misp-wireshark is a Lua plugin intended to help analysts extract data from Wireshark and convert it into the MISP Core format
- Go to
Toolslocated in Wireshark's top bar and click onMISP: Export to MISP format - Enter the export options to configure the behavior of the exporter
Main filter: Fill this field to filter the exported data. Essentially, it will just be a copy/paste from the global filter in the interface. (This cannot be done automatically because of this)Include HTTP payload: Should the payloads sent via HTTP 8089 be included as a file in the outputExport path: The location where the exported file should be saved when clicking onSave to fileTags: Optional tags can be attached to some MISP attributes.
- Copy or save in a file the data to be imported in MISP
- Import in MISP
On linux, clone the repository in wireshark's plugin location folder
mkdir -p ~/.local/lib/wireshark/plugins
cd ~/.local/lib/wireshark/plugins
git clone https://github.com/MISP/misp-wireshark
cd misp-wireshark/
git submodule update --init --recursivegit pull
git submodule updateBy default, community-id is disabled. To enable it, you have to perform these steps:
- On the top bar go to
Analyze/Enabled Protocols... - Search for
CommunityIDin the list - Check the checkbox
network-connectionfrom tcphttp-requestfrom tcp.http, including HTTP payloadsdns-recordfrom udp.dns