This chapter covers network forensics with a focus on packet capture (PCAP) analysis—a critical skill for the CS0-003 exam's Incident Response domain (Objective 3.3). You will learn how to capture, filter, and analyze network traffic to identify malicious activity, reconstruct attacks, and provide evidence for incident reports. Approximately 10-15% of exam questions touch on packet analysis tools, PCAP file formats, and common forensic techniques. Mastery of this topic directly supports the IR process phases: Detection & Analysis, Containment, and Post-Incident Activity.
Imagine you are an aviation safety investigator analyzing a flight recorder (black box) after an incident. The recorder captures every parameter—altitude, airspeed, engine RPM, control surface positions, radio communications—at precise timestamps. When something goes wrong (e.g., a stall), you rewind the tape to the moments before the event. You correlate the pilot's control inputs with the aircraft's responses, the engine data, and external conditions. Each data point is timestamped to millisecond accuracy. You can filter for specific parameters (e.g., only engine data) or zoom into a 10-second window around the anomaly. The recorder does not interpret events—it only preserves raw data. Your job is to reconstruct the sequence, identify the root cause (e.g., pilot error vs. mechanical failure), and produce evidence for a report. Similarly, packet capture (PCAP) is a 'flight recorder' for network traffic. It records every packet that traverses a link, with precise timestamps, preserving the raw binary data. Analysts use tools like Wireshark or tcpdump to 'replay' the traffic, filter for specific protocols or addresses, and identify malicious activity, misconfigurations, or performance issues. Just as the flight recorder cannot tell you why the pilot pushed the yoke forward—only that they did—PCAP cannot interpret intent; it only shows what happened on the wire. The analyst must correlate packets, reconstruct conversations, and derive conclusions. In both cases, the quality of evidence depends on the capture point (e.g., near the cockpit vs. near the tail) and the completeness of the recording (e.g., full payload vs. truncated headers).
What is Network Forensics and Why Packet Capture?
Network forensics is the process of capturing, recording, and analyzing network traffic to investigate security incidents. Unlike host-based forensics (disk images, memory dumps), network forensics focuses on data in transit. Packet capture (PCAP) is the raw recording of network packets at a specific point in the network. The PCAP format (pcap/pcapng) is defined by libpcap (RFC 4761 for pcapng). The CS0-003 exam expects you to understand that PCAPs are the primary source of evidence for network-based attacks (e.g., scanning, exploitation, C2 communication).
How Packet Capture Works Internally
When a packet traverses a network interface, the NIC receives the electrical/optical signal and converts it into a digital frame. The operating system's network stack processes the frame up to the protocol layer where the capture tool intercepts it. Tools like tcpdump and Wireshark use the libpcap library to place the NIC into promiscuous mode (or monitor mode for wireless). In promiscuous mode, the NIC passes all frames—not just those addressed to its MAC—to the OS. The capture filter (e.g., 'tcp port 80') is applied via BPF (Berkeley Packet Filter) bytecode. BPF is a virtual machine that evaluates each packet against the filter expression before copying the packet to user space. This minimizes overhead. The captured packets are written to a file in pcap or pcapng format. pcapng (the newer format) supports multiple interfaces, nanosecond timestamps, and optional comments. The default pcap format uses microsecond timestamps and a simple header structure: global header (24 bytes) followed by packet records (16-byte header + packet data).
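The header layout just described, as an added example that is not part of this chapter: a small Python reader for the classic pcap format that detects byte order from the magic number, decodes the 24-byte global header and each 16-byte record header, and flags records whose payload was cut short by the snaplen. The two-packet file it parses is constructed inline.

```python
import struct
from dataclasses import dataclass

# Classic pcap magic values; pcapng uses a block-based layout not handled here.
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps (the default format)
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant of classic pcap
GLOBAL_HDR_LEN = 24            # global header size
RECORD_HDR_LEN = 16            # per-packet record header size


@dataclass
class PcapHeader:
    byte_order: str    # struct prefix: '<' little-endian or '>' big-endian
    nanosecond: bool
    version: tuple
    snaplen: int       # maximum bytes stored per packet
    linktype: int      # 1 = Ethernet


@dataclass
class PacketRecord:
    timestamp: float   # seconds since epoch, fraction from ts_usec/ts_nsec
    incl_len: int      # bytes stored in the file
    orig_len: int      # bytes originally on the wire
    data: bytes
    truncated: bool    # incl_len < orig_len: payload cut by snaplen


def parse_global_header(buf):
    """Decode the 24-byte global header, detecting byte order from the magic."""
    if len(buf) < GLOBAL_HDR_LEN:
        raise ValueError("file shorter than the 24-byte pcap global header")
    order = None
    for candidate in ("<", ">"):
        magic = struct.unpack(candidate + "I", buf[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            order = candidate
            break
    if order is None:
        raise ValueError("not a classic pcap file (unknown magic)")
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", buf[4:GLOBAL_HDR_LEN])
    return PcapHeader(order, magic == PCAP_MAGIC_NSEC, (major, minor),
                      snaplen, linktype)


def iter_records(buf, hdr):
    """Walk the 16-byte record headers and packet data after the global header."""
    off = GLOBAL_HDR_LEN
    divisor = 1e9 if hdr.nanosecond else 1e6
    while off < len(buf):
        if off + RECORD_HDR_LEN > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            hdr.byte_order + "IIII", buf[off:off + RECORD_HDR_LEN])
        if incl_len > hdr.snaplen:
            raise ValueError("record at offset %d exceeds snaplen" % off)
        start, end = off + RECORD_HDR_LEN, off + RECORD_HDR_LEN + incl_len
        if end > len(buf):  # capture killed mid-write rather than stopped cleanly
            raise ValueError("packet data runs past end of file at offset %d" % off)
        yield PacketRecord(ts_sec + ts_frac / divisor, incl_len, orig_len,
                           buf[start:end], incl_len < orig_len)
        off = end


def summarize(buf):
    """Triage counts: records in the file and how many lost payload to snaplen."""
    hdr = parse_global_header(buf)
    records = list(iter_records(buf, hdr))
    return {"packets": len(records), "snaplen": hdr.snaplen,
            "linktype": hdr.linktype, "nanosecond": hdr.nanosecond,
            "truncated": sum(1 for r in records if r.truncated)}


def build_sample_pcap():
    """Constructed two-packet file: little-endian, microseconds, snaplen 256."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 256, 1)
    # A 60-byte frame stored whole, then a 1500-byte frame cut to 256 bytes.
    rec1 = struct.pack("<IIII", 1700000000, 1000, 60, 60) + b"\x00" * 60
    rec2 = struct.pack("<IIII", 1700000001, 2000, 256, 1500) + b"\xff" * 256
    return hdr + rec1 + rec2
```

Running `summarize(open("capture.pcap", "rb").read())` on a real capture tells you at once whether the snaplen you chose in step 2 threw away payload.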
Key Components, Values, and Defaults
Promiscuous mode: Required to capture traffic not destined to the host's MAC. Without it, you only see broadcast/multicast and your own traffic.
Monitor mode: For wireless captures; captures 802.11 frames including management and control frames.
Snaplen: Maximum bytes captured per packet. Default is 65535 (full packet). Setting a smaller snaplen (e.g., 256) reduces file size but loses payload data.
Buffer size: libpcap uses a kernel buffer to avoid drops. Default is often 2 MB. High-traffic links may need larger buffers (set via -B on tcpdump).
Time precision: pcapng supports nanosecond resolution; older pcap uses microseconds. The exam may ask about timestamp accuracy for evidence integrity.
BPF syntax: Common filters: 'host 10.0.0.1', 'tcp port 443', 'icmp', 'not arp'. Complex filters can use logical operators: 'src net 192.168.0.0/16 and (dst port 80 or dst port 443)'.
Configuration and Verification Commands
tcpdump (Linux/macOS):
Capture all traffic on eth0: tcpdump -i eth0 -w capture.pcap
Capture with a filter: tcpdump -i eth0 -w http.pcap 'port 80'
Read a PCAP: tcpdump -r capture.pcap
Read with hex dump: tcpdump -r capture.pcap -X
Set snaplen: tcpdump -i eth0 -s 256 -w small.pcap
Use a larger buffer: tcpdump -i eth0 -B 4096 -w big.pcap
Wireshark:
GUI-based; supports hundreds of display filters (e.g., http.request, tcp.analysis.flags).
Statistics menu: Protocol Hierarchy, Conversations, Endpoints, IO Graph.
Follow TCP/UDP/TLS stream to reassemble application data.
Export objects (HTTP, SMB, etc.) via File > Export Objects.
tshark (CLI Wireshark):
Read PCAP: tshark -r capture.pcap
Apply display filter: tshark -r capture.pcap -Y 'http.request'
Extract fields: tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e http.request.uri
Interaction with Related Technologies
NetFlow/IPFIX: Flow-level summaries (not full packets). PCAP provides full payload; NetFlow provides metadata (src/dst IP, ports, protocol, bytes). Use both: NetFlow for trend analysis, PCAP for deep dive.
IDS/IPS (Snort, Suricata): These tools generate alerts based on packet content. PCAP can be replayed through Snort to test signatures. Conversely, IDS alerts often reference PCAP timestamps for correlation.
SIEM: PCAPs can be ingested via tools like Moloch/Arkime or Elastic Stack. PCAPs provide raw evidence that SIEM logs lack.
TLS/SSL: Capturing encrypted traffic shows only the handshake and the encrypted payload. To inspect content, you need the session keys (e.g., logged by the client via SSLKEYLOGFILE) or a man-in-the-middle proxy. The exam may ask about limitations of PCAP with encrypted traffic.
Advanced Analysis Techniques
Protocol dissection: Wireshark parses hundreds of protocols. Verify that the correct protocol dissector is used (e.g., if traffic is on a non-standard port, use Decode As...).
Conversation reconstruction: Use 'Follow TCP Stream' to see the full application-layer conversation. For UDP, use 'Follow UDP Stream' (but it may include unrelated packets).
Statistical analysis: IO Graph shows throughput over time. Expert Info (Wireshark) highlights errors (e.g., retransmissions, duplicate ACKs).
Extracting files: Use 'Export Objects' for HTTP, SMB, or TFTP. For other protocols, use 'raw' export via tshark.
Time-based analysis: Compare timestamps from different sources. NTP synchronization is critical for correlation. The exam may test that clock skew can invalidate evidence.
Common Pitfalls in Packet Capture
Capture location: Capturing on the wrong segment misses traffic. For example, capturing on a mirror port that only sees the server's outgoing traffic may miss client requests.
Overrun drops: If the capture buffer overflows, packets are dropped. Monitor for 'dropped' counters in tcpdump: tcpdump -i eth0 -v shows dropped packets.
Truncation: Using a small snaplen cuts payload; you lose application data. Always use snaplen 0 (full) unless storage is critical.
Time synchronization: Without NTP, timestamps from different captures are not comparable. Use the same NTP source for all capture devices.
Legal issues: Capturing traffic without authorization may violate wiretap laws. Always have proper authorization and scope.
1. Identify the Capture Point
Determine where to capture packets based on the incident scope. For a suspected malware beacon, capture at the egress point (firewall, router). For internal lateral movement, capture on the switch port of the affected host. Use SPAN (Switched Port Analyzer) or TAP (Test Access Point) to mirror traffic. A SPAN port may drop packets under load; a TAP is passive and more reliable. In cloud environments, use VPC traffic mirroring (AWS) or packet capture agent (Azure). The exam may ask which capture method provides the most accurate copy (TAP) and which may drop packets (SPAN).
2. Configure Capture Parameters
Set the interface, filter, snaplen, and output file. Use BPF filters to reduce file size and focus on suspicious traffic. For example, capture only traffic to/from a known malicious IP: `tcpdump -i eth0 -w incident.pcap 'host 203.0.113.5'`. Set snaplen to 0 (full capture) unless storage is limited. Use a reasonable buffer size (e.g., -B 4096 for 4 MB). On high-throughput links (1 Gbps+), consider using multiple capture processes or specialized hardware (e.g., Endace). Document capture start time and duration for chain of custody.
3. Acquire the Capture
Run the capture tool with chosen parameters. Monitor for dropped packets using tcpdump's verbose output (`tcpdump -v` shows dropped count). If drops occur, increase buffer size or reduce snaplen. Capture duration depends on incident: a short burst (few minutes) for active attack, longer (hours) for beaconing. Stop the capture gracefully (Ctrl+C) to avoid corruption. Verify the file integrity using md5sum or sha256sum. Record the hash in the incident log.
4. Initial Triage with Statistics
Open the PCAP in Wireshark or tshark. Use Statistics > Protocol Hierarchy to see which protocols dominate. A high percentage of TCP retransmissions or ICMP errors may indicate scanning or network issues. Use Statistics > Conversations to see top talkers. Look for unusual external IPs with high byte counts. Use IO Graph (1 sec interval) to identify spikes in traffic. For example, a sudden spike in outbound DNS queries every 60 seconds suggests DNS tunneling. Document anomalies for further analysis.
5. Filter and Drill Down
Apply display filters to isolate suspicious traffic. Common filters: `ip.addr == 203.0.113.5` (all traffic to/from IP), `tcp.port == 4444` (non-standard port), `http.request` (HTTP requests), `dns.qry.name contains ".xyz"` (suspicious domain). Use logical operators: `(ip.src == 10.0.0.1 and ip.dst == 203.0.113.5) or (ip.src == 203.0.113.5 and ip.dst == 10.0.0.1)`. For large PCAPs, use tshark to extract specific fields: `tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e dns.qry.name > queries.txt`. This step isolates the attack traffic from benign noise.
6. Reconstruct Conversations
Use 'Follow TCP Stream' (Wireshark) to view the full application-layer dialogue. For HTTP, you see request headers, body, and response. For malware C2, look for HTTP POSTs with encrypted payloads. For DNS tunneling, examine TXT query responses for encoded data. If the payload is encrypted, look for SSL/TLS handshake details: certificate issuer, cipher suite, SNI. Reconstructing conversations reveals the attacker's commands and exfiltrated data. Save the reconstructed stream as a text file for evidence.
7. Extract Artifacts
Extract files transferred over protocols like HTTP, SMB, or SMTP. In Wireshark, use File > Export Objects > HTTP to save all transferred files. For SMB, export objects from the SMB protocol. Use tshark for automation: `tshark -r capture.pcap --export-objects http,./extracted`. Scan extracted files with antivirus or analyze them in a sandbox. Also extract IP addresses, domain names, and user agents for IOC creation. Record MD5/SHA256 hashes of extracted malware for threat intelligence sharing.
8. Document Findings
Create a forensic report that includes: capture metadata (date, time, location, tool), summary of findings, key packet numbers, screenshots of relevant streams, and extracted artifacts. Use Wireshark's 'Print' feature to generate a PDF of selected packets. Include timestamps in UTC. For chain of custody, document who performed the capture, how the file was stored, and any hash values. The report should support the incident response timeline and provide evidence for legal or compliance purposes.
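Steps 4 and 5 automated, as an added example that is not from this chapter: the script takes the tab-separated output of `tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields -e frame.time_epoch -e ip.src -e dns.qry.name` and flags any source that queries one domain at a near-constant interval, the 60-second pattern step 4 describes, reporting the period, jitter and average length of the leftmost label. The sample lines, hosts and domain are constructed placeholders.

```python
import statistics
from collections import defaultdict

# Constructed sample of tshark field output (frame.time_epoch, ip.src,
# dns.qry.name, tab-separated). Hosts and domains are placeholders, not IOCs.
SAMPLE_TSHARK_OUTPUT = """\
1700000000.102\t10.0.0.15\t8f3a9c0d4b2e7f11a6c5d2e9b0f4.c2-example.xyz
1700000010.411\t10.0.0.20\twww.example.com
1700000060.098\t10.0.0.15\t1e7b44d0a9c2f36e5d8b1a07c4e2.c2-example.xyz
1700000075.930\t10.0.0.20\tcdn.example.net
1700000120.105\t10.0.0.15\t5c2d9e1f7a3b6c04d8e2f1a9b7c3.c2-example.xyz
1700000180.101\t10.0.0.15\t0a1b2c3d4e5f60718293a4b5c6d7.c2-example.xyz
1700000193.002\t10.0.0.20\twww.example.com
1700000240.099\t10.0.0.15\tb7e9d1f3a5c7e90213f4a6b8c0d2.c2-example.xyz
1700000300.103\t10.0.0.15\t3f9a7c5e1d0b2846a9c7e5f3d1b0.c2-example.xyz
"""


def registered_domain(qname, labels=2):
    """Collapse a query name to its last `labels` labels (crude; no suffix list)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def parse_tshark_fields(text):
    """Parse tab-separated field lines into (epoch_seconds, src_ip, query_name)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split("\t")
        rows.append((float(ts), src, qname))
    return rows


def find_beacons(rows, min_queries=5, max_jitter=0.05):
    """Flag (source, domain) pairs queried at a near-constant interval.

    jitter = largest deviation of any gap from the median gap, as a fraction
    of the median; a sleep-timer beacon stays far below 5%, browsing does not.
    """
    groups = defaultdict(list)
    for ts, src, qname in rows:
        groups[(src, registered_domain(qname))].append((ts, qname))
    findings = []
    for (src, domain), entries in groups.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        times = [t for t, _ in entries]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter > max_jitter:
            continue
        # Long leftmost labels are the second tunneling hint from step 6.
        mean_label = statistics.mean(len(q.split(".")[0]) for _, q in entries)
        findings.append({"src": src, "domain": domain, "count": len(entries),
                         "period_s": round(period, 3), "jitter": round(jitter, 4),
                         "mean_first_label_len": round(mean_label, 1)})
    return findings


def triage(text=SAMPLE_TSHARK_OUTPUT):
    """Run the parse-and-detect pipeline; pass the contents of queries.txt."""
    return find_beacons(parse_tshark_fields(text))
```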
Enterprise Scenario 1: Ransomware Investigation
A hospital's IT team detects encryption activity on a file server. The incident response team captures traffic at the network gateway using a TAP. They filter for SMB traffic to the file server IP and see a series of SMB2 Write requests overwriting files with a random extension. By following the SMB stream, they identify the source workstation IP and the user account that initiated the encryption. They also extract a sample of the encrypted file via Export Objects. The PCAP shows the ransomware binary downloaded from a remote server over HTTP—the URL is visible in the HTTP request. The team blocks the C2 IP at the firewall and uses the PCAP to identify other potentially infected hosts that communicated with the same IP. The hospital's security team uses this evidence to contain the outbreak and file a report for law enforcement.
Enterprise Scenario 2: Insider Data Exfiltration
A financial institution suspects an employee is stealing customer data. The security team deploys a temporary SPAN port on the employee's switch port. They capture traffic for 48 hours. Using Wireshark's Conversations window, they see large outbound data transfers to a personal cloud storage service (e.g., Dropbox). Filtering on HTTPS, they cannot see the content, but the volume (several GB) and timing (after hours) are suspicious. They also see the employee's machine performing DNS queries for a personal domain. The team correlates the PCAP timestamps with badge access logs to confirm the employee was at their desk during the transfers. The evidence is used in disciplinary proceedings. The lesson: PCAP can prove data volume and destination even if payload is encrypted.
Common Pitfalls in Production
SPAN port oversubscription: A 1 Gbps SPAN port cannot handle 10 Gbps traffic aggregated from multiple ports. Packets are dropped. Always monitor dropped counters. Use a TAP for high-speed links.
Time sync: Without NTP, timestamps from different captures may drift. For legal admissibility, ensure all capture devices are synchronized to the same NTP server.
Storage: Full packet capture on a busy link generates terabytes per day. Use rolling captures (e.g., 1-hour files) and retention policies. Consider using capture appliances with compression.
Encrypted traffic: Increasingly, traffic is encrypted (HTTPS, QUIC). PCAP shows metadata only. To inspect content, use SSL interception proxies (with user consent) or endpoint agents that capture before encryption.
What CS0-003 Tests on Packet Capture Analysis
The exam focuses on practical analysis skills rather than deep protocol theory. Objective 3.3 (Incident Response) includes: 'Given a scenario, analyze network traffic to detect and investigate security incidents.' Expect questions that present a PCAP excerpt (textual representation) or describe a capture scenario. You must identify the attack type (e.g., port scan, brute force, beaconing) and recommend next steps.
Most Common Wrong Answers
Choosing a display filter over a capture filter: The exam may ask: 'To reduce the size of a PCAP file while capturing, what should you use?' Many candidates answer 'display filter' because Wireshark uses display filters. But capture filters (BPF) are applied before writing to disk; display filters only hide packets in the GUI. Capture filters reduce file size; display filters do not.
Assuming promiscuous mode is always needed: For traffic to/from the capture host, promiscuous mode is not required. The exam may describe a scenario where the analyst captures on the same host that generates traffic—promiscuous mode is unnecessary. Candidates often think it's always required.
Misinterpreting timestamp resolution: The exam may show two PCAPs with different timestamps and ask why they don't align. The answer could be different time zones or lack of NTP. Candidates may blame packet loss instead.
Confusing pcap and pcapng: pcapng supports nanosecond timestamps and multiple interfaces; pcap does not. If the exam asks which format is needed for nanosecond precision, the answer is pcapng.
Specific Numbers and Terms on the Exam
Default snaplen: 65535 bytes (full packet). The exam may ask: 'What is the maximum snaplen value in tcpdump?' Answer: 0 (which means full packet, same as 65535).
BPF syntax: Know that 'host' filters IP address, 'port' filters layer 4 port, 'src' and 'dst' qualify direction. The exam may give a filter like 'tcp port 80 and not arp' and ask what it captures.
Promiscuous mode vs. monitor mode: Promiscuous is for wired Ethernet; monitor mode is for wireless 802.11. The exam may ask which mode captures management frames.
Dropped packets: tcpdump reports dropped packets in its output. If drops are high, increase buffer size (-B). The exam may ask: 'Which parameter should be increased to reduce packet loss?' Answer: buffer size.
Edge Cases and Exceptions
VLAN tags: PCAPs may include 802.1Q headers. Wireshark shows the VLAN ID in the frame header. The exam may present a PCAP with VLAN tagging and ask which VLAN the traffic belongs to.
MPLS: MPLS labels appear between layer 2 and 3. Wireshark can decode MPLS if the dissector is enabled. The exam may test that MPLS is not IP routing.
IPv6 fragmentation: IPv6 uses extension headers instead of fragmentation fields. The exam may ask how to filter for fragmented IPv6 packets.
Tunneling: GRE, IP-in-IP, or VXLAN encapsulation. The exam may present a packet with an outer IP header and an inner IP header. You must recognize that the inner packet is the payload.
How to Eliminate Wrong Answers
Always consider the capture point: if the analyst is capturing on a switch SPAN port, they see all traffic to/from that VLAN. If they are capturing on a specific host, they only see traffic to/from that host (unless promiscuous mode is enabled). For questions about reducing file size, the answer is always a capture filter, not a display filter. For questions about evidence integrity, look for options related to hash verification, chain of custody, or timestamp synchronization.
Packet capture (PCAP) is the primary source of evidence for network-based attacks; always capture at the appropriate point (TAP preferred over SPAN for high-speed links).
Capture filters (BPF) reduce file size and are applied before writing; display filters only affect what is shown in the GUI.
Default snaplen is 65535 bytes; use snaplen 0 for full packet capture. Smaller snaplen truncates payloads.
Promiscuous mode is for wired Ethernet; monitor mode is for wireless. Monitor mode captures management and control frames.
tcpdump -v shows dropped packet counts; increase buffer size (-B) to reduce drops.
pcapng supports nanosecond timestamps and multiple interfaces; pcap uses microsecond timestamps and a single interface.
Always hash PCAP files (MD5/SHA256) and document chain of custody for legal admissibility.
Encrypted traffic (HTTPS, TLS) cannot be inspected unless you have the decryption keys or use a proxy.
Use 'Follow TCP Stream' in Wireshark to reassemble application-layer conversations; it removes retransmissions and duplicates.
Time synchronization via NTP is critical for correlating PCAPs from multiple sources.
These come up on the exam all the time. Here's how to tell them apart.
Capture Filter (BPF)
Applied before capture; reduces file size
Uses BPF syntax (e.g., 'host 10.0.0.1')
Cannot filter on application-layer fields (e.g., HTTP methods)
Faster because packets are discarded early
Used in tcpdump, tshark -f option
Display Filter (Wireshark)
Applied after capture; does not reduce file size
Uses Wireshark display filter syntax (e.g., 'ip.addr == 10.0.0.1')
Can filter on any dissected field (e.g., http.request.method == GET)
Slower because all packets must be processed
Used in Wireshark GUI, tshark -Y option
Mistake
Promiscuous mode is required to see any traffic not destined to the host's MAC address.
Correct
Promiscuous mode allows the NIC to pass all frames, but it only works on wired Ethernet. For wireless, you need monitor mode. Also, on a switch, promiscuous mode on a host still only sees its own traffic and broadcast/multicast unless the switch port is configured as a SPAN port or the network uses hubs.
Mistake
A display filter reduces the size of a PCAP file when applied during capture.
Correct
Display filters only affect what is shown in the GUI; they do not change the underlying PCAP file. To reduce file size during capture, you must use a capture filter (BPF) which discards unwanted packets before writing to disk.
Mistake
tcpdump can capture traffic on any interface without special privileges.
Correct
tcpdump requires root or CAP_NET_RAW capability to put the interface into promiscuous mode and access raw packets. Without root, tcpdump may fail or only capture on interfaces that are already in promiscuous mode.
Mistake
PCAP files always contain the full packet payload.
Correct
The snaplen parameter determines how many bytes of each packet are captured. If snaplen is set to a small value (e.g., 68), only the headers are captured and the payload is truncated. The default snaplen is 65535 (full packet), but it can be changed.
Mistake
Wireshark's 'Follow TCP Stream' shows all packets in the conversation, including retransmissions.
Correct
'Follow TCP Stream' reassembles the application-layer data by ordering packets by sequence number and removing duplicates and retransmissions. It shows the data as it would appear at the application layer, not the raw packets.
A capture filter is applied before packets are written to disk, using BPF syntax (e.g., 'host 10.0.0.1'). It reduces the file size by discarding unwanted packets. A display filter is applied after capture, using Wireshark's filter language (e.g., 'ip.addr == 10.0.0.1'). It only hides packets from view but does not remove them from the file. For exam purposes, remember that capture filters are used to limit what is captured, while display filters are used for analysis.
You cannot capture all traffic on a switch by simply plugging in a laptop because switches only forward frames to the port that matches the destination MAC. To capture all traffic, you must configure a SPAN (Switched Port Analyzer) port on the switch that mirrors traffic from one or more source ports to a destination port where your capture device is connected. Alternatively, use a network TAP (Test Access Point) which is a passive device that copies all traffic passing through it. TAPs are preferred because they do not introduce latency or packet loss under load.
Promiscuous mode tells the network interface card (NIC) to pass all frames it receives to the operating system, not just those addressed to its MAC address or broadcast/multicast. It is needed when you want to capture traffic not destined to your host, such as when connected to a hub or a SPAN port. On a switch, promiscuous mode alone is insufficient; you still need the switch to send you the traffic (via SPAN). For wireless, you need monitor mode instead of promiscuous mode.
Use a capture filter (BPF) to discard packets you don't need. For example, `tcpdump -i eth0 -w out.pcap 'port 80'` captures only HTTP traffic. You can also reduce the snaplen (e.g., `-s 256`) to capture only the first 256 bytes of each packet, but this truncates payloads. Another option is to use a rolling file approach with `-C` (file size limit) and `-W` (number of files) in tcpdump. Do not rely on display filters to reduce file size—they only affect the view.
The default snaplen in tcpdump is 65535 bytes, which is enough to capture the entire packet for most networks (Ethernet MTU is 1500 bytes). A snaplen of 0 means 'use the default' (65535). Some older versions treat 0 as 'unlimited' but modern implementations treat it as the default. To capture full packets, you can use `-s 0` or omit the -s option. Setting a smaller snaplen (e.g., 68) captures only the headers and is useful when you only need layer 3/4 information.
In Wireshark, go to File > Export Objects and select the protocol (HTTP, SMB, TFTP, etc.). Wireshark will list all objects transferred over that protocol (e.g., files downloaded via HTTP). You can save selected objects or all of them. For HTTP, this works for both requests and responses. For other protocols, you may need to use tshark: `tshark -r capture.pcap --export-objects http,./extracted`. Extracted files can be scanned for malware or analyzed further.
Expert Info (Analyze > Expert Info) is a feature that automatically detects and categorizes anomalies in the capture, such as TCP retransmissions, duplicate ACKs, zero windows, or malformed packets. It is useful for quickly identifying network issues or suspicious behavior. For example, a high number of TCP retransmissions may indicate packet loss or a scanning tool. On the exam, you may be asked to use Expert Info to find errors in a PCAP.