Network Traffic Analysis

intermediate | 40 min | Writeup

Analyzing network traffic for threats

Learning Objectives

  • Use Wireshark effectively
  • Identify malicious traffic
  • Analyze network protocols
  • Find data exfiltration

Network traffic analysis is the art of reading the conversation between computers. Every packet tells a story - whether it's normal web browsing or malware calling home to its C2 server. Understanding network traffic is essential for detecting attacks that host logs might miss.

Think of network traffic like phone records. The logs tell you who called whom and for how long. But traffic analysis is like listening to the actual conversation. You can hear if someone is ordering pizza (normal) or negotiating a ransom (very bad).

Encrypted Traffic

Modern traffic is often encrypted (HTTPS, TLS). We can't see the content, but we CAN see metadata: who's talking to whom, when, how much data, and patterns. This metadata is still valuable!

Network Analysis Tools

Network Traffic Analysis Tools:

PACKET CAPTURE
├── tcpdump │ CLI packet capture (Linux)
├── Wireshark │ GUI packet analyzer (cross-platform)
├── tshark │ CLI version of Wireshark
└── windump │ Windows pcap capture

NETWORK MONITORING
├── Zeek (Bro) │ Network security monitor, creates logs
├── Suricata │ IDS/IPS with traffic analysis
├── Snort │ Classic IDS
└── ntopng │ Network traffic monitor

PCAP ANALYSIS
├── NetworkMiner │ Extract files, images from PCAP
├── Brim │ Fast PCAP analysis with Zeek logs
├── CapLoader │ Fast PCAP loading and filtering
└── PcapXray │ Visual network forensics

FILE EXTRACTION
├── foremost │ Carve files from PCAP
├── tcpflow │ Reassemble TCP streams
└── binwalk │ Extract embedded files

tcpdump Basics

bash
# tcpdump - command-line packet capture

# Basic capture (requires root)
sudo tcpdump

# Capture on a specific interface
sudo tcpdump -i eth0

# Capture and save to a file
sudo tcpdump -i eth0 -w capture.pcap

# Read from a saved file
tcpdump -r capture.pcap

# Common filters:
─────────────────────────────────────────────────────────────────
# Filter by host
tcpdump host 192.168.1.100
tcpdump src host 192.168.1.100
tcpdump dst host 192.168.1.100

# Filter by network
tcpdump net 192.168.1.0/24

# Filter by port
tcpdump port 80
tcpdump port 443 or port 80
tcpdump portrange 8000-9000

# Filter by protocol
tcpdump tcp
tcpdump udp
tcpdump icmp

# Combine filters (quote the expression so the shell leaves it alone)
tcpdump 'host 192.168.1.100 and port 443'
tcpdump 'src host 192.168.1.100 and dst port 22'

# Show packet contents in ASCII
tcpdump -A

# Show packet contents in hex and ASCII
tcpdump -X

# Don't resolve hostnames (faster)
tcpdump -n

# Capture DNS traffic
tcpdump -i eth0 'port 53'

# Capture HTTP traffic and pull out request lines and Host headers
# (options such as -A must come before the filter expression; -l line-buffers
# the output so grep sees it immediately)
tcpdump -i eth0 -A -l 'port 80' | grep -E "GET|POST|Host:"

Wireshark Analysis

Wireshark Display Filters (different from capture filters!):

BASIC FILTERS
─────────────────────────────────────────────────────────────────
ip.addr == 192.168.1.100 │ Traffic to/from IP
ip.src == 192.168.1.100 │ Source IP
ip.dst == 192.168.1.100 │ Destination IP

tcp.port == 80 │ TCP port 80
udp.port == 53 │ UDP port 53
tcp.port == 443 || tcp.port == 80 │ Multiple ports

http │ All HTTP traffic
dns │ All DNS traffic
tls │ All TLS/SSL traffic

FINDING MALICIOUS TRAFFIC
─────────────────────────────────────────────────────────────────
# HTTP to non-standard ports (potential C2)
http && !(tcp.port == 80 || tcp.port == 8080)

# DNS requests to unusual domains
dns && dns.qry.name contains "dga"

# Large DNS TXT records (DNS tunneling)
dns && dns.txt

# Beaconing (regular interval connections)
# Sort by Time and look for patterns

# Executable downloads
http contains "MZ" || http.content_type contains "executable"

# Base64 in HTTP
http.request.uri contains "base64"

USEFUL OPERATIONS
─────────────────────────────────────────────────────────────────
Follow TCP Stream │ Right-click → Follow → TCP Stream
Export Objects │ File → Export Objects → HTTP
Protocol Hierarchy │ Statistics → Protocol Hierarchy
Conversations │ Statistics → Conversations
Endpoints │ Statistics → Endpoints
IO Graph │ Statistics → IO Graphs

