Network Traffic Analysis - Eye House

Why Network Traffic Analysis Matters

Network traffic analysis is the foundation of security monitoring, providing visibility into what's happening on your network at the packet level. It's essential for detecting threats that bypass other security controls.

Threat Detection

Identify malicious activity such as command and control (C2) communications, data exfiltration, lateral movement, and reconnaissance activities.

Incident Response

Reconstruct attack timelines, identify compromised systems, and understand attacker tactics, techniques, and procedures (TTPs).

Forensic Evidence

Packet captures provide irrefutable evidence of network activity, essential for legal proceedings and post-incident analysis.

Compliance & Monitoring

Meet regulatory requirements for network monitoring, detect policy violations, and ensure secure configurations.

Core Principle: Defense in Depth

Network traffic analysis complements other security layers (endpoint, application, perimeter). Attackers often evade one control but leave network traces. By analyzing packets, you see the ground truth of what actually happened on the wire.

Real-World Impact

According to the SANS Institute, organizations with strong network traffic analysis capabilities detect breaches 3-5 times faster than those without, reducing average dwell time from months to days.

Packet Capture Fundamentals

What is a Packet Capture (PCAP)?

A PCAP is a complete copy of network packets as they traverse the network. It includes all headers, payloads, and metadata - everything transmitted on the wire.

Network Interface

→

Capture Engine

→

PCAP File

→

Analysis Tools

Key Capture Tools

tcpdump (Linux/Unix)

Command-line packet analyzer. Lightweight and powerful for quick captures.

tcpdump -i eth0 -w capture.pcap
tcpdump -r capture.pcap 'tcp port 80'
          

Wireshark

GUI-based protocol analyzer. Industry standard for deep packet inspection and analysis.

Features: Protocol dissection, flow reconstruction, expert analysis, statistics

tshark (Wireshark CLI)

Command-line version of Wireshark for automated analysis and scripting.

tshark -r capture.pcap -Y "http.request"

Enterprise Solutions

Network taps, SPAN ports, full packet capture appliances (e.g., Gigamon, NetScout, SecurityOnion)

Legal and Ethical Considerations

Always obtain proper authorization before capturing network traffic. PCAPs may contain sensitive data (passwords, personal information, proprietary data). Follow your organization's data handling policies and legal requirements.

Capture Best Practices

Strategic placement: Capture at choke points (firewall, gateway, DMZ)
Filter intelligently: Use BPF filters to reduce capture size
Storage planning: 1Gbps link can generate 450GB/hour of full capture
Time synchronization: Ensure NTP is configured for accurate timestamps

Protocol Analysis: Understanding the Stack

OSI Model & Packet Structure

Layer 7 - Application: HTTP, DNS, SMB, FTP, SMTP

Layer 4 - Transport: TCP, UDP (Ports, Flags, Sequencing)

Layer 3 - Network: IP (Source/Dest IP, TTL, Protocol)

Layer 2 - Data Link: Ethernet (MAC addresses, VLAN tags)

Critical Protocols for Security Analysis

Protocol	Port(s)	Security Relevance	Key Indicators
HTTP/HTTPS	80, 443	Web traffic, C2 channels, exfiltration	User-agents, POST data, TLS certificates
DNS	53	Domain lookups, tunneling, DGA detection	Query volume, subdomain length, entropy
SMB	445, 139	Lateral movement, file sharing, ransomware	Authentication attempts, file access patterns
RDP	3389	Remote access, credential attacks	Connection frequency, source IPs
SSH	22	Remote shell, tunneling, brute force	Failed auth attempts, unusual sources
FTP	21, 20	Data transfer, credential exposure	Cleartext passwords, large transfers

TCP Three-Way Handshake

Client
[SYN]

→

Server

Client

←

Server
[SYN-ACK]

Client
[ACK]

→

Server

TCP Flags - The Security Lens

SYN - Connection initiation (watch for SYN floods)
ACK - Acknowledgment (normal in established connections)
FIN - Graceful connection close
RST - Abrupt connection reset (may indicate blocks, errors, scans)
PSH - Push data immediately (interactive traffic)
URG - Urgent data (rarely used, may indicate anomaly)

NetFlow/IPFIX vs Full Packet Capture

Understanding the Tradeoffs

NetFlow/IPFIX (Metadata)

