
Introduction:
Network forensics is a critical discipline in cybersecurity, focused on investigating malicious activity by analyzing network traffic. This article provides a hands-on guide to dissecting Packet Capture (PCAP) files, equipping you with the skills to identify attacker techniques and strengthen your incident response capabilities.
Learning Objectives:
- Master fundamental and advanced Wireshark display and capture filters.
- Utilize command-line tools for efficient bulk analysis and extraction of Indicators of Compromise (IOCs).
- Reconstruct network sessions to understand the full scope of an attack.
You Should Know:
1. Mastering Wireshark Display Filters
Wireshark is the premier GUI tool for PCAP analysis. Display filters allow you to sift through massive amounts of traffic to find the proverbial needle in a haystack.
Common display filters:
- Filter HTTP requests to a specific suspicious domain: `http.host contains "malicious-domain.com"`
- Filter traffic by a specific source IP: `ip.src == 192.168.1.100`
- Filter for TCP traffic on port 443 (HTTPS): `tcp.port == 443`
- Show all DNS traffic (queries and responses): `dns`
- Filter packets by a specific TCP flag (e.g., SYN): `tcp.flags.syn == 1`
Step-by-step guide: After loading your PCAP into Wireshark, apply these filters in the display filter bar. For instance, if you have a suspect IP, use `ip.addr == x.x.x.x` to see traffic in either direction. Combining filters with `and`/`or` (e.g., `ip.src == x.x.x.x and http`) is powerful for narrowing down specific events.
2. Command-Line Power with Tshark
Tshark is the command-line counterpart to Wireshark. It is indispensable for automating analysis, parsing large volumes of PCAPs, and extracting data for further processing.
```bash
# List all unique source IP addresses in the capture
tshark -r capture.pcap -T fields -e ip.src | sort | uniq
# Extract all HTTP requests with their host and URI
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
# Extract all DNS query names
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name
# Count packets by protocol (one summary interval covering the whole capture)
tshark -r capture.pcap -q -z io,stat,0,"ip","tcp","udp","icmp"
# Export all objects (files) transferred via HTTP into a directory
tshark -r capture.pcap --export-objects http,./exported_files/
```
Step-by-step guide: Run these commands in your terminal. The `-r` flag specifies the input file. The `-Y` flag is your display filter (equivalent to Wireshark's). The `-T fields -e`
3. Following the Stream with NetworkMiner
NetworkMiner is a network forensic analysis tool (NFAT) that passively parses a PCAP file to extract artifacts like files, certificates, and sessions without manually filtering.
Action: Load the PCAP file. Navigate to the “Files” tab to see all extracted content. Check the “Credentials” tab for any cleartext usernames/passwords. Review the “Sessions” tab to quickly see all conversations between hosts.
Step-by-step guide: Open NetworkMiner, go to `File > Open` and select your PCAP. The tool will automatically parse it. Focus on the “Hosts” tab to identify external IPs communicating with internal hosts. The “Files” tab is critical for extracting malware payloads.
4. Deep Dive with Zeek (formerly Bro)
Zeek is not a packet sniffer but a powerful network analysis framework. It translates raw traffic into high-level, structured logs that describe what is happening on the network.
```bash
# Basic command to run Zeek on a PCAP file
zeek -r capture.pcap
```
This generates several log files in the current directory, including:
- `conn.log` (all connections)
- `http.log` (all HTTP activity)
- `dns.log` (all DNS activity)
- `files.log` (extracted files)
```bash
# To use a specific script to detect suspicious activity
zeek -r capture.pcap /opt/zeek/share/zeek/policy/frameworks/notice/extend-format/host-weird.zeek
```
Step-by-step guide: Run Zeek against your PCAP from the command line. It will output log files in the current directory. Analyze `conn.log` to see all network connections with timestamps, duration, and bytes transferred. Use `cat http.log | zeek-cut uri host` to quickly see all visited URLs.
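Zeek's ASCII logs are tab-separated with `#`-prefixed header lines, and the `#fields` header is what `zeek-cut` uses to select columns by name. The reader below is an added example, not code from the article or from the Zeek project: it parses that header, honours the declared separator and unset marker, and reproduces `zeek-cut uri host` on a constructed `http.log` whose rows and addresses are invented for illustration.

```python
"""Minimal reader for Zeek's ASCII log format, selecting columns like zeek-cut.

Added example (not from the article or Zeek). SAMPLE_HTTP_LOG is constructed.
"""

# Constructed http.log excerpt in Zeek's ASCII format. Header lines start with
# '#'; the first one declares the separator as an escape sequence.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\n"
    "1700000000.123\tCabc1\t192.168.1.100\t51000\t203.0.113.7\t80\tGET\texample.test\t/index.html\n"
    "1700000005.456\tCabc2\t192.168.1.100\t51001\t203.0.113.7\t80\tGET\texample.test\t/update.bin\n"
    "1700000009.789\tCabc3\t192.168.1.101\t51002\t198.51.100.9\t80\tPOST\tcdn.example.test\t-\n"
    "#close\t2023-11-14-22-13-30\n"
)


def parse_zeek_log(text):
    """Return (field_names, rows) where each row is a dict keyed by field name.

    Values equal to the declared #unset_field marker are returned as None.
    """
    sep = "\t"          # default until a #separator line says otherwise
    unset = "-"         # default until a #unset_field line says otherwise
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # e.g. '\x09' written literally in the file -> an actual tab
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "fields":
                    fields = value.split(sep)
                elif key == "unset_field":
                    unset = value
            continue
        if fields is None:
            raise ValueError("data row encountered before the #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return fields, rows


def zeek_cut(text, *columns):
    """Equivalent of `zeek-cut col1 col2 ...`: a list of tuples in column order."""
    fields, rows = parse_zeek_log(text)
    missing = [c for c in columns if c not in fields]
    if missing:
        raise KeyError(f"unknown field(s): {missing}")
    return [tuple(row[c] for c in columns) for row in rows]


if __name__ == "__main__":
    for uri, host in zeek_cut(SAMPLE_HTTP_LOG, "uri", "host"):
        print(f"{host}\t{uri}")
```

Because the selection is by field name rather than by position, the same function keeps working when a Zeek deployment adds or reorders columns, which is also why `zeek-cut` is preferred over `cut -f` on these logs.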
5. Traffic Flow Analysis with Capinfos and Editcap
Sometimes you need to understand the capture itself or manipulate it before analysis.
```bash
# Get basic statistics about the PCAP file (duration, packet count, etc.)
capinfos capture.pcap
# Split a large PCAP into smaller files of 10000 packets each
editcap -c 10000 large_capture.pcap split_output.pcap
# Filter a PCAP to only include traffic to/from a specific IP.
# editcap cannot filter on addresses (its -A option takes a start time), so use
# tshark with a display filter and -w to write the matching packets to a new file.
tshark -r input.pcap -Y "ip.addr == 192.168.1.50" -F pcap -w filtered_output.pcap
```
Step-by-step guide: Use `capinfos` to get a high-level overview of the capture. If the file is too large for Wireshark to handle comfortably, use `editcap` to split it into manageable chunks, or use `tshark -w` with a display filter to reduce it to only the traffic involving a known bad IP.
6. Advanced Hunting with Scapy
Scapy is a Python-based interactive packet manipulation program. It allows for deep, custom analysis and packet crafting.
```python
from scapy.all import rdpcap, IP, TCP, DNS

# Read the PCAP file
packets = rdpcap('capture.pcap')

# Iterate through packets and print source/destination IP for TCP packets
for pkt in packets:
    if pkt.haslayer(IP) and pkt.haslayer(TCP):
        print(f"Source: {pkt[IP].src} -> Destination: {pkt[IP].dst}")

# Extract a specific layer (e.g., DNS) and print the queried names
dns_packets = packets.filter(lambda p: p.haslayer(DNS))
for p in dns_packets:
    if p[DNS].qd is not None:  # some DNS packets carry no question section
        print(p[DNS].qd.qname)
```
Step-by-step guide: Write a Python script using Scapy. The example above loads a PCAP and allows you to programmatically iterate through packets. You can build custom logic to detect beaconing (consistent, timed packets) or extract specific payloads that other tools might miss.
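The beaconing check mentioned above, worked through end to end as an added example (not the article's code). To stay runnable without Scapy installed it reads the pcap format with the standard library only: a constructed capture is built in memory from Ethernet/IPv4/TCP SYN records, parsed back, and every (source, destination, port) flow whose inter-arrival times are nearly constant is reported. The addresses are documentation ranges, the 60-second period and the coefficient-of-variation threshold are assumptions for the sample, and checksums are left at zero because nothing here validates them.

```python
"""Parse a pcap with the standard library and flag periodic (beaconing) flows.

Added example, not from the article; it avoids Scapy so it runs with no extra
packages. The capture, timings and addresses below are constructed.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from statistics import mean, pstdev

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_tcp_syn(ts, src, dst, sport, dport):
    """Construct one pcap record: Ethernet/IPv4/TCP SYN (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"  # dummy MACs, EtherType IPv4
    frame = eth + ip + tcp
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_pcap(records):
    """Prepend the 24-byte pcap global header (little-endian, LINKTYPE_ETHERNET)."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1) + records


def iter_tcp_packets(pcap):
    """Yield (timestamp, src, dst, dport) for every IPv4/TCP packet in the file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic seen byte-swapped: big-endian file
        endian = ">"
    else:
        raise ValueError("not a microsecond pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                       # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4           # header length incl. options
        if ip[9] != 6 or len(ip) < ihl + 4:
            continue                       # not TCP, or truncated
        src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
        dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        yield sec + usec / 1_000_000, src, dst, dport


def find_beacons(pcap, min_connections=5, max_cv=0.1):
    """Report flows whose gaps between packets are nearly constant.

    cv = stdev(gaps) / mean(gaps); human browsing is bursty (cv >> 1), a timer-
    driven implant with little jitter sits near 0. Thresholds are assumptions.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in iter_tcp_packets(pcap):
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"count": len(ts_list), "period_s": round(avg, 1), "cv": round(cv, 3)}
    return beacons


def sample_capture():
    """Constructed capture: one ~60 s beacon plus irregular, browsing-like traffic."""
    base = 1_700_000_000
    records = b""
    for i, t in enumerate([0, 60, 121, 180, 239, 300, 360]):
        records += build_tcp_syn(base + t, "192.168.1.100", "203.0.113.7", 50000 + i, 443)
    for i, t in enumerate([0, 3, 40, 41, 130, 500]):
        records += build_tcp_syn(base + t, "192.168.1.101", "198.51.100.9", 51000 + i, 80)
    return build_pcap(records)


if __name__ == "__main__":
    for flow, info in find_beacons(sample_capture()).items():
        print(flow, info)
```

The same `find_beacons` works on a real capture by replacing `sample_capture()` with `open("capture.pcap", "rb").read()`; in Scapy the equivalent grouping would iterate `rdpcap(...)` and read `pkt.time`, `pkt[IP].src`, `pkt[IP].dst` and `pkt[TCP].dport`. A production check would add the byte-size regularity and the long-tail analysis this minimal version omits.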
7. Extracting IOCs and Building a Timeline
The final step is synthesizing findings into actionable intelligence—Indicators of Compromise (IOCs) and a timeline of the attack.
```bash
# Use tshark to get a timeline of HTTP requests
tshark -r capture.pcap -Y http.request -T fields -e frame.time -e ip.src -e http.host -e http.request.uri > http_timeline.txt
# Extract all unique user agents, most frequent first
tshark -r capture.pcap -Y http.request -T fields -e http.user_agent | sort | uniq -c | sort -nr
# Combine tools: extract external destination IPs to check against threat intel.
# Patterns are anchored so that "10." does not also drop addresses such as 110.x.x.x,
# and the third RFC 1918 range (172.16.0.0/12) is excluded as well.
tshark -r attack.pcap -T fields -e ip.dst | sort | uniq | grep -Ev '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' > external_ips.txt
```
Step-by-step guide: Create a timeline of key events (e.g., first contact, malware download, data exfiltration). Compile a list of IOCs: malicious IPs, domains, URLs, file hashes, and suspicious user agents. This list is crucial for threat hunting and updating security controls to block future attacks.
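The timeline and IOC compilation described in this step, as an added example that is not the article's code: it takes the tab-separated lines that `tshark -T fields` emits, sorts them into a timeline, and separates external from internal addresses with the `ipaddress` module instead of the `grep -v` patterns, so all three RFC 1918 ranges plus loopback and link-local are covered. The input is constructed to resemble output of `tshark -r capture.pcap -Y http.request -T fields -e frame.time_epoch -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.user_agent`; the hostnames, user agents and addresses are invented, with documentation ranges standing in for external IPs.

```python
"""Build a timeline and an IOC list from tshark '-T fields' output.

Added example (not from the article). SAMPLE_TSHARK_OUTPUT is constructed;
documentation-range addresses stand in for external hosts.
"""
import ipaddress
from collections import Counter

# Column order must match the -e options given to tshark.
FIELDS = ("ts", "src", "dst", "host", "uri", "user_agent")

SAMPLE_TSHARK_OUTPUT = (
    "1700000012.500000\t192.168.1.100\t203.0.113.7\texample.test\t/index.html\tMozilla/5.0\n"
    "1700000003.250000\t192.168.1.100\t203.0.113.7\texample.test\t/update.bin\tMozilla/5.0\n"
    "1700000040.000000\t10.0.0.5\t198.51.100.9\tcdn.example.test\t/beacon?id=1\tcurl/7.0\n"
    "1700000041.000000\t172.20.4.8\t192.168.1.100\tintranet.local\t/\tMozilla/5.0\n"
)

# Address space treated as "internal" for IOC purposes (assumption: adjust to
# the environment; e.g. add the organisation's public ranges if it owns any).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_internal(ip):
    """True for addresses inside INTERNAL_NETS; raises on malformed input."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_tshark_fields(text):
    """Parse tab-separated tshark field output into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
        row = dict(zip(FIELDS, parts))
        row["ts"] = float(row["ts"])
        rows.append(row)
    return rows


def build_timeline(rows):
    """Events in chronological order (tshark emits them in capture order, which
    can differ when several interfaces or merged files are involved)."""
    return sorted(rows, key=lambda r: r["ts"])


def extract_iocs(rows):
    """Deduplicated external IPs, contacted hosts, URLs and user-agent counts."""
    ips = {r[k] for r in rows for k in ("src", "dst") if not is_internal(r[k])}
    external_rows = [r for r in rows if not is_internal(r["dst"])]
    return {
        "ips": sorted(ips, key=ipaddress.ip_address),
        "hosts": sorted({r["host"] for r in external_rows}),
        "urls": sorted({f"http://{r['host']}{r['uri']}" for r in external_rows}),
        "user_agents": Counter(r["user_agent"] for r in rows),
    }


if __name__ == "__main__":
    events = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for e in build_timeline(events):
        print(f"{e['ts']:.3f}\t{e['src']} -> {e['dst']}\t{e['host']}{e['uri']}")
    print(extract_iocs(events))
```

Requests to internal hosts are deliberately excluded from the host and URL lists so that an intranet server does not end up on a blocklist; user agents are counted across all traffic, since a rare agent on internal requests is still worth a look.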
What Undercode Say:
- The Devil is in the Details: A single packet can reveal the entire attack chain. Focus on outlier behavior—odd ports, unusual protocols, or DNS queries for non-existent domains (DGA traffic).
- Automate or Perish: Manual analysis is necessary for deep discovery, but initial triage and IOC extraction must be automated with scripts and tools like Tshark and Zeek to handle modern network volumes.
The shift towards encrypted traffic (TLS 1.3) is making traditional packet analysis more challenging. The future of network forensics lies in combining encrypted traffic analysis (JA3 fingerprints, certificate inspection), flow data (NetFlow), and endpoint logs to build a composite picture of an attack, moving beyond reliance on deep packet inspection alone.
Prediction:
The increasing default use of encryption will continue to obfuscate malicious network traffic, pushing forensic investigators towards metadata analysis and machine learning. Tools that can analyze behavioral patterns (e.g., beaconing periods, packet sizes, JA3/JA3S fingerprints) without decrypting content will become standard in the forensic toolkit. Furthermore, the integration of AI to automatically correlate events across massive PCAPs and other data sources will drastically reduce time-to-detection for complex threats.
Reported By: https://lnkd.in/p/dW44GkRB – Hackers Feeds


