Operator On The Wire

IP Spoofing


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Goal

Always check the following when examining the IPv4 source and destination fields during traffic analysis.

  • Internal → Outbound Traffic. Source IP should belong to the internal subnet.
  • External → Inbound Traffic. Source IP should NOT belong to the internal subnet. Otherwise → likely spoofed.

Filters

# Inbound packet spoofed as internal
ip.src == 192.168.0.0/16 && ip.dst != 192.168.0.0/16


# Outbound packet with external source
ip.src != 192.168.0.0/16 && ip.dst != 192.168.0.0/16
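Added example, not part of the original page: the direction-aware rule from the Goal section, which the display filters above approximate, applied to a constructed capture in Python. The packet records, the `inside`/`outside` capture-interface labels and the 192.168.0.0/16 internal range are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Internal address space assumed for this example (the page's filters use 192.168.0.0/16).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    # Capture interface: "inside" = leaving the LAN, "outside" = arriving from the internet.
    # Direction comes from where the packet was seen, not from the addresses it carries.
    iface: str
    src: str
    dst: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(pkt: Packet) -> str:
    src_internal = is_internal(pkt.src)
    if pkt.iface == "outside":
        # Inbound: a source claiming to be inside the perimeter cannot legitimately arrive from outside.
        return "spoofed-inbound" if src_internal else "ok"
    if pkt.iface == "inside":
        # Outbound: anything leaving the LAN must carry an internal source.
        return "ok" if src_internal else "spoofed-outbound"
    return "unknown-iface"


def hunt(packets):
    """Return (packet, verdict) for every packet that violates the direction rule."""
    flagged = []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict != "ok":
            flagged.append((pkt, verdict))
    return flagged


# Constructed sample capture; 198.51.100.0/24 and 203.0.113.0/24 stand in for external hosts.
SAMPLE = [
    Packet("inside", "192.168.1.10", "203.0.113.7"),    # legitimate outbound request
    Packet("outside", "203.0.113.7", "192.168.1.10"),   # legitimate inbound reply
    Packet("outside", "192.168.1.50", "192.168.1.1"),   # inbound claiming an internal source
    Packet("inside", "198.51.100.2", "203.0.113.7"),    # outbound carrying an external source
]

if __name__ == "__main__":
    for pkt, verdict in hunt(SAMPLE):
        print(f"{verdict:17} {pkt.iface:8} {pkt.src} -> {pkt.dst}")
```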