What it captures: Flow records with 5-tuple (src IP, dst IP, src port, dst port, protocol) + byte counts, packet counts, timestamps

Pros:

Scalable (1% of full capture size)
Long-term retention feasible
Fast querying and analysis
Lower privacy concerns

Cons:

No payload data (can't extract files/credentials)
Limited protocol visibility
Can't reconstruct sessions

Full Packet Capture (PCAP)

What it captures: Complete packets including all headers and payloads

Pros:

Complete forensic detail
Deep protocol analysis
Session reconstruction
Extract files, credentials, IOCs

Cons:

Massive storage requirements
Retention limited (days/weeks)
Performance overhead
Privacy and compliance challenges

Hybrid Approach: Best of Both Worlds

Modern SOCs use a tiered strategy:

NetFlow for everything: Long-term metadata retention (30-90 days)
PCAP for critical segments: Full capture at DMZ, critical servers (7-14 days)
On-demand PCAP: Trigger full capture when alerts fire
Indexed PCAP: Extract and index key metadata for fast retrieval

Use Cases by Method

Scenario	NetFlow	PCAP
Identify top talkers and bandwidth hogs	✓ Ideal	~ Overkill
Detect port scanning activity	✓ Ideal	✓ More detail
Extract malware from HTTP session	✗ Impossible	✓ Required
Follow TCP stream to read commands	✗ Impossible	✓ Required
Identify beaconing intervals	✓ Ideal	✓ Works
Track lateral movement over 30 days	✓ Ideal	✗ Storage limits

Traffic Patterns: Normal vs Malicious Baselines

Why Baselines Matter

You cannot detect abnormal traffic without understanding what's normal for your environment. Baselines establish expected behavior patterns.

Normal Business Traffic Patterns

Peak hours: 9 AM - 5 PM weekdays
DNS queries: consistent volume, known domains
Web traffic: standard user-agents, HTTPS to known sites
Internal SMB: predictable file server access
Email: regular SMTP/IMAP patterns

Baseline Metrics to Track

Bytes in/out per protocol
Connections per hour
Top talkers (source/destination IPs)
Port distribution
Geographic connections
Protocol ratios (HTTP vs HTTPS)

Anomaly Detection Indicators

Volume Anomalies

Indicator: Sudden spikes or drops in traffic volume

Possible Threats: Data exfiltration, DDoS, service outage, crypto mining

Temporal Anomalies

Indicator: Traffic during off-hours (2 AM on Sunday)

Possible Threats: Insider threat, compromised credentials, automated malware

Behavioral Anomalies

Indicator: Workstation initiating SMB to 50 hosts in 5 minutes

Possible Threats: Lateral movement, ransomware propagation, credential harvesting

Geographic Anomalies

Indicator: Connections to countries where you have no business presence

Possible Threats: C2 servers, compromised accounts, data exfiltration

Building Your Baseline

Collection period: Capture 2-4 weeks of normal traffic
Segment by context: Separate baselines for servers, workstations, DMZ
Statistical analysis: Calculate mean, median, standard deviation for key metrics
Time-based patterns: Account for hourly, daily, weekly cycles
Continuous refinement: Update baselines as business needs change

Detecting Command and Control (C2) Traffic

What is C2 Traffic?

After initial compromise, malware establishes communication with attacker-controlled infrastructure to receive commands and exfiltrate data. Detecting C2 is critical for early threat containment.

C2 Detection Techniques

1. Beaconing Detection

Regular, periodic communication intervals indicating automated check-ins.

Indicators:

Connections at fixed intervals (every 60 seconds, every 5 minutes)
Consistent payload sizes
Same destination IP/domain repeatedly
Low data volume per connection

# Wireshark filter for potential beacons
tcp.flags.syn == 1 && tcp.flags.ack == 0
Statistics → Conversations → Sort by packets
          

2. DNS Tunneling

Encoding data in DNS queries/responses to bypass firewall restrictions.

Indicators:

Unusually long subdomain names (>40 chars)
High entropy in domain strings
Excessive DNS query volume from single host
TXT or NULL record queries (uncommon)

# Wireshark filter for suspicious DNS
dns.qry.name.len > 50
dns.qry.type == 16  # TXT records
          

3. Domain Generation Algorithms (DGA)

Malware generates random-looking domains to evade blocklists.

