**Wireshark: Identifying Common Protocols**
Objective: Analyze and document the identification of common network protocols in Wireshark.

**1. ICMP (Ping) Packet Analysis**
Goal: Locate and examine ICMP packets to understand how ping operates.
Wireshark Filter: icmp
Analysis Steps:
Identify ICMP Echo Request and Echo Reply packets.
Note source and destination IP addresses.
Observe the sequence number and response times.


**2. DNS Query Identification**
Goal: Locate and analyze DNS queries and responses.
Wireshark Filter: dns
Analysis Steps:
Identify query and response pairs.
Note the requested domain names.
Determine whether DNS is using UDP or TCP.

**3. TLS Traffic Detection**
Goal: Identify encrypted traffic using TLS.
Wireshark Filter: tls
Analysis Steps:
Observe the handshake process.
Identify TLS versions (e.g., TLS 1.2 vs. TLS 1.3).
Determine which applications are using TLS.

**Echo Request**

The ping 8.8.8.8 -n 4 command was executed to send ICMP Echo Request packets to Google's public DNS server (8.8.8.8), testing network connectivity and measuring response times. Each request packet contained 32 bytes of data by default and included an identifier and sequence number to track responses. Upon reaching Google's server, an ICMP Echo Reply was returned for each request, confirming successful communication. The responses included round-trip time (RTT) measurements and a Time to Live (TTL) value, indicating the number of hops taken to reach the destination and return. This initial command-line test provided a basic verification of network reachability and performance.

**ping 8.8.8.8 -n 4**

This sends 4 ICMP Echo Request packets to Google’s public DNS server (8.8.8.8).

Command Line: **C:\Users\Steve>ping 8.8.8.8 -n 4**


Command Line Output:
**Pinging 8.8.8.8 with 32 bytes of data:**
Your computer is sending ICMP Echo Request packets to 8.8.8.8 (Google’s public DNS server).
Each packet contains 32 bytes of data (default payload size for ping on Windows).
This tests connectivity and response time between your computer and 8.8.8.8.



Reply from 8.8.8.8: bytes=32 time=25ms TTL=56
Reply from 8.8.8.8: bytes=32 time=31ms TTL=56
Reply from 8.8.8.8: bytes=32 time=35ms TTL=56
Reply from 8.8.8.8: bytes=32 time=30ms TTL=56

Reply from 8.8.8.8	The destination (8.8.8.8) responded with an ICMP Echo Reply packet.
bytes=32	The reply packet contains 32 bytes of data (same as the request).
time=25ms, 31ms, 35ms, 30ms	The round-trip time (RTT) for each packet in milliseconds (ms), measuring network latency.
TTL=56	Time-to-Live value, showing how many hops (routers) the packet traveled before being received.
Your Windows ping started at TTL = 128.
It traveled 8 hops to reach Google (8.8.8.8).
Google’s reply started with TTL = 64.
That reply traveled 8 hops back to you.
By the time it arrived, the TTL had decreased to 56.
The 56 you see is from Google’s reply, not your original packet.


Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 25ms, Maximum = 35ms, Average = 30ms

C:\Users\Steve>

Interpretation:

Minimum = 25ms → The fastest round-trip time (best case).
Maximum = 35ms → The slowest round-trip time (worst case).
Average = 30ms → The average round-trip time across the 4 packets.

Network Health Check:

Consistent times (e.g., 25-35ms) → Network is stable.
Large variation (e.g., 25ms to 150ms) → Possible network congestion or routing issues.
High times (>100ms) → Indicates slow response, likely due to long-distance routing.
Final Summary
✅ This  network is functioning properly:

ICMP Echo Requests & Replies were successful.
No packet loss (0%) = Strong connection.
Latency (25-35ms) = Normal response time to 8.8.8.8.
TTL (56) indicates multiple hops (routers) between your computer and Google.










After confirming successful ICMP Echo Request and Reply exchanges in the command line, we applied an ICMP filter in Wireshark to perform a more detailed analysis of individual packets. This allows us to inspect network traffic at a granular level, verifying the structure and behavior of the packets in real-time. Frame 131018, an ICMP Echo Request sent to Google's public DNS server (8.8.8.8), was selected for analysis to examine the underlying details, including source and destination IP addresses, MAC addresses, checksum validation, sequence numbers, and response mapping. This step is crucial in cybersecurity for understanding network behavior, detecting anomalies, and validating expected traffic patterns, as attackers often manipulate ICMP for reconnaissance, denial-of-service (DoS) attacks, or network probing. By studying this frame, we gain deeper insights into how ICMP operates and how legitimate vs. malicious network traffic can be distinguished.

