Analysis of Packet Rate in Malware Network Traffic using Wireshark


INTRODUCTION

In modern computer networks, malware plays a significant role in compromising system security through abnormal communication patterns. Malware-infected systems often generate unusual network traffic characterized by sudden spikes and irregular packet transmission. Analyzing such traffic helps in identifying potential threats and understanding attacker behavior.

Wireshark, a widely used network protocol analyzer, enables deep inspection of packet-level data. In this experiment, packet rate analysis is performed on a malware-infected traffic dataset to detect anomalies and confirm the presence of malicious activity.


OBJECTIVES

  • To analyze packet rate variation in malware network traffic
  • To identify abnormal spikes indicating malicious communication
  • To study traffic patterns of an infected host system
  • To detect command-and-control communication behavior
  • To correlate packet bursts with malware activity

PCAP DOWNLOAD LINK

https://www.malware-traffic-analysis.net/2020/04/24/index.html

PCAP FILE SOURCE

https://www.malware-traffic-analysis.net/

GITHUB REPOSITORY

https://github.com/ieee74045/Network-Analysis-DA


PCAP DESCRIPTION

The PCAP dataset represents real-world network traffic generated from a Qakbot-infected host system. It primarily consists of HTTP-based communication along with TCP, UDP, and DNS protocols, exhibiting characteristics such as irregular packet bursts, repeated connections, and non-uniform traffic patterns. These features indicate automated command-and-control (C2) activity, potential data exfiltration, and stealth communication behavior. The dataset provides a realistic environment for analyzing malware-driven network anomalies and understanding adversarial communication strategies.


ARCHITECTURE OF WORK



PROCEDURE

  1. The PCAP file was imported into Wireshark for detailed network analysis.
  2. The appropriate network interface and captured dataset were selected.
  3. Initial packet capture overview was examined to understand traffic flow.
  4. Protocol filters such as HTTP and TCP were applied to isolate relevant packets.
  5. Suspicious packets and streams were identified using filtering techniques.
  6. The I/O Graph feature was used to analyze packet rate over time.
  7. Traffic patterns such as spikes, bursts, and fluctuations were observed.
  8. Detailed packet inspection was performed to analyze headers and payload data.
  9. Multiple screenshots were captured to document different traffic behaviors.
  10. Observations were recorded and analyzed to confirm the presence of malware activity. 
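
The packet-rate view that the I/O Graph steps of this procedure produce can be reproduced outside Wireshark, which helps when many captures have to be screened or when a spike has to be located precisely in time. The Python script below is an added example and is not part of the original report or of the Wireshark project: it parses libpcap record headers directly (no third-party library), bins packets into one-second intervals as the I/O Graph does with Y Axis = Packets and Y Axis = Bits, and flags intervals whose packet count stands far above the median as candidate bursts. The capture it analyses is a constructed byte string with made-up timestamps and frame sizes, not the Qakbot PCAP from malware-traffic-analysis.net; to run it on a real file, pass the file's bytes to io_graph(parse_pcap(data)). The header layout and magic numbers are the documented libpcap format; pcapng files are out of scope for this example.

```python
import statistics
import struct

# libpcap magic numbers: microsecond- and nanosecond-resolution timestamps
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def parse_pcap(data):
    """Yield (timestamp_seconds, captured_len, original_len) for every record in a libpcap buffer."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("truncated libpcap global header")
    # The magic number also reveals the byte order the file was written in.
    magic_le, = struct.unpack_from("<I", data, 0)
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    frac_divisor = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    record = struct.Struct(endian + "IIII")
    offset = GLOBAL_HEADER_LEN
    while offset + RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = record.unpack_from(data, offset)
        offset += RECORD_HEADER_LEN
        if offset + incl_len > len(data):
            break  # truncated final record: stop instead of reading past the buffer
        yield ts_sec + ts_frac / frac_divisor, incl_len, orig_len
        offset += incl_len


def io_graph(records, interval=1.0):
    """Bin records like Wireshark's I/O Graph: {interval_index: (packets, bits)}.
    Bits use the original on-the-wire length, as the Bits Y axis does."""
    bins = {}
    first_ts = None
    for ts, _captured, orig_len in records:
        if first_ts is None:
            first_ts = ts
        index = int((ts - first_ts) // interval)
        packets, bits = bins.get(index, (0, 0))
        bins[index] = (packets + 1, bits + orig_len * 8)
    return bins


def burst_bins(bins, factor=3.0):
    """Return interval indices whose packet count exceeds `factor` times the median of the
    non-empty intervals (floored at one packet): the spikes one would circle on the graph."""
    if not bins:
        return []
    median = statistics.median(packets for packets, _ in bins.values())
    threshold = factor * max(median, 1)
    return sorted(index for index, (packets, _) in bins.items() if packets > threshold)


def build_sample_pcap(packets):
    """Build a constructed little-endian microsecond pcap from (timestamp, frame_len) pairs.
    Frame bodies are zero-filled: rate analysis only needs the record headers."""
    out = bytearray(struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 65535, 1))
    for ts, length in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, length, length) + bytes(length)
    return bytes(out)


# Constructed sample: one 60-byte frame per second as baseline, then 25 large frames
# inside second 10, then two more quiet seconds. Not data from the Qakbot capture.
SAMPLE_PACKETS = (
    [(float(t), 60) for t in range(10)]
    + [(10.0 + i * 0.03, 1200) for i in range(25)]
    + [(11.0, 60), (12.0, 60)]
)


def analyse_sample(interval=1.0):
    """Return (bins, burst_indices) for the constructed sample."""
    bins = io_graph(parse_pcap(build_sample_pcap(SAMPLE_PACKETS)), interval)
    return bins, burst_bins(bins)


if __name__ == "__main__":
    bins, bursts = analyse_sample()
    for index in range(max(bins) + 1):
        packets, bits = bins.get(index, (0, 0))
        flag = "  <-- burst" if index in bursts else ""
        print(f"t={index:3d}s  packets={packets:3d}  bits/s={bits:7d}{flag}")
```

The factor of three times the median is a tuning choice rather than a rule: a capture that is bursty throughout raises the median and hides individual spikes, so the factor and the interval width should be checked against a known-clean capture from the same network before the output is used to triage a host.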

  

INFERENCES

Graph 1: Wireshark I/O Graph

Inference:
The graph shows multiple spikes in packet rate over time, indicating abnormal traffic behavior which strongly suggests malware activity. These spikes occur abruptly and do not follow a consistent pattern, which is uncommon in normal user-generated traffic. This behavior indicates automated communication, likely initiated by malicious processes.







Graph 2: Packet Rate Graph

Inference:
The packet rate fluctuates irregularly with sudden peaks, indicating burst traffic behavior typical of malware communication. Such fluctuations suggest that the system is periodically sending or receiving large amounts of data. This pattern is often associated with command-and-control (C2) communication or data exfiltration attempts.

Graph 3: Throughput Analysis

Inference:
The throughput shows unstable data transmission with sharp rises and drops, indicating suspicious network activity. This inconsistency reflects non-uniform data flow, which deviates from normal steady communication patterns. It suggests that the system may be intermittently transmitting malicious payloads or receiving instructions.

Graph 4: HTTP Traffic Analysis

Inference:
Multiple HTTP POST requests are observed, indicating communication between the infected system and external servers. These requests may contain encoded or encrypted data, suggesting possible data exfiltration. The use of HTTP helps malware blend with normal traffic and avoid detection.

Graph 5: TCP Communication

Inference:
Continuous TCP connections between the same source and destination indicate persistent communication typical of command-and-control activity. This ongoing interaction suggests that the infected system maintains a stable link with a remote server. Such persistence is a strong indicator of malware maintaining control over the system.
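
The persistence noted here (repeated connections between the same source and destination) and the periodic sending noted for Graph 2 can be measured rather than judged by eye: when the inter-arrival times of new connections to one peer have almost no spread, the client is a scheduled process, not a person. The script below is an added example, not part of the report or of Wireshark. Its input is a constructed list of connection-start events in the form (time_s, src, dst, dst_port), the shape obtained from Statistics → Conversations or from SYN packets (`tcp.flags.syn == 1 && tcp.flags.ack == 0`) exported to CSV; the hosts and times are made up and are not from the Qakbot capture.

```python
import statistics
from collections import defaultdict

# Constructed sample of new-connection events as (time_s, src, dst, dst_port). Hosts and
# times are invented (documentation address ranges); the first peer is contacted every 60 s,
# the second a few times at irregular moments, the third once.
SAMPLE_CONNECTIONS = (
    [(60.0 * i + 5.0, "10.0.0.5", "203.0.113.7", 443) for i in range(12)]
    + [(7.0, "10.0.0.5", "198.51.100.20", 80), (9.5, "10.0.0.5", "198.51.100.20", 80),
       (120.2, "10.0.0.5", "198.51.100.20", 80), (121.0, "10.0.0.5", "198.51.100.20", 80)]
    + [(300.0, "10.0.0.5", "192.0.2.9", 443)]
)


def group_by_peer(connections):
    """Collect connection start times per (src, dst, dst_port), sorted in time."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in connections:
        by_peer[(src, dst, port)].append(ts)
    return {peer: sorted(times) for peer, times in by_peer.items()}


def periodicity(times):
    """Return (count, mean_gap_s, coefficient_of_variation) of the inter-arrival gaps.
    CV = stdev / mean of the gaps: near 0 means a fixed interval (a scheduled check-in),
    around 1 or above means irregular, human-like timing. Fewer than three events give
    at most one gap, so no spread can be measured and None is returned for it."""
    if len(times) < 3:
        return len(times), None, None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    mean_gap = statistics.fmean(gaps)
    if mean_gap <= 0:
        return len(times), mean_gap, float("inf")
    return len(times), mean_gap, statistics.pstdev(gaps) / mean_gap


def find_persistent_peers(connections, min_connections=6, max_cv=0.2):
    """Flag peers contacted at least `min_connections` times at a near-constant interval."""
    flagged = []
    for peer, times in group_by_peer(connections).items():
        count, mean_gap, cv = periodicity(times)
        if count >= min_connections and cv is not None and cv <= max_cv:
            flagged.append((peer, count, round(mean_gap, 1), round(cv, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    for peer, count, mean_gap, cv in find_persistent_peers(SAMPLE_CONNECTIONS):
        print(f"{peer[0]} -> {peer[1]}:{peer[2]}  connections={count}  "
              f"mean gap={mean_gap}s  CV={cv}")
```

A CV cut-off of 0.2 tolerates the jitter that real check-ins show while still separating them from interactive browsing, whose gaps vary by far more than their mean. Both thresholds should be calibrated against a clean capture from the same network, and a hit is a lead for the packet-level inspection of Graph 6, not a verdict on its own.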


  




Graph 6: Packet Details Inspection

Inference:
Detailed packet analysis reveals encoded and structured data, indicating possible malicious payload transmission. The presence of unusual patterns or non-readable content suggests obfuscation techniques. This is commonly used by malware to hide its communication from detection systems.

Graph 7: Protocol-wise Traffic Comparison

Inference:
HTTP traffic dominates over TCP and UDP in the protocol breakdown, indicating that the malware primarily uses HTTP for stealth communication. (Wireshark labels each frame by its highest dissected layer, so "HTTP" here means TCP segments carrying recognizable HTTP, while "TCP" covers segments with no higher-layer dissection, such as handshakes and acknowledgements.) Since HTTP is widely used, this helps malicious traffic remain unnoticed. This dominance also suggests that most of the data exchange is happening through web-based communication.

Graph 8: TCP Traffic Variation

Inference:
TCP traffic shows noticeable fluctuations with intermittent spikes, indicating unstable data transmission. These variations suggest burst communication patterns. This behavior is typical in malware-controlled data exchanges.

Graph 9: Initial UDP Traffic Pattern

Inference:
UDP traffic starts at a low level, suggesting minimal background communication in the initial stage. This indicates limited activity before the malware becomes active. It may represent a dormant or initialization phase.

Graph 10: Moderate UDP Traffic Activity

Inference:
UDP packet rate increases moderately, indicating active background processes such as DNS queries or lightweight communication. This suggests gradual activation of network activity by the system. Such behavior may support auxiliary malware functions like domain resolution or beaconing. The increase in UDP traffic also indicates that the system is transitioning from idle to active communication state.

Graph 11: Fluctuating UDP Traffic

Inference:
Irregular spikes and drops are observed, reflecting inconsistent and non-uniform network behavior. Such patterns deviate from normal application traffic, which is usually stable. This fluctuation indicates automated or scripted communication triggered by malware processes. It also suggests that the system is responding dynamically to external instructions or triggers.






Graph 12: High Variation in UDP Traffic

Inference:
Sharp peaks and sudden drops indicate burst transmission, which may represent abnormal or suspicious network activity. These bursts suggest rapid and short-lived communication sessions. This type of behavior is often linked to malware sending or receiving data in chunks. It may also indicate attempts to avoid detection by minimizing continuous transmission.

Graph 13: Final UDP Traffic Behavior 

Inference:

UDP traffic stabilizes and decreases, indicating reduced communication or the end of active transmission. This suggests that the malware activity may have completed a specific task. The stabilization reflects a temporary halt in network operations. It could represent a dormant phase before the next cycle of malicious activity.




Graph 14: DNS Traffic Initial Pattern 

Inference:

DNS traffic shows initial query activity, indicating domain resolution attempts. These queries may be linked to malware contacting external servers. This marks the beginning of communication setup between the infected host and remote infrastructure. It also suggests preparation for further data exchange or connection establishment.




Graph 15: DNS Increasing Activity 

Inference:

An increase in DNS packets suggests repeated domain lookups. This indicates attempts to locate active command-and-control servers. Frequent DNS queries may also reflect domain generation algorithms (DGA) used by malware. This behavior strengthens the evidence of persistent external communication.





Graph 16: DNS Traffic Peak

Inference:
A noticeable spike in DNS traffic indicates high query activity. This may be due to multiple rapid connection attempts by the malware. Such peaks reflect aggressive communication behavior. It may also indicate attempts to maintain connectivity with multiple external servers.

Graph 17: DNS Irregular Pattern 

Inference:
Irregular DNS traffic patterns suggest automated and non-human behavior. These patterns are inconsistent with normal browsing activity. This indicates scripted or malware-driven processes. The randomness further suggests attempts to evade detection by avoiding predictable patterns.




Graph 18: HTTP Traffic Burst 

Inference:
HTTP traffic shows sudden high spikes, indicating burst communication. This suggests rapid data transfer between the infected system and external servers. Such bursts are often used for data exfiltration or payload delivery. The behavior also indicates that HTTP is being used as a covert communication channel.




Graph 19: Multi-Protocol Traffic Behavior

Inference:
The variation across multiple protocols indicates abnormal network activity with no consistent pattern. This lack of uniformity suggests coordinated malicious behavior. It reflects that the malware is utilizing multiple communication channels simultaneously. This complexity increases the difficulty of detection and analysis.

Graph 20: UDP Traffic Burst Behavior

Inference:
Sudden spikes followed by drops indicate burst transmission behavior. This pattern is commonly associated with abnormal network processes. It suggests intermittent communication rather than continuous data flow. Such behavior is typical of malware attempting to reduce visibility while maintaining communication.

Effects of Malware:

1. Causes abnormal network traffic leading to congestion
2. Enables unauthorized communication with external servers
3. Leads to data leakage or data theft
4. Degrades system performance
5. Compromises network security and privacy


New Findings:

- Packet spikes clearly indicate abnormal behavior
- Traffic patterns are irregular and non-human
- Continuous communication suggests malware persistence
- HTTP protocol is heavily used for stealth communication



Network Parameter Analysis using Wireshark

1. Introduction

Network throughput refers to the amount of data successfully transmitted across a network within a specific period of time. It is a critical parameter used to evaluate network performance and efficiency under varying traffic conditions. In this experiment, throughput analysis is performed using Wireshark by generating controlled traffic loads such as normal, low, medium, and heavy traffic.

By analyzing packet transmission rates and visualizing them using I/O graphs, it becomes possible to understand how network behavior changes with increasing load. This study helps in identifying performance bottlenecks, congestion patterns, and protocol-wise variations in real-time network environments.

2. Objectives

  • To measure and analyze network throughput using Wireshark
  • To study the behavior of network traffic under different load conditions
  • To compare packet transmission patterns for normal, low, medium, and heavy traffic
  • To observe protocol-wise variations (ICMP, TCP, UDP, DNS)
  • To understand the impact of increasing traffic on network performance 

3. Reference

This experiment is inspired by concepts demonstrated in SharkFest, which focuses on practical network traffic analysis using Wireshark. These sessions provide real-world insights into analyzing throughput, packet behavior, and protocol performance. The methodologies used in this experiment are aligned with industry-standard practices for network monitoring and performance evaluation.

Description:
This experiment is inspired by SharkFest sessions which demonstrate how Wireshark can be used to analyze real-time network traffic and performance metrics.

4. Architecture



5. Procedure

  1. Open Wireshark and select the network interface
  2. Start packet capture
  3. Open Command Prompt
  4. Generate traffic using the following commands (Windows ping; -n sets the number of echo requests):
       • Normal Traffic: ping -n 20 google.com
       • Low Traffic: ping -n 50 google.com
       • Medium Traffic: ping -n 100 google.com
       • Heavy Traffic: ping -n 500 google.com
  5. Stop capture after execution
  6. Go to Statistics → IO Graph
  7. Set:
       • Y Axis → Bits
       • Y Field → Bits per second
  8. Save graph images

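The I/O Graph settings used in this procedure (Statistics → IO Graph with Y Axis = Bits and Bits per second) and the protocol-wise comparison in the objectives can be reproduced from a CSV export of the same capture, which makes it possible to tabulate peak and mean throughput for the normal, low, medium and heavy runs side by side instead of comparing screenshots. The Python script below is an added example, not code from the report or from Wireshark. It reads the default columns of File → Export Packet Dissections → As CSV, bins frame lengths into one-second intervals per display filter, and encodes a caveat that matters when reading the protocol-wise graphs: Wireshark labels each frame by its highest dissected layer, so frames shown as DNS are matched by the `udp` filter and frames shown as TLSv1.2 or HTTP by the `tcp` filter. The CSV content is constructed (made-up addresses, times and sizes), not the experiment's capture.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of Wireshark's default CSV export columns. The addresses,
# times and sizes are invented; 74 bytes is the on-the-wire size of a 32-byte-payload ping.
SAMPLE_CSV = '''\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.10","8.8.8.8","DNS","74","Standard query 0x1a2b A google.com"
"2","0.021000","8.8.8.8","192.168.1.10","DNS","90","Standard query response 0x1a2b A google.com"
"3","0.030000","192.168.1.10","142.250.0.1","ICMP","74","Echo (ping) request"
"4","0.045000","142.250.0.1","192.168.1.10","ICMP","74","Echo (ping) reply"
"5","1.031000","192.168.1.10","142.250.0.1","ICMP","74","Echo (ping) request"
"6","1.046000","142.250.0.1","192.168.1.10","ICMP","74","Echo (ping) reply"
"7","1.500000","93.184.216.34","192.168.1.10","TLSv1.2","1514","Application Data"
"8","1.502000","93.184.216.34","192.168.1.10","TCP","1514","443 > 52000 [ACK] Seq=1461 Ack=1"
"9","2.032000","192.168.1.10","142.250.0.1","ICMP","74","Echo (ping) request"
"10","2.047000","142.250.0.1","192.168.1.10","ICMP","74","Echo (ping) reply"
'''

# Transport-layer display filter that also matches a frame, keyed by its Protocol label.
# Wireshark shows the highest dissected layer, so "tcp" matches TLS and HTTP frames and
# "udp" matches DNS frames; labels not listed here only match their own lowercase name.
TRANSPORT_OF = {
    "TCP": "tcp", "TLSv1.2": "tcp", "TLSv1.3": "tcp", "HTTP": "tcp",
    "UDP": "udp", "DNS": "udp", "QUIC": "udp",
    "ICMP": "icmp",
}


def filters_matching(protocol):
    """Set of display-filter names (plus 'all') that a frame with this label contributes to."""
    filters = {"all", protocol.lower()}
    if protocol in TRANSPORT_OF:
        filters.add(TRANSPORT_OF[protocol])
    return filters


def parse_export(csv_text):
    """Yield (time_s, protocol_label, frame_length_bytes) from a Wireshark CSV export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield float(row["Time"]), row["Protocol"], int(row["Length"])


def bits_per_second(records, interval=1.0):
    """Per-filter series {interval_index: bits/s}: the I/O Graph with Y Axis = Bits and
    Y Field = bits per second, one line per display filter."""
    series = defaultdict(lambda: defaultdict(float))
    for ts, protocol, length in records:
        index = int(ts // interval)
        for name in filters_matching(protocol):
            series[name][index] += length * 8 / interval
    return {name: dict(bins) for name, bins in series.items()}


def summarize(series):
    """{filter: (peak_bits_per_s, mean_bits_per_s)} over the capture span; empty intervals count as zero."""
    span = 1 + max(index for bins in series.values() for index in bins)
    return {name: (max(bins.values()), sum(bins.values()) / span) for name, bins in series.items()}


def analyse_sample(interval=1.0):
    """Return (series, summary) for the constructed export."""
    series = bits_per_second(parse_export(SAMPLE_CSV), interval)
    return series, summarize(series)


if __name__ == "__main__":
    _, summary = analyse_sample()
    for name in ("all", "icmp", "tcp", "udp", "dns"):
        peak, mean = summary[name]
        print(f"{name:5s}  peak={peak:9.1f} bit/s  mean={mean:9.1f} bit/s")
```

Running the same script over the exports of the four ping runs gives one (peak, mean) pair per protocol per load level, which is the comparison the graphs below make visually; the `all` line reproduces the unfiltered I/O Graph, and the difference between `udp` and `dns` shows how much of the UDP volume is name resolution.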
Graph 1: Normal Traffic (All Packets)

Inference:

The graph shows very low throughput during normal traffic, indicating minimal network activity. Packet transmission remains stable with no significant spikes or fluctuations. This represents baseline network behavior under light usage conditions. The traffic pattern is smooth and predictable, which is typical of normal user operations. It serves as a reference point for comparing higher traffic loads.





Graph 2: Normal Traffic (ICMP)

Inference:

ICMP traffic is consistent and uniform due to controlled ping requests. The throughput remains stable with very minor fluctuations throughout the observation period. This indicates predictable and well-regulated communication between source and destination. The absence of spikes suggests no congestion or abnormal activity. It reflects an ideal and controlled network environment.

Graph 3: Normal Traffic (TCP)

Inference:

TCP traffic is minimal under normal conditions, indicating very few active connections. Data transmission is low, reflecting light network usage. The graph shows a steady and stable pattern with no irregularities. This suggests that no heavy applications or data transfers are occurring. It represents efficient network performance under low load.





Graph 4: Normal Traffic (UDP)

Inference: 

UDP traffic is almost negligible, indicating minimal real-time or background communication. The graph shows very low activity with almost flat behavior. This suggests that no streaming or time-sensitive applications are active. The absence of fluctuations confirms stable network conditions. It reflects a low-demand network environment.



Graph 5: Normal Traffic (DNS)

Inference: 

DNS activity is limited to occasional requests for domain resolution. The graph shows small spikes corresponding to query responses. This behavior is typical for normal browsing activity. The traffic is consistent and does not indicate excessive external communication. It reflects standard network operations without anomalies.



Graph 6: Low Traffic (All Packets)

Inference:  

Throughput slightly increases compared to normal traffic, indicating moderate network activity. Small peaks appear in the graph, showing increased packet transmission. The traffic remains controlled without major fluctuations. This suggests a slight increase in user activity or background processes. The network continues to operate efficiently under low load.



Graph 7: Low Traffic (ICMP)

Inference:

ICMP packets increase due to a higher number of ping requests. The graph shows steady growth with minor fluctuations. This indicates consistent communication between systems. The increase in activity reflects moderate network probing. However, the traffic remains stable and predictable.




Graph 8: Low Traffic (TCP)

Inference:

TCP traffic increases under low load, showing more active connections. The graph reflects moderate data transmission with slight peaks. This indicates growing network usage. The behavior remains controlled without major instability. It suggests gradual scaling of network activity.



Graph 9: Low Traffic (UDP)

Inference:

UDP traffic shows slight variation, indicating minimal real-time communication. Small fluctuations appear in the graph. This suggests limited background processes. The overall contribution remains low compared to TCP traffic. The network remains stable and efficient.



Graph 10: Low Traffic (DNS)

Inference:
DNS queries increase slightly, indicating more frequent domain resolution. The graph shows more visible spikes compared to normal traffic. This reflects increased interaction with external servers. The behavior remains controlled without excessive activity. It suggests moderate browsing or application usage.



Graph 11: Medium Traffic (All Packets)

Inference:

The graph shows a clear increase in throughput, indicating moderate network load. Packet transmission becomes more frequent with noticeable peaks. The network begins to experience higher activity levels. Despite increased load, the traffic remains manageable. This reflects balanced network performance under medium conditions.

Graph 12: Medium Traffic (ICMP)

Inference:

ICMP traffic increases significantly with more ping requests. The graph shows consistent spikes, indicating continuous communication. This reflects sustained network probing activity. The pattern remains uniform despite increased load. It indicates stable but active communication.



Graph 13: Medium Traffic (TCP)

Inference:

TCP traffic rises sharply, showing increased connections and data transfer. The graph displays prominent peaks indicating higher throughput. This reflects active communication and data exchange. The network is moderately loaded but still stable. It indicates efficient handling of increased traffic.

Graph 14: Medium Traffic (UDP)

Inference:

UDP traffic shows noticeable variation, indicating increased background or real-time communication. The graph reflects dynamic behavior with fluctuations. This suggests active processes running in the network. The network becomes more complex under medium load. It indicates growing communication diversity.

Graph 15: Medium Traffic (DNS)

Inference:

DNS activity becomes more frequent, indicating continuous domain resolution. The graph shows repeated spikes throughout the timeline. This reflects higher interaction with external servers. The traffic pattern indicates active network usage. It suggests increased dependency on domain-based communication.

Graph 16: Heavy Traffic (All Packets)

Inference:

The graph shows very high throughput with large and frequent peaks. Packet transmission becomes dense and continuous. This represents maximum network load conditions. The network is heavily utilized with minimal idle time. It indicates potential congestion under extreme usage.



Graph 17: Heavy Traffic (ICMP)

Inference:
ICMP traffic is extremely high due to continuous ping requests. The graph shows dense and repeated spikes. This indicates intense network probing activity. The communication is continuous and heavy. It reflects maximum stress on network resources.



Graph 18: Heavy Traffic (TCP)

Inference:  

TCP traffic dominates under heavy load with large data transfers. The graph shows strong peaks indicating high throughput. Multiple connections are active simultaneously. This reflects maximum utilization of network capacity. It indicates heavy application-level communication.




Graph 19: Heavy Traffic (UDP)

Inference: 

UDP traffic increases significantly with noticeable fluctuations. The graph shows dynamic and irregular patterns. This indicates active real-time communication processes. The network becomes highly dynamic under heavy load. It reflects increased complexity in traffic behavior.





Graph 20: Heavy Traffic (DNS)

Inference:

DNS requests are very frequent under heavy load, showing continuous spikes. This indicates constant domain resolution activity. The network heavily interacts with external servers. The behavior reflects high dependency on DNS services. It suggests intensive network usage and communication.


7. New Findings and Recommendations

  • Packet spikes indicate abnormal and automated activity
  • Persistent TCP connections suggest command-and-control (C2) communication
  • HTTP protocol is heavily used for stealth communication and data transfer
  • Repeated DNS queries indicate frequent domain resolution attempts
  • Multi-protocol traffic shows irregular and non-uniform behavior
  • I/O graphs clearly reveal hidden traffic anomalies
  • UDP spikes indicate background or auxiliary malicious processes
  • Traffic pattern is dynamic and non-linear compared to normal behaviour

8. Use of AI

Artificial Intelligence tools played an important supporting role in this experiment by improving both the analytical process and the presentation quality of the results. AI-assisted platforms were used to organize the workflow, refine technical explanations, and structure the overall report in a clear and logical manner. In addition, AI helped in interpreting traffic patterns and converting raw observations into meaningful inferences that are easier to understand.

Beyond analysis, AI was also useful in enhancing the documentation aspect by generating structured diagrams, improving language clarity, and ensuring consistency throughout the report. This reduced manual effort and helped in presenting complex network analysis in a simplified and visually appealing way. Overall, AI acted as a productivity tool that complemented human understanding rather than replacing it.

9. Conclusion

This experiment successfully demonstrates how network traffic analysis can be used to identify and confirm malware activity using tools like Wireshark. By carefully analyzing packet rates, protocol behavior, and communication patterns, it becomes possible to detect abnormal network behavior that is not typically generated by legitimate users or applications.

The presence of sudden spikes, irregular packet transmission, and repeated communication patterns clearly indicates malicious activity, particularly in the case of a Qakbot-infected system. The use of HTTP as a primary communication channel highlights how modern malware attempts to remain hidden within normal-looking traffic.

Furthermore, the experiment emphasizes the importance of visualization techniques such as I/O graphs in identifying anomalies that may not be easily visible through raw packet inspection alone. Combining filtering, graphical analysis, and detailed packet inspection provides a powerful approach to network forensics.

Overall, this study highlights that continuous monitoring and analysis of network traffic is essential for maintaining cybersecurity, detecting threats early, and preventing potential data breaches or system compromise.

10. References

  • Wireshark Official Documentation – Used for understanding packet analysis, protocol decoding, and I/O graph features
  • SharkFest – Reference for advanced traffic analysis techniques and real-world use cases
  • Malware Traffic Analysis Repository –
    https://www.malware-traffic-analysis.net/2020/04/24/index.html
    (Used as the primary source for PCAP dataset)
  • Blogs by Bradley Duncan – Provided insights into malware behavior and traffic patterns
  • Research articles and online resources related to network security, packet analysis, and malware detection
  • Academic materials from Vellore Institute of Technology (SCOPE – Computer Networks course)

13. Acknowledgement

  • I would like to express my sincere gratitude to the School of Computer Science and Engineering (SCOPE), Vellore Institute of Technology, Chennai, for offering the theory and lab courses of Computer Networks during the Winter Semester 2025–2026 with an industry-standard syllabus that enabled practical learning.
  • I would like to thank my course faculty, Dr. T. Subbulakshmi, Professor, SCOPE, VIT Chennai, for her valuable guidance, support, and encouragement throughout the completion of this assignment.
  • I would like to acknowledge Gerald Combs, the founder of Wireshark and ACM Software System Award winner (2018), for providing such a powerful and efficient software tool for network traffic analysis.
  • I would also like to thank Bradley Duncan for creating insightful blogs on malware analysis, which helped me understand the behavior and effects of malware without executing it. His work also inspired me to explore deeper analysis as part of this assignment.
  • I sincerely thank my peers for their valuable suggestions and discussions, which helped me improve my understanding and complete this assignment more effectively.
  • I would like to express my gratitude to my special friend who helped me understand the initial concepts and supported me throughout the process.
  • I am also thankful to my parents, siblings, and family members for their constant encouragement, motivation, and support during this assignment.
  • I would also like to acknowledge various online resources, webpages, and reference materials that contributed to my learning and successful completion of this work.

14. Author

Mr. Ramakrushna Das, II year B.Tech. CSE student, School of Computer Science and Engineering, VIT Chennai



