
Find Hackers on your network with Wireshark - 10 signs to look for!

LanWanNinja

An intro video for finding hackers or anomalous behavior on your network in a packet capture with Wireshark. Plenty of stuff for beginners and something for everyone else too.

If you have any questions or ideas for future videos, please leave a comment and let me know.

Filters used:
I will add this list to my website soon and leave the link here.

Scanning:
SYN packets with no matching SYN-ACK:
(tcp.flags.syn == True) && (tcp.completeness.synack == False)

TCP reset packets:
tcp.flags.reset

DNS:
dns

DNS server failure or no such name:
dns.flags.rcode == 2 or dns.flags.rcode == 3

user to user traffic:
put in your user networks in a filter like:
ip.addr == x.x.x.x/24 and ip.addr==x.x.x.x/24

Web enumeration:
http.request.method == "GET"

Web logins:
tcp matches "login"
http.request.method == "POST"
tcp matches "password"

login errors:
http.response.code gt 200

Responder:
nbns
nbns.flags.response == True

logging in to a machine running Responder:
ntlmssp

service controller:
svcctl

Kerberoasting (enctype 23 is RC4 encryption):
kerberos && kerberos.enctype==23

not my DHCP (put your DHCP servers in {}; option 2 is Offer, 5 is ACK):
dhcp and ip.addr not in {192.168.1.150, 192.168.2.150, 192.168.100.150} && (dhcp.option.dhcp == 2 || dhcp.option.dhcp == 5)

not my DNS responses (put your DNS servers in {}):
(dns and ip.addr not in {192.168.1.150, 192.168.2.150, 192.168.100.150}) && (dns.flags.response == True)

ipv6 traffic filter:
ipv6
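The filters above are quick to type into Wireshark, but the same checks are worth running unattended over a capture. The script below is an added example, not from the video or the LanWanNinja channel: it reads a tab-separated tshark field export (the assumed invocation is in the docstring; the Wireshark field names are real, the sample rows and the 10.0.0.0/24 addresses are constructed) and applies the scan, rogue DNS, rogue DHCP, NBNS response and RC4 Kerberos checks. It tightens two of the filters: the SYN check is done per tcp.stream so a SYN only counts as "unanswered" when no SYN-ACK ever arrives in that stream, and the rogue DNS/DHCP checks test ip.src rather than ip.addr, so only the responding host is compared against the allowlist.

```python
"""Apply the video's Wireshark detections to a tshark field export.

Assumed (hypothetical) export command for any pcap; the field list must
match FIELDS below, in order:

  tshark -r capture.pcap -T fields -E separator=/t -E occurrence=f \
    -e frame.number -e ip.src -e ip.dst -e tcp.flags.syn -e tcp.flags.ack \
    -e tcp.stream -e dns.flags.response -e dhcp.option.dhcp \
    -e nbns.flags.response -e kerberos.enctype
"""
import csv
from collections import defaultdict
from io import StringIO

FIELDS = ["frame.number", "ip.src", "ip.dst", "tcp.flags.syn", "tcp.flags.ack",
          "tcp.stream", "dns.flags.response", "dhcp.option.dhcp",
          "nbns.flags.response", "kerberos.enctype"]

# Allowlists: the hosts that are supposed to answer DNS and DHCP (constructed).
DNS_SERVERS = {"10.0.0.1"}
DHCP_SERVERS = {"10.0.0.1"}
RC4_ENCTYPE = "23"                      # etype 23 = RC4-HMAC (Kerberoasting)
DHCP_SERVER_MESSAGES = {"2", "5"}       # 2 = Offer, 5 = ACK

# Constructed sample export: one tuple per frame, same column order as FIELDS.
SAMPLE_ROWS = [
    ("1", "10.0.0.5", "10.0.0.20", "1", "0", "0", "", "", "", ""),   # SYN, stream 0
    ("2", "10.0.0.20", "10.0.0.5", "1", "1", "0", "", "", "", ""),   # SYN-ACK, stream 0
    ("3", "10.0.0.5", "10.0.0.20", "1", "0", "1", "", "", "", ""),   # SYN, never answered
    ("4", "10.0.0.5", "10.0.0.20", "1", "0", "2", "", "", "", ""),   # SYN, never answered
    ("5", "10.0.0.9", "10.0.0.1", "", "", "", "0", "", "", ""),      # DNS query to real server
    ("6", "10.0.0.66", "10.0.0.9", "", "", "", "1", "", "", ""),     # DNS response from unknown host
    ("7", "10.0.0.66", "255.255.255.255", "", "", "", "", "2", "", ""),  # DHCP Offer from unknown host
    ("8", "10.0.0.66", "10.0.0.9", "", "", "", "", "", "1", ""),     # NBNS response (Responder-style)
    ("9", "10.0.0.9", "10.0.0.10", "", "", "", "", "", "", "23"),    # Kerberos with RC4 etype
    ("10", "10.0.0.9", "10.0.0.10", "", "", "", "", "", "", "18"),   # Kerberos with AES256 etype
]
SAMPLE = "\n".join("\t".join(r) for r in SAMPLE_ROWS)


def parse(text):
    """Turn tshark -T fields output into a list of dicts keyed by FIELDS."""
    rows = []
    for rec in csv.reader(StringIO(text), delimiter="\t"):
        if rec and rec[0].strip():
            rows.append(dict(zip(FIELDS, rec)))
    return rows


def truthy(value):
    # tshark prints booleans as 1/0 in older builds and True/False in newer ones.
    return value.strip().lower() in {"1", "true"}


def syn_without_synack(rows):
    """Frames of the first SYN in each tcp.stream that never saw a SYN-ACK."""
    streams = defaultdict(lambda: {"syn": None, "synack": False})
    for r in rows:
        if not r["tcp.stream"]:
            continue
        s = streams[r["tcp.stream"]]
        syn, ack = truthy(r["tcp.flags.syn"]), truthy(r["tcp.flags.ack"])
        if syn and not ack and s["syn"] is None:
            s["syn"] = r["frame.number"]
        elif syn and ack:
            s["synack"] = True
    return [s["syn"] for s in streams.values() if s["syn"] and not s["synack"]]


def rogue_dns_responses(rows):
    return [r["frame.number"] for r in rows
            if truthy(r["dns.flags.response"]) and r["ip.src"] not in DNS_SERVERS]


def rogue_dhcp_servers(rows):
    return [r["frame.number"] for r in rows
            if r["dhcp.option.dhcp"] in DHCP_SERVER_MESSAGES and r["ip.src"] not in DHCP_SERVERS]


def nbns_responses(rows):
    return [r["frame.number"] for r in rows if truthy(r["nbns.flags.response"])]


def rc4_kerberos(rows):
    return [r["frame.number"] for r in rows if r["kerberos.enctype"] == RC4_ENCTYPE]


def run_all(rows):
    """Run every check; each value is the list of offending frame numbers."""
    return {"syn_scan": syn_without_synack(rows),
            "rogue_dns": rogue_dns_responses(rows),
            "rogue_dhcp": rogue_dhcp_servers(rows),
            "nbns_responses": nbns_responses(rows),
            "rc4_kerberos": rc4_kerberos(rows)}


if __name__ == "__main__":
    for name, frames in run_all(parse(SAMPLE)).items():
        print(f"{name:15s} frames: {', '.join(frames) or '-'}")
```

Frame numbers come straight from the export, so any hit can be jumped to in Wireshark with `frame.number == N` and checked by hand; in real use, swap the constructed SAMPLE for `sys.stdin.read()` and pipe the tshark output in.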

Timestamps:
00:00 Start
0:15 User vs Hacker
0:51 Port Scanning
1:27 DNS enumeration
2:01 User to user traffic
2:33 Attacking web servers Enumeration
2:58 Attacking web servers Passwords
3:34 NBNS & Responder
4:10 Manipulating services
4:38 Kerberoasting
5:25 Rogue DNS or DHCP
6:01 IPv6 / MITM6
6:21 Conclusion

posted by stvarani8x