Although our initial ping 8.8.8.8 -n 4 command only sent four ICMP Echo Requests, the network traffic captured in Wireshark includes significantly more data because Wireshark records all activity on the selected network interface, not just the specific packets we initiated. This includes background network processes, additional ICMP messages, router responses, and potentially other devices on the same network generating traffic. Additionally, multiple ICMP-related frames can appear due to packet fragmentation, retries, and responses from intermediate routers. For example, if a router along the path drops a packet due to a TTL limit, it may generate an ICMP Time Exceeded message, which also appears in Wireshark. This high volume of related data is expected in live network captures and highlights why cybersecurity professionals must use filters and careful analysis to isolate relevant packets when investigating network behavior.

icmp
Apply an ICMP Filter in Wireshark
icmp and ip.dst == 8.8.8.8
This will only show ICMP packets sent to Google.

**Frame 131018: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0**
Frame Number	131018	This is the packet's position in the capture.
Captured Bytes	106 bytes	Total size of the packet on the wire.
Interface: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3} → The specific network adapter that recorded the packet (Wi-Fi or Ethernet).
ID 0: This packet was recorded on the first detected network interface in Wireshark.


**Ethernet II, Src: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a), Dst: Commscope_49:ac:e0 (10:93:97:49:ac:e0)**
"Ethernet II" (the protocol layer) → Refers to the Ethernet v2 (DIX) frame format, which is the standard used in modern networking.
Source MAC Address	e0:ad:47:20:d9:0a	Your computer's MAC address.
Destination MAC Address	10:93:97:49:ac:e0	The MAC address of your router (Commscope device).

**Internet Protocol Version 4, Src: 192.168.1.185, Dst: 8.8.8.8**
 Internet Protocol Version 4 (IPv4) in this packet indicates that the communication between my computer and Google's public DNS server (8.8.8.8) is using the older, widely adopted 32-bit addressing system instead of the newer IPv6 protocol.
Source IP Address	192.168.1.185	This is your computer’s private IP address.
Destination IP Address	8.8.8.8	This is Google’s public DNS server.

**Internet Control Message Protocol**
    **Type: 8 (Echo (ping) request)**
    **Code: 0**
    ICMP Type	8 (Echo Request)	This means it's a ping request (outbound).
    ICMP Code	0	Standard code for Echo Request.
    Type 8 means "This is a ping request," and Code 0 is just the expected value for a normal Echo Request. 🚀

      
**Checksum: 0xf7e3 [correct]**
**[Checksum Status: Good]**
Checksum	0xf7e3 [correct]	Confirms no corruption in transmission.

         
**Identifier (BE): 1 (0x0001)**
**Identifier (LE): 256 (0x0100)**
Identifier (BE/LE)	1 (0x0001) / 256 (0x0100)	Used to match request/reply pairs.

         
**Sequence Number (BE): 27 (0x001b)**
**Sequence Number (LE): 6912 (0x1b00)**
Sequence Number	27 (0x001b)	Tracks request numbers in the ping sequence.

         
**[Response frame: 131019]**
Response Frame	131019	This points to the matching reply packet.

           
**Data (64 bytes)**
**Data: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000**
**[Length: 64]**
Data (Payload)	64 bytes	Standard ICMP data section (all zeros in this case).The 64-byte data payload in ICMP packets is primarily included for diagnostic purposes. It allows the sender to compare sent and received packets to detect issues like packet loss, corruption, or delays. While often filled with zeros by default, some systems use this space to send custom data for network troubleshooting.
 
















### **ICMP Echo Reply Packet Analysis (Frame 131019)**  

After confirming successful **ICMP Echo Request and Reply** exchanges in the command line, we applied an **ICMP filter** in Wireshark to examine the reply behavior. This step is critical in network diagnostics as it verifies that the ping request was received and responded to correctly. Analyzing the reply helps confirm connectivity, response times, and potential network delays.  