Indicators:

Queries to non-existent domains (NXDOMAIN)
Random character strings in domain names
Low character diversity (aaaaabbbbcccc)
Multiple failed lookups in sequence

4. TLS/SSL Anomalies

C2 traffic often uses HTTPS to hide in encrypted traffic.

Indicators:

Self-signed or invalid certificates
Unusual certificate subjects/issuers
JA3/JA3S fingerprint mismatches
HTTPS to non-standard ports

Advanced C2 Evasion Techniques

Domain fronting: Using legitimate CDN domains to hide C2 traffic
Fast flux: Rapidly changing DNS resolution for C2 domains
Protocol mimicry: Disguising C2 as legitimate protocols (HTTP, SMTP)
Living off the land: Using built-in tools (PowerShell, WMI) over legitimate channels

C2 Analysis Workflow

Identify suspicious patterns: Beaconing, unusual domains, geo-anomalies
Correlate with threat intel: Check IPs/domains against IOC feeds
Analyze connection metadata: Frequency, size, timing, duration
Investigate source system: Process analysis, memory forensics, disk artifacts
Map lateral movement: Identify other potentially compromised systems

Detecting Data Exfiltration

Data Exfiltration Patterns

Attackers steal data through various network channels. Detecting exfiltration requires understanding normal data flow patterns and identifying deviations.

Large Outbound Transfers

Indicator: Gigabytes of data leaving the network to external IPs

Detection:

Monitor byte counts in NetFlow/PCAP
Baseline normal upload volumes
Alert on transfers exceeding 3 standard deviations

ip.dst != 10.0.0.0/8 && ip.dst != 172.16.0.0/12 && ip.dst != 192.168.0.0/16 Statistics → Conversations → Sort by bytes

Unusual Protocols or Ports

Indicator: FTP, TFTP, or custom ports used unexpectedly

Detection:

Monitor rarely-used protocols (FTP, Telnet)
Track non-standard ports (8080, 4444, 1337)
Look for protocol tunneling (SSH on port 80)

tcp.port > 49152 # Ephemeral/non-standard ports ftp-data # FTP data transfers

Steganography or Encoding

Indicator: Data hidden in images, DNS, or ICMP packets

Detection:

Unusual ICMP payload sizes
Excessive DNS TXT record queries
HTTP POST with large binary data

Cloud Storage Services

Indicator: Uploads to Dropbox, Google Drive, OneDrive from unexpected hosts

Detection:

Monitor connections to cloud storage IPs
Check for large HTTPS uploads
Correlate with user baseline behavior

http.host contains "dropbox" || http.host contains "drive.google" ssl.handshake.extensions_server_name contains "amazonaws"

Exfiltration Detection Strategy

Multi-Layered Approach

Volume-based detection: Alert on unusual data transfer volumes (MB/GB thresholds)
Frequency-based detection: Multiple small transfers over time (slow exfiltration)
Destination-based detection: Transfers to known malicious IPs, suspicious countries
Content-based detection: DLP integration to detect sensitive data patterns
Behavioral analytics: Machine learning to identify anomalous user/system behavior

Case Study: Detecting Slow Exfiltration

An attacker exfiltrated 200GB of customer data over 60 days using HTTPS to a compromised WordPress site. NetFlow showed the pattern: daily uploads of 3-5GB during off-hours. Baseline analysis revealed this server normally had <100MB daily uploads. Alert triggered investigation, leading to breach containment.

Detecting Lateral Movement

What is Lateral Movement?

After initial compromise, attackers move through the network to access additional systems, escalate privileges, and reach high-value targets. Network traffic analysis is essential for detecting this activity.

