
Observation
A single internal IP, 10.6.13.133, was observed communicating with multiple external IPs with significantly higher packet count compared to other hosts.
Conclusion
This abnormal outbound communication pattern indicates that the host is likely infected and actively communicating with external infrastructure.
2. Internal vs External IP Analysis
Why it matters
Malware operates from inside the network and communicates with external servers.
How it was analyzed in Wireshark
Private IP ranges such as 10.x.x.x were separated from public IP addresses.
Observation
The internal IP 10.6.13.133 initiated communication with multiple public IP addresses.
Conclusion
This confirms that the internal machine is initiating suspicious external communication, a strong indicator of malware infection.
3. ARP Traffic Correlation
Why it matters: ARP ties an IP address to the MAC address of the device that actually holds it, so it identifies the real machine behind a suspicious IP.
Wireshark filter:
arp
Observation: The same MAC address was consistently associated with the suspicious IP.
Conclusion: This confirms the identity of the infected host beyond IP-level analysis.
4. DHCP Fingerprinting
Why it matters: DHCP traffic reveals system-level details such as hostname and operating system.
Wireshark filter:
bootp (this filter is named dhcp in Wireshark 3.0 and later)
Observation: DHCP packets revealed hostname information associated with the internal system, indicating a Windows-based machine.
Conclusion: This supports the presence of a Windows-based compromised machine.
5. Excessive DNS Requests
Malware frequently generates DNS queries to locate command-and-control servers or resolve malicious domains.
How it was analyzed in Wireshark
DNS traffic was filtered using: dns
The packet list was analyzed to observe the frequency and source of DNS queries.
Observation: A large number of DNS queries were observed originating from 10.6.13.133, targeting multiple domains.
Conclusion: The high volume of DNS queries from a single host indicates automated lookup activity commonly associated with malware behavior.
6. Algorithmically Generated Domains (DGA)
Malware uses algorithmically generated or attacker-controlled domains to evade detection and maintain communication with C2 servers.
Domain Name System > Queries > Name
Observation: Suspicious domain names with unusual or non-human-readable structures were observed in DNS queries.
Conclusion: Suspicious or artificially structured domains suggest attacker-controlled or dynamically generated domains.
7. Fake Cloudflare / CDN Domains
Attackers often use legitimate-looking infrastructure such as Cloudflare to hide malicious communication and bypass detection.
How it was analyzed in Wireshark
HTTP and DNS traffic were inspected to identify domain names by examining:
Hypertext Transfer Protocol → Host
and DNS query names.
Observation: Domains resembling legitimate services, such as Cloudflare-based domains like trycloudflare.com, were observed.
Conclusion: CDN-like domains indicate an attempt to disguise malicious communication as legitimate traffic.
8. Suspicious TLD Usage
Why it matters
Malware often uses unusual or less-regulated top-level domains (TLDs) to host malicious infrastructure.
How it was analyzed in Wireshark
Domain names were examined in DNS queries and HTTP requests by inspecting:
Domain Name System → Queries → Name
and HTTP Host fields.
Observation
Some domains showed unusual naming patterns or non-standard structures, which differ from typical user browsing behavior. In this dataset, domains were observed that appear artificially structured rather than user-generated.
Conclusion: Suspicious domain structures indicate attacker-controlled infrastructure commonly associated with malware communication.
9. Repeated Beaconing Pattern
Why it matters
Malware periodically communicates with command-and-control servers to receive instructions, known as beaconing.
How it was analyzed in Wireshark
TCP streams and conversations were analyzed by inspecting repeated communication between the same internal and external IPs, along with timing patterns.
Observation: The infected host repeatedly communicated with the same external IP addresses with consistent packet sizes and recurring communication patterns over time.
- High packet count
- High bytes transferred
- Long or repeated duration
Conclusion: Regular repeated communication indicates beaconing behavior, a strong indicator of malware C2 activity.
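The timing check described in this section can be scripted over timestamps exported from Wireshark (File > Export Packet Dissections, or tshark -T fields). The Python below is an added example, not code from the original post: the packet records, the external addresses and the thresholds are constructed assumptions; only the infected host address 10.6.13.133 comes from the analysis above.

```python
"""Beaconing heuristic over outbound flow timestamps (constructed sample)."""
from collections import defaultdict
from statistics import mean, pstdev

INFECTED = "10.6.13.133"  # the internal host named in the post

# Constructed packet records in the shape tshark can export:
# (frame.time_epoch, ip.src, ip.dst, frame.len). External addresses are placeholders.
# Flow A fires every ~60 s with a fixed size; flow B is a bursty browsing session.
PACKETS = [(t, INFECTED, "203.0.113.10", 412)
           for t in (0, 60, 121, 180, 241, 300, 360)] + [
    (5.0, "10.6.13.50", "198.51.100.7", 1500),
    (5.1, "10.6.13.50", "198.51.100.7", 1500),
    (5.3, "10.6.13.50", "198.51.100.7", 700),
    (47.0, "10.6.13.50", "198.51.100.7", 1500),
    (47.2, "10.6.13.50", "198.51.100.7", 300),
]


def is_private(ip):
    # Prefix check is enough for this sample (the 10.x.x.x range used in the post).
    return ip.startswith("10.") or ip.startswith("192.168.")


def beacon_scores(packets, min_events=5):
    """Return {(src, dst): (mean_gap_s, cv, size_spread)} for internal->external flows.

    cv is the coefficient of variation of inter-arrival gaps (std / mean);
    a fixed timer gives a value near 0. size_spread is max - min frame length."""
    flows = defaultdict(list)
    for t, src, dst, length in packets:
        if is_private(src) and not is_private(dst):
            flows[(src, dst)].append((t, length))
    scores = {}
    for key, events in flows.items():
        if len(events) < min_events:
            continue  # too few packets to judge periodicity
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        sizes = [length for _, length in events]
        scores[key] = (round(m, 2), round(cv, 3), max(sizes) - min(sizes))
    return scores


def likely_beacons(packets, max_cv=0.2, max_size_spread=64):
    """Flows that are both regular in time and uniform in size."""
    return sorted(key for key, (_, cv, spread) in beacon_scores(packets).items()
                  if cv <= max_cv and spread <= max_size_spread)


if __name__ == "__main__":
    for key, score in beacon_scores(PACKETS).items():
        print(key, score)
    print("likely beacons:", likely_beacons(PACKETS))
```

Real implants add jitter, so treat the cv threshold as a starting point and look at the gap distribution for flows that score just above it.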
10. Small Periodic HTTP Requests
Why it matters
Malware communicates with command-and-control servers using small, repeated HTTP requests instead of normal web browsing.
How it was analyzed in Wireshark
Filter: http, then Follow > HTTP Stream on individual requests.
Observation: Multiple HTTP requests from the infected host used small request structures and minimal response content, lacking normal webpage elements.
Conclusion: These small and repetitive HTTP communications indicate automated C2 interaction rather than normal browsing.
11. Suspicious / Missing User-Agent Strings
Why it matters
Legitimate browsers always include a User-Agent string, whereas malware often omits or uses abnormal identifiers.
How it was analyzed in Wireshark
HTTP request headers were inspected by expanding:
Hypertext Transfer Protocol
Observation: Certain HTTP POST requests did not contain a User-Agent header, which is unusual for legitimate browser traffic.
Conclusion: The absence of User-Agent indicates traffic generated by a non-browser client, strongly suggesting automated malware communication.
12. Encrypted Traffic to Unknown IPs
Why it matters
Malware often uses encrypted communication (TLS/HTTPS) to hide command-and-control activity.
How it was analyzed in Wireshark
Wireshark filter:
tls
Observation: Encrypted TLS traffic was observed between the infected host and external IP addresses without clear identification of legitimate services.
Conclusion: Encrypted communication with unknown external servers suggests concealed C2 activity.
13. Unusual POST Requests
Why it matters
Malware often uses HTTP POST requests to send stolen data to external servers.
How it was analyzed in Wireshark
HTTP POST requests were filtered using:
http.request.method == "POST"
Observation:
- Source: 10.6.13.133
- Method: POST
- Destination: external domain, including domains such as .live
Conclusion: These POST requests indicate potential data transmission from the infected host to attacker-controlled infrastructure.
14. Encoded Payload or Data Exfiltration Behavior
HTTP streams and POST payloads were inspected for encoded content and abnormal data movement. Encoded or compact payloads in repeated requests can indicate data exfiltration or C2 tasking.
Conclusion: Suspicious HTTP request patterns support the possibility of data transmission to attacker-controlled infrastructure.
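The header and payload checks from sections 10, 11, 13 and 14 (small POST requests, missing User-Agent, encoded bodies, and the .live destination noted above) can be applied to request text copied from Follow > HTTP Stream. The Python below is an added example, not code from the original post; the requests, host names, paths and body are constructed placeholders, and the watched-TLD list is an assumption, not a vetted blocklist.

```python
"""HTTP request checks: POST, missing User-Agent, small/encoded bodies, watched TLDs."""
import re

# TLD the post calls out; extend to taste (assumption, not a vetted blocklist).
WATCH_TLDS = {"live"}

# Constructed requests in the shape Wireshark shows under Follow > HTTP Stream.
# Hosts, paths and bodies are placeholders, not values from the PCAP.
REQUESTS = [
    "POST /gate.php HTTP/1.1\r\nHost: c2-placeholder.live\r\n"
    "Content-Length: 24\r\n\r\nYWJjZGVmZ2hpamtsbW5vcHFy",
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    "POST /api/upload HTTP/1.1\r\nHost: files.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nContent-Length: 8\r\n\r\ndata=abc",
]

BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def request_findings(raw, small_body=256):
    """Return (host, [finding tags]) for one request."""
    req = parse_request(raw)
    headers = req["headers"]
    host = headers.get("host", "")
    tld = host.rsplit(".", 1)[-1].lower() if "." in host else ""
    findings = []
    if req["method"] == "POST":
        findings.append("POST")
        if len(req["body"]) <= small_body:
            findings.append("small-post-body")
    if "user-agent" not in headers:
        findings.append("no-user-agent")
    if BASE64_LIKE.match(req["body"]):
        findings.append("base64-like-body")
    if tld in WATCH_TLDS:
        findings.append("tld:" + tld)
    return host, findings


def suspicious_requests(raws, min_findings=3):
    """Requests that stack several weak signals; one alone is not evidence."""
    return [(host, tags) for host, tags in map(request_findings, raws)
            if len(tags) >= min_findings]


if __name__ == "__main__":
    for raw in REQUESTS:
        print(request_findings(raw))
    print("suspicious:", suspicious_requests(REQUESTS))
```

The third sample shows why the signals are combined: a small POST with a normal User-Agent to an ordinary host is what an API call looks like, so it does not reach the threshold.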
15. File Path Leakage
Why it matters
Malware sometimes leaks system paths, revealing user details and OS information.
How it was analyzed in Wireshark
HTTP streams were manually inspected for system-related strings.
Implementation
Ctrl + F / Cmd + F (string search) for C:\Users and C:\Users\username\AppData\
Observation (two cases)
If found: a path such as C:\Users\username\AppData\ appears in the stream.
If not found: record explicitly that no path was leaked (very important).
Observation: No explicit file path leakage was observed in the analyzed traffic.
Conclusion: Although no file path leakage was observed, such indicators are commonly checked during victim system identification.
16. SMB / NTLM Authentication Traffic
Why it matters
Malware may attempt lateral movement by authenticating to other machines using SMB/NTLM protocols.
How it was analyzed in Wireshark
Traffic was filtered using:
smb2 || ntlmssp
Observation
Case 1: If packets are visible, check the authentication messages and NTLMSSP fields.
Case 2: If no packets are visible, record that no SMB or NTLM authentication traffic was observed.
Conclusion: Although not always observed, SMB/NTLM traffic is commonly associated with malware propagation across systems.
17. Port Scanning Behavior
Why it matters
Malware scans networks to discover vulnerable systems.
How it was analyzed in Wireshark
TCP SYN packets were filtered using:
tcp.flags.syn == 1 && tcp.flags.ack == 0
Implementation
- Apply the filter above and observe the packet list.
- What to check: same source IP, many destination IPs or ports, and no completed connections.
Observation (depends on dataset)
Case 1: If scanning is visible, multiple SYN packets are seen from a single host targeting multiple destinations without completing full TCP handshakes.
Case 2: If not clearly visible (likely), there is no clear evidence of port scanning; a host may be sending many SYN packets, but the connections do not clearly complete.
Observation: SYN packets were observed; however, no clear pattern of large-scale port scanning activity was identified.
Conclusion: Port scanning is a common reconnaissance technique used by malware to identify targets.
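The "no completed connections" check above is the part the SYN filter alone cannot show, because it needs the SYN/ACK replies that the filter excludes. The Python below is an added example, not code from the original post: it scores each source by how many distinct targets received a bare SYN and how many of those answered. All packet records and addresses are constructed, and the sample deliberately contains one scanning host and one normal host so both outcomes are visible.

```python
"""SYN-only scan heuristic that also tracks whether handshakes completed."""
from collections import defaultdict

# Constructed records in the shape tshark can export:
# (ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack).
# 10.6.13.133 probes 20 ports on one host and receives no SYN/ACK;
# 10.6.13.50 opens two ordinary connections that are answered.
PACKETS = []
for port in range(1, 21):
    PACKETS.append(("10.6.13.133", 40000 + port, "10.6.13.200", port, 1, 0))
for port in (80, 443):
    PACKETS.append(("10.6.13.50", 50000 + port, "10.6.13.201", port, 1, 0))   # SYN
    PACKETS.append(("10.6.13.201", port, "10.6.13.50", 50000 + port, 1, 1))   # SYN/ACK


def scan_report(packets):
    """Per source: distinct (dst, port) targets sent a bare SYN, and how many
    of those targets answered with SYN/ACK. This is the filter
    tcp.flags.syn == 1 && tcp.flags.ack == 0 plus the "no completed
    connections" check done programmatically."""
    targets = defaultdict(set)    # client -> {(server, port)} probed
    answered = defaultdict(set)   # client -> {(server, port)} that replied
    for src, sport, dst, dport, syn, ack in packets:
        if syn and not ack:
            targets[src].add((dst, dport))
        elif syn and ack:
            # A SYN/ACK travels server -> client, so the client's original
            # target is (src, sport) of this packet.
            answered[dst].add((src, sport))
    report = {}
    for client, probed in targets.items():
        completed = len(probed & answered.get(client, set()))
        report[client] = {
            "targets": len(probed),
            "completed": completed,
            "completion_ratio": round(completed / len(probed), 2),
        }
    return report


def likely_scanners(packets, min_targets=10, max_completion=0.1):
    """Hosts that probed many targets and almost none of them answered."""
    return sorted(client for client, r in scan_report(packets).items()
                  if r["targets"] >= min_targets
                  and r["completion_ratio"] <= max_completion)


if __name__ == "__main__":
    for client, r in scan_report(PACKETS).items():
        print(client, r)
    print("likely scanners:", likely_scanners(PACKETS))
```

A low completion ratio on its own can also mean a firewall dropped the SYNs, so confirm the target spread before calling it a scan.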
18. Known Malicious IP Reputation
Why it matters
Even if traffic looks suspicious, we confirm malicious activity by checking whether the involved IPs/domains are flagged by threat intelligence platforms.
Implementation Steps
- Pick a suspicious IP from Wireshark Conversations, HTTP, or TLS traffic.
- Open VirusTotal.
- Search the IP address.
- Check detection count, malicious labels, suspicious tags, C2 labels, or malware-hosting reports.
What to check (very important)
On the VirusTotal page, look for:
Detection count, for example:
- "5/90 vendors flagged this IP"
- or "Suspicious / Malicious"
Labels:
- Malicious
- Suspicious
- C2 server
- Malware hosting
Conclusion: Reputation validation helps confirm whether observed network communication is associated with potentially malicious infrastructure.
19. TCP Retransmissions / Network Anomalies
Why it matters
Malware communication often results in unstable or unusual network behavior such as retransmissions due to failed or suspicious connections.
How it was analyzed in Wireshark
TCP anomalies were identified using:
tcp.analysis.retransmission
What to check: same IP repeatedly, retransmissions to the same destination, and failed or repeated attempts.
Observation: TCP retransmissions were observed in the traffic, indicating repeated attempts to send data between hosts.
Conclusion: Frequent retransmissions suggest unstable or abnormal communication patterns, which can be associated with malware activity.
20. DNS Response Analysis: NXDOMAIN / Failed Lookups
Why it matters
Malware often queries domains that do not exist (DGA behavior), resulting in failed DNS responses.
How it was analyzed in Wireshark
DNS failures were analyzed using:
dns.flags.rcode != 0
Implementation
- Apply the filter dns.flags.rcode != 0 and press Enter.
- To isolate NXDOMAIN responses specifically, use dns.flags.rcode == 3 (rcode 3 is the NXDOMAIN response code).
What to check:
- NXDOMAIN responses
- Failed DNS queries
Observation: Some DNS queries resulted in failed responses, indicating attempts to resolve non-existent or suspicious domains.
Conclusion: Failed DNS lookups suggest automated domain generation or probing behavior commonly associated with malware.
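Sections 5, 6 and 20 are three views of the same DNS data: query volume per host, the shape of the queried names, and the failure rate. The Python below is an added example, not code from the original post, that computes all three per querying host from records in the shape tshark exports (ip.dst of the response, dns.qry.name, dns.flags.rcode). The records and domain names are constructed placeholders, the entropy and vowel thresholds are assumptions, and only the host address 10.6.13.133 comes from the analysis above.

```python
"""DNS volume, NXDOMAIN ratio and domain-shape checks per querying host."""
import math
from collections import Counter, defaultdict

INFECTED = "10.6.13.133"  # the internal host named in the post

# Constructed records in the shape tshark can export from DNS responses:
# (ip.dst of the response = querying host, dns.qry.name, dns.flags.rcode).
# rcode 3 is NXDOMAIN. Names are placeholders, not domains from the PCAP.
DNS_RECORDS = [
    (INFECTED, "xk3qz9vb7w.example", 3),
    (INFECTED, "p0m2dl8ytr4s.example", 3),
    (INFECTED, "qwv5n1xzc8.example", 3),
    (INFECTED, "zj8k2r0hq.example", 0),
    (INFECTED, "update.example-cdn.test", 0),
    ("10.6.13.50", "www.wikipedia.org", 0),
    ("10.6.13.50", "en.wikipedia.org", 0),
    ("10.6.13.50", "upload.wikimedia.org", 0),
]


def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def label_shape(name):
    """Character statistics of the left-most label (the part a DGA varies)."""
    label = name.split(".")[0]
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(ch in "aeiou" for ch in letters)
    return {
        "entropy": round(shannon_entropy(label), 2),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / len(label), 2) if label else 0.0,
        "vowel_ratio": round(vowels / len(letters), 2) if letters else 0.0,
    }


def looks_generated(name, min_entropy=3.0, max_vowel_ratio=0.3):
    """High entropy plus few vowels: a heuristic, so expect some false positives."""
    shape = label_shape(name)
    return shape["entropy"] >= min_entropy and shape["vowel_ratio"] <= max_vowel_ratio


def per_host_summary(records):
    """Query count, NXDOMAIN ratio and generated-looking names per host."""
    hosts = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "generated": []})
    for host, name, rcode in records:
        entry = hosts[host]
        entry["queries"] += 1
        if rcode == 3:
            entry["nxdomain"] += 1
        if looks_generated(name):
            entry["generated"].append(name)
    for entry in hosts.values():
        entry["nxdomain_ratio"] = round(entry["nxdomain"] / entry["queries"], 2)
    return dict(hosts)


def suspicious_hosts(records, min_queries=5, min_nx_ratio=0.5, min_generated=2):
    """Hosts with enough queries and either many failures or many odd names."""
    return sorted(host for host, s in per_host_summary(records).items()
                  if s["queries"] >= min_queries
                  and (s["nxdomain_ratio"] >= min_nx_ratio
                       or len(s["generated"]) >= min_generated))
```

CDN and cloud hostnames often have high-entropy labels too, so review the generated list by hand before treating it as evidence.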
The 5 Effects of Malware
1. Unauthorized Data Exfiltration
Malware can steal sensitive data and transmit it to external attacker-controlled servers.
2. Persistent C2 Communication
The infected system continuously communicates with external servers to receive instructions.
3. System Resource Misuse
Malware consumes bandwidth and system resources, creating abnormal traffic patterns.
4. Evasion with Trusted Infrastructure
Malware may use trusted-looking services to disguise malicious communication.
5. Potential Lateral Movement
Malware can attempt to spread using protocols like SMB and internal authentication.
New Findings from My Work
- Identified infected host based on abnormal outbound traffic patterns.
- Detected repeated communication with external IP addresses, indicating beaconing behavior.
- Observed suspicious HTTP POST requests carrying encoded payloads.
- Found absence of User-Agent in HTTP headers, indicating automated communication.
- Detected encrypted TLS communication masking data exchange.
- Identified use of deceptive domain names resembling legitimate services.
- Observed SMB communication indicating internal network interaction.
- Verified external IP reputation using VirusTotal.
- Detected abnormal DNS query patterns.
- Identified possible data exfiltration through HTTP streams.
The Use of AI
Artificial Intelligence tools were used to enhance the analysis and understanding of malware behavior in network traffic. AI-assisted guidance helped in identifying key patterns such as beaconing, encoded payloads, and protocol anomalies. It also assisted in structuring the analysis, refining observations, and generating meaningful conclusions from packet-level data. Additionally, AI enabled efficient interpretation of complex network behavior, improving both accuracy and depth of the investigation.
AI played a significant role in accelerating the analysis process while ensuring a structured and comprehensive approach to malware detection.
Conclusion
The network traffic analysis of the provided PCAP file clearly indicates the presence of malware activity within the system. Using Wireshark, multiple indicators were identified, including abnormal outbound communication, repeated connections to external IP addresses, suspicious HTTP POST requests, and the transmission of encoded payloads. The absence of standard HTTP headers such as the User-Agent further confirmed that the communication was generated by automated processes rather than legitimate user activity.
In addition, encrypted TLS communication and the use of legitimate-looking domains highlight the malware's attempt to evade detection by blending with normal network traffic. Although some external IPs were not flagged by threat intelligence platforms, their behavior within the traffic strongly suggests suspicious activity, emphasizing the importance of behavioral analysis over signature-based detection.
Overall, the correlation of multiple independent indicators, such as beaconing patterns, data exfiltration, and protocol anomalies, provides strong evidence of command-and-control communication. This analysis demonstrates how passive network traffic inspection can effectively detect and understand malware behavior without executing malicious code.
Links and References
YouTube Channel: https://www.youtube.com/@Tech_Shu-mitra
YouTube Video: https://www.youtube.com/watch?v=7gML6JDnTbA
GitHub Repository: https://github.com/mitra9917/Malware-detection
- Malware download link: PCAP ZIP
- Original malware blog link: Malware Traffic Analysis Exercise
Acknowledgement
I would like to express my sincere gratitude to the School of Computer Science and Engineering (SCOPE), Vellore Institute of Technology Chennai, for offering the theory and laboratory courses in Computer Networks during the Winter Semester 2025-2026 with an industry-standard curriculum.
I am especially thankful to my faculty, Dr. T. Subbulakshmi, for providing the opportunity to work on this data analysis assignment and for her valuable guidance throughout the course. This project has significantly enhanced my practical understanding of network protocols, cybersecurity concepts, and real-world malware behavior.
I would also like to acknowledge Gerald Combs, recipient of the ACM Software System Award (2018), for developing Wireshark, an exceptional tool for network traffic analysis. I extend my appreciation to Bradley Duncan for his insightful blogs on malware analysis, which provided meaningful guidance and learning resources for this project.
I am grateful to my peers for their valuable suggestions and discussions, and to my friends who supported me during the completion of this assignment. I also extend my heartfelt thanks to my family for their constant encouragement and support.
Finally, I acknowledge the use of AI-assisted tools, which helped in structuring the analysis and improving clarity while interpreting complex network data.
Author
Mr. Shubham, II year B.Tech. CSE student, School of Computer Science and Engineering, VIT Chennai
Date published: 09/04/2026


This is really good, your use of Wireshark is clear and well explained. I liked how you connected multiple indicators instead of just one, it makes the analysis feel more complete. Great job!
Nice work! I like how you used more than one indicator instead of just one, because it makes your analysis stronger.
Impressive work! The correlation of multiple network indicators and use of protocol-level analysis shows a strong understanding of malware traffic patterns.
Great work! The concept of malware presence has been thoroughly explained here, and using apt screenshots made it more clear!
Great analysis! I like how you used a layered approach combining DNS, HTTP, and TCP indicators. It clearly shows how correlating multiple artifacts strengthens malware detection accuracy.
Well done! The way you combined DNS, HTTP, and TCP observations to support your findings really strengthens the analysis and shows a solid understanding of traffic behavior.
This is awesome work! Dropping the exact Wireshark filters in the post makes it super helpful if anyone wants to try and replicate it. Using the DHCP fingerprinting to confirm the infected host was a really smart catch too.
Well structured and easy to follow. The conclusions drawn from multiple indicators make the analysis very reliable. Keep up the good work!
Very well structured and easy to follow. The practical demonstration using Wireshark made the concepts much clearer.
Excellent analysis and excellent use of resources for demonstration. Keep up the good work!
Excellent walkthrough! Wireshark is such a powerful tool for malware confirmation, and your step-by-step analysis makes the complexity of packet inspection easy to follow. Looking forward to the next post!
Very insightful blog! The use of Wireshark to identify suspicious patterns and anomalies is clearly demonstrated. The step-by-step approach makes even complex analysis easy to follow.
Excellent work Shubham. Loved how you thought of the External Validation segment; otherwise in such assignments people often remain rigid with respect to the tool that they prefer (Wireshark). Glad that you were able to look beyond that. Keep up the good work!
Good job Shubham, the complexity of the blog is just enough for a beginner to understand everything without losing too much information. I also liked that you used multiple Wireshark indicators to show the problem from every aspect.
Really well done! I liked how you correlated multiple indicators like DNS, HTTP, and TCP instead of relying on just one—it makes the analysis much stronger and more realistic. External validation with VirusTotal was a great touch too.