1. How do you locate the attacking IP address?
- Statistics > Conversations in Wireshark to see traffic direction; identify suspicious IP.
- Locate webshell:
ip.addr == <IP> && http matches "upload|eval|select|xp_cmdshell" && http.request.method == "POST"
- Trace vulnerability:
http.request.uri contains "webshell.php" to find initial execution/upload.
- Determine vulnerability type from initial upload packet or other signatures.