Table of Contents
What is Network Forensics?
Network forensics is the capture, recording, and analysis of network traffic to discover the source of security attacks or other problem incidents. It's essential for incident response and legal investigations.
Packet Capture Methods
tcpdump
# Capture all traffic on eth0
tcpdump -i eth0 -w capture.pcap
# Capture specific host
tcpdump -i eth0 host 192.168.1.100 -w host.pcap
# Capture HTTP traffic
tcpdump -i eth0 port 80 or port 443 -w http.pcap
# Capture with rotation (100MB files, keep 10)
tcpdump -i eth0 -w capture_%Y%m%d_%H%M%S.pcap -G 3600 -C 100 -W 10Zeek (formerly Bro)
# Process PCAP file
zeek -r capture.pcap
# Generates logs:
# conn.log - All connections
# dns.log - DNS queries
# http.log - HTTP requests
# ssl.log - TLS/SSL connections
# files.log - Files transferredWireshark Analysis
Essential Display Filters
# Filter by IP
ip.addr == 192.168.1.100
# Filter by protocol
http || dns || tls
# Failed TCP connections
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.analysis.retransmission
# HTTP POST requests
http.request.method == "POST"
# Find passwords in cleartext
http contains "password" || ftp contains "PASS"
# DNS queries to suspicious TLD
dns.qry.name contains ".xyz" || dns.qry.name contains ".top"
# Large data transfers (exfiltration)
tcp.len > 10000Follow Streams
Right-click packet → Follow → TCP Stream to reconstruct full conversation.
Key Network Artifacts
| DNS Queries | C2 domains, tunneling, DGA detection |
| HTTP Headers | User-agent strings, referrers, cookies |
| TLS Certificates | Self-signed, expired, suspicious issuers |
| Connection Duration | Beaconing patterns (regular intervals) |
| Data Volume | Unusual upload (exfiltration) |
Malware Traffic Analysis
Indicators to Look For
- Beaconing: Regular connections at fixed intervals (every 60s)
- DNS tunneling: Long TXT records, high query volume
- C2 over HTTP: Base64 in URL parameters, unusual User-Agents
- Data exfil: Large POST requests, encoded data
Extract Files from PCAP
# Wireshark: File → Export Objects → HTTP
# NetworkMiner (Windows)
# Automatically extracts files, images, credentials
# Foremost
foremost -i capture.pcap -o extracted_files/Updated: December 2024