HTTP/HTTPS Malware Communication Analysis Using Wireshark

30 inferences derived from network packet capture analysis, including 7 graphical traffic visualizations and 23 detailed behavioral inferences categorized across HTTP request patterns, encrypted HTTPS communication, DNS activity, and TCP traffic characteristics.

Wireshark • PCAP Analysis • HTTP • HTTPS • DNS • TCP • Network Security

1. Introduction

This project focuses on analyzing HTTP and HTTPS malware communication using Wireshark. By examining real-world PCAP network traffic, we identify suspicious patterns such as abnormal HTTP requests, DNS anomalies, encrypted HTTPS communication, and repeated TCP connections. The goal is to simulate a network analyst’s approach in detecting malware behavior through traffic inspection and graphical analysis.

2. Objectives

1. Analyze HTTP and HTTPS traffic to identify suspicious communication patterns and anomalies.
2. Detect malware indicators such as unusual GET/POST requests, DNS queries, and repeated connections.
3. Identify communication behavior including possible Command and Control (C2) interactions.
4. Generate graphical analysis using Wireshark I/O graphs for traffic visualization.
5. Interpret network patterns to understand malware behavior and data transmission characteristics.

3. PCAP File Source

Download Link: https://www.malware-traffic-analysis.net

The PCAP file used in this analysis contains real captured network traffic including HTTP, HTTPS, DNS, and TCP communications. The dataset represents a system interacting with external servers, allowing us to study patterns such as repeated requests, encrypted traffic behavior, and abnormal packet flows. This data is used to identify suspicious activities and visualize them using graphs.

4. Architecture of Work

The following diagram represents the workflow of HTTP/HTTPS malware traffic analysis:

5. Procedure of Work

1. PCAP Collection: Selected malware traffic PCAP file from malware-traffic-analysis.net.
2. Tool Setup: Installed and configured Wireshark for packet inspection.
3. Traffic Filtering: Applied filters such as http, dns, tcp, and tls.
4. Graph Generation: Used Wireshark I/O Graphs to visualize traffic patterns.
5. Protocol Analysis: Examined HTTP methods, DNS queries, and TLS handshakes.
6. Behavior Detection: Identified repeated requests, large payloads, and unusual traffic spikes.
7. Inference Creation: Generated 25 inferences based on observed traffic patterns and graphs.

---

6. Graphical Analysis & Inferences

Graph 1: Throughput

The following analysis provides detailed observations based on captured network traffic using Wireshark.

• Shows variation in network traffic over time, helping identify abnormal spikes and unusual behavior
• Sudden peaks indicate high-volume data transfer which may correspond to malware activity
• Continuous traffic flow suggests persistent communication between systems
• Low activity periods indicate normal or idle network state
• Helps distinguish between normal and suspicious traffic patterns

Conclusion: This graph clearly highlights abnormal traffic spikes, indicating potential malicious communication.

Graph 2: HTTP Traffic

The following analysis provides detailed observations based on captured network traffic using Wireshark.

• Displays HTTP packet flow between client and server systems
• Repeated request-response patterns suggest automated communication
• Presence of frequent requests indicates non-human interaction
• Shows clear client-server dependency in communication
• May indicate malware downloading or sending data

Conclusion: The repeated HTTP activity strongly suggests automated malware communication.

Graph 3: HTTPS Traffic

The following analysis provides detailed observations based on captured network traffic using Wireshark.

• Represents encrypted communication using TLS protocol
• Payload data is hidden due to encryption, limiting visibility
• Shows connections to external secure servers
• Malware often uses HTTPS to avoid detection
• Indicates secure but suspicious communication

Conclusion: Encrypted HTTPS traffic may be hiding malicious activities within the network.

Graph 4: DNS Traffic

The following analysis provides detailed observations based on captured network traffic using Wireshark.

• Shows domain name resolution activity within the network
• Repeated DNS queries indicate frequent domain access
• Unknown or suspicious domains may be present
• DNS activity reveals communication with external servers
• Useful for identifying malicious domain connections

Conclusion: Frequent DNS queries to unknown domains suggest possible malware communication.

Graph 5: TCP Traffic

The following analysis provides detailed observations based on captured network traffic using Wireshark.

• Displays TCP connection establishment behavior
• SYN packets indicate the initiation of connections
• Frequent connections suggest automated processes
• Continuous session establishment observed
• Helps identify abnormal connection patterns

Conclusion: The high number of TCP connections indicates persistent and automated activity.

Graph 6: Requests

The following analysis provides detailed observations based on captured network traffic using Wireshark.

• Shows number of requests generated over time
• High frequency indicates automated system behavior
• Consistent request intervals suggest scripting or malware
• Large number of requests indicates active communication
• Helps identify abnormal request patterns

Conclusion: The consistent high request rate confirms automated and suspicious activity.

Graph 7: Port Usage

The following analysis provides detailed observations based on captured network traffic using Wireshark.

