Network Forensics

Analyzing Network Traffic & Protocol Investigation

Section 7 of 12

Network Forensics Overview

Definition: Monitoring and analyzing network traffic to detect intrusions, investigate incidents, and gather evidence.

Key Objectives

  • Detect unauthorized access
  • Identify data exfiltration
  • Trace attack origins
  • Reconstruct network events
  • Document evidence for legal proceedings

Evidence Sources

  • Packet Captures (PCAP) - Raw network data
  • Firewall Logs - Connection records
  • IDS/IPS Alerts - Security events
  • DNS Logs - Domain queries
  • Proxy Logs - Web traffic records

Packet Capture Fundamentals

Capture Methods

tcpdump (Linux/Unix)

# Capture all traffic on eth0
tcpdump -i eth0 -w capture.pcap

# Capture with filters
tcpdump -i eth0 'tcp port 80' -w web.pcap

# Read from file
tcpdump -r capture.pcap 'host 192.168.1.100'

Wireshark

  • GUI-based packet analyzer
  • Deep packet inspection
  • Protocol dissection (1000+ protocols)
  • Display filters for analysis
  • Statistics & visualizations
  • Export to multiple formats

Legal Warning

Only capture traffic on networks you own or have explicit authorization to monitor. Unauthorized packet capture may violate privacy laws.

Wireshark Display Filters

Display filters help isolate specific traffic patterns in large captures.

Essential Display Filters

# IP Address Filters
ip.addr == 192.168.1.100      # Any traffic to/from this IP
ip.src == 10.0.0.5            # Source IP only
ip.dst == 172.16.0.1          # Destination IP only

# Protocol Filters
http                          # All HTTP traffic
dns                           # All DNS queries/responses
tcp.port == 443               # HTTPS traffic
udp.port == 53                # DNS over UDP

# TCP Flags
tcp.flags.syn == 1            # SYN packets (connection attempts)
tcp.flags.reset == 1          # RST packets (connection resets)
tcp.analysis.retransmission   # Retransmitted packets

# Combining Filters (AND, OR, NOT)
ip.src == 10.0.0.5 && tcp.port == 80
http || dns
!(arp || icmp)                # Exclude ARP and ICMP

Protocol Analysis Techniques

HTTP/HTTPS Analysis

  • HTTP Methods: GET, POST, PUT, DELETE
  • User-Agent: Identifies client software
  • Referer (the header name is misspelled in the HTTP spec): Previous page URL
  • Cookies: Session tracking
  • Response Codes: 200, 404, 500, etc.

Wireshark: File → Export Objects → HTTP

TLS/SSL Inspection

  • Handshake Analysis: ClientHello, ServerHello
  • Certificate Inspection: Validate legitimacy
  • Cipher Suites: Encryption methods
  • SNI: Plaintext hostname

Note: Decrypting TLS payloads requires the session keys (e.g. a key log file) or, for RSA key exchange only, the server's private key; handshake metadata such as SNI and certificates stays visible without them.

SMTP/Email Analysis

  • Commands: MAIL FROM, RCPT TO, DATA
  • Headers: From, To, Subject, Message-ID
  • Attachments: MIME parts, usually Base64 encoded

DNS Analysis

  • Query Types: A, AAAA, MX, TXT, PTR
  • DNS Tunneling: Long, high-entropy labels and heavy TXT query volume
  • DGA Detection: Algorithmically generated domains
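As an added example (not part of the original material), a Python triage script that applies the DNS heuristics above (long high-entropy labels for tunneling, unpronounceable high-entropy registrable labels for DGAs) to constructed tshark output; the thresholds and the sample query names are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed (made-up) query names, as printed by:
#   tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name
SAMPLE_QUERIES = """\
www.example.com
mail.example.com
a9f3b2c7e1d4f6a8b0c2d4e6f8a1b3c5d7e9f0a2b4c6d8e0f2a4.tunnel.example.net
b1c3d5e7f9a2b4c6d8e0f1a3b5c7d9e2f4a6b8c0d2e4f6a8b1c3.tunnel.example.net
kxqzjvbwtpldmr.com
www.example.com
"""

def shannon_entropy(s):
    """Bits per character of the string's own character distribution (0 for empty)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def score_query(name):
    """Heuristic tunneling/DGA verdicts for one query name (thresholds are assumptions)."""
    labels = name.rstrip(".").lower().split(".")
    left = labels[0]
    # Registrable label is taken as the second-to-last; multi-part suffixes
    # such as co.uk would need a public-suffix list.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    verdicts = []
    # Tunneling: the leftmost label carries encoded data, so it is long and high-entropy.
    if len(left) >= 40 and shannon_entropy(left) >= 3.5:
        verdicts.append("possible-tunneling")
    # DGA: long, high-entropy, unpronounceable registrable label (few vowels).
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / max(len(sld), 1)
    if len(sld) >= 12 and shannon_entropy(sld) >= 3.2 and vowel_ratio < 0.2:
        verdicts.append("possible-dga")
    return {"name": name, "sld": sld, "verdicts": verdicts}

def triage(text):
    """Unique flagged names -> {count, verdicts}, so an analyst reviews each name once."""
    counts = Counter(line.strip() for line in text.splitlines() if line.strip())
    flagged = {}
    for name, n in counts.items():
        verdicts = score_query(name)["verdicts"]
        if verdicts:
            flagged[name] = {"count": n, "verdicts": verdicts}
    return flagged

if __name__ == "__main__":
    for name, info in triage(SAMPLE_QUERIES).items():
        print(f"{info['count']:>3}x  {','.join(info['verdicts']):<20} {name}")
```

Pipe real tshark output into triage() via sys.stdin.read() to run it over a capture; tune the thresholds against your own baseline traffic first.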

Detecting Malicious Activity

Red Flags in Network Traffic

Attack Indicators

  • Port Scanning: Sequential SYN packets to multiple ports
  • ARP Spoofing: Duplicate IP with different MAC
  • DNS Exfiltration: Large TXT queries
  • Beaconing: Regular connections to external IPs
  • Data Exfiltration: Unusually large uploads
  • Unusual Protocols: IRC or Tor on a corporate network

Detection Techniques

  • Baseline Analysis: Compare to normal traffic
  • Geo-IP Checking: Connections to unexpected or high-risk countries
  • Protocol Anomalies: Non-standard port usage
  • Frequency Analysis: Suspicious traffic patterns
  • Payload Inspection: Malicious signatures

Wireshark: Find Port Scan

# Display only SYN packets (no ACK) from a single source
tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == 192.168.1.100

# Statistics → Conversations → TCP (sort by packets)
# Statistics → Endpoints → IPv4 (sort by packets)
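Added example, not code from the original material: Python that takes the SYN-only packets described above, exported by tshark as tab-separated fields, and applies two of the detection techniques listed (port scanning and beaconing by frequency analysis). The sample lines, the thresholds and the window sizes are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed (made-up) output, one SYN-without-ACK per line, tab separated, from:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
SAMPLE_SYNS = """\
1700000000.000\t192.168.1.100\t10.0.0.5\t21
1700000000.010\t192.168.1.100\t10.0.0.5\t22
1700000000.020\t192.168.1.100\t10.0.0.5\t80
1700000000.030\t192.168.1.100\t10.0.0.5\t443
1700000005.000\t10.0.0.8\t10.0.0.5\t80
1700000010.000\t10.0.0.7\t203.0.113.50\t443
1700000070.300\t10.0.0.7\t203.0.113.50\t443
1700000129.800\t10.0.0.7\t203.0.113.50\t443
1700000190.100\t10.0.0.7\t203.0.113.50\t443
"""

def parse(text):
    rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    return sorted((float(t), s, d, int(p)) for t, s, d, p in rows)  # time-ordered tuples

def find_port_scans(rows, min_ports=4, window=1.0):
    """(src, dst) pairs that received SYNs on >= min_ports distinct ports within `window` seconds."""
    events = defaultdict(list)
    for ts, src, dst, port in rows:
        events[(src, dst)].append((ts, port))
    scans = {}
    for pair, evs in events.items():
        for i, (t0, _) in enumerate(evs):  # slide a window over the time-ordered SYNs
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scans[pair] = sorted(ports)
                break
    return scans

def find_beacons(rows, min_conns=4, max_jitter=0.05):
    """(src, dst, port) whose SYN intervals are nearly constant: stdev/mean <= max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, port in rows:
        times[(src, dst, port)].append(ts)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            beacons[key] = {"interval_s": round(mean, 1), "jitter": round(jitter, 3)}
    return beacons
```

Real beacons add random sleep jitter, so raise max_jitter and min_conns against your own baseline rather than using these toy values.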

Network Forensics Tools

Wireshark

Leading GUI packet analyzer

  • Deep protocol inspection
  • Export objects & files
  • Follow TCP streams

tcpdump / windump

Command-line packet capture

  • Lightweight & fast
  • Scriptable captures
  • BPF filter syntax

NetworkMiner

Passive network analyzer

  • Extracts files from PCAP
  • OS fingerprinting
  • Credential extraction

Zeek (formerly Bro)

Network security monitor

  • High-performance analysis
  • Log generation
  • Scripting framework

Snort

Intrusion Detection System

  • Real-time traffic analysis
  • Rule-based detection
  • Packet logging

Arkime (formerly Moloch)

Full packet capture & search

  • Web-based interface
  • Large-scale PCAP indexing
  • Fast searching

Session Reconstruction

Reassemble network sessions to understand complete communications.

Wireshark: Follow Stream

Right-click packet → Follow → TCP/UDP/HTTP/TLS Stream

Benefits

  • View entire conversation
  • Extract transmitted data
  • Identify cleartext credentials
  • Reconstruct file transfers
  • Analyze malware C2 communications

Export Options

  • ASCII: Text-based data
  • Hex Dump: Binary data
  • Raw: Save to file
  • C Arrays: For embedding in analysis code

tshark: Command-line Stream Extraction

# Extract all HTTP objects into a directory
tshark -r capture.pcap --export-objects http,./extracted_files/

# Follow TCP stream #5 (-q suppresses the per-packet output, leaving only the stream)
tshark -r capture.pcap -qz follow,tcp,ascii,5

# Save a specific stream to a file
tshark -r capture.pcap -qz follow,tcp,ascii,0 > stream0.txt

Network IOCs & Threat Hunting

Indicators of Compromise (IOCs)

Network-Based IOCs

  • IP Addresses: Known C2 servers
  • Domain Names: Malicious hosts
  • URLs: Phishing/exploit sites
  • User-Agents: Malware signatures
  • TLS Certificates: Self-signed or suspicious CAs
  • JA3 Hashes: TLS fingerprints

Hunting Techniques

  • Threat Intelligence Feeds: MISP, OpenCTI, AlienVault
  • Reputation Services: VirusTotal, AbuseIPDB
  • Anomaly Detection: ML-based baselines
  • YARA Rules: Pattern matching in traffic
  • Graph Analysis: Visualize connections

Extract Unique IPs from PCAP

# Using tshark: unique destination IPs
tshark -r capture.pcap -T fields -e ip.dst | sort -u > unique_ips.txt

# Extract DNS queries (requests only, not responses)
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort -u

# Find connections to a specific IP
tshark -r capture.pcap -Y "ip.addr == 203.0.113.50"