This chapter covers network forensics and packet analysis, critical skills for investigating security incidents and understanding network-based attacks. For SY0-701, this maps to Objective 4.8 (Explain appropriate techniques used in forensic investigations) under Domain 4.0 (Security Operations). Mastering packet analysis enables you to identify malicious traffic, reconstruct attack timelines, and preserve evidence in a forensically sound manner. This chapter provides the technical depth needed to analyze real captures and answer exam scenario questions confidently.
Jump to a section
Imagine a corporate mailroom that processes thousands of letters daily. The mailroom clerk (network capture tool) logs every envelope that passes through: sender address (source IP), recipient address (destination IP), postmark date (timestamp), envelope size (packet length), and service class (protocol). Normally, the clerk just sorts and forwards mail. But when a security incident occurs—say, an anonymous threatening letter arrives—the investigator retrieves the mailroom log (packet capture) to reconstruct what happened. The investigator examines each envelope’s metadata: the sender’s return address might be forged (spoofed IP), the postmark might show a different origin (traceroute), or the envelope might contain a hidden compartment (encapsulated payload). By correlating timestamps with building access logs (network logs), the investigator can pinpoint who delivered the letter and when. The investigator also uses a magnifying glass (protocol analyzer) to read the letter’s contents without damaging the envelope (deep packet inspection). If the letter is in a foreign language (encrypted traffic), the investigator must find the decryption key or rely on metadata analysis. This mailroom analogy mirrors network forensics: capturing raw traffic, preserving its integrity, extracting evidence, and reconstructing events to identify the attacker’s actions.
What is Network Forensics?
Network forensics is a sub-branch of digital forensics that focuses on monitoring, capturing, storing, and analyzing network traffic to detect intrusions, investigate incidents, and gather evidence. Unlike host-based forensics (examining hard drives or memory), network forensics deals with volatile, transient data—packets that exist only for milliseconds. The primary goal is to answer: who communicated with whom, when, what data was transferred, and what actions were taken. For SY0-701, you must understand the tools, methodologies, and legal considerations for network evidence collection.
The Forensic Process in Network Analysis
The standard forensic process—identification, preservation, collection, examination, analysis, and reporting—applies to network forensics with some adaptations:
Identification: Recognize that an incident has occurred (e.g., IDS alert, user report). Determine the scope—which systems, time window, and types of traffic are relevant.
Preservation: Immediately isolate the network segment or system to prevent evidence tampering. For network captures, this means starting a packet capture (pcap) on a span port or network TAP (Test Access Point) before evidence is overwritten.
Collection: Gather all relevant network data: full packet captures, netflow records, firewall logs, proxy logs, and DHCP logs. Use tools like tcpdump, Wireshark, or commercial appliances. Ensure chain of custody for the capture files.
Examination: Extract and filter data using Wireshark display filters, tshark, or custom scripts. Look for anomalies: unusual ports, suspicious payloads, malformed packets, or known attack signatures.
Analysis: Correlate events across multiple data sources. Reconstruct the attack timeline. For example, an attacker might perform a port scan (detected by firewall logs), then exploit a vulnerable service (visible in pcap), then exfiltrate data (seen as large outbound transfers).
Reporting: Document findings in a clear, reproducible manner. Include screenshots of key packets, hashes of capture files, and conclusions. Reports must be admissible in court, so use forensically sound procedures.
Key Components of Packet Analysis
Packet Capture (pcap): A file format (libpcap) that stores captured network packets. Common tools: tcpdump (command-line), Wireshark (GUI), and tshark (command-line Wireshark).
Network TAP: A hardware device that copies traffic between two network points without interfering with the live link. Provides a true copy of all traffic, including errors.
SPAN Port (Port Mirror): A switch configuration that copies traffic from one or more ports to a monitoring port. Can drop packets under high load because it uses the switch CPU.
Flow Data (NetFlow, sFlow, IPFIX): Summarized metadata about flows (source/dest IP, ports, protocol, packet count, byte count). Useful for trend analysis and detecting large transfers, but not full payload.
Deep Packet Inspection (DPI): Examining the payload beyond headers. Can identify application-layer protocols (e.g., HTTP, DNS, FTP) even if they use non-standard ports.
How Attackers Exploit Network Traffic (and How Forensics Catches Them)
Attackers know that network forensics can reveal their activities, so they employ evasion techniques:
Encryption (TLS/SSL): Hides payload content. However, metadata (IP addresses, timing, certificate details) remains visible. DNS over HTTPS (DoH) can hide DNS queries. Forensics can still analyze handshake parameters and certificate fingerprints.