• Shows distribution of ports used in communication
• Port 80 used for HTTP traffic
• Port 443 used for HTTPS communication
• Frequent usage indicates web-based interaction
• Common ports used by malware to avoid detection

Conclusion: Use of standard web ports indicates stealthy malware communication.

Inference 8: HTTP Traffic

• Multiple HTTP packets observed
• GET and POST methods identified
• Frequent communication suggests automation
• Different from normal browsing
• Indicates suspicious behavior

Inference 9: GET Requests

• GET requests retrieve server data
• Repeated endpoint access
• Encoded URLs observed
• Indicates payload download
• Common malware technique

Inference 10: POST Requests

• POST requests send data
• Possible data exfiltration
• Variable payload size
• Frequent transmissions
• Compromised system indication

Inference 11: URI Analysis

• Suspicious URIs detected
• Encoded URLs
• Hidden parameters
• Malicious endpoints
• Abnormal structure

Inference 12: User-Agent

• User-agent strings identified
• Abnormal values
• Automated scripts
• Non-standard patterns
• Malware behavior

Inference 13: TCP SYN

• Multiple SYN packets
• Connection initiation
• High frequency
• Repeated attempts
• Abnormal behavior

Inference 14: Port Usage

• Port 80 and 443 used
• Web communication pattern
• External interaction
• Matches malware behavior
• Confirms communication

Inference 15: DNS Queries

• Domain resolution activity
• Unknown domains accessed
• Repeated queries observed
• External communication
• Suspicious interaction

Inference 16: TLS Traffic

• Encrypted communication
• Hidden payload
• Secure sessions
• External servers contacted
• Used by malware

Inference 17: Host Field

• Destination servers identified
• External domains accessed
• Suspicious hostnames
• Communication targets
• Remote interaction

Inference 18: TLS Handshake

• Secure connection established
• Client-server negotiation
• Encryption parameters exchanged
• External communication
• Secure malware activity

Inference 19: DNS Response

• IP mapping observed
• Repeated responses
• External servers
• Supports DNS activity
• Confirms communication

Inference 20: Retransmission

• Packet retransmissions
• Network instability
• Repeated attempts
• Delays detected
• Abnormal behavior

Inference 21: Large Packets

• Large packet sizes
• Payload transfer
• High data volume
• File download
• Malware delivery

Inference 22: Traffic Pattern

• Consistent traffic pattern
• Regular intervals
• Automated activity
• Non-human behavior
• Malware indication

Inference 23: Beaconing Behavior

• Periodic requests
• Fixed intervals
• C2 interaction
• Persistent connection
• Strong malware indicator

Inference 24: Conversations

• Communication pairs identified
• Source-destination mapping
• Frequent interaction
• Active sessions
• Traffic flow visible

Inference 25: Endpoints

• Active IPs identified
• Devices listed
• Traffic distribution
• Infected host found
• Useful for analysis

Inference 26: Abnormal HTTP Header Patterns

• HTTP requests contain missing or minimal headers such as User-Agent and Referer.
• Header values appear inconsistent compared to normal browser-generated traffic.
• Requests lack standard formatting typically seen in legitimate web sessions.
• Indicates automated or script-driven communication rather than user interaction.
• Suggests stealth-oriented malware behavior to avoid detection.

Inference 27: Repeated Destination Endpoint Targeting

• Multiple connections observed to the same external IP/domain repeatedly.
• Traffic pattern shows focused communication instead of diverse browsing activity.
• Indicates dependency on a fixed Command and Control (C2) endpoint.
• Repeated access confirms persistent connection attempts from infected host.
• Strong indicator of centralized malware communication infrastructure.

Inference 28: Suspicious HTTP POST Payload Activity

• POST requests contain encoded or non-human-readable payload data.
• Payload structure appears consistent across multiple requests.
• Indicates automated data transfer rather than manual user input.
• Possible signs of data exfiltration or system information leakage.
• Behavior aligns with known malware communication techniques.

Inference 29: Irregular Session Behavior

• Frequent TCP session creation and termination observed.
• Sessions do not persist like normal browsing connections.
• Indicates use of short-lived connections for stealth.
• Reduces chances of detection by network monitoring tools.
• Common technique used in advanced malware communication.

Inference 30: Lack of Legitimate User Interaction Patterns

• No evidence of typical browsing actions such as page navigation.
• Absence of requests for static resources like CSS, JS, or images.
• Traffic appears repetitive and uniform in structure.
• Indicates machine-generated communication patterns.
• Confirms activity is controlled by malware, not a human user.

7. The 5 Effects of Malware

1. Suspicious Data Transfer The analyzed traffic shows repeated HTTP requests and large packet transmissions, indicating possible data movement between the victim system and external servers. Such behavior suggests potential unauthorized data transfer through network communication.