Key Lateral Movement Protocols

SMB/CIFS (Port 445)

Attack Techniques:

Pass-the-Hash (PtH)
PSExec remote execution
Credential harvesting
File share enumeration

Detection Indicators:

Workstation-to-workstation SMB (uncommon)
Admin shares access (C$, ADMIN$)
Rapid connections to multiple hosts
Failed authentication attempts

smb2.cmd == 1 # Session setup smb2.filename contains "ADMIN$" || smb2.filename contains "C$"

RDP (Port 3389)

Attack Techniques:

Credential stuffing/brute force
Session hijacking
Remote interactive access

Detection Indicators:

RDP from external IPs
Lateral RDP between servers
Multiple failed RDP attempts
RDP during off-hours

tcp.port == 3389 rdp # RDP protocol filter

WMI (Port 135, 49152+)

Attack Techniques:

Remote command execution
Process creation
Persistence mechanisms

Detection Indicators:

DCOM/RPC connections to multiple hosts
Unusual source hosts initiating WMI
High volume of RPC calls

dcerpc # DCOM/RPC traffic tcp.port == 135

SSH (Port 22)

Attack Techniques:

Lateral shell access
Port forwarding/tunneling
Key-based authentication abuse

Detection Indicators:

SSH between internal systems
Multiple SSH sessions from single source
SSH to non-standard ports

Lateral Movement Analysis Workflow

Initial
Compromise

→

SMB/RDP
Lateral Spread

→

Privilege
Escalation

→

Domain
Admin Access

Network-Based Lateral Movement Detection

Identify pivot points: Systems making unusual outbound connections
Map connection patterns: Visualize which systems connect to what
Detect scanning behavior: Connections to many hosts in short timeframe
Correlate with authentication logs: Failed logins + network connections
Timeline reconstruction: Sequence of compromised systems

Living Off the Land (LOL) Techniques

Attackers increasingly use legitimate Windows tools (PsExec, PowerShell, WMI) for lateral movement, making detection harder. Network traffic analysis must focus on behavioral anomalies rather than just known-bad signatures.

Detecting Reconnaissance Activity

Reconnaissance: The Attacker's First Step

Before exploitation, attackers gather information about the target network - open ports, services, vulnerabilities, and network topology. Detecting recon early can prevent full compromise.

Common Reconnaissance Techniques

Port Scanning

Description: Systematic probing of ports to identify open services

Types:

TCP SYN scan: Half-open connections (most common)
TCP connect scan: Full connections
UDP scan: Probing UDP services
Stealth scans: FIN, NULL, XMAS flag combinations

Detection:

tcp.flags.syn == 1 && tcp.flags.ack == 0 # SYN packets tcp.flags == 0x00 # NULL scan tcp.flags.fin == 1 && tcp.flags.ack == 0 # FIN scan

Indicators:

Single source IP connecting to many destination ports
Sequential port numbers (1, 2, 3, 4...)
Short connection durations
Many RST or SYN-ACK responses

ARP Sweeping

Description: Discovering live hosts on local network segment

Detection:

arp.opcode == 1 # ARP requests arp.dst.proto_ipv4 == 0.0.0.0 # Gratuitous ARP

Indicators:

Rapid succession of ARP requests
Requests for sequential IP addresses
Single source generating excessive ARP traffic

ICMP Sweeping (Ping Scans)

Description: Using ICMP echo requests to find live hosts

Detection:

icmp.type == 8 # Echo requests icmp.type == 0 # Echo replies

Indicators:

ICMP requests to sequential IPs
High volume from single source
Unusual ICMP payload sizes

Service Enumeration

Description: Banner grabbing and service version detection

Indicators:

Connections followed by immediate disconnects
Unusual HTTP User-Agent strings (Nmap, Nessus)
SNMP community string guessing
DNS zone transfer attempts

http.user_agent contains "Nmap" || http.user_agent contains "Nessus" dns.qry.type == 252 # Zone transfer (AXFR)

Distinguishing Recon from Legitimate Activity

Context Matters

Activity	Legitimate	Suspicious
Port scanning	Authorized vulnerability scanner from known IP	Unknown external IP scanning all hosts
ICMP requests	Monitoring tool pinging specific servers	Workstation pinging entire subnet
Service connections	Application connecting to database	User workstation connecting to all servers on port 22

Recon Detection Best Practice

Maintain an inventory of authorized scanning tools (IP addresses, schedules). Any scanning activity outside this inventory should trigger alerts. Use reputation feeds to identify known scanner IPs (Shodan, Censys).

Wireshark Display Filters & Analysis Techniques

Essential Wireshark Display Filters

Display filters allow you to slice through massive packet captures to find exactly what you need. Mastering filter syntax is critical for efficient analysis.

