Script House
Network Analysis
CLH-003 of 015

Network Analysis Fundamentals

Capture packets. Decode traffic. Find the breach.

CAPTURED TRAFFIC

A network administrator noticed suspicious outbound traffic and captured it to breach.pcap (5.2 MB). Your mission: analyze this packet capture to identify the attack vector, find the attacker's IP, and determine what data was exfiltrated.

Understanding Packet Captures

Network traffic is the lifeblood of modern attacks. Whether it's command and control (C2) communications, data exfiltration, or lateral movement, it all leaves traces in packet captures. PCAP files are recordings of network traffic, stored packet by packet.

Tools like tcpdump (CLI) and Wireshark/tshark (GUI/CLI) let you dissect these captures packet by packet, revealing the attacker's every move.

Network Analysis Commands

| Command | Purpose |
|---|---|
| tcpdump -r file.pcap | Read and display packets from a capture file |
| tcpdump -r file.pcap -n | Don't resolve hostnames (faster, shows raw IPs) |
| tcpdump -r file.pcap host 192.168.1.1 | Filter packets to/from a specific IP |
| tcpdump -r file.pcap port 80 | Filter by port number |
| tshark -r file.pcap | Wireshark CLI, more readable output |
| tshark -r file.pcap -Y "http" | Display filter for HTTP traffic only |

analyst@kali:~$ tcpdump -r breach.pcap -n | head -5
reading from file breach.pcap, link-type EN10MB (Ethernet)
09:15:22.123456 IP 192.168.1.105.52341 > 10.0.0.50.443: TCP [S]
09:15:22.125789 IP 10.0.0.50.443 > 192.168.1.105.52341: TCP [S.]
09:15:22.126012 IP 192.168.1.105.52341 > 10.0.0.50.443: TCP [.]
09:15:23.456789 IP 192.168.1.105.52341 > 45.33.32.156.4444: TCP [P.]
analyst@kali:~$ tcpdump -r breach.pcap -n port 4444 | wc -l
847
# Port 4444 = Metasploit default! 847 packets = active C2 session!

Suspicious Indicators

Non-Standard Ports

Ports such as 4444 (the Metasploit default), 5555, 6666 and 8888 are often used by malware and reverse shells.

Large Outbound Transfers

Data exfiltration often shows as large volumes of data leaving to external IPs.

External IP Connections

Connections to IPs outside your network, especially to address ranges with a known bad reputation.

Beaconing Patterns

Regular, periodic connections (for example every 30 s or 60 s) indicate C2 heartbeat traffic.
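The commands above show what tcpdump prints; the script below shows what it is actually reading. This is an added example, not code from the lesson or the lab platform: a minimal parser for the classic pcap format (24-byte global header followed by 16-byte record headers and Ethernet frames), followed by the four indicator checks from this section (non-standard ports, outbound volume, external peers, beaconing) run over a capture constructed inline. The addresses and port 4444 are taken from the lesson's sample output, but the capture is built in memory and is not the lab's breach.pcap; the INTERNAL_PREFIXES tuple, the port list and the 10% jitter threshold are assumptions chosen for the example.

```python
"""Minimal pcap reader plus the indicator checks from this lesson (added example).
The capture is constructed inline; it is NOT the lab's breach.pcap."""
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4                       # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1
SUSPICIOUS_PORTS = {4444, 5555, 6666, 8888}   # the ports listed in the lesson
INTERNAL_PREFIXES = ("192.168.", "10.")       # assumption: the monitored LAN
SYN, PSH, ACK = 0x02, 0x08, 0x10              # TCP flag bits


def build_packet(src, sport, dst, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame. Checksums are left at zero;
    that is enough for parsing (tcpdump would only report them as bad)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)            # ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_pcap(records):
    """records: list of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return [(ts, src, sport, dst, dport, flags, payload_len)] for IPv4/TCP packets."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == PCAP_MAGIC else ">"     # byte order of the capturing host
    linktype, = struct.unpack_from(e + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (EN10MB) captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(e + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                               # not IPv4 (ARP, IPv6, ...)
        ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
        total_len, = struct.unpack_from("!H", frame, 16)
        if frame[23] != 6:                         # IP protocol 6 = TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        if len(frame) < tcp + 14:
            continue                               # truncated by snaplen
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        doff = (frame[tcp + 12] >> 4) * 4          # TCP header length in bytes
        packets.append((sec + usec / 1e6, src, sport, dst, dport,
                        frame[tcp + 13], total_len - ihl - doff))
    return packets


def analyze(packets, internal=INTERNAL_PREFIXES, max_jitter=0.1):
    """Apply the four indicator checks from the lesson to parsed packets."""
    report = {"port_hits": Counter(), "bytes_out": Counter(),
              "external_peers": Counter(), "beacons": {}}
    syn_times = defaultdict(list)
    for ts, src, sport, dst, dport, flags, plen in packets:
        for p in (sport, dport):
            if p in SUSPICIOUS_PORTS:
                report["port_hits"][p] += 1        # non-standard port
        if src.startswith(internal) and not dst.startswith(internal):
            report["external_peers"][dst] += 1     # external IP connection
            report["bytes_out"][dst] += plen       # outbound volume
            if flags & SYN and not flags & ACK:    # new outbound connection
                syn_times[(src, dst, dport)].append(ts)
    for key, times in syn_times.items():           # beaconing: evenly spaced SYNs
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2:
            mean = sum(gaps) / len(gaps)
            if mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter:
                report["beacons"][key] = round(mean, 1)
    return report


def sample_capture():
    """Constructed capture echoing the lesson's output: one normal HTTPS
    handshake, then a 30-second beacon to the C2 host on port 4444."""
    a, web, c2 = "192.168.1.105", "10.0.0.50", "45.33.32.156"
    recs = [(0.000, build_packet(a, 52341, web, 443, SYN)),
            (0.002, build_packet(web, 443, a, 52341, SYN | ACK)),
            (0.003, build_packet(a, 52341, web, 443, ACK))]
    for i, t in enumerate((1.0, 31.0, 61.0, 91.0)):
        recs.append((t, build_packet(a, 53000 + i, c2, 4444, SYN)))
        recs.append((t + 0.5, build_packet(a, 53000 + i, c2, 4444, PSH | ACK, b"X" * 1500)))
    return build_pcap(recs)


if __name__ == "__main__":
    r = analyze(parse_pcap(sample_capture()))
    print("suspicious ports:", dict(r["port_hits"]))
    print("top external peer:", r["external_peers"].most_common(1))
    print("bytes out:", dict(r["bytes_out"]))
    print("beacons:", r["beacons"])
```

The external_peers counter is the same "top talkers" view as the grep | sort | uniq -c pipeline in the lab, but restricted to traffic leaving the internal prefixes, so an internal web server such as 10.0.0.50 does not crowd out the real external peer. The beacon check keys on outbound SYNs only, because a long-lived reverse shell also produces steady data packets that would otherwise look periodic for the wrong reason.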

LAB: Analyze breach.pcap

You have access to the captured traffic. Use network analysis commands to investigate the breach and answer: Who attacked? What port? How many packets?

Lab status:

  • Total Packets: 12,847
  • Attacker IP: ???
  • C2 Port: ???
  • C2 Packets: ???

Network Forensics Lab - breach.pcap Analysis
=============================================
File: breach.pcap (5.2 MB, 12,847 packets)

Try these commands:
  tcpdump -r breach.pcap | head
  tcpdump -r breach.pcap -n port 4444
  tcpdump -r breach.pcap -n | grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort | uniq -c | sort -rn | head
ANALYSIS COMPLETE!

You've identified the breach:

  • Attacker IP: 45.33.32.156
  • C2 Port: 4444 (Metasploit default)
  • C2 Traffic: 847 packets over 45 minutes
  • Verdict: Active reverse shell session detected

Ready to Test Your Skills?

Complete the quiz to prove your network analysis abilities.

Completing CLH-001 to CLH-003 earns: CLI Recruit