Frame **131019**, the **ICMP Echo Reply** from Google's public DNS server (**8.8.8.8**) to our system (**192.168.1.185**), was selected for analysis. We previously analyzed Frame 131018, an ICMP Echo Request sent to 8.8.8.8, which contained metadata indicating that Frame 131019 would be the corresponding Echo Reply. This direct mapping allowed us to locate and verify the response in Wireshark. This allows us to inspect how ICMP responses are structured and how they match with their corresponding Echo Requests. Understanding ICMP replies is crucial in cybersecurity since attackers often exploit ICMP for **spoofing, denial-of-service (DoS) attacks, or covert data exfiltration techniques like ICMP tunneling**.  

By studying this reply, we verify:
- **Correct response mapping** (matching request sequence numbers).  
- **Expected source/destination reversal** (reply comes from 8.8.8.8).  
- **Checksum validation** to confirm data integrity.  
- **Response time measurement** for latency analysis.  


### **Wireshark ICMP Filter Command**
**icmp and ip.src == 8.8.8.8**

**Frame 131019: 106 bytes on wire (848 bits), 106 bytes captured (848 bits) on interface \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3}, id 0**
Frame Number: 131019 → This is the packet's position in the capture.
Captured Bytes: 106 bytes → Total size of the packet on the wire.
Interface: \Device\NPF_{EAF66F3F-8F00-47F0-827E-72FB128923A3} → The network adapter that recorded the packet.
ID: 0 → This packet was recorded on the first detected network interface in Wireshark.


**Ethernet II, Src: Commscope_49:ac:e0 (10:93:97:49:ac:e0), Dst: e0:ad:47:20:d9:0a (e0:ad:47:20:d9:0a)**
Ethernet II → The Ethernet v2 (DIX) frame format, the standard used in modern networking.
Source MAC Address: 10:93:97:49:ac:e0 → The MAC address of the router (Commscope device).
Destination MAC Address: e0:ad:47:20:d9:0a → Your computer's MAC address.

**Internet Protocol Version 4, Src: 8.8.8.8, Dst: 192.168.1.185**
Internet Protocol Version 4 (IPv4) → Confirms communication using the 32-bit addressing system.
Source IP Address: 8.8.8.8 → The IP address of Google's DNS server.
Destination IP Address: 192.168.1.185 → Your computer’s private IP address.

**Internet Control Message Protocol (ICMP)**
**Type: 0 (Echo (ping) reply)** → Confirms this is an ICMP reply.
**Code: 0** → Standard code for Echo Reply.
**Checksum: 0xffe3 [correct]** → Confirms that the packet integrity is valid.
**Checksum Status: Good** → No corruption detected.

**Request/Response Matching**
**Identifier (BE): 1 (0x0001)**
**Identifier (LE): 256 (0x0100)**
Identifiers used to match request/reply pairs.

**Sequence Number (BE): 27 (0x001b**)
**Sequence Number (LE): 6912 (0x1b00)**
Tracks request numbers in the ping sequence.

**Request Frame: 131018** → This reply corresponds to the Echo Request in Frame 131018.

**Response Time: 25.819 ms** → The round-trip time for the ICMP request and reply.

**Data (64 bytes)***
**Data: 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000**
**Length: 64 bytes** → Standard ICMP data section (all zeros in this case).

🔹 Why is the ICMP Echo Reply Payload Important?
The 64-byte data payload is used for diagnostic purposes. It allows the sender to verify if the data in the request was received unchanged. Some systems customize this data for network performance testing, but by default, it is filled with zeros.

**Summary & Key Takeaways**
The ICMP Echo Reply (Frame 131019) confirms the response from Google’s 8.8.8.8 to the Echo Request (Frame 131018).
The source and destination IPs are reversed, as expected in a valid reply.
Checksum validation confirms that the packet was received without corruption.
The sequence number matches, ensuring the reply corresponds to the correct request.
The round-trip time (25.819 ms) provides a measure of network latency.
The 64-byte payload is included for integrity verification and diagnostic purposes.
**This analysis provides a foundational understanding of how ICMP functions at a packet level, how responses are validated, and how network engineers and security professionals can detect abnormalities in ICMP traffic.**




 **DNS Query Identification and Analysis**

 **Overview**
In this section, we captured and analyzed **Domain Name System (DNS) queries and responses** using Wireshark. DNS is a critical protocol in networking and cybersecurity, allowing domain names (e.g., `google.com`) to be resolved into IP addresses. Understanding DNS traffic is essential for detecting network anomalies, identifying malicious domain lookups, and ensuring proper network functionality.

