saurabh4269 / fdc_plugin


Wireshark Privacy-Preserving Threat Detection Plugin

Overview

This plugin extends Wireshark with privacy-preserving threat detection for encrypted traffic: it works on handshake metadata (such as the TLS client_hello) rather than decrypted payload, so it can flag suspicious sessions without exposing what users send or receive. The analysis combines traffic-metadata fingerprinting, a fingerprint knowledge base shipped under resources/, and threat intelligence feeds, so that security teams can detect and respond to threats while leaving user content untouched.

Features

  • Encrypted Traffic Analysis: Analyze encrypted packets without decryption to enhance security and privacy.
  • Machine Learning Integration: Use a Naive Bayes Classifier for detecting malware in encrypted traffic.
  • Network Protocol Fingerprinting: Identify protocols and potential threats using pattern recognition.
  • Fingerprinting with Destination Context: Utilize a Weighted Naive Bayes Classifier to analyze destination context and identify malware.

Installation

Prerequisites

  • Wireshark
  • Lua (for dissector scripting)
  • C Compiler (for plugin development)

Steps

  1. Clone the repository:

    git clone git@github.com:saurabh4269/fdc_plugin.git
    cd fdc_plugin
  2. Compile the C and C++ components (libmerc_util.cc is C++, so build it with g++, not gcc):

    gcc -o libmerc_test libmerc_test.c -lwireshark
    g++ -o libmerc_util libmerc_util.cc -lwireshark

    Linking against libwireshark also needs its headers and the GLib include paths; if your distribution ships a pkg-config file for Wireshark, add `$(pkg-config --cflags --libs wireshark)` to each command. These two binaries are helper tools; the component Wireshark itself loads is the Lua dissector in the next step.
  3. Place the Lua dissector script in your personal Wireshark plugins directory:

    cp libmerc_disector.lua ~/.wireshark/plugins/

    `~/.wireshark/plugins/` is the legacy location; Wireshark 3.x and later on Linux look in `~/.local/lib/wireshark/plugins/` instead. Check Help > About Wireshark > Folders ("Personal Lua Plugins") and copy the script to the directory listed there.
  4. Ensure the required resource files are in place (create the directory first, since cp will not):

    mkdir -p ~/.wireshark/plugins/resources
    cp resources/* ~/.wireshark/plugins/resources/

Usage

  1. Launch Wireshark.
  2. Load a packet capture file (.pcap or .pcapng) containing encrypted (TLS) traffic.
  3. The plugin will automatically start analyzing the traffic.
  4. Check the analysis results for detected threats in the Wireshark interface.

Components

src/libmerc

  • libmerc_disector.lua: Lua script for dissecting and analyzing traffic.
  • libmerc_test.c: Test suite for the plugin.
  • libmerc_util.cc: Utility functions for the plugin.

resources

  • fingerprint_db.json.gz: Knowledge base mapping processes and destinations to characteristic fingerprint strings.
  • fp_prevalence_tls.txt.gz: Lists all observed characteristic fingerprint strings.

test

  • resources.tgz.enc: Encrypted test resources.

Algorithm Details

Naive Bayes Classifier

  • Applies Bayes' rule to score each candidate process (benign or malicious) given the observed fingerprint features.
  • Assumes the features are conditionally independent given the process, which keeps the model simple and fast at the cost of ignoring correlations between features.

Weighted Naive Bayes Classifier

  • Assigns each feature (fingerprint string, destination context such as server name and port) its own weight, so that more discriminative features count for more and the violated independence assumption does less damage.
  • Sums weighted log probabilities instead of multiplying raw probabilities, which avoids floating-point underflow when many small probabilities are combined.

Fingerprinting with Destination Context

  • Identifies the software process that produced a TLS client_hello from the fingerprint of its handshake fields.
  • Looks the fingerprint up in the knowledge base (resources/fingerprint_db.json.gz) and uses the destination context to disambiguate when benign and malicious processes share the same fingerprint, then reports whether the best match is known malware.
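The three bullets above describe one procedure, so here is a compact worked version of it. This is an added example written for this page, not code from fdc_plugin or from libmerc: the fingerprint string, process names, counts and the server names are constructed sample data, and the weights and add-one smoothing are assumptions chosen to illustrate the algorithm rather than values taken from the project.

```cpp
// Weighted naive Bayes over a tiny constructed TLS fingerprint knowledge base.
// Added example, not the plugin's own code; all data below is constructed.
#include <cmath>
#include <iostream>
#include <limits>
#include <map>
#include <string>

// Destination context seen alongside a client_hello (the "destination" in the
// fingerprint DB). Port is kept as a string so both features are handled alike.
struct DestContext {
    std::string sni;   // server_name extension
    std::string port;  // destination port
};

// What the knowledge base records for one process under one fingerprint.
struct ProcessStats {
    int total = 0;                           // sessions of this process with the fingerprint
    std::map<std::string, int> sni_counts;   // server name -> count
    std::map<std::string, int> port_counts;  // port -> count
    bool malware = false;                    // label carried by the knowledge base
};

// fingerprint string -> process name -> stats
using FingerprintDb = std::map<std::string, std::map<std::string, ProcessStats>>;

struct Classification {
    std::string process;  // "unknown" when the fingerprint was never observed
    double log_score;
    bool malware;
};

// log P(feature | process, fingerprint) with add-one (Laplace) smoothing, so a
// destination never seen for a process lowers its score without zeroing it.
// The vocabulary is the keys seen for this process plus one "unseen" bucket.
static double smoothed_log_prob(const std::map<std::string, int>& counts,
                                const std::string& key, int total) {
    auto it = counts.find(key);
    int c = (it == counts.end()) ? 0 : it->second;
    return std::log((c + 1.0) / (total + counts.size() + 1.0));
}

// score(p) = log P(p | fp) + w_sni * log P(sni | p, fp) + w_port * log P(port | p, fp)
// Log-space sums avoid underflow; the weights let the SNI, which is more
// specific to a process than the port, dominate the destination context.
Classification classify(const FingerprintDb& db, const std::string& fp,
                        const DestContext& ctx, double w_sni = 1.0, double w_port = 0.5) {
    Classification best{"unknown", -std::numeric_limits<double>::infinity(), false};
    auto fit = db.find(fp);
    if (fit == db.end()) return best;  // fingerprint absent from the knowledge base
    const auto& procs = fit->second;
    int fp_total = 0;
    for (const auto& kv : procs) fp_total += kv.second.total;
    for (const auto& kv : procs) {
        const ProcessStats& st = kv.second;
        double score = std::log(static_cast<double>(st.total) / fp_total)  // prior P(p | fp)
                     + w_sni * smoothed_log_prob(st.sni_counts, ctx.sni, st.total)
                     + w_port * smoothed_log_prob(st.port_counts, ctx.port, st.total);
        if (score > best.log_score) best = {kv.first, score, st.malware};
    }
    return best;
}

// Constructed fingerprint shared by a browser and a piece of malware that mimics it.
const std::string SAMPLE_FP = "tls/(0303)(1301c02bc02f)((0000)(000a)(0010))";

FingerprintDb sample_db() {
    FingerprintDb db;
    ProcessStats& browser = db[SAMPLE_FP]["browser.exe"];
    browser.total = 90;
    browser.sni_counts = {{"www.example.com", 60}, {"cdn.example.net", 30}};
    browser.port_counts = {{"443", 90}};
    ProcessStats& rat = db[SAMPLE_FP]["rat.exe"];
    rat.total = 10;
    rat.sni_counts = {{"update-check.example.org", 10}};
    rat.port_counts = {{"8443", 10}};
    rat.malware = true;
    return db;
}

int main() {
    FingerprintDb db = sample_db();
    for (const DestContext& ctx : {DestContext{"www.example.com", "443"},
                                   DestContext{"update-check.example.org", "8443"},
                                   DestContext{"never-seen.example", "443"}}) {
        Classification c = classify(db, SAMPLE_FP, ctx);
        std::cout << ctx.sni << ":" << ctx.port << " -> " << c.process
                  << (c.malware ? " [malware]" : "") << " (log score " << c.log_score << ")\n";
    }
    return 0;
}
```

The same fingerprint resolves to the browser for the browser's usual destinations and to the RAT for its beacon host, which is the point of adding destination context: the client_hello alone cannot separate the two. Increasing `w_port` relative to `w_sni` shifts the decision toward the port feature, which is how the weighted variant trades off features that the plain classifier would treat as equally informative.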

Future Scope

  • Integrate Encrypted Metadata Analysis with the Wireshark GUI.
  • Rewrite the plugin in C according to Wireshark's contribution guidelines.
  • Request a merge with the main branch on GitLab.

Contributing

  1. Fork the repository.
  2. Create a new branch:
    git checkout -b feature-branch
  3. Make your changes and commit them:
    git commit -m "Description of changes"
  4. Push to the branch:
    git push origin feature-branch
  5. Open a pull request against this repository on GitHub.

License

This project is licensed under the MIT License. See the LICENSE file for details.

Contact

For questions or feedback, please contact:


Enhance your network security with privacy-preserving threat detection using the Wireshark plugin!

Languages

C 73.5%, C++ 21.6%, Lua 4.9%