Help!! Network forensics: WireShark: detecting an intrusion

4 Posts
3 Users
0 Reactions
996 Views
(@ryanvanderberg)
New Member
Joined: 5 years ago
Posts: 2
Topic starter  

I am faced with the task of detecting an intrusion (either internal or external) using packet analysis techniques with the WireShark packet analysis tool. Please may someone explain to me how I may go about this / things I should look out for. Thanks!


 BDME
(@bdme)
Active Member
Joined: 6 years ago
Posts: 10
 

Is this for school?

Anyway, if you already have your logs, allow Wireshark to parse the logs, then filter the Event IDs. I would go through them, and if you are unfamiliar with what an event ID is referencing, then google that event ID. Once you become more familiar with what Wireshark is parsing out for you, then filter by time and look for event IDs pertaining to what you are looking for. I don't have it installed on my computer at this moment, but it may give an explanation of what the event IDs are referencing; however, I recall them sometimes being unhelpful.


(@ryanvanderberg)
New Member
Joined: 5 years ago
Posts: 2
Topic starter  

Thank you for your response, which I shall print and attempt to follow. Thanks for taking the time to write such a detailed response.


doublezero
(@doublezero)
Active Member
Joined: 6 years ago
Posts: 12
 

Look for ARP and MAC flooding on the network, as they are common in intrusions.
Loads of ICMP packets are also common in recon of a private network through ping scans.


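The three indicators named in the reply above (ARP flooding, MAC flooding and ICMP ping sweeps) turned into detection logic, as an added example that is not part of the original thread and not anyone's posted code. The script parses raw Ethernet II frames itself, so it needs no Wireshark or pcap library; every MAC, IP address, threshold and frame below is made up and constructed inline so that it runs offline. The equivalent Wireshark display filters for eyeballing the same things are `arp.opcode == 2` (ARP replies), `arp.duplicate-address-detected` (one IP claimed by two MACs) and `icmp.type == 8` (echo requests), with Statistics > Endpoints showing how many distinct MACs a capture contains.

```python
"""Heuristic detectors for ARP flooding, MAC flooding and ICMP ping sweeps.

Input is a list of raw Ethernet II frames (bytes). To run on a real capture,
feed it frames from any pcap reader (for example scapy's rdpcap, not used here).
"""
import struct
from collections import Counter, defaultdict

ETH_ARP = 0x0806
ETH_IP4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Extract the Ethernet, ARP and IPv4/ICMP fields the detectors use."""
    if len(frame) < 14:
        return {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "etype": etype}
    payload = frame[14:]
    if etype == ETH_ARP and len(payload) >= 28:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4)
        info["arp_op"] = struct.unpack("!H", payload[6:8])[0]
        info["arp_sha"] = payload[8:14].hex(":")
        info["arp_spa"] = ".".join(map(str, payload[14:18]))
        info["arp_tpa"] = ".".join(map(str, payload[24:28]))
    elif etype == ETH_IP4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        info["ip_src"] = ".".join(map(str, payload[12:16]))
        info["ip_dst"] = ".".join(map(str, payload[16:20]))
        info["ip_proto"] = payload[9]
        if payload[9] == 1 and len(payload) >= ihl + 2:
            info["icmp_type"] = payload[ihl]
    return info


def detect(frames, *, arp_reply_threshold=20, mac_threshold=50, sweep_threshold=10):
    """Return (finding, detail) pairs. Thresholds are illustrative, tune per network."""
    parsed = [p for p in map(parse_frame, frames) if p]
    findings = []
    # 1. ARP flood/spoof: one MAC sending many replies, or one IP claimed by several MACs.
    replies = Counter(p["src_mac"] for p in parsed if p.get("arp_op") == 2)
    for mac, n in replies.items():
        if n >= arp_reply_threshold:
            findings.append(("arp_flood", f"{mac} sent {n} ARP replies"))
    claims = defaultdict(set)
    for p in parsed:
        if "arp_spa" in p:
            claims[p["arp_spa"]].add(p["arp_sha"])
    for ip, macs in claims.items():
        if len(macs) > 1:
            findings.append(("arp_conflict", f"{ip} claimed by {sorted(macs)}"))
    # 2. MAC flooding (CAM table exhaustion): far more source MACs than hosts.
    src_macs = {p["src_mac"] for p in parsed}
    if len(src_macs) >= mac_threshold:
        findings.append(("mac_flood", f"{len(src_macs)} distinct source MACs"))
    # 3. Ping sweep: one source sending echo requests to many distinct destinations.
    targets = defaultdict(set)
    for p in parsed:
        if p.get("icmp_type") == 8:
            targets[p["ip_src"]].add(p["ip_dst"])
    for src, dsts in targets.items():
        if len(dsts) >= sweep_threshold:
            findings.append(("ping_sweep", f"{src} pinged {len(dsts)} hosts"))
    return findings


# --- constructed sample traffic (not a real capture) -------------------------
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))

def eth_frame(dst, src, etype, payload):
    return _mac(dst) + _mac(src) + struct.pack("!H", etype) + payload

def arp_packet(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH", 1, ETH_IP4, 6, 4, op) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)

def ipv4_packet(src_ip, dst_ip, proto, payload):
    # Minimal 20-byte header; checksum left zero since nothing here verifies it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip(src_ip), _ip(dst_ip))
    return hdr + payload

def sample_capture():
    gw_mac, gw_ip = "02:00:00:00:00:01", "192.168.1.1"
    victim_mac, victim_ip = "02:00:00:00:00:02", "192.168.1.20"
    attacker_mac, bcast = "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff"
    frames = [eth_frame(victim_mac, gw_mac, ETH_ARP, arp_packet(2, gw_mac, gw_ip, victim_mac, victim_ip))]
    for _ in range(25):  # attacker keeps claiming the gateway IP
        frames.append(eth_frame(victim_mac, attacker_mac, ETH_ARP,
                                arp_packet(2, attacker_mac, gw_ip, victim_mac, victim_ip)))
    for i in range(60):  # 60 never-seen source MACs in a burst
        frames.append(eth_frame(bcast, f"02:00:00:00:01:{i:02x}", ETH_IP4,
                                ipv4_packet(f"10.0.1.{i + 1}", "10.0.1.255", 17, b"\x00" * 8)))
    echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # ICMP echo request, zero checksum
    for i in range(1, 13):  # one host probes 12 addresses
        frames.append(eth_frame(gw_mac, "02:00:00:00:00:53", ETH_IP4,
                                ipv4_packet("192.168.1.53", f"192.168.1.{i}", 1, echo)))
    return frames


def run_example():
    return detect(sample_capture())


if __name__ == "__main__":
    for kind, detail in run_example():
        print(f"[{kind}] {detail}")
```

The thresholds are deliberately crude; on a real network, baseline the normal ARP reply rate, endpoint count and ICMP volume first and put the counts in a sliding time window, otherwise a long benign capture will trip the same counters.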