Core Filter Categories

IP Address Filters

ip.addr == 192.168.1.100 ip.src == 10.0.0.5 ip.dst == 172.16.0.10 ip.addr == 10.0.0.0/24 # Subnet

Port Filters

tcp.port == 443 udp.port == 53 tcp.srcport == 80 tcp.dstport == 22 tcp.port >= 49152 # Ephemeral ports

Protocol Filters

http dns smb2 tls arp icmp

TCP Flag Filters

tcp.flags.syn == 1 tcp.flags.rst == 1 tcp.flags == 0x012 # SYN-ACK tcp.flags.ack == 1 && tcp.flags.syn == 1

Advanced Filter Techniques

Logical Operators

# AND (both conditions must be true) ip.src == 10.0.0.5 && tcp.port == 443 # OR (either condition can be true) tcp.port == 80 || tcp.port == 443 # NOT (inverse) !(arp || icmp) # Combining operators (ip.src == 10.0.0.5 || ip.src == 10.0.0.6) && tcp.port == 22

Security-Focused Filters

Find Cleartext Credentials

http.request.method == "POST" ftp.request.command == "PASS" telnet

Suspicious DNS

dns.qry.name.len > 50 dns.qry.type == 16 # TXT records dns.flags.rcode == 3 # NXDOMAIN

Potential Data Exfiltration

tcp.len > 1400 # Large packets http.request.method == "POST" && http.file_data ftp-data

Scanning Activity

tcp.flags.syn == 1 && tcp.flags.ack == 0 tcp.flags.reset == 1 tcp.analysis.retransmission

Wireshark Analysis Workflows

Follow TCP Stream (Right-click → Follow → TCP Stream)

Reconstructs entire conversation between client and server. Essential for:

Reading HTTP requests/responses
Extracting transferred files
Viewing cleartext protocols (Telnet, FTP)
Understanding application-layer interactions

Statistics Menu - Your Best Friend

Conversations: View all IP/port pairs, sort by bytes/packets
Protocol Hierarchy: See protocol distribution in capture
Endpoints: Identify top talkers by IP
HTTP → Requests: List all HTTP requests
DNS → Statistics: Analyze DNS query patterns

Pro Tip: Capture Filters vs Display Filters

Capture filters (BPF syntax) limit what's captured: tcpdump -i eth0 'tcp port 80'
Display filters (Wireshark syntax) control what's shown in already-captured data: http.request.method == "GET"

Use capture filters to reduce file size, display filters for analysis flexibility.

Encrypted Traffic Analysis

The Challenge: Most Traffic is Encrypted

Over 95% of web traffic uses HTTPS/TLS. While encryption protects privacy, it also hides malicious activity. Analysts must use metadata analysis since payload inspection is not possible.

TLS Metadata Analysis

Certificate Analysis

What to examine:

Certificate validity period (newly issued = suspicious)
Issuer (self-signed vs trusted CA)
Subject/Common Name (generic names, misspellings)
Subject Alternative Names (SANs)
Certificate chain completeness

tls.handshake.certificate tls.handshake.extensions_server_name

Red flags:

Self-signed certificates in production
Expired or not-yet-valid certificates
Certificate issued hours before connection

Server Name Indication (SNI)

Domain name sent in cleartext during TLS handshake

tls.handshake.extensions_server_name == "evil.com" tls.handshake.extensions_server_name contains "amazonaws"

Analysis value:

Identify destination domains even with HTTPS
Detect connections to known malicious domains
Track cloud service usage (S3, Azure, GCP)

JA3/JA3S Fingerprinting

What is JA3?

JA3 creates a fingerprint from TLS client hello parameters (TLS version, cipher suites, extensions, elliptic curves, formats). The fingerprint identifies the client application, not the user.

JA3S does the same for server hello, identifying the server configuration.

