Monitoring for threats

Monitoring for threats takes one of three forms:

  • Proactive: Monitoring your systems and preventing threats with a device such as an IDS (which detects and alerts) or an IPS (which also blocks)
  • Reactive: A system has already fallen victim to an attack; the incident response team contains and manages the incident, followed by a forensic examination
  • Active: Hunting for threats by conducting packet analysis and reviewing log files

Wireshark can help the security analyst take an active role in monitoring for threats. Wireshark itself does not generate alerts, but it works well alongside an IDS: the IDS raises the alert, and Wireshark is used to investigate the flagged traffic and decide whether it is actually malicious.

For example, while using Snort (an open source IDS), the sensor produced the following alert, which may indicate malicious activity on the protected network:

DELETED WEB-MISC text/html content-type without HTML – possible malware C&C (Detection of a non-standard protocol or event) [16460] 

This alert fires when an HTTP response declares a text/html content type but the body contains no HTML, a pattern seen when an infected host checks in with a command-and-control (C&C) server and the botmaster's instructions, or information gathered on the network, are disguised as ordinary web traffic. The security analyst should act immediately: note the source and destination addresses in the alert, run a capture on the segment where the internal host sits, and filter on that conversation to confirm the traffic and identify the host before mitigating the threat.
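To show what the analyst is looking for in the capture, here is the heuristic behind that alert written out as a small triage script. This is an added example, not code from the book or from Snort; it parses raw HTTP/1.x responses, flags any that claim text/html but carry no HTML markup, and returns the client/server pairs worth capturing next. The sample flows, addresses and base64 body are constructed for the example, and the tag list used to decide "looks like HTML" is an assumption, not Snort's actual rule logic.

```python
"""Flag HTTP responses that declare text/html but carry no HTML markup.

Added example (not the book's or Snort's code). It mirrors the idea behind
the quoted alert: an HTML content type on a body that is not HTML, which is
one pattern malware C&C uses to hide behind ordinary-looking web traffic.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: a body that never opens one of these tags is "not HTML".
HTML_TAG = re.compile(rb"<\s*(!doctype|html|head|body|div|script|meta|title)\b", re.I)


def parse_http_response(raw: bytes) -> Optional[Tuple[int, Dict[str, str], bytes]]:
    """Split a raw HTTP/1.x response into (status, headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        status = int(parts[1])
    except ValueError:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:  # header names are case-insensitive; normalise to lower case
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def looks_like_non_html_html(raw: bytes, min_body: int = 16) -> bool:
    """True when Content-Type says text/html but the body has no HTML tags."""
    parsed = parse_http_response(raw)
    if parsed is None:
        return False
    _status, headers, body = parsed
    # Drop parameters such as "; charset=utf-8" before comparing the media type.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/html":
        return False
    if len(body) < min_body:  # empty or tiny bodies (redirects, 204s) are noise
        return False
    return HTML_TAG.search(body) is None


def triage(flows: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str]]:
    """Return (client, server) pairs whose response matches, for follow-up capture."""
    return [(client, server) for client, server, resp in flows if looks_like_non_html_html(resp)]


# Constructed sample flows: (internal client, external server, raw response).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
     b"<!DOCTYPE html><html><head><title>Hi</title></head></html>"),
    # text/html with an opaque base64 blob and no markup: the pattern the alert targets
    ("10.0.0.7", "198.51.100.23",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: nginx\r\n\r\n"
     b"Y21kOnNsZWVwIDMwMDtiZWFjb246NjAwCg=="),
    ("10.0.0.9", "203.0.113.44",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
     b"this is just a plain text file without any tags"),
    ("10.0.0.5", "203.0.113.10",
     b"HTTP/1.1 302 Found\r\nLocation: /login\r\nContent-Type: text/html\r\n\r\n"),
]

if __name__ == "__main__":
    for client, server in triage(SAMPLE_FLOWS):
        print(f"capture on the segment of {client}; filter ip.addr == {server}")
```

Only the second flow is reported. In Wireshark the same check is a matter of applying a display filter such as `http.content_type contains "text/html"` together with `ip.addr ==` the host named in the alert, then reading the response bodies in Follow TCP Stream to see whether they are actually pages or encoded commands.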

Industry also sees the value of Wireshark for threat monitoring. For example, in Cisco's CCNA Cyber Ops certification prep course, students learn how to observe and monitor for unusual traffic patterns using Wireshark as they hone their skills in preparation for working alongside cybersecurity analysts within a Security Operations Center (SOC).

In order to determine what traffic is unusual, or to properly troubleshoot the network, you must first know what normal network activity looks like. This is achieved by establishing a baseline, as outlined in the following section.
