Wireshark Guide: Detect LAN Flood Attacks Effectively

In a local area network, a flood attack tries to exhaust the bandwidth or processing resources of a target by sending it a very large number of packets, degrading network performance or taking the device offline. Wireshark, a network protocol analyzer, can be used to detect such floods on a LAN. The following are best practices for detecting flood packets with Wireshark:

1. Start Wireshark and select the appropriate network interface

  • Start Wireshark and select the network interface you want to monitor.
  • Make sure it is the interface attached to the LAN you want to watch. Note that on a switched network an ordinary port only sees broadcast and multicast frames plus its own traffic; to see a flood aimed at another host, capture on the target itself, or feed your capture host from a mirror (SPAN) of the target's switch port or from a network TAP. Broadcast floods such as ARP floods are visible from any port on the segment.

2. Set up capture filters

Before starting to capture, you can set a capture filter to reduce the amount of data. Capture filters use the BPF (tcpdump) syntax, not the display filter syntax, and cannot be changed while a capture is running; packets they discard are gone for good, so if disk space allows it is often better to capture everything and narrow down later with display filters. Common flood attack types include ARP flood, ICMP flood (Ping Flood), UDP flood and TCP flood. For these types, you can set different capture filters:

  • ARP flood : arp
  • ICMP Flood (Ping Flood) : icmp
  • UDP flood : udp
  • TCP flood : tcp
  • TCP SYN flood only (SYN set, ACK clear) : tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn

These filters help focus on specific types of traffic.

3. Start capturing traffic

  • Once the filters are set, click "Start" to begin capturing. Wireshark records only the packets that match the capture filter.

4. Analyze the captured traffic

  • Use the statistics functions :
    • Wireshark provides several statistical views that help you quickly identify abnormal traffic, such as:
    • Statistics > Protocol Hierarchy: View the share of each protocol and see whether one protocol (ARP, ICMP, UDP, TCP) has grown far beyond its normal share.
    • Statistics > Conversations and Statistics > Endpoints: View which hosts talk to which, and which host sends the most packets. On a LAN, check the Ethernet tab as well as the IPv4 tab: flood tools often spoof the source IP on every packet, but the source MAC of the frame still points at the machine (or at least the switch port) the flood enters from, unless the attacker spoofs MACs as well.
    • Statistics > I/O Graphs: Visualize packets per second over time to see whether traffic spikes during a certain period.
  • Check the source address :
    • Flood attacks usually come from a single source, or from a single source rotating through spoofed IP addresses. Look at the source IP and source MAC of the offending packets: one IP sending a large number of requests is the simple case; many different IPs sharing one source MAC is the spoofed case.

5. Detecting unusual patterns

  • High-frequency requests : A flood is characterised by one source sending requests to the target at a rate far above normal. Use the Endpoints and Conversations statistics, or a display filter on the suspect source, to find out whether there are a large number of repeated requests.
  • Protocol asymmetry : Floods produce requests without matching replies. In an ICMP flood you see many Echo Requests (icmp.type == 8) but few or no Echo Replies (icmp.type == 0); in an ARP flood, many ARP requests (arp.opcode == 1) with few replies (arp.opcode == 2), often for addresses that do not exist on the segment.
  • Large number of half-open connections : In a TCP SYN flood, check for a large number of SYN packets that never complete the handshake. Use the following display filter:
  • tcp.flags.syn == 1 && tcp.flags.ack == 0
  • This shows only the initial SYN of each connection attempt (tcp.flags.syn == 1 on its own also matches the server's SYN/ACK, which would hide the asymmetry). If the count of these SYNs is far larger than the count of SYN/ACKs (tcp.flags.syn == 1 && tcp.flags.ack == 1) and the third ACK of the handshake never follows, this is a SYN flood.

6. Use display filters for further analysis

Once traffic has been captured, display filters can be used to further narrow the scope of analysis. For example:

  • To only show traffic from a specific source IP:
  • ip.src == 192.168.1.100
  • To only show frames from a specific source MAC (useful when the source IP is spoofed):
  • eth.src == 00:11:22:33:44:55
  • To show only traffic sent to a specific destination:
  • ip.dst == 192.168.1.200
  • To display several suspect traffic types at once:
  • icmp or arp or (tcp.flags.syn == 1 && tcp.flags.ack == 0)

7. Observe the frequency and size of traffic

Flood attacks usually cause a large number of packets of one type to appear on the network at a rate far above normal communication. In the I/O graph (Statistics > I/O Graphs), set the interval to 1 s (or 100 ms for short bursts) and add a second graph line whose display filter matches the suspected traffic, for example tcp.flags.syn == 1 && tcp.flags.ack == 0 or icmp.type == 8, so that a spike is attributed to a traffic type rather than only to the total. Switching the Y axis from packets to bytes tells you whether the flood targets bandwidth (large packets) or processing (many small packets).
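The checks from sections 4, 5 and 7 (top talkers per MAC, request/reply asymmetry for SYN, ICMP echo and ARP, and per-second rates as in the I/O graph) can also be run outside the GUI over a field export from tshark, Wireshark's command-line companion. The script below is an added example, not part of this guide or of the Wireshark project; the tshark command in its docstring is real, but the field layout it expects, the thresholds, and the sample traffic built by make_sample() are constructed for illustration:

```python
"""Flood-pattern checks over a tshark field export (added example, not Wireshark code).

Export one line per packet:
    tshark -r capture.pcapng -T fields -E separator=/t -E occurrence=f \
        -e frame.time_relative -e eth.src -e ip.src -e ip.dst \
        -e ip.proto -e tcp.flags -e icmp.type -e arp.opcode > fields.tsv
Run:  python3 flood_check.py fields.tsv   (no argument: built-in constructed sample)
"""
import sys
from collections import Counter, defaultdict

SYN, ACK = 0x002, 0x010              # bit positions inside tcp.flags
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_line(line):
    """Turn one tshark -T fields line into a dict; absent fields become None."""
    cols = (line.rstrip("\n").split("\t") + [""] * 8)[:8]
    t, mac, src, dst, proto, flags, icmp_type, arp_op = cols
    return {
        "t": float(t),
        "mac": mac or None,
        "src": src or None,
        "dst": dst or None,
        "proto": int(proto) if proto else None,
        "flags": int(flags, 16) if flags else None,   # tcp.flags is printed as hex
        "icmp_type": int(icmp_type) if icmp_type else None,
        "arp_op": int(arp_op) if arp_op else None,
    }


def analyze(lines, window=1.0, rate_threshold=100, spoof_threshold=20):
    """Endpoint-style counts, request/reply asymmetry and per-window rates."""
    per_mac, syn_by_src, echo_by_src, arp_by_mac = Counter(), Counter(), Counter(), Counter()
    ips_per_mac = defaultdict(set)      # many source IPs behind one MAC => spoofing
    reply = Counter()                   # totals of SYN/ACK, echo reply, ARP reply
    buckets = defaultdict(Counter)      # window index -> packets per protocol
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        per_mac[r["mac"]] += 1
        if r["src"]:
            ips_per_mac[r["mac"]].add(r["src"])
        label = "arp" if r["arp_op"] else PROTO.get(r["proto"], "other")
        buckets[int(r["t"] // window)][label] += 1
        if label == "tcp" and r["flags"] is not None:
            if (r["flags"] & (SYN | ACK)) == SYN:           # SYN without ACK
                syn_by_src[r["src"]] += 1
            elif (r["flags"] & (SYN | ACK)) == SYN | ACK:   # the server's SYN/ACK
                reply["synack"] += 1
        elif label == "icmp":
            if r["icmp_type"] == 8:
                echo_by_src[r["src"]] += 1
            elif r["icmp_type"] == 0:
                reply["echo_reply"] += 1
        elif label == "arp":
            if r["arp_op"] == 1:
                arp_by_mac[r["mac"]] += 1
            elif r["arp_op"] == 2:
                reply["arp_reply"] += 1
    hot = [(i * window, label, n) for i in sorted(buckets)
           for label, n in buckets[i].items() if n > rate_threshold * window]
    return {
        "top_talkers": per_mac.most_common(3),
        "spoof_suspects": {m: len(s) for m, s in ips_per_mac.items() if len(s) >= spoof_threshold},
        "syn": sum(syn_by_src.values()), "synack": reply["synack"],
        "syn_by_src": syn_by_src.most_common(3),
        "echo_req": sum(echo_by_src.values()), "echo_reply": reply["echo_reply"],
        "arp_req": sum(arp_by_mac.values()), "arp_reply": reply["arp_reply"],
        "hot_windows": hot,
    }


def make_sample():
    """Constructed tshark-style lines, not a real capture: a normal handshake,
    ping and ARP exchange, then a SYN flood from one MAC using 200 spoofed
    source IPs, then an ICMP echo flood from a second host with no replies."""
    def row(*c):
        return "\t".join("" if x is None else str(x) for x in c)
    lines = [
        row("0.000", "aa:bb:cc:00:00:01", "192.168.1.10", "192.168.1.20", 6, "0x0002", None, None),
        row("0.001", "aa:bb:cc:00:00:02", "192.168.1.20", "192.168.1.10", 6, "0x0012", None, None),
        row("0.002", "aa:bb:cc:00:00:01", "192.168.1.10", "192.168.1.20", 6, "0x0010", None, None),
        row("0.100", "aa:bb:cc:00:00:01", "192.168.1.10", "192.168.1.20", 1, None, 8, None),
        row("0.101", "aa:bb:cc:00:00:02", "192.168.1.20", "192.168.1.10", 1, None, 0, None),
        row("0.200", "aa:bb:cc:00:00:01", None, None, None, None, None, 1),
        row("0.201", "aa:bb:cc:00:00:02", None, None, None, None, None, 2),
    ]
    for i in range(200):    # 200 SYNs in 0.8 s, each from a different (spoofed) IP
        lines.append(row(f"{1.0 + i * 0.004:.3f}", "aa:bb:cc:dd:ee:ff",
                         f"10.0.0.{i}", "192.168.1.20", 6, "0x0002", None, None))
    for i in range(120):    # 120 echo requests in 0.5 s, never answered
        lines.append(row(f"{2.0 + i * 0.004:.3f}", "aa:bb:cc:00:00:03",
                         "192.168.1.100", "192.168.1.20", 1, None, 8, None))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            report = analyze(f)
    else:
        report = analyze(make_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run without an argument, the report shows 201 SYNs against a single SYN/ACK, 121 echo requests against one reply, the two one-second windows that exceed the 100 packets/s threshold, and one MAC that used 200 different source addresses. The per-IP SYN count stays flat at one per address, which is exactly why grouping by MAC (the Ethernet tab in Wireshark's Endpoints view) matters on a LAN when the flood spoofs its sources.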

8. Save captured traffic for further analysis

When you detect suspicious flood traffic, save the capture for later analysis (and as evidence). Click File > Save As; Wireshark's default format is pcapng, and classic pcap can be chosen in the same dialog if another tool requires it. Because a flood fills a capture file quickly, consider Capture > Options > Output to split the capture into several files or a ring buffer before the next capture.

9. Countermeasures and Protection

Once you have detected a flood attack, you can take the following steps to stop it and prevent further attacks:

  • Block the offending source with an IP or MAC access list on the router, firewall or switch. On a LAN prefer blocking by MAC or by switch port, since the source IP of flood packets is frequently spoofed; switch features such as port security and broadcast/storm control also contain ARP and broadcast floods at the port where they enter.
  • Limit the number of requests per second through a router or firewall (Rate Limiting).
  • Enable protection features on the target and the firewall, such as SYN cookies to withstand SYN floods (on Linux hosts, the sysctl net.ipv4.tcp_syncookies = 1).

The best practice for detecting LAN flood packet attacks with Wireshark is to set up appropriate capture filters and use statistical tools to analyze traffic patterns and identify high-frequency or abnormal traffic. Wireshark provides detailed traffic visualization and filtering capabilities to help you quickly identify and locate potential flood attacks.