IP Spoofing: Forging the source IP address to hide the true origin. In response, the attacker cannot complete a TCP handshake (unless on-path). Forensics can trace back using router logs and timing analysis.
Fragmentation: Splitting malicious payload across multiple small packets to evade signature-based detection. Reassembling fragments in Wireshark (IP defragmentation) reveals the full payload.
Encapsulation/Tunneling: Hiding traffic inside another protocol (e.g., HTTP over SSH, DNS tunneling). Wireshark can decode tunneled protocols if the encapsulation is known. For DNS tunneling, look for excessive TXT queries with random subdomains.
Protocol Obfuscation: Using non-standard ports or encoding payloads (Base64, XOR). DPI can detect patterns like repeated byte sequences or entropy anomalies.
Real Command and Tool Examples
Capturing traffic with tcpdump:
sudo tcpdump -i eth0 -w capture.pcap -s 0 -C 100 -W 5-i eth0: interface to capture
-w capture.pcap: write to file
-s 0: snapshot length (65535 bytes, full packet)
-C 100: rotate file every 100 MB
-W 5: keep 5 files (circular buffer)
Filtering with tshark:
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri-r: read capture file
-Y: display filter (Wireshark syntax)
-T fields: output specific fields
-e: extract field
Analyzing with Wireshark:
- Display filter: ip.addr == 192.168.1.100 and tcp.port == 80
- Follow TCP stream: Right-click packet → Follow → TCP Stream
- Export objects: File → Export Objects → HTTP (extract files transferred)
NetFlow analysis with nfdump:
nfdump -R /path/to/nfcapd/ -s ip/bytes -n 10-R: read recursively
-s ip/bytes: sort by bytes
-n 10: top 10 flows
Legal and Ethical Considerations
Network forensics often involves capturing traffic that may contain private communications. For SY0-701, you must know: - Authorization: Only capture traffic on networks you own or have explicit permission to monitor. Unauthorized interception violates wiretapping laws (e.g., ECPA in the US). - Chain of Custody: Document every transfer of evidence. Use cryptographic hashes (SHA-256) to verify integrity. - Privacy: Minimize capture scope. Use filters to collect only relevant traffic. Anonymize data when possible. - Retention Policies: Keep captures only as long as needed for investigation or compliance. Securely delete after use.
Common Pitfalls in Network Forensics
Incomplete Capture: Starting capture after the incident; missing initial compromise. Always capture continuously (circular buffer) on critical segments.
Overwhelming Data: Capturing everything without filters leads to terabytes of noise. Use targeted captures based on indicators.
Assuming Integrity: Network captures can be tampered with if the capture system is compromised. Verify hashes and use write-blockers.
Misinterpreting Timestamps: Different devices may have clock skew. Normalize timestamps to UTC.
SY0-701 Specifics
For the exam, focus on: - Purpose of packet analysis: Detecting anomalies, reconstructing attacks, extracting malware, identifying exfiltration. - Tools: Wireshark (display filters, follow stream), tcpdump, tshark, NetFlow analyzers. - Key concepts: PCAP, span port vs TAP, flow data, DPI, chain of custody, hashing for integrity. - Common attacks visible in packet analysis: ARP spoofing, DNS poisoning, SYN flood, HTTP/SQL injection, TLS interception. - Legal concerns: Authorization, privacy, chain of custody.
Summary
Network forensics is essential for incident response. By capturing and analyzing packets, you can uncover attacker actions that host-based forensics might miss. Mastery of tools like Wireshark and understanding of forensic procedures will serve you well in both the exam and real-world investigations.
Identify Incident and Scope
When a security incident is reported (e.g., IDS alert, user complaint, unusual network behavior), the first step is to identify the scope. Determine which systems, time frames, and network segments are involved. Check logs from SIEM, firewall, and IDS to pinpoint suspicious IP addresses, ports, or protocols. For example, an alert might indicate a SQL injection attempt from external IP 203.0.113.5 targeting internal web server 10.0.0.10 on port 443. The analyst should note the timestamp, source/dest IPs, and any related alerts. This scope definition guides the capture and analysis plan. Without proper scoping, you might capture irrelevant traffic or miss critical evidence.
Preserve Network Evidence
Immediately start capturing traffic on the affected network segment. Use a network TAP or SPAN port to copy traffic without disrupting live operations. For example, configure a SPAN port on the switch connecting the web server to send all traffic to a monitoring interface running tcpdump. Use a command like `tcpdump -i eth0 -w incident.pcap -s 0` to capture full packets. If the incident is ongoing, preserve the current state; if it has ended, ensure captures are available from the relevant time window. Also collect flow data (NetFlow) and logs from firewalls, proxies, and DHCP servers. Document the capture start time, duration, and tool used. This step is critical for chain of custody.