 **Captured DNS Query and Response**
 
 **📌 Frame 71: DNS Query**
- **Transaction ID:** `0x0005`  
- **Query Name:** `google.com`  
- **Query Type:** `AAAA` (IPv6 address request)  
- **Protocol Used:** **UDP** (Port `53`)  
- **Recursion Desired:** **Yes** (DNS server asked to fully resolve request)  
- **Source IP (Our System - IPv6):** `2600:1700:a3a0:d90:2134:655a:4aca:8139`  
- **Destination IP (DNS Server - IPv6):** `2600:1700:a3a0:d90::1`  

 **📌 Frame 72: DNS Response**
- **Transaction ID:** `0x0005` (Matches Query)  
- **Reply Code:** `No Error (0)` (Successful resolution)  
- **Number of Answers:** **4** (DNS returned four IPv6 addresses for `google.com`)  
- **Recursion Available:** **Yes** (DNS server resolved request fully)  
- **Source IP (DNS Server - IPv6):** `2600:1700:a3a0:d90::1`  
- **Destination IP (Our System - IPv6):** `2600:1700:a3a0:d90:2134:655a:4aca:8139`  

---

 **🔹 Analysis of the DNS Query and Response Pair**
 **1️⃣ What Happened in This Exchange?**
- Our system sent a **DNS query** requesting the **IPv6 (AAAA) record for `google.com`**.
- The DNS server **received the request, processed it, and returned four valid IPv6 addresses**.
- The total response time for this exchange was **26.13 milliseconds (ms)**, indicating a fast resolution.

 **2️⃣ How We Verified the Query-Response Relationship**
- We matched the **Transaction ID (`0x0005`)** between the query and response.
- The **response contained an "Answer Section"** with four valid IP addresses.
- The **source and destination IPs were reversed in the response**, confirming correct communication.

 **3️⃣ Why This Analysis Is Important in Cybersecurity**
- **DNS traffic is a prime target for attackers.** Malicious actors often manipulate DNS to redirect users to phishing sites or command-and-control servers.
- **Threat actors use DNS tunneling** to exfiltrate data covertly. Analyzing DNS queries can help detect **suspicious activity**.
- **DNS hijacking and spoofing attacks** can compromise entire networks. Monitoring DNS traffic helps ensure domain resolutions are legitimate and secure.
- **Incident response teams rely on DNS analysis** to trace unauthorized lookups, identify compromised devices, and block malicious domains.

 **4️⃣ Key Cybersecurity Takeaways**
✅ **DNS resolution is fundamental to network communication.**  
✅ **Analyzing DNS queries helps detect anomalies and cyber threats.**  
✅ **Matching query-response pairs allows verification of normal vs. suspicious traffic.**  
✅ **DNS monitoring is essential for security operations, penetration testing, and forensic investigations.**  

---

## **📌 Conclusion**
This section demonstrated how to **capture, filter, and analyze DNS queries and responses** in Wireshark. By successfully tracing a **real DNS resolution event**, we gained practical experience in monitoring network traffic and understanding how DNS plays a critical role in cybersecurity. This process is vital for identifying **malicious domain lookups, unauthorized DNS traffic, and potential cyber threats**. 

By mastering DNS analysis, cybersecurity professionals can **detect and prevent attacks that leverage DNS infrastructure**, making this an essential skill in both offensive and defensive security operations.

---



 **🔹 TLS Handshake Analysis in Wireshark**

 **Overview**
This section documents the **TLS 1.3 handshake** captured in Wireshark, analyzing the **Client Hello** and **Server Hello** packets. The TLS handshake establishes a secure connection between the client (**our computer**) and the server (**CNN’s web server, lightning.cnn.com**).

---

 **1️⃣ Client Hello (Frame 560)**
The **Client Hello** is the first step in the handshake, where the client (our computer) proposes security parameters.