TShark for Automation

tshark is Wireshark for the command line, which makes it ideal for scripting. For example, to list the host and URI of every HTTP POST request: tshark -r capture.pcap -Y 'http.request.method == POST' -T fields -e http.host -e http.request.uri

Identifying Suspicious Traffic

Suspicious Network Patterns:

C2 (COMMAND & CONTROL) INDICATORS
─────────────────────────────────────────────────────────────────
Beaconing:
├── Regular interval connections (every 30s, 60s, etc.)
├── Small data transfers at consistent times
├── Connections to same IP at regular intervals
└── Detection: Sort by time, look for patterns

DNS Tunneling:
├── Very long DNS queries (TXT records)
├── High volume of DNS requests
├── Unusual DNS query types (TXT, NULL)
└── Detection: dns && (dns.qry.type == 16)

HTTP C2:
├── HTTP to non-standard ports
├── POST requests with encoded data
├── Unusual User-Agents
├── Binary data in HTTP body
└── Detection: Check http.request.method and http.user_agent

DATA EXFILTRATION
─────────────────────────────────────────────────────────────────
Large Outbound Transfers:
├── Unusual amount of data leaving network
├── Transfers to unknown external IPs
├── Off-hours large uploads
└── Detection: Statistics → Endpoints → Sort by bytes

Encrypted Exfil:
├── TLS to non-standard ports
├── Self-signed certificates
├── Certificate issues (expired, wrong domain)
└── Detection: ssl.alert_message or x509 analysis

LATERAL MOVEMENT
─────────────────────────────────────────────────────────────────
SMB Traffic:
├── Workstation to workstation SMB
├── Many SMB connections from single host
├── SMB to admin shares (C$, ADMIN$)
└── Detection: smb2 || smb

RDP:
├── Internal RDP that shouldn't exist
├── RDP to servers from workstations
└── Detection: tcp.port == 3389

WMI/WinRM:
├── TCP 5985/5986 between workstations
├── Unusual remote management traffic
└── Detection: tcp.port == 5985 or tcp.port == 5986

Zeek Network Logs

bash
# Zeek (formerly Bro) - Network Security Monitor
# Creates structured logs from PCAP

# Process a PCAP file
zeek -r capture.pcap

# Produces logs in the current directory:
─────────────────────────────────────────────────────────────────
conn.log │ All connections (source, dest, ports, bytes)
dns.log │ All DNS queries and responses
http.log │ All HTTP requests
ssl.log │ All SSL/TLS connections
files.log │ Files transferred over network
notice.log │ Security notices and alerts

# Reading Zeek logs with zeek-cut
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto

# Find top talkers
cat conn.log | zeek-cut id.orig_h | sort | uniq -c | sort -rn | head

# Find connections to port 443
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p | grep 443

# DNS queries
cat dns.log | zeek-cut query answers | head

# HTTP requests
cat http.log | zeek-cut host uri user_agent

# SSL certificates
cat ssl.log | zeek-cut server_name issuer subject

# Find unusual ports
cat conn.log | zeek-cut id.resp_p | sort | uniq -c | sort -rn | head

# Long connections (potential tunnels)
cat conn.log | zeek-cut duration | sort -rn | head

Brim for Fast Analysis

Brim (now Zui) is a desktop app that combines Zeek logs with Wireshark. Open a PCAP, it processes with Zeek, and you can search logs and drill down to packets. Much faster than Wireshark for large files!

DNS Traffic Analysis

bash
# DNS Traffic Analysis

# Capture DNS traffic
sudo tcpdump -i eth0 port 53 -w dns.pcap

# View DNS queries in Wireshark
dns.flags.response == 0 # Queries only
dns.flags.response == 1 # Responses only

# Extract DNS queries with tshark
tshark -r capture.pcap -Y 'dns.flags.response == 0' \
 -T fields -e dns.qry.name | sort | uniq -c | sort -rn

# Suspicious DNS Patterns:
─────────────────────────────────────────────────────────────────
1. VERY LONG DOMAIN NAMES (DNS tunneling)
 bXkgc2VjcmV0IG1lc3NhZ2U.evil.com
 └── Base64 encoded data in subdomain!