Collect and Hash Evidence
Once the capture is complete, copy the pcap file to a secure forensic workstation. Compute cryptographic hashes (SHA-256) of the capture file using `sha256sum incident.pcap > incident.hash`. Record the hash in the chain of custody log. Also collect supporting logs (firewall, IDS, system logs) and hash them. Store originals as read-only (write-blocker if from a disk). For network captures, the pcap file itself is the evidence. Ensure the capture tool was run on a trusted system to avoid tampering. Document the entire collection process: who collected, when, where, and how.
Examine Packets with Filters
Open the pcap file in Wireshark. Apply display filters to narrow down to relevant traffic. For the SQL injection example, start with `ip.addr == 10.0.0.10 and http.request`. This shows all HTTP requests to the web server. Look for suspicious patterns: unusual parameters (e.g., `id=1 OR 1=1`), long URIs, or repeated requests. Use the 'Follow TCP Stream' feature to view the full conversation. Alternatively, use tshark to extract specific fields: `tshark -r incident.pcap -Y "http.request.uri contains \"select\"" -T fields -e http.host -e http.request.uri`. Document suspicious packets with screenshots.
Analyze and Reconstruct Attack
Correlate findings from packet analysis with other logs. For the SQL injection, confirm the attack by checking web server logs for 500 errors or database error messages. Reconstruct the timeline: initial probe (port scan), exploitation (SQL injection payload), and data exfiltration (large responses). In Wireshark, use Statistics → Conversations to see data volumes per IP pair. If exfiltration occurred, you might see a spike in outbound traffic to an external IP. Use 'Export Objects' to extract any files transferred via HTTP. For encrypted traffic, analyze TLS handshake parameters (Server Name Indication, certificate issuer). Document the attack vector, affected systems, and impact.
Report Findings and Preserve Evidence
Create a forensic report detailing the incident, analysis steps, findings, and conclusions. Include screenshots of key packets, the chain of custody log, and hashes. The report should be clear enough for non-technical stakeholders (management, legal). For example: 'On [date] at [time], an external attacker (203.0.113.5) exploited a SQL injection vulnerability in the login page of web server 10.0.0.10, extracting 10,000 customer records. Evidence is preserved in pcap file incident.pcap (SHA-256: abc123...).' Securely store the evidence with restricted access. The report may be used for remediation, legal action, or compliance.
Scenario 1: Detecting Data Exfiltration via DNS Tunneling
A SOC analyst notices an alert from the IDS about excessive DNS queries from an internal workstation (192.168.1.50) to an external domain (malicious.example.com). The analyst opens Wireshark and applies a display filter dns.qry.name contains "malicious.example.com". The capture shows thousands of TXT queries with long, random subdomains (e.g., aGVsbG8=.malicious.example.com). The analyst uses tshark to extract the subdomain labels: tshark -r capture.pcap -Y "dns.qry.name contains malicious.example.com" -T fields -e dns.qry.name. The subdomains appear to be Base64-encoded. Decoding reveals chunks of a file. The analyst further filters for DNS response sizes; unusually large TXT responses (over 100 bytes) indicate data being sent out. The correct response is to block the domain, quarantine the workstation, and perform host forensics. A common mistake is ignoring DNS traffic as benign, missing the exfiltration.
Scenario 2: Investigating a Phishing Campaign
An employee reports receiving a suspicious email. The SOC team pulls the email headers and extracts the URL (http://evil.com/credentials.html). They capture traffic from the employee's workstation using tcpdump on the switch SPAN port. In Wireshark, they filter http.host == "evil.com". They see a GET request for the phishing page and a POST request with form data (username and password). The analyst follows the TCP stream to view the credentials in plaintext. They also check for any redirects or additional payloads. The correct response is to block the domain, reset the employee's credentials, and scan for malware. A common mistake is not capturing traffic quickly enough—the evidence might be lost if the session ends before the capture starts.
Scenario 3: Reconstructing a Ransomware Infection
A server (10.0.0.20) starts exhibiting high disk activity and network connections to known C2 IPs. The analyst uses a network TAP to capture traffic. In Wireshark, they filter ip.addr == 10.0.0.20. They see a series of SMB2 writes to file shares (encrypting files) and outbound HTTPS connections to a C2 server. The analyst uses the 'Statistics → Conversations' to see the top talkers and data volumes. They also check for any unusual protocols—ransomware often uses custom protocols or non-standard ports. By examining the TLS handshake, they extract the Server Name Indication (SNI) which reveals the C2 domain. The correct response is to isolate the server, block the C2 IPs, and preserve the pcap for further analysis. A common mistake is focusing only on the encryption activity and missing the initial infection vector (e.g., a malicious attachment downloaded earlier).