JA3 Use Cases

Malware identification: Known malware families have unique JA3 signatures
Policy enforcement: Detect unauthorized applications (Tor, VPNs)
Anomaly detection: New JA3 fingerprint from known host
Hunting: Correlate JA3 across network to find infected hosts

Example Analysis

# Normal Chrome JA3:
771,49195-49199-49196-49200-52393-52392...

# Trickbot Malware JA3:
a0e9f5d64349fb13191bc781f81f42e1

# Detection: Alert on known-bad JA3 hashes
          

Tools: ja3er.com (JA3 database), Zeek, Suricata

Behavioral Analysis of Encrypted Traffic

What You CAN Still See

Packet sizes: Pattern of request/response sizes
Timing: Inter-arrival times, session duration
Volume: Total bytes transferred
Connection patterns: Frequency, beaconing intervals
IP geolocation: Destination countries
Port usage: HTTPS on non-standard ports

Encrypted Threat Detection

Encrypted C2 Beaconing

Method: Analyze connection frequency and payload sizes despite encryption

tls # Filter to TLS only Statistics → Conversations → Identify regular intervals

Encrypted Data Exfiltration

Method: Detect large HTTPS uploads to unusual destinations

tls && ip.dst != 10.0.0.0/8 # External TLS Statistics → Conversations → Sort by bytes sent

The Future: TLS 1.3 & ESNI

TLS 1.3 encrypts more of the handshake, and Encrypted SNI (ESNI) hides the server name. This reduces metadata visibility. Analysts must increasingly rely on behavioral analytics, machine learning, and endpoint telemetry to detect threats in encrypted traffic.

Network Forensics Workflow

Structured Approach to PCAP Analysis

When responding to an incident, follow a systematic workflow to ensure thorough analysis and defensible findings.

6-Phase Forensic Workflow

1. Collection

→

2. Preservation

→

3. Examination

6. Reporting

←

5. Documentation

←

4. Analysis

Phase Details

1. Collection

Identify relevant capture sources (SPAN, TAP, sensor)
Determine time window of interest
Retrieve PCAPs from storage/sensors
Document chain of custody
Note capture limitations (filters, packet loss)

2. Preservation

Create hash of original PCAP (MD5/SHA256)
Store original in write-protected location
Work on copies, never originals
Maintain access logs
Follow evidence handling procedures

3. Examination

Validate PCAP integrity (capinfos, tshark -r)
Review protocol hierarchy
Identify conversations and endpoints
Check for capture errors/warnings
Establish timeline boundaries

4. Analysis

Apply filters based on IOCs/hypotheses
Follow suspicious streams
Extract artifacts (files, credentials, domains)
Correlate with logs and threat intel
Build attack timeline

5. Documentation

Screenshot key findings
Record filter syntax used
Document IOCs extracted
Note analyst observations
Maintain analysis log

6. Reporting

Executive summary
Technical findings with evidence
Timeline of events
IOCs and recommendations
Lessons learned

Key Forensic Questions to Answer

The 5 W's of Network Forensics

Who? Internal IP, user, system name
What? Attack type, malware family, data accessed
When? Initial compromise, dwell time, exfiltration timing
Where? External IPs, countries, domains, infrastructure
Why? Attack motivation (espionage, ransomware, hacktivism)

Tools for Network Forensics

Tool	Purpose	Key Features
Wireshark	Interactive analysis	Protocol dissection, stream following, expert info
NetworkMiner	Automated artifact extraction	File extraction, OS fingerprinting, session reconstruction
Zeek (Bro)	Log generation from PCAPs	Protocol logs, file extraction, scripting capability
Moloch	Full packet capture indexing	Fast search, tagging, PCAP retrieval at scale
Security Onion	Complete NSM platform	IDS, PCAP, Zeek, visualization, hunting

Best Practice: Hypothesis-Driven Analysis

Don't just explore PCAPs randomly. Start with a hypothesis based on alerts, IOCs, or anomalies. Example: "I suspect this host is exfiltrating data via DNS tunneling." Then use filters and analysis techniques to prove or disprove the hypothesis systematically.

Common Pitfalls to Avoid

Analysis paralysis: Huge PCAPs can be overwhelming - filter early
Confirmation bias: Don't just look for evidence supporting your theory
Missing context: Correlate with endpoint logs, SIEM, threat intel
Poor documentation: Document as you go, not after analysis
Chain of custody gaps: Maintain evidence integrity throughout

Completion Achievement

Congratulations! You've completed the Network Traffic Analysis presentation. You now have the foundational knowledge to analyze packets, detect threats, and conduct network forensics at a SOC Analyst / CySA+ level.

Click "Complete Module" below to mark this presentation as finished and unlock the next components.