2. HIGH QUERY VOLUME
 Thousands of queries to same domain = tunneling

3. UNUSUAL RECORD TYPES
 TXT, NULL, MX with data in name = tunneling
 Filter: dns.qry.type == 16 (TXT records)

4. DGA DOMAINS
 Random-looking domains: a7f3c2b1d9e4.com
 Filter: dns.qry.name matches "^[a-z0-9]{10,}\."

5. NON-STANDARD DNS PORTS
 DNS over non-53 = suspicious
 Filter: dns && !(udp.port == 53 || tcp.port == 53)

# Find long DNS queries (potential tunneling)
tshark -r capture.pcap -Y 'dns' -T fields -e dns.qry.name | \
 awk 'length > 50 {print length, $0}' | sort -rn | head

# Extract DNS TXT records
tshark -r capture.pcap -Y 'dns.txt' -T fields -e dns.txt

HTTP Traffic Analysis

bash
# HTTP Traffic Analysis

# Wireshark HTTP filters
http.request.method == "POST" # POST requests
http.request.method == "GET" # GET requests
http.response.code == 200 # Successful responses
http.response.code >= 400 # Errors
http.user_agent contains "curl" # Specific User-Agent
http.host contains "evil" # Specific host

# Extract HTTP objects from PCAP
# Wireshark: File → Export Objects → HTTP
# tshark:
tshark -r capture.pcap --export-objects http,./exported_files

# Find all HTTP hosts accessed
tshark -r capture.pcap -Y 'http.request' \
 -T fields -e http.host | sort | uniq -c | sort -rn

# Find POST data
tshark -r capture.pcap -Y 'http.request.method == "POST"' \
 -T fields -e http.host -e http.request.uri -e http.file_data

# Follow HTTP stream in tshark (-q suppresses per-packet output so only the
# reassembled stream is printed)
tshark -r capture.pcap -q -z follow,tcp,ascii,5

# Look for suspicious patterns
─────────────────────────────────────────────────────────────────
# Encoded data in URL
http.request.uri contains "base64"
http.request.uri contains "eval"

# Executable downloads
http.content_type contains "application/x-msdownload"
http.content_type contains "application/x-executable"

# Web shells
http.request.uri contains ".php" && http.request.uri contains "cmd"

# Suspicious User-Agents
http.user_agent == "-"
http.user_agent contains "Python"
http.user_agent contains "curl"
http.user_agent contains "PowerShell"

Investigation Example

bash
# PCAP Investigation Workflow

# Scenario: Possible malware infection, analyze PCAP

# STEP 1: Get overview
capinfos suspicious.pcap
# Packets, time range, file size

# STEP 2: Protocol breakdown
tshark -r suspicious.pcap -qz io,phs
# Shows protocol hierarchy

# STEP 3: Process with Zeek for logs
zeek -r suspicious.pcap
ls *.log

# STEP 4: Find suspicious connections
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | \
 sort -t$'\t' -k4 -rn | head
# Look for long connections (tunnels, C2)

# STEP 5: Check DNS
cat dns.log | zeek-cut query | sort | uniq -c | sort -rn | head
# Look for:
# - DGA domains (random names)
# - High query volume to single domain
# - Suspicious TLDs

# STEP 6: Check HTTP
cat http.log | zeek-cut method host uri user_agent
# Look for:
# - Downloads from suspicious domains
# - Unusual User-Agents
# - POST to unknown hosts

# STEP 7: Extract files
# Zeek only carves files when a file-extraction policy is loaded; this bundled
# policy script writes every transferred file to ./extract_files/
zeek -r suspicious.pcap frameworks/files/extract-all-files
cat files.log | zeek-cut extracted | head
# Check ./extract_files/ for carved files

# STEP 8: Analyze in Wireshark
# Open PCAP
# Filter: ip.addr == <suspicious_ip>
# Follow TCP Stream for interesting conversations
# Export suspicious files

# STEP 9: Check for beaconing
# In Wireshark: Statistics → Flow Graph
# Look for regular interval patterns

# STEP 10: Document findings
# - Timeline of events
# - Malicious IPs/domains
# - Downloaded files (with hashes)
# - C2 communication patterns

Network Analysis Methodology

PCAP Analysis Workflow

1. Overview: get file info, packet count, time range
2. Statistics: protocol hierarchy, conversations, endpoints
3. DNS Analysis: check for tunneling, DGA, suspicious queries
4. HTTP Analysis: look for downloads, C2, web shells
5. File Extraction: export and hash transferred files
6. Pattern Analysis: look for beaconing, lateral movement
7. Document: record IOCs, timeline, findings

Knowledge Check

Quick Quiz

What network pattern typically indicates C2 beaconing?

Challenges

Find the C2 Traffic

Challenge (intermediate)

You have a PCAP file. Write a tshark command to find all HTTP POST requests, showing the destination host and URI. This could reveal C2 communication.


Key Takeaways

  • tcpdump captures packets; Wireshark analyzes them visually
  • Zeek creates structured logs from PCAP - easier to search than packets
  • C2 beaconing shows regular interval connections to same host
  • DNS tunneling uses long subdomains and TXT records
  • Even encrypted traffic reveals metadata: who, when, how much
  • "Follow TCP Stream" reassembles conversations in Wireshark