2. Persistent Network Communication Continuous HTTP and TCP connections observed in the graphs indicate repeated communication patterns. This behavior is similar to automated processes that maintain constant connectivity with external systems.

3. Increased System Load Frequent packet exchanges, TCP connections, and encrypted HTTPS traffic increase CPU and network usage, potentially slowing down system performance and affecting normal user operations.

4. Network Traffic Abnormality Sudden spikes in traffic graphs and repeated request patterns highlight abnormal network behavior. These deviations from normal traffic indicate the presence of suspicious or automated activity.

5. Security Risk Exposure The presence of unusual HTTP methods, DNS queries, and encrypted communication indicates a possible security threat. Such activity can bypass traditional detection methods and compromise network integrity.

---

8. Key Findings from Graph Analysis

• Graph 1–7 illustrate traffic variation across HTTP, HTTPS, DNS, and TCP protocols, highlighting abnormal spikes and communication patterns
• Inference 8–12 reveal repeated HTTP GET and POST request behavior, indicating automated communication and possible malware activity
• Inference 13–17 highlight DNS query patterns, suspicious domain access, and encrypted HTTPS communication used to evade detection
• Inference 18–22 indicate TCP connection repetition, session establishment behavior, and consistent interaction with external endpoints
• Inference 23–26 show packet structure anomalies, header inconsistencies, and unusual traffic composition compared to normal user activity
• Inference 27–30 demonstrate persistent communication with specific endpoints, encoded data transmission, and absence of normal browsing behavior confirming automated malware communication

9. The Use of AI in this Digital Assignment

Artificial Intelligence (AI) was used as an assisting tool in this analysis to enhance understanding of complex network traffic patterns observed in Wireshark. AI helped in interpreting protocol behavior, identifying repeated communication patterns, and organizing the observations derived from multiple graphs.

It was particularly useful in recognizing patterns such as repeated HTTP requests, DNS activity, TCP connection behavior, and encrypted HTTPS communication trends. AI also supported in structuring the inferences clearly by converting raw packet-level observations into meaningful insights.

Additionally, AI contributed to improving the presentation of results by assisting in formatting the analysis, refining technical explanations, and ensuring clarity in documentation. However, all core analysis, graph generation, and interpretation were performed manually using Wireshark, ensuring the authenticity and reliability of the results.

10. Conclusion

This project successfully analyzed HTTP and HTTPS network traffic using Wireshark to identify suspicious communication patterns. Through detailed packet inspection and graphical visualization, various anomalies such as repeated requests, traffic spikes, and unusual communication behavior were observed.

The generated 25 graphs and corresponding inferences provide clear evidence of abnormal network activity. This analysis demonstrates how Wireshark can be effectively used as a tool for detecting potential malware communication and understanding network behavior in real-world scenarios.

11. Links

26 Minutes of Clear Explanation in YouTube:

YouTube Link: https://youtu.be/vBsoijFmZ9U

GitHub: https://github.com/Maaran-1/Malware

12. References

1. Malware Traffic Analysis Dataset: https://www.malware-traffic-analysis.net
2. Wireshark Official Documentation: https://www.wireshark.org/docs/
3. Network Protocol Analysis Concepts and Tutorials

13. Acknowledgements

I would like to express my sincere gratitude to the School of Computer Science and Engineering (SCOPE), Vellore Institute of Technology, Chennai, for offering the theory and laboratory courses in Computer Networks during the Winter Semester 2025–2026 with an industry-standard syllabus. This course provided a strong foundation for understanding network protocols and traffic analysis.

I would like to thank my course faculty, Dr. T. Subbulakshmi, Professor, SCOPE, VIT Chennai, for her continuous guidance, valuable insights, and support throughout the completion of this project.

I extend my appreciation to Gerald Combs, the founder of Wireshark and recipient of the ACM Software System Award (2018), for developing an exceptional tool that made detailed network traffic analysis possible.

I would also like to thank Bradley Duncan for his informative malware analysis blogs, which helped in understanding real-world malware behavior without executing harmful software and inspired deeper analysis in this work.

I would like to acknowledge my peers for their valuable suggestions, discussions, and feedback, which helped improve the quality and clarity of this project.

I also thank my friends who supported me during the initial stages of learning Wireshark and guided me in understanding traffic analysis concepts.

Finally, I express my heartfelt gratitude to my parents and family members for their constant encouragement, support, and motivation throughout this project.

I also acknowledge various online resources, documentation, and technical blogs that contributed to enhancing my understanding of network traffic analysis and cybersecurity concepts.

---

Author

Mr. D Maaran, II year B.Tech. CSE student, School of Computer Science and Engineering , VIT Chennai

14. Peer Feedback & Technical Comments

Peer Feedback A: Clear identification of HTTP and HTTPS traffic patterns using Wireshark filters.

Peer Feedback B: Effective use of I/O graphs to visualize abnormal traffic behavior.

Peer Feedback C: Good understanding of network protocols and traffic analysis techniques.