 **🔹 Key Details:**
- **Client:** Dell OptiPlex 7070 (our computer)
- **Destination Server:** `lightning.cnn.com`
- **TLS Version Requested:** **TLS 1.3**
- **Session ID:** `6202c60b290ad863460d6eb325f7b8d301e6692a50bc6dc105491010c971255d`
- **Cipher Suites Offered:**  
  - `TLS_AES_128_GCM_SHA256`
  - `TLS_AES_256_GCM_SHA384`
  - `TLS_CHACHA20_POLY1305_SHA256`
  - Additional RSA and CBC cipher suites (less secure options)
- **Extensions Present:**
  - **SNI (Server Name Indication):** Specifies `lightning.cnn.com` so the server knows which subdomain is requested.
  - **ALPN (Application-Layer Protocol Negotiation):** Supports `h2` (HTTP/2) and `http/1.1`.
  - **Key Share:** Includes **Elliptic Curve Diffie-Hellman (ECDH) key exchange using x25519**.

  TLS extensions provide extra functionality beyond basic encryption.

SNI ensures traffic is sent to the correct server.
ALPN negotiates whether to use HTTP/2 (h2) or HTTP/1.1 for improved performance.
Key Share (ECDH x25519) ensures a secure encryption key exchange without exposing secrets.


---

 **2️⃣ Server Hello (Frame 674)**
The **Server Hello** is the response from CNN’s web server confirming security parameters.

 **🔹 Key Details:**
- **Server:** CNN Web Server (`lightning.cnn.com`)
- **TLS Version Selected:** **TLS 1.3**
- **Session ID:** `09c7974d64ff8b89f1a2ec52c1a4e288b800a9d8a1c2f86d07af02849e2e06e9`
In TLS 1.3, the session ID is not a critical field for session resumption. Instead, session resumption relies on the pre_shared_key extension and session tickets. That’s why the session IDs in Client Hello and Server Hello do not have to match.
- **Cipher Suite Selected:** **TLS_AES_128_GCM_SHA256**
  - **AES-128 GCM** provides **encryption**.
  - **SHA-256** ensures **message integrity**.
- **Key Extensions Found:**
  - **Pre-Shared Key Extension (PSK):** Used for **session resumption** to reconnect securely without a full handshake.
  - **Key Share Extension:** Server provides **its public key** to complete key exchange.
  - **Supported Versions:** Confirms `TLS 1.3` is being used.

---

 **3️⃣ Transition to Encrypted Communication**
- **The Change Cipher Spec message signals the transition from plaintext to encrypted communication.**
- From this point onward, all TLS messages are **encrypted** (e.g., Certificate, Finished, Application Data).

**Key Takeaways**

1️⃣ TLS 1.3 Handshake: Efficient and Secure
Faster: Fewer round trips improve connection speed. The client sends key share values immediately in the Client Hello, allowing key exchange in one round trip instead of two.
More Secure: Enforces forward secrecy, meaning past communications cannot be decrypted even if future encryption keys are compromised. Removes insecure cryptographic functions (e.g., static RSA key exchange, SHA-1).

2️⃣ Session Resumption with PSK (Pre-Shared Key):
Purpose: If the client previously connected, it can skip the full handshake and resume securely using a pre-shared key (PSK).
Benefit: Reduces overhead, improving performance and latency (especially useful for mobile or frequently reconnected devices).
How It Works: The server issues a session ticket after the first connection, which the client presents when reconnecting.

3️⃣ Elliptic Curve Cryptography (X25519) for Key Exchange:
What It Does: Securely establishes a shared secret between client and server via Diffie-Hellman key exchange without exposing the key in transit.
Why X25519? It’s a widely adopted elliptic curve that provides strong security with excellent performance (faster than older Diffie-Hellman methods).
Key Share Extension: Used in TLS 1.3 for securely sharing public keys as part of the handshake.

4️⃣ TLS 1.3 Eliminates Weak Encryption:
Legacy methods removed:
❌ RSA key exchange (lacked forward secrecy).
❌ SHA-1 hashing algorithm (prone to collisions).
Only secure cipher suites allowed:
Example: AES-GCM and ChaCha20 (authenticated encryption with integrity protection).
Why It Matters: Mitigates downgrade attacks and prevents attackers from exploiting older, weaker algorithms.

 




 **Conclusion: Identifying Common Protocols in Wireshark**  

This project served as an **introductory deep dive into Wireshark**, focusing on analyzing three fundamental network protocols: **ICMP (ping), DNS, and TLS traffic.** Each section provided insight into how these protocols function, how they appear in Wireshark, and their significance in **cybersecurity investigations**.  

