Network Analysis
Objectives: By the end of this topic, you will be able to…
- Capture network traffic with graphical and CLI tools
- Apply filters to focus analysis on relevant protocols
- Recognize normal and anomalous patterns
- Interpret basic network protocol headers
- Use network analysis to support security investigations
What is network analysis?
Network analysis is the process of capturing, inspecting, and interpreting traffic on a computer network. In cybersecurity, it allows analysts to detect active threats such as malware, port scans, or data exfiltration; identify vulnerabilities in configuration or the use of insecure protocols; reconstruct the timeline of an incident for forensic purposes; and audit network security from either an offensive or defensive perspective.
OSI and TCP/IP models (practical summary)
The most relevant layers for network analysis:
| OSI Layer | Example of practical use |
|---|---|
| Layers 1-2 (Physical / Data Link) | MAC addresses, ARP |
| Layer 3 (Network) | IP addresses, routing |
| Layer 4 (Transport) | TCP, UDP, ports |
| Layers 5-7 (Application) | HTTP, DNS, FTP |
These layers allow breaking down a packet to understand what is happening at each level.
Common protocols
| Protocol | Description |
|---|---|
| HTTP/HTTPS | Web browsing (ports 80/443) |
| DNS | Domain name resolution |
| FTP | File transfer (port 21), insecure by default |
| ICMP | Diagnostic messages (e.g., ping) |
| ARP | IP to MAC address resolution |
| SMB | File sharing on Windows networks |
| SSH | Secure remote access |
| Telnet | Remote access (insecure, unencrypted) |
Each protocol has its own structure, inspectable with Wireshark or tcpdump.
Sniffing and collection techniques
Sniffing consists of capturing network traffic passing through an interface. In passive capture, the analyst simply observes traffic without interacting — tools like tcpdump and Wireshark read packets as they flow by. ARP spoofing takes a more active approach, poisoning the ARP cache of nearby hosts to redirect their traffic through the attacker’s machine for interception (a man-in-the-middle attack). At the interface level, promiscuous mode causes a wired network card to capture all traffic on the segment, not just packets addressed to it; on Wi-Fi, monitor mode goes further, capturing frames from networks the adapter has not associated with.
Tools:
| Tool | Description |
|---|---|
tcpdump | Command-line, fast and flexible |
Wireshark | GUI for detailed visual inspection |
tshark | CLI version of Wireshark |
ettercap | MITM attacks and real-time analysis |
Recognizing malicious patterns
Through packet analysis, it is possible to identify suspicious activity. Network scans produce many packets directed at different ports or IP addresses in rapid succession — a SYN scan, for example, generates a stream of SYN packets to sequential ports from a single source IP, all without corresponding ACK replies from the initiator, making it easy to distinguish from normal connection attempts. Flooding attacks generate large volumes of ICMP, UDP, or SYN packets intended to exhaust resources. Unencrypted protocol abuse exposes credentials and session tokens to passive eavesdropping. Anomalous traffic patterns — connections to unusual ports, encrypted payloads inside plaintext protocols, or periodic beaconing at fixed intervals — often signal command-and-control activity. More specific indicators include communication with algorithmically generated domains (DGA), credentials transmitted in clear text, and packets with unusual TTL values or sizes that suggest tunneling or evasion.
Hands-on lab
Requirements: Kali Linux, Wireshark,
tcpdump,tshark,nmap, partner VM
Part 1: Traffic capture and classification
- Identify your active network interface:
ip addr show- Start capturing:
sudo tcpdump -i eth0 -w traffic_lab11.pcap- Generate diverse traffic (HTTP, DNS, ICMP):
curl http://example.com
dig www.github.com
ping -c 5 8.8.8.8- Open in Wireshark and classify by protocol using Statistics → Protocol Hierarchy
- Create a protocol classification table (5+ protocols)
? Which protocol accounted for the highest percentage of traffic in your capture? Does this match what you expected given the commands you ran?
Part 2: Deep protocol analysis
- Choose 3 protocols from your capture
- For each protocol, document: purpose, OSI layer, 4-6 key fields
- Use display filters:
tshark -r traffic_lab11.pcap -Y "dns" -T fields -e dns.qry.name -e dns.a
tshark -r traffic_lab11.pcap -Y "http.request" -T fields -e ip.src -e http.request.uri- Search for unencrypted data (HTTP POST, cookies, DNS queries)
? What sensitive information, if any, was visible in plaintext in your capture? How would the analysis change if all traffic were encrypted with TLS?
Part 3: Detecting malicious patterns
- Start capture on the TARGET system
- Perform a TCP SYN scan from the attacker:
sudo nmap -sS -T4 -p 1-1000 TARGET_IP- Analyze scan traffic with filter:
tcp.flags.syn == 1 and tcp.flags.ack == 0
- Count SYN packets by source:
tshark -r malicious_activity.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src | sort | uniq -c | sort -rn- Create comparison table: normal traffic vs malicious scan
? What distinguishes the SYN scan traffic from normal TCP connections in your capture? Would this pattern be obvious enough to trigger an automated IDS alert?
Part 4: CLI analysis and reporting
- Generate statistics:
tshark -r traffic_lab11.pcap -q -z io,phs
tshark -r traffic_lab11.pcap -q -z conv,tcp
tshark -r traffic_lab11.pcap -q -z endpoints,ip- Identify top active IPs, DNS queries, most-used ports
- Document anomalies and discuss encryption’s impact on visibility
? Which endpoints generated the most traffic in your analysis? What threshold or pattern would you use as a detection rule in a real network monitoring environment?
Submission
ZIP archive with:
traffic_lab11.pcapandmalicious_activity.pcapprotocol_stats.txt- Report (2-3 pages): protocol classification, deep analysis of 3 protocols, malicious traffic detection, CLI analysis, security reflection
Key concepts
| Term | Definition |
|---|---|
| Wireshark | Network traffic analysis tool with a graphical interface |
| Sniffing | Capture of network traffic passing through an interface |
| DNS | Protocol that translates domain names into IP addresses |
| ICMP | Network diagnostic protocol used by tools like ping |
| ARP | Protocol that resolves IP addresses to MAC addresses |
| IPS | Network intrusion detection/prevention systems |