Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Goal
- Attacker sniffs traffic (needs visibility)
- Observes:
- Sequence numbers
- Acknowledgment numbers
- Injects packet with correct sequence number
- Spoofs source IP
- Disrupts legitimate endpoint (often via ARP poisoning)
(CRITICAL) Hijacking requires:
- On-path position (MITM)
- Or predictable sequence numbers (old stacks)
Modern TCP makes blind hijacking extremely difficult.
Red Flags
- Duplicate sequence numbers
- Unexpected data packets
- ACK desynchronization
- TCP retransmissions spike
- Window size inconsistencies
- ARP anomalies
- Out-of-order packets
Filters
# Duplicate ACK
tcp.analysis.duplicate_ack
# Retransmission (Hijacking often causes desync)
tcp.analysis.retransmission
# Out-of-order packets
tcp.analysis.out_of_order
# Same 4-tuple, different MAC (possible ARP poisoning/hijack)
# Inspect ethernet source address
ip.addr == TARGET_IP
Killchain
- Attacker gains on-path visibility (ARP poisoning)
- Monitors sequence numbers
- Blocks legitimate ACKs
- Injects crafted packet with valid sequence
- Session desynchronizes
- Legitimate endpoint retransmits
- Connection instability observed