12 Days of Defense - Day 9: How to Analyze HTTP Traffic in Wireshark

In this episode I cover one of the most common and fundamental protocols for analysts to understand - HTTP. This protocol is used for everything from early stage delivery and exploitation to command and control and even exfiltration. Every blue team member must know the key fields included in HTTP, how to identify suspicious HTTP content, and how to extract files. This video shows how to read HTTP in Wireshark, examine fields for suspicious content and extract files from an HTTP PCAP. While in this video we focus on HTTP/1, don't miss the following video in this series for an important follow-on discussing the newer and much more complex HTTP/2 and HTTP/3 protocols!

===

My SANS Courses:
SEC450 - Blue Team Fundamentals: https://sans.org/sec450
MGT551 - Building and Leading Security Operations Centers: https://sans.org/mgt551

PDF Guide to Security Operations: https://www.sans.org/security-resourc...
Blueprint Podcast: https://sans.org/blueprint-podcast
Twitter: /sechubb