What SY0-701 Tests on Network Forensics and Packet Analysis
The exam objectives for 4.8 include: understanding forensic procedures (identification, preservation, collection, examination, analysis, reporting), knowing network forensic tools (Wireshark, tcpdump, NetFlow), and interpreting packet captures for evidence. Specifically, you should be able to:
Identify the correct tool for a given scenario (e.g., use tcpdump for command-line capture, Wireshark for GUI analysis).
Understand the difference between a TAP and SPAN port (TAP is passive and provides full copy; SPAN can drop packets).
Recognize when to use full packet capture vs flow data (full capture for payload analysis, flow for trend/volume).
Apply chain of custody and hashing to preserve evidence integrity.
Interpret common attack patterns in packet captures: SYN flood (many SYN packets without ACKs), ARP spoofing (duplicate IP-MAC pairs), DNS tunneling (excessive TXT queries), HTTP attacks (SQL injection, XSS).
Common Wrong Answers and Why Candidates Choose Them
Choosing 'full packet capture' when 'flow data' is sufficient: Candidates often think full capture is always better. However, for long-term monitoring or when storage is limited, flow data is more practical. The exam may ask: 'Which technique is best for detecting bandwidth hogs?' Answer: NetFlow (not full pcap).
Confusing TAP and SPAN: A SPAN port is often chosen because it's easier to configure (no extra hardware), but it can drop packets under load. The exam may ask: 'Which provides the most reliable copy of traffic?' Answer: TAP.
Ignoring legal authorization: Candidates forget that capturing traffic without permission is illegal. A scenario might describe an analyst capturing traffic on a network they don't own; the correct answer is 'obtain authorization first.'
Misusing display filters: For example, using ip.src == 10.0.0.1 when the question asks for all traffic involving that IP (must use ip.addr == 10.0.0.1).
Specific Terms That Appear Verbatim
PCAP: Packet capture file format.
TAP: Test Access Point.
SPAN: Switched Port Analyzer.
NetFlow: Cisco's flow protocol; sFlow and IPFIX are alternatives.
Chain of custody: Documentation of evidence handling.
Hashing: SHA-256 for integrity.
Wireshark: The tool name appears in questions.
tcpdump: Command-line capture tool.
Follow TCP stream: Wireshark feature.
Deep packet inspection (DPI).
Trick Questions
Questions that ask for the 'best' tool when multiple could work: Look for keywords like 'real-time analysis' (Wireshark) vs 'automated script' (tshark/tcpdump).
Confusing 'packet analysis' with 'log analysis': Packet analysis looks at raw network data; log analysis examines system/application logs.
'Which is NOT a network forensic tool?' Options might include FTK Imager (disk forensic tool) vs Wireshark.
Decision Rule for Eliminating Wrong Answers
On scenario questions, first determine if the question asks about collection, preservation, or analysis. For collection, choose TAP over SPAN if reliability is key. For preservation, choose hashing and chain of custody. For analysis, choose Wireshark for interactive, tcpdump/tshark for automated. If the scenario mentions legal concerns, the answer involving authorization is correct. If the scenario mentions 'limited storage', choose flow data. If 'full payload needed', choose packet capture.
Network forensics involves capturing, preserving, and analyzing network traffic to investigate incidents and gather evidence.
The forensic process: Identification, Preservation, Collection, Examination, Analysis, Reporting.
Key tools: Wireshark (GUI analysis), tcpdump/tshark (command-line capture and analysis), NetFlow (flow data).
Use a TAP for reliable packet capture; a SPAN port may drop packets under load.
Always hash capture files (SHA-256) and maintain chain of custody for legal admissibility.
Common attacks visible in packet captures: ARP spoofing, DNS tunneling, SYN flood, HTTP injection, TLS interception.
Encrypted traffic hides payload but metadata (IPs, ports, timing, certificate details) remains visible.
Authorization is required before capturing traffic on any network you do not own.
These come up on the exam all the time. Here's how to tell them apart.
Network TAP
Passive hardware device; no impact on network performance
Provides complete copy of traffic including errors
Cannot be disabled remotely; requires physical access
More expensive; requires dedicated hardware
No packet loss under any load
SPAN Port
Active switch feature; uses switch CPU
May drop packets under high load (over-subscription)
Can be configured and disabled remotely
No additional hardware cost
May alter packet timing slightly
Mistake
Wireshark can decrypt all encrypted traffic automatically.
