The Art of Packet Analysis
Network traffic analysis is the cornerstone of security monitoring. Whether you're hunting threats, investigating incidents, or tuning detection rules, understanding what's happening on the wire is essential.
Why Traffic Analysis Matters
Use Cases:
Tools of the Trade
Wireshark
The industry-standard packet analyzer with deep protocol dissection.
Essential Features:
tshark
Command-line Wireshark for automation and scripting.
Power User Tips:
# Extract HTTP hosts
tshark -r capture.pcap -Y "http.request" -T fields -e http.host
# Find large transfers
tshark -r capture.pcap -q -z io,stat,1,"SUM(frame.len)frame.len"
# Export HTTP objects
tshark -r capture.pcap --export-objects http,./output/
Zeek (formerly Bro)
Network security monitor that creates structured logs.
Advantages:
Converts PCAPs to searchable logs Protocol-specific analysis Scriptable detection logic Integration with SIEM platforms
Advanced Analysis Techniques
1. Baseline Analysis
Establish Normal Behavior:
Step 1: Capture 24-hour sample
Step 2: Identify:
- Top talkers (IP addresses)
- Protocol distribution
- Port usage patterns
- Traffic volume by time
Step 3: Document baseline
Step 4: Set alerting thresholds
2. Protocol Analysis
DNS Analysis:
Look for suspicious patterns:
Excessive queries to same domain Long subdomain names (tunneling) Queries to recently registered domains TXT record abuse
HTTP/HTTPS Analysis:
User-Agent anomalies POST to GET ratio Suspicious file transfers Certificate validation issues
3. Temporal Analysis
Time-Based Patterns:
Traffic during off-hours Periodic beaconing (C2) Data exfiltration patterns Scan activities
Wireshark Display Filters
Basic Filters
# Show only HTTP traffic
http
# TCP traffic on port 443
tcp.port == 443
# Packets from specific IP
ip.src == 192.168.1.100
# Packet size filter
frame.len > 1000
Advanced Filters
# Find HTTP POST with large payloads
http.request.method == "POST" && http.content_length > 100000
# Detect port scans
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <= 1024
# Find potential data exfiltration
dns.qry.name.len > 50
# Identify encrypted tunnels
ssl.handshake.type == 1 && ssl.handshake.ciphersuite != 0
Threat Hunting with PCAP
Hunting for C2 Communication
Indicators:
Beaconing behavior (regular intervals) Uncommon ports for HTTP/HTTPS Certificate anomalies Suspicious User-Agents
Analysis Workflow:
Extract connection timestamps Calculate inter-packet arrival times Identify periodic patterns Correlate with threat intelligence 5. Investigate suspicious flows
Detecting Lateral Movement
Signs in Traffic:
Unusual SMB activity Pass-the-Hash indicators RDP connections to non-standard hosts PowerShell remoting traffic
Identifying Data Exfiltration
Exfiltration Methods:
DNS tunneling HTTPS uploads to cloud services FTP/SFTP large transfers Encrypted channels
Detection Queries:
# Large outbound transfers
ip.dst != 192.168.0.0/16 && frame.len > 1400 && tcp.len > 1400
# Unusual DNS query volumes
dns.qry.name && frame.len > 100
TLS/SSL Inspection
Certificate Analysis
Red Flags:
Self-signed certificates Expired certificates Mismatched common names Recently issued certificates
Wireshark Filters:
# View all certificates
ssl.handshake.certificate
# Find self-signed certs
ssl.handshake.certificate && !ssl.handshake.certificate.issuer
Decrypting SSL Traffic
Method 1: Pre-Master Secret
Set SSLKEYLOGFILE environment variable for browser captures.
Method 2: Private Key
If you control the server, load the private key in Wireshark.
Method 3: Inline Proxy
Use tools like mitmproxy for real-time decryption.
Statistical Analysis
Entropy Analysis
Detect encrypted payloads and packed malware:
import math
from collections import Counter
def calculate_entropy(data):
if not data:
return 0
entropy = 0
counter = Counter(data)
for count in counter.values():
probability = count / len(data)
entropy -= probability * math.log2(probability)
return entropy
# High entropy (>7.5) suggests encryption/compression
Packet Size Distribution
Analyze packet size patterns for anomalies:
Most traffic: 40-1500 bytes Large packets: potential data transfer Many small packets: potential scanning
Automating Analysis
Python + Scapy
from scapy.all import *
# Read PCAP
packets = rdpcap('capture.pcap')
# Extract unique IPs
unique_ips = set()
for pkt in packets:
if IP in pkt:
unique_ips.add(pkt[IP].src)
unique_ips.add(pkt[IP].dst)
print(f"Unique IPs: {len(unique_ips)}")
Zeek Scripts
# Detect long connections
event connection_state_remove(c: connection)
{
if ( c$duration > 1 hour )
{
print fmt("Long connection: %s -> %s (%s)",
c$id$orig_h, c$id$resp_h, c$duration);
}
}
Best Practices
**Capture Strategy** - Use span ports or TAPs
- Capture full packets when possible
- Implement ring buffers for continuous capture
- Store with timestamps and metadata
**Analysis Workflow** - Start with high-level statistics
- Drill down into suspicious flows
- Document findings
- Correlate with other data sources
**Performance** - Use capture filters to reduce volume
- Analyze in chunks for large PCAPs
- Leverage distributed processing
- Archive old captures efficiently
Real-World Case Studies
Case 1: Detecting Cobalt Strike
Indicators:
HTTP GET requests to /pixel.gif Jitter in callback timing POST with encrypted payloads
Case 2: DNS Tunneling
Detection:
Excessive TXT queries Long subdomain names Single client querying many unique domains
Tools Integration
SIEM Integration:
Forward Zeek logs to SIEM Create correlation rules Alert on anomalies Build dashboards
Threat Intelligence:
Check IPs against feeds Domain reputation lookups Certificate fingerprinting Payload hash analysis
Want to enhance your traffic analysis skills? Check out NeuroSmash IDPS for AI-powered packet analysis.