Step-by-Step Guide to Investigating Lateral Movement Using Wireshark

By Editorial Team • Updated regularly • Fact-checked content

What if the attacker is already inside, and the only evidence is buried in your packets?

Lateral movement is where intrusions turn into breaches, as compromised credentials, SMB sessions, RDP connections, and suspicious authentication patterns spread quietly across the network.

Wireshark gives investigators a ground-level view of that activity, revealing what endpoint logs may miss: who talked to whom, when, how often, and over which protocols.

This step-by-step guide shows how to use Wireshark to identify lateral movement indicators, filter noisy traffic, trace attacker paths, and turn packet evidence into defensible findings.

What Lateral Movement Looks Like in Wireshark: Protocols, Indicators, and Attack Paths

In Wireshark, lateral movement rarely appears as one obvious “attack packet.” It usually looks like a trusted workstation suddenly authenticating to multiple internal systems, opening admin protocols, and transferring tools or commands across the network.

Start by filtering for the enterprise protocols most often used after a compromise: SMB, Kerberos, LDAP, WinRM, RDP, and DNS. A practical filter such as smb2 || kerberos || ldap || dns || tcp.port == 3389 || tcp.port == 5985 || tcp.port == 5986 quickly exposes internal authentication and remote-access patterns. Keep in mind that RDP and WinRM are normally wrapped in TLS, so Wireshark shows that a session existed, between which hosts and for how long, not what was typed inside it.

  • SMB: Watch for tree connects to ADMIN$ or C$, unusual file writes, and remote service creation (PsExec-style tools create a service over the svcctl named pipe, which rides on IPC$). IPC$ on its own is opened by almost every SMB session, so treat it as context rather than as an indicator.
  • Kerberos/NTLM: Look for repeated logons, bursts of service ticket requests (TGS-REQ) for many different hosts, or authentication from a host that normally has no admin role.
  • RDP/WinRM: Investigate new remote sessions between workstations, especially outside normal IT support workflows.

A typical example: a finance user’s laptop resolves several server hostnames over DNS, requests Kerberos service tickets for them, and then opens SMB sessions to several domain controllers and file servers within minutes. In Wireshark, that sequence is consistent with credential theft followed by internal reconnaissance and remote execution, and it warrants checking what the laptop did on each target.

One useful analyst habit is to pivot by source IP and time window, then compare the traffic against endpoint logs in tools like Microsoft Defender for Endpoint or Splunk. Wireshark gives packet-level proof; the EDR or SIEM confirms the user, process, and device behind the connections.

How to Investigate Lateral Movement Step by Step Using Wireshark Filters and Packet Analysis

Start by narrowing the capture to the suspected internal host and its authentication traffic. In Wireshark, a filter such as ip.addr == 10.0.5.23 && (tcp.port == 445 || tcp.port == 3389 || kerberos) focuses on the SMB, RDP, and Kerberos activity commonly used during lateral movement.

Next, look for one workstation connecting to many internal systems in a short time. Filter on connection attempts only with ip.src == 10.0.5.23 && tcp.flags.syn == 1 && tcp.flags.ack == 0 (the ack == 0 clause drops the servers’ SYN/ACK replies), then open Statistics > Conversations and sort the IPv4 tab by destination address; this often exposes scanning, remote admin abuse, or compromised credentials being tested across the network.

  • SMB: Use smb2 or tcp.port == 445, then narrow to tree connect requests with smb2.cmd == 3 and check for admin shares like ADMIN$ or C$.
  • RDP: Use tcp.port == 3389 and verify whether the session’s source, destination, and time of day match normal user or help-desk behavior.
  • Kerberos/NTLM: Use kerberos or ntlmssp (which also catches NTLM carried inside SMB and HTTP) to spot repeated authentication attempts or unusual service ticket requests.

For example, in a real incident response review, a finance laptop repeatedly opened SMB sessions to domain controllers and file servers after business hours. Packet analysis showed NTLM authentication followed by access to ADMIN$, which aligned with endpoint security alerts from Microsoft Defender for Endpoint.

Finally, correlate the packet evidence with firewall logs, EDR telemetry, and SIEM events from platforms like Splunk or Microsoft Sentinel. Wireshark shows what crossed the wire, but combining it with cybersecurity incident response tools helps confirm whether the traffic was legitimate administration or active lateral movement.
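As an added worked example that is not part of the original guide, here is the fan-out check from this section together with the admin-share check from the previous one, in Python over the field exports that tshark (Wireshark’s command-line counterpart) writes with -T fields. Every address, hostname, share name and timestamp in the samples is constructed; the port-to-protocol map, the inclusion of 135 and 5986 as admin ports, and the 5-targets-in-300-seconds threshold are assumptions of the example, not figures from the guide.

```python
"""Fan-out and admin-share triage over tshark field exports.

Sample data below is constructed for this example, not taken from a real capture.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Ports treated as remote-admin channels. 445/3389/5985 come from the guide;
# 5986 (WinRM over TLS) and 135 (RPC/DCOM) are added here as an assumption.
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 135: "RPC"}
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}  # IPC$ is deliberately not in this set

# Constructed output of:
#   tshark -r lm.pcapng -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#     -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -E separator=/t
# 10.0.5.23 is the suspect laptop, 10.0.5.40 a normal user, 10.0.0.50 an IT jump host.
SYN_EXPORT = """\
1700000000.10\t10.0.5.23\t10.0.1.10\t445
1700000003.40\t10.0.5.23\t10.0.1.11\t445
1700000007.90\t10.0.5.23\t10.0.2.15\t445
1700000012.00\t10.0.5.23\t10.0.2.16\t445
1700000018.70\t10.0.5.23\t10.0.2.17\t3389
1700000025.30\t10.0.5.23\t10.0.2.18\t5985
1700000400.00\t10.0.5.23\t10.0.9.9\t443
1700000001.00\t10.0.5.40\t10.0.1.10\t445
1700000002.00\t10.0.5.40\t10.0.1.10\t445
1700000000.00\t10.0.0.50\t10.0.2.20\t3389
1700007200.00\t10.0.0.50\t10.0.2.21\t3389
1700014400.00\t10.0.0.50\t10.0.2.22\t3389
"""

# Constructed output of:
#   tshark -r lm.pcapng -Y "smb2.cmd == 3 && smb2.flags.response == 0" \
#     -T fields -e frame.time_epoch -e ip.src -e ip.dst -e smb2.tree -E separator=/t
TREE_EXPORT = """\
1700000000.40\t10.0.5.23\t10.0.1.10\t\\\\DC01\\IPC$
1700000000.60\t10.0.5.23\t10.0.1.10\t\\\\DC01\\ADMIN$
1700000003.80\t10.0.5.23\t10.0.1.11\t\\\\DC02\\C$
1700000001.50\t10.0.5.40\t10.0.1.10\t\\\\DC01\\IPC$
1700000060.00\t10.0.5.40\t10.0.2.30\t\\\\FS01\\Finance
"""


@dataclass(frozen=True)
class Syn:
    ts: float
    src: str
    dst: str
    dport: int


def parse_syns(text):
    """Parse the tab-separated SYN export into Syn records."""
    syns = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split("\t")
            syns.append(Syn(float(ts), src, dst, int(dport)))
    return syns


def fanout_alerts(syns, window=300.0, min_targets=5):
    """Slide a `window`-second window over each source's SYNs to admin ports and keep
    the largest count of distinct destination hosts seen in any one window.
    Returns {src: (max_distinct_targets, protocols)} for sources reaching min_targets."""
    by_src = defaultdict(list)
    for s in syns:
        if s.dport in ADMIN_PORTS:
            by_src[s.src].append(s)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        in_window, left, best = Counter(), 0, 0
        for e in events:
            in_window[e.dst] += 1
            while e.ts - events[left].ts > window:  # expire events older than the window
                old = events[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            alerts[src] = (best, tuple(sorted({ADMIN_PORTS[e.dport] for e in events})))
    return alerts


def admin_share_connects(text):
    """Return (ts, src, dst, share) for tree connects to administrative shares.
    IPC$ is skipped: every named-pipe session, including ordinary logons, opens it."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, tree = line.split("\t")
            share = tree.rstrip("\\").rsplit("\\", 1)[-1].upper()
            if share in ADMIN_SHARES:
                hits.append((float(ts), src, dst, share))
    return hits


if __name__ == "__main__":
    for src, (n, protos) in fanout_alerts(parse_syns(SYN_EXPORT)).items():
        print(f"{src}: {n} distinct admin-port targets inside 300 s via {', '.join(protos)}")
    for ts, src, dst, share in admin_share_connects(TREE_EXPORT):
        print(f"{ts:.2f} {src} -> {dst} {share}")
```

The jump host in the sample touches three RDP targets hours apart, so the default 300-second window ignores it while a ten-hour window flags it; the window and target count encode what “a short time” means in your environment. Treat the output as a pivot list to take back into Wireshark, not as a verdict.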

Common Wireshark Investigation Mistakes That Hide Lateral Movement Evidence

One of the biggest mistakes is filtering too aggressively too early. If you start with only smb, rdp, or kerberos filters in Wireshark, you may miss the setup traffic that shows how the attacker found the target, such as DNS lookups, LDAP queries, ARP scans, or failed TCP connections.

Another common issue is ignoring “normal” administrative protocols. In real incident response work, lateral movement often blends into legitimate Windows traffic: SMB file access, WinRM, PsExec-style service creation, RDP sessions, or Kerberos ticket requests. For example, a workstation suddenly connecting to admin shares such as \\HOST\C$ on multiple servers after hours is more suspicious than a single failed login.

  • Looking only at successful connections: failed logins, reset packets, and repeated SMB negotiation attempts can reveal attacker trial-and-error.
  • Skipping time correlation: compare packet timestamps with SIEM alerts from Splunk, Microsoft Defender, or firewall logs.
  • Not checking internal DNS: attackers often query hostnames before moving laterally across servers or domain controllers.

A practical mistake is capturing traffic from the wrong network point. A capture taken on an analyst’s laptop will not show east-west traffic between servers unless a switch SPAN/mirror port, a TAP, or a cloud packet-mirroring feature is feeding it. In enterprise environments, this can mean the difference between seeing a full compromise path and seeing only noise.

Finally, do not rely on packet content alone. Encrypted protocols (RDP, WinRM over HTTPS, SMB 3 encryption), segmented networks, and capture placement all limit visibility, so combine Wireshark analysis with Zeek logs, EDR telemetry, and asset inventory. Good lateral movement investigation is about correlation, not just packet inspection.
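As an added example that is not from the original guide, here are the setup-traffic checks this section argues for: pairing a host’s internal DNS lookups with the connections that follow them, and separating established sessions from reset and unanswered attempts. It runs in Python over a tshark field export; the hostnames, addresses, ports and timestamps are constructed for the example, and the 120-second lookup-to-connect window and 5-second reply timeout are thresholds chosen here, not values from the guide.

```python
"""Correlate reconnaissance DNS with follow-on connections and classify each
connection attempt (established, reset, no response).

Sample data is constructed for this example, not taken from a real capture.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10  # tcp.flags bits

# Constructed output of:
#   tshark -r lm.pcapng -Y "dns.flags.response == 1 || tcp.flags.syn == 1 || tcp.flags.reset == 1" \
#     -T fields -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name -e dns.a \
#     -e tcp.srcport -e tcp.dstport -e tcp.flags -E separator=/t
# DNS rows carry empty TCP columns and vice versa. tcp.flags is read as a hex bitmask
# because its printed width differs between Wireshark versions.
EXPORT = """\
1699999990.00\t10.0.1.10\t10.0.5.23\tdc02.corp.local\t10.0.1.11\t\t\t
1699999991.00\t10.0.1.10\t10.0.5.23\tfs01.corp.local\t10.0.2.15\t\t\t
1699999992.00\t10.0.1.10\t10.0.5.23\tfs02.corp.local\t10.0.2.16\t\t\t
1699999995.00\t10.0.5.23\t10.0.1.11\t\t\t51000\t445\t0x0002
1699999995.01\t10.0.1.11\t10.0.5.23\t\t\t445\t51000\t0x0012
1699999999.00\t10.0.5.23\t10.0.2.15\t\t\t51001\t445\t0x0002
1699999999.01\t10.0.2.15\t10.0.5.23\t\t\t445\t51001\t0x0012
1700000003.00\t10.0.5.23\t10.0.2.16\t\t\t51002\t445\t0x0002
1700000003.01\t10.0.2.16\t10.0.5.23\t\t\t445\t51002\t0x0014
1700000008.00\t10.0.5.23\t10.0.2.16\t\t\t51003\t3389\t0x0002
1700000500.00\t10.0.5.23\t10.0.9.9\t\t\t51004\t443\t0x0002
1700000500.02\t10.0.9.9\t10.0.5.23\t\t\t443\t51004\t0x0012
"""


@dataclass(frozen=True)
class Row:
    ts: float
    src: str
    dst: str
    qname: str
    answers: tuple
    sport: Optional[int]
    dport: Optional[int]
    flags: Optional[int]


def parse_export(text):
    """Parse the 8-column export into Row records sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
        ts, src, dst, qname, answers, sport, dport, flags = fields
        rows.append(Row(float(ts), src, dst, qname,
                        tuple(a for a in answers.split(",") if a),  # dns.a joins A records with commas
                        int(sport) if sport else None,
                        int(dport) if dport else None,
                        int(flags, 16) if flags else None))
    return sorted(rows, key=lambda r: r.ts)


def is_syn_only(r):
    """A client's connection attempt: SYN set, ACK clear."""
    return r.flags is not None and r.flags & (SYN | ACK) == SYN


def resolved_then_connected(rows, window=120.0):
    """Pair each outbound SYN with the DNS answer that named its destination when the
    same client resolved that IP within `window` seconds beforehand (rows must be
    time-sorted, as parse_export returns them).
    Returns [(client, hostname, dst_ip, dport, seconds_after_lookup)] in time order."""
    resolved = defaultdict(dict)  # client -> {answer_ip: (hostname, answer_ts)}
    hits = []
    for r in rows:
        if r.answers:  # a DNS response delivered to the client r.dst
            for ip in r.answers:
                resolved[r.dst][ip] = (r.qname, r.ts)
        elif is_syn_only(r) and r.dst in resolved[r.src]:
            hostname, t_lookup = resolved[r.src][r.dst]
            if 0 <= r.ts - t_lookup <= window:
                hits.append((r.src, hostname, r.dst, r.dport, round(r.ts - t_lookup, 2)))
    return hits


def connection_outcomes(rows, timeout=5.0):
    """Classify each outbound SYN by the first reply on the reversed 4-tuple within
    `timeout` seconds: 'established' (SYN/ACK), 'reset' (RST) or 'no response'.
    Keys are (client, target, target_port, client_port); rows must be time-sorted."""
    outcomes = {}
    for i, r in enumerate(rows):
        if not is_syn_only(r):
            continue
        verdict = "no response"
        for reply in rows[i + 1:]:
            if reply.ts - r.ts > timeout:
                break
            if (reply.flags is not None and reply.src == r.dst and reply.dst == r.src
                    and reply.sport == r.dport and reply.dport == r.sport):
                if reply.flags & RST:
                    verdict = "reset"
                elif reply.flags & (SYN | ACK) == SYN | ACK:
                    verdict = "established"
                break
        outcomes[(r.src, r.dst, r.dport, r.sport)] = verdict
    return outcomes


if __name__ == "__main__":
    rows = parse_export(EXPORT)
    for client, host, ip, port, delta in resolved_then_connected(rows):
        print(f"{client} resolved {host} -> {ip} then hit port {port} after {delta}s")
    for key, verdict in connection_outcomes(rows).items():
        print(key, verdict)
```

In the sample the laptop looks up three servers, reaches two of them on SMB, gets a reset from the third on 445 and no answer at all on 3389; that mix of hits and misses is the trial-and-error pattern a success-only filter would hide.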

Summary of Recommendations

Effective lateral movement investigation with Wireshark comes down to judgment, not packet volume. The goal is to separate routine internal traffic from authentication abuse, unusual protocol use, and unexpected host-to-host communication.

  • Prioritize evidence that links a source host, target host, protocol, credential activity, and time window.
  • Escalate when packet findings align with suspicious logins, admin share access, RDP/SMB anomalies, or known compromised accounts.
  • Use Wireshark as a verification tool alongside endpoint, identity, and firewall telemetry.

The best decision is fast containment when patterns show unauthorized internal expansion, even before full attribution is complete.