Correct
Wireshark can only decrypt traffic if you have the private key (for TLS) or the session key (for WEP/WPA). Without keys, encrypted payloads remain unreadable; only metadata is visible.
Mistake
A SPAN port provides an identical copy of all traffic without any loss.
Correct
SPAN ports can drop packets under high load because they use the switch CPU. A network TAP is passive and provides a true copy without dropping frames.
Mistake
Full packet capture is always better than flow data for network forensics.
Correct
Full capture consumes huge storage and may be impractical for long periods. Flow data provides summary statistics useful for trend analysis and anomaly detection, and is often sufficient for initial investigation.
Mistake
Packet captures are admissible as evidence without any additional documentation.
Correct
To be admissible, you must maintain chain of custody, hash the file, document who collected it and when, and ensure the capture system was not tampered with. Without these, evidence can be challenged in court.
Mistake
ARP spoofing is not visible in packet captures because it uses broadcast traffic.
Correct
ARP spoofing is highly visible: look for duplicate IP addresses with different MAC addresses, or excessive ARP replies. Wireshark has a built-in detection for duplicate IPs.
A TAP (Test Access Point) is a passive hardware device that copies traffic between two network points without interfering with the link. It provides a true copy of all packets, including errors, and does not drop packets under load. A SPAN (Switched Port Analyzer) is a switch feature that mirrors traffic from one or more ports to a monitoring port. SPAN ports can drop packets when the switch CPU is overloaded because they share resources. For forensically sound captures, a TAP is preferred, but a SPAN port is often used for convenience. On the SY0-701 exam, remember that TAP is more reliable but requires extra hardware.
Wireshark can decrypt HTTPS traffic if you have the server's private key (RSA or ECDSA) or the session keys (e.g., from SSLKEYLOGFILE environment variable). Without these, the payload remains encrypted. However, Wireshark can still analyze metadata such as IP addresses, ports, TLS version, cipher suites, and Server Name Indication (SNI). For exam purposes, know that decryption is possible only with keys, and that metadata analysis is still valuable.
A display filter narrows down the packets shown in Wireshark based on criteria such as IP address, port, protocol, or specific field values. It does not remove packets from the capture file; it only hides them from view. Common examples: `ip.addr == 10.0.0.1` shows all packets involving that IP; `http.request` shows only HTTP requests. Display filters are essential for focusing on relevant traffic during analysis. They are different from capture filters (used before capture) which actually discard packets. For the exam, you should be able to interpret and apply basic display filters.
NetFlow is a network protocol developed by Cisco that collects metadata about IP traffic flows—source/destination IP, ports, protocol, packet count, byte count, and timestamps. It does not capture payload. Full packet capture (pcap) stores every byte of every packet, including payload. NetFlow uses less storage and is useful for traffic trend analysis, anomaly detection, and identifying large data transfers. Full capture is needed for in-depth forensic analysis (e.g., extracting malware, reconstructing conversations). On the exam, know that NetFlow is for summary data, pcap for detailed evidence.
DNS tunneling uses DNS queries and responses to exfiltrate data or establish covert communication. Signs include: excessive DNS queries to a single domain (especially TXT or MX records), unusually long subdomain labels (often Base64-encoded), large response sizes (over 512 bytes), and queries at high frequency. In Wireshark, filter `dns.qry.type == 16` (TXT records) and look for long query names. Decode the subdomain part to see if it contains readable data. A classic example: `aGVsbG8=.example.com` decodes to 'hello'. For the exam, remember that DNS tunneling is a data exfiltration technique that bypasses firewalls.
Chain of custody is a documented process that tracks the handling of evidence from collection to presentation in court. It includes who collected the evidence, when, where, how it was stored, and every transfer of custody. For network forensics, this means documenting the capture system, time, duration, and any access to the pcap file. Hashing (SHA-256) is used to verify integrity. Without chain of custody, evidence can be challenged as tampered or inadmissible. The SY0-701 exam emphasizes that chain of custody is critical for legal admissibility.
A capture filter (used with tools like tcpdump or Wireshark's capture options) is applied before packets are stored. It discards packets that do not match the filter, reducing file size. Syntax is BPF (Berkeley Packet Filter), e.g., `host 10.0.0.1 and port 80`. A display filter is applied after capture, only hiding packets from view without deleting them. Display filter syntax is Wireshark-specific, e.g., `ip.addr == 10.0.0.1 and tcp.port == 80`. For forensics, it's often better to capture all traffic and then filter during analysis, unless storage is limited. The exam may ask you to choose the correct filter type for a scenario.
You've just covered Network Forensics and Packet Analysis — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?