---

 **1️⃣ ICMP Ping Packet Analysis**  
 
 **Purpose in Cybersecurity:**  
- ICMP (Internet Control Message Protocol) is commonly used for **network diagnostics** (e.g., ping tests) but is also leveraged in **reconnaissance attacks** (e.g., scanning for active hosts).  

 **Key Takeaways from Wireshark Analysis:**  

- **ICMP Echo Requests and Replies** are identified by **Type 8 (request)** and **Type 0 (reply)** fields.  
- Each ping exchange includes **sequence numbers and response times**, useful for **latency analysis** or **detecting anomalies**.  
- Attackers often manipulate ICMP for **covert communications or DoS attacks**.  

 📌 **Real-World Relevance:**  
- **Defensive security:** Monitoring ICMP traffic helps **detect unauthorized scanning** or network mapping attempts.  
- **Network troubleshooting:** ICMP is essential for verifying network **reachability and response times**.  

---

 **2️⃣ DNS Query Identification**  
 
 **Purpose in Cybersecurity:**  
- DNS (Domain Name System) translates domain names (e.g., `google.com`) into IP addresses.  
- Attackers often exploit DNS for **tunneling, exfiltration, or command-and-control (C2) operations**.  

 **Key Takeaways from Wireshark Analysis:**  
- **DNS queries** (standard or reverse lookups) and **responses** are identified by **transaction IDs** for tracking request-response pairs.  
- DNS primarily uses **UDP (port 53)** but falls back to **TCP** for large responses.  
- **DNS hijacking, spoofing, and tunneling** can be detected by **analyzing suspicious queries** or **unusual query rates**.  

 📌 **Real-World Relevance:**  
- **Incident response:** DNS monitoring is crucial for **detecting malware using DNS for communication** (e.g., DNS tunneling).  
- **Network forensics:** Identifying anomalous DNS traffic can **uncover phishing attempts** or **malware infections**.  

---

 **3️⃣ TLS Traffic Detection**  
 
 **Purpose in Cybersecurity:**  
- TLS (Transport Layer Security) **encrypts communication**, securing protocols like **HTTPS, SMTP, and VPNs**.  
- Analyzing TLS handshakes helps verify **secure connections, detect weak encryption, and prevent interception**.  

 **Key Takeaways from Wireshark Analysis:**  
- 
**Client Hello and Server Hello** contain **supported encryption methods, session IDs, and key exchange parameters.**  
- **TLS 1.3 is more secure and efficient**, enforcing **forward secrecy** and eliminating weak cryptographic algorithms.  
- **Session resumption (PSK)** allows faster re-establishment of secure sessions without a full handshake.  
- **TLS traffic inspection is crucial for detecting:**  
  - **Man-in-the-Middle (MitM) attacks**  
  - **Untrusted certificates**  
  - **Deprecated encryption protocols** (e.g., TLS 1.0, 1.1)  

 📌 **Real-World Relevance:**  
- **Defensive security:** Organizations use TLS analysis to **detect suspicious SSL/TLS traffic** and **prevent eavesdropping**.  
- **Penetration testing:** Red teams examine **weak cipher suites or outdated TLS versions** for potential **exploitation**.  

---

 **Final Thoughts: The Role of Wireshark in Cybersecurity**  
This project **introduced fundamental network protocols and how they are analyzed in Wireshark**, highlighting their significance in **cybersecurity monitoring and incident response**.  

🔹 **ICMP analysis** helps detect **network scanning, availability issues, and potential DoS attacks**.  
🔹 **DNS inspection** is critical for identifying **malware activity, exfiltration attempts, and domain hijacking**.  
🔹 **TLS analysis** ensures **secure encrypted communications and helps identify weak encryption practices**.  

✅ **Wireshark is an invaluable tool in cybersecurity, used for traffic analysis, forensic investigations, and security assessments.** This introductory project laid the groundwork for deeper exploration into **packet analysis, encrypted traffic inspection, and intrusion detection**.  

#### 📌 **Next Steps:** Future projects may explore advanced topics such as **malware traffic analysis, intrusion detection system (IDS) integration, and encrypted payload decryption techniques.**  

---

