Network Analysis
Objectives: By the end of this topic, you will be able to…
- Capture network traffic with graphical and CLI tools
- Apply filters to focus analysis on relevant protocols
- Recognize normal and anomalous patterns
- Interpret basic network protocol headers
- Use network analysis to support security investigations
What is network analysis?
Network analysis is the process of capturing, inspecting, and interpreting traffic on a computer network. In cybersecurity, it allows you to:
- Detect active threats such as malware, scans, or data exfiltration
- Identify vulnerabilities in configuration or use of insecure protocols
- Reconstruct incidents for forensic analysis
- Audit network security from offensive or defensive perspectives
OSI and TCP/IP models (practical summary)
The most relevant layers for network analysis:
| OSI Layer | Example of practical use |
|---|---|
| Layers 1-2 (Physical / Data Link) | MAC addresses, ARP |
| Layer 3 (Network) | IP addresses, routing |
| Layer 4 (Transport) | TCP, UDP, ports |
| Layers 5-7 (Application) | HTTP, DNS, FTP |
These layers allow breaking down a packet to understand what is happening at each level.
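To make the layer-by-layer breakdown concrete, here is an added example (not part of the course material) that walks a single raw frame down Ethernet, IPv4 and TCP and names the fields the way Wireshark display filters do. The frame it parses is constructed inline; the MAC addresses, IPs, ports and the zeroed checksums are assumptions for the sample, not values from any real capture.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 9293)
TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def parse_frame(frame: bytes) -> dict:
    """Walk one captured frame down the layers and return the key header
    fields, named after Wireshark's display-filter fields."""
    fields = {}

    # Layers 1-2: Ethernet II header = dst MAC (6) | src MAC (6) | EtherType (2)
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields["eth.dst"] = dst_mac.hex(":")
    fields["eth.src"] = src_mac.hex(":")
    fields["eth.type"] = ethertype
    if ethertype != 0x0800:          # only IPv4 is decoded here
        return fields

    # Layer 3: IPv4 fixed header (20 bytes; IHL says whether options follow)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto,
     _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4       # header length in bytes
    fields["ip.version"] = ver_ihl >> 4
    fields["ip.len"] = total_len
    fields["ip.ttl"] = ttl
    fields["ip.proto"] = proto
    fields["ip.flags.df"] = bool(flags_frag & 0x4000)
    fields["ip.src"] = ".".join(str(b) for b in src)
    fields["ip.dst"] = ".".join(str(b) for b in dst)
    if proto != 6:                   # 6 = TCP; UDP (17) and ICMP (1) not decoded
        return fields

    # Layer 4: TCP fixed header (20 bytes)
    tcp = ip[ihl:]
    (sport, dport, seq, ack, off_flags, window,
     _tcp_checksum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    fields["tcp.srcport"] = sport
    fields["tcp.dstport"] = dport
    fields["tcp.seq"] = seq
    fields["tcp.ack"] = ack
    fields["tcp.window_size"] = window
    fields["tcp.flags"] = [name for name, bit in TCP_FLAGS if off_flags & bit]
    data_offset = (off_flags >> 12) * 4
    fields["tcp.payload_len"] = total_len - ihl - data_offset
    return fields


def build_sample_frame() -> bytes:
    """Constructed sample (not from a real capture): a TCP SYN from
    192.168.1.10:51234 to 203.0.113.5:80. Checksums are left as zero
    because this frame is only ever parsed, never sent."""
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"),
                      bytes.fromhex("112233445566"), 0x0800)
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 0,
                      (5 << 12) | 0x02,   # data offset 5 words, SYN set
                      65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x4000,              # DF flag, fragment offset 0
                     64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return eth + ip + tcp


if __name__ == "__main__":
    for name, value in parse_frame(build_sample_frame()).items():
        print(f"{name:18} {value}")
```

Each `fields[...]` key is a real Wireshark field name, so the values printed here can be cross-checked against the same packet opened in the GUI; a TTL of 64 with a bare SYN is what a Linux client's connection attempt normally looks like, which is the baseline the "unusual TTL" indicator later in this topic is measured against.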
Common protocols
| Protocol | Description |
|---|---|
| HTTP/HTTPS | Web browsing (ports 80/443) |
| DNS | Domain name resolution |
| FTP | File transfer (port 21), insecure by default |
| ICMP | Diagnostic messages (e.g., ping) |
| ARP | IP to MAC address resolution |
| SMB | File sharing on Windows networks |
| SSH | Secure remote access |
| Telnet | Remote access (insecure, unencrypted) |
Each protocol has its own structure, inspectable with Wireshark or tcpdump.
Sniffing and collection techniques
Sniffing consists of capturing network traffic passing through an interface:
- Passive capture: observing without interacting (tcpdump, Wireshark)
- ARP spoofing: intercepting traffic by redirecting packets (MITM attacks)
- Promiscuous mode: the network interface captures all traffic, not just traffic addressed to it
- Monitor mode (Wi-Fi): captures even non-associated traffic
Tools:
| Tool | Description |
|---|---|
| tcpdump | Command-line, fast and flexible |
| Wireshark | GUI for detailed visual inspection |
| tshark | CLI version of Wireshark |
| ettercap | MITM attacks and real-time analysis |
Recognizing malicious patterns
Through packet analysis, it is possible to identify suspicious activity:
- Network scans: multiple packets to different ports or IPs (Nmap, masscan)
- Flooding: large amounts of ICMP, UDP, or SYN packets (DoS attacks)
- Sniffing abuse: exploitation of unencrypted protocols
- Anomalous traffic: connections to unusual ports, encrypted payloads in unencrypted protocols, beaconing (periodic communications)
Common indicators:
- Communication with algorithmically generated domains (DGA)
- Credentials transmitted in clear text
- Packets with unusual TTL values or sizes
Hands-on lab
Requirements: Kali Linux, Wireshark, tcpdump, tshark, nmap, partner VM
Part 1: Traffic capture and classification
- Identify your active network interface:
  ```bash
  ip addr show
  ```
- Start capturing:
  ```bash
  sudo tcpdump -i eth0 -w traffic_lab11.pcap
  ```
- Generate diverse traffic (HTTP, DNS, ICMP):
  ```bash
  curl http://example.com
  dig www.github.com
  ping -c 5 8.8.8.8
  ```
- Open in Wireshark and classify by protocol using Statistics → Protocol Hierarchy
- Create a protocol classification table (5+ protocols)
Part 2: Deep protocol analysis
- Choose 3 protocols from your capture
- For each protocol, document: purpose, OSI layer, 4-6 key fields
- Use display filters:
  ```bash
  tshark -r traffic_lab11.pcap -Y "dns" -T fields -e dns.qry.name -e dns.a
  tshark -r traffic_lab11.pcap -Y "http.request" -T fields -e ip.src -e http.request.uri
  ```
- Search for unencrypted data (HTTP POST, cookies, DNS queries)
Part 3: Detecting malicious patterns
- Start capture on the TARGET system
- Perform a TCP SYN scan from the attacker:
  ```bash
  sudo nmap -sS -T4 -p 1-1000 TARGET_IP
  ```
- Analyze scan traffic with the Wireshark display filter:
  ```
  tcp.flags.syn == 1 and tcp.flags.ack == 0
  ```
- Count SYN packets by source:
  ```bash
  tshark -r malicious_activity.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src | sort | uniq -c | sort -rn
  ```
- Create comparison table: normal traffic vs malicious scan
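The "Recognizing malicious patterns" section above lists SYN scans and beaconing as things to spot, and Part 3 counts bare SYNs per source with a tshark pipeline. The following added example (not part of the lab or of tshark) implements both checks over tshark-style field output so the same logic can be reused across captures. The sample lines are constructed inline; the tshark column order in the comment, the IP addresses and the thresholds are assumptions for the example.

```python
import statistics
from collections import Counter, defaultdict

# Column order of the constructed records, matching this hypothetical
# tshark invocation (an assumption, not a command from the lab text):
#   tshark -r file.pcap -Y tcp -T fields -e frame.time_relative -e ip.src \
#          -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
COLUMNS = ("time", "src", "dst", "dport", "syn", "ack")


def parse_fields(lines):
    """Turn tshark -T fields output (tab-separated) into dicts. Boolean
    fields print as 1/0 in older tshark and True/False in newer ones."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        t, src, dst, dport, syn, ack = line.split("\t")
        records.append({"time": float(t), "src": src, "dst": dst,
                        "dport": int(dport),
                        "syn": syn in ("1", "True"),
                        "ack": ack in ("1", "True")})
    return records


def bare_syns(records):
    """The tcp.flags.syn==1 && tcp.flags.ack==0 filter: connection attempts only."""
    return [r for r in records if r["syn"] and not r["ack"]]


def syn_counts_by_source(records):
    """Same result as `... -e ip.src | sort | uniq -c | sort -rn`."""
    return Counter(r["src"] for r in bare_syns(records))


def detect_syn_scans(records, min_ports=20):
    """A scan shows as one source hitting many distinct ports on one host
    with bare SYNs. Returns {(src, dst): distinct_port_count}."""
    ports = defaultdict(set)
    for r in bare_syns(records):
        ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_beaconing(records, min_events=5, max_jitter=0.1):
    """Beaconing shows as repeated connections to the same (dst, port) at
    near-constant intervals. Flags a flow when the coefficient of
    variation of the gaps (stdev/mean) is at most max_jitter.
    Returns {(src, dst, dport): mean_interval_seconds}."""
    times = defaultdict(list)
    for r in bare_syns(records):
        times[(r["src"], r["dst"], r["dport"])].append(r["time"])
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons


def build_sample_capture():
    """Constructed sample lines (not a real capture): a SYN scan of 30 ports,
    a normal client making three web connections, and a 60-second beacon."""
    lines = []
    # Scanner 10.0.0.5 probes 10.0.0.20 ports 1-30; the target answers two
    # open ports with SYN/ACK, which the bare-SYN filter correctly ignores.
    for port in range(1, 31):
        lines.append(f"{port * 0.001:.3f}\t10.0.0.5\t10.0.0.20\t{port}\t1\t0")
        if port in (22, 25):
            lines.append(f"{port * 0.001 + 0.0005:.4f}\t10.0.0.20\t10.0.0.5\t{40000 + port}\t1\t1")
    # Normal client: irregular intervals, a single port
    for t in (5.0, 12.3, 40.7):
        lines.append(f"{t}\t10.0.0.7\t10.0.0.20\t80\t1\t0")
    # Beacon: 10.0.0.9 reconnects to 198.51.100.8:443 roughly every 60 s
    for t in (60.0, 120.5, 179.8, 240.2, 300.1, 360.0):
        lines.append(f"{t}\t10.0.0.9\t198.51.100.8\t443\tTrue\tFalse")
    return lines


if __name__ == "__main__":
    recs = parse_fields(build_sample_capture())
    print("SYN count by source:", syn_counts_by_source(recs).most_common())
    print("Scans:", detect_syn_scans(recs))
    print("Beacons:", detect_beaconing(recs))
```

The thresholds are deliberately exposed as parameters: `min_ports` decides how many distinct ports count as a scan (a slow scan spread over hours will still accumulate), and `max_jitter` controls how regular the intervals must be before a flow is called a beacon. On a real capture, tune both against the normal-traffic baseline from Part 1 before trusting the output.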
Part 4: CLI analysis and reporting
- Generate statistics:
  ```bash
  tshark -r traffic_lab11.pcap -q -z io,phs
  tshark -r traffic_lab11.pcap -q -z conv,tcp
  tshark -r traffic_lab11.pcap -q -z endpoints,ip
  ```
- Identify top active IPs, DNS queries, most-used ports
- Document anomalies and discuss encryption’s impact on visibility
Submission
ZIP archive with:
- traffic_lab11.pcap and malicious_activity.pcap
- protocol_stats.txt
- Report (2-3 pages): protocol classification, deep analysis of 3 protocols, malicious traffic detection, CLI analysis, security reflection
Key concepts
| Term | Definition |
|---|---|
| Wireshark | Network traffic analysis tool with a graphical interface |
| Sniffing | Capture of network traffic passing through an interface |
| DNS | Protocol that translates domain names into IP addresses |
| ICMP | Network diagnostic protocol used by tools like ping |
| ARP | Protocol that resolves IP addresses to MAC addresses |
| IPS | Network intrusion detection/prevention systems |
Test yourself
- Analysis: You capture network traffic and observe hundreds of SYN packets from the same IP toward sequential ports without completing the TCP handshake. What is happening? What tool generates this?
- Protocols: Why is DNS never encrypted by default and what information does this expose? What solution exists (DoH, DoT)?
- Forensics: How would you use network analysis to reconstruct a data exfiltration? What evidence would you look for in the capture?