Filter Encrypted Web Traffic

Wireshark · Beginner

Introduction

In this challenge, you will step into the role of a junior cybersecurity analyst investigating a potential data breach at Cybertech Industries. The security team has detected unusual network activity during off-hours and provided you with a packet capture file containing the suspicious network traffic.

Your task is to use Wireshark to analyze the provided packet capture file by creating a display filter that isolates only the encrypted HTTPS traffic (TCP port 443). This filtering technique will help you focus on potentially sensitive communications that may be related to the suspected breach. Once you've created the appropriate filter, you'll save it to a text file for documentation purposes.


Skills Graph

Wireshark → Display Filters → Lab skill: "Filter Encrypted Web Traffic" (lab-548806)

Hunt Suspicious HTTPS Traffic

As a junior cybersecurity analyst, you're investigating a potential data breach at Cybertech Industries. The security team discovered unusual network activity during off-hours and needs your help. They've provided a packet capture file containing network traffic from when the suspicious activity occurred.

Tasks

  • Use Wireshark's display filter to show only encrypted HTTPS traffic by filtering for TCP port 443

Requirements

  • Open the suspicious_traffic.pcapng file located in the ~/project directory using Wireshark
  • Create a display filter to isolate only the HTTPS traffic (TCP port 443)
  • Save your filter as https_filter.txt in the ~/project directory, containing only the filter expression (one line only)

Examples

When you successfully apply the correct filter, you should see something like this:

[Screenshot: Wireshark with the HTTPS filter applied]

The displayed packets should only include those using TCP port 443, which is the standard port for HTTPS traffic. Because tcp.port matches the port in either direction, both the client-to-server and the server-to-client packets of each session are kept. Keep in mind that a port-based filter is a heuristic, not proof of encryption: TLS can be served on other ports (8443 is common) and non-TLS traffic can be sent to port 443. When you want to match on the protocol rather than the port, Wireshark's tls filter selects packets its TLS dissector recognizes, regardless of port.

Your saved filter file should contain only the filter expression, for example:

ip.addr == 8.8.8.8

(Note: This is just an example of a filter format, not the solution)

Hints

  • In Wireshark, display filters are entered in the filter bar at the top of the main window; the bar turns green when the expression is syntactically valid and red when it is not
  • The filter expression should reference the TCP port number that is the standard port for HTTPS traffic
  • Port numbers can be referenced using tcp.port in filter expressions; tcp.port matches either the source or the destination port, while tcp.srcport and tcp.dstport match only one direction
  • Review the section on "Using Display Filters" from the lab for more guidance
  • Make sure you save only the filter expression text in your filter file, on a single line, without any additional text, comments or explanations
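To make the port-based filter concrete, the following is an added example (not part of the lab, and not Wireshark's own code) that builds a small pcapng capture in memory from constructed Ethernet/IPv4/TCP frames, then applies the same test that a tcp.port == N display filter applies: keep the packet if N is the source port or the destination port. The capture contents, addresses and ports are all made up for the demonstration, and the helper that checks the filter file only enforces the lab's "one line, nothing else" requirement, not Wireshark's filter grammar.

```python
"""Added example: what a tcp.port-style display filter selects, shown on a
constructed pcapng capture. Standard library only; runs offline."""
import struct


def _block(block_type, body):
    # pcapng block layout: type, total length, body padded to 4 bytes, total length again
    pad = (-len(body)) % 4
    total = 12 + len(body) + pad
    return struct.pack("<II", block_type, total) + body + b"\0" * pad + struct.pack("<I", total)


def build_tcp_frame(src_ip, sport, dst_ip, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame (checksums left at zero; constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_pcapng(frames):
    """Section Header Block + Interface Description Block (Ethernet) + one EPB per frame."""
    shb = _block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    idb = _block(1, struct.pack("<HHI", 1, 0, 65535))  # linktype 1 = Ethernet
    epbs = b"".join(
        _block(6, struct.pack("<IIIII", 0, 0, 0, len(f), len(f)) + f) for f in frames
    )
    return shb + idb + epbs


def iter_frames(data):
    """Yield the captured bytes of every Enhanced Packet Block in a pcapng buffer."""
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12:
            break  # malformed block; stop rather than loop forever
        if btype == 6:  # Enhanced Packet Block: header(8) + 5 x uint32, then packet data
            cap_len = struct.unpack_from("<I", data, off + 20)[0]
            yield data[off + 28: off + 28 + cap_len]
        off += blen


def tcp_ports(frame):
    """Return (srcport, dstport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 (e.g. ARP)
        return None
    if frame[23] != 6:  # IPv4 protocol field is not TCP
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4
    if len(frame) < tcp_off + 4:
        return None
    return struct.unpack_from("!HH", frame, tcp_off)


def matches_tcp_port(frame, port):
    """Same semantics as Wireshark's tcp.port == port: either direction matches."""
    ports = tcp_ports(frame)
    return ports is not None and port in ports


def filter_capture(data, port=443):
    """(srcport, dstport) of every frame the port filter would keep, in capture order."""
    return [tcp_ports(f) for f in iter_frames(data) if matches_tcp_port(f, port)]


def filter_file_is_valid(content):
    """The lab wants exactly one non-empty line containing only the filter expression."""
    lines = [ln for ln in content.splitlines() if ln.strip()]
    return len(lines) == 1 and lines[0] == content.strip()


def sample_capture():
    """Constructed capture: one HTTPS exchange, plain HTTP, TLS on 8443, and an ARP frame."""
    arp = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28
    return build_pcapng([
        build_tcp_frame("10.0.0.5", 51234, "93.184.216.34", 443),   # client -> server
        build_tcp_frame("93.184.216.34", 443, "10.0.0.5", 51234),   # server -> client
        build_tcp_frame("10.0.0.5", 40000, "10.0.0.1", 80),         # plain HTTP, excluded
        build_tcp_frame("10.0.0.5", 40001, "10.0.0.9", 8443),       # TLS on 8443, missed
        arp,                                                         # not IPv4, excluded
    ])


if __name__ == "__main__":
    cap = sample_capture()
    print("port 443 keeps:", filter_capture(cap))        # both directions of the session
    print("port 8443 keeps:", filter_capture(cap, 8443))  # the port filter is port-specific
```

Running it shows the two properties worth remembering: the filter keeps both directions of the port 443 session, and it silently misses the TLS session on 8443, which is why a protocol-based filter is the better choice when you care about encryption rather than the port number.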

Summary

In this challenge, I worked as a junior cybersecurity analyst investigating a potential data breach at Cybertech Industries by analyzing suspicious network traffic. Using Wireshark, I learned how to create and apply display filters to isolate encrypted HTTPS traffic by focusing specifically on TCP port 443 communications.

The exercise required opening a provided packet capture file, applying the appropriate filter syntax in Wireshark's display filter bar, and saving the filter expression to a text file. This practical skill is essential for security analysts who need to quickly identify and examine encrypted web traffic during security investigations, allowing them to focus on relevant packets while filtering out unrelated network communications.